Fix multiple security issues.
- fix CVE-2016-0702 - side channel attack on modular exponentiation - fix CVE-2016-0705 - double-free in DSA private key parsing - fix CVE-2016-0797 - heap corruption in BN_hex2bn and BN_dec2bn - fix CVE-2015-3197 - SSLv2 ciphersuite enforcement - fix CVE-2015-7575 - disallow use of MD5 in TLS1.2 - fix CVE-2016-0799 - memory issues in BIO_*printf functions
This commit is contained in:
parent
85a2d8a93c
commit
0fa091c0ff
42
openssl-1.0.1e-cve-2015-3197.patch
Normal file
42
openssl-1.0.1e-cve-2015-3197.patch
Normal file
@ -0,0 +1,42 @@
|
|||||||
|
diff -up openssl-1.0.1e/ssl/s2_srvr.c.ssl2-ciphers openssl-1.0.1e/ssl/s2_srvr.c
|
||||||
|
--- openssl-1.0.1e/ssl/s2_srvr.c.ssl2-ciphers 2016-01-14 17:38:50.000000000 +0100
|
||||||
|
+++ openssl-1.0.1e/ssl/s2_srvr.c 2016-02-16 16:18:59.790225008 +0100
|
||||||
|
@@ -392,7 +392,7 @@ static int get_client_master_key(SSL *s)
|
||||||
|
}
|
||||||
|
|
||||||
|
cp=ssl2_get_cipher_by_char(p);
|
||||||
|
- if (cp == NULL)
|
||||||
|
+ if (cp == NULL || sk_SSL_CIPHER_find(s->session->ciphers, cp) < 0)
|
||||||
|
{
|
||||||
|
ssl2_return_error(s,SSL2_PE_NO_CIPHER);
|
||||||
|
SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_NO_CIPHER_MATCH);
|
||||||
|
@@ -692,9 +692,13 @@ static int get_client_hello(SSL *s)
|
||||||
|
prio = cs;
|
||||||
|
allow = cl;
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ /* Generate list of SSLv2 ciphers shared between client and server */
|
||||||
|
for (z=0; z<sk_SSL_CIPHER_num(prio); z++)
|
||||||
|
{
|
||||||
|
- if (sk_SSL_CIPHER_find(allow,sk_SSL_CIPHER_value(prio,z)) < 0)
|
||||||
|
+ const SSL_CIPHER *cp = sk_SSL_CIPHER_value(prio, z);
|
||||||
|
+ if ((cp->algorithm_ssl & SSL_SSLV2) == 0 ||
|
||||||
|
+ sk_SSL_CIPHER_find(allow,cp) < 0)
|
||||||
|
{
|
||||||
|
(void)sk_SSL_CIPHER_delete(prio,z);
|
||||||
|
z--;
|
||||||
|
@@ -705,6 +709,14 @@ static int get_client_hello(SSL *s)
|
||||||
|
sk_SSL_CIPHER_free(s->session->ciphers);
|
||||||
|
s->session->ciphers = prio;
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ /* Make sure we have at least one cipher in common */
|
||||||
|
+ if (sk_SSL_CIPHER_num(s->session->ciphers) == 0)
|
||||||
|
+ {
|
||||||
|
+ ssl2_return_error(s, SSL2_PE_NO_CIPHER);
|
||||||
|
+ SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_NO_CIPHER_MATCH);
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
/* s->session->ciphers should now have a list of
|
||||||
|
* ciphers that are on both the client and server.
