From patchwork Fri Mar 7 10:39:49 2025
X-Patchwork-Submitter: Peng Zhang
X-Patchwork-Id: 58461
X-Patchwork-Delegate: steve@sakoman.com
From: peng.zhang1.cn@windriver.com
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone][PATCH ] libtasn1: fix CVE-2024-12133
Date: Fri, 7 Mar 2025 18:39:49 +0800
Message-ID: <20250307103950.3859258-1-peng.zhang1.cn@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212428

From: Zhang Peng

CVE-2024-12133:
A flaw in libtasn1 causes inefficient handling of specific certificate data.
When processing a large number of elements in a certificate, libtasn1 takes
much longer than expected, which can slow down or even crash the system.
This flaw allows an attacker to send a specially crafted certificate,
causing a denial of service attack.

Reference: [https://nvd.nist.gov/vuln/detail/CVE-2024-12133]

Upstream patches:
[https://gitlab.com/gnutls/libtasn1/-/commit/4082ca2220b5ba910b546afddf7780fc4a51f75a]
[https://gitlab.com/gnutls/libtasn1/-/commit/869a97aa259dffa2620dabcad84e1c22545ffc3d]

Signed-off-by: Zhang Peng --- .../gnutls/libtasn1/CVE-2024-12133-0001.patch | 43 ++++ .../gnutls/libtasn1/CVE-2024-12133-0002.patch | 235 ++++++++++++++++++ .../recipes-support/gnutls/libtasn1_4.19.0.bb | 2 + 3 files changed, 280 insertions(+) create mode 100644 meta/recipes-support/gnutls/libtasn1/CVE-2024-12133-0001.patch create mode 100644 meta/recipes-support/gnutls/libtasn1/CVE-2024-12133-0002.patch diff --git a/meta/recipes-support/gnutls/libtasn1/CVE-2024-12133-0001.patch b/meta/recipes-support/gnutls/libtasn1/CVE-2024-12133-0001.patch new file mode 100644 index 0000000000..d843b6dc92 --- /dev/null +++ b/meta/recipes-support/gnutls/libtasn1/CVE-2024-12133-0001.patch @@ -0,0 +1,43 @@ +From 4082ca2220b5ba910b546afddf7780fc4a51f75a Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Sat, 19 Oct 2024 02:47:04 +0900 +Subject: [PATCH] asn1_der_decoding2: optimize _asn1_find_up call with node + cache + +If we are parsing a sequence or set and the current node is a direct +child of it, there is no need to traverse the list back to the +leftmost one as we have a node cache. + +Signed-off-by: Daiki Ueno +Signed-off-by: Simon Josefsson + +CVE: CVE-2024-12133 +Upstream-Status: Backport [https://gitlab.com/gnutls/libtasn1/-/commit/4082ca2220b5ba910b546afddf7780fc4a51f75a] + +Signed-off-by: Zhang Peng +--- + lib/decoding.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/lib/decoding.c b/lib/decoding.c +index d2f6dea..1e0fcb3 100644 +--- a/lib/decoding.c ++++ b/lib/decoding.c +@@ -1570,7 +1570,14 @@ asn1_der_decoding2 (asn1_node *element, const void *ider, int *max_ider_len, + move = UP; + } + if (move == UP) +- p = _asn1_find_up (p); ++ { ++ /* If we are parsing a sequence or set and p is a direct ++ child of it, no need to traverse the list back to the leftmost node. */ ++ if (tcache.tail == p) ++ p = tcache.head; ++ else ++ p = _asn1_find_up (p); ++ } + } + + _asn1_delete_not_used (*element); +-- +GitLab 
diff --git a/meta/recipes-support/gnutls/libtasn1/CVE-2024-12133-0002.patch b/meta/recipes-support/gnutls/libtasn1/CVE-2024-12133-0002.patch new file mode 100644 index 0000000000..a3a6af2920 --- /dev/null +++ b/meta/recipes-support/gnutls/libtasn1/CVE-2024-12133-0002.patch 
@@ -0,0 +1,235 @@ +From 869a97aa259dffa2620dabcad84e1c22545ffc3d Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Fri, 8 Nov 2024 16:05:32 +0900 +Subject: [PATCH] asn1_find_node: optimize "?NUMBER" node lookup with indexing + +To avoid linear search of named nodes, this adds a array of child +nodes to their parent nodes as a cache. + +Signed-off-by: Daiki Ueno +Signed-off-by: Simon Josefsson + +CVE: CVE-2024-12133 +Upstream-Status: Backport [https://gitlab.com/gnutls/libtasn1/-/commit/869a97aa259dffa2620dabcad84e1c22545ffc3d] + +Signed-off-by: Zhang Peng +--- + lib/element.c | 56 ++++++++++++++++++++++++++++++++++++++++++------ + lib/element.h | 10 +++++++++ + lib/int.h | 8 +++++++ + lib/parser_aux.c | 10 +++++++++ + lib/structure.c | 13 +++++++++++ + 5 files changed, 90 insertions(+), 7 deletions(-) + +diff --git a/lib/element.c b/lib/element.c +index 850bef4a..528df418 100644 +--- a/lib/element.c ++++ b/lib/element.c +@@ -33,6 +33,8 @@ + #include "structure.h" + #include "c-ctype.h" + #include "element.h" ++#include ++#include "intprops.h" + + void + _asn1_hierarchical_name (asn1_node_const node, char *name, int name_size) +@@ -129,6 +131,41 @@ _asn1_convert_integer (const unsigned char *value, unsigned char *value_out, + return ASN1_SUCCESS; + } + ++int ++_asn1_node_array_set (struct asn1_node_array_st *array, size_t position, ++ asn1_node node) ++{ ++ if (position >= array->size) ++ { ++ size_t new_size = position, i; ++ asn1_node *new_nodes; ++ ++ if (INT_MULTIPLY_OVERFLOW (new_size, 2)) ++ return ASN1_GENERIC_ERROR; ++ new_size *= 2; ++ ++ if (INT_ADD_OVERFLOW (new_size, 1)) ++ return ASN1_GENERIC_ERROR; ++ new_size += 1; ++ ++ if (INT_MULTIPLY_OVERFLOW (new_size, sizeof (*new_nodes))) ++ return ASN1_GENERIC_ERROR; ++ ++ new_nodes = realloc (array->nodes, new_size * sizeof (*new_nodes)); ++ if (!new_nodes) ++ return ASN1_MEM_ALLOC_ERROR; ++ ++ for (i = array->size; i < new_size; i++) ++ new_nodes[i] = NULL; ++ ++ array->nodes = new_nodes; ++ array->size = 
new_size; ++ } ++ ++ array->nodes[position] = node; ++ return ASN1_SUCCESS; ++} ++ + /* Appends a new element into the sequence (or set) defined by this + * node. The new element will have a name of '?number', where number + * is a monotonically increased serial number. +@@ -145,6 +182,7 @@ _asn1_append_sequence_set (asn1_node node, struct node_tail_cache_st *pcache) + asn1_node p, p2; + char temp[LTOSTR_MAX_SIZE + 1]; + long n; ++ int result; + + if (!node || !(node->down)) + return ASN1_GENERIC_ERROR; +@@ -177,17 +215,21 @@ _asn1_append_sequence_set (asn1_node node, struct node_tail_cache_st *pcache) + pcache->tail = p2; + } + +- if (p->name[0] == 0) +- _asn1_str_cpy (temp, sizeof (temp), "?1"); +- else ++ n = 0; ++ if (p->name[0] != 0) + { +- n = strtol (p->name + 1, NULL, 0); +- n++; +- temp[0] = '?'; +- _asn1_ltostr (n, temp + 1); ++ n = strtol (p->name + 1, NULL, 10); ++ if (n <= 0 || n >= LONG_MAX - 1) ++ return ASN1_GENERIC_ERROR; + } ++ temp[0] = '?'; ++ _asn1_ltostr (n + 1, temp + 1); + _asn1_set_name (p2, temp); + /* p2->type |= CONST_OPTION; */ ++ result = _asn1_node_array_set (&node->numbered_children, n, p2); ++ if (result != ASN1_SUCCESS) ++ return result; ++ p2->parent = node; + + return ASN1_SUCCESS; + } +diff --git a/lib/element.h b/lib/element.h +index 732054e9..b84e3a27 100644 +--- a/lib/element.h ++++ b/lib/element.h +@@ -38,4 +38,14 @@ int _asn1_convert_integer (const unsigned char *value, + void _asn1_hierarchical_name (asn1_node_const node, char *name, + int name_size); + ++static inline asn1_node_const ++_asn1_node_array_get (const struct asn1_node_array_st *array, size_t position) ++{ ++ return position < array->size ? 
array->nodes[position] : NULL; ++} ++ ++int ++_asn1_node_array_set (struct asn1_node_array_st *array, size_t position, ++ asn1_node node); ++ + #endif +diff --git a/lib/int.h b/lib/int.h +index 4f2d98d1..41b12b0b 100644 +--- a/lib/int.h ++++ b/lib/int.h +@@ -31,6 +31,12 @@ + + # define ASN1_SMALL_VALUE_SIZE 16 + ++struct asn1_node_array_st ++{ ++ asn1_node *nodes; ++ size_t size; ++}; ++ + /* This structure is also in libtasn1.h, but then contains less + fields. You cannot make any modifications to these first fields + without breaking ABI. */ +@@ -47,6 +53,8 @@ struct asn1_node_st + asn1_node left; /* Pointer to the next list element */ + /* private fields: */ + unsigned char small_value[ASN1_SMALL_VALUE_SIZE]; /* For small values */ ++ asn1_node parent; /* Pointer to the parent node */ ++ struct asn1_node_array_st numbered_children; /* Array of unnamed child nodes for caching */ + + /* values used during decoding/coding */ + int tmp_ival; +diff --git a/lib/parser_aux.c b/lib/parser_aux.c +index 415905a0..4281cc97 100644 +--- a/lib/parser_aux.c ++++ b/lib/parser_aux.c +@@ -126,6 +126,7 @@ asn1_find_node (asn1_node_const pointer, const char *name) + const char *n_start; + unsigned int nsize; + unsigned int nhash; ++ const struct asn1_node_array_st *numbered_children; + + if (pointer == NULL) + return NULL; +@@ -209,6 +210,7 @@ asn1_find_node (asn1_node_const pointer, const char *name) + if (p->down == NULL) + return NULL; + ++ numbered_children = &p->numbered_children; + p = p->down; + if (p == NULL) + return NULL; +@@ -222,6 +224,12 @@ asn1_find_node (asn1_node_const pointer, const char *name) + } + else + { /* no "?LAST" */ ++ if (n[0] == '?' 
&& c_isdigit (n[1])) ++ { ++ long position = strtol (n + 1, NULL, 10); ++ if (position > 0 && position < LONG_MAX) ++ p = _asn1_node_array_get (numbered_children, position - 1); ++ } + while (p) + { + if (p->name_hash == nhash && !strcmp (p->name, n)) +@@ -509,6 +517,8 @@ _asn1_remove_node (asn1_node node, unsigned int flags) + if (node->value != node->small_value) + free (node->value); + } ++ ++ free (node->numbered_children.nodes); + free (node); + } + +diff --git a/lib/structure.c b/lib/structure.c +index 9c95b9e2..32692ad2 100644 +--- a/lib/structure.c ++++ b/lib/structure.c +@@ -31,6 +31,9 @@ + #include + #include "parser_aux.h" + #include ++#include "c-ctype.h" ++#include "element.h" ++#include + + + extern char _asn1_identifierMissing[]; +@@ -391,6 +394,16 @@ asn1_delete_element (asn1_node structure, const char *element_name) + if (source_node == NULL) + return ASN1_ELEMENT_NOT_FOUND; + ++ if (source_node->parent ++ && source_node->name[0] == '?' ++ && c_isdigit (source_node->name[1])) ++ { ++ long position = strtol (source_node->name + 1, NULL, 10); ++ if (position > 0 && position < LONG_MAX) ++ _asn1_node_array_set (&source_node->parent->numbered_children, ++ position - 1, NULL); ++ } ++ + p2 = source_node->right; + p3 = _asn1_find_left (source_node); + if (!p3) +-- +GitLab diff --git a/meta/recipes-support/gnutls/libtasn1_4.19.0.bb b/meta/recipes-support/gnutls/libtasn1_4.19.0.bb index 5fb8b54c06..d5bc1e408e 100644 --- a/meta/recipes-support/gnutls/libtasn1_4.19.0.bb +++ b/meta/recipes-support/gnutls/libtasn1_4.19.0.bb @@ -12,6 +12,8 @@ LIC_FILES_CHKSUM = "file://doc/COPYING;md5=d32239bcb673463ab874e80d47fae504 \ SRC_URI = "${GNU_MIRROR}/libtasn1/libtasn1-${PV}.tar.gz \ file://dont-depend-on-help2man.patch \ + file://CVE-2024-12133-0001.patch \ + file://CVE-2024-12133-0002.patch \ " DEPENDS = "bison-native"
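
Review bot: in the asn1_der_decoding2 hunk of CVE-2024-12133-0001.patch (lib/decoding.c), the new comment explains what is being skipped (the walk back to the leftmost node) but not why `p = tcache.head;` is equivalent to `p = _asn1_find_up (p);`. Please spell out the invariant the shortcut relies on, namely that whenever `tcache.tail == p` holds, `tcache.head` is the sequence or set node that owns p, and note where tcache is reset, so a later change to the cache handling does not silently send the decoder to the wrong parent.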
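
Review bot: in the _asn1_append_sequence_set hunk of CVE-2024-12133-0002.patch (lib/element.c), both new failure returns sit after the context line `pcache->tail = p2;`, so the function can now report an error while the new element is already recorded as the tail. On the `if (n <= 0 || n >= LONG_MAX - 1)` path p2 is left without its "?N" name, and on the `_asn1_node_array_set` failure path it is named but has no index slot and no `parent`. Suggest validating the previous sibling's name before the append, or unwinding p2 and the cache tail on failure, so callers never see a half-initialised child.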
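
Review bot: in the asn1_find_node hunk of CVE-2024-12133-0002.patch (lib/parser_aux.c), a cache miss discards the linear search instead of falling back to it. `p = _asn1_node_array_get (numbered_children, position - 1);` overwrites p with NULL when the slot is empty or out of range, and the following `while (p)` is then skipped, so a "?N" child that was never indexed is reported as not found. Suggest assigning to p only when the lookup returns a non-NULL node and otherwise keeping p at `p->down` so the existing loop still runs. The `position < LONG_MAX` test also does not detect a strtol range error on its own merits being documented; a short comment on what input it is meant to reject would help.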
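
Review bot: in the asn1_delete_element hunk of CVE-2024-12133-0002.patch (lib/structure.c), the slot is cleared through the growing setter and its return value is dropped. `_asn1_node_array_set` reallocates to roughly twice `position` whenever `position >= array->size`, so if `position - 1` taken from the node name ever lies outside the parent's array, a delete triggers an allocation just to store NULL, and an ASN1_MEM_ALLOC_ERROR or ASN1_GENERIC_ERROR from it goes unnoticed. Suggest clearing only when `position - 1 < source_node->parent->numbered_children.size`, with a direct assignment of NULL, or checking the result and returning it.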