aboutsummaryrefslogtreecommitdiff
path: root/package
diff options
context:
space:
mode:
authorGravatar Peter Korsgaard <peter@korsgaard.com>2019-11-28 16:37:18 +0100
committerGravatar Peter Korsgaard <peter@korsgaard.com>2019-11-29 10:12:58 +0100
commit92327cd9e2c8779e0fadf42f4d41959c03991eab (patch)
tree07b97a6d71d54aaa74ce57b27ee61a5425449850 /package
parentab566a9acccc32658547c4028d1cd7447b7668b0 (diff)
downloadbuildroot-92327cd9e2c8779e0fadf42f4d41959c03991eab.tar.gz
buildroot-92327cd9e2c8779e0fadf42f4d41959c03991eab.tar.bz2
package/wolfssl: add upstream security fix for CVE-2019–18840
Fixes the following security vulnerability: - CVE-2019-18840: In wolfSSL 4.1.0 through 4.2.0c, there are missing sanity checks of memory accesses in parsing ASN.1 certificate data while handshaking. Specifically, there is a one-byte heap-based buffer overflow inside the DecodedCert structure in GetName in wolfcrypt/src/asn.c because the domain name location index is mishandled. Because a pointer is overwritten, there is an invalid free. For details, see the writeup: https://medium.com/@social_62682/heap-overflow-in-wolfssl-cve-2019-18840-185d233c27de Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Diffstat (limited to 'package')
-rw-r--r--package/wolfssl/0001-Check-domain-name-location-index-hasn-t-exceed-maxim.patch84
1 files changed, 84 insertions, 0 deletions
diff --git a/package/wolfssl/0001-Check-domain-name-location-index-hasn-t-exceed-maxim.patch b/package/wolfssl/0001-Check-domain-name-location-index-hasn-t-exceed-maxim.patch
new file mode 100644
index 0000000000..758992e148
--- /dev/null
+++ b/package/wolfssl/0001-Check-domain-name-location-index-hasn-t-exceed-maxim.patch
@@ -0,0 +1,84 @@
+From 52f28bd5149360f8e3bf8ca13d3fb9a77283df7c Mon Sep 17 00:00:00 2001
+From: Sean Parkinson <sean@wolfssl.com>
+Date: Wed, 6 Nov 2019 08:28:09 +1000
+Subject: [PATCH] Check domain name location index hasn't exceed maximum before
+ setting
+
+[CVE-2019–18840]
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ wolfcrypt/src/asn.c | 30 ++++++++++++++++++++----------
+ 1 file changed, 20 insertions(+), 10 deletions(-)
+
+diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
+index 637f4c355..d3793b7b3 100644
+--- a/wolfcrypt/src/asn.c
++++ b/wolfcrypt/src/asn.c
+@@ -5117,8 +5117,10 @@ static int GetName(DecodedCert* cert, int nameType)
+ XMEMCPY(&full[idx], &cert->source[cert->srcIdx], strLen);
+ idx += strLen;
+ #if defined(OPENSSL_EXTRA)
+- /* store order that DN was parsed */
+- dName->loc[count++] = id;
++ if (count < DOMAIN_COMPONENT_MAX) {
++ /* store order that DN was parsed */
++ dName->loc[count++] = id;
++ }
+ #endif
+ }
+
+@@ -5191,8 +5193,10 @@ static int GetName(DecodedCert* cert, int nameType)
+ XMEMCPY(&full[idx], &cert->source[cert->srcIdx], strLen);
+ idx += strLen;
+ #if defined(OPENSSL_EXTRA)
+- /* store order that DN was parsed */
+- dName->loc[count++] = id;
++ if (count < DOMAIN_COMPONENT_MAX) {
++ /* store order that DN was parsed */
++ dName->loc[count++] = id;
++ }
+ #endif
+ }
+
+@@ -5276,8 +5280,10 @@ static int GetName(DecodedCert* cert, int nameType)
+ XMEMCPY(&full[idx], &cert->source[cert->srcIdx], adv);
+ idx += adv;
+ #if defined(OPENSSL_EXTRA)
+- /* store order that DN was parsed */
+- dName->loc[count++] = ASN_EMAIL_NAME;
++ if (count < DOMAIN_COMPONENT_MAX) {
++ /* store order that DN was parsed */
++ dName->loc[count++] = ASN_EMAIL_NAME;
++ }
+ #endif
+ }
+ }
+@@ -5298,8 +5304,10 @@ static int GetName(DecodedCert* cert, int nameType)
+ dName->uidLen = adv;
+
+ #ifdef OPENSSL_EXTRA
+- /* store order that DN was parsed */
+- dName->loc[count++] = ASN_USER_ID;
++ if (count < DOMAIN_COMPONENT_MAX) {
++ /* store order that DN was parsed */
++ dName->loc[count++] = ASN_USER_ID;
++ }
+ #endif
+ #endif /* OPENSSL_EXTRA */
+ break;
+@@ -5315,8 +5323,10 @@ static int GetName(DecodedCert* cert, int nameType)
+ dcnum++;
+
+ #ifdef OPENSSL_EXTRA
+- /* store order that DN was parsed */
+- dName->loc[count++] = ASN_DOMAIN_COMPONENT;
++ if (count < DOMAIN_COMPONENT_MAX) {
++ /* store order that DN was parsed */
++ dName->loc[count++] = ASN_DOMAIN_COMPONENT;
++ }
+ #endif
+ #endif /* OPENSSL_EXTRA */
+ break;
+--
+2.20.1
+