|
||||||
|
* This list is ordered by the order the client sent
|
74
openssl-1.0.1e-cve-2016-0797.patch
Normal file
74
openssl-1.0.1e-cve-2016-0797.patch
Normal file
@ -0,0 +1,74 @@
|
|||||||
|
diff -up openssl-1.0.1e/crypto/bn/bn.h.bn-hex openssl-1.0.1e/crypto/bn/bn.h
|
||||||
|
--- openssl-1.0.1e/crypto/bn/bn.h.bn-hex 2016-02-24 14:23:33.020233047 +0100
|
||||||
|
+++ openssl-1.0.1e/crypto/bn/bn.h 2016-02-24 14:23:06.078615397 +0100
|
||||||
|
@@ -129,6 +129,7 @@
|
||||||
|
#ifndef OPENSSL_NO_FP_API
|
||||||
|
#include <stdio.h> /* FILE */
|
||||||
|
#endif
|
||||||
|
+#include <limits.h>
|
||||||
|
#include <openssl/ossl_typ.h>
|
||||||
|
#include <openssl/crypto.h>
|
||||||
|
|
||||||
|
@@ -640,7 +641,8 @@ const BIGNUM *BN_get0_nist_prime_521(voi
|
||||||
|
|
||||||
|
/* library internal functions */
|
||||||
|
|
||||||
|
-#define bn_expand(a,bits) ((((((bits+BN_BITS2-1))/BN_BITS2)) <= (a)->dmax)?\
|
||||||
|
+#define bn_expand(a,bits) (bits > (INT_MAX - BN_BITS2 + 1)?\
|
||||||
|
+ NULL:(((((bits+BN_BITS2-1))/BN_BITS2)) <= (a)->dmax)?\
|
||||||
|
(a):bn_expand2((a),(bits+BN_BITS2-1)/BN_BITS2))
|
||||||
|
#define bn_wexpand(a,words) (((words) <= (a)->dmax)?(a):bn_expand2((a),(words)))
|
||||||
|
BIGNUM *bn_expand2(BIGNUM *a, int words);
|
||||||
|
diff -up openssl-1.0.1e/crypto/bn/bn_print.c.bn-hex openssl-1.0.1e/crypto/bn/bn_print.c
|
||||||
|
--- openssl-1.0.1e/crypto/bn/bn_print.c.bn-hex 2013-02-11 16:26:04.000000000 +0100
|
||||||
|
+++ openssl-1.0.1e/crypto/bn/bn_print.c 2016-02-24 14:15:21.215948376 +0100
|
||||||
|
@@ -58,6 +58,7 @@
|
||||||
|
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <ctype.h>
|
||||||
|
+#include <limits.h>
|
||||||
|
#include "cryptlib.h"
|
||||||
|
#include <openssl/buffer.h>
|
||||||
|
#include "bn_lcl.h"
|
||||||
|
@@ -180,8 +181,10 @@ int BN_hex2bn(BIGNUM **bn, const char *a
|
||||||
|
|
||||||
|
if (*a == '-') { neg=1; a++; }
|
||||||
|
|
||||||
|
- for (i=0; isxdigit((unsigned char) a[i]); i++)
|
||||||
|
+ for (i=0; i <= (INT_MAX/4) && isxdigit((unsigned char) a[i]); i++)
|
||||||
|
;
|
||||||
|
+ if (i > INT_MAX/4)
|
||||||
|
+ goto err;
|
||||||
|
|
||||||
|
num=i+neg;
|
||||||
|
if (bn == NULL) return(num);
|
||||||
|
@@ -197,7 +200,7 @@ int BN_hex2bn(BIGNUM **bn, const char *a
|
||||||
|
BN_zero(ret);
|
||||||
|
}
|
||||||
|
|
||||||
|
- /* i is the number of hex digests; */
|
||||||
|
+ /* i is the number of hex digits */
|
||||||
|
if (bn_expand(ret,i*4) == NULL) goto err;
|
||||||
|
|
||||||
|
j=i; /* least significant 'hex' */
|
||||||
|
@@ -246,8 +249,10 @@ int BN_dec2bn(BIGNUM **bn, const char *a
|
||||||
|
if ((a == NULL) || (*a == '\0')) return(0);
|
||||||
|
if (*a == '-') { neg=1; a++; }
|
||||||
|
|
||||||
|
- for (i=0; isdigit((unsigned char) a[i]); i++)
|
||||||
|
+ for (i=0; i <= (INT_MAX/4) && isdigit((unsigned char) a[i]); i++)
|
||||||
|
;
|
||||||
|
+ if (i > INT_MAX/4)
|
||||||
|
+ goto err;
|
||||||
|
|
||||||
|
num=i+neg;
|
||||||
|
if (bn == NULL) return(num);
|
||||||
|
@@ -264,7 +269,7 @@ int BN_dec2bn(BIGNUM **bn, const char *a
|
||||||
|
BN_zero(ret);
|
||||||
|
}
|
||||||
|
|
||||||
|
- /* i is the number of digests, a bit of an over expand; */
|
||||||
|
+ /* i is the number of digits, a bit of an over expand */
|
||||||
|
if (bn_expand(ret,i*4) == NULL) goto err;
|
||||||
|
|
||||||
|
j=BN_DEC_NUM-(i%BN_DEC_NUM);
|
@ -11,3 +11,73 @@ diff -up openssl-1.0.1h/ssl/ssl_lib.c.v2v3 openssl-1.0.1h/ssl/ssl_lib.c
|
|||||||
return(ret);
|
return(ret);
|
||||||
err:
|
err:
|
||||||
SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE);
|
SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE);
|
||||||
|
diff -up openssl-1.0.1e/doc/apps/ciphers.pod.disable-sslv2 openssl-1.0.1e/doc/apps/ciphers.pod
|
||||||
|
--- openssl-1.0.1e/doc/apps/ciphers.pod.disable-sslv2 2016-01-14 17:38:50.000000000 +0100
|
||||||
|
+++ openssl-1.0.1e/doc/apps/ciphers.pod 2016-02-24 11:17:36.297955053 +0100
|
||||||
|
@@ -572,11 +572,11 @@ Note: these ciphers can also be used in
|
||||||
|
=head2 Deprecated SSL v2.0 cipher suites.
