From 8df8e70f96bbf48b75c8ebba604b608bc30b63b2 Mon Sep 17 00:00:00 2001 From: Armin Kuster Date: Fri, 23 Sep 2016 23:16:30 -0700 Subject: openssl: Security fix CVE-2016-6304 affects openssl < 1.0.1i (From OE-Core rev: d6e1a56f4e764832ac84b842fa2696b56d850ee9) Signed-off-by: Armin Kuster Signed-off-by: Richard Purdie --- .../openssl/openssl/CVE-2016-6304.patch | 75 ++++++++++++++++++++++ .../recipes-connectivity/openssl/openssl_1.0.2h.bb | 1 + 2 files changed, 76 insertions(+) create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2016-6304.patch diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2016-6304.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2016-6304.patch new file mode 100644 index 0000000000..64508b57c2 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2016-6304.patch @@ -0,0 +1,75 @@ +From ea39b16b71e4e72a228a4535bd6d6a02c5edbc1f Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Fri, 9 Sep 2016 10:08:45 +0100 +Subject: [PATCH] Fix OCSP Status Request extension unbounded memory growth + +A malicious client can send an excessively large OCSP Status Request +extension. If that client continually requests renegotiation, +sending a large OCSP Status Request extension each time, then there will +be unbounded memory growth on the server. This will eventually lead to a +Denial Of Service attack through memory exhaustion. Servers with a +default configuration are vulnerable even if they do not support OCSP. +Builds using the "no-ocsp" build time option are not affected. + +I have also checked other extensions to see if they suffer from a similar +problem but I could not find any other issues. + +CVE-2016-6304 + +Issue reported by Shi Lei. + +Reviewed-by: Rich Salz + +Upstream-Status: Backport +CVE: CVE-2016-6304 +Signed-off-by: Armin Kuster + +--- + ssl/t1_lib.c | 24 +++++++++++++++++------- + 1 file changed, 17 insertions(+), 7 deletions(-) + +diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c +index fbcf2e6..e4b4e27 100644 +--- a/ssl/t1_lib.c ++++ b/ssl/t1_lib.c +@@ -2316,6 +2316,23 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, + size -= 2; + if (dsize > size) + goto err; ++ ++ /* ++ * We remove any OCSP_RESPIDs from a previous handshake ++ * to prevent unbounded memory growth - CVE-2016-6304 ++ */ ++ sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, ++ OCSP_RESPID_free); ++ if (dsize > 0) { ++ s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null(); ++ if (s->tlsext_ocsp_ids == NULL) { ++ *al = SSL_AD_INTERNAL_ERROR; ++ return 0; ++ } ++ } else { ++ s->tlsext_ocsp_ids = NULL; ++ } ++ + while (dsize > 0) { + OCSP_RESPID *id; + int idsize; +@@ -2335,13 +2352,6 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, + OCSP_RESPID_free(id); + goto err; + } +- if (!s->tlsext_ocsp_ids +- && !(s->tlsext_ocsp_ids = +- sk_OCSP_RESPID_new_null())) { +- OCSP_RESPID_free(id); +- *al = SSL_AD_INTERNAL_ERROR; +- return 0; +- } + if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) { + OCSP_RESPID_free(id); + *al = SSL_AD_INTERNAL_ERROR; +-- +2.7.4 + diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb index 436b37c69c..1fe0cb20b7 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb @@ -47,6 +47,7 @@ SRC_URI += "file://configure-targets.patch \ file://CVE-2016-2182.patch \ file://CVE-2016-6302.patch \ file://CVE-2016-6303.patch \ + file://CVE-2016-6304.patch \ " SRC_URI[md5sum] = "9392e65072ce4b614c1392eefc1f23d0" -- cgit v1.2.3-54-g00ecf