[openvas-libraries] Bugfix SIGSEGV caused by use-after-free in misc/network.c:load_cert_and_key

rebus rebus at fedoraproject.org
Mon Jan 9 03:12:50 UTC 2012


commit 38b6061085f088dc1c2b335be9aa2001e09e8582
Author: Michal Ambroz <rebus at seznam.cz>
Date:   Mon Jan 9 04:11:16 2012 +0100

    Bugfix SIGSEGV caused by use-after-free in misc/network.c:load_cert_and_key

 openvas-libraries-key.patch      |   21 ++++++++++++
 openvas-libraries-nowerror.patch |   64 ++++++++++++++++++++++++++++++++------
 openvas-libraries.spec           |   23 ++++++++++++--
 3 files changed, 95 insertions(+), 13 deletions(-)
---
diff --git a/openvas-libraries-key.patch b/openvas-libraries-key.patch
new file mode 100644
index 0000000..9b5b133
--- /dev/null
+++ b/openvas-libraries-key.patch
@@ -0,0 +1,21 @@
+https://bugzilla.redhat.com/show_bug.cgi?id=747167
+http://wald.intevation.org/tracker/index.php?func=detail&aid=6277&group_id=29&atid=220
+
+Premature releasing of the memory used by the private key results on Fedora 16 on
+SIGSEGV situation when the key material is used later on in _gnutls_pkcs1_rsa_decrypt.
+Due to reuse of released memory and wrong boundary checking in the _gnutls_pkcs1_rsa_decrypt 
+overwrites whole stack and causes crash.
+
+diff -ru openvas-libraries-4.0.6.orig/misc/network.c openvas-libraries-4.0.6.new/misc/network.c
+--- openvas-libraries-4.0.6.orig/misc/network.c	2011-11-03 09:30:08.000000000 +0100
++++ openvas-libraries-4.0.6.new/misc/network.c	2012-01-09 02:34:52.985456345 +0100
+@@ -751,6 +751,9 @@
+       goto cleanup;
+     }
+ 
++  /* not doing return here results in the key memory from xcred being released and overwritten */
++  return result;
++
+ cleanup:
+ 
+   unload_file (&data);
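Review bot: The added `return result;` ahead of the `cleanup:` label skips `unload_file (&data)` on every successful call, so whatever that call releases is now never released — the use-after-free is traded for a leak of one loaded key/certificate buffer per call. If, as the comment on the added line suggests, the credential structure keeps referencing that buffer, the buffer should stay alive for the lifetime of xcred and be freed where xcred is freed (or be copied into memory the library owns), rather than leaked by an early return. The patch header attributes the stack overwrite to boundary checking in `_gnutls_pkcs1_rsa_decrypt`, which would be a gnutls-side defect this change only works around; the in-code comment should say so, e.g. `/* WORKAROUND: xcred still references data; skipping unload_file until ownership is fixed */`. load_cert_and_key starts and ends outside the hunk.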
diff --git a/openvas-libraries-nowerror.patch b/openvas-libraries-nowerror.patch
index ff78294..a04484c 100644
--- a/openvas-libraries-nowerror.patch
+++ b/openvas-libraries-nowerror.patch
@@ -1,10 +1,18 @@
-Disable compile Werror flag to avoid stopping the compilation on warning about deprecated
-gnutls functions for setting priorities - I use this mainly because of the current issues.
-with SIGSEG in gnutls. Once resolved the gnutls and lowat patch should be used instead.
-Author: Michal Ambroz
-diff -ru openvas-libraries-4.0.5/CMakeLists.txt openvas-libraries-4.0.5.new/CMakeLists.txt
---- openvas-libraries-4.0.5/CMakeLists.txt	2011-06-01 15:38:38.000000000 +0200
-+++ openvas-libraries-4.0.5.new/CMakeLists.txt	2011-10-12 21:45:20.439909307 +0200
+diff -ru openvas-libraries-4.0.6.orig/base/CMakeLists.txt openvas-libraries-4.0.6/base/CMakeLists.txt
+--- openvas-libraries-4.0.6.orig/base/CMakeLists.txt	2011-11-03 09:30:08.000000000 +0100
++++ openvas-libraries-4.0.6/base/CMakeLists.txt	2012-01-07 01:07:44.497633911 +0100
+@@ -28,7 +28,7 @@
+ 
+ if (NOT MINGW)
+   set (CMAKE_C_FLAGS_DEBUG        "${CMAKE_C_FLAGS_DEBUG}")
+-  set (CMAKE_C_FLAGS              "${CMAKE_C_FLAGS} ${HARDENING_FLAGS} -Wall -Werror -fPIC")
++  set (CMAKE_C_FLAGS              "${CMAKE_C_FLAGS} ${HARDENING_FLAGS} -Wall -fPIC")
+ endif (NOT MINGW)
+ 
+ if (MINGW)
+diff -ru openvas-libraries-4.0.6.orig/CMakeLists.txt openvas-libraries-4.0.6/CMakeLists.txt
+--- openvas-libraries-4.0.6.orig/CMakeLists.txt	2011-11-03 09:30:08.000000000 +0100
++++ openvas-libraries-4.0.6/CMakeLists.txt	2012-01-07 01:07:14.957214347 +0100
 @@ -240,7 +240,7 @@
  set (HARDENING_FLAGS            "-Wformat -Wformat-security -O2 -D_FORTIFY_SOURCE=2 -fstack-protector -Wl,-z,relro -Wl,-z,now")
  
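Review bot: Dropping `-Werror` wholesale from `CMAKE_C_FLAGS` in base/CMakeLists.txt (and likewise in hg, nasl and omp in the two following hunks) turns off warnings-as-errors for every diagnostic, not only the deprecated gnutls priority functions this patch was written around, so format and other warnings in code that parses untrusted network data will no longer fail the build. The narrower change keeps `-Werror` and exempts just that class, e.g. `set (CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${HARDENING_FLAGS} -Wall -Werror -Wno-error=deprecated-declarations -fPIC")`; the nasl CMakeLists already uses a `-Wno-error=` exemption of this kind, as its surrounding comment in the later hunk shows. The rewritten patch also removed its own header (the rationale and author lines at the top of the old version), so the file now opens with `diff -ru` and no explanation; the spec carries the rationale as a comment, but a two-line header in the patch itself would keep it self-describing.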
@@ -14,9 +22,21 @@ diff -ru openvas-libraries-4.0.5/CMakeLists.txt openvas-libraries-4.0.5.new/CMak
  
  add_subdirectory (base)
  add_subdirectory (misc)
-diff -ru openvas-libraries-4.0.5/misc/CMakeLists.txt openvas-libraries-4.0.5.new/misc/CMakeLists.txt
---- openvas-libraries-4.0.5/misc/CMakeLists.txt	2011-06-01 15:38:37.000000000 +0200
-+++ openvas-libraries-4.0.5.new/misc/CMakeLists.txt	2011-10-12 21:45:33.274653165 +0200
+diff -ru openvas-libraries-4.0.6.orig/hg/CMakeLists.txt openvas-libraries-4.0.6/hg/CMakeLists.txt
+--- openvas-libraries-4.0.6.orig/hg/CMakeLists.txt	2011-11-03 09:30:08.000000000 +0100
++++ openvas-libraries-4.0.6/hg/CMakeLists.txt	2012-01-07 01:08:42.756489194 +0100
+@@ -29,7 +29,7 @@
+ set (HARDENING_FLAGS            "-Wformat -Wformat-security -O2 -D_FORTIFY_SOURCE=2 -fstack-protector -Wl,-z,relro -Wl,-z,now")
+ 
+ set (CMAKE_C_FLAGS_DEBUG        "${CMAKE_C_FLAGS_DEBUG}")
+-set (CMAKE_C_FLAGS              "${CMAKE_C_FLAGS} ${HARDENING_FLAGS} -Wall -Werror -fPIC")
++set (CMAKE_C_FLAGS              "${CMAKE_C_FLAGS} ${HARDENING_FLAGS} -Wall -fPIC")
+ 
+ set (FILES hg_add_hosts.c hg_debug.c hg_dns_axfr.c hg_filter.c hg_subnet.c 
+            hg_utils.c hosts_gatherer.c)
+diff -ru openvas-libraries-4.0.6.orig/misc/CMakeLists.txt openvas-libraries-4.0.6/misc/CMakeLists.txt
+--- openvas-libraries-4.0.6.orig/misc/CMakeLists.txt	2011-11-03 09:30:08.000000000 +0100
++++ openvas-libraries-4.0.6/misc/CMakeLists.txt	2012-01-07 01:07:14.957214347 +0100
 @@ -70,7 +70,7 @@
  set (HARDENING_FLAGS            "-Wformat -Wformat-security -O2 -D_FORTIFY_SOURCE=2 -fstack-protector -Wl,-z,relro -Wl,-z,now")
  
@@ -26,3 +46,27 @@ diff -ru openvas-libraries-4.0.5/misc/CMakeLists.txt openvas-libraries-4.0.5.new
  
  if (MINGW)
    set (FILES openvas_auth.c openvas_server.c proctitle.c)
+diff -ru openvas-libraries-4.0.6.orig/nasl/CMakeLists.txt openvas-libraries-4.0.6/nasl/CMakeLists.txt
+--- openvas-libraries-4.0.6.orig/nasl/CMakeLists.txt	2011-11-03 09:30:08.000000000 +0100
++++ openvas-libraries-4.0.6/nasl/CMakeLists.txt	2012-01-07 01:09:04.262066635 +0100
+@@ -39,7 +39,7 @@
+ # The "-D_FILE_OFFSET_BITS=64 -DLARGEFILE_SOURCE=1" is necessary for GPGME!
+ # The "-fno-strict-aliasing" silences warnings caused by macros defined in byteorder.h.
+ # Once the warnings have been addressed this flag should be removed.
+-set (CMAKE_C_FLAGS              "${CMAKE_C_FLAGS} ${HARDENING_FLAGS} -Wall -Werror -D_FILE_OFFSET_BITS=64 -DLARGEFILE_SOURCE=1 -fno-strict-aliasing")
++set (CMAKE_C_FLAGS              "${CMAKE_C_FLAGS} ${HARDENING_FLAGS} -Wall -D_FILE_OFFSET_BITS=64 -DLARGEFILE_SOURCE=1 -fno-strict-aliasing")
+ 
+ # The "-Wno-error=unprototyped-calls" silences warnings produced by an
+ # openSUSE-patched gcc caused by code in regex.c.
+diff -ru openvas-libraries-4.0.6.orig/omp/CMakeLists.txt openvas-libraries-4.0.6/omp/CMakeLists.txt
+--- openvas-libraries-4.0.6.orig/omp/CMakeLists.txt	2011-11-03 09:30:08.000000000 +0100
++++ openvas-libraries-4.0.6/omp/CMakeLists.txt	2012-01-07 01:09:21.181734183 +0100
+@@ -27,7 +27,7 @@
+ set (HARDENING_FLAGS            "-Wformat -Wformat-security -O2 -D_FORTIFY_SOURCE=2 -fstack-protector -Wl,-z,relro -Wl,-z,now")
+ 
+ set (CMAKE_C_FLAGS_DEBUG        "${CMAKE_C_FLAGS_DEBUG}")
+-set (CMAKE_C_FLAGS              "${CMAKE_C_FLAGS} ${HARDENING_FLAGS} -Wall -Werror")
++set (CMAKE_C_FLAGS              "${CMAKE_C_FLAGS} ${HARDENING_FLAGS} -Wall")
+ 
+ set (FILES xml.c omp.c)
+ 
diff --git a/openvas-libraries.spec b/openvas-libraries.spec
index 16339ec..5ba6f17 100644
--- a/openvas-libraries.spec
+++ b/openvas-libraries.spec
@@ -4,7 +4,7 @@ URL:		http://www.openvas.org
 License:	LGPLv2
 Group:		System Environment/Libraries
 Version:	4.0.6
-Release:	1%{?dist}
+Release:	2%{?dist}
 Source0:	http://wald.intevation.org/frs/download.php/979/%{name}-%{version}.tar.gz
 
 #Reported as bug 1942	Fix compile time errors - variable 'xxx' set but not used
@@ -21,6 +21,15 @@ Patch2:		openvas-libraries-lowat.patch
 #with SIGSEG in gnutls. Once resolved the gnutls and lowat patch should be used instead.
 Patch3:		openvas-libraries-nowerror.patch
 
+#https://bugzilla.redhat.com/show_bug.cgi?id=747167
+#http://wald.intevation.org/tracker/index.php?func=detail&aid=6277&group_id=29&atid=220
+#Premature releasing of the memory used by the private key results on Fedora 16 on
+#SIGSEGV situation when the key material is used later on in _gnutls_pkcs1_rsa_decrypt.
+#Due to reuse of released memory and wrong boundary checking in the _gnutls_pkcs1_rsa_decrypt
+#overwrites whole stack and causes crash.
+Patch4:		openvas-libraries-key.patch
+
+
 BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-root
 Obsoletes:	openvas-libnasl
 BuildRequires:	glib2-devel
@@ -49,7 +58,7 @@ Development libraries and headers for use with openvas-libraries.
 
 %prep
 %setup -q
-%patch0 -p 1 -b .notused.patch
+#%patch0 -p 1 -b .notused.patch
 #Patch for gnutls > 2.12.0
 #%patch1 -p 1 -b .gnutls.patch
 #%patch2 -p 1 -b .lowat.patch
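Review bot: Commenting out `%patch0` with a leading `#` leaves an rpm macro inside a comment; rpm expands macros in comments as well, so depending on the rpm version the `%patch0` expansion can still emit its patch commands with only the first expanded line commented out, and rpmlint reports it as macro-in-comment. Either delete the line or escape the percent sign: `#%%patch0 -p 1 -b .notused.patch`. The `#%patch1` and `#%patch2` lines below it have the same shape but predate this change.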
@@ -57,10 +66,14 @@ Development libraries and headers for use with openvas-libraries.
 #Used mainly to troubleshoot SIGSEG in gnutls. Once solved patch1/2 shuold be used instead
 %patch3 -p 1 -b .nowerror.patch
 
+#Avoid SIGSEG in gnutls.
+%patch4 -p 1 -b .key.patch
+
+
 #Fix FSF address in source files
 OLDADDR="675 Mass Ave, Cambridge, MA 02139, USA"
 NEWADDR="51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA"
-LIST=`grep -lre "$OLDADDR" *| grep -E '.c$|.h$'`
+LIST=`grep -lre "$OLDADDR" *| grep -E '.c$|.h$|.y$|COPYING'`
 echo "$LIST" | xargs sed -i -e "s/$OLDADDR/$NEWADDR/" 
 
 OLDADDR="59 Temple Place - Suite 330, Boston, MA 02111-1307, USA"
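Review bot: The comment above the new `%patch4` line, `#Avoid SIGSEG in gnutls.`, misattributes the fix: per the patch header the defect is a use-after-free in openvas-libraries' own misc/network.c, which gnutls then trips over, so `#Fix use-after-free in misc/network.c:load_cert_and_key (bz#747167)` would point the next maintainer at the right place. In the extended grep filter the dots are unescaped, so `.y$` (like the pre-existing `.c$`/`.h$`) matches any name ending in that letter rather than the extension; `grep -E '\.c$|\.h$|\.y$|COPYING'` is the intended pattern. Adding `COPYING` also rewrites the address inside the shipped license text files, which is presumably intended but worth a one-line comment since it alters a licence file rather than source.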
@@ -119,6 +132,10 @@ rm -rf %{buildroot}
 %{_libdir}/pkgconfig/libopenvas.pc
 
 %changelog
+* Mon Jan 09 2012 Michal Ambroz <rebus at, seznam.cz> - 4.0.6-2
+- added openvas-libraries-4.0.6-key.patch to fix use-after-free issue causing
+  SIGSEGV fault in gnutls code
+
 * Fri Nov 04 2011 Michal Ambroz <rebus at, seznam.cz> - 4.0.6-1
 - bump to version 4.0.6
 

