diff options
Diffstat (limited to 'patches/source/gnutls/gnutls-2.8.6_CVE-2012-1569.diff')
-rw-r--r-- | patches/source/gnutls/gnutls-2.8.6_CVE-2012-1569.diff | 62 |
1 files changed, 62 insertions, 0 deletions
diff --git a/patches/source/gnutls/gnutls-2.8.6_CVE-2012-1569.diff b/patches/source/gnutls/gnutls-2.8.6_CVE-2012-1569.diff new file mode 100644 index 00000000..4fc4f45b --- /dev/null +++ b/patches/source/gnutls/gnutls-2.8.6_CVE-2012-1569.diff @@ -0,0 +1,62 @@ +From d62dfe61dcf118aa397c39b3b23d8459c150c3b7 Mon Sep 17 00:00:00 2001 +From: mancha <mancha1@hush.com> +Date: Thu, 3 Oct 2013 +Subject: CVE-2012-1569 [GNUTLS-SA-2012-3] + +asn1_get_length_der() in decoding.c in GNU Libtasn1 before 2.12 +does not properly handle certain large length values. This can be +exploited by attackers to cause a DoS or other impacts via a +crafted ASN.1 structure. + +Fix adapted for use with libtasn1 embedded in GnuTLS 2.8.6. + +Relevant upstream patch: +------------------------ +http://article.gmane.org/gmane.comp.gnu.libtasn1.general/54 + +--- + decoding.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/lib/minitasn1/decoding.c ++++ b/lib/minitasn1/decoding.c +@@ -55,12 +55,13 @@ _asn1_error_description_tag_error (ASN1_TYPE node, char *ErrorDescription) + * Extract a length field from DER data. + * + * Return value: Return the decoded length value, or -1 on indefinite +- * length, or -2 when the value was too big. ++ * length, or -2 when the value was too big to fit in a int, or -4 ++ * when the decoded length value plus @len would exceed @der_len. + **/ + signed long + asn1_get_length_der (const unsigned char *der, int der_len, int *len) + { +- unsigned long ans; ++ int ans; + int k, punt; + + *len = 0; +@@ -83,7 +84,7 @@ asn1_get_length_der (const unsigned char *der, int der_len, int *len) + ans = 0; + while (punt <= k && punt < der_len) + { +- unsigned long last = ans; ++ int last = ans; + + ans = ans * 256 + der[punt++]; + if (ans < last) +@@ -93,10 +94,13 @@ asn1_get_length_der (const unsigned char *der, int der_len, int *len) + } + else + { /* indefinite length method */ +- ans = -1; ++ *len = punt; ++ return -1; + } + + *len = punt; ++ if (ans + *len < ans || ans + *len > der_len) ++ return -4; + return ans; + } + } |