diff options
author | Adrian Dudau <adrian.dudau@enea.com> | 2016-09-27 16:38:51 +0200 |
---|---|---|
committer | Martin Borg <martin.borg@enea.com> | 2016-09-29 13:37:39 +0200 |
commit | 96cf162f9d9e83121ec43a8baf940d4ebc75b811 (patch) | |
tree | b9f2df27caa54035f33f4aba79bcc060804c0dd4 /recipes-connectivity/openssl/openssl/CVE-2016-2182.patch | |
parent | f73e0eb5d77764c00d6ae8db10528522fc8516bc (diff) | |
download | meta-el-common-krogoth.tar.gz |
openssl: Revert 9 CVE fixes merged upstreamkrogoth
Revert "openssl: Security fix CVE-2016-6306"
This reverts commit f73e0eb5d77764c00d6ae8db10528522fc8516bc.
Revert "openssl: Security fix CVE-2016-6304"
This reverts commit 35f3007f0e0c56bc2f96ab5893686191d099949f.
Revert "openssl: Security fix CVE-2016-6303"
This reverts commit 744b01090f6cf4984c11bb682693647a62103644.
Revert "openssl: Security fix CVE-2016-6302"
This reverts commit 8ac9ad185c0889af0bfb2fcd90a6987cb972eb0a.
Revert "openssl: Security fix CVE-2016-2182"
This reverts commit c95a5d22dedc5701d18e91e40a0c54802915187d.
Revert "openssl: Security fix CVE-2016-2181"
This reverts commit f0e2e3d84763477138d902f7d48ac2658266aa2b.
Revert "openssl: Security fix CVE-2016-2180"
This reverts commit 5493231d1ff5e9b259cd074245e909b5e39d926e.
Revert "openssl: Security fix CVE-2016-2179"
This reverts commit 331ca6f05824e5b005cbf504233b3c72275181d5.
Revert "openssl: Security fix CVE-2016-2178"
This reverts commit ac47871dfb962355c3c8971cd2fde2e4d03c9790.
Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
Signed-off-by: Martin Borg <martin.borg@enea.com>
Diffstat (limited to 'recipes-connectivity/openssl/openssl/CVE-2016-2182.patch')
-rw-r--r-- | recipes-connectivity/openssl/openssl/CVE-2016-2182.patch | 70 |
1 files changed, 0 insertions, 70 deletions
diff --git a/recipes-connectivity/openssl/openssl/CVE-2016-2182.patch b/recipes-connectivity/openssl/openssl/CVE-2016-2182.patch deleted file mode 100644 index 5995cbe..0000000 --- a/recipes-connectivity/openssl/openssl/CVE-2016-2182.patch +++ /dev/null | |||
@@ -1,70 +0,0 @@ | |||
1 | From e36f27ddb80a48e579783bc29fb3758988342b71 Mon Sep 17 00:00:00 2001 | ||
2 | From: "Dr. Stephen Henson" <steve@openssl.org> | ||
3 | Date: Fri, 5 Aug 2016 14:26:03 +0100 | ||
4 | Subject: [PATCH] Check for errors in BN_bn2dec() | ||
5 | |||
6 | If an oversize BIGNUM is presented to BN_bn2dec() it can cause | ||
7 | BN_div_word() to fail and not reduce the value of 't' resulting | ||
8 | in OOB writes to the bn_data buffer and eventually crashing. | ||
9 | |||
10 | Fix by checking return value of BN_div_word() and checking writes | ||
11 | don't overflow buffer. | ||
12 | |||
13 | Thanks to Shi Lei for reporting this bug. | ||
14 | |||
15 | CVE-2016-2182 | ||
16 | |||
17 | Reviewed-by: Tim Hudson <tjh@openssl.org> | ||
18 | (cherry picked from commit 07bed46f332fce8c1d157689a2cdf915a982ae34) | ||
19 | |||
20 | Conflicts: | ||
21 | crypto/bn/bn_print.c | ||
22 | |||
23 | Upstream-Status: Backport | ||
24 | CVE: CVE-2016-2182 | ||
25 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
26 | |||
27 | --- | ||
28 | crypto/bn/bn_print.c | 11 ++++++++--- | ||
29 | 1 file changed, 8 insertions(+), 3 deletions(-) | ||
30 | |||
31 | diff --git a/crypto/bn/bn_print.c b/crypto/bn/bn_print.c | ||
32 | index bfa31ef..b44403e 100644 | ||
33 | --- a/crypto/bn/bn_print.c | ||
34 | +++ b/crypto/bn/bn_print.c | ||
35 | @@ -111,6 +111,7 @@ char *BN_bn2dec(const BIGNUM *a) | ||
36 | char *p; | ||
37 | BIGNUM *t = NULL; | ||
38 | BN_ULONG *bn_data = NULL, *lp; | ||
39 | + int bn_data_num; | ||
40 | |||
41 | /*- | ||
42 | * get an upper bound for the length of the decimal integer | ||
43 | @@ -120,9 +121,9 @@ char *BN_bn2dec(const BIGNUM *a) | ||
44 | */ | ||
45 | i = BN_num_bits(a) * 3; | ||
46 | num = (i / 10 + i / 1000 + 1) + 1; | ||
47 | - bn_data = | ||
48 | - (BN_ULONG *)OPENSSL_malloc((num / BN_DEC_NUM + 1) * sizeof(BN_ULONG)); | ||
49 | - buf = (char *)OPENSSL_malloc(num + 3); | ||
50 | + bn_data_num = num / BN_DEC_NUM + 1; | ||
51 | + bn_data = OPENSSL_malloc(bn_data_num * sizeof(BN_ULONG)); | ||
52 | + buf = OPENSSL_malloc(num + 3); | ||
53 | if ((buf == NULL) || (bn_data == NULL)) { | ||
54 | BNerr(BN_F_BN_BN2DEC, ERR_R_MALLOC_FAILURE); | ||
55 | goto err; | ||
56 | @@ -143,7 +144,11 @@ char *BN_bn2dec(const BIGNUM *a) | ||
57 | i = 0; | ||
58 | while (!BN_is_zero(t)) { | ||
59 | *lp = BN_div_word(t, BN_DEC_CONV); | ||
60 | + if (*lp == (BN_ULONG)-1) | ||
61 | + goto err; | ||
62 | lp++; | ||
63 | + if (lp - bn_data >= bn_data_num) | ||
64 | + goto err; | ||
65 | } | ||
66 | lp--; | ||
67 | /* | ||
68 | -- | ||
69 | 2.7.4 | ||
70 | |||