Hi Armin I noticed that my patch does not have reference to the original commit hash, I will create a new patch and send it to you, sorry about this.
commit b29ffa392e839d05171206523e84909146f7a77c Author: Dr. Stephen Henson <st...@openssl.org> //Sona > -----Original Message----- > From: openembedded-core-boun...@lists.openembedded.org > [mailto:openembedded-core-boun...@lists.openembedded.org] On Behalf > Of Sona Sarmadi > Sent: den 14 december 2015 11:25 > To: openembedded-core@lists.openembedded.org > Subject: [OE-core] [PATCH][dizzy] openssl: CVE-2015-3194, CVE-2015-3195 > > Fixes following vulnerabilities: > Certificate verify crash with missing PSS parameter (CVE-2015-3194) > X509_ATTRIBUTE memory leak (CVE-2015-3195) > > References: > https://openssl.org/news/secadv/20151203.txt > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3194 > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3195 > > Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com> > --- > .../CVE-2015-3194-Add-PSS-parameter-check.patch | 35 +++++++++++++ > ...CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch | 59 > ++++++++++++++++++++++ .../recipes- > connectivity/openssl/openssl_1.0.1p.bb | 2 + > 3 files changed, 96 insertions(+) > create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2015- > 3194-Add-PSS-parameter-check.patch > create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2015- > 3195-Fix-leak-with-ASN.1-combine.patch > > diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2015-3194-Add- > PSS-parameter-check.patch b/meta/recipes- > connectivity/openssl/openssl/CVE-2015-3194-Add-PSS-parameter- > check.patch > new file mode 100644 > index 0000000..3c00bc1 > --- /dev/null > +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3194-Add-PSS- > pa > +++ rameter-check.patch > @@ -0,0 +1,35 @@ > +Date: Fri, 2 Oct 2015 13:10:29 +0100 > +Subject: [PATCH] Add PSS parameter check. > + > +Avoid seg fault by checking mgf1 parameter is not NULL. This can be > +triggered during certificate verification so could be a DoS attack > +against a client or a server enabling client authentication. > + > +Thanks to Loïc Jonas Etienne (Qnective AG) for discovering this bug. > + > +CVE-2015-3194 > + > +Upstream-Status: Backport > + > +Reviewed-by: Matt Caswell <m...@openssl.org> > +Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com> > +--- > + crypto/rsa/rsa_ameth.c | 2 +- > + 1 file changed, 1 insertion(+), 1 deletion(-) > + > +diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c index > +93e071d..c7f1148 100644 > +--- a/crypto/rsa/rsa_ameth.c > ++++ b/crypto/rsa/rsa_ameth.c > +@@ -279,7 +279,7 @@ static RSA_PSS_PARAMS *rsa_pss_decode(const > X509_ALGOR *alg, > + if (pss->maskGenAlgorithm) { > + ASN1_TYPE *param = pss->maskGenAlgorithm->parameter; > + if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) == NID_mgf1 > +- && param->type == V_ASN1_SEQUENCE) { > ++ && param && param->type == V_ASN1_SEQUENCE) { > + p = param->value.sequence->data; > + plen = param->value.sequence->length; > + *pmaskHash = d2i_X509_ALGOR(NULL, &p, plen); > +-- > +1.9.1 > + > diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2015-3195-Fix- > leak-with-ASN.1-combine.patch b/meta/recipes- > connectivity/openssl/openssl/CVE-2015-3195-Fix-leak-with-ASN.1- > combine.patch > new file mode 100644 > index 0000000..87c4c6c > --- /dev/null > +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3195-Fix-leak- > w > +++ ith-ASN.1-combine.patch > @@ -0,0 +1,59 @@ > +Date: Tue, 10 Nov 2015 19:03:07 +0000 > +Subject: [PATCH] Fix leak with ASN.1 combine. > + > +When parsing a combined structure pass a flag to the decode routine so > +on error a pointer to the parent structure is not zeroed as this will > +leak any additional components in the parent. > + > +This can leak memory in any application parsing PKCS#7 or CMS structures. > + > +CVE-2015-3195. > + > +Upstream-Status: Backport > + > +Thanks to Adam Langley (Google/BoringSSL) for discovering this bug > +using libFuzzer. > + > +PR#4131 > + > +Reviewed-by: Richard Levitte <levi...@openssl.org> > +Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com> > +--- > + crypto/asn1/tasn_dec.c | 7 +++++-- > + 1 file changed, 5 insertions(+), 2 deletions(-) > + > +diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c index > +febf605..9256049 100644 > +--- a/crypto/asn1/tasn_dec.c > ++++ b/crypto/asn1/tasn_dec.c > +@@ -180,6 +180,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const > unsigned char **in, long len, > + int otag; > + int ret = 0; > + ASN1_VALUE **pchptr, *ptmpval; > ++ int combine = aclass & ASN1_TFLG_COMBINE; > ++ aclass &= ~ASN1_TFLG_COMBINE; > + if (!pval) > + return 0; > + if (aux && aux->asn1_cb) > +@@ -500,7 +502,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const > +unsigned char **in, long len, > + auxerr: > + ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR); > + err: > +- ASN1_item_ex_free(pval, it); > ++ if (combine == 0) > ++ ASN1_item_ex_free(pval, it); > + if (errtt) > + ERR_add_error_data(4, "Field=", errtt->field_name, > + ", Type=", it->sname); @@ -689,7 +692,7 @@ > +static int asn1_template_noexp_d2i(ASN1_VALUE **val, > + } else { > + /* Nothing special */ > + ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), > +- -1, 0, opt, ctx); > ++ -1, tt->flags & ASN1_TFLG_COMBINE, opt, > ++ ctx); > + if (!ret) { > + ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, > ERR_R_NESTED_ASN1_ERROR); > + goto err; > +-- > +1.9.1 > + > diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.1p.bb > b/meta/recipes-connectivity/openssl/openssl_1.0.1p.bb > index 3f61790..1d0242f 100644 > --- a/meta/recipes-connectivity/openssl/openssl_1.0.1p.bb > +++ b/meta/recipes-connectivity/openssl/openssl_1.0.1p.bb > @@ -34,6 +34,8 @@ SRC_URI += "file://configure-targets.patch \ > file://Makefiles-ptest.patch \ > file://ptest-deps.patch \ > file://run-ptest \ > + file://CVE-2015-3194-Add-PSS-parameter-check.patch \ > + file://CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch \ > " > > SRC_URI[md5sum] = "7563e92327199e0067ccd0f79f436976" > -- > 1.9.1 > > -- > _______________________________________________ > Openembedded-core mailing list > Openembedded-core@lists.openembedded.org > http://lists.openembedded.org/mailman/listinfo/openembedded-core -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
