forked from rpms/openssl
Multiple security issues fixed.
- fix CVE-2015-0209 - potential use after free in d2i_ECPrivateKey() - fix CVE-2015-0286 - improper handling of ASN.1 boolean comparison - fix CVE-2015-0287 - ASN.1 structure reuse decoding memory corruption - fix CVE-2015-0289 - NULL dereference decoding invalid PKCS#7 data - fix CVE-2015-0293 - triggerable assert in SSLv2 server
This commit is contained in:
parent
446f9bea43
commit
729d2d0e11
13
openssl-1.0.1e-cve-2015-0286.patch
Normal file
13
openssl-1.0.1e-cve-2015-0286.patch
Normal file
@ -0,0 +1,13 @@
|
|||||||
|
diff -up openssl-1.0.1e/crypto/asn1/a_type.c.bool-cmp openssl-1.0.1e/crypto/asn1/a_type.c
|
||||||
|
--- openssl-1.0.1e/crypto/asn1/a_type.c.bool-cmp 2015-03-18 13:02:36.000000000 +0100
|
||||||
|
+++ openssl-1.0.1e/crypto/asn1/a_type.c 2015-03-18 14:38:07.111401390 +0100
|
||||||
|
@@ -124,6 +124,9 @@ int ASN1_TYPE_cmp(const ASN1_TYPE *a, co
|
||||||
|
case V_ASN1_OBJECT:
|
||||||
|
result = OBJ_cmp(a->value.object, b->value.object);
|
||||||
|
break;
|
||||||
|
+ case V_ASN1_BOOLEAN:
|
||||||
|
+ result = a->value.boolean - b->value.boolean;
|
||||||
|
+ break;
|
||||||
|
case V_ASN1_NULL:
|
||||||
|
result = 0; /* They do not have content. */
|
||||||
|
break;
|
46
openssl-1.0.1e-cve-2015-0287.patch
Normal file
46
openssl-1.0.1e-cve-2015-0287.patch
Normal file
@ -0,0 +1,46 @@
|
|||||||
|
diff -up openssl-1.0.1e/crypto/asn1/tasn_dec.c.item-reuse openssl-1.0.1e/crypto/asn1/tasn_dec.c
|
||||||
|
--- openssl-1.0.1e/crypto/asn1/tasn_dec.c.item-reuse 2013-02-11 16:26:04.000000000 +0100
|
||||||
|
+++ openssl-1.0.1e/crypto/asn1/tasn_dec.c 2015-03-19 15:46:51.097022616 +0100
|
||||||
|
@@ -310,9 +310,19 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval,
|
||||||
|
case ASN1_ITYPE_CHOICE:
|
||||||
|
if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
|
||||||
|
goto auxerr;
|
||||||
|
-
|
||||||
|
- /* Allocate structure */
|
||||||
|
- if (!*pval && !ASN1_item_ex_new(pval, it))
|
||||||
|
+ if (*pval)
|
||||||
|
+ {
|
||||||
|
+ /* Free up and zero CHOICE value if initialised */
|
||||||
|
+ i = asn1_get_choice_selector(pval, it);
|
||||||
|
+ if ((i >= 0) && (i < it->tcount))
|
||||||
|
+ {
|
||||||
|
+ tt = it->templates + i;
|
||||||
|
+ pchptr = asn1_get_field_ptr(pval, tt);
|
||||||
|
+ ASN1_template_free(pchptr, tt);
|
||||||
|
+ asn1_set_choice_selector(pval, -1, it);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ else if (!ASN1_item_ex_new(pval, it))
|
||||||
|
{
|
||||||
|
ASN1err(ASN1_F_ASN1_ITEM_EX_D2I,
|
||||||
|
ERR_R_NESTED_ASN1_ERROR);
|
||||||
|
@@ -407,6 +417,19 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval,
|
||||||
|
if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
|
||||||
|
goto auxerr;
|
||||||
|
|
||||||
|
+ /* Free up and zero any ADB found */
|
||||||
|
+ for (i = 0, tt = it->templates; i < it->tcount; i++, tt++)
|
||||||
|
+ {
|
||||||
|
+ if (tt->flags & ASN1_TFLG_ADB_MASK)
|
||||||
|
+ {
|
||||||
|
+ const ASN1_TEMPLATE *seqtt;
|
||||||
|
+ ASN1_VALUE **pseqval;
|
||||||
|
+ seqtt = asn1_do_adb(pval, tt, 1);
|
||||||
|
+ pseqval = asn1_get_field_ptr(pval, seqtt);
|
||||||
|
+ ASN1_template_free(pseqval, seqtt);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/* Get each field entry */