|
||||||
|
|
||||||
|
SSL_CK_RC4_128_WITH_MD5 RC4-MD5
|
||||||
|
- SSL_CK_RC4_128_EXPORT40_WITH_MD5 EXP-RC4-MD5
|
||||||
|
- SSL_CK_RC2_128_CBC_WITH_MD5 RC2-MD5
|
||||||
|
- SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 EXP-RC2-MD5
|
||||||
|
+ SSL_CK_RC4_128_EXPORT40_WITH_MD5 Not implemented.
|
||||||
|
+ SSL_CK_RC2_128_CBC_WITH_MD5 RC2-CBC-MD5
|
||||||
|
+ SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 Not implemented.
|
||||||
|
SSL_CK_IDEA_128_CBC_WITH_MD5 IDEA-CBC-MD5
|
||||||
|
- SSL_CK_DES_64_CBC_WITH_MD5 DES-CBC-MD5
|
||||||
|
+ SSL_CK_DES_64_CBC_WITH_MD5 Not implemented.
|
||||||
|
SSL_CK_DES_192_EDE3_CBC_WITH_MD5 DES-CBC3-MD5
|
||||||
|
|
||||||
|
=head1 NOTES
|
||||||
|
diff -up openssl-1.0.1e/ssl/s2_lib.c.disable-sslv2 openssl-1.0.1e/ssl/s2_lib.c
|
||||||
|
--- openssl-1.0.1e/ssl/s2_lib.c.disable-sslv2 2016-02-24 11:23:24.012237164 +0100
|
||||||
|
+++ openssl-1.0.1e/ssl/s2_lib.c 2016-02-24 11:19:34.623773423 +0100
|
||||||
|
@@ -156,6 +156,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
|
||||||
|
128,
|
||||||
|
},
|
||||||
|
|
||||||
|
+#if 0
|
||||||
|
/* RC4_128_EXPORT40_WITH_MD5 */
|
||||||
|
{
|
||||||
|
1,
|
||||||
|
@@ -171,6 +172,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
|
||||||
|
40,
|
||||||
|
128,
|
||||||
|
},
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
/* RC2_128_CBC_WITH_MD5 */
|
||||||
|
{
|
||||||
|
@@ -188,6 +190,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
|
||||||
|
128,
|
||||||
|
},
|
||||||
|
|
||||||
|
+#if 0
|
||||||
|
/* RC2_128_CBC_EXPORT40_WITH_MD5 */
|
||||||
|
{
|
||||||
|
1,
|
||||||
|
@@ -203,6 +206,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
|
||||||
|
40,
|
||||||
|
128,
|
||||||
|
},
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
#ifndef OPENSSL_NO_IDEA
|
||||||
|
/* IDEA_128_CBC_WITH_MD5 */
|
||||||
|
@@ -222,6 +226,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
|
||||||
|
},
|
||||||
|
#endif
|
||||||
|
|
||||||
|
+#if 0
|
||||||
|
/* DES_64_CBC_WITH_MD5 */
|
||||||
|
{
|
||||||
|
1,
|
||||||
|
@@ -237,6 +242,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
|
||||||
|
56,
|
||||||
|
56,
|
||||||
|
},
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
/* DES_192_EDE3_CBC_WITH_MD5 */
|
||||||
|
{
|
||||||
|
1164
openssl-1.0.1k-cve-2016-0702.patch
Normal file
1164
openssl-1.0.1k-cve-2016-0702.patch
Normal file
File diff suppressed because it is too large
Load Diff
437
openssl-1.0.1k-cve-2016-0799.patch
Normal file
437
openssl-1.0.1k-cve-2016-0799.patch
Normal file
@ -0,0 +1,437 @@
|
|||||||
|
diff -up openssl-1.0.1k/crypto/bio/b_print.c.bio-printf openssl-1.0.1k/crypto/bio/b_print.c
|
||||||
|
--- openssl-1.0.1k/crypto/bio/b_print.c.bio-printf 2015-01-08 15:00:36.000000000 +0100
|
||||||
|
+++ openssl-1.0.1k/crypto/bio/b_print.c 2016-03-02 10:56:35.376167813 +0100
|
||||||
|
@@ -125,14 +125,14 @@
|
||||||
|
#define LLONG long
|
||||||
|
#endif
|
||||||
|
|
||||||
|
-static void fmtstr (char **, char **, size_t *, size_t *,
|
||||||
|
+static int fmtstr(char **, char **, size_t *, size_t *,
|
||||||
|
const char *, int, int, int);
|
||||||
|
-static void fmtint (char **, char **, size_t *, size_t *,
|
||||||
|
+static int fmtint(char **, char **, size_t *, size_t *,
|
||||||
|
LLONG, int, int, int, int);
|
||||||
|
-static void fmtfp (char **, char **, size_t *, size_t *,
|
||||||
|
+static int fmtfp(char **, char **, size_t *, size_t *,
|
||||||
|
LDOUBLE, int, int, int);
|
||||||
|
