gnutls: CVE-2015-3308

Fixes use-after-free flaw in CRL distribution points parsing Reference: https://gitlab.com/gnutls/gnutls/commit/d6972be33264ecc49a86cd0958209cd7363af1e9 https://gitlab.com/gnutls/gnutls/commit/053ae65403216acdb0a4e78b25ad66ee9f444f02 http://www.openwall.com/lists/oss-security/2015/04/15/6 (From OE-Core rev: 4db630c0cd7988c923eb3f48153a6cedafd6a139) Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-05-31 12:49:46 +00:00 · 2015-09-03 13:54:21 +02:00
parent d6dcddbb3d
commit 6516ecd075
3 changed files with 100 additions and 0 deletions
@@ -0,0 +1,65 @@
+From 053ae65403216acdb0a4e78b25ad66ee9f444f02 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+Date: Sat, 28 Mar 2015 22:41:03 +0100
+Subject: [PATCH] Better fix for the double free in dist point parsing
+
+Fixes CVE-2015-3308
+Upstream-Status: Backport
+
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ lib/x509/x509_ext.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/lib/x509/x509_ext.c b/lib/x509/x509_ext.c
+index 2e69ed0..f974b02 100644
+--- a/lib/x509/x509_ext.c
+++ b/lib/x509/x509_ext.c
+@@ -2287,7 +2287,7 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext,
+ 	int len, ret;
+ 	uint8_t reasons[2];
+ 	unsigned i, type, rflags, j;
+-	gnutls_datum_t san;
+	gnutls_datum_t san = {NULL, 0};
+ 
+ 	result = asn1_create_element
+ 	    (_gnutls_get_pkix(), "PKIX1.CRLDistributionPoints", &c2);
+@@ -2310,9 +2310,6 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext,
+ 
+ 	i = 0;
+ 	do {
+-		san.data = NULL;
+-		san.size = 0;
+-
+ 		snprintf(name, sizeof(name), "?%u.reasons", (unsigned)i + 1);
+ 
+ 		len = sizeof(reasons);
+@@ -2337,6 +2334,9 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext,
+ 
+ 		j = 0;
+ 		do {
+			san.data = NULL;
+			san.size = 0;
+
+ 			ret =
+ 			    _gnutls_parse_general_name2(c2, name, j, &san,
+ 							&type, 0);
+@@ -2351,6 +2351,7 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext,
+ 			ret = crl_dist_points_set(cdp, type, &san, rflags);
+ 			if (ret < 0)
+ 				break;
+			san.data = NULL; /* it is now in cdp */
+ 
+ 			j++;
+ 		} while (ret >= 0);
+@@ -2360,6 +2361,7 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext,
+ 
+ 	if (ret < 0 && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
+ 		gnutls_assert();
+		gnutls_free(san.data);
+ 		goto cleanup;
+ 	}
+ 
+-- 
+1.9.1
+
@@ -0,0 +1,33 @@
+From d6972be33264ecc49a86cd0958209cd7363af1e9 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+Date: Mon, 23 Mar 2015 22:55:29 +0100
+Subject: [PATCH] eliminated double-free in the parsing of dist points
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reported by Robert Święcki.
+
+Fixes CVE-2015-3308
+Upstream-Status: Backport
+
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ lib/x509/x509_ext.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/lib/x509/x509_ext.c b/lib/x509/x509_ext.c
+index c8d5867..6f09438 100644
+--- a/lib/x509/x509_ext.c
+++ b/lib/x509/x509_ext.c
+@@ -2360,7 +2360,6 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext,
+ 
+ 	if (ret < 0 && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
+ 		gnutls_assert();
+-		gnutls_free(san.data);
+ 		goto cleanup;
+ 	}
+ 
+-- 
+1.9.1
+
@@ -3,6 +3,8 @@ require gnutls.inc
 SRC_URI += "file://correct_rpl_gettimeofday_signature.patch \
            file://configure.ac-fix-sed-command.patch \
            file://use-pkg-config-to-locate-zlib.patch \
+            file://eliminated-double-free-CVE-2015-3308.patch \
+            file://better-fix-for-double-free-CVE-2015-3308.patch \
           "
 SRC_URI[md5sum] = "a37b20b4352a5f542367ded904729c90"
 SRC_URI[sha256sum] = "67ab3e92c5d48f3323b897d7c1aa0bb2af6f3a84f5bd9931cda163a7ff32299b"