|
||||||
|
for (i = 0, tt = it->templates; i < it->tcount; i++, tt++)
|
||||||
|
{
|
12
openssl-1.0.1e-cve-2015-0288.patch
Normal file
12
openssl-1.0.1e-cve-2015-0288.patch
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
diff -up openssl-1.0.1e/crypto/x509/x509_req.c.req-null-deref openssl-1.0.1e/crypto/x509/x509_req.c
|
||||||
|
--- openssl-1.0.1e/crypto/x509/x509_req.c.req-null-deref 2013-02-11 16:26:04.000000000 +0100
|
||||||
|
+++ openssl-1.0.1e/crypto/x509/x509_req.c 2015-03-18 18:34:35.732448017 +0100
|
||||||
|
@@ -92,6 +92,8 @@ X509_REQ *X509_to_X509_REQ(X509 *x, EVP_
|
||||||
|
goto err;
|
||||||
|
|
||||||
|
pktmp = X509_get_pubkey(x);
|
||||||
|
+ if (pktmp == NULL)
|
||||||
|
+ goto err;
|
||||||
|
i=X509_REQ_set_pubkey(ret,pktmp);
|
||||||
|
EVP_PKEY_free(pktmp);
|
||||||
|
if (!i) goto err;
|
102
openssl-1.0.1e-cve-2015-0293.patch
Normal file
102
openssl-1.0.1e-cve-2015-0293.patch
Normal file
@ -0,0 +1,102 @@
|
|||||||
|
diff -up openssl-1.0.1e/ssl/s2_lib.c.ssl2-assert openssl-1.0.1e/ssl/s2_lib.c
|
||||||
|
--- openssl-1.0.1e/ssl/s2_lib.c.ssl2-assert 2015-03-18 13:02:36.000000000 +0100
|
||||||
|
+++ openssl-1.0.1e/ssl/s2_lib.c 2015-03-18 18:22:20.195322489 +0100
|
||||||
|
@@ -488,7 +488,7 @@ int ssl2_generate_key_material(SSL *s)
|
||||||
|
|
||||||
|
OPENSSL_assert(s->session->master_key_length >= 0
|
||||||
|
&& s->session->master_key_length
|
||||||
|
- < (int)sizeof(s->session->master_key));
|
||||||
|
+ <= (int)sizeof(s->session->master_key));
|
||||||
|
EVP_DigestUpdate(&ctx,s->session->master_key,s->session->master_key_length);
|
||||||
|
EVP_DigestUpdate(&ctx,&c,1);
|
||||||
|
c++;
|
||||||
|
diff -up openssl-1.0.1e/ssl/s2_srvr.c.ssl2-assert openssl-1.0.1e/ssl/s2_srvr.c
|
||||||
|
--- openssl-1.0.1e/ssl/s2_srvr.c.ssl2-assert 2013-02-11 16:26:04.000000000 +0100
|
||||||
|
+++ openssl-1.0.1e/ssl/s2_srvr.c 2015-03-18 18:30:11.403974038 +0100
|
||||||
|
@@ -446,9 +446,6 @@ static int get_client_master_key(SSL *s)
|
||||||
|
SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_NO_PRIVATEKEY);
|
||||||
|
return(-1);
|
||||||
|
}
|
||||||
|
- i=ssl_rsa_private_decrypt(s->cert,s->s2->tmp.enc,
|
||||||
|
- &(p[s->s2->tmp.clear]),&(p[s->s2->tmp.clear]),
|
||||||
|
- (s->s2->ssl2_rollback)?RSA_SSLV23_PADDING:RSA_PKCS1_PADDING);
|
||||||
|
|
||||||
|
is_export=SSL_C_IS_EXPORT(s->session->cipher);
|
||||||
|
|
||||||
|
@@ -467,21 +464,61 @@ static int get_client_master_key(SSL *s)
|
||||||
|
else
|
||||||
|
ek=5;
|
||||||
|
|
||||||
|
+ /*
|
||||||
|
+ * The format of the CLIENT-MASTER-KEY message is
|
||||||
|
+ * 1 byte message type
|
||||||
|
+ * 3 bytes cipher
|
||||||
|
+ * 2-byte clear key length (stored in s->s2->tmp.clear)
|
||||||
|
+ * 2-byte encrypted key length (stored in s->s2->tmp.enc)
|
||||||
|
+ * 2-byte key args length (IV etc)
|
||||||
|
+ * clear key
|
||||||
|
+ * encrypted key
|
||||||
|
+ * key args
|
||||||
|
+ *
|
||||||
|
+ * If the cipher is an export cipher, then the encrypted key bytes
|
||||||
|
+ * are a fixed portion of the total key (5 or 8 bytes). The size of
|
||||||
|
+ * this portion is in |ek|. If the cipher is not an export cipher,
|
||||||
|
+ * then the entire key material is encrypted (i.e., clear key length
|
||||||
|
+ * must be zero).
