From 35f3007f0e0c56bc2f96ab5893686191d099949f Mon Sep 17 00:00:00 2001 From: Sona Sarmadi Date: Mon, 26 Sep 2016 12:18:21 +0200 Subject: openssl: Security fix CVE-2016-6304 affects openssl < 1.0.2i Reference: https://www.openssl.org/news/secadv/20160922.txt Signed-off-by: Armin Kuster Signed-off-by: Sona Sarmadi Signed-off-by: Adrian Dudau --- .../openssl/openssl/CVE-2016-6304.patch | 75 ++++++++++++++++++++++ .../openssl/openssl_1.0.2h.bbappend | 1 + 2 files changed, 76 insertions(+) create mode 100644 recipes-connectivity/openssl/openssl/CVE-2016-6304.patch diff --git a/recipes-connectivity/openssl/openssl/CVE-2016-6304.patch b/recipes-connectivity/openssl/openssl/CVE-2016-6304.patch new file mode 100644 index 0000000..64508b5 --- /dev/null +++ b/recipes-connectivity/openssl/openssl/CVE-2016-6304.patch @@ -0,0 +1,75 @@ +From ea39b16b71e4e72a228a4535bd6d6a02c5edbc1f Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Fri, 9 Sep 2016 10:08:45 +0100 +Subject: [PATCH] Fix OCSP Status Request extension unbounded memory growth + +A malicious client can send an excessively large OCSP Status Request +extension. If that client continually requests renegotiation, +sending a large OCSP Status Request extension each time, then there will +be unbounded memory growth on the server. This will eventually lead to a +Denial Of Service attack through memory exhaustion. Servers with a +default configuration are vulnerable even if they do not support OCSP. +Builds using the "no-ocsp" build time option are not affected. + +I have also checked other extensions to see if they suffer from a similar +problem but I could not find any other issues. + +CVE-2016-6304 + +Issue reported by Shi Lei. + +Reviewed-by: Rich Salz + +Upstream-Status: Backport +CVE: CVE-2016-6304 +Signed-off-by: Armin Kuster + +--- + ssl/t1_lib.c | 24 +++++++++++++++++------- + 1 file changed, 17 insertions(+), 7 deletions(-) + +diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c +index fbcf2e6..e4b4e27 100644 +--- a/ssl/t1_lib.c ++++ b/ssl/t1_lib.c +@@ -2316,6 +2316,23 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, + size -= 2; + if (dsize > size) + goto err; ++ ++ /* ++ * We remove any OCSP_RESPIDs from a previous handshake ++ * to prevent unbounded memory growth - CVE-2016-6304 ++ */ ++ sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, ++ OCSP_RESPID_free); ++ if (dsize > 0) { ++ s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null(); ++ if (s->tlsext_ocsp_ids == NULL) { ++ *al = SSL_AD_INTERNAL_ERROR; ++ return 0; ++ } ++ } else { ++ s->tlsext_ocsp_ids = NULL; ++ } ++ + while (dsize > 0) { + OCSP_RESPID *id; + int idsize; +@@ -2335,13 +2352,6 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, + OCSP_RESPID_free(id); + goto err; + } +- if (!s->tlsext_ocsp_ids +- && !(s->tlsext_ocsp_ids = +- sk_OCSP_RESPID_new_null())) { +- OCSP_RESPID_free(id); +- *al = SSL_AD_INTERNAL_ERROR; +- return 0; +- } + if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) { + OCSP_RESPID_free(id); + *al = SSL_AD_INTERNAL_ERROR; +-- +2.7.4 + diff --git a/recipes-connectivity/openssl/openssl_1.0.2h.bbappend b/recipes-connectivity/openssl/openssl_1.0.2h.bbappend index 528a77c..e4a9912 100644 --- a/recipes-connectivity/openssl/openssl_1.0.2h.bbappend +++ b/recipes-connectivity/openssl/openssl_1.0.2h.bbappend @@ -9,4 +9,5 @@ SRC_URI += "file://CVE-2016-2178.patch \ file://CVE-2016-2182.patch \ file://CVE-2016-6302.patch \ file://CVE-2016-6303.patch \ + file://CVE-2016-6304.patch \ " -- cgit v1.2.3-54-g00ecf