From patchwork Thu Nov 28 15:37:18 2019
X-Patchwork-Submitter: Peter Korsgaard
X-Patchwork-Id: 1202136
From: Peter Korsgaard
To: buildroot@buildroot.org
Cc: Peter Korsgaard, Sergio Prado
Date: Thu, 28 Nov 2019 16:37:18 +0100
Message-Id: <20191128153718.30599-1-peter@korsgaard.com>
Subject: [Buildroot] [PATCH] package/wolfssl: add upstream security fix for CVE-2019–18840

Fixes the following security vulnerability:

- CVE-2019-18840: In wolfSSL 4.1.0 through 4.2.0c, there are missing sanity
  checks of memory accesses in parsing ASN.1 certificate data while
  handshaking. Specifically, there is a one-byte heap-based buffer overflow
  inside the DecodedCert structure in GetName in wolfcrypt/src/asn.c because
  the domain name location index is mishandled. Because a pointer is
  overwritten, there is an invalid free.

For details, see the writeup:
https://medium.com/@social_62682/heap-overflow-in-wolfssl-cve-2019-18840-185d233c27de

Signed-off-by: Peter Korsgaard
---
 ...e-location-index-hasn-t-exceed-maxim.patch | 84 +++++++++++++++++++
 1 file changed, 84 insertions(+)
 create mode 100644 package/wolfssl/0001-Check-domain-name-location-index-hasn-t-exceed-maxim.patch

diff --git a/package/wolfssl/0001-Check-domain-name-location-index-hasn-t-exceed-maxim.patch b/package/wolfssl/0001-Check-domain-name-location-index-hasn-t-exceed-maxim.patch new file mode 100644 index 0000000000..758992e148 --- /dev/null +++ b/package/wolfssl/0001-Check-domain-name-location-index-hasn-t-exceed-maxim.patch 
@@ -0,0 +1,84 @@ +From 52f28bd5149360f8e3bf8ca13d3fb9a77283df7c Mon Sep 17 00:00:00 2001 +From: Sean Parkinson +Date: Wed, 6 Nov 2019 08:28:09 +1000 +Subject: [PATCH] Check domain name location index hasn't exceed maximum before + setting + +[CVE-2019–18840] +Signed-off-by: Peter Korsgaard +--- + wolfcrypt/src/asn.c | 30 ++++++++++++++++++++---------- + 1 file changed, 20 insertions(+), 10 deletions(-) + +diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c +index 637f4c355..d3793b7b3 100644 +--- a/wolfcrypt/src/asn.c ++++ b/wolfcrypt/src/asn.c +@@ -5117,8 +5117,10 @@ static int GetName(DecodedCert* cert, int nameType) + XMEMCPY(&full[idx], &cert->source[cert->srcIdx], strLen); + idx += strLen; + #if defined(OPENSSL_EXTRA) +- /* store order that DN was parsed */ +- dName->loc[count++] = id; ++ if (count < DOMAIN_COMPONENT_MAX) { ++ /* store order that DN was parsed */ ++ dName->loc[count++] = id; ++ } + #endif + } + +@@ -5191,8 +5193,10 @@ static int GetName(DecodedCert* cert, int nameType) + XMEMCPY(&full[idx], &cert->source[cert->srcIdx], strLen); + idx += strLen; + #if defined(OPENSSL_EXTRA) +- /* store order that DN was parsed */ +- dName->loc[count++] = id; ++ if (count < DOMAIN_COMPONENT_MAX) { ++ /* store order that DN was parsed */ ++ dName->loc[count++] = id; ++ } + #endif + } + +@@ -5276,8 +5280,10 @@ static int GetName(DecodedCert* cert, int nameType) + XMEMCPY(&full[idx], &cert->source[cert->srcIdx], adv); + idx += adv; + #if defined(OPENSSL_EXTRA) +- /* store order that DN was parsed */ +- dName->loc[count++] = ASN_EMAIL_NAME; ++ if (count < DOMAIN_COMPONENT_MAX) { ++ /* store order that DN was parsed */ ++ dName->loc[count++] = ASN_EMAIL_NAME; ++ } + #endif + } + } +@@ -5298,8 +5304,10 @@ static int GetName(DecodedCert* cert, int nameType) + dName->uidLen = adv; + + #ifdef OPENSSL_EXTRA +- /* store order that DN was parsed */ +- dName->loc[count++] = ASN_USER_ID; ++ if (count < DOMAIN_COMPONENT_MAX) { ++ /* store order that DN was parsed */ ++ 
dName->loc[count++] = ASN_USER_ID; ++ } + #endif + #endif /* OPENSSL_EXTRA */ + break; +@@ -5315,8 +5323,10 @@ static int GetName(DecodedCert* cert, int nameType) + dcnum++; + + #ifdef OPENSSL_EXTRA +- /* store order that DN was parsed */ +- dName->loc[count++] = ASN_DOMAIN_COMPONENT; ++ if (count < DOMAIN_COMPONENT_MAX) { ++ /* store order that DN was parsed */ ++ dName->loc[count++] = ASN_DOMAIN_COMPONENT; ++ } + #endif + #endif /* OPENSSL_EXTRA */ + break; +-- +2.20.1 +
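
Review bot: The CVE tag in the header of the embedded patch, `[CVE-2019–18840]`, is written with an en dash (U+2013) rather than an ASCII hyphen, and the mail Subject uses the same character, while the commit message body spells it CVE-2019-18840. A grep or CVE-matching tool looking for the hyphenated identifier will miss both places, so the ASCII form should be used throughout. The header also keeps the upstream commit hash only in its `From 52f28bd5...` line and carries no pointer to where the commit was taken from; a short origin line next to the sign-off would make the backport easier to audit and to drop at the next version bump.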
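
Review bot: In each of the five guarded stores in GetName (`if (count < DOMAIN_COMPONENT_MAX) { ... dName->loc[count++] = ...; }`), a name with more entries than the limit is still parsed and accepted; the extra entries are dropped from `loc` with no error return and no log, so code built with OPENSSL_EXTRA that reads the recorded order gets a silently truncated list. It is worth stating in the patch description whether that truncation is intended, or returning a parse error once the limit is reached. The declaration of `loc` is not part of the visible context, so please confirm that DOMAIN_COMPONENT_MAX is in fact its element count and not the limit of a neighbouring array. The same four-line guard is repeated at every site; a small helper or macro for the store would keep a future name type from being added without the check.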