[gnutls/f16] fix CVE-2012-1573 - incorrect checks when parsing packets (#805432)
Tomáš Mráz
tmraz at fedoraproject.org
Fri Mar 23 13:37:48 UTC 2012
commit 1c18b8293973ceb11cea12d05fc909b95be244c0
Author: Tomas Mraz <tmraz at fedoraproject.org>
Date: Fri Mar 23 14:37:39 2012 +0100
fix CVE-2012-1573 - incorrect checks when parsing packets (#805432)
- fix memory leak when generating keys (#796302)
gnutls-2.12.14-cve-2012-1573.patch | 23 +++++++++++++++
gnutls-2.12.14-leak.patch | 56 ++++++++++++++++++++++++++++++++++++
gnutls.spec | 10 ++++++-
3 files changed, 88 insertions(+), 1 deletions(-)
---
diff --git a/gnutls-2.12.14-cve-2012-1573.patch b/gnutls-2.12.14-cve-2012-1573.patch
new file mode 100644
index 0000000..a1710f6
--- /dev/null
+++ b/gnutls-2.12.14-cve-2012-1573.patch
@@ -0,0 +1,23 @@
+diff -up gnutls-2.12.14/lib/gnutls_cipher.c.packet gnutls-2.12.14/lib/gnutls_cipher.c
+--- gnutls-2.12.14/lib/gnutls_cipher.c.packet 2011-09-18 00:16:53.000000000 +0200
++++ gnutls-2.12.14/lib/gnutls_cipher.c 2012-03-23 13:29:24.077877489 +0100
+@@ -511,14 +511,13 @@ _gnutls_ciphertext2compressed (gnutls_se
+ {
+ ciphertext.size -= blocksize;
+ ciphertext.data += blocksize;
+-
+- if (ciphertext.size == 0)
+- {
+- gnutls_assert ();
+- return GNUTLS_E_DECRYPTION_FAILED;
+- }
+ }
+
++ if (ciphertext.size < hash_size)
++ {
++ gnutls_assert ();
++ return GNUTLS_E_DECRYPTION_FAILED;
++ }
+ pad = ciphertext.data[ciphertext.size - 1] + 1; /* pad */
+
+ if ((int) pad > (int) ciphertext.size - hash_size)
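Review bot: The new `if (ciphertext.size < hash_size)` guard protects the `ciphertext.data[ciphertext.size - 1]` read only while `hash_size` is at least 1. With a zero-length MAC and an empty remaining record the test passes and the index underflows, a case the removed `ciphertext.size == 0` check covered inside the block that skips `blocksize` bytes. Whether a block cipher can be paired with a zero-length MAC on this path is not visible from the hunk, so either state that invariant in a comment above the check or make the guard self-contained: `if (ciphertext.size == 0 || ciphertext.size < hash_size)`. The comparison also appears to mix an unsigned size with a signed `hash_size` (the later line casts to `int` before subtracting), which is worth making explicit. The enclosing branch of `_gnutls_ciphertext2compressed` starts and ends outside the hunk.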
diff --git a/gnutls-2.12.14-leak.patch b/gnutls-2.12.14-leak.patch
new file mode 100644
index 0000000..0a649df
--- /dev/null
+++ b/gnutls-2.12.14-leak.patch
@@ -0,0 +1,56 @@
+diff -up gnutls-2.12.14/lib/gcrypt/pk.c.leak gnutls-2.12.14/lib/gcrypt/pk.c
+--- gnutls-2.12.14/lib/gcrypt/pk.c.leak 2011-09-18 00:16:53.000000000 +0200
++++ gnutls-2.12.14/lib/gcrypt/pk.c 2012-03-08 17:54:16.821192070 +0100
+@@ -627,7 +627,6 @@ _rsa_generate_params (bigint_t * resarr,
+
+ int ret, i;
+ gcry_sexp_t parms, key, list;
+- bigint_t tmp;
+
+ if (*resarr_len < RSA_PRIVATE_PARAMS)
+ {
+@@ -733,14 +732,6 @@ _rsa_generate_params (bigint_t * resarr,
+
+ *resarr_len = 6;
+
+- tmp = _gnutls_mpi_alloc_like (resarr[0]);
+- if (tmp == NULL)
+- {
+- gnutls_assert ();
+- ret = GNUTLS_E_MEMORY_ERROR;
+- goto cleanup;
+- }
+-
+ ret = _gnutls_calc_rsa_exp (resarr, 2 + *resarr_len);
+ if (ret < 0)
+ {
+diff -up gnutls-2.12.14/lib/gnutls_pk.c.leak gnutls-2.12.14/lib/gnutls_pk.c
+--- gnutls-2.12.14/lib/gnutls_pk.c.leak 2011-09-18 00:16:53.000000000 +0200
++++ gnutls-2.12.14/lib/gnutls_pk.c 2012-03-08 17:40:58.725314720 +0100
+@@ -544,6 +544,7 @@ _generate_params (int algo, bigint_t * r
+ }
+ else
+ {
++ gnutls_pk_params_release(¶ms);
+ gnutls_assert ();
+ return GNUTLS_E_INVALID_REQUEST;
+ }
+diff -up gnutls-2.12.14/lib/x509/privkey.c.leak gnutls-2.12.14/lib/x509/privkey.c
+--- gnutls-2.12.14/lib/x509/privkey.c.leak 2011-09-18 00:16:54.000000000 +0200
++++ gnutls-2.12.14/lib/x509/privkey.c 2012-03-08 17:45:55.467830355 +0100
+@@ -1466,6 +1466,7 @@ gnutls_x509_privkey_generate (gnutls_x50
+ {
+ gnutls_assert ();
+ ret = GNUTLS_E_INTERNAL_ERROR;
++ goto cleanup;
+ }
+
+ if (ret < 0)
+@@ -1490,6 +1491,7 @@ gnutls_x509_privkey_generate (gnutls_x50
+ {
+ gnutls_assert ();
+ ret = GNUTLS_E_INTERNAL_ERROR;
++ goto cleanup;
+ }
+ if (ret < 0)
+ {
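Review bot: The `gnutls_pk_params_release` call added in `_generate_params` covers only the final `else` return. The function's other exits are outside the hunk, so confirm that every path returning after `params` is populated also releases it, ideally through one cleanup label as the `gnutls_x509_privkey_generate` hunks do with `goto cleanup;`. The argument prints as `¶ms` in this archived copy, which looks like an entity-decoding artifact for `&params`, so take the patch from the package repository rather than from this page. As a style point, the added call omits the space before the parenthesis that the surrounding code uses (`gnutls_assert ();`); `gnutls_pk_params_release (&params);` would match. In `gcrypt/pk.c` the removal of `tmp` looks complete within the visible lines, since both the declaration and the allocation are dropped.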
diff --git a/gnutls.spec b/gnutls.spec
index 9aaf238..a3c1a89 100644
--- a/gnutls.spec
+++ b/gnutls.spec
@@ -1,7 +1,7 @@
Summary: A TLS protocol implementation
Name: gnutls
Version: 2.12.14
-Release: 1%{?dist}
+Release: 2%{?dist}
# The libgnutls library is LGPLv2+, utilities and remaining libraries are GPLv3+
License: GPLv3+ and LGPLv2+
Group: System Environment/Libraries
@@ -21,6 +21,8 @@ Patch2: gnutls-2.8.6-link-libgcrypt.patch
Patch3: gnutls-2.12.2-nosrp.patch
# Skip tests that are expected to fail on libgcrypt build
Patch4: gnutls-2.12.7-dsa-skiptests.patch
+Patch5: gnutls-2.12.14-leak.patch
+Patch6: gnutls-2.12.14-cve-2012-1573.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: libgcrypt >= 1.2.2
@@ -88,6 +90,8 @@ This package contains Guile bindings for the library.
%patch2 -p1 -b .link
%patch3 -p1 -b .nosrp
%patch4 -p1 -b .skiptests
+%patch5 -p1 -b .leak
+%patch6 -p1 -b .packet
for i in auth_srp_rsa.c auth_srp_sb64.c auth_srp_passwd.c auth_srp.c gnutls_srp.c ext_srp.c; do
touch lib/$i
@@ -184,6 +188,10 @@ fi
%{_datadir}/guile/site/gnutls.scm
%changelog
+* Fri Mar 23 2012 Tomas Mraz <tmraz at redhat.com> 2.12.14-2
+- fix CVE-2012-1573 - incorrect checks when parsing packets (#805432)
+- fix memory leak when generating keys (#796302)
+
* Mon Nov 8 2011 Tomas Mraz <tmraz at redhat.com> 2.12.14-1
- new upstream version