|
||||||
|
+ */
|
||||||
|
+ if ((!is_export && s->s2->tmp.clear != 0) ||
|
||||||
|
+ (is_export && s->s2->tmp.clear + ek != EVP_CIPHER_key_length(c)))
|
||||||
|
+ {
|
||||||
|
+ ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
|
||||||
|
+ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_BAD_LENGTH);
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
+ /*
|
||||||
|
+ * The encrypted blob must decrypt to the encrypted portion of the key.
|
||||||
|
+ * Decryption can't be expanding, so if we don't have enough encrypted
|
||||||
|
+ * bytes to fit the key in the buffer, stop now.
|
||||||
|
+ */
|
||||||
|
+ if ((is_export && s->s2->tmp.enc < ek) ||
|
||||||
|
+ (!is_export && s->s2->tmp.enc < EVP_CIPHER_key_length(c)))
|
||||||
|
+ {
|
||||||
|
+ ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
|
||||||
|
+ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_LENGTH_TOO_SHORT);
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ i = ssl_rsa_private_decrypt(s->cert, s->s2->tmp.enc,
|
||||||
|
+ &(p[s->s2->tmp.clear]),
|
||||||
|
+ &(p[s->s2->tmp.clear]),
|
||||||
|
+ (s->s2->ssl2_rollback) ? RSA_SSLV23_PADDING : RSA_PKCS1_PADDING);
|
||||||
|
+
|
||||||
|
/* bad decrypt */
|
||||||
|
#if 1
|
||||||
|
/* If a bad decrypt, continue with protocol but with a
|
||||||
|
* random master secret (Bleichenbacher attack) */
|
||||||
|
- if ((i < 0) ||
|
||||||
|
- ((!is_export && (i != EVP_CIPHER_key_length(c)))
|
||||||
|
- || (is_export && ((i != ek) || (s->s2->tmp.clear+(unsigned int)i !=
|
||||||
|
- (unsigned int)EVP_CIPHER_key_length(c))))))
|
||||||
|
+ if ((i < 0) || ((!is_export && i != EVP_CIPHER_key_length(c))
|
||||||
|
+ || (is_export && i != ek)))
|
||||||
|
{
|
||||||
|
ERR_clear_error();
|
||||||
|
if (is_export)
|
||||||
|
i=ek;
|
||||||
|
else
|
||||||
|
i=EVP_CIPHER_key_length(c);
|
||||||
|
- if (RAND_pseudo_bytes(p,i) <= 0)
|
||||||
|
+ if (RAND_pseudo_bytes(&p[s->s2->tmp.clear],i) <= 0)
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
#else
|
||||||
|
@@ -505,7 +542,8 @@ static int get_client_master_key(SSL *s)
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
- if (is_export) i+=s->s2->tmp.clear;
|
||||||
|
+ if (is_export)
|
||||||
|
+ i = EVP_CIPHER_key_length(c);
|
||||||
|
|
||||||
|
if (i > SSL_MAX_MASTER_KEY_LENGTH)
|
||||||
|
{
|
27
openssl-1.0.1k-cve-2015-0209.patch
Normal file
27
openssl-1.0.1k-cve-2015-0209.patch
Normal file
@ -0,0 +1,27 @@
|
|||||||
|
diff -up openssl-1.0.1k/crypto/ec/ec_asn1.c.use-after-free openssl-1.0.1k/crypto/ec/ec_asn1.c
|
||||||
|
--- openssl-1.0.1k/crypto/ec/ec_asn1.c.use-after-free 2014-10-15 15:49:54.000000000 +0200
|
||||||
|
+++ openssl-1.0.1k/crypto/ec/ec_asn1.c 2015-03-19 17:28:03.349627040 +0100
|
||||||
|
@@ -1142,8 +1142,6 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, con
|
||||||
|
ERR_R_MALLOC_FAILURE);
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
- if (a)
|
||||||
|
- *a = ret;
|
||||||
|
}
|
||||||
|
else
|
||||||
|
ret = *a;
|
||||||
|
@@ -1225,11 +1223,13 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, con
|
||||||
|
ret->enc_flag |= EC_PKEY_NO_PUBKEY;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (a)
|
||||||
|
+ *a = ret;
|
||||||
|
ok = 1;
|
||||||
|
err:
|
||||||
|
if (!ok)
|
||||||
|
{
|
||||||
|
- if (ret)
|
||||||
|
+ if (ret && (a == NULL || *a != ret))
