diff --git a/backport-do-not-go-try-calculating-pdkdf2-with-0-iterations.patch b/backport-do-not-go-try-calculating-pdkdf2-with-0-iterations.patch
new file mode 100644
index 0000000000000000000000000000000000000000..09726201f7ed60db259213fb0bbfaa5065b2708a
--- /dev/null
+++ b/backport-do-not-go-try-calculating-pdkdf2-with-0-iterations.patch
@@ -0,0 +1,30 @@
+From 495aa9b57a3ce3ee546a0498ef232b4aa47d0f51 Mon Sep 17 00:00:00 2001
+From: Dmitry Baryshkov
+Date: Tue, 28 Jan 2020 13:05:14 +0300
+Subject: [PATCH] pkcs12: do not go try calculating pbkdf2 with 0 iterations
+
+Nettle will abort on a call to pbkdf2 if iterations is 0. Add check to
+GnuTLS PKCS12 GOST code to check that iter is not 0.
+
+Signed-off-by: Dmitry Baryshkov
+---
+ .../dcbb6c7d385ddf87823849890768b022dc9e1eff | Bin 0 -> 1011 bytes
+ lib/x509/pkcs12.c | 3 +++
+ 2 files changed, 3 insertions(+)
+
+diff --git a/lib/x509/pkcs12.c b/lib/x509/pkcs12.c
+index 8c3310d066..6324fb25a3 100644
+--- a/lib/x509/pkcs12.c
++++ b/lib/x509/pkcs12.c
+@@ -867,6 +867,9 @@ _gnutls_pkcs12_gost_string_to_key(gnutls_mac_algorithm_t algo,
+ size_t temp_len = sizeof(temp);
+ unsigned int pass_len = 0;
+
++ if (iter == 0)
++ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
++
+ if (pass)
+ pass_len = strlen(pass);
+
+--
+2.26.2
diff --git a/backport-x509-drop-endless-loop-in-print_crl.patch b/backport-x509-drop-endless-loop-in-print_crl.patch
new file mode 100644
index 0000000000000000000000000000000000000000..faafab0fff24519d9e426e578bbf8b014162e859
--- /dev/null
+++ b/backport-x509-drop-endless-loop-in-print_crl.patch
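Review bot: In the pkcs12 backport, the patch header's diffstat lists a 1011-byte binary file (`.../dcbb6c7d385ddf87823849890768b022dc9e1eff`) and "2 files changed", but the patch body carries only the `lib/x509/pkcs12.c` diff. Whatever input that file held (presumably the reproducer for the zero-iteration case) is not shipped, so the spec's `make check` step has nothing that exercises the new guard; either carry the file or add a small test that passes `iter == 0` and expects `GNUTLS_E_INVALID_REQUEST`. The added check would also benefit from a why-comment, for example `/* nettle aborts in pbkdf2 when iterations is 0; fail the request instead of aborting the process */`. The body of `_gnutls_pkcs12_gost_string_to_key` starts and ends outside the hunk, so where `iter` comes from and whether it has an upper bound cannot be judged from here.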
@@ -0,0 +1,34 @@
+From 283af4cd77058ba7fea8cff59c83d3f3f0231f9f Mon Sep 17 00:00:00 2001
+From: Dmitry Baryshkov
+Date: Tue, 10 Mar 2020 22:41:54 +0300
+Subject: [PATCH] x509: apply same fix to print_crl
+
+Signed-off-by: Dmitry Baryshkov
+---
+ lib/x509/output.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/lib/x509/output.c b/lib/x509/output.c
+index 6f829b06ac..c54902fe4d 100644
+--- a/lib/x509/output.c
++++ b/lib/x509/output.c
+@@ -2290,14 +2290,13 @@ print_crl(gnutls_buffer_st * str, gnutls_x509_crl_t crl, int notsigned)
+ oid,
+ &sizeof_oid,
+ &critical);
++ if (err == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
++ break;
+ if (err < 0) {
+- if (err ==
+- GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
+- break;
+ addf(str,
+ "error: get_extension_info: %s\n",
+ gnutls_strerror(err));
+- continue;
++ break;
+ }
+
+ if (i == 0)
+--
+2.26.2
diff --git a/backport-x509-drop-endless-loop-in-print_crq.patch b/backport-x509-drop-endless-loop-in-print_crq.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ea243ab2bae89eff2f660e064a385416c2330c51
--- /dev/null
+++ b/backport-x509-drop-endless-loop-in-print_crq.patch
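Review bot: In print_crl, the `break` that replaces `continue` after the `addf(...)` error line has no comment explaining why the loop must stop, and this patch's message says only "apply same fix", so the reasoning cannot be read from the patch or the patched source. Going by the description in the print_extensions patch, malformed input makes the getter return an error other than `GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE` for every index, so the old `continue` kept walking the index without terminating. A comment on the `break` such as `/* on malformed input the same error repeats for every index: stop here */` would record that. The same note applies to the matching hunks in print_crq and print_extensions. The loop itself starts and ends outside the hunk.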
@@ -0,0 +1,34 @@
+From 12609f4f97fb9a60d663f81571c07f7d297da0b3 Mon Sep 17 00:00:00 2001
+From: Dmitry Baryshkov
+Date: Tue, 10 Mar 2020 22:42:02 +0300
+Subject: [PATCH] x509: apply same fix to print_crq
+
+Signed-off-by: Dmitry Baryshkov
+---
+ lib/x509/output.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/lib/x509/output.c b/lib/x509/output.c
+index c54902fe4d..be179f5f39 100644
+--- a/lib/x509/output.c
++++ b/lib/x509/output.c
+@@ -2660,14 +2660,13 @@ print_crq(gnutls_buffer_st * str, gnutls_x509_crq_t cert,
+ gnutls_x509_crq_get_attribute_info(cert, i,
+ oid,
+ &sizeof_oid);
++ if (err == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
++ break;
+ if (err < 0) {
+- if (err ==
+- GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
+- break;
+ addf(str,
+ "error: get_extension_info: %s\n",
+ gnutls_strerror(err));
+- continue;
++ break;
+ }
+
+ if (i == 0)
+--
+2.26.2
diff --git a/backport-x509-drop-endless-loop-in-print_extensions.patch b/backport-x509-drop-endless-loop-in-print_extensions.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1969b0e8cb326d8dfb300b10d68416e97282c4cd
--- /dev/null
+++ b/backport-x509-drop-endless-loop-in-print_extensions.patch
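Review bot: In print_crq, the error line kept as context still reads `"error: get_extension_info: %s\n"`, but the call that failed in this loop is `gnutls_x509_crq_get_attribute_info`, so the message names the wrong getter. With the new `break`, that line is the only trace in the printed output of why the attribute list stops early, so it should point at the right call: `"error: get_attribute_info: %s\n"`. The string predates this patch, and any test that compares expected output may depend on it, so check those before changing it. The loop starts and ends outside the hunk.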
@@ -0,0 +1,38 @@
+From e04f45d0283a80c990a9e1d7537ab871b769fdaf Mon Sep 17 00:00:00 2001
+From: Dmitry Baryshkov
+Date: Tue, 10 Mar 2020 12:12:36 +0300
+Subject: [PATCH] x509: drop endless loop in print_extensions
+
+If crq is malformed in extensions part, print_extensions() might loop
+endlessly because gnutls_x509_crq_get_extension_info would return
+unhandled GNUTLS_ASN1_DER_ERROR looping over extension index, rather
+than bailing out. Fix this by handling this error code properly. Found
+thanks to oss-fuzz.
+
+Signed-off-by: Dmitry Baryshkov
+---
+ lib/x509/output.c | 6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/lib/x509/output.c b/lib/x509/output.c
+index 2aa78b478..6f829b06a 100644
+--- a/lib/x509/output.c
++++ b/lib/x509/output.c
+@@ -1281,12 +1281,12 @@ print_extensions(gnutls_buffer_st * str, const char *prefix, int type,
+ return;
+ }
+
++ if (err == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
++ break;
+ if (err < 0) {
+- if (err == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
+- break;
+ addf(str, "error: get_extension_info: %s\n",
+ gnutls_strerror(err));
+- continue;
++ break;
+ }
+
+ if (i == 0)
+--
+2.26.2
diff --git a/gnutls.spec b/gnutls.spec
index cfef1e2240aaed3d48127a52a08792c3a1d57469..5d9a7ee3ecf2c81130226bc93a67d8cfd47a701d 100644
--- a/gnutls.spec
+++ b/gnutls.spec
@@ -1,6 +1,6 @@ Name: gnutls Version: 3.6.9 -Release: 6 +Release: 7 Summary: The GNU Secure Communication Protocol Library License: LGPLv2.1+ and GPLv3+
@@ -9,6 +9,10 @@ Source0: https://www.gnupg.org/ftp/gcrypt/%{name}/v3.6/%{name}-%{version}.tar.xz Source1: https://www.gnupg.org/ftp/gcrypt/%{name}/v3.6/%{name}-%{version}.tar.xz.sig Patch0: fix-ipv6-handshake-failed.patch Patch1: fix-CVE-2020-11501-zeroed-random.patch +Patch2: backport-x509-drop-endless-loop-in-print_extensions.patch +Patch3: backport-x509-drop-endless-loop-in-print_crl.patch +Patch4: backport-x509-drop-endless-loop-in-print_crq.patch +Patch5: backport-do-not-go-try-calculating-pdkdf2-with-0-iterations.patch %bcond_without dane %bcond_with guile @@ -195,6 +199,9 @@ make check %{?_smp_mflags} %endif %changelog +* Mon Jun 8 2020 Anakin Zhang - 3.6.9-7 +- fix x509 drop endless loop and pkcs12 iterations + * Wed Apr 22 2020 Anakin Zhang - 3.6.9-6 - fix CVE-2020-11501