From f70c20ebcae23ef62f5daef86e26cf681f622e6d Mon Sep 17 00:00:00 2001
From: Alexander Pyhalov
Date: Sat, 4 Feb 2017 20:30:37 +0300
Subject: [PATCH] gnutls-3: fix recent CVEs
---
 components/library/gnutls-3/Makefile | 2 +-
 components/library/gnutls-3/gnutls-3.p5m | 15 ++-
 .../library/gnutls-3/manifests/sample-manifest.p5m | 13 ++-
 .../gnutls-3/patches/04-CVE-2017-5334.patch | 72 ++++++++++++
 .../gnutls-3/patches/05-CVE-2017-5335.patch | 127 +++++++++++++++++++++
 .../gnutls-3/patches/06-CVE-2017-5336.patch | 42 +++++++
 .../gnutls-3/patches/07-CVE-2017-5337.patch | 95 +++++++++++++++
 7 files changed, 353 insertions(+), 13 deletions(-)
 create mode 100644 components/library/gnutls-3/patches/04-CVE-2017-5334.patch
 create mode 100644 components/library/gnutls-3/patches/05-CVE-2017-5335.patch
 create mode 100644 components/library/gnutls-3/patches/06-CVE-2017-5336.patch
 create mode 100644 components/library/gnutls-3/patches/07-CVE-2017-5337.patch
diff --git a/components/library/gnutls-3/Makefile b/components/library/gnutls-3/Makefile
index c6d1a6c65..a1a347d02 100644
--- a/components/library/gnutls-3/Makefile
+++ b/components/library/gnutls-3/Makefile
@@ -25,7 +25,7 @@ include ../../../make-rules/shared-macros.mk
 COMPONENT_NAME= gnutls
-COMPONENT_VERSION= 3.4.16
+COMPONENT_VERSION= 3.4.17
 COMPONENT_PROJECT_URL= ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4
 COMPONENT_SUMMARY= GNU transport layer security library
 COMPONENT_SRC= $(COMPONENT_NAME)-$(COMPONENT_VERSION)
diff --git a/components/library/gnutls-3/gnutls-3.p5m b/components/library/gnutls-3/gnutls-3.p5m
index c7fb52623..f43bb8712 100644
--- a/components/library/gnutls-3/gnutls-3.p5m
+++ b/components/library/gnutls-3/gnutls-3.p5m
@@ -46,19 +46,21 @@ file path=usr/include/gnutls-3/gnutls/tpm.h
 file path=usr/include/gnutls-3/gnutls/urls.h
 file path=usr/include/gnutls-3/gnutls/x509-ext.h
 file path=usr/include/gnutls-3/gnutls/x509.h
-link path=usr/lib/$(MACH64)/gnutls-3/libgnutls.so target=libgnutls.so.30.6.8
-link path=usr/lib/$(MACH64)/gnutls-3/libgnutls.so.30 target=libgnutls.so.30.6.8
-file path=usr/lib/$(MACH64)/gnutls-3/libgnutls.so.30.6.8
+link path=usr/lib/$(MACH64)/gnutls-3/libgnutls.so target=libgnutls.so.30.7.0
+link path=usr/lib/$(MACH64)/gnutls-3/libgnutls.so.30 target=libgnutls.so.30.7.0
+file path=usr/lib/$(MACH64)/gnutls-3/libgnutls.so.30.7.0
 link path=usr/lib/$(MACH64)/gnutls-3/libgnutlsxx.so target=libgnutlsxx.so.28.1.0
 link path=usr/lib/$(MACH64)/gnutls-3/libgnutlsxx.so.28 \
 target=libgnutlsxx.so.28.1.0
 file path=usr/lib/$(MACH64)/gnutls-3/libgnutlsxx.so.28.1.0
-link path=usr/lib/gnutls-3/libgnutls.so target=libgnutls.so.30.6.8
-link path=usr/lib/gnutls-3/libgnutls.so.30 target=libgnutls.so.30.6.8
-file path=usr/lib/gnutls-3/libgnutls.so.30.6.8
+file path=usr/lib/$(MACH64)/gnutls-3/pkgconfig/gnutls.pc
+link path=usr/lib/gnutls-3/libgnutls.so target=libgnutls.so.30.7.0
+link path=usr/lib/gnutls-3/libgnutls.so.30 target=libgnutls.so.30.7.0
+file path=usr/lib/gnutls-3/libgnutls.so.30.7.0
 link path=usr/lib/gnutls-3/libgnutlsxx.so target=libgnutlsxx.so.28.1.0
 link path=usr/lib/gnutls-3/libgnutlsxx.so.28 target=libgnutlsxx.so.28.1.0
 file path=usr/lib/gnutls-3/libgnutlsxx.so.28.1.0
+file path=usr/lib/gnutls-3/pkgconfig/gnutls.pc
 file path=usr/share/gnutls-3/man/man1/certtool.1
 file path=usr/share/gnutls-3/man/man1/gnutls-cli-debug.1
 file path=usr/share/gnutls-3/man/man1/gnutls-cli.1
@@ -552,6 +554,7 @@ file path=usr/share/gnutls-3/man/man3/gnutls_pkcs7_get_crt_count.3
 file path=usr/share/gnutls-3/man/man3/gnutls_pkcs7_get_crt_raw.3
 file path=usr/share/gnutls-3/man/man3/gnutls_pkcs7_get_crt_raw2.3
 file path=usr/share/gnutls-3/man/man3/gnutls_pkcs7_get_embedded_data.3
+file path=usr/share/gnutls-3/man/man3/gnutls_pkcs7_get_embedded_data_oid.3
 file path=usr/share/gnutls-3/man/man3/gnutls_pkcs7_get_signature_count.3
 file path=usr/share/gnutls-3/man/man3/gnutls_pkcs7_get_signature_info.3
 file path=usr/share/gnutls-3/man/man3/gnutls_pkcs7_import.3
diff --git a/components/library/gnutls-3/manifests/sample-manifest.p5m b/components/library/gnutls-3/manifests/sample-manifest.p5m
index 08865a22a..653381178 100644
--- a/components/library/gnutls-3/manifests/sample-manifest.p5m
+++ b/components/library/gnutls-3/manifests/sample-manifest.p5m
@@ -57,17 +57,17 @@ file path=usr/include/gnutls-3/gnutls/tpm.h
 file path=usr/include/gnutls-3/gnutls/urls.h
 file path=usr/include/gnutls-3/gnutls/x509-ext.h
 file path=usr/include/gnutls-3/gnutls/x509.h
-link path=usr/lib/$(MACH64)/gnutls-3/libgnutls.so target=libgnutls.so.30.6.8
-link path=usr/lib/$(MACH64)/gnutls-3/libgnutls.so.30 target=libgnutls.so.30.6.8
-file path=usr/lib/$(MACH64)/gnutls-3/libgnutls.so.30.6.8
+link path=usr/lib/$(MACH64)/gnutls-3/libgnutls.so target=libgnutls.so.30.7.0
+link path=usr/lib/$(MACH64)/gnutls-3/libgnutls.so.30 target=libgnutls.so.30.7.0
+file path=usr/lib/$(MACH64)/gnutls-3/libgnutls.so.30.7.0
 link path=usr/lib/$(MACH64)/gnutls-3/libgnutlsxx.so target=libgnutlsxx.so.28.1.0
 link path=usr/lib/$(MACH64)/gnutls-3/libgnutlsxx.so.28 \
 target=libgnutlsxx.so.28.1.0
 file path=usr/lib/$(MACH64)/gnutls-3/libgnutlsxx.so.28.1.0
 file path=usr/lib/$(MACH64)/gnutls-3/pkgconfig/gnutls.pc
-link path=usr/lib/gnutls-3/libgnutls.so target=libgnutls.so.30.6.8
-link path=usr/lib/gnutls-3/libgnutls.so.30 target=libgnutls.so.30.6.8
-file path=usr/lib/gnutls-3/libgnutls.so.30.6.8
+link path=usr/lib/gnutls-3/libgnutls.so target=libgnutls.so.30.7.0
+link path=usr/lib/gnutls-3/libgnutls.so.30 target=libgnutls.so.30.7.0
+file path=usr/lib/gnutls-3/libgnutls.so.30.7.0
 link path=usr/lib/gnutls-3/libgnutlsxx.so target=libgnutlsxx.so.28.1.0
 link path=usr/lib/gnutls-3/libgnutlsxx.so.28 target=libgnutlsxx.so.28.1.0
 file path=usr/lib/gnutls-3/libgnutlsxx.so.28.1.0
@@ -565,6 +565,7 @@ file path=usr/share/gnutls-3/man/man3/gnutls_pkcs7_get_crt_count.3
 file path=usr/share/gnutls-3/man/man3/gnutls_pkcs7_get_crt_raw.3
 file path=usr/share/gnutls-3/man/man3/gnutls_pkcs7_get_crt_raw2.3
 file path=usr/share/gnutls-3/man/man3/gnutls_pkcs7_get_embedded_data.3
+file path=usr/share/gnutls-3/man/man3/gnutls_pkcs7_get_embedded_data_oid.3
 file path=usr/share/gnutls-3/man/man3/gnutls_pkcs7_get_signature_count.3
 file path=usr/share/gnutls-3/man/man3/gnutls_pkcs7_get_signature_info.3
 file path=usr/share/gnutls-3/man/man3/gnutls_pkcs7_import.3
diff --git a/components/library/gnutls-3/patches/04-CVE-2017-5334.patch b/components/library/gnutls-3/patches/04-CVE-2017-5334.patch
new file mode 100644
index 000000000..c6564a690
--- /dev/null
+++ b/components/library/gnutls-3/patches/04-CVE-2017-5334.patch
@@ -0,0 +1,72 @@
+From bbfd47d4bb6935b3eddae227deb9f340e2c1a69d Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos
+Date: Thu, 15 Dec 2016 15:02:18 +0100
+Subject: [PATCH] gnutls_x509_ext_import_proxy: fix issue reading the policy language
+
+If the language was set but the policy wasn't, that could lead to
+a double free, as the value returned to the user was freed.
+---
+ lib/x509/x509_ext.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+Index: gnutls28-3.4.10/lib/x509/x509_ext.c
+===================================================================
+--- gnutls28-3.4.10.orig/lib/x509/x509_ext.c 2017-01-26 10:10:40.316650700 -0500
++++ gnutls28-3.4.10/lib/x509/x509_ext.c 2017-01-26 10:10:40.312650643 -0500
+@@ -1415,7 +1415,8 @@
+ {
+ ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
+ int result;
+- gnutls_datum_t value = { NULL, 0 };
++ gnutls_datum_t value1 = { NULL, 0 };
++ gnutls_datum_t value2 = { NULL, 0 };
+
+ if ((result = asn1_create_element
+ (_gnutls_get_pkix(), "PKIX1.ProxyCertInfo",
+@@ -1445,20 +1446,18 @@
+ }
+
+ result = _gnutls_x509_read_value(c2, "proxyPolicy.policyLanguage",
+- &value);
++ &value1);
+ if (result < 0) {
+ gnutls_assert();
+ goto cleanup;
+ }
+
+ if (policyLanguage) {
+- *policyLanguage = (char *)value.data;
+- } else {
+- gnutls_free(value.data);
+- value.data = NULL;
++ *policyLanguage = (char *)value1.data;
++ value1.data = NULL;
+ }
+
+- result = _gnutls_x509_read_value(c2, "proxyPolicy.policy", &value);
++ result = _gnutls_x509_read_value(c2, "proxyPolicy.policy", &value2);
+ if (result == GNUTLS_E_ASN1_ELEMENT_NOT_FOUND) {
+ if (policy)
+ *policy = NULL;
+@@ -1469,16 +1468,17 @@
+ goto cleanup;
+ } else {
+ if (policy) {
+- *policy = (char *)value.data;
+- value.data = NULL;
++ *policy = (char *)value2.data;
++ value2.data = NULL;
+ }
+ if (sizeof_policy)
+- *sizeof_policy = value.size;
++ *sizeof_policy = value2.size;
+ }
+
+ result = 0;
+ cleanup:
+- gnutls_free(value.data);
++ gnutls_free(value1.data);
++ gnutls_free(value2.data);
+ asn1_delete_structure(&c2);
+
+ return result;
diff --git a/components/library/gnutls-3/patches/05-CVE-2017-5335.patch b/components/library/gnutls-3/patches/05-CVE-2017-5335.patch
new file mode 100644
index 000000000..eb96dea04
--- /dev/null
+++ b/components/library/gnutls-3/patches/05-CVE-2017-5335.patch
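Review bot: In the second inner hunk (`@@ -1445,20 +1446,18 @@`) `*policyLanguage` takes ownership of `value1.data` before the `proxyPolicy.policy` read is attempted, so when that read fails with anything other than GNUTLS_E_ASN1_ELEMENT_NOT_FOUND (the `goto cleanup` at the top of the third inner hunk is presumably that branch) the function returns an error while the caller is already holding an allocated `*policyLanguage` it may not expect to free on an error return. The double free the patch removes is gone, but the ownership transfer on the error path deserves to be explicit: either defer the assignment until after the policy read succeeds, or release it on the failing path with `if (policyLanguage) { gnutls_free(*policyLanguage); *policyLanguage = NULL; }` before that `goto cleanup`. The function's signature and closing brace are outside the hunk, so whether callers already handle this cannot be seen here.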
@@ -0,0 +1,127 @@
+From 785af1ab577f899d2e54172ff120f404709bf172 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos
+Date: Wed, 4 Jan 2017 15:22:13 +0100
+Subject: [PATCH] opencdk: added error checking in the stream reading functions
+
+This addresses an out of memory error. Issue found using oss-fuzz:
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=337
+
+Signed-off-by: Nikos Mavrogiannopoulos
+---
+ lib/opencdk/read-packet.c | 40 +++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 35 insertions(+), 5 deletions(-)
+
+Index: gnutls28-3.4.10/lib/opencdk/read-packet.c
+===================================================================
+--- gnutls28-3.4.10.orig/lib/opencdk/read-packet.c 2017-01-26 10:10:49.072776537 -0500
++++ gnutls28-3.4.10/lib/opencdk/read-packet.c 2017-01-26 10:10:49.072776537 -0500
+@@ -50,13 +50,13 @@
+ static u32 read_32(cdk_stream_t s)
+ {
+ byte buf[4];
+- size_t nread;
++ size_t nread = 0;
+
+ assert(s != NULL);
+
+ stream_read(s, buf, 4, &nread);
+ if (nread != 4)
+- return (u32) - 1;
++ return (u32) -1;
+ return buf[0] << 24 | buf[1] << 16 | buf[2] << 8 | buf[3];
+ }
+
+@@ -65,7 +65,7 @@
+ static u16 read_16(cdk_stream_t s)
+ {
+ byte buf[2];
+- size_t nread;
++ size_t nread = 0;
+
+ assert(s != NULL);
+
+@@ -547,7 +547,7 @@
+ static cdk_error_t
+ read_subpkt(cdk_stream_t inp, cdk_subpkt_t * r_ctx, size_t * r_nbytes)
+ {
+- byte c, c1;
++ int c, c1;
+ size_t size, nread, n;
+ cdk_subpkt_t node;
+ cdk_error_t rc;
+@@ -562,11 +562,18 @@
+ *r_nbytes = 0;
+ c = cdk_stream_getc(inp);
+ n++;
++
+ if (c == 255) {
+ size = read_32(inp);
++ if (size == (u32)-1)
++ return CDK_Inv_Packet;
++
+ n += 4;
+ } else if (c >= 192 && c < 255) {
+ c1 = cdk_stream_getc(inp);
++ if (c1 == EOF)
++ return CDK_Inv_Packet;
++
+ n++;
+ if (c1 == 0)
+ return 0;
+@@ -831,17 +838,29 @@
+ read_old_length(cdk_stream_t inp, int ctb, size_t * r_len, size_t * r_size)
+ {
+ int llen = ctb & 0x03;
++ int c;
+
+ if (llen == 0) {
+- *r_len = cdk_stream_getc(inp);
++ c = cdk_stream_getc(inp);
++ if (c == EOF)
++ goto fail;
++
++ *r_len = c;
+ (*r_size)++;
+ } else if (llen == 1) {
+ *r_len = read_16(inp);
++ if (*r_len == (u16)-1)
++ goto fail;
+ (*r_size) += 2;
+ } else if (llen == 2) {
+ *r_len = read_32(inp);
++ if (*r_len == (u32)-1) {
++ goto fail;
++ }
++
+ (*r_size) += 4;
+ } else {
++ fail:
+ *r_len = 0;
+ *r_size = 0;
+ }
+@@ -856,15 +875,25 @@
+ int c, c1;
+
+ c = cdk_stream_getc(inp);
++ if (c == EOF)
++ return;
++
+ (*r_size)++;
+ if (c < 192)
+ *r_len = c;
+ else if (c >= 192 && c <= 223) {
+ c1 = cdk_stream_getc(inp);
++ if (c1 == EOF)
++ return;
++
+ (*r_size)++;
+ *r_len = ((c - 192) << 8) + c1 + 192;
+ } else if (c == 255) {
+ *r_len = read_32(inp);
++ if (*r_len == (u32)-1) {
++ return;
++ }
++
+ (*r_size) += 4;
+ } else {
+ *r_len = 1 << (c & 0x1f);
diff --git a/components/library/gnutls-3/patches/06-CVE-2017-5336.patch b/components/library/gnutls-3/patches/06-CVE-2017-5336.patch
new file mode 100644
index 000000000..6e5cbe267
--- /dev/null
+++ b/components/library/gnutls-3/patches/06-CVE-2017-5336.patch
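Review bot: In the `@@ -562,11 +562,18 @@` hunk of read_subpkt the first `c = cdk_stream_getc(inp);` is still unchecked even though `c1` now is; with `c` widened to `int`, an EOF result (-1) matches neither `c == 255` nor `c >= 192 && c < 255` and falls through to the else branch outside the hunk, so the truncated-stream case this patch targets is only half closed in that function. Adding `if (c == EOF) return CDK_Inv_Packet;` directly after `n++;` would make the three reads consistent. Separately, in read_old_length the new `fail:` label lands inside the `else` block and produces the same `*r_len = 0; *r_size = 0;` as the indeterminate-length case (llen == 3), so a caller cannot tell truncation from a legitimate indeterminate length unless the return value, which is not visible here, conveys it; the `(u16)-1` comparison also rejects a genuine two-byte length of 0xFFFF as if it were a short read. Both functions extend beyond the hunk on either side.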
@@ -0,0 +1,42 @@
+From 7dec871f82e205107a81281e3286f0aa9caa93b3 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos
+Date: Wed, 4 Jan 2017 14:56:50 +0100
+Subject: [PATCH] opencdk: cdk_pk_get_keyid: fix stack overflow
+
+Issue found using oss-fuzz:
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=340
+
+Signed-off-by: Nikos Mavrogiannopoulos
+---
+ lib/opencdk/pubkey.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/lib/opencdk/pubkey.c b/lib/opencdk/pubkey.c
+index 6e753bd..da43129 100644
+--- a/lib/opencdk/pubkey.c
++++ b/lib/opencdk/pubkey.c
+@@ -518,6 +518,7 @@ u32 cdk_pk_get_keyid(cdk_pubkey_t pk, u32 * keyid)
+ {
+ u32 lowbits = 0;
+ byte buf[24];
++ int rc;
+
+ if (pk && (!pk->keyid[0] || !pk->keyid[1])) {
+ if (pk->version < 4 && is_RSA(pk->pubkey_algo)) {
+@@ -525,7 +526,12 @@ u32 cdk_pk_get_keyid(cdk_pubkey_t pk, u32 * keyid)
+ size_t n;
+
+ n = MAX_MPI_BYTES;
+- _gnutls_mpi_print(pk->mpi[0], p, &n);
++ rc = _gnutls_mpi_print(pk->mpi[0], p, &n);
++ if (rc < 0 || n < 8) {
++ keyid[0] = keyid[1] = (u32)-1;
++ return (u32)-1;
++ }
++
+ pk->keyid[0] =
+ p[n - 8] << 24 | p[n - 7] << 16 | p[n -
+ 6] << 8 |
+--
+libgit2 0.24.0
+
diff --git a/components/library/gnutls-3/patches/07-CVE-2017-5337.patch b/components/library/gnutls-3/patches/07-CVE-2017-5337.patch
new file mode 100644
index 000000000..102cb0561
--- /dev/null
+++ b/components/library/gnutls-3/patches/07-CVE-2017-5337.patch
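Review bot: The new error branch in `@@ -525,7 +526,12 @@` stores through `keyid` (`keyid[0] = keyid[1] = (u32)-1;`) without a NULL check, while every other use of the `u32 * keyid` out-parameter is outside the hunk; if the rest of the function accepts a NULL `keyid`, as an optional out-parameter commonly does, this branch dereferences NULL on exactly the malformed-key input the fix is meant to reject. Guarding it as `if (keyid) keyid[0] = keyid[1] = (u32)-1;` costs nothing and keeps the function's contract unchanged. Note also that `(u32)-1` is an in-band sentinel, since a key whose low 32 bits are 0xFFFFFFFF yields the same return value as the failure case, so callers should not rely on the return value alone to detect the error. The function continues beyond the hunk.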
@@ -0,0 +1,95 @@
+Backport of:
+
+From 6231a4a087f9fdbd5f5f274e80c7a71e3e45b9c8 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos
+Date: Wed, 4 Jan 2017 14:42:03 +0100
+Subject: [PATCH] opencdk: read_attribute: added more precise checks when reading stream
+
+That addresses heap read overflows found using oss-fuzz:
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=338
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=346
+
+Signed-off-by: Nikos Mavrogiannopoulos
+---
+ lib/opencdk/read-packet.c | 40 +++++++++++++++++++++++++++++-----------
+ 1 file changed, 29 insertions(+), 11 deletions(-)
+
+Index: gnutls28-3.4.10/lib/opencdk/read-packet.c
+===================================================================
+--- gnutls28-3.4.10.orig/lib/opencdk/read-packet.c 2017-01-26 10:11:21.437289687 -0500
++++ gnutls28-3.4.10/lib/opencdk/read-packet.c 2017-01-26 10:13:07.566968471 -0500
+@@ -477,44 +477,63 @@
+ return CDK_Out_Of_Core;
+ rc = stream_read(inp, buf, pktlen, &nread);
+ if (rc) {
+- cdk_free(buf);
+- return CDK_Inv_Packet;
++ gnutls_assert();
++ rc = CDK_Inv_Packet;
++ goto error;
+ }
++
+ p = buf;
+ len = *p++;
+ pktlen--;
++
+ if (len == 255) {
++ if (pktlen < 4) {
++ gnutls_assert();
++ rc = CDK_Inv_Packet;
++ goto error;
++ }
++
+ len = _cdk_buftou32(p);
+ p += 4;
+ pktlen -= 4;
+ } else if (len >= 192) {
+ if (pktlen < 2) {
+- cdk_free(buf);
+- return CDK_Inv_Packet;
++ gnutls_assert();
++ rc = CDK_Inv_Packet;
++ goto error;
+ }
+ len = ((len - 192) << 8) + *p + 192;
+ p++;
+ pktlen--;
+ }
+
+- if (*p != 1) { /* Currently only 1, meaning an image, is defined. */
+- cdk_free(buf);
+- return CDK_Inv_Packet;
++ if (!len || *p != 1) { /* Currently only 1, meaning an image, is defined. */
++ rc = CDK_Inv_Packet;
++ goto error;
+ }
++
+ p++;
+ len--;
+
+- if (len >= pktlen)
+- return CDK_Inv_Packet;
++ if (len >= pktlen) {
++ rc = CDK_Inv_Packet;
++ goto error;
++ }
++
+ attr->attrib_img = cdk_calloc(1, len);
+ if (!attr->attrib_img) {
+- cdk_free(buf);
+- return CDK_Out_Of_Core;
++ rc = CDK_Out_Of_Core;
++ goto error;
+ }
++
+ attr->attrib_len = len;
+ memcpy(attr->attrib_img, p, len);
+ cdk_free(buf);
+ return rc;
++
++ error:
++ cdk_free(buf);
++ return rc;
+ }
+
+
--
2.11.4.GIT
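Review bot: In the `@@ -477,44 +477,63 @@` hunk `*p` is dereferenced in `if (!len || *p != 1)` after the length prefix has been consumed, but the only bounds checks ahead of it are `pktlen < 4` (taken before `pktlen -= 4`) and `pktlen < 2` (before `pktlen--`); a packet whose payload is exactly a 1-byte or 5-byte prefix therefore reaches that test with `pktlen == 0` and `p` pointing just past the `pktlen` bytes `stream_read` was asked to fill, so the read is one byte out of bounds before the later `len >= pktlen` check can reject it. Tightening the test to `if (!pktlen || !len || *p != 1) {` (or requiring `pktlen < 5` in the 255 case) closes that window. Whether an earlier minimum-length check on `pktlen` exists cannot be seen, since the function starts before the hunk, and `nread` is never compared with `pktlen` here, which matters only if `stream_read` can report success on a short read.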