openssl: Security fix CVE-2016-6304

affects openssl < 1.0.2i Reference: https://www.openssl.org/news/secadv/20160922.txt Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2016-09-26 12:18:21 +0200
committer: Adrian Dudau <adrian.dudau@enea.com> 2016-09-26 12:49:29 +0200
commit: 35f3007f0e0c56bc2f96ab5893686191d099949f (patch)
tree: 6fc964f38d1f8d3f45525537f91a241ffc991617
parent: 744b01090f6cf4984c11bb682693647a62103644 (diff)
download: meta-el-common-35f3007f0e0c56bc2f96ab5893686191d099949f.tar.gz
2 files changed, 76 insertions, 0 deletions
diff --git a/recipes-connectivity/openssl/openssl/CVE-2016-6304.patch b/recipes-connectivity/openssl/openssl/CVE-2016-6304.patch
new file mode 100644
index 0000000..64508b5
--- /dev/null
+++ b/recipes-connectivity/openssl/openssl/CVE-2016-6304.patch
@@ -0,0 +1,75 @@
+From ea39b16b71e4e72a228a4535bd6d6a02c5edbc1f Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Fri, 9 Sep 2016 10:08:45 +0100
+Subject: [PATCH] Fix OCSP Status Request extension unbounded memory growth
+A malicious client can send an excessively large OCSP Status Request
+extension. If that client continually requests renegotiation,
+sending a large OCSP Status Request extension each time, then there will
+be unbounded memory growth on the server. This will eventually lead to a
+Denial Of Service attack through memory exhaustion. Servers with a
+default configuration are vulnerable even if they do not support OCSP.
+Builds using the "no-ocsp" build time option are not affected.
+I have also checked other extensions to see if they suffer from a similar
+problem but I could not find any other issues.
+CVE-2016-6304
+Issue reported by Shi Lei.
+Reviewed-by: Rich Salz <rsalz@openssl.org>
+Upstream-Status: Backport
+CVE: CVE-2016-6304
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ ssl/t1_lib.c | 24 +++++++++++++++++-------
+ 1 file changed, 17 insertions(+), 7 deletions(-)
+diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
+index fbcf2e6..e4b4e27 100644
+--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
+@@ -2316,6 +2316,23 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
+                 size -= 2;
+                 if (dsize > size)
+                     goto err;
+
+                /*
+                 * We remove any OCSP_RESPIDs from a previous handshake
+                 * to prevent unbounded memory growth - CVE-2016-6304
+                 */
+                sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids,
+                                        OCSP_RESPID_free);
+                if (dsize > 0) {
+                    s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null();
+                    if (s->tlsext_ocsp_ids == NULL) {
+                        *al = SSL_AD_INTERNAL_ERROR;
+                        return 0;
+                    }
+                } else {
+                    s->tlsext_ocsp_ids = NULL;
+                }
+
+                 while (dsize > 0) {
+                     OCSP_RESPID *id;
+                     int idsize;
+@@ -2335,13 +2352,6 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
+                         OCSP_RESPID_free(id);
+                         goto err;
+                     }
+-                    if (!s->tlsext_ocsp_ids
+-                        && !(s->tlsext_ocsp_ids =
+-                             sk_OCSP_RESPID_new_null())) {
+-                        OCSP_RESPID_free(id);
+-                        *al = SSL_AD_INTERNAL_ERROR;
+-                        return 0;
+-                    }
+                     if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) {
+                         OCSP_RESPID_free(id);
+                         *al = SSL_AD_INTERNAL_ERROR;
+-- 
+2.7.4
diff --git a/recipes-connectivity/openssl/openssl_1.0.2h.bbappend b/recipes-connectivity/openssl/openssl_1.0.2h.bbappend
index 528a77c..e4a9912 100644
--- a/recipes-connectivity/openssl/openssl_1.0.2h.bbappend
+++ b/recipes-connectivity/openssl/openssl_1.0.2h.bbappend
@@ -9,4 +9,5 @@ SRC_URI += "file://CVE-2016-2178.patch \
           file://CVE-2016-2182.patch \
           file://CVE-2016-6302.patch \
           file://CVE-2016-6303.patch \
+           file://CVE-2016-6304.patch \
           "
author	Sona Sarmadi <sona.sarmadi@enea.com>	2016-09-26 12:18:21 +0200
committer	Adrian Dudau <adrian.dudau@enea.com>	2016-09-26 12:49:29 +0200
commit	35f3007f0e0c56bc2f96ab5893686191d099949f (patch)
tree	6fc964f38d1f8d3f45525537f91a241ffc991617
parent	744b01090f6cf4984c11bb682693647a62103644 (diff)
download	meta-el-common-35f3007f0e0c56bc2f96ab5893686191d099949f.tar.gz

