Hello community, here is the log from the commit of package gnutls checked in at Tue Jun 3 16:13:18 CEST 2008. -------- --- gnutls/gnutls.changes 2008-05-08 14:19:38.000000000 +0200 +++ /mounts/work_src_done/STABLE/gnutls/gnutls.changes 2008-05-26 10:22:04.000000000 +0200 @@ -1,0 +2,11 @@ +Wed May 21 16:32:26 CEST 2008 - mkoenig@suse.de + +- fix three security bugs [bnc#392947] + CVE-2008-1948 GNUTLS-SA-2008-1-1 + Fix crash when sending invalid server name + CVE-2008-1949 GNUTLS-SA-2008-1-2 + Fix crash when sending repeated client hellos + CVE-2008-1950 GNUTLS-SA-2008-1-3 + Fix crash in cipher padding decoding for invalid record lengths + +------------------------------------------------------------------- New: ---- gnutls-GNUTLS_SA_2008_1.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gnutls.spec ++++++ --- /var/tmp/diff_new_pack.V23585/_old 2008-06-03 16:13:00.000000000 +0200 +++ /var/tmp/diff_new_pack.V23585/_new 2008-06-03 16:13:00.000000000 +0200 @@ -14,7 +14,7 @@ Name: gnutls BuildRequires: gcc-c++ libgcrypt-devel libopencdk-devel Version: 2.2.2 -Release: 10 +Release: 16 License: GPL v3 or later; LGPL v2.1 or later BuildRoot: %{_tmppath}/%{name}-%{version}-build Url: http://www.gnutls.org/ @@ -22,6 +22,7 @@ Patch0: gnutls-char-signedness.patch Patch1: gnutls-1.6.1-srptool.patch Patch2: gnutls-2.2.2-uninitialized.patch +Patch3: gnutls-GNUTLS_SA_2008_1.patch Summary: The GNU Transport Layer Security Library Group: Productivity/Networking/Security AutoReqProv: on @@ -125,6 +126,7 @@ %patch0 %patch1 -p1 %patch2 -p1 +%patch3 -p1 %build autoreconf -fi @@ -211,6 +213,14 @@ %_libdir/pkgconfig/gnutls-extra.pc %changelog +* Wed May 21 2008 mkoenig@suse.de +- fix three security bugs [bnc#392947] + CVE-2008-1948 GNUTLS-SA-2008-1-1 + Fix crash when sending invalid server name + CVE-2008-1949 GNUTLS-SA-2008-1-2 + Fix crash when sending repeated client hellos + CVE-2008-1950 GNUTLS-SA-2008-1-3 + Fix crash in cipher padding decoding for invalid record lengths * Thu May 08 2008 mkoenig@suse.de - fix build * Tue Apr 29 2008 cthiel@suse.de ++++++ gnutls-GNUTLS_SA_2008_1.patch ++++++ diff --git a/lib/ext_server_name.c b/lib/ext_server_name.c index 72e42ff..a2db949 100644 --- a/lib/ext_server_name.c +++ b/lib/ext_server_name.c @@ -74,10 +74,27 @@ _gnutls_server_name_recv_params (gnutls_session_t session, len = _gnutls_read_uint16 (p); p += 2; - DECR_LENGTH_RET (data_size, len, 0); - server_names++; + if (len > 0) + { + DECR_LENGTH_RET (data_size, len, 0); + server_names++; + p += len; + } + else + _gnutls_handshake_log + ("HSK[%x]: Received zero size server name (under attack?)\n", + session); - p += len; + } + + /* we cannot accept more server names. + */ + if (server_names > MAX_SERVER_NAME_EXTENSIONS) + { + _gnutls_handshake_log + ("HSK[%x]: Too many server names received (under attack?)\n", + session); + server_names = MAX_SERVER_NAME_EXTENSIONS; } session->security_parameters.extensions.server_names_size = @@ -85,10 +102,6 @@ _gnutls_server_name_recv_params (gnutls_session_t session, if (server_names == 0) return 0; /* no names found */ - /* we cannot accept more server names. - */ - if (server_names > MAX_SERVER_NAME_EXTENSIONS) - server_names = MAX_SERVER_NAME_EXTENSIONS; p = data + 2; for (i = 0; i < server_names; i++) diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c index e930c1d..e16ad1f 100644 --- a/lib/gnutls_cipher.c +++ b/lib/gnutls_cipher.c @@ -504,17 +503,20 @@ _gnutls_ciphertext2compressed (gnutls_session_t session, pad = ciphertext.data[ciphertext.size - 1] + 1; /* pad */ - length = ciphertext.size - hash_size - pad; - - if (pad > ciphertext.size - hash_size) + if ((int)pad > (int)ciphertext.size - hash_size) { gnutls_assert (); + _gnutls_record_log + ("REC[%x]: Short record length %d > %d - %d (under attack?)\n", + session, pad, ciphertext.size, hash_size); /* We do not fail here. We check below for the * the pad_failed. If zero means success. */ pad_failed = GNUTLS_E_DECRYPTION_FAILED; } + length = ciphertext.size - hash_size - pad; + /* Check the pading bytes (TLS 1.x) */ if (ver >= GNUTLS_TLS1 && pad_failed == 0) diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c index 4ab6db6..d798180 100644 --- a/lib/gnutls_handshake.c +++ b/lib/gnutls_handshake.c @@ -1003,6 +1003,14 @@ _gnutls_recv_handshake_header (gnutls_session_t session, *recv_type = session->internals.handshake_header_buffer.recv_type; + if (*recv_type != type) + { + gnutls_assert (); + _gnutls_handshake_log + ("HSK[%x]: Handshake type mismatch (under attack?)\n", session); + return GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET; + } + return session->internals.handshake_header_buffer.packet_length; } ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org