[vlc-commits] contrib/gnutls: add security patches

Felix Paul Kühne git at videolan.org
Tue Mar 4 10:48:58 CET 2014


vlc/vlc-2.0 | branch: master | Felix Paul Kühne <fkuehne at videolan.org> | Tue Mar  4 10:48:45 2014 +0100| [b244e1a2f2b1cc89b5daa2d02a38768667a17cd1] | committer: Felix Paul Kühne

contrib/gnutls: add security patches

> http://git.videolan.org/gitweb.cgi/vlc/vlc-2.0.git/?a=commit;h=b244e1a2f2b1cc89b5daa2d02a38768667a17cd1
---

 contrib/src/gnutls/gnutls-sa-2013-2.patch |   24 +++++++
 contrib/src/gnutls/gnutls-sa-2014-2.patch |  101 +++++++++++++++++++++++++++++
 contrib/src/gnutls/rules.mak              |    2 +
 3 files changed, 127 insertions(+)

diff --git a/contrib/src/gnutls/gnutls-sa-2013-2.patch b/contrib/src/gnutls/gnutls-sa-2013-2.patch
new file mode 100644
index 0000000..d211333
--- /dev/null
+++ b/contrib/src/gnutls/gnutls-sa-2013-2.patch
@@ -0,0 +1,24 @@
+From 5164d5a1d57cd0372a5dd074382ca960ca18b27d Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav at gnutls.org>
+Date: Thu, 23 May 2013 09:54:37 +0200
+Subject: [PATCH] re-applied sanity check patch
+
+---
+ lib/gnutls_cipher.c |    2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c
+index 2835121..71f5a98 100644
+--- a/lib/gnutls_cipher.c
++++ b/lib/gnutls_cipher.c
+@@ -561,6 +561,8 @@ _gnutls_ciphertext2compressed (gnutls_session_t session,
+           return GNUTLS_E_DECRYPTION_FAILED;
+         }
+       pad = ciphertext.data[ciphertext.size - 1];   /* pad */
++      if (pad+1 > ciphertext.size-hash_size)
++        pad_failed = GNUTLS_E_DECRYPTION_FAILED;
+ 
+       /* Check the pading bytes (TLS 1.x). 
+        * Note that we access all 256 bytes of ciphertext for padding check
+-- 
+1.7.1
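Review bot: The added guard `if (pad+1 > ciphertext.size-hash_size)` only holds if `ciphertext.size >= hash_size` has already been established, otherwise the right-hand side wraps to a huge unsigned value and the check never fires; the `return GNUTLS_E_DECRYPTION_FAILED;` just above the hunk suggests such a length check exists, but it sits outside the hunk, so that precondition is worth stating in the patch. Recording the failure in `pad_failed` instead of returning at once is consistent with the comment below about walking all 256 padding bytes, and the patch should say so, e.g. `/* do not return early: the padding walk below must run regardless of pad_failed */`. The patch carries only `re-applied sanity check patch` as its description; since this is a contrib backport, a preamble line naming the advisory the file name refers to and the upstream commit, e.g. `Backport of upstream 5164d5a1 (GNUTLS-SA-2013-2): TLS padding length sanity check in _gnutls_ciphertext2compressed`, tells the next person bumping gnutls when it can be dropped. The enclosing function `_gnutls_ciphertext2compressed` starts and ends outside the hunk.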
diff --git a/contrib/src/gnutls/gnutls-sa-2014-2.patch b/contrib/src/gnutls/gnutls-sa-2014-2.patch
new file mode 100644
index 0000000..f48487d
--- /dev/null
+++ b/contrib/src/gnutls/gnutls-sa-2014-2.patch
@@ -0,0 +1,101 @@
+From 6aa26f78150ccbdf0aec1878a41c17c41d358a3b Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav at gnutls.org>
+Date: Thu, 27 Feb 2014 19:42:26 +0100
+Subject: [PATCH] corrected return codes
+
+---
+ lib/x509/verify.c |   16 ++++++++++------
+ 1 files changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/lib/x509/verify.c b/lib/x509/verify.c
+index c9a6b0d..eef85a8 100644
+--- a/lib/x509/verify.c
++++ b/lib/x509/verify.c
+@@ -141,7 +141,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
+   if (result < 0)
+     {
+       gnutls_assert ();
+-      goto cleanup;
++      goto fail;
+     }
+ 
+   result =
+@@ -150,7 +150,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
+   if (result < 0)
+     {
+       gnutls_assert ();
+-      goto cleanup;
++      goto fail;
+     }
+ 
+   result =
+@@ -158,7 +158,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
+   if (result < 0)
+     {
+       gnutls_assert ();
+-      goto cleanup;
++      goto fail;
+     }
+ 
+   result =
+@@ -166,7 +166,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
+   if (result < 0)
+     {
+       gnutls_assert ();
+-      goto cleanup;
++      goto fail;
+     }
+ 
+   /* If the subject certificate is the same as the issuer
+@@ -206,6 +206,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
+   else
+     gnutls_assert ();
+ 
++fail:
+   result = 0;
+ 
+ cleanup:
+@@ -330,7 +331,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
+   gnutls_datum_t cert_signed_data = { NULL, 0 };
+   gnutls_datum_t cert_signature = { NULL, 0 };
+   gnutls_x509_crt_t issuer = NULL;
+-  int issuer_version, result;
++  int issuer_version, result = 0;
+ 
+   if (output)
+     *output = 0;
+@@ -363,7 +364,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
+   if (issuer_version < 0)
+     {
+       gnutls_assert ();
+-      return issuer_version;
++      return 0;
+     }
+ 
+   if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN) &&
+@@ -385,6 +386,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
+   if (result < 0)
+     {
+       gnutls_assert ();
++      result = 0;
+       goto cleanup;
+     }
+ 
+@@ -393,6 +395,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
+   if (result < 0)
+     {
+       gnutls_assert ();
++      result = 0;
+       goto cleanup;
+     }
+ 
+@@ -410,6 +413,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
+   else if (result < 0)
+     {
+       gnutls_assert();
++      result = 0;
+       goto cleanup;
+     }
+ 
+-- 
+1.7.1
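Review bot: In `_gnutls_verify_certificate2` the new `result = 0;` before each `goto cleanup` and the `return 0;` at the `issuer_version < 0` check turn every internal error into the plain "not verified" result, which is the right direction given that a negative return was evidently being treated as a successful verification, but the hunks do not show whether the `cleanup:` path also sets a failure bit in `*output` (zeroed at the top of the function); if it does not, a caller that inspects only `*output` would see no failure on these paths, so confirm that in the full function, which starts and ends outside the hunk. In `check_if_ca` the new `fail:` label lands on the existing `result = 0;`, so a helper error is reported as "not a CA" rather than a negative code; a one-line comment above the label, `/* any error while inspecting the pair: treat as not a CA, never as an error code */`, would make clear the specific error is dropped on purpose. The patch subject `corrected return codes` gives no advisory reference; as a contrib backport it should carry a preamble line naming the upstream commit and GNUTLS-SA-2014-2 so it can be retired at the next version bump.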
diff --git a/contrib/src/gnutls/rules.mak b/contrib/src/gnutls/rules.mak
index d3a5ce2..252a190 100644
--- a/contrib/src/gnutls/rules.mak
+++ b/contrib/src/gnutls/rules.mak
@@ -23,6 +23,8 @@ ifdef HAVE_ANDROID
 endif
 	$(APPLY) $(SRC)/gnutls/gnutls-no-egd.patch
 	$(APPLY) $(SRC)/gnutls/read-file-limits.h.patch
+	$(APPLY) $(SRC)/gnutls/gnutls-sa-2013-2.patch
+	$(APPLY) $(SRC)/gnutls/gnutls-sa-2014-2.patch
 	$(UPDATE_AUTOCONFIG)
 	$(MOVE)
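Review bot: The two new `$(APPLY)` lines are unconditional, so as soon as the contrib gnutls tarball is bumped to an upstream release that already contains these fixes the patches will fail to apply (or apply in reverse) and break the contrib build; the version this rules file pins is not visible in the hunk, so I cannot tell which release they target. Add a comment next to them recording why they exist and when to drop them, e.g. `# GNUTLS-SA-2013-2 / GNUTLS-SA-2014-2 backports: remove once the pinned gnutls release includes the upstream fixes`. The recipe these lines belong to starts outside the hunk.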
 


