Date: Wed, 4 May 2016 06:53:02 +0000 (UTC) From: Xin LI <delphij@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org Subject: svn commit: r299053 - in stable/9/crypto/openssl/crypto: asn1 evp x509 Message-ID: <201605040653.u446r2fP068163@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: delphij Date: Wed May 4 06:53:02 2016 New Revision: 299053 URL: https://svnweb.freebsd.org/changeset/base/299053 Log: Fix several OpenSSL vulnerabilities. Security: CVE-2016-2105, CVE-2016-2106, CVE-2016-2109 Security: CVE-2016-2176 (does not affect FreeBSD) Security: FreeBSD-SA-16:17.openssl Modified: stable/9/crypto/openssl/crypto/asn1/a_type.c stable/9/crypto/openssl/crypto/asn1/tasn_dec.c stable/9/crypto/openssl/crypto/asn1/tasn_enc.c stable/9/crypto/openssl/crypto/evp/encode.c stable/9/crypto/openssl/crypto/evp/evp_enc.c stable/9/crypto/openssl/crypto/x509/x509_obj.c Modified: stable/9/crypto/openssl/crypto/asn1/a_type.c ============================================================================== --- stable/9/crypto/openssl/crypto/asn1/a_type.c Wed May 4 06:26:27 2016 (r299052) +++ stable/9/crypto/openssl/crypto/asn1/a_type.c Wed May 4 06:53:02 2016 (r299053) @@ -123,9 +123,7 @@ int ASN1_TYPE_cmp(const ASN1_TYPE *a, co result = 0; /* They do not have content. */ break; case V_ASN1_INTEGER: - case V_ASN1_NEG_INTEGER: case V_ASN1_ENUMERATED: - case V_ASN1_NEG_ENUMERATED: case V_ASN1_BIT_STRING: case V_ASN1_OCTET_STRING: case V_ASN1_SEQUENCE: Modified: stable/9/crypto/openssl/crypto/asn1/tasn_dec.c ============================================================================== --- stable/9/crypto/openssl/crypto/asn1/tasn_dec.c Wed May 4 06:26:27 2016 (r299052) +++ stable/9/crypto/openssl/crypto/asn1/tasn_dec.c Wed May 4 06:53:02 2016 (r299053) @@ -901,9 +901,7 @@ int asn1_ex_c2i(ASN1_VALUE **pval, const break; case V_ASN1_INTEGER: - case V_ASN1_NEG_INTEGER: case V_ASN1_ENUMERATED: - case V_ASN1_NEG_ENUMERATED: tint = (ASN1_INTEGER **)pval; if (!c2i_ASN1_INTEGER(tint, &cont, len)) goto err; Modified: stable/9/crypto/openssl/crypto/asn1/tasn_enc.c ============================================================================== --- stable/9/crypto/openssl/crypto/asn1/tasn_enc.c Wed May 4 06:26:27 2016 (r299052) +++ stable/9/crypto/openssl/crypto/asn1/tasn_enc.c Wed May 4 06:53:02 2016 (r299053) @@ -610,9 +610,7 @@ int asn1_ex_i2c(ASN1_VALUE **pval, unsig break; case V_ASN1_INTEGER: - case V_ASN1_NEG_INTEGER: case V_ASN1_ENUMERATED: - case V_ASN1_NEG_ENUMERATED: /* * These are all have the same content format as ASN1_INTEGER */ Modified: stable/9/crypto/openssl/crypto/evp/encode.c ============================================================================== --- stable/9/crypto/openssl/crypto/evp/encode.c Wed May 4 06:26:27 2016 (r299052) +++ stable/9/crypto/openssl/crypto/evp/encode.c Wed May 4 06:53:02 2016 (r299053) @@ -57,6 +57,7 @@ */ #include <stdio.h> +#include <limits.h> #include "cryptlib.h" #include <openssl/evp.h> @@ -134,13 +135,13 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ct const unsigned char *in, int inl) { int i, j; - unsigned int total = 0; + size_t total = 0; *outl = 0; if (inl == 0) return; OPENSSL_assert(ctx->length <= (int)sizeof(ctx->enc_data)); - if ((ctx->num + inl) < ctx->length) { + if (ctx->length - ctx->num > inl) { memcpy(&(ctx->enc_data[ctx->num]), in, inl); ctx->num += inl; return; @@ -157,7 +158,7 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ct *out = '\0'; total = j + 1; } - while (inl >= ctx->length) { + while (inl >= ctx->length && total <= INT_MAX) { j = EVP_EncodeBlock(out, in, ctx->length); in += ctx->length; inl -= ctx->length; @@ -166,6 +167,11 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ct *out = '\0'; total += j + 1; } + if (total > INT_MAX) { + /* Too much output data! */ + *outl = 0; + return; + } if (inl != 0) memcpy(&(ctx->enc_data[0]), in, inl); ctx->num = inl; Modified: stable/9/crypto/openssl/crypto/evp/evp_enc.c ============================================================================== --- stable/9/crypto/openssl/crypto/evp/evp_enc.c Wed May 4 06:26:27 2016 (r299052) +++ stable/9/crypto/openssl/crypto/evp/evp_enc.c Wed May 4 06:53:02 2016 (r299053) @@ -166,7 +166,7 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ct bl = ctx->cipher->block_size; OPENSSL_assert(bl <= (int)sizeof(ctx->buf)); if (i != 0) { - if (i + inl < bl) { + if (bl - i > inl) { memcpy(&(ctx->buf[i]), in, inl); ctx->buf_len += inl; *outl = 0; Modified: stable/9/crypto/openssl/crypto/x509/x509_obj.c ============================================================================== --- stable/9/crypto/openssl/crypto/x509/x509_obj.c Wed May 4 06:26:27 2016 (r299052) +++ stable/9/crypto/openssl/crypto/x509/x509_obj.c Wed May 4 06:53:02 2016 (r299053) @@ -117,8 +117,9 @@ char *X509_NAME_oneline(X509_NAME *a, ch type == V_ASN1_PRINTABLESTRING || type == V_ASN1_TELETEXSTRING || type == V_ASN1_VISIBLESTRING || type == V_ASN1_IA5STRING) { - ascii2ebcdic(ebcdic_buf, q, (num > sizeof ebcdic_buf) - ? sizeof ebcdic_buf : num); + if (num > (int)sizeof(ebcdic_buf)) + num = sizeof(ebcdic_buf); + ascii2ebcdic(ebcdic_buf, q, num); q = ebcdic_buf; } #endif
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201605040653.u446r2fP068163>