summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--meta/recipes-connectivity/openssl/openssl/CVE-2016-2182.patch70
-rw-r--r--meta/recipes-connectivity/openssl/openssl_1.0.2h.bb1
2 files changed, 71 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2016-2182.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2016-2182.patch
new file mode 100644
index 0000000000..5995cbea18
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2016-2182.patch
@@ -0,0 +1,70 @@
1From e36f27ddb80a48e579783bc29fb3758988342b71 Mon Sep 17 00:00:00 2001
2From: "Dr. Stephen Henson" <steve@openssl.org>
3Date: Fri, 5 Aug 2016 14:26:03 +0100
4Subject: [PATCH] Check for errors in BN_bn2dec()
5
6If an oversize BIGNUM is presented to BN_bn2dec() it can cause
7BN_div_word() to fail and not reduce the value of 't' resulting
8in OOB writes to the bn_data buffer and eventually crashing.
9
10Fix by checking return value of BN_div_word() and checking writes
11don't overflow buffer.
12
13Thanks to Shi Lei for reporting this bug.
14
15CVE-2016-2182
16
17Reviewed-by: Tim Hudson <tjh@openssl.org>
18(cherry picked from commit 07bed46f332fce8c1d157689a2cdf915a982ae34)
19
20Conflicts:
21 crypto/bn/bn_print.c
22
23Upstream-Status: Backport
24CVE: CVE-2016-2182
25Signed-off-by: Armin Kuster <akuster@mvista.com>
26
27---
28 crypto/bn/bn_print.c | 11 ++++++++---
29 1 file changed, 8 insertions(+), 3 deletions(-)
30
31diff --git a/crypto/bn/bn_print.c b/crypto/bn/bn_print.c
32index bfa31ef..b44403e 100644
33--- a/crypto/bn/bn_print.c
34+++ b/crypto/bn/bn_print.c
35@@ -111,6 +111,7 @@ char *BN_bn2dec(const BIGNUM *a)
36 char *p;
37 BIGNUM *t = NULL;
38 BN_ULONG *bn_data = NULL, *lp;
39+ int bn_data_num;
40
41 /*-
42 * get an upper bound for the length of the decimal integer
43@@ -120,9 +121,9 @@ char *BN_bn2dec(const BIGNUM *a)
44 */
45 i = BN_num_bits(a) * 3;
46 num = (i / 10 + i / 1000 + 1) + 1;
47- bn_data =
48- (BN_ULONG *)OPENSSL_malloc((num / BN_DEC_NUM + 1) * sizeof(BN_ULONG));
49- buf = (char *)OPENSSL_malloc(num + 3);
50+ bn_data_num = num / BN_DEC_NUM + 1;
51+ bn_data = OPENSSL_malloc(bn_data_num * sizeof(BN_ULONG));
52+ buf = OPENSSL_malloc(num + 3);
53 if ((buf == NULL) || (bn_data == NULL)) {
54 BNerr(BN_F_BN_BN2DEC, ERR_R_MALLOC_FAILURE);
55 goto err;
56@@ -143,7 +144,11 @@ char *BN_bn2dec(const BIGNUM *a)
57 i = 0;
58 while (!BN_is_zero(t)) {
59 *lp = BN_div_word(t, BN_DEC_CONV);
60+ if (*lp == (BN_ULONG)-1)
61+ goto err;
62 lp++;
63+ if (lp - bn_data >= bn_data_num)
64+ goto err;
65 }
66 lp--;
67 /*
68--
692.7.4
70
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb
index d97b771748..da40a9b48d 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb
@@ -44,6 +44,7 @@ SRC_URI += "file://configure-targets.patch \
44 file://CVE-2016-2181_p1.patch \ 44 file://CVE-2016-2181_p1.patch \
45 file://CVE-2016-2181_p2.patch \ 45 file://CVE-2016-2181_p2.patch \
46 file://CVE-2016-2181_p3.patch \ 46 file://CVE-2016-2181_p3.patch \
47 file://CVE-2016-2182.patch \
47 " 48 "
48 49
49SRC_URI[md5sum] = "9392e65072ce4b614c1392eefc1f23d0" 50SRC_URI[md5sum] = "9392e65072ce4b614c1392eefc1f23d0"