From b0486e43cf4302f67925bd8db53a9c3105f42bd4 Mon Sep 17 00:00:00 2001 From: delphij Date: Fri, 20 Mar 2015 07:12:02 +0000 Subject: [PATCH] Fix issues with original SA-15:06.openssl commit: - Revert a portion of ASN1 change per suggested by OpenBSD and OpenSSL developers. The change was removed from the formal OpenSSL release and does not solve security issue. - Properly fix CVE-2015-0209 and CVE-2015-0288. Approved by: so git-svn-id: svn://svn.freebsd.org/base/releng/9.3@280275 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f --- UPDATING | 3 +++ crypto/openssl/crypto/asn1/tasn_dec.c | 19 ++++++------------- crypto/openssl/crypto/ec/ec_asn1.c | 6 +++--- crypto/openssl/crypto/x509/x509_req.c | 2 ++ sys/conf/newvers.sh | 2 +- 5 files changed, 15 insertions(+), 17 deletions(-) diff --git a/UPDATING b/UPDATING index 12b6514af..f0f33c4c6 100644 --- a/UPDATING +++ b/UPDATING @@ -11,6 +11,9 @@ handbook: Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before running portupgrade. +20150320: p12 + Fix patch for SA-15:06.openssl. + 20150319: p11 FreeBSD-SA-15:06.openssl Fix multiple vulnerabilities in OpenSSL. [SA-15:06] diff --git a/crypto/openssl/crypto/asn1/tasn_dec.c b/crypto/openssl/crypto/asn1/tasn_dec.c index de6da3e1e..01b284d79 100644 --- a/crypto/openssl/crypto/asn1/tasn_dec.c +++ b/crypto/openssl/crypto/asn1/tasn_dec.c @@ -125,23 +125,16 @@ unsigned long ASN1_tag2bit(int tag) ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, const ASN1_ITEM *it) -{ + { ASN1_TLC c; ASN1_VALUE *ptmpval = NULL; + if (!pval) + pval = &ptmpval; c.valid = 0; - if (pval && *pval && it->itype == ASN1_ITYPE_PRIMITIVE) - ptmpval = *pval; - - if (ASN1_item_ex_d2i(&ptmpval, in, len, it, -1, 0, 0, &c) > 0) { - if (pval && it->itype != ASN1_ITYPE_PRIMITIVE) { - if (*pval) - ASN1_item_free(*pval, it); - *pval = ptmpval; - } - return ptmpval; - } + if (ASN1_item_ex_d2i(pval, in, len, it, -1, 0, 0, &c) > 0) + return *pval; return NULL; -} + } int ASN1_template_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, const ASN1_TEMPLATE *tt) diff --git a/crypto/openssl/crypto/ec/ec_asn1.c b/crypto/openssl/crypto/ec/ec_asn1.c index ae5553985..0ef2ceef7 100644 --- a/crypto/openssl/crypto/ec/ec_asn1.c +++ b/crypto/openssl/crypto/ec/ec_asn1.c @@ -1126,8 +1126,6 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len) ERR_R_MALLOC_FAILURE); goto err; } - if (a) - *a = ret; } else ret = *a; @@ -1192,11 +1190,13 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len) } } + if (a) + *a = ret; ok = 1; err: if (!ok) { - if (ret) + if (ret && (a == NULL || *a != ret)) EC_KEY_free(ret); ret = NULL; } diff --git a/crypto/openssl/crypto/x509/x509_req.c b/crypto/openssl/crypto/x509/x509_req.c index 3872e1fb6..ca7f1a5e5 100644 --- a/crypto/openssl/crypto/x509/x509_req.c +++ b/crypto/openssl/crypto/x509/x509_req.c @@ -91,6 +91,8 @@ X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md) goto err; pktmp = X509_get_pubkey(x); + if (pktmp == NULL) + goto err; i=X509_REQ_set_pubkey(ret,pktmp); EVP_PKEY_free(pktmp); if (!i) goto err; diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh index 45afa52c7..bd79618e2 100644 --- a/sys/conf/newvers.sh +++ b/sys/conf/newvers.sh @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="9.3" -BRANCH="RELEASE-p11" +BRANCH="RELEASE-p12" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi -- 2.42.0