diff -Nru gnutls28-3.4.10/debian/changelog gnutls28-3.4.10/debian/changelog --- gnutls28-3.4.10/debian/changelog 2017-01-26 16:29:37.000000000 +0000 +++ gnutls28-3.4.10/debian/changelog 2017-06-12 13:32:37.000000000 +0000 @@ -1,3 +1,22 @@ +gnutls28 (3.4.10-4ubuntu1.3) xenial-security; urgency=medium + + * SECURITY UPDATE: null pointer dereference via status response TLS + extension decoding + - debian/patches/CVE-2017-7507-1.patch: ensure response IDs are + properly deinitialized in lib/ext/status_request.c. + - debian/patches/CVE-2017-7507-2.patch: remove parsing of responder IDs + from client extension in lib/ext/status_request.c. + - debian/patches/CVE-2017-7507-3.patch: documented requirements for + parameters in lib/ext/status_request.c. + - CVE-2017-7507 + * SECURITY UPDATE: DoS and possible code execution via OpenPGP + certificate decoding + - debian/patches/CVE-2017-7869.patch: enforce packet limits in + lib/opencdk/read-packet.c. + - CVE-2017-7869 + + -- Marc Deslauriers Mon, 12 Jun 2017 09:32:37 -0400 + gnutls28 (3.4.10-4ubuntu1.2) xenial-security; urgency=medium * SECURITY UPDATE: OCSP validation issue diff -Nru gnutls28-3.4.10/debian/patches/CVE-2017-7507-1.patch gnutls28-3.4.10/debian/patches/CVE-2017-7507-1.patch --- gnutls28-3.4.10/debian/patches/CVE-2017-7507-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ gnutls28-3.4.10/debian/patches/CVE-2017-7507-1.patch 2017-06-12 13:31:51.000000000 +0000 
@@ -0,0 +1,67 @@ +From 4c4d35264fada08b6536425c051fb8e0b05ee86b Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos +Date: Wed, 24 May 2017 10:46:03 +0200 +Subject: [PATCH] ext/status_request: ensure response IDs are properly deinitialized + +That is, do not attempt to loop through the array if there is no array +allocated. + +Signed-off-by: Nikos Mavrogiannopoulos +--- + lib/ext/status_request.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +Index: gnutls28-3.4.10/lib/ext/status_request.c +=================================================================== +--- gnutls28-3.4.10.orig/lib/ext/status_request.c 2017-06-12 09:31:49.636110502 -0400 ++++ gnutls28-3.4.10/lib/ext/status_request.c 2017-06-12 09:31:49.612110214 -0400 +@@ -68,7 +68,10 @@ typedef struct { + + static void deinit_responder_id(status_request_ext_st *priv) + { +-unsigned i; ++ unsigned i; ++ ++ if (priv->responder_id == NULL) ++ return; + + for (i = 0; i < priv->responder_id_size; i++) + gnutls_free(priv->responder_id[i].data); +@@ -134,6 +137,7 @@ server_recv(gnutls_session_t session, + { + size_t i; + ssize_t data_size = size; ++ unsigned responder_ids = 0; + + /* minimum message is type (1) + responder_id_list (2) + + request_extension (2) = 5 */ +@@ -152,23 +156,24 @@ server_recv(gnutls_session_t session, + DECR_LEN(data_size, 1); + data++; + +- priv->responder_id_size = _gnutls_read_uint16(data); ++ responder_ids = _gnutls_read_uint16(data); + + DECR_LEN(data_size, 2); + data += 2; + +- if (data_size <= (ssize_t) (priv->responder_id_size * 2)) ++ if (data_size <= (ssize_t) (responder_ids * 2)) + return + gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); + +- if (priv->responder_id != NULL) +- deinit_responder_id(priv); ++ deinit_responder_id(priv); + +- priv->responder_id = gnutls_calloc(1, priv->responder_id_size ++ priv->responder_id = gnutls_calloc(1, responder_ids + * sizeof(*priv->responder_id)); + if (priv->responder_id == NULL) + return 
gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); + ++ priv->responder_id_size = responder_ids; ++ + for (i = 0; i < priv->responder_id_size; i++) { + size_t l; + diff -Nru gnutls28-3.4.10/debian/patches/CVE-2017-7507-2.patch gnutls28-3.4.10/debian/patches/CVE-2017-7507-2.patch --- gnutls28-3.4.10/debian/patches/CVE-2017-7507-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ gnutls28-3.4.10/debian/patches/CVE-2017-7507-2.patch 2017-06-12 13:32:18.000000000 +0000 
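Review bot: The empty-list case in server_recv still reaches `priv->responder_id = gnutls_calloc(1, responder_ids * sizeof(*priv->responder_id))` with a size of 0 when the client sends a responder_id_list of zero entries; if the installed allocator returns NULL for zero-byte requests, which calloc is permitted to do, a well-formed ClientHello is then rejected with GNUTLS_E_MEMORY_ERROR. Skipping the allocation for that case, e.g. `if (responder_ids == 0) return 0;` placed before the calloc, keeps responder_id/responder_id_size at NULL/0 (which the guarded deinit_responder_id now handles) instead of turning a valid empty list into a handshake failure. The loop body that follows, and the end of server_recv, are outside the hunk.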
@@ -0,0 +1,120 @@ +From 3efb6c5fd0e3822ec11879d5bcbea0e8d322cd03 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos +Date: Wed, 24 May 2017 11:38:16 +0200 +Subject: [PATCH] ext/status_request: Removed the parsing of responder IDs from client extension + +These values were never used by gnutls, nor were accessible to applications, +and as such there is not reason to parse them. + +Signed-off-by: Nikos Mavrogiannopoulos +--- + lib/ext/status_request.c | 68 ++++++++++++++++---------------------------------------------------- + 1 file changed, 16 insertions(+), 52 deletions(-) + +Index: gnutls28-3.4.10/lib/ext/status_request.c +=================================================================== +--- gnutls28-3.4.10.orig/lib/ext/status_request.c 2017-06-12 09:31:57.940210185 -0400 ++++ gnutls28-3.4.10/lib/ext/status_request.c 2017-06-12 09:31:57.936210137 -0400 +@@ -66,21 +66,6 @@ typedef struct { + opaque Extensions<0..2^16-1>; + */ + +-static void deinit_responder_id(status_request_ext_st *priv) +-{ +- unsigned i; +- +- if (priv->responder_id == NULL) +- return; +- +- for (i = 0; i < priv->responder_id_size; i++) +- gnutls_free(priv->responder_id[i].data); +- +- gnutls_free(priv->responder_id); +- priv->responder_id = NULL; +- priv->responder_id_size = 0; +-} +- + + static int + client_send(gnutls_session_t session, +@@ -135,9 +120,8 @@ server_recv(gnutls_session_t session, + status_request_ext_st * priv, + const uint8_t * data, size_t size) + { +- size_t i; + ssize_t data_size = size; +- unsigned responder_ids = 0; ++ unsigned rid_bytes = 0; + + /* minimum message is type (1) + responder_id_list (2) + + request_extension (2) = 5 */ +@@ -156,44 +140,17 @@ server_recv(gnutls_session_t session, + DECR_LEN(data_size, 1); + data++; + +- responder_ids = _gnutls_read_uint16(data); ++ rid_bytes = _gnutls_read_uint16(data); + + DECR_LEN(data_size, 2); +- data += 2; ++ /*data += 2;*/ + +- if (data_size <= (ssize_t) (responder_ids * 2)) ++ /* sanity check only, we don't 
use any of the data below */ ++ ++ if (data_size < (ssize_t)rid_bytes) + return + gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); + +- deinit_responder_id(priv); +- +- priv->responder_id = gnutls_calloc(1, responder_ids +- * sizeof(*priv->responder_id)); +- if (priv->responder_id == NULL) +- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); +- +- priv->responder_id_size = responder_ids; +- +- for (i = 0; i < priv->responder_id_size; i++) { +- size_t l; +- +- DECR_LEN(data_size, 2); +- +- l = _gnutls_read_uint16(data); +- data += 2; +- +- DECR_LEN(data_size, l); +- +- priv->responder_id[i].data = gnutls_malloc(l); +- if (priv->responder_id[i].data == NULL) +- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); +- +- memcpy(priv->responder_id[i].data, data, l); +- priv->responder_id[i].size = l; +- +- data += l; +- } +- + return 0; + } + +@@ -477,11 +434,18 @@ gnutls_certificate_set_ocsp_status_reque + static void _gnutls_status_request_deinit_data(extension_priv_data_t epriv) + { + status_request_ext_st *priv = epriv; ++ unsigned i; + + if (priv == NULL) + return; + +- deinit_responder_id(priv); ++ if (priv->responder_id != NULL) { ++ for (i = 0; i < priv->responder_id_size; i++) ++ gnutls_free(priv->responder_id[i].data); ++ ++ gnutls_free(priv->responder_id); ++ } ++ + gnutls_free(priv->request_extensions.data); + gnutls_free(priv->response.data); + gnutls_free(priv); diff -Nru gnutls28-3.4.10/debian/patches/CVE-2017-7507-3.patch gnutls28-3.4.10/debian/patches/CVE-2017-7507-3.patch --- gnutls28-3.4.10/debian/patches/CVE-2017-7507-3.patch 1970-01-01 00:00:00.000000000 +0000 +++ gnutls28-3.4.10/debian/patches/CVE-2017-7507-3.patch 2017-06-12 13:32:34.000000000 +0000 
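Review bot: The new sanity check `if (data_size < (ssize_t)rid_bytes)` in server_recv only verifies that the responder_id_list fits in the remaining bytes; it does not account for the two-byte length of the request_extensions field that the wire format quoted in the comment above (`opaque Extensions<0..2^16-1>`) places after the list, so an extension truncated right after the responder list passes as well-formed. Nothing below uses the data, so this is leniency rather than a memory-safety issue, but `if (data_size < (ssize_t)rid_bytes + 2)` would match the documented layout at no cost. The commented-out `/*data += 2;*/` is dead text and should be deleted rather than kept as a comment. server_recv ends inside the hunk; the struct comment quoting the format starts before it, and _gnutls_status_request_deinit_data runs past the hunk's end.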
@@ -0,0 +1,36 @@ +From e1d6c59a7b0392fb3b8b75035614084a53e2c8c9 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos +Date: Wed, 24 May 2017 11:48:24 +0200 +Subject: [PATCH] gnutls_ocsp_status_request_enable_client: documented requirements for parameters + +That is, the fact that extensions and responder_id parameters must be +allocated, and are assigned to the session. + +Signed-off-by: Nikos Mavrogiannopoulos +--- + lib/ext/status_request.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +Index: gnutls28-3.4.10/lib/ext/status_request.c +=================================================================== +--- gnutls28-3.4.10.orig/lib/ext/status_request.c 2017-06-12 09:32:31.988618904 -0400 ++++ gnutls28-3.4.10/lib/ext/status_request.c 2017-06-12 09:32:31.984618855 -0400 +@@ -265,9 +265,15 @@ _gnutls_status_request_recv_params(gnutl + * + * This function is to be used by clients to request OCSP response + * from the server, using the "status_request" TLS extension. Only +- * OCSP status type is supported. A typical server has a single +- * OCSP response cached, so @responder_id and @extensions +- * should be null. ++ * OCSP status type is supported. ++ * ++ * The @responder_id array, its containing elements as well as ++ * the data of @extensions, must be allocated using gnutls_malloc(). They ++ * will be deinitialized on session cleanup. ++ * ++ * Due to the difficult semantics of the @responder_id and @extensions ++ * parameters, it is recommended to only call this function with these ++ * parameters set to %NULL. + * + * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, + * otherwise a negative error code is returned. diff -Nru gnutls28-3.4.10/debian/patches/CVE-2017-7869.patch gnutls28-3.4.10/debian/patches/CVE-2017-7869.patch --- gnutls28-3.4.10/debian/patches/CVE-2017-7869.patch 1970-01-01 00:00:00.000000000 +0000 +++ gnutls28-3.4.10/debian/patches/CVE-2017-7869.patch 2017-06-12 13:31:43.000000000 +0000 
@@ -0,0 +1,54 @@ +Backport of: + +From 51464af713d71802e3c6d5ac15f1a95132a354fe Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos +Date: Mon, 20 Feb 2017 11:13:08 +0100 +Subject: [PATCH] cdk_pkt_read: enforce packet limits + +That ensures that there are no overflows in the subsequent +calculations. + +Resolves the oss-fuzz found bug: +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=420 + +Relates: #159 + +Signed-off-by: Nikos Mavrogiannopoulos +--- + lib/opencdk/read-packet.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +Index: gnutls28-3.5.6/lib/opencdk/read-packet.c +=================================================================== +--- gnutls28-3.5.6.orig/lib/opencdk/read-packet.c 2017-06-12 09:25:46.991757303 -0400 ++++ gnutls28-3.5.6/lib/opencdk/read-packet.c 2017-06-12 09:25:46.987757255 -0400 +@@ -936,6 +936,7 @@ static void skip_packet(cdk_stream_t inp + assert(pktlen == 0); + } + ++#define MAX_PACKET_LEN (1<<24) + + /** + * cdk_pkt_read: +@@ -988,6 +989,13 @@ cdk_error_t cdk_pkt_read(cdk_stream_t in + else + read_old_length(inp, ctb, &pktlen, &pktsize); + ++ /* enforce limits to ensure that the following calculations ++ * do not overflow */ ++ if (pktlen >= MAX_PACKET_LEN || pktsize >= MAX_PACKET_LEN) { ++ _cdk_log_info("cdk_pkt_read: too long packet\n"); ++ return gnutls_assert_val(CDK_Inv_Packet); ++ } ++ + pkt->pkttype = pkttype; + pkt->pktlen = pktlen; + pkt->pktsize = pktsize + pktlen; +@@ -1012,6 +1020,7 @@ cdk_error_t cdk_pkt_read(cdk_stream_t in + break; + + case CDK_PKT_USER_ID: ++ + pkt->pkt.user_id = cdk_calloc(1, sizeof *pkt->pkt.user_id + + pkt->pktlen + 1); + if (!pkt->pkt.user_id) diff -Nru gnutls28-3.4.10/debian/patches/series gnutls28-3.4.10/debian/patches/series --- gnutls28-3.4.10/debian/patches/series 2017-01-26 16:28:49.000000000 +0000 +++ gnutls28-3.4.10/debian/patches/series 2017-06-12 13:32:30.000000000 +0000 
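Review bot: The patch headers name `Index: gnutls28-3.5.6/lib/opencdk/read-packet.c` (and the same path on the ---/+++ lines) while the package and every other patch in this upload are gnutls28-3.4.10; quilt's -p1 strip makes it apply regardless, but it indicates the hunk was produced against a different tree, so it is worth confirming that the `@@ -988,6 +989,13 @@` context (the `else read_old_length(inp, ctb, &pktlen, &pktsize);` branch) landed at the intended spot in 3.4.10 rather than being placed by fuzz. Regenerating the patch from the 3.4.10 source, with `Index: gnutls28-3.4.10/lib/opencdk/read-packet.c`, would keep the series consistent. The empty line added after `case CDK_PKT_USER_ID:` is an unrelated whitespace change and could be dropped. cdk_pkt_read starts and ends outside the hunk, so the types of pktlen and pktsize being compared against `MAX_PACKET_LEN` cannot be checked here.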
@@ -12,3 +12,7 @@
 CVE-2017-5336.patch
 CVE-2017-5337.patch
 fix_expired_certs.patch
+CVE-2017-7869.patch
+CVE-2017-7507-1.patch
+CVE-2017-7507-2.patch
+CVE-2017-7507-3.patch