|
||||||
|
EC_KEY_free(ret);
|
||||||
|
ret = NULL;
|
||||||
|
}
|
163
openssl-1.0.1k-cve-2015-0289.patch
Normal file
163
openssl-1.0.1k-cve-2015-0289.patch
Normal file
@ -0,0 +1,163 @@
|
|||||||
|
diff -up openssl-1.0.1k/crypto/pkcs7/pk7_doit.c.pkcs7-null-deref openssl-1.0.1k/crypto/pkcs7/pk7_doit.c
|
||||||
|
--- openssl-1.0.1k/crypto/pkcs7/pk7_doit.c.pkcs7-null-deref 2015-01-08 15:00:36.000000000 +0100
|
||||||
|
+++ openssl-1.0.1k/crypto/pkcs7/pk7_doit.c 2015-03-19 17:30:36.797650980 +0100
|
||||||
|
@@ -272,6 +272,27 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)
|
||||||
|
PKCS7_RECIP_INFO *ri=NULL;
|
||||||
|
ASN1_OCTET_STRING *os=NULL;
|
||||||
|
|
||||||
|
+ if (p7 == NULL)
|
||||||
|
+ {
|
||||||
|
+ PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_INVALID_NULL_POINTER);
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
+ /*
|
||||||
|
+ * The content field in the PKCS7 ContentInfo is optional, but that really
|
||||||
|
+ * only applies to inner content (precisely, detached signatures).
|
||||||
|
+ *
|
||||||
|
+ * When reading content, missing outer content is therefore treated as an
|
||||||
|
+ * error.
|
||||||
|
+ *
|
||||||
|
+ * When creating content, PKCS7_content_new() must be called before
|
||||||
|
+ * calling this method, so a NULL p7->d is always an error.
|
||||||
|
+ */
|
||||||
|
+ if (p7->d.ptr == NULL)
|
||||||
|
+ {
|
||||||
|
+ PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_NO_CONTENT);
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
i=OBJ_obj2nid(p7->type);
|
||||||
|
p7->state=PKCS7_S_HEADER;
|
||||||
|
|
||||||
|
@@ -433,6 +454,18 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
|
||||||
|
unsigned char *ek = NULL, *tkey = NULL;
|
||||||
|
int eklen = 0, tkeylen = 0;
|
||||||
|
|
||||||
|
+ if (p7 == NULL)
|
||||||
|
+ {
|
||||||
|
+ PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_INVALID_NULL_POINTER);
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (p7->d.ptr == NULL)
|
||||||
|
+ {
|
||||||
|
+ PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_CONTENT);
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
i=OBJ_obj2nid(p7->type);
|
||||||
|
p7->state=PKCS7_S_HEADER;
|
||||||
|
|
||||||
|
@@ -752,6 +785,18 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
|
||||||
|
STACK_OF(PKCS7_SIGNER_INFO) *si_sk=NULL;
|
||||||
|
ASN1_OCTET_STRING *os=NULL;
|
||||||
|
|
||||||
|
+ if (p7 == NULL)
|
||||||
|
+ {
|
||||||
|
+ PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_INVALID_NULL_POINTER);
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (p7->d.ptr == NULL)
|
||||||
|
+ {
|
||||||
|
+ PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_NO_CONTENT);
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
EVP_MD_CTX_init(&ctx_tmp);
|
||||||
|
i=OBJ_obj2nid(p7->type);
|
||||||
|
p7->state=PKCS7_S_HEADER;
|
||||||
|
@@ -796,6 +841,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
|
||||||
|
/* If detached data then the content is excluded */
|
||||||
|
if(PKCS7_type_is_data(p7->d.sign->contents) && p7->detached) {
|
||||||
|
M_ASN1_OCTET_STRING_free(os);
|
||||||
|
+ os = NULL;
|
||||||
|
p7->d.sign->contents->d.data = NULL;
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
@@ -806,6 +852,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
|
||||||
|
