Search
j0ke.net Open Build Service
>
Projects
>
home:netmax
:
monitoring
>
openssl1
> openssl-CVE-2016-2108.patch
Sign Up
|
Log In
Username
Password
Cancel
Overview
Repositories
Revisions
Requests
Users
Advanced
Attributes
Meta
File openssl-CVE-2016-2108.patch of Package openssl1
From c5e4bc81c5a142cab7f46f69824fa35367999ee8 Mon Sep 17 00:00:00 2001 From: Dr. Stephen Henson <steve@openssl.org> Date: Fri, 15 Apr 2016 02:37:09 +0100 Subject: [PATCH] Fix ASN1_INTEGER handling. Only treat an ASN1_ANY type as an integer if it has the V_ASN1_INTEGER tag: V_ASN1_NEG_INTEGER is an internal only value which is never used for on the wire encoding. Thanks to David Benjamin <davidben@google.com> for reporting this bug. This was found using libFuzzer. RT#4364 (part)CVE-2016-2108. --- crypto/asn1/a_type.c | 2 -- crypto/asn1/tasn_dec.c | 2 -- crypto/asn1/tasn_enc.c | 2 -- 3 files changed, 0 insertions(+), 6 deletions(-) From 32d3b0f52f77ce86d53f38685336668d47c5bdfe Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" <steve@openssl.org> Date: Thu, 16 Apr 2015 16:43:09 +0100 Subject: [PATCH] Fix encoding bug in i2c_ASN1_INTEGER MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix bug where i2c_ASN1_INTEGER mishandles zero if it is marked as negative. Thanks to Huzaifa Sidhpurwala <huzaifas@redhat.com> and Hanno Böck <hanno@hboeck.de> for reporting this issue. Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit a0eed48d37a4b7beea0c966caf09ad46f4a92a44) --- crypto/asn1/a_int.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) Index: openssl-1.0.1i/crypto/asn1/a_type.c =================================================================== --- openssl-1.0.1i.orig/crypto/asn1/a_type.c 2016-04-28 15:39:48.512663139 +0200 +++ openssl-1.0.1i/crypto/asn1/a_type.c 2016-04-28 15:42:49.378664932 +0200 @@ -131,9 +131,7 @@ int ASN1_TYPE_cmp(const ASN1_TYPE *a, co result = 0; /* They do not have content. */ break; case V_ASN1_INTEGER: - case V_ASN1_NEG_INTEGER: case V_ASN1_ENUMERATED: - case V_ASN1_NEG_ENUMERATED: case V_ASN1_BIT_STRING: case V_ASN1_OCTET_STRING: case V_ASN1_SEQUENCE: Index: openssl-1.0.1i/crypto/asn1/tasn_dec.c =================================================================== --- openssl-1.0.1i.orig/crypto/asn1/tasn_dec.c 2016-04-28 15:39:48.512663139 +0200 +++ openssl-1.0.1i/crypto/asn1/tasn_dec.c 2016-04-28 15:44:38.059490691 +0200 @@ -1006,9 +1006,7 @@ int asn1_ex_c2i(ASN1_VALUE **pval, const break; case V_ASN1_INTEGER: - case V_ASN1_NEG_INTEGER: case V_ASN1_ENUMERATED: - case V_ASN1_NEG_ENUMERATED: tint = (ASN1_INTEGER **)pval; if (!c2i_ASN1_INTEGER(tint, &cont, len)) goto err; Index: openssl-1.0.1i/crypto/asn1/tasn_enc.c =================================================================== --- openssl-1.0.1i.orig/crypto/asn1/tasn_enc.c 2016-04-28 15:39:48.512663139 +0200 +++ openssl-1.0.1i/crypto/asn1/tasn_enc.c 2016-04-28 15:45:41.659558469 +0200 @@ -643,9 +643,7 @@ int asn1_ex_i2c(ASN1_VALUE **pval, unsig break; case V_ASN1_INTEGER: - case V_ASN1_NEG_INTEGER: case V_ASN1_ENUMERATED: - case V_ASN1_NEG_ENUMERATED: /* These are all have the same content format * as ASN1_INTEGER */ Index: openssl-1.0.1i/crypto/asn1/a_int.c =================================================================== --- openssl-1.0.1i.orig/crypto/asn1/a_int.c +++ openssl-1.0.1i/crypto/asn1/a_int.c @@ -124,6 +124,8 @@ int i2c_ASN1_INTEGER(ASN1_INTEGER *a, un { ret=a->length; i=a->data[0]; + if (ret == 1 && i == 0) + neg=0; if (!neg && (i > 127)) { pad=1; pb=0; @@ -157,7 +159,7 @@ int i2c_ASN1_INTEGER(ASN1_INTEGER *a, un p += a->length - 1; i = a->length; /* Copy zeros to destination as long as source is zero */ - while(!*n) { + while(!*n && i > 1) { *(p--) = 0; n--; i--; @@ -415,7 +417,7 @@ ASN1_INTEGER *BN_to_ASN1_INTEGER(const B ASN1err(ASN1_F_BN_TO_ASN1_INTEGER,ERR_R_NESTED_ASN1_ERROR); goto err; } - if (BN_is_negative(bn)) + if (BN_is_negative(bn) && !BN_is_zero(bn)) ret->type = V_ASN1_NEG_INTEGER; else ret->type=V_ASN1_INTEGER; j=BN_num_bits(bn);