diff options
author | Adrian Dudau <adrian.dudau@enea.com> | 2016-09-27 16:38:51 +0200 |
---|---|---|
committer | Martin Borg <martin.borg@enea.com> | 2016-09-29 13:37:39 +0200 |
commit | 96cf162f9d9e83121ec43a8baf940d4ebc75b811 (patch) | |
tree | b9f2df27caa54035f33f4aba79bcc060804c0dd4 /recipes-connectivity/openssl/openssl/CVE-2016-6304.patch | |
parent | f73e0eb5d77764c00d6ae8db10528522fc8516bc (diff) | |
download | meta-el-common-krogoth.tar.gz |
openssl: Revert 9 CVE fixes merged upstreamkrogoth
Revert "openssl: Security fix CVE-2016-6306"
This reverts commit f73e0eb5d77764c00d6ae8db10528522fc8516bc.
Revert "openssl: Security fix CVE-2016-6304"
This reverts commit 35f3007f0e0c56bc2f96ab5893686191d099949f.
Revert "openssl: Security fix CVE-2016-6303"
This reverts commit 744b01090f6cf4984c11bb682693647a62103644.
Revert "openssl: Security fix CVE-2016-6302"
This reverts commit 8ac9ad185c0889af0bfb2fcd90a6987cb972eb0a.
Revert "openssl: Security fix CVE-2016-2182"
This reverts commit c95a5d22dedc5701d18e91e40a0c54802915187d.
Revert "openssl: Security fix CVE-2016-2181"
This reverts commit f0e2e3d84763477138d902f7d48ac2658266aa2b.
Revert "openssl: Security fix CVE-2016-2180"
This reverts commit 5493231d1ff5e9b259cd074245e909b5e39d926e.
Revert "openssl: Security fix CVE-2016-2179"
This reverts commit 331ca6f05824e5b005cbf504233b3c72275181d5.
Revert "openssl: Security fix CVE-2016-2178"
This reverts commit ac47871dfb962355c3c8971cd2fde2e4d03c9790.
Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
Signed-off-by: Martin Borg <martin.borg@enea.com>
Diffstat (limited to 'recipes-connectivity/openssl/openssl/CVE-2016-6304.patch')
-rw-r--r-- | recipes-connectivity/openssl/openssl/CVE-2016-6304.patch | 75 |
1 files changed, 0 insertions, 75 deletions
diff --git a/recipes-connectivity/openssl/openssl/CVE-2016-6304.patch b/recipes-connectivity/openssl/openssl/CVE-2016-6304.patch deleted file mode 100644 index 64508b5..0000000 --- a/recipes-connectivity/openssl/openssl/CVE-2016-6304.patch +++ /dev/null | |||
@@ -1,75 +0,0 @@ | |||
1 | From ea39b16b71e4e72a228a4535bd6d6a02c5edbc1f Mon Sep 17 00:00:00 2001 | ||
2 | From: Matt Caswell <matt@openssl.org> | ||
3 | Date: Fri, 9 Sep 2016 10:08:45 +0100 | ||
4 | Subject: [PATCH] Fix OCSP Status Request extension unbounded memory growth | ||
5 | |||
6 | A malicious client can send an excessively large OCSP Status Request | ||
7 | extension. If that client continually requests renegotiation, | ||
8 | sending a large OCSP Status Request extension each time, then there will | ||
9 | be unbounded memory growth on the server. This will eventually lead to a | ||
10 | Denial Of Service attack through memory exhaustion. Servers with a | ||
11 | default configuration are vulnerable even if they do not support OCSP. | ||
12 | Builds using the "no-ocsp" build time option are not affected. | ||
13 | |||
14 | I have also checked other extensions to see if they suffer from a similar | ||
15 | problem but I could not find any other issues. | ||
16 | |||
17 | CVE-2016-6304 | ||
18 | |||
19 | Issue reported by Shi Lei. | ||
20 | |||
21 | Reviewed-by: Rich Salz <rsalz@openssl.org> | ||
22 | |||
23 | Upstream-Status: Backport | ||
24 | CVE: CVE-2016-6304 | ||
25 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
26 | |||
27 | --- | ||
28 | ssl/t1_lib.c | 24 +++++++++++++++++------- | ||
29 | 1 file changed, 17 insertions(+), 7 deletions(-) | ||
30 | |||
31 | diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c | ||
32 | index fbcf2e6..e4b4e27 100644 | ||
33 | --- a/ssl/t1_lib.c | ||
34 | +++ b/ssl/t1_lib.c | ||
35 | @@ -2316,6 +2316,23 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, | ||
36 | size -= 2; | ||
37 | if (dsize > size) | ||
38 | goto err; | ||
39 | + | ||
40 | + /* | ||
41 | + * We remove any OCSP_RESPIDs from a previous handshake | ||
42 | + * to prevent unbounded memory growth - CVE-2016-6304 | ||
43 | + */ | ||
44 | + sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, | ||
45 | + OCSP_RESPID_free); | ||
46 | + if (dsize > 0) { | ||
47 | + s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null(); | ||
48 | + if (s->tlsext_ocsp_ids == NULL) { | ||
49 | + *al = SSL_AD_INTERNAL_ERROR; | ||
50 | + return 0; | ||
51 | + } | ||
52 | + } else { | ||
53 | + s->tlsext_ocsp_ids = NULL; | ||
54 | + } | ||
55 | + | ||
56 | while (dsize > 0) { | ||
57 | OCSP_RESPID *id; | ||
58 | int idsize; | ||
59 | @@ -2335,13 +2352,6 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, | ||
60 | OCSP_RESPID_free(id); | ||
61 | goto err; | ||
62 | } | ||
63 | - if (!s->tlsext_ocsp_ids | ||
64 | - && !(s->tlsext_ocsp_ids = | ||
65 | - sk_OCSP_RESPID_new_null())) { | ||
66 | - OCSP_RESPID_free(id); | ||
67 | - *al = SSL_AD_INTERNAL_ERROR; | ||
68 | - return 0; | ||
69 | - } | ||
70 | if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) { | ||
71 | OCSP_RESPID_free(id); | ||
72 | *al = SSL_AD_INTERNAL_ERROR; | ||
73 | -- | ||
74 | 2.7.4 | ||
75 | |||