[polarssl/el6] Fix for CVE-2014-8628
Morten Stevens
mstevens at fedoraproject.org
Wed Nov 12 14:41:12 UTC 2014
commit 457ca71d8650a2424488594d5bf0cca4d8b58d8f
Author: Morten Stevens <mstevens at imt-systems.com>
Date: Wed Nov 12 15:41:02 2014 +0100
Fix for CVE-2014-8628
CVE-2014-8628.patch | 110 +++++++++++++++++++++++++++++++++++++++++++++++++++
polarssl.spec | 7 +++-
2 files changed, 116 insertions(+), 1 deletions(-)
---
diff --git a/CVE-2014-8628.patch b/CVE-2014-8628.patch
new file mode 100644
index 0000000..305d661
--- /dev/null
+++ b/CVE-2014-8628.patch
@@ -0,0 +1,110 @@
+--- a/library/ssl_srv.c
++++ b/library/ssl_srv.c
+@@ -528,6 +528,13 @@ static int ssl_parse_supported_elliptic_curves( ssl_context *ssl,
+ return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
+ }
+
++ /* Should never happen unless client duplicates the extension */
++ if( ssl->handshake->curves != NULL )
++ {
++ SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
++ return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
++ }
++
+ /* Don't allow our peer to make use allocated too much memory,
+ * and leave room for a final 0 */
+ our_size = list_size / 2 + 1;
+diff --git a/library/x509.c b/library/x509.c
+index 49f7672..941472c 100644
+--- a/library/x509.c
++++ b/library/x509.c
+@@ -409,58 +409,47 @@ static int x509_get_attr_type_value( unsigned char **p,
+ * AttributeType ::= OBJECT IDENTIFIER
+ *
+ * AttributeValue ::= ANY DEFINED BY AttributeType
++ *
++ * We restrict RelativeDistinguishedName to be a set of 1 element. This is
++ * the most common case, and our x509_name structure currently can't handle
++ * more than that.
+ */
+ int x509_get_name( unsigned char **p, const unsigned char *end,
+ x509_name *cur )
+ {
+ int ret;
+- size_t len;
+- const unsigned char *end2;
+- x509_name *use;
++ size_t set_len;
++ const unsigned char *end_set;
+
+- if( ( ret = asn1_get_tag( p, end, &len,
++ /*
++ * parse first SET, restricted to 1 element
++ */
++ if( ( ret = asn1_get_tag( p, end, &set_len,
+ ASN1_CONSTRUCTED | ASN1_SET ) ) != 0 )
+ return( POLARSSL_ERR_X509_INVALID_NAME + ret );
+
+- end2 = end;
+- end = *p + len;
+- use = cur;
+-
+- do
+- {
+- if( ( ret = x509_get_attr_type_value( p, end, use ) ) != 0 )
+- return( ret );
++ end_set = *p + set_len;
+
+- if( *p != end )
+- {
+- use->next = (x509_name *) polarssl_malloc(
+- sizeof( x509_name ) );
+-
+- if( use->next == NULL )
+- return( POLARSSL_ERR_X509_MALLOC_FAILED );
++ if( ( ret = x509_get_attr_type_value( p, end_set, cur ) ) != 0 )
++ return( ret );
+
+- memset( use->next, 0, sizeof( x509_name ) );
+-
+- use = use->next;
+- }
+- }
+- while( *p != end );
++ if( *p != end_set )
++ return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE );
+
+ /*
+ * recurse until end of SEQUENCE is reached
+ */
+- if( *p == end2 )
++ if( *p == end )
+ return( 0 );
+
+- cur->next = (x509_name *) polarssl_malloc(
+- sizeof( x509_name ) );
++ cur->next = (x509_name *) polarssl_malloc( sizeof( x509_name ) );
+
+ if( cur->next == NULL )
+ return( POLARSSL_ERR_X509_MALLOC_FAILED );
+
+ memset( cur->next, 0, sizeof( x509_name ) );
+
+- return( x509_get_name( p, end2, cur->next ) );
++ return( x509_get_name( p, end, cur->next ) );
+ }
+
+ /*
+diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
+index 4cec070..c5c4af7 100644
+--- a/tests/suites/test_suite_x509parse.data
++++ b/tests/suites/test_suite_x509parse.data
+@@ -750,7 +750,7 @@ X509 Certificate ASN1 (TBSCertificate, issuer, no string data)
+ x509parse_crt:"30253023a0030201028204deadbeef300d06092a864886f70d0101020500300731053003060013":"":POLARSSL_ERR_X509_INVALID_NAME + POLARSSL_ERR_ASN1_OUT_OF_DATA
+
+ X509 Certificate ASN1 (TBSCertificate, issuer, no full following string)
+-x509parse_crt:"302b3029a0030201028204deadbeef300d06092a864886f70d0101020500300d310b3009060013045465737400":"":POLARSSL_ERR_X509_INVALID_NAME + POLARSSL_ERR_ASN1_UNEXPECTED_TAG
++x509parse_crt:"302b3029a0030201028204deadbeef300d06092a864886f70d0101020500300d310b3009060013045465737400":"":POLARSSL_ERR_X509_FEATURE_UNAVAILABLE
+
+ X509 Certificate ASN1 (TBSCertificate, valid issuer, no validity)
+ x509parse_crt:"302a3028a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374":"":POLARSSL_ERR_X509_INVALID_DATE + POLARSSL_ERR_ASN1_OUT_OF_DATA
diff --git a/polarssl.spec b/polarssl.spec
index cad89eb..6aed2ca 100644
--- a/polarssl.spec
+++ b/polarssl.spec
@@ -1,12 +1,13 @@
Name: polarssl
Version: 1.3.2
-Release: 2%{?dist}
+Release: 3%{?dist}
Summary: Light-weight cryptographic and SSL/TLS library
Group: System Environment/Libraries
License: GPLv2+
URL: http://polarssl.org/
Source0: http://polarssl.org/download/%{name}-%{version}-gpl.tgz
Patch0: CVE-2014-4911.patch
+Patch1: CVE-2014-8628.patch
BuildRequires: cmake
BuildRequires: doxygen
@@ -38,6 +39,7 @@ developing applications that use %{name}.
%prep
%setup -q
%patch0 -p1 -b .CVE-2014-4911
+%patch1 -p1 -b .CVE-2014-8628
%build
%cmake -D CMAKE_BUILD_TYPE:String="Release" -D USE_SHARED_POLARSSL_LIBRARY:BOOL=1 .
@@ -69,6 +71,9 @@ mv $RPM_BUILD_ROOT%{_bindir} $RPM_BUILD_ROOT%{_libexecdir}/polarssl
%{_libdir}/*.so
%changelog
+* Wed Nov 12 2014 Morten Stevens <mstevens at imt-systems.com> - 1.3.2-3
+- CVE-2014-8628 (#1159845)
+
* Mon Jul 14 2014 Morten Stevens <mstevens at imt-systems.com> - 1.3.2-2
- CVE-2014-4911 (rhbz#1118931)
More information about the scm-commits
mailing list