From patchwork Tue Dec 27 22:07:21 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Peter Korsgaard <peter@korsgaard.com>
X-Patchwork-Id: 709108
Return-Path: <buildroot-bounces@busybox.net>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from silver.osuosl.org (smtp3.osuosl.org [140.211.166.136])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 3tp92s109tz9t0w
	for <incoming@patchwork.ozlabs.org>;
	Wed, 28 Dec 2016 09:07:33 +1100 (AEDT)
Authentication-Results: ozlabs.org;
	dkim=fail reason="signature verification failed" (2048-bit key;
	unprotected) header.d=gmail.com header.i=@gmail.com
	header.b="ioNeQA1s"; dkim-atps=neutral
Received: from localhost (localhost [127.0.0.1])
	by silver.osuosl.org (Postfix) with ESMTP id C9AB62A345;
	Tue, 27 Dec 2016 22:07:30 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Received: from silver.osuosl.org ([127.0.0.1])
	by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id lvREYwErfIA9; Tue, 27 Dec 2016 22:07:29 +0000 (UTC)
Received: from ash.osuosl.org (ash.osuosl.org [140.211.166.34])
	by silver.osuosl.org (Postfix) with ESMTP id C9ED12E2E4;
	Tue, 27 Dec 2016 22:07:28 +0000 (UTC)
X-Original-To: buildroot@lists.busybox.net
Delivered-To: buildroot@osuosl.org
Received: from whitealder.osuosl.org (smtp1.osuosl.org [140.211.166.138])
	by ash.osuosl.org (Postfix) with ESMTP id 68D2B1BFC43
	for <buildroot@lists.busybox.net>;
	Tue, 27 Dec 2016 22:07:27 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
	by whitealder.osuosl.org (Postfix) with ESMTP id 6471383F83
	for <buildroot@lists.busybox.net>;
	Tue, 27 Dec 2016 22:07:27 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Received: from whitealder.osuosl.org ([127.0.0.1])
	by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id sRUGOugppB37 for <buildroot@lists.busybox.net>;
	Tue, 27 Dec 2016 22:07:26 +0000 (UTC)
X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6
Received: from mail-wm0-f68.google.com (mail-wm0-f68.google.com
	[74.125.82.68])
	by whitealder.osuosl.org (Postfix) with ESMTPS id 116A483F6B
	for <buildroot@buildroot.org>; Tue, 27 Dec 2016 22:07:26 +0000 (UTC)
Received: by mail-wm0-f68.google.com with SMTP id u144so59046728wmu.0
	for <buildroot@buildroot.org>; Tue, 27 Dec 2016 14:07:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
	h=sender:from:to:cc:subject:date:message-id;
	bh=rn5GkSaTrjCHiuHEJNs1TRHHDY0F49JVuYOx6AQCKf4=;
	b=ioNeQA1sACcBgiD1rv6vWntsPapLEntiW9glcoEU9zC6lGlz04qSyGubwA//WXoOr+
	AX8XLnDEtcbe/M5Wo2LACxpTC5eqrOfKkVNquPBdOIg600VSHtSGIZoHKzP2YuhAxoXz
	PsXkBX+Awwpkt6FWtclAyJ3ge8NOIlGv34D4bEdri4rqZ93ddoS1lzR0JJDLqMEbc5yX
	XmSKazmmyLROTG9+kn8fv56i0zyW/wehlMBQSt1UGfUONe0VqRNVbQnK6lhgwbdq+nt4
	twW9VO8T70uqfJxGHt19Q5mwRdPb6xGeKMeTvHs0ieBAFy/qzDEXUum5k8TZfN6gtwiZ
	b8Kg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:sender:from:to:cc:subject:date:message-id;
	bh=rn5GkSaTrjCHiuHEJNs1TRHHDY0F49JVuYOx6AQCKf4=;
	b=jYxX4nkxHotOVJUyZXhH/c75p8a3qq9vTGQRbT7hvp+VqdPF23aQwJho3KIDhNiQiH
	34cOlg/zgjhcUPmVhy+flH2ewozbumTmqvWdjk6rwFqXKoOiqGZm9ern0dGHx9LbuIYf
	N7lRXuKemtLBocrLJQGN7ggDeDL8D5BEnZkucAz2T1AD4FTPE9W41zjeT5v2gkCUbcxY
	WCaMBOhdOLAmXRpLWdlak2L6VxNcQZrpHAyo8nts4ssvjcKfNVs78D1IporKCC7NdG0T
	Yeq4a4D/8J6+1ynqLRcLG3NjCgyIcgVZuQXATzYAQPxt8ToNJNLZY5wJsLavutV4aXu/
	Bgeg==
X-Gm-Message-State: 
 AIkVDXK0NNV9XbVdCO/KTZH5+gTZS6b/rVLsphI/5r6ec61Mv0/ou1uWcktVjIxM20oswg==
X-Received: by 10.28.196.207 with SMTP id
	u198mr30989154wmf.102.1482876444284;
	Tue, 27 Dec 2016 14:07:24 -0800 (PST)
Received: from dell.be.48ers.dk (d51A5BC31.access.telenet.be.
	[81.165.188.49]) by smtp.gmail.com with ESMTPSA id
	f10sm61222895wjl.28.2016.12.27.14.07.23
	(version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
	Tue, 27 Dec 2016 14:07:23 -0800 (PST)
Received: from peko by dell.be.48ers.dk with local (Exim 4.88)
	(envelope-from <peko@dell.be.48ers.dk>)
	id 1cLzty-0007BJ-OH; Tue, 27 Dec 2016 23:07:22 +0100
From: Peter Korsgaard <peter@korsgaard.com>
To: buildroot@buildroot.org
Date: Tue, 27 Dec 2016 23:07:21 +0100
Message-Id: <20161227220721.27566-1-peter@korsgaard.com>
X-Mailer: git-send-email 2.10.2
Subject: [Buildroot] [PATCH] cryptopp: add upstream security fix for
	CVE-2016-9939
X-BeenThere: buildroot@busybox.net
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: Discussion and development of buildroot <buildroot.busybox.net>
List-Unsubscribe: <http://lists.busybox.net/mailman/options/buildroot>,
	<mailto:buildroot-request@busybox.net?subject=unsubscribe>
List-Archive: <http://lists.busybox.net/pipermail/buildroot/>
List-Post: <mailto:buildroot@busybox.net>
List-Help: <mailto:buildroot-request@busybox.net?subject=help>
List-Subscribe: <http://lists.busybox.net/mailman/listinfo/buildroot>,
	<mailto:buildroot-request@busybox.net?subject=subscribe>
MIME-Version: 1.0
Errors-To: buildroot-bounces@busybox.net
Sender: "buildroot" <buildroot-bounces@busybox.net>