diff --git a/recipes-connectivity/openssl/openssl/CVE-2016-6304.patch b/recipes-connectivity/openssl/openssl/CVE-2016-6304.patch new file mode 100644 index 0000000..64508b5 --- /dev/null +++ b/recipes-connectivity/openssl/openssl/CVE-2016-6304.patch
@@ -0,0 +1,75 @@
		1	From ea39b16b71e4e72a228a4535bd6d6a02c5edbc1f Mon Sep 17 00:00:00 2001
		2	From: Matt Caswell <matt@openssl.org>
		3	Date: Fri, 9 Sep 2016 10:08:45 +0100
		4	Subject: [PATCH] Fix OCSP Status Request extension unbounded memory growth
		5
		6	A malicious client can send an excessively large OCSP Status Request
		7	extension. If that client continually requests renegotiation,
		8	sending a large OCSP Status Request extension each time, then there will
		9	be unbounded memory growth on the server. This will eventually lead to a
		10	Denial Of Service attack through memory exhaustion. Servers with a
		11	default configuration are vulnerable even if they do not support OCSP.
		12	Builds using the "no-ocsp" build time option are not affected.
		13
		14	I have also checked other extensions to see if they suffer from a similar
		15	problem but I could not find any other issues.
		16
		17	CVE-2016-6304
		18
		19	Issue reported by Shi Lei.
		20
		21	Reviewed-by: Rich Salz <rsalz@openssl.org>
		22
		23	Upstream-Status: Backport
		24	CVE: CVE-2016-6304
		25	Signed-off-by: Armin Kuster <akuster@mvista.com>
		26
		27	---
		28	ssl/t1_lib.c \| 24 +++++++++++++++++-------
		29	1 file changed, 17 insertions(+), 7 deletions(-)
		30
		31	diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
		32	index fbcf2e6..e4b4e27 100644
		33	--- a/ssl/t1_lib.c
		34	+++ b/ssl/t1_lib.c
		35	@@ -2316,6 +2316,23 @@ static int ssl_scan_clienthello_tlsext(SSL s, unsigned char *p,
		36	size -= 2;
		37	if (dsize > size)
		38	goto err;
		39	+
		40	+ /*
		41	+ * We remove any OCSP_RESPIDs from a previous handshake
		42	+ * to prevent unbounded memory growth - CVE-2016-6304
		43	+ */
		44	+ sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids,
		45	+ OCSP_RESPID_free);
		46	+ if (dsize > 0) {
		47	+ s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null();
		48	+ if (s->tlsext_ocsp_ids == NULL) {
		49	+ *al = SSL_AD_INTERNAL_ERROR;
		50	+ return 0;
		51	+ }
		52	+ } else {
		53	+ s->tlsext_ocsp_ids = NULL;
		54	+ }
		55	+
		56	while (dsize > 0) {
		57	OCSP_RESPID *id;
		58	int idsize;
		59	@@ -2335,13 +2352,6 @@ static int ssl_scan_clienthello_tlsext(SSL s, unsigned char *p,
		60	OCSP_RESPID_free(id);
		61	goto err;
		62	}
		63	- if (!s->tlsext_ocsp_ids
		64	- && !(s->tlsext_ocsp_ids =
		65	- sk_OCSP_RESPID_new_null())) {
		66	- OCSP_RESPID_free(id);
		67	- *al = SSL_AD_INTERNAL_ERROR;
		68	- return 0;
		69	- }
		70	if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) {
		71	OCSP_RESPID_free(id);
		72	*al = SSL_AD_INTERNAL_ERROR;
		73	--
		74	2.7.4
		75


diff --git a/recipes-connectivity/openssl/openssl_1.0.2h.bbappend b/recipes-connectivity/openssl/openssl_1.0.2h.bbappend index 528a77c..e4a9912 100644 --- a/recipes-connectivity/openssl/openssl_1.0.2h.bbappend +++ b/recipes-connectivity/openssl/openssl_1.0.2h.bbappend
@@ -9,4 +9,5 @@ SRC_URI += "file://CVE-2016-2178.patch \
9	file://CVE-2016-2182.patch \	9	file://CVE-2016-2182.patch \
10	file://CVE-2016-6302.patch \	10	file://CVE-2016-6302.patch \
11	file://CVE-2016-6303.patch \	11	file://CVE-2016-6303.patch \
		12	file://CVE-2016-6304.patch \
12	"	13	"