diff -Nru p11-kit-0.23.20/debian/changelog p11-kit-0.23.20/debian/changelog --- p11-kit-0.23.20/debian/changelog 2020-02-09 20:16:56.000000000 +0000 +++ p11-kit-0.23.20/debian/changelog 2021-10-30 16:09:54.000000000 +0000 @@ -1,10 +1,37 @@ -p11-kit (0.23.20-1~18.04.sav0) bionic; urgency=low +p11-kit (0.23.20-1ubuntu0.1~18.04.sav0) bionic; urgency=low * Backport to Bionic * debian/control: Set debhelper-compat (= 11) BD * Revert "Use DH12 compat. Adapt p11-kit.examples and p11-kit.install" - -- Rob Savoury Sun, 09 Feb 2020 12:16:56 -0800 + -- Rob Savoury Sat, 30 Oct 2021 09:09:54 -0700 + +p11-kit (0.23.20-1ubuntu0.1) focal-security; urgency=medium + + * SECURITY UPDATE: multiple integer overflows + - debian/patches/CVE-2020-29361-1.patch: check for arithmetic overflows + before allocating in p11-kit/iter.c, p11-kit/lists.c, + p11-kit/proxy.c, p11-kit/rpc-message.c, p11-kit/rpc-message.h, + p11-kit/rpc-server.c, trust/index.c. + - debian/patches/CVE-2020-29361-2.patch: follow-up to arithmetic + overflow fix in common/compat.c, p11-kit/rpc-message.c. + - CVE-2020-29361 + * SECURITY UPDATE: heap over-read in the RPC protocol + - debian/patches/CVE-2020-29362.patch: fix bounds check in + p11-kit/rpc-message.c. + - CVE-2020-29362 + * SECURITY UPDATE: heap overflow in RPC protocol + - debian/patches/CVE-2020-29363.patch: check attribute length against + buffer size in p11-kit/rpc-message.c. + - CVE-2020-29363 + + -- Marc Deslauriers Mon, 04 Jan 2021 14:04:11 -0500 + +p11-kit (0.23.20-1build1) focal; urgency=medium + + * No-change rebuild with fixed binutils on arm64. + + -- Matthias Klose Sat, 08 Feb 2020 11:14:59 +0000 p11-kit (0.23.20-1) unstable; urgency=low diff -Nru p11-kit-0.23.20/debian/control p11-kit-0.23.20/debian/control --- p11-kit-0.23.20/debian/control 2020-02-09 20:16:56.000000000 +0000 +++ p11-kit-0.23.20/debian/control 2021-10-30 16:09:54.000000000 +0000 
@@ -1,6 +1,7 @@ Source: p11-kit Priority: optional -Maintainer: Debian GnuTLS Maintainers +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian GnuTLS Maintainers Uploaders: Andreas Metzler Build-Depends: debhelper-compat (= 11), diff -Nru p11-kit-0.23.20/debian/patches/CVE-2020-29361-1.patch p11-kit-0.23.20/debian/patches/CVE-2020-29361-1.patch --- p11-kit-0.23.20/debian/patches/CVE-2020-29361-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ p11-kit-0.23.20/debian/patches/CVE-2020-29361-1.patch 2021-01-04 19:03:37.000000000 +0000 
@@ -0,0 +1,159 @@ +Backport of: + +From 5307a1d21a50cacd06f471a873a018d23ba4b963 Mon Sep 17 00:00:00 2001 +From: David Cook +Date: Sat, 7 Nov 2020 10:12:44 -0600 +Subject: [PATCH] Check for arithmetic overflows before allocating + +--- + p11-kit/iter.c | 4 ++-- + p11-kit/lists.c | 2 ++ + p11-kit/proxy.c | 2 +- + p11-kit/rpc-message.c | 13 +++++++++++++ + p11-kit/rpc-message.h | 4 ++++ + p11-kit/rpc-server.c | 8 ++++---- + trust/index.c | 4 ++-- + 7 files changed, 28 insertions(+), 9 deletions(-) + +--- a/p11-kit/iter.c ++++ b/p11-kit/iter.c +@@ -549,7 +549,7 @@ move_next_session (P11KitIter *iter) + if (rv != CKR_OK) + return finish_iterating (iter, rv); + +- slots = realloc (iter->slots, sizeof (CK_SLOT_ID) * (num_slots + 1)); ++ slots = reallocarray (iter->slots, num_slots + 1, sizeof (CK_SLOT_ID)); + return_val_if_fail (slots != NULL, CKR_HOST_MEMORY); + iter->slots = slots; + +@@ -705,7 +705,7 @@ p11_kit_iter_next (P11KitIter *iter) + CK_OBJECT_HANDLE *objects; + + iter->max_objects = iter->max_objects ? 
iter->max_objects * 2 : 64; +- objects = realloc (iter->objects, iter->max_objects * sizeof (CK_ULONG)); ++ objects = reallocarray (iter->objects, iter->max_objects, sizeof (CK_ULONG)); + return_val_if_fail (objects != NULL, CKR_HOST_MEMORY); + iter->objects = objects; + } +--- a/p11-kit/lists.c ++++ b/p11-kit/lists.c +@@ -64,6 +64,8 @@ hex_encode (const unsigned char *data, + size_t i; + size_t o; + ++ if ((SIZE_MAX - 1) / 3 < n_data) ++ return NULL; + result = malloc (n_data * 3 + 1); + if (result == NULL) + return NULL; +--- a/p11-kit/proxy.c ++++ b/p11-kit/proxy.c +@@ -280,7 +280,7 @@ proxy_list_slots (Proxy *py, Mapping *ma + if (count > 0) { + Mapping *new_mappings; + +- new_mappings = realloc (py->mappings, sizeof (Mapping) * (py->n_mappings + count)); ++ new_mappings = reallocarray (py->mappings, (py->n_mappings + count), sizeof (Mapping)); + return_val_if_fail (new_mappings != NULL, CKR_HOST_MEMORY); + py->mappings = new_mappings; + +--- a/p11-kit/rpc-message.c ++++ b/p11-kit/rpc-message.c +@@ -43,6 +43,7 @@ + #include "rpc-message.h" + + #include ++#include + #include + + #define ELEMS(x) (sizeof (x) / sizeof (x[0])) +@@ -114,6 +115,18 @@ p11_rpc_message_alloc_extra (p11_rpc_mes + return (void *)(data + 1); + } + ++void * ++p11_rpc_message_alloc_extra_array (p11_rpc_message *msg, ++ size_t nmemb, ++ size_t size) ++{ ++ if ((SIZE_MAX - sizeof (void *)) / nmemb < size) { ++ errno = ENOMEM; ++ return NULL; ++ } ++ return p11_rpc_message_alloc_extra (msg, nmemb * size); ++} ++ + bool + p11_rpc_message_prep (p11_rpc_message *msg, + int call_id, +--- a/p11-kit/rpc-message.h ++++ b/p11-kit/rpc-message.h +@@ -255,6 +255,10 @@ void p11_rpc_message_clear + void * p11_rpc_message_alloc_extra (p11_rpc_message *msg, + size_t length); + ++void * p11_rpc_message_alloc_extra_array (p11_rpc_message *msg, ++ size_t nmemb, ++ size_t size); ++ + bool p11_rpc_message_prep (p11_rpc_message *msg, + int call_id, + p11_rpc_message_type type); +--- a/p11-kit/rpc-server.c ++++ 
b/p11-kit/rpc-server.c +@@ -88,7 +88,7 @@ proto_read_byte_buffer (p11_rpc_message + if (length == 0) + return CKR_OK; + +- *buffer = p11_rpc_message_alloc_extra (msg, length * sizeof (CK_BYTE)); ++ *buffer = p11_rpc_message_alloc_extra_array (msg, length, sizeof (CK_BYTE)); + if (*buffer == NULL) + return CKR_DEVICE_MEMORY; + +@@ -186,7 +186,7 @@ proto_read_ulong_buffer (p11_rpc_message + if (length == 0) + return CKR_OK; + +- *buffer = p11_rpc_message_alloc_extra (msg, length * sizeof (CK_ULONG)); ++ *buffer = p11_rpc_message_alloc_extra_array (msg, length, sizeof (CK_ULONG)); + if (!*buffer) + return CKR_DEVICE_MEMORY; + +@@ -246,7 +246,7 @@ proto_read_attribute_buffer (p11_rpc_mes + return PARSE_ERROR; + + /* Allocate memory for the attribute structures */ +- attrs = p11_rpc_message_alloc_extra (msg, n_attrs * sizeof (CK_ATTRIBUTE)); ++ attrs = p11_rpc_message_alloc_extra_array (msg, n_attrs, sizeof (CK_ATTRIBUTE)); + if (attrs == NULL) + return CKR_DEVICE_MEMORY; + +@@ -300,7 +300,7 @@ proto_read_attribute_array (p11_rpc_mess + return PARSE_ERROR; + + /* Allocate memory for the attribute structures */ +- attrs = p11_rpc_message_alloc_extra (msg, n_attrs * sizeof (CK_ATTRIBUTE)); ++ attrs = p11_rpc_message_alloc_extra_array (msg, n_attrs, sizeof (CK_ATTRIBUTE)); + if (attrs == NULL) + return CKR_DEVICE_MEMORY; + +--- a/trust/index.c ++++ b/trust/index.c +@@ -273,7 +273,7 @@ bucket_insert (index_bucket *bucket, + + alloc = alloc ? alloc * 2 : 1; + return_if_fail (alloc != 0); +- elem = realloc (bucket->elem, alloc * sizeof (CK_OBJECT_HANDLE)); ++ elem = reallocarray (bucket->elem, alloc, sizeof (CK_OBJECT_HANDLE)); + return_if_fail (elem != NULL); + bucket->elem = elem; + } +@@ -297,7 +297,7 @@ bucket_push (index_bucket *bucket, + + alloc = alloc ? 
alloc * 2 : 1; + return_val_if_fail (alloc != 0, false); +- elem = realloc (bucket->elem, alloc * sizeof (CK_OBJECT_HANDLE)); ++ elem = reallocarray (bucket->elem, alloc, sizeof (CK_OBJECT_HANDLE)); + return_val_if_fail (elem != NULL, false); + bucket->elem = elem; + } diff -Nru p11-kit-0.23.20/debian/patches/CVE-2020-29361-2.patch p11-kit-0.23.20/debian/patches/CVE-2020-29361-2.patch --- p11-kit-0.23.20/debian/patches/CVE-2020-29361-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ p11-kit-0.23.20/debian/patches/CVE-2020-29361-2.patch 2021-01-04 19:03:57.000000000 +0000 
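Review bot: In the proxy.c change the element count `py->n_mappings + count` is still summed unchecked before it reaches reallocarray, so only the multiplication is covered by the new call; the same shape appears with `num_slots + 1` in iter.c. Whether that matters depends on the types of `n_mappings`/`count` and where `count` comes from, none of which is in the hunk — if it is the slot count returned by a loaded module's C_GetSlotList rather than RPC input, this is hardening rather than a hole. A cheap guard that matches the existing error style is `if (count > SIZE_MAX - py->n_mappings) return CKR_HOST_MEMORY;` placed before the reallocarray. The enclosing functions (move_next_session, p11_kit_iter_next, proxy_list_slots, bucket_insert, bucket_push) all start and end outside the hunk.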
@@ -0,0 +1,38 @@
+From bd670b1d4984b27d6a397b9ddafaf89ab26e4e7f Mon Sep 17 00:00:00 2001
+From: David Cook
+Date: Sat, 14 Nov 2020 13:10:29 -0600
+Subject: [PATCH] Follow-up to arithmetic overflow fix
+
+Check if nmemb is zero in p11_rpc_message_alloc_extra_array to avoid a
+division by zero trap. Additionally, change the reallocarray
+compatibility shim so that it won't assert when resizing an array to
+zero, and add the same nmemb != 0 check there.
+---
+ common/compat.c | 4 ++--
+ p11-kit/rpc-message.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/common/compat.c
++++ b/common/compat.c
+@@ -496,8 +496,8 @@ reallocarray (void *ptr,
+ size_t nmemb,
+ size_t size)
+ {
+- assert (nmemb > 0 && size > 0);
+- if (SIZE_MAX / nmemb < size) {
++ assert (nmemb >= 0 && size >= 0);
++ if (nmemb != 0 && SIZE_MAX / nmemb < size) {
+ errno = ENOMEM;
+ return NULL;
+ }
+--- a/p11-kit/rpc-message.c
++++ b/p11-kit/rpc-message.c
+@@ -120,7 +120,7 @@ p11_rpc_message_alloc_extra_array (p11_r
+ size_t nmemb,
+ size_t size)
+ {
+- if ((SIZE_MAX - sizeof (void *)) / nmemb < size) {
++ if (nmemb != 0 && (SIZE_MAX - sizeof (void *)) / nmemb < size) {
+ errno = ENOMEM;
+ return NULL;
+ }
diff -Nru p11-kit-0.23.20/debian/patches/CVE-2020-29362.patch p11-kit-0.23.20/debian/patches/CVE-2020-29362.patch
--- p11-kit-0.23.20/debian/patches/CVE-2020-29362.patch 1970-01-01 00:00:00.000000000 +0000
+++ p11-kit-0.23.20/debian/patches/CVE-2020-29362.patch 2021-01-04 19:03:59.000000000 +0000
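Review bot: The replacement `assert (nmemb >= 0 && size >= 0);` in common/compat.c is vacuous: both parameters are size_t, so the comparison is always true and GCC's -Wtype-limits will flag it; drop the line rather than keep an assertion that can never fire. Separately, now that nmemb == 0 passes the guard, the shim presumably continues to `realloc (ptr, nmemb * size)` with a zero size (that line is outside the hunk), whose result is implementation-defined and may legitimately be NULL — every reallocarray caller added in the -1 patch treats NULL as an allocation failure, so a zero-element resize could be misreported as CKR_HOST_MEMORY or, on libcs that free on size 0, leave a dangling pointer. If that path is reachable, handle `nmemb == 0 || size == 0` explicitly before the realloc or add a comment at the top of reallocarray stating that zero sizes follow realloc's semantics and callers must not pass them. The enclosing functions reallocarray and p11_rpc_message_alloc_extra_array both continue past the hunk.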
@@ -0,0 +1,24 @@
+From bda2f543ff8e0195c90e849379ef1585d00677bc Mon Sep 17 00:00:00 2001
+From: David Cook
+Date: Fri, 6 Nov 2020 23:42:38 -0600
+Subject: [PATCH] Fix bounds check in p11_rpc_buffer_get_byte_array
+
+This bounds check should be using off, not *offset, because it has been
+advanced four bytes from reading a uint32 earlier in the function.
+Additionally, the pointer that is returned is computed using off, not
+*offset.
+---
+ p11-kit/rpc-message.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/p11-kit/rpc-message.c
++++ b/p11-kit/rpc-message.c
+@@ -757,7 +757,7 @@ p11_rpc_buffer_get_byte_array (p11_buffe
+ return false;
+ }
+
+- if (buf->len < len || *offset > buf->len - len) {
++ if (buf->len < len || off > buf->len - len) {
+ p11_buffer_fail (buf);
+ return false;
+ }
diff -Nru p11-kit-0.23.20/debian/patches/CVE-2020-29363.patch p11-kit-0.23.20/debian/patches/CVE-2020-29363.patch
--- p11-kit-0.23.20/debian/patches/CVE-2020-29363.patch 1970-01-01 00:00:00.000000000 +0000
+++ p11-kit-0.23.20/debian/patches/CVE-2020-29363.patch 2021-01-04 19:04:06.000000000 +0000
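Review bot: The corrected condition is right, but the reason it must use `off` rather than `*offset` lives only in the commit message, and that distinction is exactly what the original bug got wrong; a one-line comment at the check would stop the next edit from regressing it, e.g. `/* use off, not *offset: the length prefix has already been consumed above */`. Since `off` is derived from `*offset` earlier in p11_rpc_buffer_get_byte_array (outside the hunk), it is also worth confirming that the preceding uint32 read is itself bounds-checked, presumably by p11_rpc_buffer_get_uint32, so `off` cannot already exceed `buf->len` when this comparison runs. The enclosing function starts and ends outside the hunk.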
@@ -0,0 +1,39 @@
+From 2617f3ef888e103324a28811886b99ed0a56346d Mon Sep 17 00:00:00 2001
+From: David Cook
+Date: Sat, 7 Nov 2020 00:06:01 -0600
+Subject: [PATCH] Check attribute length against buffer size
+
+If an attribute's length does not match the length of the byte array
+inside it, one length was used for allocation, and the other was used
+for memcpy. This additional check will instead return an error on
+malformed messages.
+---
+ p11-kit/rpc-message.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/p11-kit/rpc-message.c
++++ b/p11-kit/rpc-message.c
+@@ -1225,7 +1225,7 @@ p11_rpc_buffer_get_attribute (p11_buffer
+ size_t *offset,
+ CK_ATTRIBUTE *attr)
+ {
+- uint32_t type, length;
++ uint32_t type, length, decode_length;
+ unsigned char validity;
+ p11_rpc_attribute_serializer *serializer;
+ p11_rpc_value_type value_type;
+@@ -1255,8 +1255,13 @@ p11_rpc_buffer_get_attribute (p11_buffer
+ assert (serializer != NULL);
+ if (!serializer->decode (buffer, offset, attr->pValue, &attr->ulValueLen))
+ return false;
+- if (!attr->pValue)
++ if (!attr->pValue) {
++ decode_length = attr->ulValueLen;
+ attr->ulValueLen = length;
++ if (decode_length > length) {
++ return false;
++ }
++ }
+ attr->type = type;
+ return true;
+ }
diff -Nru p11-kit-0.23.20/debian/patches/series p11-kit-0.23.20/debian/patches/series
--- p11-kit-0.23.20/debian/patches/series 2019-08-14 05:44:33.000000000 +0000
+++ p11-kit-0.23.20/debian/patches/series 2021-01-04 19:04:03.000000000 +0000
@@ -2,3 +2,7 @@
 35_hurd_enable_secure.diff
 41_kfreebsd_LOCAL_PEERCRED.diff
 enable_locale.diff
+CVE-2020-29361-1.patch
+CVE-2020-29361-2.patch
+CVE-2020-29362.patch
+CVE-2020-29363.patch
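Review bot: `decode_length` is declared uint32_t while `attr->ulValueLen` is a CK_ULONG (64-bit on LP64 targets), so `decode_length = attr->ulValueLen;` silently narrows before the `decode_length > length` comparison, and a decoded length with any high bits set would pass the check it was added for. Whether a decoder can actually produce such a value is not visible here (they likely derive it from a uint32 themselves), but the narrowing costs nothing to avoid: declare the temporary as `CK_ULONG decode_length;` in the first hunk and the rest of the change stays as-is. A brief comment on the new check, `/* the decoded byte-array length must not exceed the attribute's declared length */`, would also make the CVE-2020-29363 intent visible at the site. The enclosing function p11_rpc_buffer_get_attribute continues outside the second hunk; the series hunk below is a pure patch-list addition.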