Fixes security issue (DoS) in Crypto++ ASN1 decoder:

https://github.com/weidai11/cryptopp/issues/346

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 ...sible-DoS-in-ASN.1-decoders-CVE-2016-9939.patch | 69 ++++++++++++++++++++++
 1 file changed, 69 insertions(+)
 create mode 100644 package/cryptopp/0001-Fix-possible-DoS-in-ASN.1-decoders-CVE-2016-9939.patch

diff --git a/package/cryptopp/0001-Fix-possible-DoS-in-ASN.1-decoders-CVE-2016-9939.patch b/package/cryptopp/0001-Fix-possible-DoS-in-ASN.1-decoders-CVE-2016-9939.patch
new file mode 100644
index 0000000..2d0f1d9
--- /dev/null
+++ b/package/cryptopp/0001-Fix-possible-DoS-in-ASN.1-decoders-CVE-2016-9939.patch
@@ -0,0 +1,69 @@
+From 3d9181d7bdd8e491f745dbc9e34bd20b6f6da069 Mon Sep 17 00:00:00 2001
+From: Gergely Nagy <ngg@tresorit.com>
+Date: Wed, 14 Dec 2016 13:19:01 +0100
+Subject: [PATCH] Fix possible DoS in ASN.1 decoders (CVE-2016-9939)
+
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ asn.cpp | 10 ++++++++++
+ asn.h   |  2 ++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/asn.cpp b/asn.cpp
+index 297ff01..2e923ef 100644
+--- a/asn.cpp
++++ b/asn.cpp
+@@ -123,6 +123,8 @@ size_t BERDecodeOctetString(BufferedTransformation &bt, SecByteBlock &str)
+ 	size_t bc;
+ 	if (!BERLengthDecode(bt, bc))
+ 		BERDecodeError();
++	if (bc > bt.MaxRetrievable())
++		BERDecodeError();
+ 
+ 	str.New(bc);
+ 	if (bc != bt.Get(str, bc))
+@@ -139,6 +141,8 @@ size_t BERDecodeOctetString(BufferedTransformation &bt, BufferedTransformation &
+ 	size_t bc;
+ 	if (!BERLengthDecode(bt, bc))
+ 		BERDecodeError();
++	if (bc > bt.MaxRetrievable())
++		BERDecodeError();
+ 
+ 	bt.TransferTo(str, bc);
+ 	return bc;
+@@ -161,6 +165,8 @@ size_t BERDecodeTextString(BufferedTransformation &bt, std::string &str, byte as
+ 	size_t bc;
+ 	if (!BERLengthDecode(bt, bc))
+ 		BERDecodeError();
++	if (bc > bt.MaxRetrievable())
++		BERDecodeError();
+ 
+ 	SecByteBlock temp(bc);
+ 	if (bc != bt.Get(temp, bc))
+@@ -188,6 +194,10 @@ size_t BERDecodeBitString(BufferedTransformation &bt, SecByteBlock &str, unsigne
+ 	size_t bc;
+ 	if (!BERLengthDecode(bt, bc))
+ 		BERDecodeError();
++	if (bc == 0)
++		BERDecodeError();
++	if (bc > bt.MaxRetrievable())
++		BERDecodeError();
+ 
+ 	byte unused;
+ 	if (!bt.Get(unused))
+diff --git a/asn.h b/asn.h
+index ed9de52..33f0dd0 100644
+--- a/asn.h
++++ b/asn.h
+@@ -498,6 +498,8 @@ void BERDecodeUnsigned(BufferedTransformation &in, T &w, byte asnTag = INTEGER,
+ 	bool definite = BERLengthDecode(in, bc);
+ 	if (!definite)
+ 		BERDecodeError();
++	if (bc > in.MaxRetrievable())
++		BERDecodeError();
+ 
+ 	SecByteBlock buf(bc);
+ 
+-- 
+2.10.2
+