From 67bf19aee9acf9344472afec0d81e0f608fe192b Mon Sep 17 00:00:00 2001
From: yeah_wang <1485652911@qq.com>
Date: Fri, 20 Mar 2020 15:37:18 +0800
Subject: [PATCH] fix CVE-2018-1000654
---
CVE-2018-1000654.spec | 121 ++++++++++++++++++++++++++++++++++++++++++
libtasn1.spec | 7 ++-
2 files changed, 127 insertions(+), 1 deletion(-)
create mode 100644 CVE-2018-1000654.spec
diff --git a/CVE-2018-1000654.spec b/CVE-2018-1000654.spec
new file mode 100644
index 0000000..d0629c7
--- /dev/null
+++ b/CVE-2018-1000654.spec
@@ -0,0 +1,121 @@ +From 9c40f7796c9d33179b602f65f4b587d175fba23c Mon Sep 17 00:00:00 2001 +From: Mike Gorse +Date: Thu, 11 Apr 2019 11:14:58 -0500 +Subject: [PATCH 1/2] _asn1_expand_object_id: Limit recursion + +Resolves #4 +--- + lib/parser_aux.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/lib/parser_aux.c b/lib/parser_aux.c +index 786ea64..08c2167 100644 +--- a/lib/parser_aux.c ++++ b/lib/parser_aux.c +@@ -675,7 +675,7 @@ _asn1_expand_object_id (asn1_node node) + { + asn1_node p, p2, p3, p4, p5; + char name_root[ASN1_MAX_NAME_SIZE], name2[2 * ASN1_MAX_NAME_SIZE + 1]; +- int move, tlen; ++ int move, tlen, tries; + + if (node == NULL) + return ASN1_ELEMENT_NOT_FOUND; +@@ -684,6 +684,7 @@ _asn1_expand_object_id (asn1_node node) + + p = node; + move = DOWN; ++ tries = 0; + + while (!((p == node) && (move == UP))) + { +@@ -738,7 +739,9 @@ _asn1_expand_object_id (asn1_node node) + p4 = p4->right; + } + move = DOWN; +- continue; ++ tries++; ++ if (tries < 3) ++ continue; + } + } + } +@@ -747,6 +750,7 @@ _asn1_expand_object_id (asn1_node node) + else + move = RIGHT; + ++ tries = 0; + if (move == DOWN) + { + if (p->down) +-- +From 57d6bc19d44b0693023031c6dbc0d21a36550f34 Mon Sep 17 00:00:00 2001 +From: Mike Gorse +Date: Thu, 25 Apr 2019 16:40:18 -0500 +Subject: [PATCH 2/2] Add reproducer for issues/4 to Test_tree.asn + +--- + tests/Test_tree.asn | 9 +++++++++ + tests/Test_tree_asn1_tab.c | 13 +++++++++++-- + 2 files changed, 20 insertions(+), 2 deletions(-) + +diff --git a/tests/Test_tree.asn b/tests/Test_tree.asn +index 0ad0dc5..a253bc8 100644 +--- a/tests/Test_tree.asn ++++ b/tests/Test_tree.asn +@@ -154,6 +154,15 @@ X520LocalityName ::= CHOICE { + bmpString BMPString } + + ++id-xnyTest OBJECT IDENTIFIER ::= {id-ix 29 1} ++id-ix OBJECR ::= {id-ix 29 2} ++BMPString ::= OCTET S ++} ++UniversalString : BY id O} ++id-ix OBJECT IDENTIFIER ::= {2 5} ++id-xnyTest OBJECT IDENTIFIER ::= {id-ix 29 1} ++anyTest2 ::= INTEGER ++ + id-Test OBJECT 
IDENTIFIER ::= {1 2 29 2} + + END +diff --git a/tests/Test_tree_asn1_tab.c b/tests/Test_tree_asn1_tab.c +index 7869f85..0f211c8 100644 +--- a/tests/Test_tree_asn1_tab.c ++++ b/tests/Test_tree_asn1_tab.c +@@ -68,7 +68,7 @@ const asn1_static_node Test_tree_asn1_tab[] = { + { "set", 1610612751, NULL }, + { NULL, 3, NULL }, + { "oid", 1073741836, NULL }, +- { "time2", 1082130449, NULL }, ++ { "time2", 1073741861, NULL }, + { "bol", 1073741828, NULL }, + { "oct", 1073741831, NULL }, + { "bit", 1073758214, NULL }, +@@ -81,7 +81,7 @@ const asn1_static_node Test_tree_asn1_tab[] = { + { "any", 1610637325, NULL }, + { NULL, 4104, "1"}, + { "gen", 1073758235, NULL }, +- { "time1", 16777233, NULL }, ++ { "time1", 36, NULL }, + { "SequenceTestTag", 1610612741, NULL }, + { "int1", 1610620931, NULL }, + { NULL, 2056, "2"}, +@@ -160,6 +160,15 @@ const asn1_static_node Test_tree_asn1_tab[] = { + { "universalString", 1073741856, NULL }, + { "utf8String", 1073741858, NULL }, + { "bmpString", 33, NULL }, ++ { "id-xnyTest", 1879048204, NULL }, ++ { NULL, 1073741825, "id-ix"}, ++ { NULL, 1073741825, "29"}, ++ { NULL, 1, "1"}, ++ { "id-ix", 1880096780, "OBJECR"}, ++ { NULL, 1073741825, "id-ix"}, ++ { NULL, 1073741825, "29"}, ++ { NULL, 1, "2"}, ++ { "BMPString", 1073741827, NULL }, + { "id-Test", 805306380, NULL }, + { NULL, 1073741825, "1"}, + { NULL, 1073741825, "2"}, +-- +2.20.1 diff --git a/libtasn1.spec b/libtasn1.spec index f006713..da7087f 100644 --- a/libtasn1.spec +++ b/libtasn1.spec @@ -1,7 +1,7 @@ Summary: Libtasn1 is a ASN.1 parsing library Name: libtasn1 Version: 4.13 -Release: 6 +Release: 7 # The libtasn1 library is LGPLv2+, utilities are GPLv3+ License: GPLv3+ and LGPLv2+ 
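Review bot: In the embedded lib/parser_aux.c change, the bound in `if (tries < 3) continue;` is an undocumented magic number, and once it is reached the loop appears to fall through and keep walking the tree instead of reporting the self-referential OBJECT IDENTIFIER to the caller. Because this counter is the whole fix for CVE-2018-1000654, the intent should be recorded next to it, for example `/* cap re-expansion of the same node so a self-referencing OID definition cannot loop forever */`. It is also worth confirming that the reproducer added to tests/Test_tree.asn ends in a defined error return rather than a partially expanded tree; that return path is not visible here. `_asn1_expand_object_id` starts and ends outside the quoted context, so the placement of the `tries = 0;` reset can only be judged against the full function.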
@@ -9,6 +9,8 @@ URL: http://www.gnu.org/software/libtasn1/ Source0: http://ftp.gnu.org/gnu/libtasn1/%name-%version.tar.gz Source1: http://ftp.gnu.org/gnu/libtasn1/%name-%version.tar.gz.sig +Patch0000: CVE-2018-1000654.spec + BuildRequires: gcc, autoconf, automake, libtool, gnupg2, bison, pkgconfig, help2man, valgrind-devel Provides: bundled(gnulib) = 20130324 Provides: %{name}-tools = %{version}-%{release} @@ -78,6 +80,9 @@ test "$1" = 0 -a -f %_infodir/%name.info.gz && \ %{_infodir}/*.info.* %changelog +* Fri Mar 20 2020 wangye - 4.13-7 +- Fix CVE-2018-1000654 + * Sun Jan 12 2020 openEuler Buildteam - 4.13-6 - simplify functions -- Gitee
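Review bot: `Patch0000` is declared in this hunk, but none of the libtasn1.spec hunks touch `%prep`, so the CVE fix reaches the build only if the existing `%prep` already applies patches automatically (for instance through `%autosetup -p1`). That section is outside the diff and should be checked; if it uses plain `%setup`, a line such as `%patch0000 -p1` is needed, otherwise the package ships as 4.13-7 with a changelog entry claiming the fix while the source is unpatched. The patch is also stored as `CVE-2018-1000654.spec`, which reads as a second RPM spec file; naming it `CVE-2018-1000654.patch` and referencing it as `Patch0000: CVE-2018-1000654.patch` would keep tooling and reviewers from mistaking it for one.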