merged to staging. g...@git.yoctoproject.org/poky-contrib.git akuster/dizzy-next
thanks, Armin On 12/14/2015 02:25 AM, Sona Sarmadi wrote: > Fixes following vulnerabilities: > Certificate verify crash with missing PSS parameter (CVE-2015-3194) > X509_ATTRIBUTE memory leak (CVE-2015-3195) > > References: > https://openssl.org/news/secadv/20151203.txt > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3194 > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3195 > > Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com> > --- > .../CVE-2015-3194-Add-PSS-parameter-check.patch | 35 +++++++++++++ > ...CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch | 59 > ++++++++++++++++++++++ > .../recipes-connectivity/openssl/openssl_1.0.1p.bb | 2 + > 3 files changed, 96 insertions(+) > create mode 100644 > meta/recipes-connectivity/openssl/openssl/CVE-2015-3194-Add-PSS-parameter-check.patch > create mode 100644 > meta/recipes-connectivity/openssl/openssl/CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch > > diff --git > a/meta/recipes-connectivity/openssl/openssl/CVE-2015-3194-Add-PSS-parameter-check.patch > > b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3194-Add-PSS-parameter-check.patch > new file mode 100644 > index 0000000..3c00bc1 > --- /dev/null > +++ > b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3194-Add-PSS-parameter-check.patch > @@ -0,0 +1,35 @@ > +Date: Fri, 2 Oct 2015 13:10:29 +0100 > +Subject: [PATCH] Add PSS parameter check. > + > +Avoid seg fault by checking mgf1 parameter is not NULL. This can be > +triggered during certificate verification so could be a DoS attack > +against a client or a server enabling client authentication. > + > +Thanks to Loïc Jonas Etienne (Qnective AG) for discovering this bug. > + > +CVE-2015-3194 > + > +Upstream-Status: Backport > + > +Reviewed-by: Matt Caswell <m...@openssl.org> > +Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com> > +--- > + crypto/rsa/rsa_ameth.c | 2 +- > + 1 file changed, 1 insertion(+), 1 deletion(-) > + > +diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c > +index 93e071d..c7f1148 100644 > +--- a/crypto/rsa/rsa_ameth.c > ++++ b/crypto/rsa/rsa_ameth.c > +@@ -279,7 +279,7 @@ static RSA_PSS_PARAMS *rsa_pss_decode(const X509_ALGOR > *alg, > + if (pss->maskGenAlgorithm) { > + ASN1_TYPE *param = pss->maskGenAlgorithm->parameter; > + if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) == NID_mgf1 > +- && param->type == V_ASN1_SEQUENCE) { > ++ && param && param->type == V_ASN1_SEQUENCE) { > + p = param->value.sequence->data; > + plen = param->value.sequence->length; > + *pmaskHash = d2i_X509_ALGOR(NULL, &p, plen); > +-- > +1.9.1 > + > diff --git > a/meta/recipes-connectivity/openssl/openssl/CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch > > b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch > new file mode 100644 > index 0000000..87c4c6c > --- /dev/null > +++ > b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch > @@ -0,0 +1,59 @@ > +Date: Tue, 10 Nov 2015 19:03:07 +0000 > +Subject: [PATCH] Fix leak with ASN.1 combine. > + > +When parsing a combined structure pass a flag to the decode routine > +so on error a pointer to the parent structure is not zeroed as > +this will leak any additional components in the parent. > + > +This can leak memory in any application parsing PKCS#7 or CMS structures. > + > +CVE-2015-3195. > + > +Upstream-Status: Backport > + > +Thanks to Adam Langley (Google/BoringSSL) for discovering this bug using > +libFuzzer. > + > +PR#4131 > + > +Reviewed-by: Richard Levitte <levi...@openssl.org> > +Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com> > +--- > + crypto/asn1/tasn_dec.c | 7 +++++-- > + 1 file changed, 5 insertions(+), 2 deletions(-) > + > +diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c > +index febf605..9256049 100644 > +--- a/crypto/asn1/tasn_dec.c > ++++ b/crypto/asn1/tasn_dec.c > +@@ -180,6 +180,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned > char **in, long len, > + int otag; > + int ret = 0; > + ASN1_VALUE **pchptr, *ptmpval; > ++ int combine = aclass & ASN1_TFLG_COMBINE; > ++ aclass &= ~ASN1_TFLG_COMBINE; > + if (!pval) > + return 0; > + if (aux && aux->asn1_cb) > +@@ -500,7 +502,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned > char **in, long len, > + auxerr: > + ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR); > + err: > +- ASN1_item_ex_free(pval, it); > ++ if (combine == 0) > ++ ASN1_item_ex_free(pval, it); > + if (errtt) > + ERR_add_error_data(4, "Field=", errtt->field_name, > + ", Type=", it->sname); > +@@ -689,7 +692,7 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val, > + } else { > + /* Nothing special */ > + ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), > +- -1, 0, opt, ctx); > ++ -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx); > + if (!ret) { > + ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, > ERR_R_NESTED_ASN1_ERROR); > + goto err; > +-- > +1.9.1 > + > diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.1p.bb > b/meta/recipes-connectivity/openssl/openssl_1.0.1p.bb > index 3f61790..1d0242f 100644 > --- a/meta/recipes-connectivity/openssl/openssl_1.0.1p.bb > +++ b/meta/recipes-connectivity/openssl/openssl_1.0.1p.bb > @@ -34,6 +34,8 @@ SRC_URI += "file://configure-targets.patch \ > file://Makefiles-ptest.patch \ > file://ptest-deps.patch \ > file://run-ptest \ > + file://CVE-2015-3194-Add-PSS-parameter-check.patch \ > + file://CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch \ > " > > SRC_URI[md5sum] = "7563e92327199e0067ccd0f79f436976" > -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
