From 96cf162f9d9e83121ec43a8baf940d4ebc75b811 Mon Sep 17 00:00:00 2001 From: Adrian Dudau Date: Tue, 27 Sep 2016 16:38:51 +0200 Subject: openssl: Revert 9 CVE fixes merged upstream Revert "openssl: Security fix CVE-2016-6306" This reverts commit f73e0eb5d77764c00d6ae8db10528522fc8516bc. Revert "openssl: Security fix CVE-2016-6304" This reverts commit 35f3007f0e0c56bc2f96ab5893686191d099949f. Revert "openssl: Security fix CVE-2016-6303" This reverts commit 744b01090f6cf4984c11bb682693647a62103644. Revert "openssl: Security fix CVE-2016-6302" This reverts commit 8ac9ad185c0889af0bfb2fcd90a6987cb972eb0a. Revert "openssl: Security fix CVE-2016-2182" This reverts commit c95a5d22dedc5701d18e91e40a0c54802915187d. Revert "openssl: Security fix CVE-2016-2181" This reverts commit f0e2e3d84763477138d902f7d48ac2658266aa2b. Revert "openssl: Security fix CVE-2016-2180" This reverts commit 5493231d1ff5e9b259cd074245e909b5e39d926e. Revert "openssl: Security fix CVE-2016-2179" This reverts commit 331ca6f05824e5b005cbf504233b3c72275181d5. Revert "openssl: Security fix CVE-2016-2178" This reverts commit ac47871dfb962355c3c8971cd2fde2e4d03c9790. Signed-off-by: Adrian Dudau Signed-off-by: Martin Borg --- .../openssl/openssl/CVE-2016-2182.patch | 70 ---------------------- 1 file changed, 70 deletions(-) delete mode 100644 recipes-connectivity/openssl/openssl/CVE-2016-2182.patch (limited to 'recipes-connectivity/openssl/openssl/CVE-2016-2182.patch') diff --git a/recipes-connectivity/openssl/openssl/CVE-2016-2182.patch b/recipes-connectivity/openssl/openssl/CVE-2016-2182.patch deleted file mode 100644 index 5995cbe..0000000 --- a/recipes-connectivity/openssl/openssl/CVE-2016-2182.patch +++ /dev/null @@ -1,70 +0,0 @@ -From e36f27ddb80a48e579783bc29fb3758988342b71 Mon Sep 17 00:00:00 2001 -From: "Dr. Stephen Henson" -Date: Fri, 5 Aug 2016 14:26:03 +0100 -Subject: [PATCH] Check for errors in BN_bn2dec() - -If an oversize BIGNUM is presented to BN_bn2dec() it can cause -BN_div_word() to fail and not reduce the value of 't' resulting -in OOB writes to the bn_data buffer and eventually crashing. - -Fix by checking return value of BN_div_word() and checking writes -don't overflow buffer. - -Thanks to Shi Lei for reporting this bug. - -CVE-2016-2182 - -Reviewed-by: Tim Hudson -(cherry picked from commit 07bed46f332fce8c1d157689a2cdf915a982ae34) - -Conflicts: - crypto/bn/bn_print.c - -Upstream-Status: Backport -CVE: CVE-2016-2182 -Signed-off-by: Armin Kuster - ---- - crypto/bn/bn_print.c | 11 ++++++++--- - 1 file changed, 8 insertions(+), 3 deletions(-) - -diff --git a/crypto/bn/bn_print.c b/crypto/bn/bn_print.c -index bfa31ef..b44403e 100644 ---- a/crypto/bn/bn_print.c -+++ b/crypto/bn/bn_print.c -@@ -111,6 +111,7 @@ char *BN_bn2dec(const BIGNUM *a) - char *p; - BIGNUM *t = NULL; - BN_ULONG *bn_data = NULL, *lp; -+ int bn_data_num; - - /*- - * get an upper bound for the length of the decimal integer -@@ -120,9 +121,9 @@ char *BN_bn2dec(const BIGNUM *a) - */ - i = BN_num_bits(a) * 3; - num = (i / 10 + i / 1000 + 1) + 1; -- bn_data = -- (BN_ULONG *)OPENSSL_malloc((num / BN_DEC_NUM + 1) * sizeof(BN_ULONG)); -- buf = (char *)OPENSSL_malloc(num + 3); -+ bn_data_num = num / BN_DEC_NUM + 1; -+ bn_data = OPENSSL_malloc(bn_data_num * sizeof(BN_ULONG)); -+ buf = OPENSSL_malloc(num + 3); - if ((buf == NULL) || (bn_data == NULL)) { - BNerr(BN_F_BN_BN2DEC, ERR_R_MALLOC_FAILURE); - goto err; -@@ -143,7 +144,11 @@ char *BN_bn2dec(const BIGNUM *a) - i = 0; - while (!BN_is_zero(t)) { - *lp = BN_div_word(t, BN_DEC_CONV); -+ if (*lp == (BN_ULONG)-1) -+ goto err; - lp++; -+ if (lp - bn_data >= bn_data_num) -+ goto err; - } - lp--; - /* --- -2.7.4 - -- cgit v1.2.3-54-g00ecf