From: Fan Xin <fan.xin@jp.fujitsu.com>
To: OE-core <openembedded-core@lists.openembedded.org>
Subject: Re: [PATCH][dizzy] openssl: CVE-2015-3194, CVE-2015-3195
Date: Wed, 16 Dec 2015 15:50:21 +0900
Message-ID: <567109AD.8030602@jp.fujitsu.com>
In-Reply-To: <A8FC939F80655644A89BB21CCD3741E80140909C16@G08CNEXMBPEKD02.g08.fujitsu.local>
Hi Armin,
Please merge this patch to the daisy branch.
Thanks.
Fan
>> -----Original Message-----
>> From: openembedded-core-bounces@lists.openembedded.org
>> [mailto:openembedded-core-bounces@lists.openembedded.org] On Behalf Of
>> Sona Sarmadi
>> Sent: Tuesday, December 15, 2015 6:08 PM
>> To: openembedded-core@lists.openembedded.org
>> Subject: [OE-core] [PATCH][dizzy] openssl: CVE-2015-3194, CVE-2015-3195
>>
>> Fixes the following vulnerabilities:
>> Certificate verify crash with missing PSS parameter (CVE-2015-3194)
>> X509_ATTRIBUTE memory leak (CVE-2015-3195)
>>
>> References:
>> https://openssl.org/news/secadv/20151203.txt
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3194
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3195
>>
>> Upstream patches:
>> CVE-2015-3194:
>> https://git.openssl.org/?p=openssl.git;a=commit;h=d8541d7e9e63bf5f343af24644046c8d96498c17
>>
>> CVE-2015-3195:
>> https://git.openssl.org/?p=openssl.git;a=commit;h=b29ffa392e839d05171206523e84909146f7a77c
>>
>> Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
>> ---
>> .../CVE-2015-3194-Add-PSS-parameter-check.patch | 37 +++++++++++++
>> ...CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch | 61 ++++++++++++++++++++++
>> .../recipes-connectivity/openssl/openssl_1.0.1p.bb | 2 +
>> 3 files changed, 100 insertions(+)
>> create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2015-3194-Add-PSS-parameter-check.patch
>> create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch
>>
>> diff --git
>> a/meta/recipes-connectivity/openssl/openssl/CVE-2015-3194-Add-PSS-paramete
>> r-check.patch
>> b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3194-Add-PSS-paramete
>> r-check.patch
>> new file mode 100644
>> index 0000000..a6697ca
>> --- /dev/null
>> +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3194-Add-PSS-pa
>> +++ rameter-check.patch
>> @@ -0,0 +1,37 @@
>> +From d8541d7e9e63bf5f343af24644046c8d96498c17 Mon Sep 17 00:00:00 2001
>> +From: "Dr. Stephen Henson" <steve@openssl.org>
>> +Date: Fri, 2 Oct 2015 13:10:29 +0100
>> +Subject:Add PSS parameter check.
>> +
>> +Avoid seg fault by checking mgf1 parameter is not NULL. This can be
>> +triggered during certificate verification so could be a DoS attack
>> +against a client or a server enabling client authentication.
>> +
>> +Thanks to Loïc Jonas Etienne (Qnective AG) for discovering this bug.
>> +
>> +CVE-2015-3194
>> +
>> +Upstream-Status: Backport
>> +
>> +Reviewed-by: Matt Caswell <matt@openssl.org>
>> +Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
>> +---
>> + crypto/rsa/rsa_ameth.c | 2 +-
>> + 1 file changed, 1 insertion(+), 1 deletion(-)
>> +
>> +diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c index
>> +93e071d..c7f1148 100644
>> +--- a/crypto/rsa/rsa_ameth.c
>> ++++ b/crypto/rsa/rsa_ameth.c
>> +@@ -279,7 +279,7 @@ static RSA_PSS_PARAMS *rsa_pss_decode(const
>> X509_ALGOR *alg,
>> + if (pss->maskGenAlgorithm) {
>> + ASN1_TYPE *param = pss->maskGenAlgorithm->parameter;
>> + if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) == NID_mgf1
>> +- && param->type == V_ASN1_SEQUENCE) {
>> ++ && param && param->type == V_ASN1_SEQUENCE) {
>> + p = param->value.sequence->data;
>> + plen = param->value.sequence->length;
>> + *pmaskHash = d2i_X509_ALGOR(NULL, &p, plen);
>> +--
>> +1.9.1
>> +
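Review bot: As posted, this backport will not apply with `git am` because the mail client has re-wrapped it: the embedded hunk header `+@@ -279,7 +279,7 @@ static RSA_PSS_PARAMS *rsa_pss_decode(const` is split across two lines with `X509_ALGOR *alg,` losing its `+` prefix, and `index 93e071d..c7f1148 100644` has been folded onto the `diff --git` line. Please resend via git send-email rather than pasting into the client. Minor style point in the same hunk: `+Subject:Add PSS parameter check.` is missing the space after `Subject:`. The change itself reads correctly: the added `param &&` guard short-circuits before `param->type` is dereferenced when the mgf1 AlgorithmIdentifier carries no parameters, which is the NULL dereference the commit text describes as reachable during certificate verification.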
>> diff --git
>> a/meta/recipes-connectivity/openssl/openssl/CVE-2015-3195-Fix-leak-with-ASN.
>> 1-combine.patch
>> b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3195-Fix-leak-with-ASN.
>> 1-combine.patch
>> new file mode 100644
>> index 0000000..be705c0
>> --- /dev/null
>> +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3195-Fix-leak-w
>> +++ ith-ASN.1-combine.patch
>> @@ -0,0 +1,61 @@
>> +commit b29ffa392e839d05171206523e84909146f7a77c
>> +Author: Dr. Stephen Henson <steve@openssl.org>
>> +Date: Tue, 10 Nov 2015 19:03:07 +0000
>> +Subject: Fix leak with ASN.1 combine.
>> +
>> +When parsing a combined structure pass a flag to the decode routine so
>> +on error a pointer to the parent structure is not zeroed as this will
>> +leak any additional components in the parent.
>> +
>> +This can leak memory in any application parsing PKCS#7 or CMS structures.
>> +
>> +CVE-2015-3195.
>> +
>> +Upstream-Status: Backport
>> +
>> +Thanks to Adam Langley (Google/BoringSSL) for discovering this bug
>> +using libFuzzer.
>> +
>> +PR#4131
>> +
>> +Reviewed-by: Richard Levitte <levitte@openssl.org>
>> +Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
>> +---
>> + crypto/asn1/tasn_dec.c | 7 +++++--
>> + 1 file changed, 5 insertions(+), 2 deletions(-)
>> +
>> +diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c index
>> +febf605..9256049 100644
>> +--- a/crypto/asn1/tasn_dec.c
>> ++++ b/crypto/asn1/tasn_dec.c
>> +@@ -180,6 +180,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const
>> unsigned char **in, long len,
>> + int otag;
>> + int ret = 0;
>> + ASN1_VALUE **pchptr, *ptmpval;
>> ++ int combine = aclass & ASN1_TFLG_COMBINE;
>> ++ aclass &= ~ASN1_TFLG_COMBINE;
>> + if (!pval)
>> + return 0;
>> + if (aux && aux->asn1_cb)
>> +@@ -500,7 +502,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const
>> +unsigned char **in, long len,
>> + auxerr:
>> + ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR);
>> + err:
>> +- ASN1_item_ex_free(pval, it);
>> ++ if (combine == 0)
>> ++ ASN1_item_ex_free(pval, it);
>> + if (errtt)
>> + ERR_add_error_data(4, "Field=", errtt->field_name,
>> + ", Type=", it->sname); @@ -689,7 +692,7 @@
>> +static int asn1_template_noexp_d2i(ASN1_VALUE **val,
>> + } else {
>> + /* Nothing special */
>> + ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
>> +- -1, 0, opt, ctx);
>> ++ -1, tt->flags & ASN1_TFLG_COMBINE,
>> opt,
>> ++ ctx);
>> + if (!ret) {
>> + ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I,
>> ERR_R_NESTED_ASN1_ERROR);
>> + goto err;
>> +--
>> +1.9.1
>> +
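Review bot: The same wrapping damage is present here and is worse: the second hunk header `@@ -689,7 +692,7 @@` has been fused onto the end of the `", Type=", it->sname);` context line, the `opt,` continuation of the changed `ASN1_item_ex_d2i(...)` call and the `ERR_R_NESTED_ASN1_ERROR);` continuation have lost their leading `+`, and `index febf605..9256049 100644` is folded onto the `diff --git` line, so this file also needs to be resent unwrapped. Style point: this file carries a `commit <sha>` / `Author:` header (git show output) while the first patch uses the `From <sha> Mon Sep 17 00:00:00 2001` format-patch header; the two should be consistent within one series. The logic is sound as far as the visible lines go: `combine` is captured from `aclass` before `ASN1_TFLG_COMBINE` is masked off, so the rest of the decoder still sees the original class bits, and the `err:` path now skips `ASN1_item_ex_free(pval, it)` for a combined child so its parent can free it instead of the pointer being zeroed and the remaining components leaked.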
>> diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.1p.bb
>> b/meta/recipes-connectivity/openssl/openssl_1.0.1p.bb
>> index 3f61790..1d0242f 100644
>> --- a/meta/recipes-connectivity/openssl/openssl_1.0.1p.bb
>> +++ b/meta/recipes-connectivity/openssl/openssl_1.0.1p.bb
>> @@ -34,6 +34,8 @@ SRC_URI += "file://configure-targets.patch \
>> file://Makefiles-ptest.patch \
>> file://ptest-deps.patch \
>> file://run-ptest \
>> + file://CVE-2015-3194-Add-PSS-parameter-check.patch \
>> + file://CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch \
>> "
>>
>> SRC_URI[md5sum] = "7563e92327199e0067ccd0f79f436976"
>> --
>> 1.9.1
>>