Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
home:Alexander_Naumov:SLE-12:Update
compat-openssl098.503
openssl-CVE-2015-0287.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File openssl-CVE-2015-0287.patch of Package compat-openssl098.503
commit 5722767d5dc1a3b5505058fe27877fc993fe9a5a Author: Dr. Stephen Henson <steve@openssl.org> Date: Mon Feb 23 02:32:44 2015 +0000 Free up ADB and CHOICE if already initialised. CVE-2015-0287 Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Emilia Käsper <emilia@openssl.org> commit b15b947491b18de131d3d3a4b5b79bd0181af12e Author: Dr. Stephen Henson <steve@openssl.org> Date: Mon Feb 23 12:57:50 2015 +0000 Free up passed ASN.1 structure if reused. Change the "reuse" behaviour in ASN1_item_d2i: if successful the old structure is freed and a pointer to the new one used. If it is not successful then the passed structure is untouched. Exception made for primitive types so ssl_asn1.c still works. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Emilia Käsper <emilia@openssl.org> Conflicts: crypto/asn1/tasn_dec.c doc/crypto/d2i_X509.pod Index: openssl-0.9.8j/crypto/asn1/tasn_dec.c =================================================================== --- openssl-0.9.8j.orig/crypto/asn1/tasn_dec.c 2015-03-16 18:07:00.209122045 +0100 +++ openssl-0.9.8j/crypto/asn1/tasn_dec.c 2015-03-16 18:09:23.777191563 +0100 @@ -128,11 +128,17 @@ ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **p { ASN1_TLC c; ASN1_VALUE *ptmpval = NULL; - if (!pval) - pval = &ptmpval; c.valid = 0; - if (ASN1_item_ex_d2i(pval, in, len, it, -1, 0, 0, &c) > 0) - return *pval; + if (pval && *pval && it->itype == ASN1_ITYPE_PRIMITIVE) + ptmpval = *pval; + if (ASN1_item_ex_d2i(&ptmpval, in, len, it, -1, 0, 0, &c) > 0) { + if (pval && it->itype != ASN1_ITYPE_PRIMITIVE) { + if (*pval) + ASN1_item_free(*pval, it); + *pval = ptmpval; + } + return ptmpval; + } return NULL; } @@ -309,9 +315,16 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it)) goto auxerr; - /* Allocate structure */ - if (!*pval && !ASN1_item_ex_new(pval, it)) - { + if (*pval) { + /* Free up and zero CHOICE value if initialised */ + i = asn1_get_choice_selector(pval, it); + if ((i >= 0) && (i < it->tcount)) { + tt = it->templates + i; + pchptr = asn1_get_field_ptr(pval, tt); + ASN1_template_free(pchptr, tt); + asn1_set_choice_selector(pval, -1, it); + } + } else if (!ASN1_item_ex_new(pval, it)) { ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR); goto err; @@ -406,6 +419,17 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it)) goto auxerr; + /* Free up and zero any ADB found */ + for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) { + if (tt->flags & ASN1_TFLG_ADB_MASK) { + const ASN1_TEMPLATE *seqtt; + ASN1_VALUE **pseqval; + seqtt = asn1_do_adb(pval, tt, 1); + pseqval = asn1_get_field_ptr(pval, seqtt); + ASN1_template_free(pseqval, seqtt); + } + } + /* Get each field entry */ for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) { Index: openssl-0.9.8j/doc/crypto/d2i_X509.pod =================================================================== --- openssl-0.9.8j.orig/doc/crypto/d2i_X509.pod 2015-03-16 18:07:00.209122045 +0100 +++ openssl-0.9.8j/doc/crypto/d2i_X509.pod 2015-03-16 18:07:19.466399606 +0100 @@ -199,6 +199,12 @@ B<*px> is valid is broken and some parts persist if they are not present in the new one. As a result the use of this "reuse" behaviour is strongly discouraged. +Current versions of OpenSSL will not modify B<*px> if an error occurs. +If parsing succeeds then B<*px> is freed (if it is not NULL) and then +set to the value of the newly decoded structure. As a result B<*px> +B<must not> be allocated on the stack or an attempt will be made to +free an invalid pointer. + i2d_X509() will not return an error in many versions of OpenSSL, if mandatory fields are not initialized due to a programming error then the encoded structure may contain invalid data or omit the @@ -210,7 +216,9 @@ always succeed. d2i_X509(), d2i_X509_bio() and d2i_X509_fp() return a valid B<X509> structure or B<NULL> if an error occurs. The error code that can be obtained by -L<ERR_get_error(3)|ERR_get_error(3)>. +L<ERR_get_error(3)|ERR_get_error(3)>. If the "reuse" capability has been used +with a valid X509 structure being passed in via B<px> then the object is not +modified in the event of error. i2d_X509(), i2d_X509_bio() and i2d_X509_fp() return a the number of bytes successfully encoded or a negative value if an error occurs. The error code
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor