2011-09-24 Jeff Cai <
[email protected]>
* base-specs/libtasn1.spec:
* patches/libtasn1-01-buffer-overflow.diff: Fix bug #7093667
--- a/ChangeLog Fri Sep 23 15:19:12 2011 +0000
+++ b/ChangeLog Sat Sep 24 02:52:34 2011 +0000
@@ -1,3 +1,8 @@
+2011-09-24 Jeff Cai <[email protected]>
+
+ * base-specs/libtasn1.spec:
+ * patches/libtasn1-01-buffer-overflow.diff: Fix bug #7093667
+
2011-09-24 Laszlo (Laca) Peter <[email protected]>
* specs/SUNWcompiz.spec: add gnome-incorporation build dep for sparc
--- a/base-specs/libtasn1.spec Fri Sep 23 15:19:12 2011 +0000
+++ b/base-specs/libtasn1.spec Sat Sep 24 02:52:34 2011 +0000
@@ -24,6 +24,9 @@
Summary: Libtasn is a library C for manipulating ASN.1 objects.
+# date:2011-09-02 owner:qc161282 bugster:7085293 type:bug
+Patch1: libtasn1-01-buffer-overflow.diff
+
%description
Libtasn is a library written in C for manipulating ASN.1 objects including
DER/BER encoding and DER/BER decoding. Libtasn is used by GnuTLS to manipulate X.509 objects and by GNU Shishi to handle Kerberos V5 packets.
@@ -44,6 +47,7 @@
%prep
%setup -q -n %{name}-%{version}
+%patch1 -p1
%build
%ifos linux
@@ -81,6 +85,8 @@
rm -rf $RPM_BUILD_ROOT
%changelog
+* Fri Sep 02 2011 - [email protected]
+- Add patch -01-buffer-overflow to fix security bug #7085293 and #7093667.
* Thu Oct 28 2010 - [email protected]
- Bump to 2.8.
* Wed Jun 02 2010 - [email protected]
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/libtasn1-01-buffer-overflow.diff Sat Sep 24 02:52:34 2011 +0000
@@ -0,0 +1,35 @@
+ lib/coding.c | 13 +++++++++----
+ 1 files changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/lib/coding.c b/lib/coding.c
+index 111e063..367dada 100644
+--- a/lib/coding.c
++++ b/lib/coding.c
+@@ -253,18 +253,23 @@ static asn1_retCode
+ _asn1_objectid_der (unsigned char *str, unsigned char *der, int *der_len)
+ {
+ int len_len, counter, k, first, max_len;
+- char *temp, *n_end, *n_start;
++ char *temp = NULL, *n_end, *n_start;
+ unsigned char bit7;
+ unsigned long val, val1 = 0;
++ size_t temp_size = str ? strlen (str) : 0;
++
++ temp_size += 2;
++ if (temp_size < 2)
++ return ASN1_MEM_ALLOC_ERROR;
+
+ max_len = *der_len;
+
+- temp = (char *) _asn1_malloc (strlen (str) + 2);
++ temp = (char *) _asn1_malloc (temp_size);
+ if (temp == NULL)
+ return ASN1_MEM_ALLOC_ERROR;
+
+- strcpy (temp, str);
+- strcat (temp, ".");
++ strncpy (temp, str ? (const char *)str : "", temp_size);
++ strncat (temp, ".", 1);
+
+ counter = 0;
+ n_start = temp;