* [PATCH][dizzy][daisy][dylan] openssl: fix for CVE-2015-3195
@ 2015-12-11 8:13 Fan Xin
2015-12-14 8:00 ` Sona Sarmadi
0 siblings, 1 reply; 3+ messages in thread
From: Fan Xin @ 2015-12-11 8:13 UTC (permalink / raw)
To: openembedded-core; +Cc: Fan Xin
This vulnerability affects OpenSSL versions 1.0.2 and 1.0.1, 1.0.0 and 0.9.8.
So the patch also should be merged into dizzy, daisy and dylan.
Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com>
---
.../0001-Fix-leak-with-ASN.1-combine.patch | 65 ++++++++++++++++++++++
.../recipes-connectivity/openssl/openssl_1.0.1e.bb | 1 +
2 files changed, 66 insertions(+)
create mode 100644 meta/recipes-connectivity/openssl/openssl-1.0.1e/0001-Fix-leak-with-ASN.1-combine.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/0001-Fix-leak-with-ASN.1-combine.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/0001-Fix-leak-with-ASN.1-combine.patch
new file mode 100644
index 0000000..5bda457
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/0001-Fix-leak-with-ASN.1-combine.patch
@@ -0,0 +1,65 @@
+Upstream-Status: Backport
+
+This patch was imprted from
+https://git.openssl.org/?p=openssl.git;a=commit;h=cc598f321fbac9c04da5766243ed55d55948637d
+
+Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com>
+
+From cc598f321fbac9c04da5766243ed55d55948637d Mon Sep 17 00:00:00 2001
+From: Dr. Stephen Henson <steve@openssl.org>
+Date: Tue, 10 Nov 2015 19:03:07 +0000
+Subject: [PATCH] Fix leak with ASN.1 combine.
+
+When parsing a combined structure pass a flag to the decode routine
+so on error a pointer to the parent structure is not zeroed as
+this will leak any additional components in the parent.
+
+This can leak memory in any application parsing PKCS#7 or CMS structures.
+
+CVE-2015-3195.
+
+Thanks to Adam Langley (Google/BoringSSL) for discovering this bug using
+libFuzzer.
+
+PR#4131
+
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+---
+ crypto/asn1/tasn_dec.c | 7 +++++--
+ 1 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c
+index febf605..9256049 100644
+--- a/crypto/asn1/tasn_dec.c
++++ b/crypto/asn1/tasn_dec.c
+@@ -180,6 +180,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
+ int otag;
+ int ret = 0;
+ ASN1_VALUE **pchptr, *ptmpval;
++ int combine = aclass & ASN1_TFLG_COMBINE;
++ aclass &= ~ASN1_TFLG_COMBINE;
+ if (!pval)
+ return 0;
+ if (aux && aux->asn1_cb)
+@@ -500,7 +502,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
+ auxerr:
+ ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR);
+ err:
+- ASN1_item_ex_free(pval, it);
++ if (combine == 0)
++ ASN1_item_ex_free(pval, it);
+ if (errtt)
+ ERR_add_error_data(4, "Field=", errtt->field_name,
+ ", Type=", it->sname);
+@@ -689,7 +692,7 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
+ } else {
+ /* Nothing special */
+ ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
+- -1, 0, opt, ctx);
++ -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx);
+ if (!ret) {
+ ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR);
+ goto err;
+--
+1.7.0.4
+
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb b/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb
index bc1b944..dbc2da2 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb
@@ -37,6 +37,7 @@ SRC_URI += "file://configure-targets.patch \
file://0001-Use-version-in-SSL_METHOD-not-SSL-structure.patch \
file://CVE-2014-0160.patch \
file://openssl-CVE-2014-0198-fix.patch \
+ file://0001-Fix-leak-with-ASN.1-combine.patch \
"
SRC_URI[md5sum] = "66bf6f10f060d561929de96f9dfe5b8c"
--
1.8.4.2
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH][dizzy][daisy][dylan] openssl: fix for CVE-2015-3195
2015-12-11 8:13 [PATCH][dizzy][daisy][dylan] openssl: fix for CVE-2015-3195 Fan Xin
@ 2015-12-14 8:00 ` Sona Sarmadi
2015-12-14 8:46 ` Fan Xin
0 siblings, 1 reply; 3+ messages in thread
From: Sona Sarmadi @ 2015-12-14 8:00 UTC (permalink / raw)
To: Fan Xin, openembedded-core
Hi Fan,
dizzy branch has Openssl version 1.0.1p now:
http://git.yoctoproject.org/cgit/cgit.cgi/poky/tree/meta/recipes-connectivity/openssl/openssl_1.0.1p.bb?h=dizzy
How can this patch be applied to dizzy branch?