if(PKCS7_type_is_data(p7->d.digest->contents) && p7->detached)
|
||||||
|
{
|
||||||
|
M_ASN1_OCTET_STRING_free(os);
|
||||||
|
+ os = NULL;
|
||||||
|
p7->d.digest->contents->d.data = NULL;
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
@@ -878,23 +925,32 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
|
||||||
|
M_ASN1_OCTET_STRING_set(p7->d.digest->digest, md_data, md_len);
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (!PKCS7_is_detached(p7) && !(os->flags & ASN1_STRING_FLAG_NDEF))
|
||||||
|
+ if (!PKCS7_is_detached(p7))
|
||||||
|
{
|
||||||
|
- char *cont;
|
||||||
|
- long contlen;
|
||||||
|
- btmp=BIO_find_type(bio,BIO_TYPE_MEM);
|
||||||
|
- if (btmp == NULL)
|
||||||
|
- {
|
||||||
|
- PKCS7err(PKCS7_F_PKCS7_DATAFINAL,PKCS7_R_UNABLE_TO_FIND_MEM_BIO);
|
||||||
|
+ /*
|
||||||
|
+ * NOTE(emilia): I think we only reach os == NULL here because detached
|
||||||
|
+ * digested data support is broken.
|
||||||
|
+ */
|
||||||
|
+ if (os == NULL)
|
||||||
|
goto err;
|
||||||
|
+ if (!(os->flags & ASN1_STRING_FLAG_NDEF))
|
||||||
|
+ {
|
||||||
|
+ char *cont;
|
||||||
|
+ long contlen;
|
||||||
|
+ btmp=BIO_find_type(bio,BIO_TYPE_MEM);
|
||||||
|
+ if (btmp == NULL)
|
||||||
|
+ {
|
||||||
|
+ PKCS7err(PKCS7_F_PKCS7_DATAFINAL,PKCS7_R_UNABLE_TO_FIND_MEM_BIO);
|
||||||
|
+ goto err;
|
||||||
|
+ }
|
||||||
|
+ contlen = BIO_get_mem_data(btmp, &cont);
|
||||||
|
+ /* Mark the BIO read only then we can use its copy of the data
|
||||||
|
+ * instead of making an extra copy.
|
||||||
|
+ */
|
||||||
|
+ BIO_set_flags(btmp, BIO_FLAGS_MEM_RDONLY);
|
||||||
|
+ BIO_set_mem_eof_return(btmp, 0);
|
||||||
|
+ ASN1_STRING_set0(os, (unsigned char *)cont, contlen);
|
||||||
|
}
|
||||||
|
- contlen = BIO_get_mem_data(btmp, &cont);
|
||||||
|
- /* Mark the BIO read only then we can use its copy of the data
|
||||||
|
- * instead of making an extra copy.
|
||||||
|
- */
|
||||||
|
- BIO_set_flags(btmp, BIO_FLAGS_MEM_RDONLY);
|
||||||
|
- BIO_set_mem_eof_return(btmp, 0);
|
||||||
|
- ASN1_STRING_set0(os, (unsigned char *)cont, contlen);
|
||||||
|
}
|
||||||
|
ret=1;
|
||||||
|
err:
|
||||||
|
@@ -971,6 +1027,18 @@ int PKCS7_dataVerify(X509_STORE *cert_st
|
||||||
|
STACK_OF(X509) *cert;
|
||||||
|
X509 *x509;
|
||||||
|
|
||||||
|
+ if (p7 == NULL)
|
||||||
|
+ {
|
||||||
|
+ PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_INVALID_NULL_POINTER);
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (p7->d.ptr == NULL)
|
||||||
|
+ {
|
||||||
|
+ PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_NO_CONTENT);
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if (PKCS7_type_is_signed(p7))
|
||||||
|
{
|
||||||
|
cert=p7->d.sign->cert;
|
||||||
|
diff -up openssl-1.0.1k/crypto/pkcs7/pk7_lib.c.pkcs7-null-deref openssl-1.0.1k/crypto/pkcs7/pk7_lib.c
|
||||||
|
--- openssl-1.0.1k/crypto/pkcs7/pk7_lib.c.pkcs7-null-deref 2014-10-15 15:49:15.000000000 +0200
|
||||||
|
+++ openssl-1.0.1k/crypto/pkcs7/pk7_lib.c 2015-03-19 17:30:36.797650980 +0100
|
||||||
|
@@ -459,6 +459,8 @@ int PKCS7_set_digest(PKCS7 *p7, const EV
|
||||||
|
|
||||||
|
STACK_OF(PKCS7_SIGNER_INFO) *PKCS7_get_signer_info(PKCS7 *p7)
|
||||||
|
{
|
||||||
|
+ if (p7 == NULL || p7->d.ptr == NULL)
|
||||||
|
+ return NULL;
|
||||||
|
if (PKCS7_type_is_signed(p7))
|
||||||
|
{
|
||||||
|
return(p7->d.sign->signer_info);
