Date:      Wed, 4 May 2016 22:52:54 +0000 (UTC)
From:      Gleb Smirnoff <glebius@FreeBSD.org>
To:        doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject:   svn commit: r48779 - in head/share: security/advisories security/patches/EN-16:06 security/patches/EN-16:07 security/patches/EN-16:08 security/patches/SA-16:06 security/patches/SA-16:17 xml
Message-ID:  <201605042252.u44Mqs6O060430@repo.freebsd.org>

Author: glebius (src committer)
Date: Wed May  4 22:52:54 2016
New Revision: 48779
URL: https://svnweb.freebsd.org/changeset/doc/48779

Log:
  Publish today's advisory and notices:
  - SA-16:17.openssl
  - EN-16:06.libc
  - EN-16:07.ipi
  - EN-16:08.zfs
  
  Approved by:	so

Added:
  head/share/security/advisories/FreeBSD-EN-16:06.libc.asc   (contents, props changed)
  head/share/security/advisories/FreeBSD-EN-16:07.ipi.asc   (contents, props changed)
  head/share/security/advisories/FreeBSD-EN-16:08.zfs.asc   (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-16:17.openssl.asc   (contents, props changed)
  head/share/security/patches/EN-16:06/
  head/share/security/patches/EN-16:07/
  head/share/security/patches/EN-16:07/ipi.patch   (contents, props changed)
  head/share/security/patches/EN-16:07/ipi.patch.asc   (contents, props changed)
  head/share/security/patches/EN-16:08/
  head/share/security/patches/EN-16:08/zfs.patch   (contents, props changed)
  head/share/security/patches/EN-16:08/zfs.patch.asc   (contents, props changed)
  head/share/security/patches/SA-16:06/libc.patch   (contents, props changed)
  head/share/security/patches/SA-16:06/libc.patch.asc   (contents, props changed)
  head/share/security/patches/SA-16:17/
  head/share/security/patches/SA-16:17/openssl-10.patch   (contents, props changed)
  head/share/security/patches/SA-16:17/openssl-10.patch.asc   (contents, props changed)
  head/share/security/patches/SA-16:17/openssl-9.patch   (contents, props changed)
  head/share/security/patches/SA-16:17/openssl-9.patch.asc   (contents, props changed)
Modified:
  head/share/xml/advisories.xml
  head/share/xml/notices.xml

Added: head/share/security/advisories/FreeBSD-EN-16:06.libc.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-EN-16:06.libc.asc	Wed May  4 22:52:54 2016	(r48779)
@@ -0,0 +1,128 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-16:06.libc                                           Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Performance regression in libc hash(3)
+
+Category:       core
+Module:         libc / hash(3)
+Announced:      2016-05-04
+Credits:        Bryan Drewery, Baptiste Daroussin
+Affects:        FreeBSD 10.3-RELEASE
+Corrected:      2016-04-13 01:54:36 UTC (stable/10, 10.3-STABLE)
+                2016-05-04 15:25:47 UTC (releng/10.3, 10.3-RELEASE-p2)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security branches,
+and the following sections, please visit
+<URL:https://security.freebsd.org/>.
+
+I.   Background
+
+The dbopen(3) with DB_HASH allows reading and writing to database files
+in the hash(3) format.  Examples of such files are the system master
+passwd and services databases in /etc.  In FreeBSD 10.3 operations
+using dbopen(3) were fixed to always call fsync(2) on their files when
+writing to ensure they were consistent after a power loss.  This was
+mostly noticeable for the user and group database files after using
+pw, vipw, chpass, etc.
+
+II.  Problem Description
+
+The changes in FreeBSD 10.3 to use fsync(2) were improperly extended to
+operations that were read-only.
+
+III. Impact
+
+This could manifest as extreme slowdowns in operations that read from one
+of these files, such as the user database.  It was especially noticeable
+during the use of "pkg install" since it reads from the user database.  It
+could also incur excessive I/O writes to these files if the file system
+was not mounted with noatime which could lessen the lifetime of SSD.
+
+IV.  Workaround
+
+No workaround is available.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+2) To update your present system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+3) To update your present system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 10.3]
+# fetch https://security.FreeBSD.org/patches/EN-16:06/libc.patch
+# fetch https://security.FreeBSD.org/patches/EN-16:06/libc.patch.asc
+# gpg --verify libc.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all daemons that use the library, or reboot the system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/10/                                                        r297904
+releng/10.3/                                                      r299066
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>;
+
+VII. References
+
+The latest revision of this Errata Notice is available at
+https://security.FreeBSD.org/advisories/FreeBSD-EN-16:06.libc.asc
+-----BEGIN PGP SIGNATURE-----
+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+=p2R6
+-----END PGP SIGNATURE-----
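
Review bot: The two `# fetch` lines in section V.3.a point at https://security.FreeBSD.org/patches/EN-16:06/libc.patch and libc.patch.asc, but this commit adds libc.patch and libc.patch.asc under head/share/security/patches/SA-16:06/ and adds no file under the new patches/EN-16:06/ directory. If the published tree mirrors these paths, the download step of the source-patch procedure fails before `gpg --verify` can run. Moving both files to patches/EN-16:06/ fixes this without touching the signed notice text.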

Added: head/share/security/advisories/FreeBSD-EN-16:07.ipi.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-EN-16:07.ipi.asc	Wed May  4 22:52:54 2016	(r48779)
@@ -0,0 +1,125 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-16:07.ipi                                            Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Excessive latency in x86 IPI delivery
+
+Category:       core
+Module:         kernel
+Announced:      2016-05-04
+Credits:        Stanislav Sedov
+Affects:        FreeBSD 10.2 and 10.3
+Corrected:      2016-04-27 19:12:49 UTC (stable/10, 10.3-STABLE)
+                2016-05-04 15:25:47 UTC (releng/10.3, 10.3-RELEASE-p2)
+                2016-05-04 15:26:23 UTC (releng/10.2, 10.2-RELEASE-p16)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security branches,
+and the following sections, please visit
+<URL:https://security.freebsd.org/>.
+
+I.   Background
+
+Each CPU in an x86 system contains an interrupt controller (local APIC)
+used to handle both external interrupts and inter-processor-interrupts
+(IPIs).
+
+II.  Problem Description
+
+In xAPIC mode, the local APIC can only queue a single IPI at a time.  If
+a previously queued IPI is still pending when a CPU attempts to send an
+IPI, it spins waiting for the previous IPI to complete.  A change merged
+prior to 10.2-RELEASE altered this loop to check the state of the previous
+IPI once every 5 microseconds rather than constantly polling.
+
+III. Impact
+
+Checking the status of the previous IPI once every 5 microseconds could
+introduce 5 microsecond delays when sending IPIs.  This could increase the
+latency of various scheduling operations reducing performance.
+
+IV.  Workaround
+
+No workaround is available, but non-x86 systems are not affected.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+2) To update your present system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+3) To update your present system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-16:07/ipi.patch
+# fetch https://security.FreeBSD.org/patches/EN-16:07/ipi.patch.asc
+# gpg --verify ipi.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/10/                                                        r298715
+releng/10.2/                                                      r299067
+releng/10.3/                                                      r299066
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>;
+
+VII. References
+
+The latest revision of this Errata Notice is available at
+https://security.FreeBSD.org/advisories/FreeBSD-EN-16:07.ipi.asc
+-----BEGIN PGP SIGNATURE-----
+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+=XoQ4
+-----END PGP SIGNATURE-----

Added: head/share/security/advisories/FreeBSD-EN-16:08.zfs.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-EN-16:08.zfs.asc	Wed May  4 22:52:54 2016	(r48779)
@@ -0,0 +1,137 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-16:08.zfs                                            Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Memory leak in ZFS
+
+Category:       contrib
+Module:         zfs
+Announced:      2016-05-04
+Credits:        Eric Borisch
+Affects:        All supported versions of FreeBSD.
+Corrected:      2016-03-18 13:32:00 UTC (stable/10, 10.3-STABLE)
+                2016-05-04 15:25:47 UTC (releng/10.3, 10.3-RELEASE-p2)
+                2016-05-04 15:26:23 UTC (releng/10.2, 10.2-RELEASE-p16)
+                2016-05-04 15:27:09 UTC (releng/10.1, 10.1-RELEASE-p33)
+                2016-03-18 13:32:37 UTC (stable/9, 9.3-STABLE)
+                2016-05-04 15:27:09 UTC (releng/9.3, 9.3-RELEASE-p41)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+ZFS is one of several filesystems available on FreeBSD.  ZFS supports many
+advanced features, including snapshots, which provides a frozen read-only
+image of file system at a given time.
+
+File system snapshots can be accessed under the .zfs/snapshot directory
+in the root of the file system.
+
+II.  Problem Description
+
+There is a memory leak in the error path when mounting a snapshot via the
+automatic .zfs/snapshot directory, which can be triggered when the snapshot
+was once mounted, but later deleted by the system administrator.
+
+III. Impact
+
+A local user may be able to trigger the memory leak multiple times and
+eventually exhaust kernel memory, if the user knows a snapshot and access
+it before the system administrator deletes it.
+
+IV.  Workaround
+
+No workaround is available, but systems that do not use ZFS snapshots are
+not affected.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Reboot is required.
+
+2) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Reboot is required.
+
+3) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-16:08/zfs.patch
+# fetch https://security.FreeBSD.org/patches/EN-16:08/zfs.patch.asc
+# gpg --verify zfs.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/9/                                                         r297022
+releng/9.3/                                                       r299068
+stable/10/                                                        r297021
+releng/10.1/                                                      r299068
+releng/10.2/                                                      r299067
+releng/10.3/                                                      r299066
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>;
+
+VII. References
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-16:08.zfs.asc>;
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAEBCgAGBQJXKk4dAAoJEO1n7NZdz2rnscQQAODmJLkUgi8YgTP32IuWyz+N
+mX/g5HNKGWP7COTzsoIFrGZ1l+BqWwqcX9cSR1K3fFOYSDPPgug3qMHdfg63RIsm
+G9sJRQ/XdsUC6436UYGe3ElZyqKUjrKSPW2pA95AYVWMiJTJwly+Vd6UqDadLKmA
+HyebF2uh5HR7JpkTyw9lT6uN4FHTIF6NfKruap3m+NNCMw64w4bILwOLuylvxT+0
+fiPJRlZ5X+I9lRM7QqO8m/S4AYAHeFAu/GG8GDPR2kO6ZuW2iuIQg04tfv8JmHgG
+4074OkCo7etJ6qq59EC1Y7k6TpuNDuiTNtTpn5DnOWVCaduZnGxZo0FhKhZg7b0K
+D4uJkXF8aSTi4Y9rp4ynEP+d1NJD7B5dLnI5R3P3EGuGKhigymI0QlT+iDy/UGLT
+rG1Hx9Tsq1CsrpUe6/Go6Daqt4VxW/WYtOULDZBoVaIhhKk5H4gV1Yj66MUAsPhZ
+Fe+hMnehYdCcKlSYrlCaF6MTosAafhzyTgxDKehgc0K1RPxHXOME98NF76erU1Vx
+62P7sdq3JrYFNg+9TUkyjaYnhc5XrHtShzCJxcMKm0NMNm7nWfyYYVwvBYpflSUI
+AE1VGcgAAlnH/yLnJPJL1BY6hfjsA2wPO+vituxOGDKCvSuUdWCV1baAW9ySmG4K
+Pgle9/Qvg/BNvtVL3dvv
+=PzFd
+-----END PGP SIGNATURE-----
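
Review bot: The Impact sentence in section III, "if the user knows a snapshot and access it before the system administrator deletes it", is ungrammatical and leaves the precondition unclear; something like "if the user knows the name of a snapshot and accesses it before the system administrator deletes it" would read unambiguously. Section VII also calls this document an "advisory" while its header and the other two notices in this commit say "Errata Notice". Both are inside the clearsigned body, so any wording change means re-signing the notice.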

Added: head/share/security/advisories/FreeBSD-SA-16:17.openssl.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-16:17.openssl.asc	Wed May  4 22:52:54 2016	(r48779)
@@ -0,0 +1,178 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-16:17.openssl                                    Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Multiple OpenSSL vulnerabilities
+
+Category:       contrib
+Module:         openssl
+Announced:      2016-05-04
+Credits:        OpenSSL Project
+Affects:        All supported versions of FreeBSD.
+Corrected:      2016-05-03 18:54:20 UTC (stable/10, 10.3-STABLE)
+                2016-05-04 15:25:47 UTC (releng/10.3, 10.3-RELEASE-p2)
+                2016-05-04 15:26:23 UTC (releng/10.2, 10.2-RELEASE-p16)
+                2016-05-04 15:27:09 UTC (releng/10.1, 10.1-RELEASE-p33)
+                2016-05-04 06:53:02 UTC (stable/9, 9.3-STABLE)
+                2016-05-04 15:27:09 UTC (releng/9.3, 9.3-RELEASE-p41)
+CVE Name:       CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2109,
+                CVE-2016-2176
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+FreeBSD includes software from the OpenSSL Project.  The OpenSSL Project is
+a collaborative effort to develop a robust, commercial-grade, full-featured
+Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
+and Transport Layer Security (TLS v1) protocols as well as a full-strength
+general purpose cryptography library.
+
+II.  Problem Description
+
+The padding check in AES-NI CBC MAC was rewritten to be in constant time
+by making sure that always the same bytes are read and compared against
+either the MAC or padding bytes. But it no longer checked that there was
+enough data to have both the MAC and padding bytes. [CVE-2016-2107]
+
+An overflow can occur in the EVP_EncodeUpdate() function which is used for
+Base64 encoding of binary data. [CVE-2016-2105]
+
+An overflow can occur in the EVP_EncryptUpdate() function, however it is
+believed that there can be no overflows in internal code due to this problem.
+[CVE-2016-2106]
+
+When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
+a short invalid encoding can casuse allocation of large amounts of memory
+potentially consuming excessive resources or exhausting memory.
+[CVE-2016-2109]
+
+ASN1 Strings that are over 1024 bytes can cause an overread in applications
+using the X509_NAME_oneline() function on EBCDIC systems. [CVE-2016-2176]
+FreeBSD does not run on any EBCDIC systems and therefore is not affected.
+
+III. Impact
+
+A MITM attacker can use a padding oracle attack to decrypt traffic
+when the connection uses an AES CBC cipher and the server support
+AES-NI. [CVE-2016-2107]
+
+If an attacker is able to supply very large amounts of input data then a
+length check can overflow resulting in a heap corruption. [CVE-2016-2105]
+
+Any application parsing untrusted data through d2i BIO functions are vulnerable
+to memory exhaustion attack. [CVE-2016-2109]  TLS applications are not affected.
+
+IV.  Workaround
+
+No workaround is available.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Restart all daemons that use the library, or reboot the system.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Restart all daemons that use the library, or reboot the system.
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 10.x]
+# fetch https://security.FreeBSD.org/patches/SA-16:17/openssl-10.patch
+# fetch https://security.FreeBSD.org/patches/SA-16:17/openssl-10.patch.asc
+# gpg --verify openssl-10.patch.asc
+
+[FreeBSD 9.3]
+# fetch https://security.FreeBSD.org/patches/SA-16:17/openssl-9.patc
+# fetch https://security.FreeBSD.org/patches/SA-16:17/openssl-9.patch.asc
+# gpg --verify openssl-9.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all daemons that use the library, or reboot the system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/9/                                                         r299053
+releng/9.3/                                                       r299068
+stable/10/                                                        r298999
+releng/10.1/                                                      r299068
+releng/10.2/                                                      r299067
+releng/10.3/                                                      r299066
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>;
+
+VII. References
+
+<URL:https://www.openssl.org/news/secadv/20160503.txt>;
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2105>;
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2106>;
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2107>;
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2109>;
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2176>;
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:17.openssl.asc>;
+-----BEGIN PGP SIGNATURE-----
+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+=PGTh
+-----END PGP SIGNATURE-----
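
Review bot: In section V.3.a the [FreeBSD 9.3] fetch line reads `# fetch https://security.FreeBSD.org/patches/SA-16:17/openssl-9.patc`, missing the final "h"; the file added by this commit is openssl-9.patch, so the command as printed does not retrieve it and the following `gpg --verify openssl-9.patch.asc` has no patch to check. Section II also has "casuse" for "cause" in the CVE-2016-2109 paragraph. Both sit inside the clearsigned text, so correcting them means re-signing the advisory.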

Added: head/share/security/patches/EN-16:07/ipi.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/EN-16:07/ipi.patch	Wed May  4 22:52:54 2016	(r48779)
@@ -0,0 +1,103 @@
+--- sys/x86/x86/local_apic.c.orig
++++ sys/x86/x86/local_apic.c
+@@ -56,6 +56,7 @@
+ #include <vm/pmap.h>
+ 
+ #include <x86/apicreg.h>
++#include <machine/clock.h>
+ #include <machine/cputypes.h>
+ #include <machine/frame.h>
+ #include <machine/intr_machdep.h>
+@@ -158,6 +159,9 @@
+ vm_paddr_t lapic_paddr;
+ static u_long lapic_timer_divisor;
+ static struct eventtimer lapic_et;
++#ifdef SMP
++static uint64_t lapic_ipi_wait_mult;
++#endif
+ 
+ static void	lapic_enable(void);
+ static void	lapic_resume(struct pic *pic, bool suspend_cancelled);
+@@ -221,6 +225,9 @@
+ void
+ lapic_init(vm_paddr_t addr)
+ {
++#ifdef SMP
++	uint64_t r, r1, r2, rx;
++#endif
+ 	u_int regs[4];
+ 	int i, arat;
+ 
+@@ -275,6 +282,38 @@
+ 		lapic_et.et_priv = NULL;
+ 		et_register(&lapic_et);
+ 	}
++
++#ifdef SMP
++#define	LOOPS	1000000
++	/*
++	 * Calibrate the busy loop waiting for IPI ack in xAPIC mode.
++	 * lapic_ipi_wait_mult contains the number of iterations which
++	 * approximately delay execution for 1 microsecond (the
++	 * argument to native_lapic_ipi_wait() is in microseconds).
++	 *
++	 * We assume that TSC is present and already measured.
++	 * Possible TSC frequency jumps are irrelevant to the
++	 * calibration loop below, the CPU clock management code is
++	 * not yet started, and we do not enter sleep states.
++	 */
++	KASSERT((cpu_feature & CPUID_TSC) != 0 && tsc_freq != 0,
++	    ("TSC not initialized"));
++	r = rdtsc();
++	for (rx = 0; rx < LOOPS; rx++) {
++		(void)lapic->icr_lo;
++		ia32_pause();
++	}
++	r = rdtsc() - r;
++	r1 = tsc_freq * LOOPS;
++	r2 = r * 1000000;
++	lapic_ipi_wait_mult = r1 >= r2 ? r1 / r2 : 1;
++	if (bootverbose) {
++		printf("LAPIC: ipi_wait() us multiplier %ju (r %ju tsc %ju)\n",
++		    (uintmax_t)lapic_ipi_wait_mult, (uintmax_t)r,
++		    (uintmax_t)tsc_freq);
++	}
++#undef LOOPS
++#endif /* SMP */
+ }
+ 
+ /*
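
Review bot: The division in `lapic_ipi_wait_mult = r1 >= r2 ? r1 / r2 : 1;` is unguarded against r2 == 0: if the two rdtsc() reads around the loop return the same value, r is 0, r2 is 0, `r1 >= r2` holds and lapic_init() divides by zero. The KASSERT above only checks CPUID_TSC and tsc_freq, and does not cover a TSC that fails to advance. Testing `r2 != 0 && r1 >= r2` keeps the fallback multiplier of 1 for that case. Since LOOPS and the 1000000 factor are the same constant, the expression also reduces to tsc_freq / r, which would drop both multiplications.
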
+@@ -1381,25 +1420,20 @@
+  * private to the MD code.  The public interface for the rest of the
+  * kernel is defined in mp_machdep.c.
+  */
++
++/*
++ * Wait delay microseconds for IPI to be sent.  If delay is -1, we
++ * wait forever.
++ */
+ int
+ lapic_ipi_wait(int delay)
+ {
+-	int x;
++	uint64_t rx;
+ 
+-	/*
+-	 * Wait delay microseconds for IPI to be sent.  If delay is
+-	 * -1, we wait forever.
+-	 */
+-	if (delay == -1) {
+-		while ((lapic->icr_lo & APIC_DELSTAT_MASK) != APIC_DELSTAT_IDLE)
+-			ia32_pause();
+-		return (1);
+-	}
+-
+-	for (x = 0; x < delay; x += 5) {
++	for (rx = 0; delay == -1 || rx < lapic_ipi_wait_mult * delay; rx++) {
+ 		if ((lapic->icr_lo & APIC_DELSTAT_MASK) == APIC_DELSTAT_IDLE)
+ 			return (1);
+-		DELAY(5);
++		ia32_pause();
+ 	}
+ 	return (0);
+ }
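
Review bot: The loop bound `rx < lapic_ipi_wait_mult * delay` multiplies a uint64_t by the int `delay`, so any negative delay other than -1 is converted to a very large unsigned count and the loop spins almost indefinitely, whereas the removed `for (x = 0; x < delay; x += 5)` fell through to `return (0)` at once for such values. Either reject delay < -1 up front or document that -1 is the only negative value callers may pass. The new block comment could also say that the wait is an iteration count derived from the boot-time calibration rather than a timed delay.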

Added: head/share/security/patches/EN-16:07/ipi.patch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/EN-16:07/ipi.patch.asc	Wed May  4 22:52:54 2016	(r48779)
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=L412
+-----END PGP SIGNATURE-----

Added: head/share/security/patches/EN-16:08/zfs.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/EN-16:08/zfs.patch	Wed May  4 22:52:54 2016	(r48779)
@@ -0,0 +1,10 @@
+--- sys/cddl/compat/opensolaris/kern/opensolaris_vfs.c.orig
++++ sys/cddl/compat/opensolaris/kern/opensolaris_vfs.c
+@@ -196,6 +196,7 @@
+ 		VI_UNLOCK(vp);
+ 		vrele(vp);
+ 		vfs_unbusy(mp);
++		vfs_freeopts(mp->mnt_optnew);
+ 		vfs_mount_destroy(mp);
+ 		*vpp = NULL;
+ 		return (error);
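
Review bot: After the added `vfs_freeopts(mp->mnt_optnew);` the pointer is left dangling while `vfs_mount_destroy(mp)` runs on the next line; the hunk does not show whether the destroy path reads mnt_optnew, so setting it to NULL after the free, or confirming it is never touched there, would rule out a double free. It is also worth checking that mnt_optnew cannot be NULL on this error path, and that no other early return in this function leaks the same options list, since only this one exit is visible here.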

Added: head/share/security/patches/EN-16:08/zfs.patch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/EN-16:08/zfs.patch.asc	Wed May  4 22:52:54 2016	(r48779)
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=wnPD
+-----END PGP SIGNATURE-----

Added: head/share/security/patches/SA-16:06/libc.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-16:06/libc.patch	Wed May  4 22:52:54 2016	(r48779)
@@ -0,0 +1,12 @@
+--- lib/libc/db/hash/hash.c.orig
++++ lib/libc/db/hash/hash.c
+@@ -423,7 +423,8 @@
+ 		free(hashp->tmp_buf);
+ 
+ 	if (hashp->fp != -1) {
+-		(void)_fsync(hashp->fp);
++		if (hashp->save_file)
++			(void)_fsync(hashp->fp);
+ 		(void)_close(hashp->fp);
+ 	}
+ 
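
Review bot: The new `if (hashp->save_file)` guard has no comment linking it to the read-only case that EN-16:06 describes, so the reason the fsync is conditional is only recoverable from the errata text; a one-line comment would carry that into the source. On the path that still syncs, `(void)_fsync(hashp->fp);` continues to discard the result, so a failed flush of a modified database goes unreported before `_close`.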

Added: head/share/security/patches/SA-16:06/libc.patch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-16:06/libc.patch.asc	Wed May  4 22:52:54 2016	(r48779)
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABCgAGBQJXKj1xAAoJEO1n7NZdz2rnBE4QALyliMFWZRH6HNFUOmUzpb82
+ukBfKSS7MA2xXoFAZAGcpStuHRVg8sl21s4tGtnSa7Q9VkDzr898BG4mFlf+ZNWc
+qHZqaZcQbJAJofrywklu4XCss0V9pv5WQ5TPnIaddoQs/USbbx4nZFyiY7p3XFHc
+D9U30O8/QAUJO//TwHcQftbhNRJiVINWiGaNlKzf/tW5LipkA+GuMrLjqodA0FjN
+nTZo469DWm26YzVKx7QH0ZobqEhK+7P/4Uo+gMLhXfBXnh+EX4P1w+gsYPXOhy02
+bL0MsqG9F7tpcNI6tlxjNP0V6PjMCtuEuQ0Fk4rkPEZJDq9B6dc9wY9Vxas5hQ8n
+IsNkMeIfNz9plK9WFTwfOiwu9IO84J0xhHgdp4cHqbvFcDSxU+GrtYU2zmPqoxJe
+uT+KqdhfC533oN6CXzKzrn+kcxx2NuBt2lIjsg8K1V1Q/ovYpopdPfTOColDdBKZ
+41XBo5AdDVS1liTNTiXtjUL9A5Eb8876Be4O+yvhQiXYsRFhQ7Kw2talGLiiJWlP
+MOWEtBAvkFYZPedGNnIc+dmtBQ3G2uqEd/w4ZO0tgxkL0jt2b02s9xD0Y3YU9Xtp
+f/sjoxT2kWNeQ8MS+zWh2dEj9OIxAerdOZsOSJmchqNHXD3Rv+99jmK/IY78LmbZ
+5+hYuoGy4zOMHFXMJ8vm
+=9bAQ
+-----END PGP SIGNATURE-----

Added: head/share/security/patches/SA-16:17/openssl-10.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-16:17/openssl-10.patch	Wed May  4 22:52:54 2016	(r48779)
@@ -0,0 +1,127 @@
+--- crypto/openssl/crypto/asn1/a_type.c.orig
++++ crypto/openssl/crypto/asn1/a_type.c
+@@ -126,9 +126,7 @@
+         result = 0;             /* They do not have content. */
+         break;
+     case V_ASN1_INTEGER:
+-    case V_ASN1_NEG_INTEGER:
+     case V_ASN1_ENUMERATED:
+-    case V_ASN1_NEG_ENUMERATED:
+     case V_ASN1_BIT_STRING:
+     case V_ASN1_OCTET_STRING:
+     case V_ASN1_SEQUENCE:
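
Review bot: The removal of `case V_ASN1_NEG_INTEGER:` and `case V_ASN1_NEG_ENUMERATED:` here, repeated in the tasn_dec.c and tasn_enc.c hunks that follow, is not explained by any item in section II of FreeBSD-SA-16:17.openssl.asc in this same commit, which covers the AES-NI padding check, EVP_EncodeUpdate(), EVP_EncryptUpdate(), d2i BIO reads and X509_NAME_oneline(). Please say in the advisory or the commit log what these hunks fix, and which branch of the switch the two tag values now fall into, since that branch is outside the visible context.
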
+--- crypto/openssl/crypto/asn1/tasn_dec.c.orig
++++ crypto/openssl/crypto/asn1/tasn_dec.c
+@@ -903,9 +903,7 @@
+         break;
+ 
+     case V_ASN1_INTEGER:
+-    case V_ASN1_NEG_INTEGER:
+     case V_ASN1_ENUMERATED:
+-    case V_ASN1_NEG_ENUMERATED:
+         tint = (ASN1_INTEGER **)pval;
+         if (!c2i_ASN1_INTEGER(tint, &cont, len))
+             goto err;
+--- crypto/openssl/crypto/asn1/tasn_enc.c.orig
++++ crypto/openssl/crypto/asn1/tasn_enc.c
+@@ -611,9 +611,7 @@
+         break;
+ 
+     case V_ASN1_INTEGER:
+-    case V_ASN1_NEG_INTEGER:
+     case V_ASN1_ENUMERATED:
+-    case V_ASN1_NEG_ENUMERATED:
+         /*
+          * These are all have the same content format as ASN1_INTEGER
+          */
+--- crypto/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c.orig
++++ crypto/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c
+@@ -59,6 +59,7 @@
+ # include <openssl/aes.h>
+ # include <openssl/sha.h>
+ # include "evp_locl.h"
++# include "constant_time_locl.h"
+ 
+ # ifndef EVP_CIPH_FLAG_AEAD_CIPHER
+ #  define EVP_CIPH_FLAG_AEAD_CIPHER       0x200000
+@@ -286,6 +287,8 @@
+             maxpad |= (255 - maxpad) >> (sizeof(maxpad) * 8 - 8);
+             maxpad &= 255;
+ 
++            ret &= constant_time_ge(maxpad, pad);
++
+             inp_len = len - (SHA_DIGEST_LENGTH + pad + 1);
+             mask = (0 - ((inp_len - len) >> (sizeof(inp_len) * 8 - 1)));
+             inp_len &= mask;
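
Review bot: the new `ret &= constant_time_ge(maxpad, pad);` carries no comment, and the `inp_len = len - (SHA_DIGEST_LENGTH + pad + 1)` line directly after it still runs with the unchecked `pad`. Add a comment saying the line rejects a padding length above `maxpad` without branching on it, and confirm that `ret` is only acted on after the `mask` logic has neutralised an underflowed `inp_len`.
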
+--- crypto/openssl/crypto/evp/encode.c.orig
++++ crypto/openssl/crypto/evp/encode.c
+@@ -57,6 +57,7 @@
+  */
+ 
+ #include <stdio.h>
++#include <limits.h>
+ #include "cryptlib.h"
+ #include <openssl/evp.h>
+ 
+@@ -151,13 +152,13 @@
+                       const unsigned char *in, int inl)
+ {
+     int i, j;
+-    unsigned int total = 0;
++    size_t total = 0;
+ 
+     *outl = 0;
+     if (inl <= 0)
+         return;
+     OPENSSL_assert(ctx->length <= (int)sizeof(ctx->enc_data));
+-    if ((ctx->num + inl) < ctx->length) {
++    if (ctx->length - ctx->num > inl) {
+         memcpy(&(ctx->enc_data[ctx->num]), in, inl);
+         ctx->num += inl;
+         return;
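
Review bot: `ctx->length - ctx->num > inl` avoids the signed overflow that `ctx->num + inl` could hit for a large `inl`, but the safety of the `memcpy` into `&(ctx->enc_data[ctx->num])` still rests on `ctx->num` lying between 0 and `ctx->length`, which nothing in view asserts. The one `OPENSSL_assert` here covers `ctx->length` against `sizeof(ctx->enc_data)` only; consider asserting the bound on `ctx->num` as well, or stating the invariant in a comment.
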
+@@ -174,7 +175,7 @@
+         *out = '\0';
+         total = j + 1;
+     }
+-    while (inl >= ctx->length) {
++    while (inl >= ctx->length && total <= INT_MAX) {
+         j = EVP_EncodeBlock(out, in, ctx->length);
+         in += ctx->length;
+         inl -= ctx->length;
+@@ -183,6 +184,11 @@
+         *out = '\0';
+         total += j + 1;
+     }
++    if (total > INT_MAX) {
++        /* Too much output data! */
++        *outl = 0;
++        return;
++    }
+     if (inl != 0)
+         memcpy(&(ctx->enc_data[0]), in, inl);
+     ctx->num = inl;
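
Review bot: the new `if (total > INT_MAX)` branch sets `*outl = 0` and returns without a value, so a caller cannot tell an oversized input from a call that simply produced no output yet. The branch also skips the trailing `memcpy` and `ctx->num = inl` update while the blocks already written to `out` stay there. Document in the function comment that `*outl == 0` after a large input means the data was rejected and the context should not be reused, or give callers a way to detect the failure.
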
+--- crypto/openssl/crypto/evp/evp_enc.c.orig
++++ crypto/openssl/crypto/evp/evp_enc.c
+@@ -334,7 +334,7 @@
+     bl = ctx->cipher->block_size;
+     OPENSSL_assert(bl <= (int)sizeof(ctx->buf));
+     if (i != 0) {
+-        if (i + inl < bl) {
++        if (bl - i > inl) {
+             memcpy(&(ctx->buf[i]), in, inl);
+             ctx->buf_len += inl;
+             *outl = 0;
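
Review bot: `bl - i > inl` removes the overflow in `i + inl`, but the rewritten test has no comment saying that is the reason for the unusual form, so a later cleanup could easily restore the addition. Add a one-line comment above the `if`, and note that `bl - i` assumes `i` does not exceed `bl`, which the `OPENSSL_assert` in view does not check (it covers `bl` against `sizeof(ctx->buf)`).
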
+--- crypto/openssl/crypto/x509/x509_obj.c.orig
++++ crypto/openssl/crypto/x509/x509_obj.c
+@@ -117,8 +117,9 @@
+             type == V_ASN1_PRINTABLESTRING ||
+             type == V_ASN1_TELETEXSTRING ||
+             type == V_ASN1_VISIBLESTRING || type == V_ASN1_IA5STRING) {
+-            ascii2ebcdic(ebcdic_buf, q, (num > sizeof ebcdic_buf)
+-                         ? sizeof ebcdic_buf : num);
++            if (num > (int)sizeof(ebcdic_buf))
++                num = sizeof(ebcdic_buf);
++            ascii2ebcdic(ebcdic_buf, q, num);
+             q = ebcdic_buf;
+         }
+ #endif
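
Review bot: the replacement clamps `num` itself rather than only the length passed to `ascii2ebcdic`, so any code after this block that reads `num` now sees the truncated value; confirm that is intended. If `num` is a signed int, as the `(int)` cast suggests, the comparison is now signed and a negative `num` passes unclamped into `ascii2ebcdic(ebcdic_buf, q, num)`, whereas the old mixed comparison against `sizeof ebcdic_buf` would have clamped it. Add a lower-bound check or state where `num` is guaranteed non-negative.
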

Added: head/share/security/patches/SA-16:17/openssl-10.patch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-16:17/openssl-10.patch.asc	Wed May  4 22:52:54 2016	(r48779)
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=sQdP
+-----END PGP SIGNATURE-----

Added: head/share/security/patches/SA-16:17/openssl-9.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-16:17/openssl-9.patch	Wed May  4 22:52:54 2016	(r48779)
@@ -0,0 +1,108 @@
+--- crypto/openssl/crypto/asn1/a_type.c.orig
++++ crypto/openssl/crypto/asn1/a_type.c
+@@ -123,9 +123,7 @@
+         result = 0;             /* They do not have content. */
+         break;
+     case V_ASN1_INTEGER:
+-    case V_ASN1_NEG_INTEGER:
+     case V_ASN1_ENUMERATED:
+-    case V_ASN1_NEG_ENUMERATED:
+     case V_ASN1_BIT_STRING:
+     case V_ASN1_OCTET_STRING:
+     case V_ASN1_SEQUENCE:
+--- crypto/openssl/crypto/asn1/tasn_dec.c.orig
++++ crypto/openssl/crypto/asn1/tasn_dec.c
+@@ -901,9 +901,7 @@
+         break;
+ 
+     case V_ASN1_INTEGER:
+-    case V_ASN1_NEG_INTEGER:
+     case V_ASN1_ENUMERATED:
+-    case V_ASN1_NEG_ENUMERATED:
+         tint = (ASN1_INTEGER **)pval;
+         if (!c2i_ASN1_INTEGER(tint, &cont, len))
+             goto err;
+--- crypto/openssl/crypto/asn1/tasn_enc.c.orig
++++ crypto/openssl/crypto/asn1/tasn_enc.c
+@@ -610,9 +610,7 @@
+         break;
+ 
+     case V_ASN1_INTEGER:
+-    case V_ASN1_NEG_INTEGER:
+     case V_ASN1_ENUMERATED:
+-    case V_ASN1_NEG_ENUMERATED:
+         /*
+          * These are all have the same content format as ASN1_INTEGER
+          */
+--- crypto/openssl/crypto/evp/encode.c.orig
++++ crypto/openssl/crypto/evp/encode.c
+@@ -57,6 +57,7 @@
+  */
+ 
+ #include <stdio.h>
++#include <limits.h>
+ #include "cryptlib.h"
+ #include <openssl/evp.h>
+ 
+@@ -134,13 +135,13 @@
+                       const unsigned char *in, int inl)
+ {
+     int i, j;
+-    unsigned int total = 0;
++    size_t total = 0;
+ 
+     *outl = 0;
+     if (inl == 0)
+         return;
+     OPENSSL_assert(ctx->length <= (int)sizeof(ctx->enc_data));
+-    if ((ctx->num + inl) < ctx->length) {
++    if (ctx->length - ctx->num > inl) {
+         memcpy(&(ctx->enc_data[ctx->num]), in, inl);
+         ctx->num += inl;
+         return;
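
Review bot: in this branch the early-exit guard in the context is `if (inl == 0)`, where the openssl-10.patch version of the same function has `if (inl <= 0)`. A negative `inl` therefore reaches `ctx->length - ctx->num > inl`, satisfies it, and is passed to `memcpy` as the length. Tighten the guard to `inl <= 0` in the same hunk.
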
+@@ -157,7 +158,7 @@
+         *out = '\0';
+         total = j + 1;
+     }
+-    while (inl >= ctx->length) {
++    while (inl >= ctx->length && total <= INT_MAX) {
+         j = EVP_EncodeBlock(out, in, ctx->length);
+         in += ctx->length;
+         inl -= ctx->length;
+@@ -166,6 +167,11 @@
+         *out = '\0';
+         total += j + 1;
+     }
++    if (total > INT_MAX) {
++        /* Too much output data! */

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***


