From 96cf162f9d9e83121ec43a8baf940d4ebc75b811 Mon Sep 17 00:00:00 2001 From: Adrian Dudau Date: Tue, 27 Sep 2016 16:38:51 +0200 Subject: openssl: Revert 9 CVE fixes merged upstream Revert "openssl: Security fix CVE-2016-6306" This reverts commit f73e0eb5d77764c00d6ae8db10528522fc8516bc. Revert "openssl: Security fix CVE-2016-6304" This reverts commit 35f3007f0e0c56bc2f96ab5893686191d099949f. Revert "openssl: Security fix CVE-2016-6303" This reverts commit 744b01090f6cf4984c11bb682693647a62103644. Revert "openssl: Security fix CVE-2016-6302" This reverts commit 8ac9ad185c0889af0bfb2fcd90a6987cb972eb0a. Revert "openssl: Security fix CVE-2016-2182" This reverts commit c95a5d22dedc5701d18e91e40a0c54802915187d. Revert "openssl: Security fix CVE-2016-2181" This reverts commit f0e2e3d84763477138d902f7d48ac2658266aa2b. Revert "openssl: Security fix CVE-2016-2180" This reverts commit 5493231d1ff5e9b259cd074245e909b5e39d926e. Revert "openssl: Security fix CVE-2016-2179" This reverts commit 331ca6f05824e5b005cbf504233b3c72275181d5. Revert "openssl: Security fix CVE-2016-2178" This reverts commit ac47871dfb962355c3c8971cd2fde2e4d03c9790. Signed-off-by: Adrian Dudau Signed-off-by: Martin Borg --- .../openssl/openssl/CVE-2016-6304.patch | 75 ---------------------- 1 file changed, 75 deletions(-) delete mode 100644 recipes-connectivity/openssl/openssl/CVE-2016-6304.patch (limited to 'recipes-connectivity/openssl/openssl/CVE-2016-6304.patch') diff --git a/recipes-connectivity/openssl/openssl/CVE-2016-6304.patch b/recipes-connectivity/openssl/openssl/CVE-2016-6304.patch deleted file mode 100644 index 64508b5..0000000 --- a/recipes-connectivity/openssl/openssl/CVE-2016-6304.patch +++ /dev/null @@ -1,75 +0,0 @@ -From ea39b16b71e4e72a228a4535bd6d6a02c5edbc1f Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Fri, 9 Sep 2016 10:08:45 +0100 -Subject: [PATCH] Fix OCSP Status Request extension unbounded memory growth - -A malicious client can send an excessively large OCSP Status Request -extension. If that client continually requests renegotiation, -sending a large OCSP Status Request extension each time, then there will -be unbounded memory growth on the server. This will eventually lead to a -Denial Of Service attack through memory exhaustion. Servers with a -default configuration are vulnerable even if they do not support OCSP. -Builds using the "no-ocsp" build time option are not affected. - -I have also checked other extensions to see if they suffer from a similar -problem but I could not find any other issues. - -CVE-2016-6304 - -Issue reported by Shi Lei. - -Reviewed-by: Rich Salz - -Upstream-Status: Backport -CVE: CVE-2016-6304 -Signed-off-by: Armin Kuster - ---- - ssl/t1_lib.c | 24 +++++++++++++++++------- - 1 file changed, 17 insertions(+), 7 deletions(-) - -diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c -index fbcf2e6..e4b4e27 100644 ---- a/ssl/t1_lib.c -+++ b/ssl/t1_lib.c -@@ -2316,6 +2316,23 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, - size -= 2; - if (dsize > size) - goto err; -+ -+ /* -+ * We remove any OCSP_RESPIDs from a previous handshake -+ * to prevent unbounded memory growth - CVE-2016-6304 -+ */ -+ sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, -+ OCSP_RESPID_free); -+ if (dsize > 0) { -+ s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null(); -+ if (s->tlsext_ocsp_ids == NULL) { -+ *al = SSL_AD_INTERNAL_ERROR; -+ return 0; -+ } -+ } else { -+ s->tlsext_ocsp_ids = NULL; -+ } -+ - while (dsize > 0) { - OCSP_RESPID *id; - int idsize; -@@ -2335,13 +2352,6 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, - OCSP_RESPID_free(id); - goto err; - } -- if (!s->tlsext_ocsp_ids -- && !(s->tlsext_ocsp_ids = -- sk_OCSP_RESPID_new_null())) { -- OCSP_RESPID_free(id); -- *al = SSL_AD_INTERNAL_ERROR; -- return 0; -- } - if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) { - OCSP_RESPID_free(id); - *al = SSL_AD_INTERNAL_ERROR; --- -2.7.4 - -- cgit v1.2.3-54-g00ecf