[gnutls] - fix buffer overflow in gnutls-serv (#659259)
Tomáš Mráz
tmraz at fedoraproject.org
Thu Dec 2 14:36:23 UTC 2010
commit d7caee05603679c2c7a3afc1e7b8d1dee90ea074
Author: Tomas Mraz <tmraz at fedoraproject.org>
Date: Thu Dec 2 15:36:29 2010 +0100
- fix buffer overflow in gnutls-serv (#659259)
gnutls-2.10.3-sprintf.patch | 150 +++++++++++++++++++++++++++++++++++++++++++
gnutls.spec | 8 ++-
2 files changed, 157 insertions(+), 1 deletions(-)
---
diff --git a/gnutls-2.10.3-sprintf.patch b/gnutls-2.10.3-sprintf.patch
new file mode 100644
index 0000000..646f102
--- /dev/null
+++ b/gnutls-2.10.3-sprintf.patch
@@ -0,0 +1,150 @@
+diff -up gnutls-2.10.3/src/serv.c.sprintf gnutls-2.10.3/src/serv.c
+--- gnutls-2.10.3/src/serv.c.sprintf 2010-11-01 13:18:24.000000000 +0100
++++ gnutls-2.10.3/src/serv.c 2010-12-02 15:13:12.000000000 +0100
+@@ -438,7 +438,7 @@ static const char DEFAULT_DATA[] =
+
+ /* Creates html with the current session information.
+ */
+-#define tmp2 &http_buffer[strlen(http_buffer)]
++#define tmp2 &http_buffer[strlen(http_buffer)], len-strlen(http_buffer)
+ static char *
+ peer_print_info (gnutls_session_t session, int *ret_length,
+ const char *header)
+@@ -448,7 +448,7 @@ peer_print_info (gnutls_session_t sessio
+ size_t i, sesid_size;
+ char *http_buffer;
+ gnutls_kx_algorithm_t kx_alg;
+- size_t len = 5 * 1024 + strlen (header);
++ size_t len = 20 * 1024 + strlen (header);
+ char *crtinfo = NULL;
+ size_t ncrtinfo = 0;
+
+@@ -512,11 +512,11 @@ peer_print_info (gnutls_session_t sessio
+
+ /* print session_id */
+ gnutls_session_get_id (session, sesid, &sesid_size);
+- sprintf (tmp2, "\n<p>Session ID: <i>");
++ snprintf (tmp2, "\n<p>Session ID: <i>");
+ for (i = 0; i < sesid_size; i++)
+- sprintf (tmp2, "%.2X", sesid[i]);
+- sprintf (tmp2, "</i></p>\n");
+- sprintf (tmp2,
++ snprintf (tmp2, "%.2X", sesid[i]);
++ snprintf (tmp2, "</i></p>\n");
++ snprintf (tmp2,
+ "<h5>If your browser supports session resuming, then you should see the "
+ "same session ID, when you press the <b>reload</b> button.</h5>\n");
+
+@@ -530,7 +530,7 @@ peer_print_info (gnutls_session_t sessio
+
+ if (gnutls_server_name_get (session, dns, &dns_size, &type, 0) == 0)
+ {
+- sprintf (tmp2, "\n<p>Server Name: %s</p>\n", dns);
++ snprintf (tmp2, "\n<p>Server Name: %s</p>\n", dns);
+ }
+
+ }
+@@ -541,7 +541,7 @@ peer_print_info (gnutls_session_t sessio
+ #ifdef ENABLE_SRP
+ if (kx_alg == GNUTLS_KX_SRP)
+ {
+- sprintf (tmp2, "<p>Connected as user '%s'.</p>\n",
++ snprintf (tmp2, "<p>Connected as user '%s'.</p>\n",
+ gnutls_srp_server_get_username (session));
+ }
+ #endif
+@@ -549,7 +549,7 @@ peer_print_info (gnutls_session_t sessio
+ #ifdef ENABLE_PSK
+ if (kx_alg == GNUTLS_KX_PSK)
+ {
+- sprintf (tmp2, "<p>Connected as user '%s'.</p>\n",
++ snprintf (tmp2, "<p>Connected as user '%s'.</p>\n",
+ gnutls_psk_server_get_username (session));
+ }
+ #endif
+@@ -557,7 +557,7 @@ peer_print_info (gnutls_session_t sessio
+ #ifdef ENABLE_ANON
+ if (kx_alg == GNUTLS_KX_ANON_DH)
+ {
+- sprintf (tmp2,
++ snprintf (tmp2,
+ "<p> Connect using anonymous DH (prime of %d bits)</p>\n",
+ gnutls_dh_get_prime_bits (session));
+ }
+@@ -565,7 +565,7 @@ peer_print_info (gnutls_session_t sessio
+
+ if (kx_alg == GNUTLS_KX_DHE_RSA || kx_alg == GNUTLS_KX_DHE_DSS)
+ {
+- sprintf (tmp2,
++ snprintf (tmp2,
+ "Ephemeral DH using prime of <b>%d</b> bits.<br>\n",
+ gnutls_dh_get_prime_bits (session));
+ }
+@@ -576,7 +576,7 @@ peer_print_info (gnutls_session_t sessio
+ tmp = gnutls_protocol_get_name (gnutls_protocol_get_version (session));
+ if (tmp == NULL)
+ tmp = str_unknown;
+- sprintf (tmp2,
++ snprintf (tmp2,
+ "<TABLE border=1><TR><TD>Protocol version:</TD><TD>%s</TD></TR>\n",
+ tmp);
+
+@@ -587,50 +587,44 @@ peer_print_info (gnutls_session_t sessio
+ (session));
+ if (tmp == NULL)
+ tmp = str_unknown;
+- sprintf (tmp2, "<TR><TD>Certificate Type:</TD><TD>%s</TD></TR>\n", tmp);
++ snprintf (tmp2, "<TR><TD>Certificate Type:</TD><TD>%s</TD></TR>\n", tmp);
+ }
+
+ tmp = gnutls_kx_get_name (kx_alg);
+ if (tmp == NULL)
+ tmp = str_unknown;
+- sprintf (tmp2, "<TR><TD>Key Exchange:</TD><TD>%s</TD></TR>\n", tmp);
++ snprintf (tmp2, "<TR><TD>Key Exchange:</TD><TD>%s</TD></TR>\n", tmp);
+
+ tmp = gnutls_compression_get_name (gnutls_compression_get (session));
+ if (tmp == NULL)
+ tmp = str_unknown;
+- sprintf (tmp2, "<TR><TD>Compression</TD><TD>%s</TD></TR>\n", tmp);
++ snprintf (tmp2, "<TR><TD>Compression</TD><TD>%s</TD></TR>\n", tmp);
+
+ tmp = gnutls_cipher_get_name (gnutls_cipher_get (session));
+ if (tmp == NULL)
+ tmp = str_unknown;
+- sprintf (tmp2, "<TR><TD>Cipher</TD><TD>%s</TD></TR>\n", tmp);
++ snprintf (tmp2, "<TR><TD>Cipher</TD><TD>%s</TD></TR>\n", tmp);
+
+ tmp = gnutls_mac_get_name (gnutls_mac_get (session));
+ if (tmp == NULL)
+ tmp = str_unknown;
+- sprintf (tmp2, "<TR><TD>MAC</TD><TD>%s</TD></TR>\n", tmp);
++ snprintf (tmp2, "<TR><TD>MAC</TD><TD>%s</TD></TR>\n", tmp);
+
+ tmp = gnutls_cipher_suite_get_name (kx_alg,
+ gnutls_cipher_get (session),
+ gnutls_mac_get (session));
+ if (tmp == NULL)
+ tmp = str_unknown;
+- sprintf (tmp2, "<TR><TD>Ciphersuite</TD><TD>%s</TD></TR></p></TABLE>\n",
++ snprintf (tmp2, "<TR><TD>Ciphersuite</TD><TD>%s</TD></TR></p></TABLE>\n",
+ tmp);
+
+ if (crtinfo)
+ {
+- strcat (http_buffer, "<hr><PRE>");
+- strcat (http_buffer, crtinfo);
+- strcat (http_buffer, "\n</PRE>\n");
++ snprintf(tmp2, "<hr><PRE>%s\n</PRE>\n", crtinfo);
+ free (crtinfo);
+ }
+
+- strcat (http_buffer, "<hr><P>Your HTTP header was:<PRE>");
+- strcat (http_buffer, header);
+- strcat (http_buffer, "</PRE></P>");
+-
+- strcat (http_buffer, "\n" HTTP_END);
++ snprintf(tmp2, "<hr><P>Your HTTP header was:<PRE>%s</PRE></P>\n" HTTP_END, header);
+
+ *ret_length = strlen (http_buffer);
+
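Review bot: Every converted `snprintf (tmp2, ...)` call in peer_print_info ignores its return value, so output that exceeds the fixed `20 * 1024 + strlen (header)` budget is silently truncated. Once the buffer is full, each later call writes nothing, so a long `crtinfo` or `header` can cut the page off mid-tag and drop `HTTP_END`, while `*ret_length` still reports success. Consider checking the result against the remaining space, or including `strlen (crtinfo)` in `len` if it is known before the buffer is allocated; that allocation is outside the visible hunks, so this assumes `http_buffer` really holds `len` bytes. The redefined `tmp2` now expands to two arguments and calls `strlen (http_buffer)` twice per use, which deserves a comment at the `#define`, for example `/* tmp2 expands to TWO snprintf arguments: the write position in http_buffer and the space left out of len */`.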
diff --git a/gnutls.spec b/gnutls.spec
index 4a249eb..0462880 100644
--- a/gnutls.spec
+++ b/gnutls.spec
@@ -1,7 +1,7 @@
Summary: A TLS protocol implementation
Name: gnutls
Version: 2.10.3
-Release: 1%{?dist}
+Release: 2%{?dist}
# The libgnutls library is LGPLv2+, utilities and remaining libraries are GPLv3+
License: GPLv3+ and LGPLv2+
Group: System Environment/Libraries
@@ -21,6 +21,8 @@ Patch2: gnutls-2.8.6-link-libgcrypt.patch
Patch3: gnutls-2.10.1-nosrp.patch
# Backport from upstream git
Patch4: gnutls-2.10.1-handshake-errors.patch
+# Sent to upstream
+Patch5: gnutls-2.10.3-sprintf.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: libgcrypt >= 1.2.2
@@ -77,6 +79,7 @@ This package contains Guile bindings for the library.
%patch2 -p1 -b .link
%patch3 -p1 -b .nosrp
%patch4 -p1 -b .errors
+%patch5 -p1 -b .sprintf
for i in auth_srp_rsa.c auth_srp_sb64.c auth_srp_passwd.c auth_srp.c gnutls_srp.c ext_srp.c; do
touch lib/$i
@@ -160,6 +163,9 @@ fi
%{_datadir}/guile/site/gnutls.scm
%changelog
+* Tue Dec 2 2010 Tomas Mraz <tmraz at redhat.com> 2.10.3-2
+- fix buffer overflow in gnutls-serv (#659259)
+
* Fri Nov 19 2010 Tomas Mraz <tmraz at redhat.com> 2.10.3-1
- new upstream version