openssl: fix for CVE-2015-3195

(From OE-Core rev: 85841412db0b1e22c53e62a839d03f7672b07b64) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2015-12-07 16:57:45 -0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-01-14 15:18:27 +0000
commit: 9eb4ce0a81dc8b7c820a3a87cba8880ae2b6d356 (patch)
tree: 65af4433f0af4a234124cb17d4289ee9ed062635 /meta/recipes-connectivity
parent: 6880f826c3bc8cbcc6e54f7a6159d90a0fb89ecc (diff)
download: poky-9eb4ce0a81dc8b7c820a3a87cba8880ae2b6d356.tar.gz
2 files changed, 67 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch
new file mode 100644
index 0000000000..6fc4d0e839
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch
@@ -0,0 +1,66 @@
+From cc598f321fbac9c04da5766243ed55d55948637d Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve@openssl.org>
+Date: Tue, 10 Nov 2015 19:03:07 +0000
+Subject: [PATCH] Fix leak with ASN.1 combine.
+When parsing a combined structure pass a flag to the decode routine
+so on error a pointer to the parent structure is not zeroed as
+this will leak any additional components in the parent.
+This can leak memory in any application parsing PKCS#7 or CMS structures.
+CVE-2015-3195.
+Thanks to Adam Langley (Google/BoringSSL) for discovering this bug using
+libFuzzer.
+PR#4131
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+Upstream-Status: Backport
+This patch was imported from
+https://git.openssl.org/?p=openssl.git;a=commit;h=cc598f321fbac9c04da5766243ed55d55948637d
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ crypto/asn1/tasn_dec.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c
+index febf605..9256049 100644
+--- a/crypto/asn1/tasn_dec.c
+++ b/crypto/asn1/tasn_dec.c
+@@ -180,6 +180,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
+     int otag;
+     int ret = 0;
+     ASN1_VALUE **pchptr, *ptmpval;
+    int combine = aclass & ASN1_TFLG_COMBINE;
+    aclass &= ~ASN1_TFLG_COMBINE;
+     if (!pval)
+         return 0;
+     if (aux && aux->asn1_cb)
+@@ -500,7 +502,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
+  auxerr:
+     ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR);
+  err:
+-    ASN1_item_ex_free(pval, it);
+    if (combine == 0)
+        ASN1_item_ex_free(pval, it);
+     if (errtt)
+         ERR_add_error_data(4, "Field=", errtt->field_name,
+                            ", Type=", it->sname);
+@@ -689,7 +692,7 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
+     } else {
+         /* Nothing special */
+         ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
+-                               -1, 0, opt, ctx);
+                               -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx);
+         if (!ret) {
+             ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR);
+             goto err;
+-- 
+2.3.5
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb
index 317de8d1b8..60d5676126 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb
@@ -40,6 +40,7 @@ SRC_URI += "file://configure-targets.patch \
            file://CVE-2015-3193-bn-asm-x86_64-mont5.pl-fix-carry-propagating-bug-CVE.patch \
            file://CVE-2015-3194-1-Add-PSS-parameter-check.patch \
            file://0001-Add-test-for-CVE-2015-3194.patch \
+            file://CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch \
           "
 SRC_URI[md5sum] = "38dd619b2e77cbac69b99f52a053d25a"
author	Armin Kuster <akuster@mvista.com>	2015-12-07 16:57:45 -0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-01-14 15:18:27 +0000
commit	9eb4ce0a81dc8b7c820a3a87cba8880ae2b6d356 (patch)
tree	65af4433f0af4a234124cb17d4289ee9ed062635 /meta/recipes-connectivity
parent	6880f826c3bc8cbcc6e54f7a6159d90a0fb89ecc (diff)
download	poky-9eb4ce0a81dc8b7c820a3a87cba8880ae2b6d356.tar.gz

diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch new file mode 100644 index 0000000000..6fc4d0e839 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch
@@ -0,0 +1,66 @@
		1	From cc598f321fbac9c04da5766243ed55d55948637d Mon Sep 17 00:00:00 2001
		2	From: "Dr. Stephen Henson" <steve@openssl.org>
		3	Date: Tue, 10 Nov 2015 19:03:07 +0000
		4	Subject: [PATCH] Fix leak with ASN.1 combine.
		5
		6	When parsing a combined structure pass a flag to the decode routine
		7	so on error a pointer to the parent structure is not zeroed as
		8	this will leak any additional components in the parent.
		9
		10	This can leak memory in any application parsing PKCS#7 or CMS structures.
		11
		12	CVE-2015-3195.
		13
		14	Thanks to Adam Langley (Google/BoringSSL) for discovering this bug using
		15	libFuzzer.
		16
		17	PR#4131
		18
		19	Reviewed-by: Richard Levitte <levitte@openssl.org>
		20
		21	Upstream-Status: Backport
		22
		23	This patch was imported from
		24	https://git.openssl.org/?p=openssl.git;a=commit;h=cc598f321fbac9c04da5766243ed55d55948637d
		25
		26	Signed-off-by: Armin Kuster <akuster@mvista.com>
		27
		28	---
		29	crypto/asn1/tasn_dec.c \| 7 +++++--
		30	1 file changed, 5 insertions(+), 2 deletions(-)
		31
		32	diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c
		33	index febf605..9256049 100644
		34	--- a/crypto/asn1/tasn_dec.c
		35	+++ b/crypto/asn1/tasn_dec.c
		36	@@ -180,6 +180,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE pval, const unsigned char in, long len,
		37	int otag;
		38	int ret = 0;
		39	ASN1_VALUE *pchptr, ptmpval;
		40	+ int combine = aclass & ASN1_TFLG_COMBINE;
		41	+ aclass &= ~ASN1_TFLG_COMBINE;
		42	if (!pval)
		43	return 0;
		44	if (aux && aux->asn1_cb)
		45	@@ -500,7 +502,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE pval, const unsigned char in, long len,
		46	auxerr:
		47	ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR);
		48	err:
		49	- ASN1_item_ex_free(pval, it);
		50	+ if (combine == 0)
		51	+ ASN1_item_ex_free(pval, it);
		52	if (errtt)
		53	ERR_add_error_data(4, "Field=", errtt->field_name,
		54	", Type=", it->sname);
		55	@@ -689,7 +692,7 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
		56	} else {
		57	/* Nothing special */
		58	ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
		59	- -1, 0, opt, ctx);
		60	+ -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx);
		61	if (!ret) {
		62	ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR);
		63	goto err;
		64	--
		65	2.3.5
		66


diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb index 317de8d1b8..60d5676126 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb
@@ -40,6 +40,7 @@ SRC_URI += "file://configure-targets.patch \
40	file://CVE-2015-3193-bn-asm-x86_64-mont5.pl-fix-carry-propagating-bug-CVE.patch \	40	file://CVE-2015-3193-bn-asm-x86_64-mont5.pl-fix-carry-propagating-bug-CVE.patch \
41	file://CVE-2015-3194-1-Add-PSS-parameter-check.patch \	41	file://CVE-2015-3194-1-Add-PSS-parameter-check.patch \
42	file://0001-Add-test-for-CVE-2015-3194.patch \	42	file://0001-Add-test-for-CVE-2015-3194.patch \
		43	file://CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch \
43	"	44	"
44		45
45	SRC_URI[md5sum] = "38dd619b2e77cbac69b99f52a053d25a"	46	SRC_URI[md5sum] = "38dd619b2e77cbac69b99f52a053d25a"