openssl: Security fix CVE-2016-2180

affects openssl < 1.0.2i Reference: https://www.openssl.org/news/secadv/20160922.txt Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2016-09-26 12:18:16 +0200
committer: Adrian Dudau <adrian.dudau@enea.com> 2016-09-26 12:49:28 +0200
commit: 5493231d1ff5e9b259cd074245e909b5e39d926e (patch)
tree: 4b5387ee260eef28fc49b040e26eaa89b9857f4d
parent: 331ca6f05824e5b005cbf504233b3c72275181d5 (diff)
download: meta-el-common-5493231d1ff5e9b259cd074245e909b5e39d926e.tar.gz
2 files changed, 45 insertions, 0 deletions
diff --git a/recipes-connectivity/openssl/openssl/CVE-2016-2180.patch b/recipes-connectivity/openssl/openssl/CVE-2016-2180.patch
new file mode 100644
index 0000000..c71aaa5
--- /dev/null
+++ b/recipes-connectivity/openssl/openssl/CVE-2016-2180.patch
@@ -0,0 +1,44 @@
+From b746aa3fe05b5b5f7126df247ac3eceeb995e2a0 Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve@openssl.org>
+Date: Thu, 21 Jul 2016 15:24:16 +0100
+Subject: [PATCH] Fix OOB read in TS_OBJ_print_bio().
+TS_OBJ_print_bio() misuses OBJ_txt2obj: it should print the result
+as a null terminated buffer. The length value returned is the total
+length the complete text reprsentation would need not the amount of
+data written.
+CVE-2016-2180
+Thanks to Shi Lei for reporting this bug.
+Reviewed-by: Matt Caswell <matt@openssl.org>
+(cherry picked from commit 0ed26acce328ec16a3aa635f1ca37365e8c7403a)
+Upstream-Status: Backport
+CVE: CVE-2016-2180
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ crypto/ts/ts_lib.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+diff --git a/crypto/ts/ts_lib.c b/crypto/ts/ts_lib.c
+index c51538a..e0f1063 100644
+--- a/crypto/ts/ts_lib.c
+++ b/crypto/ts/ts_lib.c
+@@ -90,9 +90,8 @@ int TS_OBJ_print_bio(BIO *bio, const ASN1_OBJECT *obj)
+ {
+     char obj_txt[128];
+ 
+-    int len = OBJ_obj2txt(obj_txt, sizeof(obj_txt), obj, 0);
+-    BIO_write(bio, obj_txt, len);
+-    BIO_write(bio, "\n", 1);
+    OBJ_obj2txt(obj_txt, sizeof(obj_txt), obj, 0);
+    BIO_printf(bio, "%s\n", obj_txt);
+ 
+     return 1;
+ }
+-- 
+2.7.4
diff --git a/recipes-connectivity/openssl/openssl_1.0.2h.bbappend b/recipes-connectivity/openssl/openssl_1.0.2h.bbappend
index 85d7990..ff2aa45 100644
--- a/recipes-connectivity/openssl/openssl_1.0.2h.bbappend
+++ b/recipes-connectivity/openssl/openssl_1.0.2h.bbappend
@@ -2,4 +2,5 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
 SRC_URI += "file://CVE-2016-2178.patch \
           file://CVE-2016-2179.patch \
+           file://CVE-2016-2180.patch \
           "
author	Sona Sarmadi <sona.sarmadi@enea.com>	2016-09-26 12:18:16 +0200
committer	Adrian Dudau <adrian.dudau@enea.com>	2016-09-26 12:49:28 +0200
commit	5493231d1ff5e9b259cd074245e909b5e39d926e (patch)
tree	4b5387ee260eef28fc49b040e26eaa89b9857f4d
parent	331ca6f05824e5b005cbf504233b3c72275181d5 (diff)
download	meta-el-common-5493231d1ff5e9b259cd074245e909b5e39d926e.tar.gz

diff --git a/recipes-connectivity/openssl/openssl/CVE-2016-2180.patch b/recipes-connectivity/openssl/openssl/CVE-2016-2180.patch new file mode 100644 index 0000000..c71aaa5 --- /dev/null +++ b/recipes-connectivity/openssl/openssl/CVE-2016-2180.patch
@@ -0,0 +1,44 @@
		1	From b746aa3fe05b5b5f7126df247ac3eceeb995e2a0 Mon Sep 17 00:00:00 2001
		2	From: "Dr. Stephen Henson" <steve@openssl.org>
		3	Date: Thu, 21 Jul 2016 15:24:16 +0100
		4	Subject: [PATCH] Fix OOB read in TS_OBJ_print_bio().
		5
		6	TS_OBJ_print_bio() misuses OBJ_txt2obj: it should print the result
		7	as a null terminated buffer. The length value returned is the total
		8	length the complete text reprsentation would need not the amount of
		9	data written.
		10
		11	CVE-2016-2180
		12
		13	Thanks to Shi Lei for reporting this bug.
		14
		15	Reviewed-by: Matt Caswell <matt@openssl.org>
		16	(cherry picked from commit 0ed26acce328ec16a3aa635f1ca37365e8c7403a)
		17
		18	Upstream-Status: Backport
		19	CVE: CVE-2016-2180
		20	Signed-off-by: Armin Kuster <akuster@mvista.com>
		21
		22	---
		23	crypto/ts/ts_lib.c \| 5 ++---
		24	1 file changed, 2 insertions(+), 3 deletions(-)
		25
		26	diff --git a/crypto/ts/ts_lib.c b/crypto/ts/ts_lib.c
		27	index c51538a..e0f1063 100644
		28	--- a/crypto/ts/ts_lib.c
		29	+++ b/crypto/ts/ts_lib.c
		30	@@ -90,9 +90,8 @@ int TS_OBJ_print_bio(BIO bio, const ASN1_OBJECT obj)
		31	{
		32	char obj_txt[128];
		33
		34	- int len = OBJ_obj2txt(obj_txt, sizeof(obj_txt), obj, 0);
		35	- BIO_write(bio, obj_txt, len);
		36	- BIO_write(bio, "\n", 1);
		37	+ OBJ_obj2txt(obj_txt, sizeof(obj_txt), obj, 0);
		38	+ BIO_printf(bio, "%s\n", obj_txt);
		39
		40	return 1;
		41	}
		42	--
		43	2.7.4
		44


diff --git a/recipes-connectivity/openssl/openssl_1.0.2h.bbappend b/recipes-connectivity/openssl/openssl_1.0.2h.bbappend index 85d7990..ff2aa45 100644 --- a/recipes-connectivity/openssl/openssl_1.0.2h.bbappend +++ b/recipes-connectivity/openssl/openssl_1.0.2h.bbappend
@@ -2,4 +2,5 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
2		2
3	SRC_URI += "file://CVE-2016-2178.patch \	3	SRC_URI += "file://CVE-2016-2178.patch \
4	file://CVE-2016-2179.patch \	4	file://CVE-2016-2179.patch \
		5	file://CVE-2016-2180.patch \
5	"	6	"