Source:
Internal
Info:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3469
The (1) asn1_read_value_type and (2) asn1_read_value functions in GNU Libtasn1
before 3.6 allow context-dependent attackers to cause a denial of service
(NULL pointer dereference and crash) via a NULL value in an ivalue argument.
Status:
Need to determine if this patch has been sent upstream.
--- libtasn1-2.8/lib/element.c.orig 2014-06-05 10:41:52.955725412 +0530
+++ libtasn1-2.8/lib/element.c 2014-06-05 11:09:52.177695875 +0530
@@ -113,8 +113,11 @@ _asn1_convert_integer (const char *value
/* VALUE_OUT is too short to contain the value conversion */
return ASN1_MEM_ERROR;
- for (k2 = k; k2 < SIZEOF_UNSIGNED_LONG_INT; k2++)
+ if (value_out != NULL)
+ {
+ for (k2 = k; k2 < SIZEOF_UNSIGNED_LONG_INT; k2++)
value_out[k2 - k] = val[k2];
+ }
#if 0
printf ("_asn1_convert_integer: valueIn=%s, lenOut=%d", value, *len);
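Review bot: The new `if (value_out != NULL)` guard turns a NULL output buffer into a silent success path, but nothing at the guard or in the visible comments says that NULL is an accepted length-only query. The "VALUE_OUT is too short" check above still appears to run before the guard, so the accepted combinations of `value_out` and its size are not obvious to a caller. I would add a comment at the guard such as `/* value_out may be NULL: the caller only wants *len */` and state the accepted combinations in the function's header comment. The signature and the code that sets `*len` lie outside this hunk, so whether `*len` is filled in on the NULL path should be confirmed there.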
@@ -622,7 +625,8 @@ asn1_write_value (ASN1_TYPE node_root, c
if (ptr_size < data_size) { \
return ASN1_MEM_ERROR; \
} else { \
- memcpy( ptr, data, data_size); \
+ if (ptr && data_size > 0) \
+ memcpy( ptr, data, data_size); \
}
#define PUT_STR_VALUE( ptr, ptr_size, data) \
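Review bot: The added `if (ptr && data_size > 0)` sits unbraced inside the `else` branch of a multi-line macro, while the `if (ptr)` added to `PUT_STR_VALUE` in the next hunk is braced and the one in `ADD_STR_VALUE` is not. I would brace all three the same way, here as `if (ptr && data_size > 0) { \` / `memcpy (ptr, data, data_size); \` / `} \`, so that a later edit to the macro cannot detach the call from its guard. The guard also tests only `ptr`; if `data` can be NULL with a non-zero `data_size` at any expansion site, the `memcpy` is still undefined, which needs checking against the callers. The macro's first lines are outside this hunk.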
@@ -631,36 +635,39 @@ asn1_write_value (ASN1_TYPE node_root, c
return ASN1_MEM_ERROR; \
} else { \
/* this strcpy is checked */ \
- strcpy(ptr, data); \
+ if (ptr) { \
+ strcpy(ptr, data); \
+ } \
}
#define ADD_STR_VALUE( ptr, ptr_size, data) \
- *len = (int) strlen(data) + 1; \
- if (ptr_size < (int) strlen(ptr)+(*len)) { \
+ *len += strlen(data); \
+ if (ptr_size < (int) *len) { \
+ (*len)++; \
return ASN1_MEM_ERROR; \
} else { \
/* this strcat is checked */ \
- strcat(ptr, data); \
+ if (ptr) strcat (ptr, data); \
}
-
/**
* asn1_read_value:
* @root: pointer to a structure.
* @name: the name of the element inside a structure that you want to read.
* @ivalue: vector that will contain the element's content, must be a
- * pointer to memory cells already allocated.
+ * pointer to memory cells already allocated (may be %NULL).
* @len: number of bytes of *value: value[0]..value[len-1]. Initialy
* holds the sizeof value.
*
* Returns the value of one element inside a structure.
- *
- * If an element is OPTIONAL and the function "read_value" returns
+ * If an element is OPTIONAL and this returns
* %ASN1_ELEMENT_NOT_FOUND, it means that this element wasn't present
* in the der encoding that created the structure. The first element
* of a SEQUENCE_OF or SET_OF is named "?1". The second one "?2" and
* so on.
*
- * INTEGER: VALUE will contain a two's complement form integer.
+ * Note that there can be valid values with length zero. In these case
+ * this function will succeed and @len will be zero.
+ *
*
* integer=-1 -> value[0]=0xFF , len=1.
* integer=1 -> value[0]=0x01 , len=1.
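Review bot: The rewritten `ADD_STR_VALUE` check `if (ptr_size < (int) *len)` lets `ptr_size == *len` through, and if `*len` counts characters without the terminator (as the `(*len)++` on the error path suggests), the following `strcat` writes its NUL one byte past the buffer. I would tighten it to `if (ptr_size <= (int) *len) { \`, or confirm that every expansion site has already reserved the terminator byte. The switch from `*len = ...` to `*len += strlen(data)` also depends on each call site resetting `*len` to the current string length first, since the doc comment says `@len` initially holds the buffer size. Those call sites are outside this hunk and should be checked against the rest of the patch. The doc comment now allows a NULL `@ivalue`, and it would help to state there what `@len` holds on return in that case.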