You have only sent patch for CVE-2015-3195, how about CVE-2015-3194?
CVE-2015-3193 does not seem to affect OpenSSL version 1.0.1 according to Mitre:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3193
CVE-2015-3193 (OpenSSL 1.0.2)
CVE-2015-3194 (OpenSSL 1.0.1 before 1.0.1q and 1.0.2 before 1.0.2e)
CVE-2015-3195 (OpenSSL before before 1.0.0t, 1.0.1 before 1.0.1q, and 1.0.2 before 1.0.2e)
Regards
//Sona
> -----Original Message-----
> From: openembedded-core-bounces@lists.openembedded.org
> [mailto:openembedded-core-bounces@lists.openembedded.org] On Behalf
> Of Fan Xin
> Sent: den 11 december 2015 09:14
> To: openembedded-core@lists.openembedded.org
> Cc: Fan Xin <fan.xin@jp.fujitsu.com>
> Subject: [OE-core] [PATCH][dizzy][daisy][dylan] openssl: fix for CVE-2015-
> 3195
>
> This vulnerability affects OpenSSL versions 1.0.2 and 1.0.1, 1.0.0 and 0.9.8.
> So the patch also should be merged into dizzy, daisy and dylan.
>
> Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com>
> ---
> .../0001-Fix-leak-with-ASN.1-combine.patch | 65
> ++++++++++++++++++++++
> .../recipes-connectivity/openssl/openssl_1.0.1e.bb | 1 +
> 2 files changed, 66 insertions(+)
> create mode 100644 meta/recipes-connectivity/openssl/openssl-
> 1.0.1e/0001-Fix-leak-with-ASN.1-combine.patch
>
> diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/0001-Fix-leak-
> with-ASN.1-combine.patch b/meta/recipes-connectivity/openssl/openssl-
> 1.0.1e/0001-Fix-leak-with-ASN.1-combine.patch
> new file mode 100644
> index 0000000..5bda457
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/0001-Fix-leak-wit
> +++ h-ASN.1-combine.patch
> @@ -0,0 +1,65 @@
> +Upstream-Status: Backport
> +
> +This patch was imprted from
> +https://git.openssl.org/?p=openssl.git;a=commit;h=cc598f321fbac9c04da57
> +66243ed55d55948637d
> +
> +Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com>
> +
> +From cc598f321fbac9c04da5766243ed55d55948637d Mon Sep 17
> 00:00:00 2001
> +From: Dr. Stephen Henson <steve@openssl.org>
> +Date: Tue, 10 Nov 2015 19:03:07 +0000
> +Subject: [PATCH] Fix leak with ASN.1 combine.
> +
> +When parsing a combined structure pass a flag to the decode routine so
> +on error a pointer to the parent structure is not zeroed as this will
> +leak any additional components in the parent.
> +
> +This can leak memory in any application parsing PKCS#7 or CMS structures.
> +
> +CVE-2015-3195.
> +
> +Thanks to Adam Langley (Google/BoringSSL) for discovering this bug
> +using libFuzzer.
