summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSona Sarmadi <sona.sarmadi@enea.com>2015-12-15 10:07:48 (GMT)
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-01-30 12:03:14 (GMT)
commit1930286e3fa4a144dae963fb531e7caa1311c225 (patch)
tree19dc7efc4fb501afd46b544ff1daf163424d5c23
parentd4db68ae6bae2d9c6d7ed17a0dbce17477b84c9d (diff)
downloadpoky-1930286e3fa4a144dae963fb531e7caa1311c225.tar.gz
openssl: CVE-2015-3194, CVE-2015-3195
Fixes following vulnerabilities: Certificate verify crash with missing PSS parameter (CVE-2015-3194) X509_ATTRIBUTE memory leak (CVE-2015-3195) References: https://openssl.org/news/secadv/20151203.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3194 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3195 Upstream patches: CVE-2015-3194: https://git.openssl.org/?p=openssl.git;a=commit;h= d8541d7e9e63bf5f343af24644046c8d96498c17 CVE-2015-3195: https://git.openssl.org/?p=openssl.git;a=commit;h= b29ffa392e839d05171206523e84909146f7a77c (From OE-Core rev: 09c3a0f01572a6a65e9f87ce16817ee7de3296f1) Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-connectivity/openssl/openssl/CVE-2015-3194-Add-PSS-parameter-check.patch37
-rw-r--r--meta/recipes-connectivity/openssl/openssl/CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch61
-rw-r--r--meta/recipes-connectivity/openssl/openssl_1.0.1p.bb2
3 files changed, 100 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2015-3194-Add-PSS-parameter-check.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3194-Add-PSS-parameter-check.patch
new file mode 100644
index 0000000..a6697ca
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3194-Add-PSS-parameter-check.patch
@@ -0,0 +1,37 @@
1From d8541d7e9e63bf5f343af24644046c8d96498c17 Mon Sep 17 00:00:00 2001
2From: "Dr. Stephen Henson" <steve@openssl.org>
3Date: Fri, 2 Oct 2015 13:10:29 +0100
4Subject:Add PSS parameter check.
5
6Avoid seg fault by checking mgf1 parameter is not NULL. This can be
7triggered during certificate verification so could be a DoS attack
8against a client or a server enabling client authentication.
9
10Thanks to Loïc Jonas Etienne (Qnective AG) for discovering this bug.
11
12CVE-2015-3194
13
14Upstream-Status: Backport
15
16Reviewed-by: Matt Caswell <matt@openssl.org>
17Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
18---
19 crypto/rsa/rsa_ameth.c | 2 +-
20 1 file changed, 1 insertion(+), 1 deletion(-)
21
22diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
23index 93e071d..c7f1148 100644
24--- a/crypto/rsa/rsa_ameth.c
25+++ b/crypto/rsa/rsa_ameth.c
26@@ -279,7 +279,7 @@ static RSA_PSS_PARAMS *rsa_pss_decode(const X509_ALGOR *alg,
27 if (pss->maskGenAlgorithm) {
28 ASN1_TYPE *param = pss->maskGenAlgorithm->parameter;
29 if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) == NID_mgf1
30- && param->type == V_ASN1_SEQUENCE) {
31+ && param && param->type == V_ASN1_SEQUENCE) {
32 p = param->value.sequence->data;
33 plen = param->value.sequence->length;
34 *pmaskHash = d2i_X509_ALGOR(NULL, &p, plen);
35--
361.9.1
37
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch
new file mode 100644
index 0000000..be705c0
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch
@@ -0,0 +1,61 @@
1commit b29ffa392e839d05171206523e84909146f7a77c
2Author: Dr. Stephen Henson <steve@openssl.org>
3Date: Tue, 10 Nov 2015 19:03:07 +0000
4Subject: Fix leak with ASN.1 combine.
5
6When parsing a combined structure pass a flag to the decode routine
7so on error a pointer to the parent structure is not zeroed as
8this will leak any additional components in the parent.
9
10This can leak memory in any application parsing PKCS#7 or CMS structures.
11
12CVE-2015-3195.
13
14Upstream-Status: Backport
15
16Thanks to Adam Langley (Google/BoringSSL) for discovering this bug using
17libFuzzer.
18
19PR#4131
20
21Reviewed-by: Richard Levitte <levitte@openssl.org>
22Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
23---
24 crypto/asn1/tasn_dec.c | 7 +++++--
25 1 file changed, 5 insertions(+), 2 deletions(-)
26
27diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c
28index febf605..9256049 100644
29--- a/crypto/asn1/tasn_dec.c
30+++ b/crypto/asn1/tasn_dec.c
31@@ -180,6 +180,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
32 int otag;
33 int ret = 0;
34 ASN1_VALUE **pchptr, *ptmpval;
35+ int combine = aclass & ASN1_TFLG_COMBINE;
36+ aclass &= ~ASN1_TFLG_COMBINE;
37 if (!pval)
38 return 0;
39 if (aux && aux->asn1_cb)
40@@ -500,7 +502,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
41 auxerr:
42 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR);
43 err:
44- ASN1_item_ex_free(pval, it);
45+ if (combine == 0)
46+ ASN1_item_ex_free(pval, it);
47 if (errtt)
48 ERR_add_error_data(4, "Field=", errtt->field_name,
49 ", Type=", it->sname);
50@@ -689,7 +692,7 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
51 } else {
52 /* Nothing special */
53 ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
54- -1, 0, opt, ctx);
55+ -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx);
56 if (!ret) {
57 ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR);
58 goto err;
59--
601.9.1
61
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.1p.bb b/meta/recipes-connectivity/openssl/openssl_1.0.1p.bb
index 3f61790..1d0242f 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.0.1p.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.0.1p.bb
@@ -34,6 +34,8 @@ SRC_URI += "file://configure-targets.patch \
34 file://Makefiles-ptest.patch \ 34 file://Makefiles-ptest.patch \
35 file://ptest-deps.patch \ 35 file://ptest-deps.patch \
36 file://run-ptest \ 36 file://run-ptest \
37 file://CVE-2015-3194-Add-PSS-parameter-check.patch \
38 file://CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch \
37 " 39 "
38 40
39SRC_URI[md5sum] = "7563e92327199e0067ccd0f79f436976" 41SRC_URI[md5sum] = "7563e92327199e0067ccd0f79f436976"