-static void doapr_outch (char **, char **, size_t *, size_t *, int);
|
||||||
|
-static void _dopr(char **sbuffer, char **buffer,
|
||||||
|
+static int doapr_outch(char **, char **, size_t *, size_t *, int);
|
||||||
|
+static int _dopr(char **sbuffer, char **buffer,
|
||||||
|
size_t *maxlen, size_t *retlen, int *truncated,
|
||||||
|
const char *format, va_list args);
|
||||||
|
|
||||||
|
@@ -165,7 +165,7 @@ static void _dopr(char **sbuffer, char *
|
||||||
|
#define char_to_int(p) (p - '0')
|
||||||
|
#define OSSL_MAX(p,q) ((p >= q) ? p : q)
|
||||||
|
|
||||||
|
-static void
|
||||||
|
+static int
|
||||||
|
_dopr(
|
||||||
|
char **sbuffer,
|
||||||
|
char **buffer,
|
||||||
|
@@ -200,7 +200,8 @@ _dopr(
|
||||||
|
if (ch == '%')
|
||||||
|
state = DP_S_FLAGS;
|
||||||
|
else
|
||||||
|
- doapr_outch(sbuffer,buffer, &currlen, maxlen, ch);
|
||||||
|
+ if (!doapr_outch(sbuffer, buffer, &currlen, maxlen, ch))
|
||||||
|
+ return 0;
|
||||||
|
ch = *format++;
|
||||||
|
break;
|
||||||
|
case DP_S_FLAGS:
|
||||||
|
@@ -306,8 +307,9 @@ _dopr(
|
||||||
|
value = va_arg(args, int);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
- fmtint(sbuffer, buffer, &currlen, maxlen,
|
||||||
|
- value, 10, min, max, flags);
|
||||||
|
+ if (!fmtint(sbuffer, buffer, &currlen, maxlen, value, 10, min,
|
||||||
|
+ max, flags))
|
||||||
|
+ return 0;
|
||||||
|
break;
|
||||||
|
case 'X':
|
||||||
|
flags |= DP_F_UP;
|
||||||
|
@@ -332,17 +334,19 @@ _dopr(
|
||||||
|
unsigned int);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
- fmtint(sbuffer, buffer, &currlen, maxlen, value,
|
||||||
|
+ if (!fmtint(sbuffer, buffer, &currlen, maxlen, value,
|
||||||
|
ch == 'o' ? 8 : (ch == 'u' ? 10 : 16),
|
||||||
|
- min, max, flags);
|
||||||
|
+ min, max, flags))
|
||||||
|
+ return 0;
|
||||||
|
break;
|
||||||
|
case 'f':
|
||||||
|
if (cflags == DP_C_LDOUBLE)
|
||||||
|
fvalue = va_arg(args, LDOUBLE);
|
||||||
|
else
|
||||||
|
fvalue = va_arg(args, double);
|
||||||
|
- fmtfp(sbuffer, buffer, &currlen, maxlen,
|
||||||
|
- fvalue, min, max, flags);
|
||||||
|
+ if (!fmtfp(sbuffer, buffer, &currlen, maxlen, fvalue, min, max,
|
||||||
|
+ flags))
|
||||||
|
+ return 0;
|
||||||
|
break;
|
||||||
|
case 'E':
|
||||||
|
flags |= DP_F_UP;
|
||||||
|
@@ -361,8 +365,9 @@ _dopr(
|
||||||
|
fvalue = va_arg(args, double);
|
||||||
|
break;
|
||||||
|
case 'c':
|
||||||
|
- doapr_outch(sbuffer, buffer, &currlen, maxlen,
|
||||||
|
- va_arg(args, int));
|
||||||
|
+ if(!doapr_outch(sbuffer, buffer, &currlen, maxlen,
|
||||||
|
+ va_arg(args, int)))
|
||||||
|
+ return 0;
|
||||||
|
break;
|
||||||
|
case 's':
|
||||||
|
strvalue = va_arg(args, char *);
|
||||||
|
@@ -372,13 +377,15 @@ _dopr(
|
||||||
|
else
|
||||||
|
max = *maxlen;
|
||||||
|
}
|
||||||
|
- fmtstr(sbuffer, buffer, &currlen, maxlen, strvalue,
|
||||||
|
- flags, min, max);
|
||||||
|
+ if (!fmtstr(sbuffer, buffer, &currlen, maxlen, strvalue,
|
||||||
|
+ flags, min, max))
|
||||||
|
+ return 0;
|
||||||
|
break;
|
||||||
|
case 'p':
|
||||||
|
value = (long)va_arg(args, void *);
|
||||||
|
- fmtint(sbuffer, buffer, &currlen, maxlen,
|
||||||
|
- value, 16, min, max, flags|DP_F_NUM);
|
||||||
|
+ if (!fmtint(sbuffer, buffer, &currlen, maxlen,
|
||||||
|
+ value, 16, min, max, flags | DP_F_NUM))
|
||||||
|
+ return 0;
|
||||||
|
break;
|
||||||
|
case 'n': /* XXX */
|
||||||
|
if (cflags == DP_C_SHORT) {
|
||||||
|
@@ -400,7 +407,8 @@ _dopr(
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
