~ubuntu-branches/ubuntu/lucid/openssl/lucid-security

« back to all changes in this revision

Viewing changes to debian/patches/CVE-2015-0287.patch

  • Committer: Package Import Robot
  • Author(s): Marc Deslauriers
  • Date: 2015-03-19 09:57:59 UTC
  • Revision ID: package-import@ubuntu.com-20150319095759-do88u689v2nfth1v
Tags: 0.9.8k-7ubuntu8.27
* SECURITY UPDATE: denial of service and possible memory corruption via
  malformed EC private key
  - debian/patches/CVE-2015-0209.patch: fix use after free in
    crypto/ec/ec_asn1.c.
  - debian/patches/CVE-2015-0209-2.patch: fix a failure to NULL a pointer
    freed on error in crypto/asn1/x_x509.c, crypto/ec/ec_asn1.c.
  - CVE-2015-0209
* SECURITY UPDATE: denial of service via cert verification
  - debian/patches/CVE-2015-0286.patch: handle boolean types in
    crypto/asn1/a_type.c.
  - CVE-2015-0286
* SECURITY UPDATE: ASN.1 structure reuse memory corruption
  - debian/patches/CVE-2015-0287.patch: free up structures in
    crypto/asn1/tasn_dec.c.
  - CVE-2015-0287
* SECURITY UPDATE: denial of service via invalid certificate key
  - debian/patches/CVE-2015-0288.patch: check public key isn't NULL in
    crypto/x509/x509_req.c.
  - CVE-2015-0288
* SECURITY UPDATE: denial of service and possible code execution via
  PKCS#7 parsing
  - debian/patches/CVE-2015-0289.patch: handle missing content in
    crypto/pkcs7/pk7_doit.c, crypto/pkcs7/pk7_lib.c.
  - CVE-2015-0289
* SECURITY UPDATE: denial of service or memory corruption via base64
  decoding
  - debian/patches/CVE-2015-0292.patch: prevent underflow in
    crypto/evp/encode.c.
  - CVE-2015-0292
* SECURITY UPDATE: denial of service via assert in SSLv2 servers
  - debian/patches/CVE-2015-0293.patch: check key lengths in
    ssl/s2_lib.c, ssl/s2_srvr.c.
  - debian/patches/CVE-2015-0293-2.patch: fix unsigned/signed warnings in
    ssl/s2_srvr.c.
  - CVE-2015-0293

Show diffs side-by-side

added added

removed removed

Lines of Context:
 
1
Backport of:
 
2
 
 
3
commit 5722767d5dc1a3b5505058fe27877fc993fe9a5a
 
4
Author: Dr. Stephen Henson <steve@openssl.org>
 
5
Date:   Mon Feb 23 02:32:44 2015 +0000
 
6
 
 
7
    Free up ADB and CHOICE if already initialised.
 
8
    
 
9
    CVE-2015-0287
 
10
    
 
11
    Reviewed-by: Tim Hudson <tjh@openssl.org>
 
12
    Reviewed-by: Emilia Käsper <emilia@openssl.org>
 
13
 
 
14
Index: openssl-0.9.8k/crypto/asn1/tasn_dec.c
 
15
===================================================================
 
16
--- openssl-0.9.8k.orig/crypto/asn1/tasn_dec.c  2015-03-17 14:31:41.974390531 -0400
 
17
+++ openssl-0.9.8k/crypto/asn1/tasn_dec.c       2015-03-17 14:34:58.307964400 -0400
 
18
@@ -310,7 +316,16 @@
 
19
                                goto auxerr;
 
20
 
 
21
                /* Allocate structure */
 
22
-               if (!*pval && !ASN1_item_ex_new(pval, it))
 
23
+               if (*pval) {
 
24
+                       /* Free up and zero CHOICE value if initialised */
 
25
+                       i = asn1_get_choice_selector(pval, it);
 
26
+                       if ((i >= 0) && (i < it->tcount)) {
 
27
+                               tt = it->templates + i;
 
28
+                               pchptr = asn1_get_field_ptr(pval, tt);
 
29
+                               ASN1_template_free(pchptr, tt);
 
30
+                               asn1_set_choice_selector(pval, -1, it);
 
31
+                       }
 
32
+               } else if (!ASN1_item_ex_new(pval, it))
 
33
                        {
 
34
                        ASN1err(ASN1_F_ASN1_ITEM_EX_D2I,
 
35
                                                ERR_R_NESTED_ASN1_ERROR);
 
36
@@ -406,6 +421,17 @@
 
37
                if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it))
 
38
                                goto auxerr;
 
39
 
 
40
+               /* Free up and zero any ADB found */
 
41
+               for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) {
 
42
+                       if (tt->flags & ASN1_TFLG_ADB_MASK) {
 
43
+                               const ASN1_TEMPLATE *seqtt;
 
44
+                               ASN1_VALUE **pseqval;
 
45
+                               seqtt = asn1_do_adb(pval, tt, 1);
 
46
+                               pseqval = asn1_get_field_ptr(pval, seqtt);
 
47
+                               ASN1_template_free(pseqval, seqtt);
 
48
+                       }
 
49
+               }
 
50
+
 
51
                /* Get each field entry */
 
52
                for (i = 0, tt = it->templates; i < it->tcount; i++, tt++)
 
53
                        {