Search
j0ke.net Open Build Service
>
Projects
>
home:netmax
:
monitoring
>
openssl1
> openssl-CVE-2016-2182.patch
Sign Up
|
Log In
Username
Password
Cancel
Overview
Repositories
Revisions
Requests
Users
Advanced
Attributes
Meta
File openssl-CVE-2016-2182.patch of Package openssl1
commit 28a89639da50b1caed4ff3015508f23173bf3e49 Author: Dr. Stephen Henson <steve@openssl.org> Date: Fri Aug 5 14:26:03 2016 +0100 Check for errors in BN_bn2dec() If an oversize BIGNUM is presented to BN_bn2dec() it can cause BN_div_word() to fail and not reduce the value of 't' resulting in OOB writes to the bn_data buffer and eventually crashing. Fix by checking return value of BN_div_word() and checking writes don't overflow buffer. Thanks to Shi Lei for reporting this bug. CVE-2016-2182 Reviewed-by: Tim Hudson <tjh@openssl.org> (cherry picked from commit 07bed46f332fce8c1d157689a2cdf915a982ae34) Conflicts: crypto/bn/bn_print.c commit ff0571b10c5e95f72daed39a30e5b18667f4d51e Author: Dr. Stephen Henson <steve@openssl.org> Date: Fri Aug 5 14:33:03 2016 +0100 Check for errors in a2d_ASN1_OBJECT() Check for error return in BN_div_word(). Reviewed-by: Tim Hudson <tjh@openssl.org> (cherry picked from commit 8b9afbc0fc7f8be0049d389d34d9416fa377e2aa) commit 3612ff6fcec0e3d1f2a598135fe12177c0419582 Author: Kazuki Yamaguchi <k@rhe.jp> Date: Mon Aug 22 02:36:36 2016 +0900 Fix overflow check in BN_bn2dec() Fix an off by one error in the overflow check added by 07bed46f332fc ("Check for errors in BN_bn2dec()"). Reviewed-by: Stephen Henson <steve@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (cherry picked from commit 099e2968ed3c7d256cda048995626664082b1b30) Index: openssl-1.0.1i/crypto/bn/bn_print.c =================================================================== --- openssl-1.0.1i.orig/crypto/bn/bn_print.c 2016-08-25 11:41:31.561851111 +0200 +++ openssl-1.0.1i/crypto/bn/bn_print.c 2016-08-30 13:07:00.857890216 +0200 @@ -108,6 +108,7 @@ char *BN_bn2dec(const BIGNUM *a) char *p; BIGNUM *t=NULL; BN_ULONG *bn_data=NULL,*lp; + int bn_data_num; /* get an upper bound for the length of the decimal integer * num <= (BN_num_bits(a) + 1) * log(2) @@ -116,8 +117,9 @@ char *BN_bn2dec(const BIGNUM *a) */ i=BN_num_bits(a)*3; num=(i/10+i/1000+1)+1; - bn_data=(BN_ULONG *)OPENSSL_malloc((num/BN_DEC_NUM+1)*sizeof(BN_ULONG)); - buf=(char *)OPENSSL_malloc(num+3); + bn_data_num = num / BN_DEC_NUM + 1; + bn_data = OPENSSL_malloc(bn_data_num * sizeof(BN_ULONG)); + buf = OPENSSL_malloc(num + 3); if ((buf == NULL) || (bn_data == NULL)) { BNerr(BN_F_BN_BN2DEC,ERR_R_MALLOC_FAILURE); @@ -141,7 +143,11 @@ char *BN_bn2dec(const BIGNUM *a) i=0; while (!BN_is_zero(t)) { + if (lp - bn_data >= bn_data_num) + goto err; *lp=BN_div_word(t,BN_DEC_CONV); + if (*lp == (BN_ULONG)-1) + goto err; lp++; } lp--; Index: openssl-1.0.1i/crypto/asn1/a_object.c =================================================================== --- openssl-1.0.1i.orig/crypto/asn1/a_object.c 2014-08-06 23:15:58.000000000 +0200 +++ openssl-1.0.1i/crypto/asn1/a_object.c 2016-08-25 11:41:31.897856387 +0200 @@ -186,8 +186,13 @@ int a2d_ASN1_OBJECT(unsigned char *out, if (!tmp) goto err; } - while(blsize--) - tmp[i++] = (unsigned char)BN_div_word(bl, 0x80L); + while (blsize--) + { + BN_ULONG t = BN_div_word(bl, 0x80L); + if (t == (BN_ULONG)-1) + goto err; + tmp[i++] = (unsigned char)t; + } } else {