x509: fix read buffer overrun in SCT timestamps
authorAndrew Hamilton <adhamilt@gmail.com>
Mon, 7 Jul 2025 01:23:59 +0000 (10:23 +0900)
committerDaiki Ueno <ueno@gnu.org>
Mon, 7 Jul 2025 21:57:28 +0000 (06:57 +0900)
Prevent reading beyond heap buffer in call to _gnutls_parse_ct_sct
when processing x509 Signed Certificate Timestamps with certain
malformed data. Spotted by oss-fuzz at:
https://issues.oss-fuzz.com/issues/42530513

Signed-off-by: Andrew Hamilton <adhamilt@gmail.com>
Signed-off-by: Daiki Ueno <ueno@gnu.org>
NEWS
fuzz/gnutls_x509_parser_fuzzer.repro/04939b75417cc95b7372c6f208c4bda4579bdc34 [new file with mode: 0644]
lib/x509/x509_ext.c

diff --git a/NEWS b/NEWS
index e75de1f4a57bb58c281e6288ad0203d3f8073b51..1f3dec4f0c55e4e717497baa1ba828211079b90d 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -7,10 +7,14 @@ See the end for copying conditions.
 
 * Version 3.8.10 (unreleased)
 
+** libgnutls: Fix heap read buffer overrun in parsing X.509 SCTS timestamps
+   Spotted by oss-fuzz and reported by OpenAI Security Research Team,
+   and fix developed by Andrew Hamilton. [GNUTLS-SA-2025-07-07-1,
+   CVSS: medium] [CVE-2025-32989]
+
 ** libgnutls: PKCS#11 modules can now be used to override the default
    cryptographic backend. Use the [provider] section in the system-wide config
    to specify path and pin to the module (see system-wide config Documentation).
-
 ** libgnutls: Linux kernel version 6.14 bring a Kernel TLS (kTLS) key update
    support. The library running on the aforementioned version now utilizes the
    kernel’s key update mechanism when kTLS is enabled, allowing uninterrupted
diff --git a/fuzz/gnutls_x509_parser_fuzzer.repro/04939b75417cc95b7372c6f208c4bda4579bdc34 b/fuzz/gnutls_x509_parser_fuzzer.repro/04939b75417cc95b7372c6f208c4bda4579bdc34
new file mode 100644 (file)
index 0000000..ffcfe23
Binary files /dev/null and b/fuzz/gnutls_x509_parser_fuzzer.repro/04939b75417cc95b7372c6f208c4bda4579bdc34 differ
index 0301a594c284af2830df14f3684058eccae54093..4b3e552536c73660c03fd240fd643f0122f3f9c0 100644 (file)
@@ -3760,7 +3760,7 @@ int gnutls_x509_ext_ct_import_scts(const gnutls_datum_t *ext,
        }
 
        length = _gnutls_read_uint16(scts_content.data);
-       if (length < 4) {
+       if (length < 4 || length > scts_content.size) {
                gnutls_free(scts_content.data);
                return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
        }
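Review bot: The new bound on line L48 compares the 16-bit list length against the whole of scts_content.size, but that size still includes the 2-byte length prefix that _gnutls_read_uint16 has just consumed; if the code that follows (outside this hunk) advances scts_content.data past the prefix and then parses `length` bytes from there, a length equal to scts_content.size or scts_content.size - 1 still reads up to two bytes past the end of the allocation. Unless a later check re-validates the length against the remaining size, the guard should account for the prefix, e.g. `if (length < 4 || length + 2 > scts_content.size) {` (no overflow risk, since length is at most 65535). The check also relies on scts_content.size being at least 2 before the uint16 read on line L46, which this hunk does not show. A short comment would help the next reader, e.g. `/* length covers the SCT list that follows the 2-byte prefix; bound it by what the OCTET STRING actually holds */`. gnutls_x509_ext_ct_import_scts begins and ends outside the hunk.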