|
21
openssl.spec
21
openssl.spec
@ -23,7 +23,7 @@
|
|||||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||||
Name: openssl
|
Name: openssl
|
||||||
Version: 1.0.1k
|
Version: 1.0.1k
|
||||||
Release: 5%{?dist}
|
Release: 6%{?dist}
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
# We have to remove certain patented algorithms from the openssl source
|
# We have to remove certain patented algorithms from the openssl source
|
||||||
# tarball with the hobble-openssl script which is included below.
|
# tarball with the hobble-openssl script which is included below.
|
||||||
@ -90,6 +90,12 @@ Patch84: openssl-1.0.1k-trusted-first.patch
|
|||||||
Patch85: openssl-1.0.1e-arm-use-elf-auxv-caps.patch
|
Patch85: openssl-1.0.1e-arm-use-elf-auxv-caps.patch
|
||||||
Patch86: openssl-1.0.1k-ephemeral-key-size.patch
|
Patch86: openssl-1.0.1k-ephemeral-key-size.patch
|
||||||
Patch87: openssl-1.0.1e-cc-reqs.patch
|
Patch87: openssl-1.0.1e-cc-reqs.patch
|
||||||
|
Patch101: openssl-1.0.1k-cve-2015-0209.patch
|
||||||
|
Patch102: openssl-1.0.1e-cve-2015-0286.patch
|
||||||
|
Patch103: openssl-1.0.1e-cve-2015-0287.patch
|
||||||
|
Patch104: openssl-1.0.1e-cve-2015-0288.patch
|
||||||
|
Patch105: openssl-1.0.1k-cve-2015-0289.patch
|
||||||
|
Patch106: openssl-1.0.1e-cve-2015-0293.patch
|
||||||
|
|
||||||
License: OpenSSL
|
License: OpenSSL
|
||||||
Group: System Environment/Libraries
|
Group: System Environment/Libraries
|
||||||
@ -213,6 +219,12 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
|
|||||||
%patch85 -p1 -b .armcap
|
%patch85 -p1 -b .armcap
|
||||||
%patch86 -p1 -b .ephemeral
|
%patch86 -p1 -b .ephemeral
|
||||||
%patch87 -p1 -b .cc-reqs
|
%patch87 -p1 -b .cc-reqs
|
||||||
|
%patch101 -p1 -b .use-after-free
|
||||||
|
%patch102 -p1 -b .bool-cmp
|
||||||
|
%patch103 -p1 -b .item-reuse
|
||||||
|
%patch104 -p1 -b .req-null-deref
|
||||||
|
%patch105 -p1 -b .pkcs7-null-deref
|
||||||
|
%patch106 -p1 -b .ssl2-assert
|
||||||
|
|
||||||
sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h
|
sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h
|
||||||
|
|
||||||
@ -480,6 +492,13 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
|
|||||||
%postun libs -p /sbin/ldconfig
|
%postun libs -p /sbin/ldconfig
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Mar 19 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1k-6
|
||||||
|
- fix CVE-2015-0209 - potential use after free in d2i_ECPrivateKey()
|
||||||
|
- fix CVE-2015-0286 - improper handling of ASN.1 boolean comparison
|
||||||
|
- fix CVE-2015-0287 - ASN.1 structure reuse decoding memory corruption
|
||||||
|
- fix CVE-2015-0289 - NULL dereference decoding invalid PKCS#7 data
|
||||||
|
- fix CVE-2015-0293 - triggerable assert in SSLv2 server
|
||||||
|
|
||||||
* Mon Mar 16 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1k-5
|
* Mon Mar 16 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1k-5
|
||||||
- fix bug in the CRYPTO_128_unwrap()
|
- fix bug in the CRYPTO_128_unwrap()
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user