2 files changed, 71 insertions, 0 deletions
diff --git a/recipes-connectivity/openssl/openssl/CVE-2016-2182.patch b/recipes-connectivity/openssl/openssl/CVE-2016-2182.patch
new file mode 100644
index 0000000..5995cbe
--- /dev/null
+++ b/recipes-connectivity/openssl/openssl/CVE-2016-2182.patch
@@ -0,0 +1,70 @@
+From e36f27ddb80a48e579783bc29fb3758988342b71 Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve@openssl.org>
+Date: Fri, 5 Aug 2016 14:26:03 +0100
+Subject: [PATCH] Check for errors in BN_bn2dec()
+If an oversize BIGNUM is presented to BN_bn2dec() it can cause
+BN_div_word() to fail and not reduce the value of 't' resulting
+in OOB writes to the bn_data buffer and eventually crashing.
+Fix by checking return value of BN_div_word() and checking writes
+don't overflow buffer.
+Thanks to Shi Lei for reporting this bug.
+CVE-2016-2182
+Reviewed-by: Tim Hudson <tjh@openssl.org>
+(cherry picked from commit 07bed46f332fce8c1d157689a2cdf915a982ae34)
+Conflicts:
+        crypto/bn/bn_print.c
+Upstream-Status: Backport
+CVE: CVE-2016-2182
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ crypto/bn/bn_print.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+diff --git a/crypto/bn/bn_print.c b/crypto/bn/bn_print.c
+index bfa31ef..b44403e 100644
+--- a/crypto/bn/bn_print.c
+++ b/crypto/bn/bn_print.c
+@@ -111,6 +111,7 @@ char *BN_bn2dec(const BIGNUM *a)
+     char *p;
+     BIGNUM *t = NULL;
+     BN_ULONG *bn_data = NULL, *lp;
+    int bn_data_num;
+ 
+     /*-
+      * get an upper bound for the length of the decimal integer
+@@ -120,9 +121,9 @@ char *BN_bn2dec(const BIGNUM *a)
+      */
+     i = BN_num_bits(a) * 3;
+     num = (i / 10 + i / 1000 + 1) + 1;
+-    bn_data =
+-        (BN_ULONG *)OPENSSL_malloc((num / BN_DEC_NUM + 1) * sizeof(BN_ULONG));
+-    buf = (char *)OPENSSL_malloc(num + 3);
+    bn_data_num = num / BN_DEC_NUM + 1;
+    bn_data = OPENSSL_malloc(bn_data_num * sizeof(BN_ULONG));
+    buf = OPENSSL_malloc(num + 3);
+     if ((buf == NULL) || (bn_data == NULL)) {
+         BNerr(BN_F_BN_BN2DEC, ERR_R_MALLOC_FAILURE);
+         goto err;
+@@ -143,7 +144,11 @@ char *BN_bn2dec(const BIGNUM *a)
+         i = 0;
+         while (!BN_is_zero(t)) {
+             *lp = BN_div_word(t, BN_DEC_CONV);
+            if (*lp == (BN_ULONG)-1)
+                goto err;
+             lp++;
+            if (lp - bn_data >= bn_data_num)
+                goto err;
+         }
+         lp--;
+         /*
+-- 
+2.7.4
diff --git a/recipes-connectivity/openssl/openssl_1.0.2h.bbappend b/recipes-connectivity/openssl/openssl_1.0.2h.bbappend
index 196dc50..eb369e4 100644
--- a/recipes-connectivity/openssl/openssl_1.0.2h.bbappend
+++ b/recipes-connectivity/openssl/openssl_1.0.2h.bbappend
@@ -6,4 +6,5 @@ SRC_URI += "file://CVE-2016-2178.patch \
           file://CVE-2016-2181_p1.patch \
           file://CVE-2016-2181_p2.patch \
           file://CVE-2016-2181_p3.patch \
+           file://CVE-2016-2182.patch \
           "

diff --git a/recipes-connectivity/openssl/openssl/CVE-2016-2182.patch b/recipes-connectivity/openssl/openssl/CVE-2016-2182.patch new file mode 100644 index 0000000..5995cbe --- /dev/null +++ b/recipes-connectivity/openssl/openssl/CVE-2016-2182.patch
@@ -0,0 +1,70 @@
		1	From e36f27ddb80a48e579783bc29fb3758988342b71 Mon Sep 17 00:00:00 2001
		2	From: "Dr. Stephen Henson" <steve@openssl.org>
		3	Date: Fri, 5 Aug 2016 14:26:03 +0100
		4	Subject: [PATCH] Check for errors in BN_bn2dec()
		5
		6	If an oversize BIGNUM is presented to BN_bn2dec() it can cause
		7	BN_div_word() to fail and not reduce the value of 't' resulting
		8	in OOB writes to the bn_data buffer and eventually crashing.
