From: akuster808 <akuster808@gmail.com>
To: openembedded-core@lists.openembedded.org
Subject: Re: [PATCH][dizzy] openssl: CVE-2015-3194, CVE-2015-3195
Date: Thu, 17 Dec 2015 08:34:30 -0800
Message-ID: <5672E416.3030907@gmail.com>
In-Reply-To: <1450088707-64294-1-git-send-email-sona.sarmadi@enea.com>

merged to staging.
git@git.yoctoproject.org/poky-contrib.git akuster/dizzy-next

thanks,
Armin


On 12/14/2015 02:25 AM, Sona Sarmadi wrote:
> Fixes the following vulnerabilities:
> Certificate verify crash with missing PSS parameter (CVE-2015-3194)
> X509_ATTRIBUTE memory leak (CVE-2015-3195)
> 
> References:
> https://openssl.org/news/secadv/20151203.txt
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3194
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3195
> 
> Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
> ---
>  .../CVE-2015-3194-Add-PSS-parameter-check.patch    | 35 +++++++++++++
>  ...CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch | 59 ++++++++++++++++++++++
>  .../recipes-connectivity/openssl/openssl_1.0.1p.bb |  2 +
>  3 files changed, 96 insertions(+)
>  create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2015-3194-Add-PSS-parameter-check.patch
>  create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch
> 
> diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2015-3194-Add-PSS-parameter-check.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3194-Add-PSS-parameter-check.patch
> new file mode 100644
> index 0000000..3c00bc1
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3194-Add-PSS-parameter-check.patch
> @@ -0,0 +1,35 @@
> +Date: Fri, 2 Oct 2015 13:10:29 +0100
> +Subject: [PATCH] Add PSS parameter check.
> +
> +Avoid seg fault by checking mgf1 parameter is not NULL. This can be
> +triggered during certificate verification so could be a DoS attack
> +against a client or a server enabling client authentication.
> +
> +Thanks to Loïc Jonas Etienne (Qnective AG) for discovering this bug.
> +
> +CVE-2015-3194
> +
> +Upstream-Status: Backport
> +
> +Reviewed-by: Matt Caswell <matt@openssl.org>
> +Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
> +---
> + crypto/rsa/rsa_ameth.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
> +index 93e071d..c7f1148 100644
> +--- a/crypto/rsa/rsa_ameth.c
> ++++ b/crypto/rsa/rsa_ameth.c
> +@@ -279,7 +279,7 @@ static RSA_PSS_PARAMS *rsa_pss_decode(const X509_ALGOR *alg,
> +     if (pss->maskGenAlgorithm) {
> +         ASN1_TYPE *param = pss->maskGenAlgorithm->parameter;
> +         if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) == NID_mgf1
> +-            && param->type == V_ASN1_SEQUENCE) {
> ++            && param && param->type == V_ASN1_SEQUENCE) {
> +             p = param->value.sequence->data;
> +             plen = param->value.sequence->length;
> +             *pmaskHash = d2i_X509_ALGOR(NULL, &p, plen);
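
Review bot: the added "param &&" guard in the NID_mgf1 condition is the right fix for the NULL dereference, but the three lines of context cannot show what *pmaskHash holds when the branch is now skipped; when checking this backport against the 1.0.1p tree, confirm that rsa_pss_decode leaves *pmaskHash in a state its callers already reject (as they must for a mask generation algorithm other than mgf1), so an absent parameter fails verification instead of crashing it. Separately, this patch header (and the second one below it) says "Upstream-Status: Backport" but gives no upstream commit id; adding the upstream commit reference to the header makes it easy to tell when the patch can be dropped on the next openssl upgrade.
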
> +-- 
> +1.9.1
> +
> diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch
> new file mode 100644
> index 0000000..87c4c6c
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch
> @@ -0,0 +1,59 @@
> +Date: Tue, 10 Nov 2015 19:03:07 +0000
> +Subject: [PATCH] Fix leak with ASN.1 combine.
> +
> +When parsing a combined structure pass a flag to the decode routine
> +so on error a pointer to the parent structure is not zeroed as
> +this will leak any additional components in the parent.
> +
> +This can leak memory in any application parsing PKCS#7 or CMS structures.
> +
> +CVE-2015-3195.
> +
> +Upstream-Status: Backport
> +
> +Thanks to Adam Langley (Google/BoringSSL) for discovering this bug using
> +libFuzzer.
> +
> +PR#4131
> +
> +Reviewed-by: Richard Levitte <levitte@openssl.org>
> +Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
> +---
> + crypto/asn1/tasn_dec.c | 7 +++++--
> + 1 file changed, 5 insertions(+), 2 deletions(-)
> +
> +diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c
> +index febf605..9256049 100644
> +--- a/crypto/asn1/tasn_dec.c
> ++++ b/crypto/asn1/tasn_dec.c
> +@@ -180,6 +180,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
> +     int otag;
> +     int ret = 0;
> +     ASN1_VALUE **pchptr, *ptmpval;
> ++    int combine = aclass & ASN1_TFLG_COMBINE;
> ++    aclass &= ~ASN1_TFLG_COMBINE;
> +     if (!pval)
> +         return 0;
> +     if (aux && aux->asn1_cb)
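
Review bot: the two added lines read ASN1_TFLG_COMBINE out of the aclass argument and mask it off before aclass is used anywhere, which only works because that flag bit does not overlap the ASN.1 class values aclass normally carries; since the function signature is unchanged and the flag is smuggled in through an argument that means something else, a one-line comment at this point saying that callers pass the COMBINE flag via aclass would save the next reader from having to find the call site to understand it.
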
> +@@ -500,7 +502,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
> +  auxerr:
> +     ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR);
> +  err:
> +-    ASN1_item_ex_free(pval, it);
> ++    if (combine == 0)
> ++        ASN1_item_ex_free(pval, it);
> +     if (errtt)
> +         ERR_add_error_data(4, "Field=", errtt->field_name,
> +                            ", Type=", it->sname);
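
Review bot: gating ASN1_item_ex_free(pval, it) on combine == 0 at the err: label is the actual leak fix, and because auxerr: falls through to err: both error exits now leave a combined member alone for the parent to free; the reasoning is only in the commit message, so a comment on the new if line stating that a combined structure is owned and freed by its parent and must not be freed or zeroed here would stop a later cleanup from folding the condition away. The ERR_add_error_data call that follows is unaffected since it does not touch pval.
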
> +@@ -689,7 +692,7 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
> +     } else {
> +         /* Nothing special */
> +         ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
> +-                               -1, 0, opt, ctx);
> ++                               -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx);
> +         if (!ret) {
> +             ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR);
> +             goto err;
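
Review bot: the call in this hunk now forwards tt->flags & ASN1_TFLG_COMBINE in the aclass slot, so the "/* Nothing special */" comment just above it no longer describes what the call does and should be reworded, for example to say that the template's COMBINE flag is passed through aclass; it is also worth confirming this is the only path by which a combined template reaches ASN1_item_ex_d2i in 1.0.1p, because any other call site still passing 0 would keep the old free-on-error behaviour for that template and the leak with it.
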
> +-- 
> +1.9.1
> +
> diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.1p.bb b/meta/recipes-connectivity/openssl/openssl_1.0.1p.bb
> index 3f61790..1d0242f 100644
> --- a/meta/recipes-connectivity/openssl/openssl_1.0.1p.bb
> +++ b/meta/recipes-connectivity/openssl/openssl_1.0.1p.bb
> @@ -34,6 +34,8 @@ SRC_URI += "file://configure-targets.patch \
>              file://Makefiles-ptest.patch \
>              file://ptest-deps.patch \
>              file://run-ptest \
> +            file://CVE-2015-3194-Add-PSS-parameter-check.patch \
> +            file://CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch \
>             "
>  
>  SRC_URI[md5sum] = "7563e92327199e0067ccd0f79f436976"
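
Review bot: the recipe change is minimal and correct: the two patches are appended inside the existing SRC_URI += block with the same indentation and backslash continuation as the file:// lines around them, and SRC_URI[md5sum] is rightly left untouched because only the unpacked source is patched, not the tarball. One thing to double-check before this lands in dizzy-next is that openssl_1.0.1p.bb is the only openssl recipe on that branch; any second recipe would not pick these patches up and would stay affected by both CVEs.
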
> 