case '%':
|
||||||
|
- doapr_outch(sbuffer, buffer, &currlen, maxlen, ch);
|
||||||
|
+ if(!doapr_outch(sbuffer, buffer, &currlen, maxlen, ch))
|
||||||
|
+ return 0;
|
||||||
|
break;
|
||||||
|
case 'w':
|
||||||
|
/* not supported yet, treat as next char */
|
||||||
|
@@ -424,12 +432,13 @@ _dopr(
|
||||||
|
*truncated = (currlen > *maxlen - 1);
|
||||||
|
if (*truncated)
|
||||||
|
currlen = *maxlen - 1;
|
||||||
|
- doapr_outch(sbuffer, buffer, &currlen, maxlen, '\0');
|
||||||
|
+ if(!doapr_outch(sbuffer, buffer, &currlen, maxlen, '\0'))
|
||||||
|
+ return 0;
|
||||||
|
*retlen = currlen - 1;
|
||||||
|
- return;
|
||||||
|
+ return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
-static void
|
||||||
|
+static int
|
||||||
|
fmtstr(
|
||||||
|
char **sbuffer,
|
||||||
|
char **buffer,
|
||||||
|
@@ -440,36 +449,44 @@ fmtstr(
|
||||||
|
int min,
|
||||||
|
int max)
|
||||||
|
{
|
||||||
|
- int padlen, strln;
|
||||||
|
+ int padlen;
|
||||||
|
+ size_t strln;
|
||||||
|
int cnt = 0;
|
||||||
|
|
||||||
|
if (value == 0)
|
||||||
|
value = "<NULL>";
|
||||||
|
- for (strln = 0; value[strln]; ++strln)
|
||||||
|
- ;
|
||||||
|
+
|
||||||
|
+ strln = strlen(value);
|
||||||
|
+ if (strln > INT_MAX)
|
||||||
|
+ strln = INT_MAX;
|
||||||
|
+
|
||||||
|
padlen = min - strln;
|
||||||
|
- if (padlen < 0)
|
||||||
|
+ if (min < 0 || padlen < 0)
|
||||||
|
padlen = 0;
|
||||||
|
if (flags & DP_F_MINUS)
|
||||||
|
padlen = -padlen;
|
||||||
|
|
||||||
|
while ((padlen > 0) && (cnt < max)) {
|
||||||
|
- doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
|
||||||
|
+ if(!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
|
||||||
|
+ return 0;
|
||||||
|
--padlen;
|
||||||
|
++cnt;
|
||||||
|
}
|
||||||
|
while (*value && (cnt < max)) {
|
||||||
|
- doapr_outch(sbuffer, buffer, currlen, maxlen, *value++);
|
||||||
|
+ if(!doapr_outch(sbuffer, buffer, currlen, maxlen, *value++))
|
||||||
|
+ return 0;
|
||||||
|
++cnt;
|
||||||
|
}
|
||||||
|
while ((padlen < 0) && (cnt < max)) {
|
||||||
|
- doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
|
||||||
|
+ if(!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
|
||||||
|
+ return 0;
|
||||||
|
++padlen;
|
||||||
|
++cnt;
|
||||||
|
}
|
||||||
|
+ return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
-static void
|
||||||
|
+static int
|
||||||
|
fmtint(
|
||||||
|
char **sbuffer,
|
||||||
|
char **buffer,
|
||||||
|
@@ -533,37 +550,44 @@ fmtint(
|
||||||
|
|
||||||
|
/* spaces */
|
||||||
|
while (spadlen > 0) {
|
||||||
|
- doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
|
||||||
|
+ if(!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
|
||||||
|
+ return 0;
|
||||||
|
--spadlen;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* sign */
|
||||||
|
if (signvalue)
|
||||||
|
- doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue);
|
||||||
|
+ if(!doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue))
|
||||||
|
+ return 0;
|
||||||
|
|
||||||
|
/* prefix */
|
||||||
|
while (*prefix) {
|
||||||
|
- doapr_outch(sbuffer, buffer, currlen, maxlen, *prefix);
|
||||||
|
+ if(!doapr_outch(sbuffer, buffer, currlen, maxlen, *prefix))
|
||||||
|
+ return 0;
|
||||||
|
prefix++;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* zeros */
|
||||||
|
if (zpadlen > 0) {
|
||||||
|
while (zpadlen > 0) {
|
||||||
|
- doapr_outch(sbuffer, buffer, currlen, maxlen, '0');
|
||||||
|
+ if(!doapr_outch(sbuffer, buffer, currlen, maxlen, '0'))
|
||||||
|
