Control: found -1 3.3.8-1

On 2017-06-10 Salvatore Bonaccorso <car...@debian.org> wrote:
> Source: gnutls28
> Version: 3.5.8-1
[...]
> the following vulnerability was published for gnutls28.
>
> CVE-2017-7507[0]:
> Crash upon receiving well-formed status_request extension
[...]
> Please adjust the affected versions in the BTS as needed, just checked
> 3.5.8 in unstable sourcewise. Not sure as well if it would need a DSA
> if older versions are affected as well.

Hello Salvatore,

thank you for notifying me, I somehow missed this when reading 3.5.13's
NEWS. It does apply to stable. There is a patchset on upstream's
gnutls_3_3_x branch which applies without fuzz to 3.3.8. (See attachment.)
If you are not doing a DSA I can try to fix this in jessie and stretch
point releases.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are so
grateful to you.'
`I sew his ears on from time to time, sure'
diff -Nru gnutls28-3.3.8/debian/changelog gnutls28-3.3.8/debian/changelog --- gnutls28-3.3.8/debian/changelog 2017-04-27 18:10:54.000000000 +0200 +++ gnutls28-3.3.8/debian/changelog 2017-06-11 18:07:39.000000000 +0200 @@ -1,3 +1,14 @@ +gnutls28 (3.3.8-6+deb8u6) UNRELEASED; urgency=medium + + * 56_CVE-2017-7507_1-ext-status_request-ensure-response-IDs-are-pro.patch + 56_CVE-2017-7507_2-ext-status_request-Removed-the-parsing-of-resp.patch + 56_CVE-2017-7507_3-gnutls_ocsp_status_request_enable_client-docum.patch + from upstream gnutls_3_3_x branch: Fix crash upon receiving + well-formed status_request extension. GNUTLS-SA-2017-4/CVE-2017-7507 + Closes: #864560 + + -- Andreas Metzler <ametz...@debian.org> Sun, 11 Jun 2017 11:31:58 +0200 + gnutls28 (3.3.8-6+deb8u5) jessie; urgency=medium * Pull multiple fixes from gnutls_3_3_x branch: diff -Nru gnutls28-3.3.8/debian/patches/56_CVE-2017-7507_1-ext-status_request-ensure-response-IDs-are-pro.patch gnutls28-3.3.8/debian/patches/56_CVE-2017-7507_1-ext-status_request-ensure-response-IDs-are-pro.patch --- gnutls28-3.3.8/debian/patches/56_CVE-2017-7507_1-ext-status_request-ensure-response-IDs-are-pro.patch 1970-01-01 01:00:00.000000000 +0100 +++ gnutls28-3.3.8/debian/patches/56_CVE-2017-7507_1-ext-status_request-ensure-response-IDs-are-pro.patch 2017-06-11 18:03:10.000000000 +0200 
@@ -0,0 +1,71 @@ +From 9d95c912b5843e664c8210887a6719f02a9028be Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <n...@redhat.com> +Date: Wed, 24 May 2017 10:46:03 +0200 +Subject: [PATCH 1/3] ext/status_request: ensure response IDs are properly + deinitialized + +That is, do not attempt to loop through the array if there is no array +allocated. + +Signed-off-by: Nikos Mavrogiannopoulos <n...@redhat.com> +--- + lib/ext/status_request.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/lib/ext/status_request.c b/lib/ext/status_request.c +index 8cefc617e..1340dbbb5 100644 +--- a/lib/ext/status_request.c ++++ b/lib/ext/status_request.c +@@ -68,7 +68,10 @@ typedef struct { + + static void deinit_responder_id(status_request_ext_st *priv) + { +-unsigned i; ++ unsigned i; ++ ++ if (priv->responder_id == NULL) ++ return; + + for (i = 0; i < priv->responder_id_size; i++) + gnutls_free(priv->responder_id[i].data); +@@ -134,6 +137,7 @@ server_recv(gnutls_session_t session, + { + size_t i; + ssize_t data_size = size; ++ unsigned responder_ids = 0; + + /* minimum message is type (1) + responder_id_list (2) + + request_extension (2) = 5 */ +@@ -152,23 +156,24 @@ server_recv(gnutls_session_t session, + DECR_LEN(data_size, 1); + data++; + +- priv->responder_id_size = _gnutls_read_uint16(data); ++ responder_ids = _gnutls_read_uint16(data); + + DECR_LEN(data_size, 2); + data += 2; + +- if (data_size <= (ssize_t) (priv->responder_id_size * 2)) ++ if (data_size <= (ssize_t) (responder_ids * 2)) + return + gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); + +- if (priv->responder_id != NULL) +- deinit_responder_id(priv); ++ deinit_responder_id(priv); + +- priv->responder_id = gnutls_calloc(1, priv->responder_id_size ++ priv->responder_id = gnutls_calloc(1, responder_ids + * sizeof(*priv->responder_id)); + if (priv->responder_id == NULL) + return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); + ++ priv->responder_id_size = responder_ids; ++ 
+ for (i = 0; i < priv->responder_id_size; i++) { + size_t l; + +-- +2.11.0 + diff -Nru gnutls28-3.3.8/debian/patches/56_CVE-2017-7507_2-ext-status_request-Removed-the-parsing-of-resp.patch gnutls28-3.3.8/debian/patches/56_CVE-2017-7507_2-ext-status_request-Removed-the-parsing-of-resp.patch --- gnutls28-3.3.8/debian/patches/56_CVE-2017-7507_2-ext-status_request-Removed-the-parsing-of-resp.patch 1970-01-01 01:00:00.000000000 +0100 +++ gnutls28-3.3.8/debian/patches/56_CVE-2017-7507_2-ext-status_request-Removed-the-parsing-of-resp.patch 2017-06-11 18:03:10.000000000 +0200 
@@ -0,0 +1,132 @@ +From 023a20d21b762918d3e1ab25a207ecf874ba21a9 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <n...@redhat.com> +Date: Wed, 24 May 2017 11:38:16 +0200 +Subject: [PATCH 2/3] ext/status_request: Removed the parsing of responder IDs + from client extension + +These values were never used by gnutls, nor were accessible to applications, +and as such there is not reason to parse them. + +Signed-off-by: Nikos Mavrogiannopoulos <n...@redhat.com> +--- + lib/ext/status_request.c | 67 ++++++++++++------------------------------------ + 1 file changed, 16 insertions(+), 51 deletions(-) + +diff --git a/lib/ext/status_request.c b/lib/ext/status_request.c +index 1340dbbb5..c7c065e5e 100644 +--- a/lib/ext/status_request.c ++++ b/lib/ext/status_request.c +@@ -1,5 +1,6 @@ + /* +- * Copyright (C) 2012 Free Software Foundation, Inc. ++ * Copyright (C) 2012-2017 Free Software Foundation, Inc. ++ * Copyright (C) 2017 Red Hat, Inc. + * + * Author: Simon Josefsson, Nikos Mavrogiannopoulos + * +@@ -66,21 +67,6 @@ typedef struct { + opaque Extensions<0..2^16-1>; + */ + +-static void deinit_responder_id(status_request_ext_st *priv) +-{ +- unsigned i; +- +- if (priv->responder_id == NULL) +- return; +- +- for (i = 0; i < priv->responder_id_size; i++) +- gnutls_free(priv->responder_id[i].data); +- +- gnutls_free(priv->responder_id); +- priv->responder_id = NULL; +- priv->responder_id_size = 0; +-} +- + + static int + client_send(gnutls_session_t session, +@@ -135,9 +121,8 @@ server_recv(gnutls_session_t session, + status_request_ext_st * priv, + const uint8_t * data, size_t size) + { +- size_t i; + ssize_t data_size = size; +- unsigned responder_ids = 0; ++ unsigned rid_bytes = 0; + + /* minimum message is type (1) + responder_id_list (2) + + request_extension (2) = 5 */ +@@ -156,44 +141,17 @@ server_recv(gnutls_session_t session, + DECR_LEN(data_size, 1); + data++; + +- responder_ids = _gnutls_read_uint16(data); ++ rid_bytes = _gnutls_read_uint16(data); + + 
DECR_LEN(data_size, 2); +- data += 2; ++ /*data += 2;*/ + +- if (data_size <= (ssize_t) (responder_ids * 2)) ++ /* sanity check only, we don't use any of the data below */ ++ ++ if (data_size < (ssize_t)rid_bytes) + return + gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); + +- deinit_responder_id(priv); +- +- priv->responder_id = gnutls_calloc(1, responder_ids +- * sizeof(*priv->responder_id)); +- if (priv->responder_id == NULL) +- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); +- +- priv->responder_id_size = responder_ids; +- +- for (i = 0; i < priv->responder_id_size; i++) { +- size_t l; +- +- DECR_LEN(data_size, 2); +- +- l = _gnutls_read_uint16(data); +- data += 2; +- +- DECR_LEN(data_size, l); +- +- priv->responder_id[i].data = gnutls_malloc(l); +- if (priv->responder_id[i].data == NULL) +- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); +- +- memcpy(priv->responder_id[i].data, data, l); +- priv->responder_id[i].size = l; +- +- data += l; +- } +- + return 0; + } + +@@ -477,11 +435,18 @@ gnutls_certificate_set_ocsp_status_request_file + static void _gnutls_status_request_deinit_data(extension_priv_data_t epriv) + { + status_request_ext_st *priv = epriv.ptr; ++ unsigned i; + + if (priv == NULL) + return; + +- deinit_responder_id(priv); ++ if (priv->responder_id != NULL) { ++ for (i = 0; i < priv->responder_id_size; i++) ++ gnutls_free(priv->responder_id[i].data); ++ ++ gnutls_free(priv->responder_id); ++ } ++ + gnutls_free(priv->request_extensions.data); + gnutls_free(priv->response.data); + gnutls_free(priv); +-- +2.11.0 + diff -Nru gnutls28-3.3.8/debian/patches/56_CVE-2017-7507_3-gnutls_ocsp_status_request_enable_client-docum.patch gnutls28-3.3.8/debian/patches/56_CVE-2017-7507_3-gnutls_ocsp_status_request_enable_client-docum.patch --- gnutls28-3.3.8/debian/patches/56_CVE-2017-7507_3-gnutls_ocsp_status_request_enable_client-docum.patch 1970-01-01 01:00:00.000000000 +0100 +++ 
gnutls28-3.3.8/debian/patches/56_CVE-2017-7507_3-gnutls_ocsp_status_request_enable_client-docum.patch 2017-06-11 18:03:10.000000000 +0200 
@@ -0,0 +1,40 @@ +From 3ade67eb6859a5a074f981480e5663ea92a59380 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <n...@redhat.com> +Date: Wed, 24 May 2017 11:48:24 +0200 +Subject: [PATCH 3/3] gnutls_ocsp_status_request_enable_client: documented + requirements for parameters + +That is, the fact that extensions and responder_id parameters must be +allocated, and are assigned to the session. + +Signed-off-by: Nikos Mavrogiannopoulos <n...@redhat.com> +--- + lib/ext/status_request.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/lib/ext/status_request.c b/lib/ext/status_request.c +index c7c065e5e..a1f3521c8 100644 +--- a/lib/ext/status_request.c ++++ b/lib/ext/status_request.c +@@ -266,9 +266,15 @@ _gnutls_status_request_recv_params(gnutls_session_t session, + * + * This function is to be used by clients to request OCSP response + * from the server, using the "status_request" TLS extension. Only +- * OCSP status type is supported. A typical server has a single +- * OCSP response cached, so @responder_id and @extensions +- * should be null. ++ * OCSP status type is supported. ++ * ++ * The @responder_id array, its containing elements as well as ++ * the data of @extensions, must be allocated using gnutls_malloc(). They ++ * will be deinitialized on session cleanup. ++ * ++ * Due to the difficult semantics of the @responder_id and @extensions ++ * parameters, it is recommended to only call this function with these ++ * parameters set to %NULL. + * + * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, + * otherwise a negative error code is returned. +-- +2.11.0 + diff -Nru gnutls28-3.3.8/debian/patches/series gnutls28-3.3.8/debian/patches/series --- gnutls28-3.3.8/debian/patches/series 2017-04-27 18:05:28.000000000 +0200 +++ gnutls28-3.3.8/debian/patches/series 2017-06-11 18:07:03.000000000 +0200 
@@ -33,3 +33,6 @@ 55_14_opencdk-read_attribute-account-buffer-size.patch 55_15_opencdk-do-not-parse-any-secret-keys-in-packet-when-.patch 55_16_Enforce-the-max-packet-length-for-OpenPGP-subpackets.patch +56_CVE-2017-7507_1-ext-status_request-ensure-response-IDs-are-pro.patch +56_CVE-2017-7507_2-ext-status_request-Removed-the-parsing-of-resp.patch +56_CVE-2017-7507_3-gnutls_ocsp_status_request_enable_client-docum.patch
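Review bot: the debian/changelog hunk targets `UNRELEASED`; before upload the distribution has to be set to wherever this update actually goes (the preceding entry uses `jessie`; a DSA would go through `jessie-security`), otherwise the upload is refused. The version `3.3.8-6+deb8u6` and the `Closes: #864560` reference are consistent with a jessie stable update, and listing the three `56_CVE-2017-7507_*` patch names together with the upstream branch makes the provenance easy to audit.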
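Review bot: in patch 1 the NULL guard added to `deinit_responder_id` returns before `responder_id_size` is zeroed, so a `priv` with `responder_id == NULL` but a stale non-zero `responder_id_size` keeps that count. It is harmless in this patch because `server_recv` now assigns `priv->responder_id_size = responder_ids;` only after `gnutls_calloc` succeeds, so the array pointer and the count can no longer disagree on the `GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER` and `GNUTLS_E_MEMORY_ERROR` returns, but resetting the size in the early-return branch would make the helper safe for any future caller too. The whitespace-only change to `unsigned i;` is fine to carry along in a cherry-pick.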
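Review bot: in patch 2's `server_recv` hunk the commented-out `/*data += 2;*/` is dead code and should be dropped rather than left as a comment, since nothing after it reads `data`. The replacement check `if (data_size < (ssize_t)rid_bytes)` only verifies that the responder_id_list fits in the remaining bytes; it no longer accounts for the two-byte request_extensions length that follows the list, so an extension whose list consumes every remaining byte is accepted. That is harmless because, as the new comment says, nothing below parses the data, but the comment would be clearer if it said explicitly that request_extensions is not validated either. Removing the per-ID allocation loop also means `server_recv` no longer touches `priv->responder_id` at all, so the array is only ever set through the client-side API documented in patch 3.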
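Review bot: in patch 2's `_gnutls_status_request_deinit_data` hunk the inlined free loop keeps the `priv->responder_id != NULL` guard from the deleted helper, which is what stops this deinit path from walking a NULL array when `responder_id_size` is non-zero; unlike the helper it does not reset `responder_id` and `responder_id_size` afterwards, which is correct only because `gnutls_free(priv);` follows immediately. A one-line comment saying the fields are not reset because `priv` itself is freed would save the next reader the check.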
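Review bot: patch 3's doc hunk now states that `@responder_id`, its elements and the data of `@extensions` must come from `gnutls_malloc()` and are deinitialized on session cleanup, which matches the free loop in `_gnutls_status_request_deinit_data`; it does not say what happens to a previous allocation when `gnutls_ocsp_status_request_enable_client` is called a second time on the same session, so either document that or keep the "recommended to only call this function with these parameters set to %NULL" sentence as the sole supported usage.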