~ubuntu-branches/ubuntu/lucid/openssl/lucid-security

« back to all changes in this revision

Viewing changes to debian/patches/CVE-2015-0209-2.patch

  • Committer: Package Import Robot
  • Author(s): Marc Deslauriers
  • Date: 2015-03-19 09:57:59 UTC
  • Revision ID: package-import@ubuntu.com-20150319095759-do88u689v2nfth1v
Tags: 0.9.8k-7ubuntu8.27
* SECURITY UPDATE: denial of service and possible memory corruption via
  malformed EC private key
  - debian/patches/CVE-2015-0209.patch: fix use after free in
    crypto/ec/ec_asn1.c.
  - debian/patches/CVE-2015-0209-2.patch: fix a failure to NULL a pointer
    freed on error in crypto/asn1/x_x509.c, crypto/ec/ec_asn1.c.
  - CVE-2015-0209
* SECURITY UPDATE: denial of service via cert verification
  - debian/patches/CVE-2015-0286.patch: handle boolean types in
    crypto/asn1/a_type.c.
  - CVE-2015-0286
* SECURITY UPDATE: ASN.1 structure reuse memory corruption
  - debian/patches/CVE-2015-0287.patch: free up structures in
    crypto/asn1/tasn_dec.c.
  - CVE-2015-0287
* SECURITY UPDATE: denial of service via invalid certificate key
  - debian/patches/CVE-2015-0288.patch: check public key isn't NULL in
    crypto/x509/x509_req.c.
  - CVE-2015-0288
* SECURITY UPDATE: denial of service and possible code execution via
  PKCS#7 parsing
  - debian/patches/CVE-2015-0289.patch: handle missing content in
    crypto/pkcs7/pk7_doit.c, crypto/pkcs7/pk7_lib.c.
  - CVE-2015-0289
* SECURITY UPDATE: denial of service or memory corruption via base64
  decoding
  - debian/patches/CVE-2015-0292.patch: prevent underflow in
    crypto/evp/encode.c.
  - CVE-2015-0292
* SECURITY UPDATE: denial of service via assert in SSLv2 servers
  - debian/patches/CVE-2015-0293.patch: check key lengths in
    ssl/s2_lib.c, ssl/s2_srvr.c.
  - debian/patches/CVE-2015-0293-2.patch: fix unsigned/signed warnings in
    ssl/s2_srvr.c.
  - CVE-2015-0293

Show diffs side-by-side

added added

removed removed

Lines of Context:
 
1
Backport of:
 
2
 
 
3
From c380bff888bfd5e48c4b24250ba1996b0fd1a5e3 Mon Sep 17 00:00:00 2001
 
4
From: Matt Caswell <matt@openssl.org>
 
5
Date: Thu, 19 Mar 2015 10:16:32 +0000
 
6
Subject: [PATCH] Fix a failure to NULL a pointer freed on error.
 
7
 
 
8
Reported by the LibreSSL project as a follow on to CVE-2015-0209
 
9
 
 
10
Reviewed-by: Richard Levitte <levitte@openssl.org>
 
11
---
 
12
 crypto/asn1/x_x509.c | 12 +++++++++++-
 
13
 crypto/ec/ec_asn1.c  |  7 +++++--
 
14
 2 files changed, 16 insertions(+), 3 deletions(-)
 
15
 
 
16
Index: openssl-0.9.8k/crypto/asn1/x_x509.c
 
17
===================================================================
 
18
--- openssl-0.9.8k.orig/crypto/asn1/x_x509.c    2015-03-19 10:48:20.220415979 -0400
 
19
+++ openssl-0.9.8k/crypto/asn1/x_x509.c 2015-03-19 10:49:19.076933257 -0400
 
20
@@ -178,8 +178,14 @@
 
21
 {
 
22
        const unsigned char *q;
 
23
        X509 *ret;
 
24
+       int freeret = 0;
 
25
+
 
26
        /* Save start position */
 
27
        q = *pp;
 
28
+
 
29
+       if(!a || *a == NULL) {
 
30
+               freeret = 1;
 
31
+       }
 
32
        ret = d2i_X509(a, pp, length);
 
33
        /* If certificate unreadable then forget it */
 
34
        if(!ret) return NULL;
 
35
@@ -189,7 +195,11 @@
 
36
        if(!d2i_X509_CERT_AUX(&ret->aux, pp, length)) goto err;
 
37
        return ret;
 
38
        err:
 
39
-       X509_free(ret);
 
40
+       if(freeret) {
 
41
+               X509_free(ret);
 
42
+               if (a)
 
43
+                       *a = NULL;
 
44
+       }
 
45
        return NULL;
 
46
 }
 
47
 
 
48
Index: openssl-0.9.8k/crypto/ec/ec_asn1.c
 
49
===================================================================
 
50
--- openssl-0.9.8k.orig/crypto/ec/ec_asn1.c     2015-03-19 10:48:20.220415979 -0400
 
51
+++ openssl-0.9.8k/crypto/ec/ec_asn1.c  2015-03-19 10:50:00.301288901 -0400
 
52
@@ -1344,8 +1344,6 @@
 
53
                        ECerr(EC_F_D2I_ECPARAMETERS, ERR_R_MALLOC_FAILURE);
 
54
                        return NULL;
 
55
                        }
 
56
-               if (a)
 
57
-                       *a = ret;
 
58
                }
 
59
        else
 
60
                ret = *a;
 
61
@@ -1353,9 +1351,14 @@
 
62
        if (!d2i_ECPKParameters(&ret->group, in, len))
 
63
                {
 
64
                ECerr(EC_F_D2I_ECPARAMETERS, ERR_R_EC_LIB);
 
65
+               if (a == NULL || *a != ret)
 
66
+                       EC_KEY_free(ret);
 
67
                return NULL;
 
68
                }
 
69
 
 
70
+       if (a)
 
71
+               *a = ret;
 
72
+
 
73
        return ret;
 
74
        }
 
75