Reference: https://www.openssl.org/news/secadv/20160922.txt
Upstream fix: https://github.com/openssl/openssl/commit/e408c09bbf7c3057bda4b8d20bec1b3a7771c15b Signed-off-by: Anuj Mittal <anujx.mit...@intel.com> --- .../openssl/openssl/CVE-2016-6304.patch | 75 ++++++++++++++++++++++ .../recipes-connectivity/openssl/openssl_1.0.2h.bb | 1 + 2 files changed, 76 insertions(+) create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2016-6304.patch diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2016-6304.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2016-6304.patch new file mode 100644 index 0000000..59d66f0 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2016-6304.patch @@ -0,0 +1,75 @@ +From ea39b16b71e4e72a228a4535bd6d6a02c5edbc1f Mon Sep 17 00:00:00 2001 +From: Matt Caswell <m...@openssl.org> +Date: Fri, 9 Sep 2016 10:08:45 +0100 +Subject: [PATCH] Fix OCSP Status Request extension unbounded memory growth + +A malicious client can send an excessively large OCSP Status Request +extension. If that client continually requests renegotiation, +sending a large OCSP Status Request extension each time, then there will +be unbounded memory growth on the server. This will eventually lead to a +Denial Of Service attack through memory exhaustion. Servers with a +default configuration are vulnerable even if they do not support OCSP. +Builds using the "no-ocsp" build time option are not affected. + +I have also checked other extensions to see if they suffer from a similar +problem but I could not find any other issues. + +CVE-2016-6304 + +Issue reported by Shi Lei. +Reviewed-by: Rich Salz <rs...@openssl.org> + +CVE: CVE-2016-6304 +Upstream-Status: Backport +https://github.com/openssl/openssl/commit/e408c09bbf7c3057bda4b8d20bec1b3a7771c15b + +Signed-off-by: Anuj Mittal <anujx.mit...@intel.com> +--- + ssl/t1_lib.c | 24 +++++++++++++++++------- + 1 file changed, 17 insertions(+), 7 deletions(-) + +diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c +index fbcf2e6..e4b4e27 100644 +--- a/ssl/t1_lib.c ++++ b/ssl/t1_lib.c +@@ -2316,6 +2316,23 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, + size -= 2; + if (dsize > size) + goto err; ++ ++ /* ++ * We remove any OCSP_RESPIDs from a previous handshake ++ * to prevent unbounded memory growth - CVE-2016-6304 ++ */ ++ sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, ++ OCSP_RESPID_free); ++ if (dsize > 0) { ++ s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null(); ++ if (s->tlsext_ocsp_ids == NULL) { ++ *al = SSL_AD_INTERNAL_ERROR; ++ return 0; ++ } ++ } else { ++ s->tlsext_ocsp_ids = NULL; ++ } ++ + while (dsize > 0) { + OCSP_RESPID *id; + int idsize; +@@ -2335,13 +2352,6 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, + OCSP_RESPID_free(id); + goto err; + } +- if (!s->tlsext_ocsp_ids +- && !(s->tlsext_ocsp_ids = +- sk_OCSP_RESPID_new_null())) { +- OCSP_RESPID_free(id); +- *al = SSL_AD_INTERNAL_ERROR; +- return 0; +- } + if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) { + OCSP_RESPID_free(id); + *al = SSL_AD_INTERNAL_ERROR; +-- +1.9.1 + diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb index c8444d3..c369d01 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb @@ -42,6 +42,7 @@ SRC_URI += "file://find.pl;subdir=${BP}/util/ \ file://CVE-2016-2177.patch \ file://CVE-2016-2178.patch \ file://openssl-util-perlpath.pl-cwd.patch \ + file://CVE-2016-6304.patch \ " SRC_URI[md5sum] = "9392e65072ce4b614c1392eefc1f23d0" SRC_URI[sha256sum] = "1d4007e53aad94a5b2002fe045ee7bb0b3d98f1a47f8b2bc851dcd1c74332919" -- 1.9.1 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
