summaryrefslogtreecommitdiff
path: root/patches/source/gnutls/gnutls-2.8.6_CVE-2012-1569.diff
diff options
context:
space:
mode:
Diffstat (limited to 'patches/source/gnutls/gnutls-2.8.6_CVE-2012-1569.diff')
-rw-r--r--patches/source/gnutls/gnutls-2.8.6_CVE-2012-1569.diff62
1 files changed, 62 insertions, 0 deletions
diff --git a/patches/source/gnutls/gnutls-2.8.6_CVE-2012-1569.diff b/patches/source/gnutls/gnutls-2.8.6_CVE-2012-1569.diff
new file mode 100644
index 00000000..4fc4f45b
--- /dev/null
+++ b/patches/source/gnutls/gnutls-2.8.6_CVE-2012-1569.diff
@@ -0,0 +1,62 @@
+From d62dfe61dcf118aa397c39b3b23d8459c150c3b7 Mon Sep 17 00:00:00 2001
+From: mancha <mancha1@hush.com>
+Date: Thu, 3 Oct 2013
+Subject: CVE-2012-1569 [GNUTLS-SA-2012-3]
+
+asn1_get_length_der() in decoding.c in GNU Libtasn1 before 2.12
+does not properly handle certain large length values. This can be
+exploited by attackers to cause a DoS or other impacts via a
+crafted ASN.1 structure.
+
+Fix adapted for use with libtasn1 embedded in GnuTLS 2.8.6.
+
+Relevant upstream patch:
+------------------------
+http://article.gmane.org/gmane.comp.gnu.libtasn1.general/54
+
+---
+ decoding.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/lib/minitasn1/decoding.c
++++ b/lib/minitasn1/decoding.c
+@@ -55,12 +55,13 @@ _asn1_error_description_tag_error (ASN1_TYPE node, char *ErrorDescription)
+ * Extract a length field from DER data.
+ *
+ * Return value: Return the decoded length value, or -1 on indefinite
+- * length, or -2 when the value was too big.
++ * length, or -2 when the value was too big to fit in a int, or -4
++ * when the decoded length value plus @len would exceed @der_len.
+ **/
+ signed long
+ asn1_get_length_der (const unsigned char *der, int der_len, int *len)
+ {
+- unsigned long ans;
++ int ans;
+ int k, punt;
+
+ *len = 0;
+@@ -83,7 +84,7 @@ asn1_get_length_der (const unsigned char *der, int der_len, int *len)
+ ans = 0;
+ while (punt <= k && punt < der_len)
+ {
+- unsigned long last = ans;
++ int last = ans;
+
+ ans = ans * 256 + der[punt++];
+ if (ans < last)
+@@ -93,10 +94,13 @@ asn1_get_length_der (const unsigned char *der, int der_len, int *len)
+ }
+ else
+ { /* indefinite length method */
+- ans = -1;
++ *len = punt;
++ return -1;
+ }
+
+ *len = punt;
++ if (ans + *len < ans || ans + *len > der_len)
++ return -4;
+ return ans;
+ }
+ }