		9
		10	Fix by checking return value of BN_div_word() and checking writes
		11	don't overflow buffer.
		12
		13	Thanks to Shi Lei for reporting this bug.
		14
		15	CVE-2016-2182
		16
		17	Reviewed-by: Tim Hudson <tjh@openssl.org>
		18	(cherry picked from commit 07bed46f332fce8c1d157689a2cdf915a982ae34)
		19
		20	Conflicts:
		21	crypto/bn/bn_print.c
		22
		23	Upstream-Status: Backport
		24	CVE: CVE-2016-2182
		25	Signed-off-by: Armin Kuster <akuster@mvista.com>
		26
		27	---
		28	crypto/bn/bn_print.c \| 11 ++++++++---
		29	1 file changed, 8 insertions(+), 3 deletions(-)
		30
		31	diff --git a/crypto/bn/bn_print.c b/crypto/bn/bn_print.c
		32	index bfa31ef..b44403e 100644
		33	--- a/crypto/bn/bn_print.c
		34	+++ b/crypto/bn/bn_print.c
		35	@@ -111,6 +111,7 @@ char BN_bn2dec(const BIGNUM a)
		36	char *p;
		37	BIGNUM *t = NULL;
		38	BN_ULONG bn_data = NULL, lp;
		39	+ int bn_data_num;
		40
		41	/*-
		42	* get an upper bound for the length of the decimal integer
		43	@@ -120,9 +121,9 @@ char BN_bn2dec(const BIGNUM a)
		44	*/
		45	i = BN_num_bits(a) * 3;
		46	num = (i / 10 + i / 1000 + 1) + 1;
		47	- bn_data =
		48	- (BN_ULONG )OPENSSL_malloc((num / BN_DEC_NUM + 1) sizeof(BN_ULONG));
		49	- buf = (char *)OPENSSL_malloc(num + 3);
		50	+ bn_data_num = num / BN_DEC_NUM + 1;
		51	+ bn_data = OPENSSL_malloc(bn_data_num * sizeof(BN_ULONG));
		52	+ buf = OPENSSL_malloc(num + 3);
		53	if ((buf == NULL) \|\| (bn_data == NULL)) {
		54	BNerr(BN_F_BN_BN2DEC, ERR_R_MALLOC_FAILURE);
		55	goto err;
		56	@@ -143,7 +144,11 @@ char BN_bn2dec(const BIGNUM a)
		57	i = 0;
		58	while (!BN_is_zero(t)) {
		59	*lp = BN_div_word(t, BN_DEC_CONV);
		60	+ if (*lp == (BN_ULONG)-1)
		61	+ goto err;
		62	lp++;
		63	+ if (lp - bn_data >= bn_data_num)
		64	+ goto err;
		65	}
		66	lp--;
		67	/*
		68	--
		69	2.7.4
		70


diff --git a/recipes-connectivity/openssl/openssl_1.0.2h.bbappend b/recipes-connectivity/openssl/openssl_1.0.2h.bbappend index 196dc50..eb369e4 100644 --- a/recipes-connectivity/openssl/openssl_1.0.2h.bbappend +++ b/recipes-connectivity/openssl/openssl_1.0.2h.bbappend
@@ -6,4 +6,5 @@ SRC_URI += "file://CVE-2016-2178.patch \
6	file://CVE-2016-2181_p1.patch \	6	file://CVE-2016-2181_p1.patch \
7	file://CVE-2016-2181_p2.patch \	7	file://CVE-2016-2181_p2.patch \
8	file://CVE-2016-2181_p3.patch \	8	file://CVE-2016-2181_p3.patch \
		9	file://CVE-2016-2182.patch \
9	"	10	"