aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--gnu/local.mk1
-rw-r--r--gnu/packages/crypto.scm32
-rw-r--r--gnu/packages/patches/crypto++-fix-dos-in-asn.1-decoders.patch65
3 files changed, 98 insertions, 0 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index f2044c9857..f318bcd497 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -579,6 +579,7 @@ dist_patch_DATA = \
%D%/packages/patches/crawl-upgrade-saves.patch \
%D%/packages/patches/crda-optional-gcrypt.patch \
%D%/packages/patches/crossmap-allow-system-pysam.patch \
+ %D%/packages/patches/crypto++-fix-dos-in-asn.1-decoders.patch \
%D%/packages/patches/clucene-contribs-lib.patch \
%D%/packages/patches/cube-nocheck.patch \
%D%/packages/patches/cursynth-wave-rand.patch \
diff --git a/gnu/packages/crypto.scm b/gnu/packages/crypto.scm
index 549955d7b4..0021bee7b4 100644
--- a/gnu/packages/crypto.scm
+++ b/gnu/packages/crypto.scm
@@ -6,6 +6,7 @@
;;; Copyright © 2016 Tobias Geerinckx-Rice <me@tobias.gr>
;;; Copyright © 2016, 2017 ng0 <ng0@infotropique.org>
;;; Copyright © 2016, 2017 Eric Bavier <bavier@member.fsf.org>
+;;; Copyright © 2017 Pierre Langlois <pierre.langlois@gmx.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -29,6 +30,7 @@
#:use-module (gnu packages attr)
#:use-module (gnu packages autotools)
#:use-module (gnu packages boost)
+ #:use-module (gnu packages compression)
#:use-module (gnu packages cryptsetup)
#:use-module (gnu packages gettext)
#:use-module (gnu packages gnupg)
@@ -632,3 +634,33 @@ data on your platform, so the seed itself will be as random as possible.
Networking and Cryptography library. These libraries have a stated goal
of improving usability, security and speed.")
(license license:asl2.0)))
+
+(define-public crypto++
+ (package
+ (name "crypto++")
+ (version "5.6.5")
+ (source (origin
+ (method url-fetch/zipbomb)
+ (uri (string-append "https://cryptopp.com/cryptopp"
+ (string-join (string-split version #\.) "")
+ ".zip"))
+ (sha256
+ (base32
+ "0d1cqdz369ivi082k59025wvxzywvkizw7i0pf5h0a1izs3g8pm7"))
+ (patches
+ (search-patches "crypto++-fix-dos-in-asn.1-decoders.patch"))))
+ (build-system gnu-build-system)
+ (arguments
+ `(#:make-flags
+ (list (string-append "PREFIX=" (assoc-ref %outputs "out")))
+ #:phases
+ (modify-phases %standard-phases
+ (delete 'configure))))
+ (native-inputs
+ `(("unzip" ,unzip)))
+ (home-page "https://cryptopp.com/")
+ (synopsis "C++ class library of cryptographic schemes")
+ (description "Crypto++ is a C++ class library of cryptographic schemes.")
+ ;; The compilation is distributed under the Boost license; the individual
+ ;; files in the compilation are in the public domain.
+ (license (list license:boost1.0 license:public-domain))))
diff --git a/gnu/packages/patches/crypto++-fix-dos-in-asn.1-decoders.patch b/gnu/packages/patches/crypto++-fix-dos-in-asn.1-decoders.patch
new file mode 100644
index 0000000000..88b2e7f25a
--- /dev/null
+++ b/gnu/packages/patches/crypto++-fix-dos-in-asn.1-decoders.patch
@@ -0,0 +1,65 @@
+From 3d9181d7bdd8e491f745dbc9e34bd20b6f6da069 Mon Sep 17 00:00:00 2001
+From: Gergely Nagy <ngg@tresorit.com>
+Date: Wed, 14 Dec 2016 13:19:01 +0100
+Subject: [PATCH] Fix possible DoS in ASN.1 decoders (CVE-2016-9939)
+
+---
+ asn.cpp | 10 ++++++++++
+ asn.h | 2 ++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/asn.cpp b/asn.cpp
+index 297ff010..2e923ef7 100644
+--- a/asn.cpp
++++ b/asn.cpp
+@@ -123,6 +123,8 @@ size_t BERDecodeOctetString(BufferedTransformation &bt, SecByteBlock &str)
+ size_t bc;
+ if (!BERLengthDecode(bt, bc))
+ BERDecodeError();
++ if (bc > bt.MaxRetrievable())
++ BERDecodeError();
+
+ str.New(bc);
+ if (bc != bt.Get(str, bc))
+@@ -139,6 +141,8 @@ size_t BERDecodeOctetString(BufferedTransformation &bt, BufferedTransformation &
+ size_t bc;
+ if (!BERLengthDecode(bt, bc))
+ BERDecodeError();
++ if (bc > bt.MaxRetrievable())
++ BERDecodeError();
+
+ bt.TransferTo(str, bc);
+ return bc;
+@@ -161,6 +165,8 @@ size_t BERDecodeTextString(BufferedTransformation &bt, std::string &str, byte as
+ size_t bc;
+ if (!BERLengthDecode(bt, bc))
+ BERDecodeError();
++ if (bc > bt.MaxRetrievable())
++ BERDecodeError();
+
+ SecByteBlock temp(bc);
+ if (bc != bt.Get(temp, bc))
+@@ -188,6 +194,10 @@ size_t BERDecodeBitString(BufferedTransformation &bt, SecByteBlock &str, unsigne
+ size_t bc;
+ if (!BERLengthDecode(bt, bc))
+ BERDecodeError();
++ if (bc == 0)
++ BERDecodeError();
++ if (bc > bt.MaxRetrievable())
++ BERDecodeError();
+
+ byte unused;
+ if (!bt.Get(unused))
+diff --git a/asn.h b/asn.h
+index ed9de52c..33f0dd09 100644
+--- a/asn.h
++++ b/asn.h
+@@ -498,6 +498,8 @@ void BERDecodeUnsigned(BufferedTransformation &in, T &w, byte asnTag = INTEGER,
+ bool definite = BERLengthDecode(in, bc);
+ if (!definite)
+ BERDecodeError();
++ if (bc > in.MaxRetrievable())
++ BERDecodeError();
+
+ SecByteBlock buf(bc);
+