+ return 0;
|
||||||
|
--zpadlen;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
/* digits */
|
||||||
|
- while (place > 0)
|
||||||
|
- doapr_outch(sbuffer, buffer, currlen, maxlen, convert[--place]);
|
||||||
|
+ while (place > 0) {
|
||||||
|
+ if (!doapr_outch(sbuffer, buffer, currlen, maxlen, convert[--place]))
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
/* left justified spaces */
|
||||||
|
while (spadlen < 0) {
|
||||||
|
- doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
|
||||||
|
+ if (!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
|
||||||
|
+ return 0;
|
||||||
|
++spadlen;
|
||||||
|
}
|
||||||
|
- return;
|
||||||
|
+ return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
static LDOUBLE
|
||||||
|
@@ -597,7 +621,7 @@ roundv(LDOUBLE value)
|
||||||
|
return intpart;
|
||||||
|
}
|
||||||
|
|
||||||
|
-static void
|
||||||
|
+static int
|
||||||
|
fmtfp(
|
||||||
|
char **sbuffer,
|
||||||
|
char **buffer,
|
||||||
|
@@ -616,7 +640,6 @@ fmtfp(
|
||||||
|
int fplace = 0;
|
||||||
|
int padlen = 0;
|
||||||
|
int zpadlen = 0;
|
||||||
|
- int caps = 0;
|
||||||
|
long intpart;
|
||||||
|
long fracpart;
|
||||||
|
long max10;
|
||||||
|
@@ -650,9 +673,7 @@ fmtfp(
|
||||||
|
|
||||||
|
/* convert integer part */
|
||||||
|
do {
|
||||||
|
- iconvert[iplace++] =
|
||||||
|
- (caps ? "0123456789ABCDEF"
|
||||||
|
- : "0123456789abcdef")[intpart % 10];
|
||||||
|
+ iconvert[iplace++] = "0123456789"[intpart % 10];
|
||||||
|
intpart = (intpart / 10);
|
||||||
|
} while (intpart && (iplace < (int)sizeof(iconvert)));
|
||||||
|
if (iplace == sizeof iconvert)
|
||||||
|
@@ -661,9 +682,7 @@ fmtfp(
|
||||||
|
|
||||||
|
/* convert fractional part */
|
||||||
|
do {
|
||||||
|
- fconvert[fplace++] =
|
||||||
|
- (caps ? "0123456789ABCDEF"
|
||||||
|
- : "0123456789abcdef")[fracpart % 10];
|
||||||
|
+ fconvert[fplace++] = "0123456789"[fracpart % 10];
|
||||||
|
fracpart = (fracpart / 10);
|
||||||
|
} while (fplace < max);
|
||||||
|
if (fplace == sizeof fconvert)
|
||||||
|
@@ -682,47 +701,61 @@ fmtfp(
|
||||||
|
|
||||||
|
if ((flags & DP_F_ZERO) && (padlen > 0)) {
|
||||||
|
if (signvalue) {
|
||||||
|
- doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue);
|
||||||
|
+ if (!doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue))
|
||||||
|
+ return 0;
|
||||||
|
--padlen;
|
||||||
|
signvalue = 0;
|
||||||
|
}
|
||||||
|
while (padlen > 0) {
|
||||||
|
- doapr_outch(sbuffer, buffer, currlen, maxlen, '0');
|
||||||
|
+ if (!doapr_outch(sbuffer, buffer, currlen, maxlen, '0'))
|
||||||
|
+ return 0;
|
||||||
|
--padlen;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
while (padlen > 0) {
|
||||||
|
- doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
|
||||||
|
+ if (!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
|
||||||
|
+ return 0;
|
||||||
|
--padlen;
|
||||||
|
}
|
||||||
|
- if (signvalue)
|
||||||
|
- doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue);
|
||||||
|
+ if (signvalue && !doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue))
|
||||||
|
+ return 0;
|
||||||
|
|
||||||
|
- while (iplace > 0)
|
||||||
|
- doapr_outch(sbuffer, buffer, currlen, maxlen, iconvert[--iplace]);
|
||||||
|
+ while (iplace > 0) {
|
||||||
|
+ if (!doapr_outch(sbuffer, buffer, currlen, maxlen, iconvert[--iplace]))
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Decimal point. This should probably use locale to find the correct
|
||||||
|
* char to print out.
