Search
j0ke.net Open Build Service
>
Projects
>
home:netmax
:
monitoring
>
openssl1
> openssl-CVE-2015-3195.patch
Sign Up
|
Log In
Username
Password
Cancel
Overview
Repositories
Revisions
Requests
Users
Advanced
Attributes
Meta
File openssl-CVE-2015-3195.patch of Package openssl1
From b29ffa392e839d05171206523e84909146f7a77c Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" <steve@openssl.org> Date: Tue, 10 Nov 2015 19:03:07 +0000 Subject: [PATCH] Fix leak with ASN.1 combine. When parsing a combined structure pass a flag to the decode routine so on error a pointer to the parent structure is not zeroed as this will leak any additional components in the parent. This can leak memory in any application parsing PKCS#7 or CMS structures. CVE-2015-3195. Thanks to Adam Langley (Google/BoringSSL) for discovering this bug using libFuzzer. PR#4131 Reviewed-by: Richard Levitte <levitte@openssl.org> --- crypto/asn1/tasn_dec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) Index: openssl-1.0.1i/crypto/asn1/tasn_dec.c =================================================================== --- openssl-1.0.1i.orig/crypto/asn1/tasn_dec.c 2015-12-03 17:59:01.272944957 +0100 +++ openssl-1.0.1i/crypto/asn1/tasn_dec.c 2015-12-03 18:02:54.285726394 +0100 @@ -169,6 +169,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, int otag; int ret = 0; ASN1_VALUE **pchptr, *ptmpval; + int combine = aclass & ASN1_TFLG_COMBINE; + aclass &= ~ASN1_TFLG_COMBINE; if (!pval) return 0; if (aux && aux->asn1_cb) @@ -534,7 +536,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, auxerr: ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR); err: - ASN1_item_ex_free(pval, it); + if (combine == 0) + ASN1_item_ex_free(pval, it); if (errtt) ERR_add_error_data(4, "Field=", errtt->field_name, ", Type=", it->sname); @@ -762,7 +765,7 @@ static int asn1_template_noexp_d2i(ASN1_ { /* Nothing special */ ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), - -1, 0, opt, ctx); + -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx); if (!ret) { ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I,