openssl: Security fix CVE-2016-2180

affects openssl < 1.0.1i (From OE-Core rev: 94b44f40fb52f642eeab1211bd5fc57ceba29f7e) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2016-09-23 23:06:10 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-09-27 09:05:57 +0100
commit: 82017f236748c3b84815100a7a4ba5397de1dc7d (patch)
tree: 66e66c5bd2b046348d12e682b3bec0319bf45e47
parent: e1e5b18a5e41369a951b724886476d7de825ee44 (diff)
download: poky-82017f236748c3b84815100a7a4ba5397de1dc7d.tar.gz
2 files changed, 45 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2016-2180.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2016-2180.patch
new file mode 100644
index 0000000000..c71aaa5e51
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2016-2180.patch
@@ -0,0 +1,44 @@
+From b746aa3fe05b5b5f7126df247ac3eceeb995e2a0 Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve@openssl.org>
+Date: Thu, 21 Jul 2016 15:24:16 +0100
+Subject: [PATCH] Fix OOB read in TS_OBJ_print_bio().
+TS_OBJ_print_bio() misuses OBJ_txt2obj: it should print the result
+as a null terminated buffer. The length value returned is the total
+length the complete text reprsentation would need not the amount of
+data written.
+CVE-2016-2180
+Thanks to Shi Lei for reporting this bug.
+Reviewed-by: Matt Caswell <matt@openssl.org>
+(cherry picked from commit 0ed26acce328ec16a3aa635f1ca37365e8c7403a)
+Upstream-Status: Backport
+CVE: CVE-2016-2180
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ crypto/ts/ts_lib.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+diff --git a/crypto/ts/ts_lib.c b/crypto/ts/ts_lib.c
+index c51538a..e0f1063 100644
+--- a/crypto/ts/ts_lib.c
+++ b/crypto/ts/ts_lib.c
+@@ -90,9 +90,8 @@ int TS_OBJ_print_bio(BIO *bio, const ASN1_OBJECT *obj)
+ {
+     char obj_txt[128];
+ 
+-    int len = OBJ_obj2txt(obj_txt, sizeof(obj_txt), obj, 0);
+-    BIO_write(bio, obj_txt, len);
+-    BIO_write(bio, "\n", 1);
+    OBJ_obj2txt(obj_txt, sizeof(obj_txt), obj, 0);
+    BIO_printf(bio, "%s\n", obj_txt);
+ 
+     return 1;
+ }
+-- 
+2.7.4
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb
index 0e4dfeeb24..8a04ff6c8f 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb
@@ -40,6 +40,7 @@ SRC_URI += "file://find.pl;subdir=${BP}/util/ \
            file://parallel.patch \
            file://CVE-2016-2178.patch \
            file://CVE-2016-2179.patch \
+            file://CVE-2016-2180.patch \
           "
 SRC_URI[md5sum] = "9392e65072ce4b614c1392eefc1f23d0"
 SRC_URI[sha256sum] = "1d4007e53aad94a5b2002fe045ee7bb0b3d98f1a47f8b2bc851dcd1c74332919"
author	Armin Kuster <akuster@mvista.com>	2016-09-23 23:06:10 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-09-27 09:05:57 +0100
commit	82017f236748c3b84815100a7a4ba5397de1dc7d (patch)
tree	66e66c5bd2b046348d12e682b3bec0319bf45e47
parent	e1e5b18a5e41369a951b724886476d7de825ee44 (diff)
download	poky-82017f236748c3b84815100a7a4ba5397de1dc7d.tar.gz

diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2016-2180.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2016-2180.patch new file mode 100644 index 0000000000..c71aaa5e51 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2016-2180.patch
@@ -0,0 +1,44 @@
		1	From b746aa3fe05b5b5f7126df247ac3eceeb995e2a0 Mon Sep 17 00:00:00 2001
		2	From: "Dr. Stephen Henson" <steve@openssl.org>
		3	Date: Thu, 21 Jul 2016 15:24:16 +0100
		4	Subject: [PATCH] Fix OOB read in TS_OBJ_print_bio().
		5
		6	TS_OBJ_print_bio() misuses OBJ_txt2obj: it should print the result
		7	as a null terminated buffer. The length value returned is the total
		8	length the complete text reprsentation would need not the amount of
		9	data written.
		10
		11	CVE-2016-2180
		12
		13	Thanks to Shi Lei for reporting this bug.
		14
		15	Reviewed-by: Matt Caswell <matt@openssl.org>
		16	(cherry picked from commit 0ed26acce328ec16a3aa635f1ca37365e8c7403a)
		17
		18	Upstream-Status: Backport
		19	CVE: CVE-2016-2180
		20	Signed-off-by: Armin Kuster <akuster@mvista.com>
		21
		22	---
		23	crypto/ts/ts_lib.c \| 5 ++---
		24	1 file changed, 2 insertions(+), 3 deletions(-)
		25
		26	diff --git a/crypto/ts/ts_lib.c b/crypto/ts/ts_lib.c
		27	index c51538a..e0f1063 100644
		28	--- a/crypto/ts/ts_lib.c
		29	+++ b/crypto/ts/ts_lib.c
		30	@@ -90,9 +90,8 @@ int TS_OBJ_print_bio(BIO bio, const ASN1_OBJECT obj)
		31	{
		32	char obj_txt[128];
		33
		34	- int len = OBJ_obj2txt(obj_txt, sizeof(obj_txt), obj, 0);
		35	- BIO_write(bio, obj_txt, len);
		36	- BIO_write(bio, "\n", 1);
		37	+ OBJ_obj2txt(obj_txt, sizeof(obj_txt), obj, 0);
		38	+ BIO_printf(bio, "%s\n", obj_txt);
		39
		40	return 1;
		41	}
		42	--
		43	2.7.4
		44


diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb index 0e4dfeeb24..8a04ff6c8f 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb
@@ -40,6 +40,7 @@ SRC_URI += "file://find.pl;subdir=${BP}/util/ \
40	file://parallel.patch \	40	file://parallel.patch \
41	file://CVE-2016-2178.patch \	41	file://CVE-2016-2178.patch \
42	file://CVE-2016-2179.patch \	42	file://CVE-2016-2179.patch \
		43	file://CVE-2016-2180.patch \
43	"	44	"
44	SRC_URI[md5sum] = "9392e65072ce4b614c1392eefc1f23d0"	45	SRC_URI[md5sum] = "9392e65072ce4b614c1392eefc1f23d0"
45	SRC_URI[sha256sum] = "1d4007e53aad94a5b2002fe045ee7bb0b3d98f1a47f8b2bc851dcd1c74332919"	46	SRC_URI[sha256sum] = "1d4007e53aad94a5b2002fe045ee7bb0b3d98f1a47f8b2bc851dcd1c74332919"