> +
> +PR#4131
> +
> +Reviewed-by: Richard Levitte <levitte@openssl.org>
> +---
> + crypto/asn1/tasn_dec.c | 7 +++++--
> + 1 files changed, 5 insertions(+), 2 deletions(-)
> +
> +diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c index
> +febf605..9256049 100644
> +--- a/crypto/asn1/tasn_dec.c
> ++++ b/crypto/asn1/tasn_dec.c
> +@@ -180,6 +180,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const
> unsigned char **in, long len,
> + int otag;
> + int ret = 0;
> + ASN1_VALUE **pchptr, *ptmpval;
> ++ int combine = aclass & ASN1_TFLG_COMBINE;
> ++ aclass &= ~ASN1_TFLG_COMBINE;
> + if (!pval)
> + return 0;
> + if (aux && aux->asn1_cb)
> +@@ -500,7 +502,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const
> +unsigned char **in, long len,
> + auxerr:
> + ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR);
> + err:
> +- ASN1_item_ex_free(pval, it);
> ++ if (combine == 0)
> ++ ASN1_item_ex_free(pval, it);
> + if (errtt)
> + ERR_add_error_data(4, "Field=", errtt->field_name,
> + ", Type=", it->sname); @@ -689,7 +692,7 @@
> +static int asn1_template_noexp_d2i(ASN1_VALUE **val,
> + } else {
> + /* Nothing special */
> + ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
> +- -1, 0, opt, ctx);
> ++ -1, tt->flags & ASN1_TFLG_COMBINE, opt,
> ++ ctx);
> + if (!ret) {
> + ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I,
> ERR_R_NESTED_ASN1_ERROR);
> + goto err;
> +--
> +1.7.0.4
> +
> diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb
> b/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb
> index bc1b944..dbc2da2 100644
> --- a/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb
> +++ b/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb
> @@ -37,6 +37,7 @@ SRC_URI += "file://configure-targets.patch \
> file://0001-Use-version-in-SSL_METHOD-not-SSL-structure.patch \
> file://CVE-2014-0160.patch \
> file://openssl-CVE-2014-0198-fix.patch \
> + file://0001-Fix-leak-with-ASN.1-combine.patch \
> "
>
> SRC_URI[md5sum] = "66bf6f10f060d561929de96f9dfe5b8c"
> --
> 1.8.4.2
>
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH][dizzy][daisy][dylan] openssl: fix for CVE-2015-3195
2015-12-14 8:00 ` Sona Sarmadi
@ 2015-12-14 8:46 ` Fan Xin
0 siblings, 0 replies; 3+ messages in thread
From: Fan Xin @ 2015-12-14 8:46 UTC (permalink / raw)
To: Sona Sarmadi, openembedded-core
Hi Sona,
> How can this patch be applied to dizzy branch?
This patch is for dylan branch.
I will send the patch for dizzy and daisy later.
> You have only sent patch for CVE-2015-3195, how about CVE-2015-3194?
Actually the patch for CVE-2015-3194 is also needed for dizzy and daisy
branch.
Thanks for your comment.
I will modify and re-send the patch.
Regards,
Fan
On 2015年12月14日 17:00, Sona Sarmadi wrote:
> Hi Fan,
>
> dizzy branch has Openssl version 1.0.1p now:
> http://git.yoctoproject.org/cgit/cgit.cgi/poky/tree/meta/recipes-connectivity/openssl/openssl_1.0.1p.bb?h=dizzy
>
> How can this patch be applied to dizzy branch?
>
> You have only sent patch for CVE-2015-3195, how about CVE-2015-3194?
> CVE-2015-3193 does not seem to affect OpenSSL version 1.0.1 according to Mitre:
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3193
> CVE-2015-3193 (OpenSSL 1.0.2)
> CVE-2015-3194 (OpenSSL 1.0.1 before 1.0.1q and 1.0.2 before 1.0.2e)
> CVE-2015-3195 (OpenSSL before before 1.0.0t, 1.0.1 before 1.0.1q, and 1.0.2 before 1.0.2e)
>
> Regards
> //Sona
>
>
>> -----Original Message-----
>> From: openembedded-core-bounces@lists.openembedded.org
>> [mailto:openembedded-core-bounces@lists.openembedded.org] On Behalf
>> Of Fan Xin
>> Sent: den 11 december 2015 09:14
>> To: openembedded-core@lists.openembedded.org
>> Cc: Fan Xin <fan.xin@jp.fujitsu.com>
>> Subject: [OE-core] [PATCH][dizzy][daisy][dylan] openssl: fix for CVE-2015-
>> 3195
>>
>> This vulnerability affects OpenSSL versions 1.0.2 and 1.0.1, 1.0.0 and 0.9.8.
>> So the patch also should be merged into dizzy, daisy and dylan.
>>
>> Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com>
>> ---
>> .../0001-Fix-leak-with-ASN.1-combine.patch | 65
>> ++++++++++++++++++++++
>> .../recipes-connectivity/openssl/openssl_1.0.1e.bb | 1 +
>> 2 files changed, 66 insertions(+)
>> create mode 100644 meta/recipes-connectivity/openssl/openssl-
>> 1.0.1e/0001-Fix-leak-with-ASN.1-combine.patch
>>
>> diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/0001-Fix-leak-
>> with-ASN.1-combine.patch b/meta/recipes-connectivity/openssl/openssl-
>> 1.0.1e/0001-Fix-leak-with-ASN.1-combine.patch
>> new file mode 100644
>> index 0000000..5bda457
>> --- /dev/null
>> +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/0001-Fix-leak-wit
>> +++ h-ASN.1-combine.patch
>> @@ -0,0 +1,65 @@
>> +Upstream-Status: Backport
>> +
>> +This patch was imprted from
>> +https://git.openssl.org/?p=openssl.git;a=commit;h=cc598f321fbac9c04da57
>> +66243ed55d55948637d
>> +
>> +Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com>
>> +
>> +From cc598f321fbac9c04da5766243ed55d55948637d Mon Sep 17
>> 00:00:00 2001
>> +From: Dr. Stephen Henson <steve@openssl.org>
>> +Date: Tue, 10 Nov 2015 19:03:07 +0000
>> +Subject: [PATCH] Fix leak with ASN.1 combine.
