From f15d1c4a97433880b929b06b8604e19d76f7cb36 Mon Sep 17 00:00:00 2001 From: Natanael Copa Date: Wed, 24 Mar 2021 12:41:25 +0100 Subject: main/gnutls: fix CVE-2021-20231 and CVE-2021-20232 fixes #12543 --- main/gnutls/APKBUILD | 11 +++++-- main/gnutls/CVE-2021-20231.patch | 62 ++++++++++++++++++++++++++++++++++++++++ main/gnutls/CVE-2021-20232.patch | 60 ++++++++++++++++++++++++++++++++++++++ 3 files changed, 131 insertions(+), 2 deletions(-) create mode 100644 main/gnutls/CVE-2021-20231.patch create mode 100644 main/gnutls/CVE-2021-20232.patch diff --git a/main/gnutls/APKBUILD b/main/gnutls/APKBUILD index 9ee64e49cf8..1cfa356915e 100644 --- a/main/gnutls/APKBUILD +++ b/main/gnutls/APKBUILD @@ -3,7 +3,7 @@ # Maintainer: Natanael Copa pkgname=gnutls pkgver=3.6.15 -pkgrel=0 +pkgrel=1 pkgdesc="A TLS protocol implementation" url="https://www.gnutls.org/" arch="all" @@ -17,9 +17,14 @@ case $pkgver in *.*.*.*) _v=${_v%.*};; esac source="https://www.gnupg.org/ftp/gcrypt/gnutls/v$_v/gnutls-$pkgver.tar.xz + CVE-2021-20231.patch + CVE-2021-20232.patch " # secfixes: +# 3.6.15-r1: +# - CVE-2021-20231 +# - CVE-2021-20232 # 3.6.15-r0: # - CVE-2020-24659 GNUTLS-SA-2020-09-04 # 3.6.14-r0: @@ -69,4 +74,6 @@ xx() { mv "$pkgdir"/usr/lib/lib*xx.so.* "$subpkgdir"/usr/lib/ } -sha512sums="f757d1532198f44bcad7b73856ce6a05bab43f6fb77fcc81c59607f146202f73023d0796d3e1e7471709cf792c8ee7d436e19407e0601bc0bda2f21512b3b01c gnutls-3.6.15.tar.xz" +sha512sums="f757d1532198f44bcad7b73856ce6a05bab43f6fb77fcc81c59607f146202f73023d0796d3e1e7471709cf792c8ee7d436e19407e0601bc0bda2f21512b3b01c gnutls-3.6.15.tar.xz +37261adbb9da45b3f2b11e65a148e19c825970d3342b2946ccbc4abbea9b61c8a90d79b220ddc16cdcad95ee26a77a53fac6400d68c76e2cf8aea5e22900e374 CVE-2021-20231.patch +9c6bffcccc2ac887f92f252be94a822465a79a5080d6e912c3f8ef44a53511f1eefb2fa876a3af6d21ddc2baf5717b8c454d6a79bd328fe52b02f4d27c12a505 CVE-2021-20232.patch" diff --git a/main/gnutls/CVE-2021-20231.patch b/main/gnutls/CVE-2021-20231.patch new file mode 100644 index 00000000000..36014467942 --- /dev/null +++ b/main/gnutls/CVE-2021-20231.patch @@ -0,0 +1,62 @@ +From 15beb4b193b2714d88107e7dffca781798684e7e Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Fri, 29 Jan 2021 14:06:32 +0100 +Subject: [PATCH] key_share: avoid use-after-free around realloc + +Signed-off-by: Daiki Ueno +--- + lib/ext/key_share.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +diff --git a/lib/ext/key_share.c b/lib/ext/key_share.c +index ab8abf8fe6..a8c4bb5cff 100644 +--- a/lib/ext/key_share.c ++++ b/lib/ext/key_share.c +@@ -664,14 +664,14 @@ key_share_send_params(gnutls_session_t session, + { + unsigned i; + int ret; +- unsigned char *lengthp; +- unsigned int cur_length; + unsigned int generated = 0; + const gnutls_group_entry_st *group; + const version_entry_st *ver; + + /* this extension is only being sent on client side */ + if (session->security_parameters.entity == GNUTLS_CLIENT) { ++ unsigned int length_pos; ++ + ver = _gnutls_version_max(session); + if (unlikely(ver == NULL || ver->key_shares == 0)) + return 0; +@@ -679,16 +679,13 @@ key_share_send_params(gnutls_session_t session, + if (!have_creds_for_tls13(session)) + return 0; + +- /* write the total length later */ +- lengthp = &extdata->data[extdata->length]; ++ length_pos = extdata->length; + + ret = + _gnutls_buffer_append_prefix(extdata, 16, 0); + if (ret < 0) + return gnutls_assert_val(ret); + +- cur_length = extdata->length; +- + if (session->internals.hsk_flags & HSK_HRR_RECEIVED) { /* we know the group */ + group = get_group(session); + if (unlikely(group == NULL)) +@@ -736,7 +733,8 @@ key_share_send_params(gnutls_session_t session, + } + + /* copy actual length */ +- _gnutls_write_uint16(extdata->length - cur_length, lengthp); ++ _gnutls_write_uint16(extdata->length - length_pos - 2, ++ &extdata->data[length_pos]); + + } else { /* server */ + ver = get_version(session); +-- +GitLab + diff --git a/main/gnutls/CVE-2021-20232.patch b/main/gnutls/CVE-2021-20232.patch new file mode 100644 index 00000000000..fd1575e4faf --- /dev/null +++ b/main/gnutls/CVE-2021-20232.patch @@ -0,0 +1,60 @@ +From 75a937d97f4fefc6f9b08e3791f151445f551cb3 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Fri, 29 Jan 2021 14:06:50 +0100 +Subject: [PATCH] pre_shared_key: avoid use-after-free around realloc + +Signed-off-by: Daiki Ueno +--- + lib/ext/pre_shared_key.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/lib/ext/pre_shared_key.c b/lib/ext/pre_shared_key.c +index a042c6488e..380bf39ed5 100644 +--- a/lib/ext/pre_shared_key.c ++++ b/lib/ext/pre_shared_key.c +@@ -267,7 +267,7 @@ client_send_params(gnutls_session_t session, + size_t spos; + gnutls_datum_t username = {NULL, 0}; + gnutls_datum_t user_key = {NULL, 0}, rkey = {NULL, 0}; +- gnutls_datum_t client_hello; ++ unsigned client_hello_len; + unsigned next_idx; + const mac_entry_st *prf_res = NULL; + const mac_entry_st *prf_psk = NULL; +@@ -428,8 +428,7 @@ client_send_params(gnutls_session_t session, + assert(extdata->length >= sizeof(mbuffer_st)); + assert(ext_offset >= (ssize_t)sizeof(mbuffer_st)); + ext_offset -= sizeof(mbuffer_st); +- client_hello.data = extdata->data+sizeof(mbuffer_st); +- client_hello.size = extdata->length-sizeof(mbuffer_st); ++ client_hello_len = extdata->length-sizeof(mbuffer_st); + + next_idx = 0; + +@@ -440,6 +439,11 @@ client_send_params(gnutls_session_t session, + } + + if (prf_res && rkey.size > 0) { ++ gnutls_datum_t client_hello; ++ ++ client_hello.data = extdata->data+sizeof(mbuffer_st); ++ client_hello.size = client_hello_len; ++ + ret = compute_psk_binder(session, prf_res, + binders_len, binders_pos, + ext_offset, &rkey, &client_hello, 1, +@@ -474,6 +478,11 @@ client_send_params(gnutls_session_t session, + } + + if (prf_psk && user_key.size > 0 && info) { ++ gnutls_datum_t client_hello; ++ ++ client_hello.data = extdata->data+sizeof(mbuffer_st); ++ client_hello.size = client_hello_len; ++ + ret = compute_psk_binder(session, prf_psk, + binders_len, binders_pos, + ext_offset, &user_key, &client_hello, 0, +-- +GitLab + -- cgit v1.2.3