~ubuntu-branches/ubuntu/lucid/openssl/lucid-security

« back to all changes in this revision

Viewing changes to debian/patches/CVE-2015-0209.patch

  • Committer: Package Import Robot
  • Author(s): Marc Deslauriers
  • Date: 2015-03-19 09:57:59 UTC
  • Revision ID: package-import@ubuntu.com-20150319095759-do88u689v2nfth1v
Tags: 0.9.8k-7ubuntu8.27
* SECURITY UPDATE: denial of service and possible memory corruption via
  malformed EC private key
  - debian/patches/CVE-2015-0209.patch: fix use after free in
    crypto/ec/ec_asn1.c.
  - debian/patches/CVE-2015-0209-2.patch: fix a failure to NULL a pointer
    freed on error in crypto/asn1/x_x509.c, crypto/ec/ec_asn1.c.
  - CVE-2015-0209
* SECURITY UPDATE: denial of service via cert verification
  - debian/patches/CVE-2015-0286.patch: handle boolean types in
    crypto/asn1/a_type.c.
  - CVE-2015-0286
* SECURITY UPDATE: ASN.1 structure reuse memory corruption
  - debian/patches/CVE-2015-0287.patch: free up structures in
    crypto/asn1/tasn_dec.c.
  - CVE-2015-0287
* SECURITY UPDATE: denial of service via invalid certificate key
  - debian/patches/CVE-2015-0288.patch: check public key isn't NULL in
    crypto/x509/x509_req.c.
  - CVE-2015-0288
* SECURITY UPDATE: denial of service and possible code execution via
  PKCS#7 parsing
  - debian/patches/CVE-2015-0289.patch: handle missing content in
    crypto/pkcs7/pk7_doit.c, crypto/pkcs7/pk7_lib.c.
  - CVE-2015-0289
* SECURITY UPDATE: denial of service or memory corruption via base64
  decoding
  - debian/patches/CVE-2015-0292.patch: prevent underflow in
    crypto/evp/encode.c.
  - CVE-2015-0292
* SECURITY UPDATE: denial of service via assert in SSLv2 servers
  - debian/patches/CVE-2015-0293.patch: check key lengths in
    ssl/s2_lib.c, ssl/s2_srvr.c.
  - debian/patches/CVE-2015-0293-2.patch: fix unsigned/signed warnings in
    ssl/s2_srvr.c.
  - CVE-2015-0293

Show diffs side-by-side

added added

removed removed

Lines of Context:
 
1
Backport of:
 
2
 
 
3
From 1b4a8df38fc9ab3c089ca5765075ee53ec5bd66a Mon Sep 17 00:00:00 2001
 
4
From: Matt Caswell <matt@openssl.org>
 
5
Date: Mon, 9 Feb 2015 11:38:41 +0000
 
6
Subject: [PATCH] Fix a failure to NULL a pointer freed on error.
 
7
MIME-Version: 1.0
 
8
Content-Type: text/plain; charset=utf8
 
9
Content-Transfer-Encoding: 8bit
 
10
 
 
11
Inspired by BoringSSL commit 517073cd4b by Eric Roman <eroman@chromium.org>
 
12
 
 
13
CVE-2015-0209
 
14
 
 
15
Reviewed-by: Emilia Käsper <emilia@openssl.org>
 
16
---
 
17
 crypto/ec/ec_asn1.c | 6 +++---
 
18
 1 file changed, 3 insertions(+), 3 deletions(-)
 
19
 
 
20
Index: openssl-0.9.8k/crypto/ec/ec_asn1.c
 
21
===================================================================
 
22
--- openssl-0.9.8k.orig/crypto/ec/ec_asn1.c     2015-03-17 14:28:22.952802945 -0400
 
23
+++ openssl-0.9.8k/crypto/ec/ec_asn1.c  2015-03-17 14:29:11.477189253 -0400
 
24
@@ -1126,8 +1126,6 @@
 
25
                                  ERR_R_MALLOC_FAILURE);
 
26
                        goto err;
 
27
                        }
 
28
-               if (a)
 
29
-                       *a = ret;
 
30
                }
 
31
        else
 
32
                ret = *a;
 
33
@@ -1192,11 +1190,13 @@
 
34
                        }
 
35
                }
 
36
 
 
37
+       if (a)
 
38
+               *a = ret;
 
39
        ok = 1;
 
40
 err:
 
41
        if (!ok)
 
42
                {
 
43
-               if (ret)
 
44
+               if (ret && (a == NULL || *a != ret))
 
45
                        EC_KEY_free(ret);
 
46
                ret = NULL;
 
47
                }