>> +
>> +When parsing a combined structure pass a flag to the decode routine so
>> +on error a pointer to the parent structure is not zeroed as this will
>> +leak any additional components in the parent.
>> +
>> +This can leak memory in any application parsing PKCS#7 or CMS structures.
>> +
>> +CVE-2015-3195.
>> +
>> +Thanks to Adam Langley (Google/BoringSSL) for discovering this bug
>> +using libFuzzer.
>> +
>> +PR#4131
>> +
>> +Reviewed-by: Richard Levitte <levitte@openssl.org>
>> +---
>> + crypto/asn1/tasn_dec.c | 7 +++++--
>> + 1 files changed, 5 insertions(+), 2 deletions(-)
>> +
>> +diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c index
>> +febf605..9256049 100644
>> +--- a/crypto/asn1/tasn_dec.c
>> ++++ b/crypto/asn1/tasn_dec.c
>> +@@ -180,6 +180,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const
>> unsigned char **in, long len,
>> + int otag;
>> + int ret = 0;
>> + ASN1_VALUE **pchptr, *ptmpval;
>> ++ int combine = aclass & ASN1_TFLG_COMBINE;
>> ++ aclass &= ~ASN1_TFLG_COMBINE;
>> + if (!pval)
>> + return 0;
>> + if (aux && aux->asn1_cb)
>> +@@ -500,7 +502,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const
>> +unsigned char **in, long len,
>> + auxerr:
>> + ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR);
>> + err:
>> +- ASN1_item_ex_free(pval, it);
>> ++ if (combine == 0)
>> ++ ASN1_item_ex_free(pval, it);
>> + if (errtt)
>> + ERR_add_error_data(4, "Field=", errtt->field_name,
>> + ", Type=", it->sname); @@ -689,7 +692,7 @@
>> +static int asn1_template_noexp_d2i(ASN1_VALUE **val,
>> + } else {
>> + /* Nothing special */
>> + ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
>> +- -1, 0, opt, ctx);
>> ++ -1, tt->flags & ASN1_TFLG_COMBINE, opt,
>> ++ ctx);
>> + if (!ret) {
>> + ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I,
>> ERR_R_NESTED_ASN1_ERROR);
>> + goto err;
>> +--
>> +1.7.0.4
>> +
>> diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb
>> b/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb
>> index bc1b944..dbc2da2 100644
>> --- a/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb
>> +++ b/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb
>> @@ -37,6 +37,7 @@ SRC_URI += "file://configure-targets.patch \
>> file://0001-Use-version-in-SSL_METHOD-not-SSL-structure.patch \
>> file://CVE-2014-0160.patch \
>> file://openssl-CVE-2014-0198-fix.patch \
>> + file://0001-Fix-leak-with-ASN.1-combine.patch \
>> "
>>
>> SRC_URI[md5sum] = "66bf6f10f060d561929de96f9dfe5b8c"
>> --
>> 1.8.4.2
>>
>> --
>> _______________________________________________
>> Openembedded-core mailing list
>> Openembedded-core@lists.openembedded.org
>> http://lists.openembedded.org/mailman/listinfo/openembedded-core
--
=====================================================
株式会社富士通コンピュータテクノロジーズ
組込みシステム技術統括部 第一ファームウェア技術部
樊 昕 Fan Xin
fan.xin@jp.fujitsu.com
┏┓ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
┗■ 【ubinux V15】のリリースを開始しました!
「SDN(Open vSwitch)」や「クラウド管理(OpenStack Heat)」などに対応
---------------------------------------------------------------------
詳細>>http://elsc.utsfd.cs.fujitsu.co.jp/location_elsc.php?id=0024
※"ubinux"は組込み装置向け当社独自のLinuxディストリビューションです
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2015-12-14 8:45 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-12-11 8:13 [PATCH][dizzy][daisy][dylan] openssl: fix for CVE-2015-3195 Fan Xin
2015-12-14 8:00 ` Sona Sarmadi
2015-12-14 8:46 ` Fan Xin
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.