|
||||||
|
*/
|
||||||
|
if (max > 0 || (flags & DP_F_NUM)) {
|
||||||
|
- doapr_outch(sbuffer, buffer, currlen, maxlen, '.');
|
||||||
|
+ if (!doapr_outch(sbuffer, buffer, currlen, maxlen, '.'))
|
||||||
|
+ return 0;
|
||||||
|
|
||||||
|
- while (fplace > 0)
|
||||||
|
- doapr_outch(sbuffer, buffer, currlen, maxlen, fconvert[--fplace]);
|
||||||
|
+ while (fplace > 0) {
|
||||||
|
+ if(!doapr_outch(sbuffer, buffer, currlen, maxlen,
|
||||||
|
+ fconvert[--fplace]))
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
while (zpadlen > 0) {
|
||||||
|
- doapr_outch(sbuffer, buffer, currlen, maxlen, '0');
|
||||||
|
+ if (!doapr_outch(sbuffer, buffer, currlen, maxlen, '0'))
|
||||||
|
+ return 0;
|
||||||
|
--zpadlen;
|
||||||
|
}
|
||||||
|
|
||||||
|
while (padlen < 0) {
|
||||||
|
- doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
|
||||||
|
+ if (!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
|
||||||
|
+ return 0;
|
||||||
|
++padlen;
|
||||||
|
}
|
||||||
|
+ return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
-static void
|
||||||
|
+#define BUFFER_INC 1024
|
||||||
|
+
|
||||||
|
+static int
|
||||||
|
doapr_outch(
|
||||||
|
char **sbuffer,
|
||||||
|
char **buffer,
|
||||||
|
@@ -733,24 +766,30 @@ doapr_outch(
|
||||||
|
/* If we haven't at least one buffer, someone has doe a big booboo */
|
||||||
|
assert(*sbuffer != NULL || buffer != NULL);
|
||||||
|
|
||||||
|
- if (buffer) {
|
||||||
|
- while (*currlen >= *maxlen) {
|
||||||
|
- if (*buffer == NULL) {
|
||||||
|
- if (*maxlen == 0)
|
||||||
|
- *maxlen = 1024;
|
||||||
|
+ /* |currlen| must always be <= |*maxlen| */
|
||||||
|
+ assert(*currlen <= *maxlen);
|
||||||
|
+
|
||||||
|
+ if (buffer && *currlen == *maxlen) {
|
||||||
|
+ if (*maxlen > INT_MAX - BUFFER_INC)
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+ *maxlen += BUFFER_INC;
|
||||||
|
+ if (*buffer == NULL) {
|
||||||
|
*buffer = OPENSSL_malloc(*maxlen);
|
||||||
|
+ if (*buffer == NULL)
|
||||||
|
+ return 0;
|
||||||
|
if (*currlen > 0) {
|
||||||
|
assert(*sbuffer != NULL);
|
||||||
|
memcpy(*buffer, *sbuffer, *currlen);
|
||||||
|
}
|
||||||
|
*sbuffer = NULL;
|
||||||
|
- } else {
|
||||||
|
- *maxlen += 1024;
|
||||||
|
- *buffer = OPENSSL_realloc(*buffer, *maxlen);
|
||||||
|
- }
|
||||||
|
+ } else {
|
||||||
|
+ char *tmpbuf;
|
||||||
|
+ tmpbuf = OPENSSL_realloc(*buffer, *maxlen);
|
||||||
|
+ if (tmpbuf == NULL)
|
||||||
|
+ return 0;
|
||||||
|
+ *buffer = tmpbuf;
|
||||||
|
}
|
||||||
|
- /* What to do if *buffer is NULL? */
|
||||||
|
- assert(*sbuffer != NULL || *buffer != NULL);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (*currlen < *maxlen) {
|
||||||
|
@@ -760,7 +799,7 @@ doapr_outch(
|
||||||
|
(*buffer)[(*currlen)++] = (char)c;
|
||||||
|
}
|
||||||
|
|
||||||
|
- return;
|
||||||
|
+ return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
/***************************************************************************/
|
||||||
|
@@ -792,11 +831,15 @@ int BIO_vprintf (BIO *bio, const char *f
|
||||||
|
|
||||||
|
dynbuf = NULL;
|
||||||
|
CRYPTO_push_info("doapr()");
|
||||||
|
- _dopr(&hugebufp, &dynbuf, &hugebufsize,
|
||||||
|
- &retlen, &ignored, format, args);
|
||||||
|
+ if (!_dopr(&hugebufp, &dynbuf, &hugebufsize, &retlen, &ignored, format,
|
||||||
|
+ args))
|
||||||
|
+ {
|
||||||
|
+ OPENSSL_free(dynbuf);
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
if (dynbuf)
|
||||||
|
{
|
||||||
|
- ret=BIO_write(bio, dynbuf, (int)retlen);
|
||||||
|
+ ret = BIO_write(bio, dynbuf, (int)retlen);
|
||||||
|
OPENSSL_free(dynbuf);
|
||||||
|
}
|
||||||
|
else
|
||||||
|
@@ -829,7 +872,8 @@ int BIO_vsnprintf(char *buf, size_t n, c
|
||||||
|
size_t retlen;
|
||||||
|
int truncated;
|
||||||
|
|
||||||
|
- _dopr(&buf, NULL, &n, &retlen, &truncated, format, args);
|
||||||
|
+ if(!_dopr(&buf, NULL, &n, &retlen, &truncated, format, args))
|
||||||
|
+ return -1;
|
||||||
|
|
||||||
|
if (truncated)
|
||||||
|
/* In case of truncation, return -1 like traditional snprintf.
