diff options
Diffstat (limited to 'X.509-Fix-the-time-validation-ver-3.patch')
-rw-r--r-- | X.509-Fix-the-time-validation-ver-3.patch | 85 |
1 files changed, 85 insertions, 0 deletions
diff --git a/X.509-Fix-the-time-validation-ver-3.patch b/X.509-Fix-the-time-validation-ver-3.patch new file mode 100644 index 000000000..40c50c9ec --- /dev/null +++ b/X.509-Fix-the-time-validation-ver-3.patch @@ -0,0 +1,85 @@ +From 7db4b65eb11683e19ecb607501fa96a8cfac835f Mon Sep 17 00:00:00 2001 +From: David Howells <dhowells@redhat.com> +Date: Thu, 12 Nov 2015 11:38:40 +0000 +Subject: [PATCH] X.509: Fix the time validation [ver #3] + +This fixes CVE-2015-5327. It affects kernels from 4.3-rc1 onwards. + +Fix the X.509 time validation to use month number-1 when looking up the +number of days in that month. Also put the month number validation before +doing the lookup so as not to risk overrunning the array. + +This can be tested by doing the following: + +cat <<EOF | openssl x509 -outform DER | keyctl padd asymmetric "" @s +-----BEGIN CERTIFICATE----- +MIIDbjCCAlagAwIBAgIJAN/lUld+VR4hMA0GCSqGSIb3DQEBCwUAMCkxETAPBgNV +BAoMCGxvY2FsLWNhMRQwEgYDVQQDDAtzaWduaW5nIGtleTAeFw0xNTA5MDEyMTMw +MThaFw0xNjA4MzEyMTMwMThaMCkxETAPBgNVBAoMCGxvY2FsLWNhMRQwEgYDVQQD +DAtzaWduaW5nIGtleTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANrn +crcMfMeG67nagX4+m02Xk9rkmsMKI5XTUxbikROe7GSUVJ27sPVPZp4mgzoWlvhh +jfK8CC/qhEhwep8Pgg4EJZyWOjhZb7R97ckGvLIoUC6IO3FC2ZnR7WtmWDgo2Jcj +VlXwJdHhKU1VZwulh81O61N8IBKqz2r/kDhIWiicUCUkI/Do/RMRfKAoDBcSh86m +gOeIAGfq62vbiZhVsX5dOE8Oo2TK5weAvwUIOR7OuGBl5AqwFlPnXQolewiHzKry +THg9e44HfzG4Mi6wUvcJxVaQT1h5SrKD779Z5+8+wf1JLaooetcEUArvWyuxCU59 +qxA4lsTjBwl4cmEki+cCAwEAAaOBmDCBlTAMBgNVHRMEBTADAQH/MAsGA1UdDwQE +AwIHgDAdBgNVHQ4EFgQUyND/eKUis7ep/hXMJ8iZMdUhI+IwWQYDVR0jBFIwUIAU +yND/eKUis7ep/hXMJ8iZMdUhI+KhLaQrMCkxETAPBgNVBAoMCGxvY2FsLWNhMRQw +EgYDVQQDDAtzaWduaW5nIGtleYIJAN/lUld+VR4hMA0GCSqGSIb3DQEBCwUAA4IB +AQAMqm1N1yD5pimUELLhT5eO2lRdGUfTozljRxc7e2QT3RLk2TtGhg65JFFN6eml +XS58AEPVcAsSLDlR6WpOpOLB2giM0+fV/eYFHHmh22yqTJl4YgkdUwyzPdCHNOZL +hmSKeY9xliHb6PNrNWWtZwhYYvRaO2DX4GXOMR0Oa2O4vaYu6/qGlZOZv3U6qZLY +wwHEJSrqeBDyMuwN+eANHpoSpiBzD77S4e+7hUDJnql4j6xzJ65+nWJ89fCrQypR +4sN5R3aGeIh3QAQUIKpHilwek0CtEaYERgc5m+jGyKSc1rezJW62hWRTaitOc+d5 +G5hh+9YpnYcxQHEKnZ7rFNKJ +-----END CERTIFICATE----- +EOF + +If the patch works, the above should emit a key ID from the new key being +accepted; without the patch, it will give a bad message error. + +Reported-by: Mimi Zohar <zohar@linux.vnet.ibm.com> +Signed-off-by: David Howells <dhowells@redhat.com> +Tested-by: Mimi Zohar <zohar@linux.vnet.ibm.com> +Acked-by: David Woodhouse <David.Woodhouse@intel.com> +--- + crypto/asymmetric_keys/x509_cert_parser.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c +index 3000ea3b6687..021d39c0ba75 100644 +--- a/crypto/asymmetric_keys/x509_cert_parser.c ++++ b/crypto/asymmetric_keys/x509_cert_parser.c +@@ -531,7 +531,11 @@ int x509_decode_time(time64_t *_t, size_t hdrlen, + if (*p != 'Z') + goto unsupported_time; + +- mon_len = month_lengths[mon]; ++ if (year < 1970 || ++ mon < 1 || mon > 12) ++ goto invalid_time; ++ ++ mon_len = month_lengths[mon - 1]; + if (mon == 2) { + if (year % 4 == 0) { + mon_len = 29; +@@ -543,14 +547,12 @@ int x509_decode_time(time64_t *_t, size_t hdrlen, + } + } + +- if (year < 1970 || +- mon < 1 || mon > 12 || +- day < 1 || day > mon_len || ++ if (day < 1 || day > mon_len || + hour > 23 || + min > 59 || + sec > 59) + goto invalid_time; +- ++ + *_t = mktime64(year, mon, day, hour, min, sec); + return 0; + +-- +2.4.3 + |