File gnutls-CVE-2025-32990.patch of Package gnutls.39717
From 408bed40c36a4cc98f0c94a818f682810f731f32 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Mon, 7 Jul 2025 10:57:10 +0900
Subject: [PATCH] certtool: avoid 1-byte write buffer overrun when parsing template

Previously, when parsing a template file with a number of key value
pairs, certtool could write a NUL byte after the heap buffer, causing
a memory corruption. This fixes the issue by allocating the NUL byte.

Reported by David Aitel.

Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
NEWS | 4 +
src/certtool-cfg.c | 4 +-
tests/cert-tests/Makefile.am | 3 +-
tests/cert-tests/template-test.sh | 13 +
.../template-too-many-othernames.tmpl | 2003 +++++++++++++++++
5 files changed, 2024 insertions(+), 3 deletions(-)
create mode 100644 tests/cert-tests/templates/template-too-many-othernames.tmpl
Index: gnutls-3.6.7/src/certtool-cfg.c
===================================================================
--- gnutls-3.6.7.orig/src/certtool-cfg.c
+++ gnutls-3.6.7/src/certtool-cfg.c
@@ -244,7 +244,7 @@ void cfg_init(void)
{ \
if (s_name == NULL) { \
i = 0; \
- s_name = malloc(sizeof(char*)*MAX_ENTRIES); \
+ s_name = calloc(MAX_ENTRIES + 1, sizeof(char *)); \
do { \
if (val && strcmp(val->pzName, name)!=0) \
continue; \
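Review bot: No NULL check appears between the new `calloc(MAX_ENTRIES + 1, sizeof(char *))` and the `do` loop in this hunk. If the rest of the macro does not test `s_name` before storing into it, an allocation failure becomes a NULL pointer write. Suggest an explicit `if (s_name == NULL)` error exit immediately after the allocation. The switch from `malloc` to `calloc` also zero-fills the array, which the commit message does not mention. If the intent is that unused slots read as NULL terminators, say so in a comment next to the call so the zeroing is not later "optimised" back to `malloc`.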
@@ -265,7 +265,7 @@ void cfg_init(void)
char *p; \
if (s_name == NULL) { \
i = 0; \
- s_name = malloc(sizeof(char*)*MAX_ENTRIES); \
+ s_name = calloc(MAX_ENTRIES + 1, sizeof(char *)); \
do { \
if (val && strcmp(val->pzName, name)!=0) \
continue; \
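Review bot: The `+ 1` in this second macro's `calloc(MAX_ENTRIES + 1, sizeof(char *))` is an undocumented magic adjustment, and it now has to be kept in sync with the identical line in the previous hunk. A one-line comment stating that the extra slot is reserved for the terminator, or a shared named constant or helper used by both macros, would stop a later edit from fixing one copy and not the other. The loop bound is not visible in this hunk, so please confirm that the loop stops after `MAX_ENTRIES` stored entries in both macros. The extra slot only closes the overrun if the terminating write can never land beyond index `MAX_ENTRIES`.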