
[dunfell] gnutls: Backport of CVE-2024-0567

Message ID 20240223081206.40554-1-ranjitsinhrathod1991@gmail.com
State Changes Requested
Delegated to: Steve Sakoman
Series: [dunfell] gnutls: Backport of CVE-2024-0567

Commit Message

Ranjitsinh Rathod Feb. 23, 2024, 8:12 a.m. UTC
From: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>

A vulnerability was found in GnuTLS, where a cockpit (which uses GnuTLS)
rejects a certificate chain with distributed trust. This issue occurs
when validating a certificate chain with cockpit-certificate-ensure.
This flaw allows an unauthenticated, remote client or attacker to
initiate a denial of service attack.

Link: https://nvd.nist.gov/vuln/detail/CVE-2024-0567
Link: https://gitlab.com/gnutls/gnutls/-/issues/1521
Link: https://gitlab.com/gnutls/gnutls/-/commit/9edbdaa84e38b1bfb53a7d72c1de44f8de373405

Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com>
---
 .../gnutls/gnutls/CVE-2024-0567.patch         | 190 ++++++++++++++++++
 meta/recipes-support/gnutls/gnutls_3.6.14.bb  |   1 +
 2 files changed, 191 insertions(+)
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2024-0567.patch

Comments

Mittal, Anuj Feb. 23, 2024, 8:51 a.m. UTC | #1
Hi

On Fri, 2024-02-23 at 13:42 +0530, Ranjitsinh Rathod wrote:
> From: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
> 
> A vulnerability was found in GnuTLS, where a cockpit (which uses
> gnuTLS)
> rejects a certificate chain with distributed trust. This issue occurs
> when validating a certificate chain with cockpit-certificate-ensure.
> This flaw allows an unauthenticated, remote client or attacker to
> initiate a denial of service attack.
> 
> Link: https://nvd.nist.gov/vuln/detail/CVE-2024-0567
> Link: https://gitlab.com/gnutls/gnutls/-/issues/1521

Did you check whether the reproducer in this issue crashes for this
version of GnuTLS as well and gets fixed after applying this modified
patch? The code looks different so it'd be good to check if you haven't
already.

It doesn't seem to be reproducible in 3.6.13 for Ubuntu:
https://ubuntu.com/security/CVE-2024-0567

Thanks,

Anuj

Ranjitsinh Rathod Feb. 23, 2024, 8:58 a.m. UTC | #2
Hi Anuj,

I didn't check after applying the patch whether the crash went away or not.


Thanks,

Best Regards,

Ranjitsinh Rathod
Technical Leader | KPIT Technologies Ltd.
Cellphone: +91-84606 92403

Patch

diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2024-0567.patch b/meta/recipes-support/gnutls/gnutls/CVE-2024-0567.patch
new file mode 100644
index 0000000000..1580cab277
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2024-0567.patch
@@ -0,0 +1,190 @@ 
+From 9edbdaa84e38b1bfb53a7d72c1de44f8de373405 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Thu, 11 Jan 2024 15:45:11 +0900
+Subject: [PATCH] x509: detect loop in certificate chain
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+There can be a loop in a certificate chain, when multiple CA
+certificates are cross-signed with each other, such as A → B, B → C,
+and C → A.  Previously, the verification logic was not capable of
+handling this scenario while sorting the certificates in the chain in
+_gnutls_sort_clist, resulting in an assertion failure.  This patch
+properly detects such loop and aborts further processing in a graceful
+manner.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+
+CVE: CVE-2024-0567
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/9edbdaa84e38b1bfb53a7d72c1de44f8de373405]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+Comment: Hunks refreshed to fix error during backporting this patch
+
+---
+ lib/x509/common.c   |   4 ++
+ tests/test-chains.h | 125 ++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 129 insertions(+)
+
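Review bot: the diffstat in the backported patch header is stale after the hunk refresh: `lib/x509/common.c | 4 ++` and `2 files changed, 129 insertions(+)` count four added lines for common.c, but the refreshed hunk header `@@ -1761,6 +1761,11 @@` below adds five (the extra blank line after the closing brace). `git am` and quilt ignore the stat, so nothing breaks, but regenerating it (or dropping it) avoids confusing whoever next compares this file against the upstream commit.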
+diff --git a/lib/x509/common.c b/lib/x509/common.c
+index 861cace4c8..d749a062cd 100644
+--- a/lib/x509/common.c
++++ b/lib/x509/common.c
+@@ -1761,6 +1761,11 @@ gnutls_x509_crt_t *_gnutls_sort_clist(gn
+ 			*clist_size = i;
+ 			break;
+ 		}
++
++		if (insorted[prev]) { /* loop detected */
++			break;
++		}
++
+ 		sorted[i] = clist[prev];
+ 		insorted[prev] = 1;
+ 	}
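Review bot: the two early exits in this loop treat `*clist_size` differently. The existing no-issuer branch sets `*clist_size = i;` before its `break`, while the new loop-detected branch breaks without touching it, so on a cross-signed loop the caller receives a `sorted` array with only `i` entries filled but a `*clist_size` that still reports the full chain length. Please confirm the 3.6.14 caller copes with that (the caller is not visible in this hunk, and this is exactly the kind of divergence from upstream that Anuj's question about the reproducer is meant to catch); if it does not, adding `*clist_size = i;` before the `break` makes the two exits consistent. Either way, the result of running the reproducer from issue 1521 against this tree before and after the patch belongs in the commit message.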
+diff --git a/tests/test-chains.h b/tests/test-chains.h
+index 9ce23764da..3e559fecd5 100644
+--- a/tests/test-chains.h
++++ b/tests/test-chains.h
+@@ -4106,6 +4106,129 @@ static const char *superseding_ca[] = {
+ 	NULL
+ };
+ 
++static const char *cross_signed[] = {
++	/* server (signed by A1) */
++	"-----BEGIN CERTIFICATE-----\n"
++	"MIIBqDCCAVqgAwIBAgIUejlil+8DBffazcnMNwyOOP6yCCowBQYDK2VwMBoxGDAW\n"
++	"BgNVBAMTD0ludGVybWVkaWF0ZSBBMTAgFw0yNDAxMTEwNjI3MjJaGA85OTk5MTIz\n"
++	"MTIzNTk1OVowNzEbMBkGA1UEChMSR251VExTIHRlc3Qgc2VydmVyMRgwFgYDVQQD\n"
++	"Ew90ZXN0LmdudXRscy5vcmcwKjAFBgMrZXADIQA1ZVS0PcNeTPQMZ+FuVz82AHrj\n"
++	"qL5hWEpCDgpG4M4fxaOBkjCBjzAMBgNVHRMBAf8EAjAAMBoGA1UdEQQTMBGCD3Rl\n"
++	"c3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAOBgNVHQ8BAf8EBAMC\n"
++	"B4AwHQYDVR0OBBYEFGtEUv+JSt+zPoO3lu0IiObZVoiNMB8GA1UdIwQYMBaAFPnY\n"
++	"v6Pw0IvKSqIlb6ewHyEAmTA3MAUGAytlcANBAAS2lyc87kH/aOvNKzPjqDwUYxPA\n"
++	"CfYjyaKea2d0DZLBM5+Bjnj/4aWwTKgVTJzWhLJcLtaSdVHrXqjr9NhEhQ0=\n"
++	"-----END CERTIFICATE-----\n",
++	/* A1 (signed by A) */
++	"-----BEGIN CERTIFICATE-----\n"
++	"MIIBUjCCAQSgAwIBAgIUe/R+NVp04e74ySw2qgI6KZgFR20wBQYDK2VwMBExDzAN\n"
++	"BgNVBAMTBlJvb3QgQTAgFw0yNDAxMTEwNjI1MDFaGA85OTk5MTIzMTIzNTk1OVow\n"
++	"GjEYMBYGA1UEAxMPSW50ZXJtZWRpYXRlIEExMCowBQYDK2VwAyEAlkTNqwz973sy\n"
++	"u3whMjSiUMs77CZu5YA7Gi5KcakExrKjYzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYD\n"
++	"VR0PAQH/BAQDAgIEMB0GA1UdDgQWBBT52L+j8NCLykqiJW+nsB8hAJkwNzAfBgNV\n"
++	"HSMEGDAWgBRbYgOkRGsd3Z74+CauX4htzLg0lzAFBgMrZXADQQBM0NBaFVPd3cTJ\n"
++	"DSaZNT34fsHuJk4eagpn8mBxKQpghq4s8Ap+nYtp2KiXjcizss53PeLXVnkfyLi0\n"
++	"TLVBHvUJ\n"
++	"-----END CERTIFICATE-----\n",
++	/* A (signed by B) */
++	"-----BEGIN CERTIFICATE-----\n"
++	"MIIBSDCB+6ADAgECAhQtdJpg+qlPcLoRW8iiztJUD4xNvDAFBgMrZXAwETEPMA0G\n"
++	"A1UEAxMGUm9vdCBCMCAXDTI0MDExMTA2MTk1OVoYDzk5OTkxMjMxMjM1OTU5WjAR\n"
++	"MQ8wDQYDVQQDEwZSb290IEEwKjAFBgMrZXADIQA0vDYyg3tgotSETL1Wq2hBs32p\n"
++	"WbnINkmOSNmOiZlGHKNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
++	"AgQwHQYDVR0OBBYEFFtiA6REax3dnvj4Jq5fiG3MuDSXMB8GA1UdIwQYMBaAFJFA\n"
++	"s2rg6j8w9AKItRnOOOjG2FG6MAUGAytlcANBAPv674p9ek5GjRcRfVQhgN+kQlHU\n"
++	"u774wL3Vx3fWA1E7+WchdMzcHrPoa5OKtKmxjIKUTO4SeDZL/AVpvulrWwk=\n"
++	"-----END CERTIFICATE-----\n",
++	/* A (signed by C) */
++	"-----BEGIN CERTIFICATE-----\n"
++	"MIIBSDCB+6ADAgECAhReNpCiVn7eFDUox3mvM5qE942AVzAFBgMrZXAwETEPMA0G\n"
++	"A1UEAxMGUm9vdCBDMCAXDTI0MDExMTA2MjEyMVoYDzk5OTkxMjMxMjM1OTU5WjAR\n"
++	"MQ8wDQYDVQQDEwZSb290IEIwKjAFBgMrZXADIQAYX92hS97OGKbMzwrD7ReVifwM\n"
++	"3iz5tnfQHWQSkvvYMKNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
++	"AgQwHQYDVR0OBBYEFJFAs2rg6j8w9AKItRnOOOjG2FG6MB8GA1UdIwQYMBaAFEh/\n"
++	"XKjIuMeEavX5QVoy39Q+GhnwMAUGAytlcANBAIwghH3gelXty8qtoTGIEJb0+EBv\n"
++	"BH4YOUh7TamxjxkjvvIhDA7ZdheofFb7NrklJco7KBcTATUSOvxakYRP9Q8=\n"
++	"-----END CERTIFICATE-----\n",
++	/* B1 (signed by B) */
++	"-----BEGIN CERTIFICATE-----\n"
++	"MIIBUjCCAQSgAwIBAgIUfpmrVDc1XBA5/7QYMyGBuB9mTtUwBQYDK2VwMBExDzAN\n"
++	"BgNVBAMTBlJvb3QgQjAgFw0yNDAxMTEwNjI1MjdaGA85OTk5MTIzMTIzNTk1OVow\n"
++	"GjEYMBYGA1UEAxMPSW50ZXJtZWRpYXRlIEIxMCowBQYDK2VwAyEAh6ZTuJWsweVB\n"
++	"a5fsye5iq89kWDC2Y/Hlc0htLmjzMP+jYzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYD\n"
++	"VR0PAQH/BAQDAgIEMB0GA1UdDgQWBBTMQu37PKyLjKfPODZgxYCaayff+jAfBgNV\n"
++	"HSMEGDAWgBSRQLNq4Oo/MPQCiLUZzjjoxthRujAFBgMrZXADQQBblmguY+lnYvOK\n"
++	"rAZJnqpEUGfm1tIFyu3rnlE7WOVcXRXMIoNApLH2iHIipQjlvNWuSBFBTC1qdewh\n"
++	"/e+0cgQB\n"
++	"-----END CERTIFICATE-----\n",
++	/* B (signed by A) */
++	"-----BEGIN CERTIFICATE-----\n"
++	"MIIBSDCB+6ADAgECAhRpEm+dWNX6DMZh/nottkFfFFrXXDAFBgMrZXAwETEPMA0G\n"
++	"A1UEAxMGUm9vdCBBMCAXDTI0MDExMTA2MTcyNloYDzk5OTkxMjMxMjM1OTU5WjAR\n"
++	"MQ8wDQYDVQQDEwZSb290IEIwKjAFBgMrZXADIQAYX92hS97OGKbMzwrD7ReVifwM\n"
++	"3iz5tnfQHWQSkvvYMKNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
++	"AgQwHQYDVR0OBBYEFJFAs2rg6j8w9AKItRnOOOjG2FG6MB8GA1UdIwQYMBaAFFti\n"
++	"A6REax3dnvj4Jq5fiG3MuDSXMAUGAytlcANBAFvmcK3Ida5ViVYDzxKVLPcPsCHe\n"
++	"3hxz99lBrerJC9iJSvRYTJoPBvjTxDYnBn5EFrQYMrUED+6i71lmGXNU9gs=\n"
++	"-----END CERTIFICATE-----\n",
++	/* B (signed by C) */
++	"-----BEGIN CERTIFICATE-----\n"
++	"MIIBSDCB+6ADAgECAhReNpCiVn7eFDUox3mvM5qE942AVzAFBgMrZXAwETEPMA0G\n"
++	"A1UEAxMGUm9vdCBDMCAXDTI0MDExMTA2MjEyMVoYDzk5OTkxMjMxMjM1OTU5WjAR\n"
++	"MQ8wDQYDVQQDEwZSb290IEIwKjAFBgMrZXADIQAYX92hS97OGKbMzwrD7ReVifwM\n"
++	"3iz5tnfQHWQSkvvYMKNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
++	"AgQwHQYDVR0OBBYEFJFAs2rg6j8w9AKItRnOOOjG2FG6MB8GA1UdIwQYMBaAFEh/\n"
++	"XKjIuMeEavX5QVoy39Q+GhnwMAUGAytlcANBAIwghH3gelXty8qtoTGIEJb0+EBv\n"
++	"BH4YOUh7TamxjxkjvvIhDA7ZdheofFb7NrklJco7KBcTATUSOvxakYRP9Q8=\n"
++	"-----END CERTIFICATE-----\n",
++	/* C1 (signed by C) */
++	"-----BEGIN CERTIFICATE-----\n"
++	"MIIBUjCCAQSgAwIBAgIUSKsfY1wD3eD2VmaaK1wt5naPckMwBQYDK2VwMBExDzAN\n"
++	"BgNVBAMTBlJvb3QgQzAgFw0yNDAxMTEwNjI1NDdaGA85OTk5MTIzMTIzNTk1OVow\n"
++	"GjEYMBYGA1UEAxMPSW50ZXJtZWRpYXRlIEMxMCowBQYDK2VwAyEA/t7i1chZlKkV\n"
++	"qxJOrmmyATn8XnpK+nV/iT4OMHSHfAyjYzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYD\n"
++	"VR0PAQH/BAQDAgIEMB0GA1UdDgQWBBRmpF3JjoP3NiBzE5J5ANT0bvfRmjAfBgNV\n"
++	"HSMEGDAWgBRIf1yoyLjHhGr1+UFaMt/UPhoZ8DAFBgMrZXADQQAeRBXv6WCTOp0G\n"
++	"3wgd8bbEGrrILfpi+qH7aj/MywgkPIlppDYRQ3jL6ASd+So/408dlE0DV9DXKBi0\n"
++	"725XUUYO\n"
++	"-----END CERTIFICATE-----\n",
++	/* C (signed by A) */
++	"-----BEGIN CERTIFICATE-----\n"
++	"MIIBSDCB+6ADAgECAhRvbZv3SRTjDOiAbyFWHH4y0yMZkjAFBgMrZXAwETEPMA0G\n"
++	"A1UEAxMGUm9vdCBBMCAXDTI0MDExMTA2MTg1MVoYDzk5OTkxMjMxMjM1OTU5WjAR\n"
++	"MQ8wDQYDVQQDEwZSb290IEMwKjAFBgMrZXADIQDxm6Ubhsa0gSa1vBCIO5e+qZEH\n"
++	"8Oocz+buNHfIJbh5NaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
++	"AgQwHQYDVR0OBBYEFEh/XKjIuMeEavX5QVoy39Q+GhnwMB8GA1UdIwQYMBaAFFti\n"
++	"A6REax3dnvj4Jq5fiG3MuDSXMAUGAytlcANBAPl+SyiOfXJnjSWx8hFMhJ7w92mn\n"
++	"tkGifCFHBpUhYcBIMeMtLw0RBLXqaaN0EKlTFimiEkLClsU7DKYrpEEJegs=\n"
++	"-----END CERTIFICATE-----\n",
++	/* C (signed by B) */
++	"-----BEGIN CERTIFICATE-----\n"
++	"MIIBSDCB+6ADAgECAhQU1OJWRVOLrGrgJiLwexd1/MwKkTAFBgMrZXAwETEPMA0G\n"
++	"A1UEAxMGUm9vdCBCMCAXDTI0MDExMTA2MjAzMFoYDzk5OTkxMjMxMjM1OTU5WjAR\n"
++	"MQ8wDQYDVQQDEwZSb290IEMwKjAFBgMrZXADIQDxm6Ubhsa0gSa1vBCIO5e+qZEH\n"
++	"8Oocz+buNHfIJbh5NaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
++	"AgQwHQYDVR0OBBYEFEh/XKjIuMeEavX5QVoy39Q+GhnwMB8GA1UdIwQYMBaAFJFA\n"
++	"s2rg6j8w9AKItRnOOOjG2FG6MAUGAytlcANBALXeyuj8vj6Q8j4l17VzZwmJl0gN\n"
++	"bCGoKMl0J/0NiN/fQRIsdbwQDh0RUN/RN3I6DTtB20ER6f3VdnzAh8nXkQ4=\n"
++	"-----END CERTIFICATE-----\n",
++	NULL
++};
++
++static const char *cross_signed_ca[] = {
++	/* A (self-signed) */
++	"-----BEGIN CERTIFICATE-----\n"
++	"MIIBJzCB2qADAgECAhQs1Ur+gzPs1ISxs3Tbs700q0CZcjAFBgMrZXAwETEPMA0G\n"
++	"A1UEAxMGUm9vdCBBMCAXDTI0MDExMTA2MTYwMFoYDzk5OTkxMjMxMjM1OTU5WjAR\n"
++	"MQ8wDQYDVQQDEwZSb290IEEwKjAFBgMrZXADIQA0vDYyg3tgotSETL1Wq2hBs32p\n"
++	"WbnINkmOSNmOiZlGHKNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
++	"AgQwHQYDVR0OBBYEFFtiA6REax3dnvj4Jq5fiG3MuDSXMAUGAytlcANBAHrVv7E9\n"
++	"5scuOVCH9gNRRm8Z9SUoLakRHAPnySdg6z/kI3vOgA/OM7reArpnW8l1H2FapgpL\n"
++	"bDeZ2XJH+BdVFwg=\n"
++	"-----END CERTIFICATE-----\n",
++	NULL
++};
++
+ #if defined __clang__ || __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5)
+ #  pragma GCC diagnostic push
+ #  pragma GCC diagnostic ignored "-Wunused-variable"
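Review bot: the entry commented `/* A (signed by C) */` carries the same PEM bytes as the later `/* B (signed by C) */` entry (compare the line beginning `MIIBSDCB+6ADAgECAhReNpCiVn7eFDUox3mvM5qE942AVzAFBgMrZXAwETEPMA0G` and the six lines after it in each), so the `cross_signed` chain contains the B-signed-by-C certificate twice and no A-signed-by-C certificate at all; the comment is misleading. This is presumably inherited from the upstream commit, so keeping it byte-identical is fine for a backport, but a sentence in the backport header noting the duplicate would stop someone from "fixing" the comment or the certificate later and silently changing what the test exercises.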
+@@ -4275,6 +4398,8 @@ static struct
+   { "ed448 - ok", ed448, &ed448[0], GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_ULTRA),
+     0, NULL, 1584352960, 1},
+   { "superseding - ok", superseding, superseding_ca, 0, 0, 0, 1590928011 },
++  { "cross signed - ok", cross_signed, cross_signed_ca, 0, 0, 0,
++    1704955300 },
+   { NULL, NULL, NULL, 0, 0}
+ };
+ 
+-- 
+GitLab
+
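Review bot: the new `"cross signed - ok"` entry uses the same zero fields and a fixed verification timestamp (1704955300) as the `"superseding - ok"` entry, so the test asserts that the looping chain verifies cleanly against the self-signed Root A in `cross_signed_ca`. That makes `tests/test-chains` the cheapest way to answer Anuj's question: build 3.6.14 with only this `tests/test-chains.h` hunk applied and check whether the run trips the `_gnutls_sort_clist` assertion the patch description mentions. If it does, the `lib/x509/common.c` hunk is needed on dunfell and the observation belongs in the commit message; if it does not, the backport may be unnecessary for this version, as the Ubuntu tracker for 3.6.13 suggests.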
diff --git a/meta/recipes-support/gnutls/gnutls_3.6.14.bb b/meta/recipes-support/gnutls/gnutls_3.6.14.bb
index a1451daf2c..66700ac1b4 100644
--- a/meta/recipes-support/gnutls/gnutls_3.6.14.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.6.14.bb
@@ -30,6 +30,7 @@  SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
            file://CVE-2023-0361.patch \
            file://CVE-2023-5981.patch \
            file://CVE-2024-0553.patch \
+           file://CVE-2024-0567.patch \
 "
 
 SRC_URI[sha256sum] = "5630751adec7025b8ef955af4d141d00d252a985769f51b4059e5affa3d39d63"