fix CVE-2024-12243

Signed-off-by: xuraoqing <xuraoqing@huawei.com>

backport-CVE-2024-12243-0001-mem-add-_gnutls_reallocarray-and-_gnutls_reallocarra.patch

@@ -0,0 +1,96 @@
+From af780dd2298ac8faed43d688a44287fae6aeed0d Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Sat, 15 Mar 2025 00:36:00 +0800
+Subject: [PATCH 1/2] mem: add _gnutls_reallocarray and
+ _gnutls_reallocarray_fast
+
+CVE: CVE-2024-12243
+
+Reference to upstream patch:
+https://gitlab.com/gnutls/gnutls/-/commit/94d2192a37efc9b94f59fb0ba474a7be8b6895d4
+
+[sbg: patch was slightly adjusted for 3.6.14 context
+_gnutls_reallocarray is needed by CVE-2024-12243 patch]
+
+Signed-off-by: baogen shang <baogen.shang@windriver.com>
+---
+ lib/mem.c | 24 ++++++++++++++++++++++++
+ lib/mem.h |  7 +++++--
+ 2 files changed, 29 insertions(+), 2 deletions(-)
+
+diff --git a/lib/mem.c b/lib/mem.c
+index 32cab5a..c2f05ad 100644
+--- a/lib/mem.c
++++ b/lib/mem.c
+@@ -24,6 +24,7 @@
+ #include "errors.h"
+ #include <num.h>
+ #include <xsize.h>
++#include "../src/gl/xalloc-oversized.h"
+ 
+ gnutls_alloc_function gnutls_secure_malloc = malloc;
+ gnutls_alloc_function gnutls_malloc = malloc;
+@@ -61,6 +62,23 @@ void *gnutls_realloc_fast(void *ptr, size_t size)
+ 	return ret;
+ }
+ 
++/* This will free ptr in case reallocarray fails.
++ */
++void *_gnutls_reallocarray_fast(void *ptr, size_t nmemb, size_t size)
++{
++	void *ret;
++
++	if (size == 0)
++		return ptr;
++
++	ret = _gnutls_reallocarray(ptr, nmemb, size);
++	if (ret == NULL) {
++		gnutls_free(ptr);
++	}
++
++	return ret;
++}
++
+ char *_gnutls_strdup(const char *str)
+ {
+ 	size_t siz;
+@@ -77,6 +95,12 @@ char *_gnutls_strdup(const char *str)
+ 	return ret;
+ }
+ 
++void *_gnutls_reallocarray(void *ptr, size_t nmemb, size_t size)
++{
++	return xalloc_oversized(nmemb, size) ? NULL :
++		gnutls_realloc(ptr, nmemb * size);
++}
++
+ #if 0
+ /* don't use them. They are included for documentation.
+  */
+diff --git a/lib/mem.h b/lib/mem.h
+index dc838a2..ec96578 100644
+--- a/lib/mem.h
++++ b/lib/mem.h
+@@ -25,14 +25,17 @@
+ 
+ #include <config.h>
+ 
+-/* this realloc function will return ptr if size==0, and
+- * will free the ptr if the new allocation failed.
++/* These realloc functions will return ptr if size==0, and will free
++ * the ptr if the new allocation failed.
+  */
+ void *gnutls_realloc_fast(void *ptr, size_t size);
++void *_gnutls_reallocarray_fast(void *ptr, size_t nmemb, size_t size);
+ 
+ void *_gnutls_calloc(size_t nmemb, size_t size);
+ char *_gnutls_strdup(const char *);
+ 
++void *_gnutls_reallocarray(void *, size_t, size_t);
++
+ unsigned _gnutls_mem_is_zero(const uint8_t *ptr, unsigned size);
+ 
+ /* To avoid undefined behavior when s1 or s2 are null and n = 0 */
+-- 
+2.27.0
+

gnutls.spec

@@ -1,6 +1,6 @@
 Name: gnutls
 Version: 3.6.14
-Release: 16
+Release: 17
 Summary: The GNU Secure Communication Protocol Library
 
 License: LGPLv2.1+ and GPLv3+
@@ -23,6 +23,8 @@ Patch12: backport-CVE-2023-5981-auth-rsa_psk-side-step-potential-side-channel.pa
 Patch13: backport-CVE-2024-0553-rsa-psk-minimize-branching-after-decryption.patch
 Patch14: backport-x86-add-detection-of-instruction-set-on-Zhaoxin-CPU.patch
 Patch15: backport-fix-CVE-2024-28834-nettle-avoid-normalization-of-mpz_t-in-deterministic.patch
+Patch16: backport-CVE-2024-12243-0001-mem-add-_gnutls_reallocarray-and-_gnutls_reallocarra.patch
+Patch17: backport-CVE-2024-12243-0002-x509-optimize-name-constraints-processing.patch
 
 %bcond_without dane
 %bcond_with guile
@@ -228,6 +230,9 @@ make check %{?_smp_mflags}
 %endif
 
 %changelog
+* Thu Feb 13 2025 xuraoqing <xuraoqing@huawei.com> - 3.6.14-17
+- fix CVE-2024-12243
+
 * Tue Mar 26 2024 xuraoqing <xuraoqing@huawei.com> - 3.6.14-16
 - update patch to remove function declare in header file