[polarssl/el6] Fix for CVE-2014-8628

Morten Stevens mstevens at fedoraproject.org
Wed Nov 12 14:41:12 UTC 2014 

commit 457ca71d8650a2424488594d5bf0cca4d8b58d8f
Author: Morten Stevens <mstevens at imt-systems.com>
Date:   Wed Nov 12 15:41:02 2014 +0100

    Fix for CVE-2014-8628

 CVE-2014-8628.patch |  110 +++++++++++++++++++++++++++++++++++++++++++++++++++
 polarssl.spec       |    7 +++-
 2 files changed, 116 insertions(+), 1 deletions(-)
---
diff --git a/CVE-2014-8628.patch b/CVE-2014-8628.patch
new file mode 100644
index 0000000..305d661
--- /dev/null
+++ b/CVE-2014-8628.patch
@@ -0,0 +1,110 @@
+--- a/library/ssl_srv.c
++++ b/library/ssl_srv.c
+@@ -528,6 +528,13 @@ static int ssl_parse_supported_elliptic_curves( ssl_context *ssl,
+         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
+     }
+ 
++    /* Should never happen unless client duplicates the extension */
++    if( ssl->handshake->curves != NULL )
++    {
++        SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
++        return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
++    }
++
+     /* Don't allow our peer to make use allocated too much memory,
+      * and leave room for a final 0 */
+     our_size = list_size / 2 + 1;
+diff --git a/library/x509.c b/library/x509.c
+index 49f7672..941472c 100644
+--- a/library/x509.c
++++ b/library/x509.c
+@@ -409,58 +409,47 @@ static int x509_get_attr_type_value( unsigned char **p,
+  *  AttributeType ::= OBJECT IDENTIFIER
+  *
+  *  AttributeValue ::= ANY DEFINED BY AttributeType
++ *
++ *  We restrict RelativeDistinguishedName to be a set of 1 element. This is
++ *  the most common case, and our x509_name structure currently can't handle
++ *  more than that.
+  */
+ int x509_get_name( unsigned char **p, const unsigned char *end,
+                    x509_name *cur )
+ {
+     int ret;
+-    size_t len;
+-    const unsigned char *end2;
+-    x509_name *use;
++    size_t set_len;
++    const unsigned char *end_set;
+ 
+-    if( ( ret = asn1_get_tag( p, end, &len,
++    /*
++     * parse first SET, restricted to 1 element
++     */
++    if( ( ret = asn1_get_tag( p, end, &set_len,
+             ASN1_CONSTRUCTED | ASN1_SET ) ) != 0 )
+         return( POLARSSL_ERR_X509_INVALID_NAME + ret );
+ 
+-    end2 = end;
+-    end  = *p + len;
+-    use = cur;
+-
+-    do
+-    {
+-        if( ( ret = x509_get_attr_type_value( p, end, use ) ) != 0 )
+-            return( ret );
++    end_set  = *p + set_len;
+ 
+-        if( *p != end )
+-        {
+-            use->next = (x509_name *) polarssl_malloc(
+-                    sizeof( x509_name ) );
+-
+-            if( use->next == NULL )
+-                return( POLARSSL_ERR_X509_MALLOC_FAILED );
++    if( ( ret = x509_get_attr_type_value( p, end_set, cur ) ) != 0 )
++        return( ret );
+ 
+-            memset( use->next, 0, sizeof( x509_name ) );
+-
+-            use = use->next;
+-        }
+-    }
+-    while( *p != end );
++    if( *p != end_set )
++        return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE );
+ 
+     /*
+      * recurse until end of SEQUENCE is reached
+      */
+-    if( *p == end2 )
++    if( *p == end )
+         return( 0 );
+ 
+-    cur->next = (x509_name *) polarssl_malloc(
+-         sizeof( x509_name ) );
++    cur->next = (x509_name *) polarssl_malloc( sizeof( x509_name ) );
+ 
+     if( cur->next == NULL )
+         return( POLARSSL_ERR_X509_MALLOC_FAILED );
+ 
+     memset( cur->next, 0, sizeof( x509_name ) );
+ 
+-    return( x509_get_name( p, end2, cur->next ) );
++    return( x509_get_name( p, end, cur->next ) );
+ }
+ 
+ /*
+diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
+index 4cec070..c5c4af7 100644
+--- a/tests/suites/test_suite_x509parse.data
++++ b/tests/suites/test_suite_x509parse.data
+@@ -750,7 +750,7 @@ X509 Certificate ASN1 (TBSCertificate, issuer, no string data)
+ x509parse_crt:"30253023a0030201028204deadbeef300d06092a864886f70d0101020500300731053003060013":"":POLARSSL_ERR_X509_INVALID_NAME + POLARSSL_ERR_ASN1_OUT_OF_DATA
+ 
+ X509 Certificate ASN1 (TBSCertificate, issuer, no full following string)
+-x509parse_crt:"302b3029a0030201028204deadbeef300d06092a864886f70d0101020500300d310b3009060013045465737400":"":POLARSSL_ERR_X509_INVALID_NAME + POLARSSL_ERR_ASN1_UNEXPECTED_TAG
++x509parse_crt:"302b3029a0030201028204deadbeef300d06092a864886f70d0101020500300d310b3009060013045465737400":"":POLARSSL_ERR_X509_FEATURE_UNAVAILABLE
+ 
+ X509 Certificate ASN1 (TBSCertificate, valid issuer, no validity)
+ x509parse_crt:"302a3028a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374":"":POLARSSL_ERR_X509_INVALID_DATE + POLARSSL_ERR_ASN1_OUT_OF_DATA
diff --git a/polarssl.spec b/polarssl.spec
index cad89eb..6aed2ca 100644
--- a/polarssl.spec
+++ b/polarssl.spec
@@ -1,12 +1,13 @@
 Name: polarssl
 Version: 1.3.2
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: Light-weight cryptographic and SSL/TLS library
 Group: System Environment/Libraries
 License: GPLv2+
 URL: http://polarssl.org/
 Source0: http://polarssl.org/download/%{name}-%{version}-gpl.tgz
 Patch0: CVE-2014-4911.patch
+Patch1: CVE-2014-8628.patch
 
 BuildRequires: cmake
 BuildRequires: doxygen
@@ -38,6 +39,7 @@ developing applications that use %{name}.
 %prep
 %setup -q
 %patch0 -p1 -b .CVE-2014-4911
+%patch1 -p1 -b .CVE-2014-8628
 
 %build
 %cmake -D CMAKE_BUILD_TYPE:String="Release" -D USE_SHARED_POLARSSL_LIBRARY:BOOL=1 .
@@ -69,6 +71,9 @@ mv $RPM_BUILD_ROOT%{_bindir} $RPM_BUILD_ROOT%{_libexecdir}/polarssl
 %{_libdir}/*.so
 
 %changelog
+* Wed Nov 12 2014 Morten Stevens <mstevens at imt-systems.com> - 1.3.2-3
+- CVE-2014-8628 (#1159845)
+
 * Mon Jul 14 2014 Morten Stevens <mstevens at imt-systems.com> - 1.3.2-2
 - CVE-2014-4911 (rhbz#1118931)

More information about the scm-commits mailing list