|
20
openssl.spec
20
openssl.spec
@ -23,7 +23,7 @@
|
|||||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||||
Name: openssl
|
Name: openssl
|
||||||
Version: 1.0.1k
|
Version: 1.0.1k
|
||||||
Release: 13%{?dist}
|
Release: 14%{?dist}
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
# We have to remove certain patented algorithms from the openssl source
|
# We have to remove certain patented algorithms from the openssl source
|
||||||
# tarball with the hobble-openssl script which is included below.
|
# tarball with the hobble-openssl script which is included below.
|
||||||
@ -106,6 +106,11 @@ Patch112: openssl-1.0.1e-cve-2015-1792.patch
|
|||||||
Patch113: openssl-1.0.1e-cve-2015-3194.patch
|
Patch113: openssl-1.0.1e-cve-2015-3194.patch
|
||||||
Patch114: openssl-1.0.1e-cve-2015-3195.patch
|
Patch114: openssl-1.0.1e-cve-2015-3195.patch
|
||||||
Patch115: openssl-1.0.1k-cve-2015-3196.patch
|
Patch115: openssl-1.0.1k-cve-2015-3196.patch
|
||||||
|
Patch116: openssl-1.0.1e-cve-2015-3197.patch
|
||||||
|
Patch117: openssl-1.0.1k-cve-2016-0702.patch
|
||||||
|
Patch118: openssl-1.0.1e-cve-2016-0705.patch
|
||||||
|
Patch119: openssl-1.0.1e-cve-2016-0797.patch
|
||||||
|
Patch120: openssl-1.0.1k-cve-2016-0799.patch
|
||||||
|
|
||||||
License: OpenSSL
|
License: OpenSSL
|
||||||
Group: System Environment/Libraries
|
Group: System Environment/Libraries
|
||||||
@ -245,6 +250,11 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
|
|||||||
%patch113 -p1 -b .pss-check
|
%patch113 -p1 -b .pss-check
|
||||||
%patch114 -p1 -b .combine-leak
|
%patch114 -p1 -b .combine-leak
|
||||||
%patch115 -p1 -b .psk-identity
|
%patch115 -p1 -b .psk-identity
|
||||||
|
%patch116 -p1 -b .ssl2-ciphers
|
||||||
|
%patch117 -p1 -b .rsa-const
|
||||||
|
%patch118 -p1 -b .dsa-doublefree
|
||||||
|
%patch119 -p1 -b .bn-hex
|
||||||
|
%patch120 -p1 -b .bio-printf
|
||||||
|
|
||||||
sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h
|
sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h
|
||||||
|
|
||||||
@ -517,6 +527,14 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
|
|||||||
%postun libs -p /sbin/ldconfig
|
%postun libs -p /sbin/ldconfig
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Mar 2 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-14
|
||||||
|
- fix CVE-2016-0702 - side channel attack on modular exponentiation
|
||||||
|
- fix CVE-2016-0705 - double-free in DSA private key parsing
|
||||||
|
- fix CVE-2016-0797 - heap corruption in BN_hex2bn and BN_dec2bn
|
||||||
|
- fix CVE-2015-3197 - SSLv2 ciphersuite enforcement
|
||||||
|
- fix CVE-2015-7575 - disallow use of MD5 in TLS1.2
|
||||||
|
- fix CVE-2016-0799 - memory issues in BIO_*printf functions
|
||||||
|
|
||||||
* Fri Dec 4 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1k-13
|
* Fri Dec 4 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1k-13
|
||||||
- fix CVE-2015-3194 - certificate verify crash with missing PSS parameter
|
- fix CVE-2015-3194 - certificate verify crash with missing PSS parameter
|
||||||
- fix CVE-2015-3195 - X509_ATTRIBUTE memory leak
|
- fix CVE-2015-3195 - X509_ATTRIBUTE memory leak
|
||||||
|
Loading…
Reference in New Issue
Block a user