From owner-freebsd-security@FreeBSD.ORG Thu Mar 19 22:11:47 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 2D6A9AE2 for ; Thu, 19 Mar 2015 22:11:47 +0000 (UTC) Received: from ox.tedunangst.com (ox.tedunangst.com [208.82.130.146]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id BD3F2FE7 for ; Thu, 19 Mar 2015 22:11:46 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]); by ox.tedunangst.com (OpenSMTPD) with ESMTP id 92644697; for ; Thu, 19 Mar 2015 18:05:06 -0400 (EDT) From: "Ted Unangst" Message-ID: To: freebsd-security@freebsd.org Date: Thu, 19 Mar 2015 18:04:44 -0400 Subject: bad patch for openssl Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset=utf-8 X-Mailman-Approved-At: Thu, 19 Mar 2015 22:31:08 +0000 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 19 Mar 2015 22:11:47 -0000 I notice the posted patch includes a change to tasn_dec.c that doesn't work. - if (ASN1_item_ex_d2i(pval, in, len, it, -1, 0, 0, &c) > 0) - return *pval; + if (pval && *pval && it->itype == ASN1_ITYPE_PRIMITIVE) + ptmpval = *pval; + if (ASN1_item_ex_d2i(&ptmpval, in, len, it, -1, 0, 0, &c) > 0) { This will, among other things, prevent nginx 1.6 from loading keys. The diff was included in the preannouncement material, but is not part of the any of the final openssl releases.