From owner-svn-src-all@freebsd.org Sat Dec 5 09:54:00 2015 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 9529BA42040; Sat, 5 Dec 2015 09:54:00 +0000 (UTC) (envelope-from delphij@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 56720122A; Sat, 5 Dec 2015 09:54:00 +0000 (UTC) (envelope-from delphij@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id tB59rxmE010601; Sat, 5 Dec 2015 09:53:59 GMT (envelope-from delphij@FreeBSD.org) Received: (from delphij@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id tB59rwkT010587; Sat, 5 Dec 2015 09:53:58 GMT (envelope-from delphij@FreeBSD.org) Message-Id: <201512050953.tB59rwkT010587@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: delphij set sender to delphij@FreeBSD.org using -f From: Xin LI Date: Sat, 5 Dec 2015 09:53:58 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r291854 - in releng: 10.1 10.1/crypto/openssl/crypto/asn1 10.1/crypto/openssl/crypto/rsa 10.1/crypto/openssl/ssl 10.1/sys/conf 10.2 10.2/crypto/openssl/crypto/asn1 10.2/crypto/openssl/c... X-SVN-Group: releng MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 05 Dec 2015 09:54:00 -0000 Author: delphij Date: Sat Dec 5 09:53:58 2015 New Revision: 291854 URL: https://svnweb.freebsd.org/changeset/base/291854 Log: Fix OpenSSL multiple vulnerabilities. Security: FreeBSD-SA-15:26.openssl Approved by: so Modified: releng/10.1/UPDATING releng/10.1/crypto/openssl/crypto/asn1/tasn_dec.c releng/10.1/crypto/openssl/crypto/rsa/rsa_ameth.c releng/10.1/crypto/openssl/ssl/s3_clnt.c releng/10.1/crypto/openssl/ssl/s3_srvr.c releng/10.1/sys/conf/newvers.sh releng/10.2/UPDATING releng/10.2/crypto/openssl/crypto/asn1/tasn_dec.c releng/10.2/crypto/openssl/crypto/rsa/rsa_ameth.c releng/10.2/sys/conf/newvers.sh releng/9.3/UPDATING releng/9.3/crypto/openssl/crypto/asn1/tasn_dec.c releng/9.3/sys/conf/newvers.sh Modified: releng/10.1/UPDATING ============================================================================== --- releng/10.1/UPDATING Sat Dec 5 09:50:37 2015 (r291853) +++ releng/10.1/UPDATING Sat Dec 5 09:53:58 2015 (r291854) @@ -16,6 +16,10 @@ from older versions of FreeBSD, try WITH stable/10, and then rebuild without this option. The bootstrap process from older version of current is a bit fragile. +20151205 p25 FreeBSD-SA-15:26.openssl + + Fix multiple OpenSSL vulnerabilities. [SA-15:26] + 20151104 p24 FreeBSD-SA-15:25.ntp [revised] FreeBSD-EN-15:19.kqueue FreeBSD-EN-15:20.vm Modified: releng/10.1/crypto/openssl/crypto/asn1/tasn_dec.c ============================================================================== --- releng/10.1/crypto/openssl/crypto/asn1/tasn_dec.c Sat Dec 5 09:50:37 2015 (r291853) +++ releng/10.1/crypto/openssl/crypto/asn1/tasn_dec.c Sat Dec 5 09:53:58 2015 (r291854) @@ -169,6 +169,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, int otag; int ret = 0; ASN1_VALUE **pchptr, *ptmpval; + int combine = aclass & ASN1_TFLG_COMBINE; + aclass &= ~ASN1_TFLG_COMBINE; if (!pval) return 0; if (aux && aux->asn1_cb) @@ -534,7 +536,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, auxerr: ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR); err: - ASN1_item_ex_free(pval, it); + if (combine == 0) + ASN1_item_ex_free(pval, it); if (errtt) ERR_add_error_data(4, "Field=", errtt->field_name, ", Type=", it->sname); @@ -762,7 +765,7 @@ static int asn1_template_noexp_d2i(ASN1_ { /* Nothing special */ ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), - -1, 0, opt, ctx); + -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx); if (!ret) { ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, Modified: releng/10.1/crypto/openssl/crypto/rsa/rsa_ameth.c ============================================================================== --- releng/10.1/crypto/openssl/crypto/rsa/rsa_ameth.c Sat Dec 5 09:50:37 2015 (r291853) +++ releng/10.1/crypto/openssl/crypto/rsa/rsa_ameth.c Sat Dec 5 09:53:58 2015 (r291854) @@ -287,7 +287,7 @@ static RSA_PSS_PARAMS *rsa_pss_decode(co { ASN1_TYPE *param = pss->maskGenAlgorithm->parameter; if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) == NID_mgf1 - && param->type == V_ASN1_SEQUENCE) + && param && param->type == V_ASN1_SEQUENCE) { p = param->value.sequence->data; plen = param->value.sequence->length; Modified: releng/10.1/crypto/openssl/ssl/s3_clnt.c ============================================================================== --- releng/10.1/crypto/openssl/ssl/s3_clnt.c Sat Dec 5 09:50:37 2015 (r291853) +++ releng/10.1/crypto/openssl/ssl/s3_clnt.c Sat Dec 5 09:53:58 2015 (r291854) @@ -1360,8 +1360,6 @@ int ssl3_get_key_exchange(SSL *s) #ifndef OPENSSL_NO_PSK if (alg_k & SSL_kPSK) { - char tmp_id_hint[PSK_MAX_IDENTITY_LEN+1]; - param_len = 2; if (param_len > n) { @@ -1390,16 +1388,8 @@ int ssl3_get_key_exchange(SSL *s) } param_len += i; - /* If received PSK identity hint contains NULL - * characters, the hint is truncated from the first - * NULL. p may not be ending with NULL, so create a - * NULL-terminated string. */ - memcpy(tmp_id_hint, p, i); - memset(tmp_id_hint+i, 0, PSK_MAX_IDENTITY_LEN+1-i); - if (s->ctx->psk_identity_hint != NULL) - OPENSSL_free(s->ctx->psk_identity_hint); - s->ctx->psk_identity_hint = BUF_strdup(tmp_id_hint); - if (s->ctx->psk_identity_hint == NULL) + s->session->psk_identity_hint = BUF_strndup((char *)p, i); + if (s->session->psk_identity_hint == NULL) { al=SSL_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); @@ -3009,7 +2999,7 @@ int ssl3_send_client_key_exchange(SSL *s } memset(identity, 0, sizeof(identity)); - psk_len = s->psk_client_callback(s, s->ctx->psk_identity_hint, + psk_len = s->psk_client_callback(s, s->session->psk_identity_hint, identity, sizeof(identity) - 1, psk_or_pre_ms, sizeof(psk_or_pre_ms)); if (psk_len > PSK_MAX_PSK_LEN) Modified: releng/10.1/crypto/openssl/ssl/s3_srvr.c ============================================================================== --- releng/10.1/crypto/openssl/ssl/s3_srvr.c Sat Dec 5 09:50:37 2015 (r291853) +++ releng/10.1/crypto/openssl/ssl/s3_srvr.c Sat Dec 5 09:53:58 2015 (r291854) @@ -2827,7 +2827,7 @@ int ssl3_get_client_key_exchange(SSL *s) if (s->session->psk_identity != NULL) OPENSSL_free(s->session->psk_identity); - s->session->psk_identity = BUF_strdup((char *)p); + s->session->psk_identity = BUF_strndup((char *)p, i); if (s->session->psk_identity == NULL) { SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, Modified: releng/10.1/sys/conf/newvers.sh ============================================================================== --- releng/10.1/sys/conf/newvers.sh Sat Dec 5 09:50:37 2015 (r291853) +++ releng/10.1/sys/conf/newvers.sh Sat Dec 5 09:53:58 2015 (r291854) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="10.1" -BRANCH="RELEASE-p24" +BRANCH="RELEASE-p25" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/10.2/UPDATING ============================================================================== --- releng/10.2/UPDATING Sat Dec 5 09:50:37 2015 (r291853) +++ releng/10.2/UPDATING Sat Dec 5 09:53:58 2015 (r291854) @@ -16,6 +16,10 @@ from older versions of FreeBSD, try WITH stable/10, and then rebuild without this option. The bootstrap process from older version of current is a bit fragile. +20151205 p8 FreeBSD-SA-15:26.openssl + + Fix multiple OpenSSL vulnerabilities. [SA-15:26] + 20151104 p7 FreeBSD-SA-15:25.ntp [revised] FreeBSD-EN-15:19.kqueue FreeBSD-EN-15:20.vm Modified: releng/10.2/crypto/openssl/crypto/asn1/tasn_dec.c ============================================================================== --- releng/10.2/crypto/openssl/crypto/asn1/tasn_dec.c Sat Dec 5 09:50:37 2015 (r291853) +++ releng/10.2/crypto/openssl/crypto/asn1/tasn_dec.c Sat Dec 5 09:53:58 2015 (r291854) @@ -180,6 +180,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, int otag; int ret = 0; ASN1_VALUE **pchptr, *ptmpval; + int combine = aclass & ASN1_TFLG_COMBINE; + aclass &= ~ASN1_TFLG_COMBINE; if (!pval) return 0; if (aux && aux->asn1_cb) @@ -500,7 +502,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, auxerr: ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR); err: - ASN1_item_ex_free(pval, it); + if (combine == 0) + ASN1_item_ex_free(pval, it); if (errtt) ERR_add_error_data(4, "Field=", errtt->field_name, ", Type=", it->sname); @@ -689,7 +692,7 @@ static int asn1_template_noexp_d2i(ASN1_ } else { /* Nothing special */ ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), - -1, 0, opt, ctx); + -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx); if (!ret) { ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR); goto err; Modified: releng/10.2/crypto/openssl/crypto/rsa/rsa_ameth.c ============================================================================== --- releng/10.2/crypto/openssl/crypto/rsa/rsa_ameth.c Sat Dec 5 09:50:37 2015 (r291853) +++ releng/10.2/crypto/openssl/crypto/rsa/rsa_ameth.c Sat Dec 5 09:53:58 2015 (r291854) @@ -279,7 +279,7 @@ static RSA_PSS_PARAMS *rsa_pss_decode(co if (pss->maskGenAlgorithm) { ASN1_TYPE *param = pss->maskGenAlgorithm->parameter; if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) == NID_mgf1 - && param->type == V_ASN1_SEQUENCE) { + && param && param->type == V_ASN1_SEQUENCE) { p = param->value.sequence->data; plen = param->value.sequence->length; *pmaskHash = d2i_X509_ALGOR(NULL, &p, plen); Modified: releng/10.2/sys/conf/newvers.sh ============================================================================== --- releng/10.2/sys/conf/newvers.sh Sat Dec 5 09:50:37 2015 (r291853) +++ releng/10.2/sys/conf/newvers.sh Sat Dec 5 09:53:58 2015 (r291854) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="10.2" -BRANCH="RELEASE-p7" +BRANCH="RELEASE-p8" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/9.3/UPDATING ============================================================================== --- releng/9.3/UPDATING Sat Dec 5 09:50:37 2015 (r291853) +++ releng/9.3/UPDATING Sat Dec 5 09:53:58 2015 (r291854) @@ -11,6 +11,10 @@ handbook: Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before running portupgrade. +20151205 p31 FreeBSD-SA-15:26.openssl + + Fix OpenSSL X509_ATTRIBUTE memory leak. [SA-15:26] + 20151104 p30 FreeBSD-SA-15:25.ntp [revised] FreeBSD-EN-15:19.kqueue FreeBSD-EN-15:20.vm Modified: releng/9.3/crypto/openssl/crypto/asn1/tasn_dec.c ============================================================================== --- releng/9.3/crypto/openssl/crypto/asn1/tasn_dec.c Sat Dec 5 09:50:37 2015 (r291853) +++ releng/9.3/crypto/openssl/crypto/asn1/tasn_dec.c Sat Dec 5 09:53:58 2015 (r291854) @@ -167,6 +167,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, int otag; int ret = 0; ASN1_VALUE **pchptr, *ptmpval; + int combine = aclass & ASN1_TFLG_COMBINE; + aclass &= ~ASN1_TFLG_COMBINE; if (!pval) return 0; if (aux && aux->asn1_cb) @@ -532,7 +534,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, auxerr: ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR); err: - ASN1_item_ex_free(pval, it); + if (combine == 0) + ASN1_item_ex_free(pval, it); if (errtt) ERR_add_error_data(4, "Field=", errtt->field_name, ", Type=", it->sname); @@ -758,7 +761,7 @@ static int asn1_template_noexp_d2i(ASN1_ { /* Nothing special */ ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), - -1, 0, opt, ctx); + -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx); if (!ret) { ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, Modified: releng/9.3/sys/conf/newvers.sh ============================================================================== --- releng/9.3/sys/conf/newvers.sh Sat Dec 5 09:50:37 2015 (r291853) +++ releng/9.3/sys/conf/newvers.sh Sat Dec 5 09:53:58 2015 (r291854) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="9.3" -BRANCH="RELEASE-p30" +BRANCH="RELEASE-p31" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi