Fix multiple security issues.
- fix CVE-2016-0702 - side channel attack on modular exponentiation - fix CVE-2016-0705 - double-free in DSA private key parsing - fix CVE-2016-0797 - heap corruption in BN_hex2bn and BN_dec2bn - fix CVE-2015-3197 - SSLv2 ciphersuite enforcement - fix CVE-2015-7575 - disallow use of MD5 in TLS1.2 - fix CVE-2016-0799 - memory issues in BIO_*printf functions
This commit is contained in:
parent
85a2d8a93c
commit
0fa091c0ff
42
openssl-1.0.1e-cve-2015-3197.patch
Normal file
42
openssl-1.0.1e-cve-2015-3197.patch
Normal file
@ -0,0 +1,42 @@
|
||||
diff -up openssl-1.0.1e/ssl/s2_srvr.c.ssl2-ciphers openssl-1.0.1e/ssl/s2_srvr.c
|
||||
--- openssl-1.0.1e/ssl/s2_srvr.c.ssl2-ciphers 2016-01-14 17:38:50.000000000 +0100
|
||||
+++ openssl-1.0.1e/ssl/s2_srvr.c 2016-02-16 16:18:59.790225008 +0100
|
||||
@@ -392,7 +392,7 @@ static int get_client_master_key(SSL *s)
|
||||
}
|
||||
|
||||
cp=ssl2_get_cipher_by_char(p);
|
||||
- if (cp == NULL)
|
||||
+ if (cp == NULL || sk_SSL_CIPHER_find(s->session->ciphers, cp) < 0)
|
||||
{
|
||||
ssl2_return_error(s,SSL2_PE_NO_CIPHER);
|
||||
SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_NO_CIPHER_MATCH);
|
||||
@@ -692,9 +692,13 @@ static int get_client_hello(SSL *s)
|
||||
prio = cs;
|
||||
allow = cl;
|
||||
}
|
||||
+
|
||||
+ /* Generate list of SSLv2 ciphers shared between client and server */
|
||||
for (z=0; z<sk_SSL_CIPHER_num(prio); z++)
|
||||
{
|
||||
- if (sk_SSL_CIPHER_find(allow,sk_SSL_CIPHER_value(prio,z)) < 0)
|
||||
+ const SSL_CIPHER *cp = sk_SSL_CIPHER_value(prio, z);
|
||||
+ if ((cp->algorithm_ssl & SSL_SSLV2) == 0 ||
|
||||
+ sk_SSL_CIPHER_find(allow,cp) < 0)
|
||||
{
|
||||
(void)sk_SSL_CIPHER_delete(prio,z);
|
||||
z--;
|
||||
@@ -705,6 +709,14 @@ static int get_client_hello(SSL *s)
|
||||
sk_SSL_CIPHER_free(s->session->ciphers);
|
||||
s->session->ciphers = prio;
|
||||
}
|
||||
+
|
||||
+ /* Make sure we have at least one cipher in common */
|
||||
+ if (sk_SSL_CIPHER_num(s->session->ciphers) == 0)
|
||||
+ {
|
||||
+ ssl2_return_error(s, SSL2_PE_NO_CIPHER);
|
||||
+ SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_NO_CIPHER_MATCH);
|
||||
+ return -1;
|
||||
+ }
|
||||
/* s->session->ciphers should now have a list of
|
||||
* ciphers that are on both the client and server.
|
||||
* This list is ordered by the order the client sent
|
74
openssl-1.0.1e-cve-2016-0797.patch
Normal file
74
openssl-1.0.1e-cve-2016-0797.patch
Normal file
@ -0,0 +1,74 @@
|
||||
diff -up openssl-1.0.1e/crypto/bn/bn.h.bn-hex openssl-1.0.1e/crypto/bn/bn.h
|
||||
--- openssl-1.0.1e/crypto/bn/bn.h.bn-hex 2016-02-24 14:23:33.020233047 +0100
|
||||
+++ openssl-1.0.1e/crypto/bn/bn.h 2016-02-24 14:23:06.078615397 +0100
|
||||
@@ -129,6 +129,7 @@
|
||||
#ifndef OPENSSL_NO_FP_API
|
||||
#include <stdio.h> /* FILE */
|
||||
#endif
|
||||
+#include <limits.h>
|
||||
#include <openssl/ossl_typ.h>
|
||||
#include <openssl/crypto.h>
|
||||
|
||||
@@ -640,7 +641,8 @@ const BIGNUM *BN_get0_nist_prime_521(voi
|
||||
|
||||
/* library internal functions */
|
||||
|
||||
-#define bn_expand(a,bits) ((((((bits+BN_BITS2-1))/BN_BITS2)) <= (a)->dmax)?\
|
||||
+#define bn_expand(a,bits) (bits > (INT_MAX - BN_BITS2 + 1)?\
|
||||
+ NULL:(((((bits+BN_BITS2-1))/BN_BITS2)) <= (a)->dmax)?\
|
||||
(a):bn_expand2((a),(bits+BN_BITS2-1)/BN_BITS2))
|
||||
#define bn_wexpand(a,words) (((words) <= (a)->dmax)?(a):bn_expand2((a),(words)))
|
||||
BIGNUM *bn_expand2(BIGNUM *a, int words);
|
||||
diff -up openssl-1.0.1e/crypto/bn/bn_print.c.bn-hex openssl-1.0.1e/crypto/bn/bn_print.c
|
||||
--- openssl-1.0.1e/crypto/bn/bn_print.c.bn-hex 2013-02-11 16:26:04.000000000 +0100
|
||||
+++ openssl-1.0.1e/crypto/bn/bn_print.c 2016-02-24 14:15:21.215948376 +0100
|
||||
@@ -58,6 +58,7 @@
|
||||
|
||||
#include <stdio.h>
|
||||
#include <ctype.h>
|
||||
+#include <limits.h>
|
||||
#include "cryptlib.h"
|
||||
#include <openssl/buffer.h>
|
||||
#include "bn_lcl.h"
|
||||
@@ -180,8 +181,10 @@ int BN_hex2bn(BIGNUM **bn, const char *a
|
||||
|
||||
if (*a == '-') { neg=1; a++; }
|
||||
|
||||
- for (i=0; isxdigit((unsigned char) a[i]); i++)
|
||||
+ for (i=0; i <= (INT_MAX/4) && isxdigit((unsigned char) a[i]); i++)
|
||||
;
|
||||
+ if (i > INT_MAX/4)
|
||||
+ goto err;
|
||||
|
||||
num=i+neg;
|
||||
if (bn == NULL) return(num);
|
||||
@@ -197,7 +200,7 @@ int BN_hex2bn(BIGNUM **bn, const char *a
|
||||
BN_zero(ret);
|
||||
}
|
||||
|
||||
- /* i is the number of hex digests; */
|
||||
+ /* i is the number of hex digits */
|
||||
if (bn_expand(ret,i*4) == NULL) goto err;
|
||||
|
||||
j=i; /* least significant 'hex' */
|
||||
@@ -246,8 +249,10 @@ int BN_dec2bn(BIGNUM **bn, const char *a
|
||||
if ((a == NULL) || (*a == '\0')) return(0);
|
||||
if (*a == '-') { neg=1; a++; }
|
||||
|
||||
- for (i=0; isdigit((unsigned char) a[i]); i++)
|
||||
+ for (i=0; i <= (INT_MAX/4) && isdigit((unsigned char) a[i]); i++)
|
||||
;
|
||||
+ if (i > INT_MAX/4)
|
||||
+ goto err;
|
||||
|
||||
num=i+neg;
|
||||
if (bn == NULL) return(num);
|
||||
@@ -264,7 +269,7 @@ int BN_dec2bn(BIGNUM **bn, const char *a
|
||||
BN_zero(ret);
|
||||
}
|
||||
|
||||
- /* i is the number of digests, a bit of an over expand; */
|
||||
+ /* i is the number of digits, a bit of an over expand */
|
||||
if (bn_expand(ret,i*4) == NULL) goto err;
|
||||
|
||||
j=BN_DEC_NUM-(i%BN_DEC_NUM);
|
@ -11,3 +11,73 @@ diff -up openssl-1.0.1h/ssl/ssl_lib.c.v2v3 openssl-1.0.1h/ssl/ssl_lib.c
|
||||
return(ret);
|
||||
err:
|
||||
SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE);
|
||||
diff -up openssl-1.0.1e/doc/apps/ciphers.pod.disable-sslv2 openssl-1.0.1e/doc/apps/ciphers.pod
|
||||
--- openssl-1.0.1e/doc/apps/ciphers.pod.disable-sslv2 2016-01-14 17:38:50.000000000 +0100
|
||||
+++ openssl-1.0.1e/doc/apps/ciphers.pod 2016-02-24 11:17:36.297955053 +0100
|
||||
@@ -572,11 +572,11 @@ Note: these ciphers can also be used in
|
||||
=head2 Deprecated SSL v2.0 cipher suites.
|
||||
|
||||
SSL_CK_RC4_128_WITH_MD5 RC4-MD5
|
||||
- SSL_CK_RC4_128_EXPORT40_WITH_MD5 EXP-RC4-MD5
|
||||
- SSL_CK_RC2_128_CBC_WITH_MD5 RC2-MD5
|
||||
- SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 EXP-RC2-MD5
|
||||
+ SSL_CK_RC4_128_EXPORT40_WITH_MD5 Not implemented.
|
||||
+ SSL_CK_RC2_128_CBC_WITH_MD5 RC2-CBC-MD5
|
||||
+ SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 Not implemented.
|
||||
SSL_CK_IDEA_128_CBC_WITH_MD5 IDEA-CBC-MD5
|
||||
- SSL_CK_DES_64_CBC_WITH_MD5 DES-CBC-MD5
|
||||
+ SSL_CK_DES_64_CBC_WITH_MD5 Not implemented.
|
||||
SSL_CK_DES_192_EDE3_CBC_WITH_MD5 DES-CBC3-MD5
|
||||
|
||||
=head1 NOTES
|
||||
diff -up openssl-1.0.1e/ssl/s2_lib.c.disable-sslv2 openssl-1.0.1e/ssl/s2_lib.c
|
||||
--- openssl-1.0.1e/ssl/s2_lib.c.disable-sslv2 2016-02-24 11:23:24.012237164 +0100
|
||||
+++ openssl-1.0.1e/ssl/s2_lib.c 2016-02-24 11:19:34.623773423 +0100
|
||||
@@ -156,6 +156,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
|
||||
128,
|
||||
},
|
||||
|
||||
+#if 0
|
||||
/* RC4_128_EXPORT40_WITH_MD5 */
|
||||
{
|
||||
1,
|
||||
@@ -171,6 +172,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
|
||||
40,
|
||||
128,
|
||||
},
|
||||
+#endif
|
||||
|
||||
/* RC2_128_CBC_WITH_MD5 */
|
||||
{
|
||||
@@ -188,6 +190,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
|
||||
128,
|
||||
},
|
||||
|
||||
+#if 0
|
||||
/* RC2_128_CBC_EXPORT40_WITH_MD5 */
|
||||
{
|
||||
1,
|
||||
@@ -203,6 +206,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
|
||||
40,
|
||||
128,
|
||||
},
|
||||
+#endif
|
||||
|
||||
#ifndef OPENSSL_NO_IDEA
|
||||
/* IDEA_128_CBC_WITH_MD5 */
|
||||
@@ -222,6 +226,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
|
||||
},
|
||||
#endif
|
||||
|
||||
+#if 0
|
||||
/* DES_64_CBC_WITH_MD5 */
|
||||
{
|
||||
1,
|
||||
@@ -237,6 +242,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
|
||||
56,
|
||||
56,
|
||||
},
|
||||
+#endif
|
||||
|
||||
/* DES_192_EDE3_CBC_WITH_MD5 */
|
||||
{
|
||||
|
1164
openssl-1.0.1k-cve-2016-0702.patch
Normal file
1164
openssl-1.0.1k-cve-2016-0702.patch
Normal file
File diff suppressed because it is too large
Load Diff
437
openssl-1.0.1k-cve-2016-0799.patch
Normal file
437
openssl-1.0.1k-cve-2016-0799.patch
Normal file
@ -0,0 +1,437 @@
|
||||
diff -up openssl-1.0.1k/crypto/bio/b_print.c.bio-printf openssl-1.0.1k/crypto/bio/b_print.c
|
||||
--- openssl-1.0.1k/crypto/bio/b_print.c.bio-printf 2015-01-08 15:00:36.000000000 +0100
|
||||
+++ openssl-1.0.1k/crypto/bio/b_print.c 2016-03-02 10:56:35.376167813 +0100
|
||||
@@ -125,14 +125,14 @@
|
||||
#define LLONG long
|
||||
#endif
|
||||
|
||||
-static void fmtstr (char **, char **, size_t *, size_t *,
|
||||
+static int fmtstr(char **, char **, size_t *, size_t *,
|
||||
const char *, int, int, int);
|
||||
-static void fmtint (char **, char **, size_t *, size_t *,
|
||||
+static int fmtint(char **, char **, size_t *, size_t *,
|
||||
LLONG, int, int, int, int);
|
||||
-static void fmtfp (char **, char **, size_t *, size_t *,
|
||||
+static int fmtfp(char **, char **, size_t *, size_t *,
|
||||
LDOUBLE, int, int, int);
|
||||
-static void doapr_outch (char **, char **, size_t *, size_t *, int);
|
||||
-static void _dopr(char **sbuffer, char **buffer,
|
||||
+static int doapr_outch(char **, char **, size_t *, size_t *, int);
|
||||
+static int _dopr(char **sbuffer, char **buffer,
|
||||
size_t *maxlen, size_t *retlen, int *truncated,
|
||||
const char *format, va_list args);
|
||||
|
||||
@@ -165,7 +165,7 @@ static void _dopr(char **sbuffer, char *
|
||||
#define char_to_int(p) (p - '0')
|
||||
#define OSSL_MAX(p,q) ((p >= q) ? p : q)
|
||||
|
||||
-static void
|
||||
+static int
|
||||
_dopr(
|
||||
char **sbuffer,
|
||||
char **buffer,
|
||||
@@ -200,7 +200,8 @@ _dopr(
|
||||
if (ch == '%')
|
||||
state = DP_S_FLAGS;
|
||||
else
|
||||
- doapr_outch(sbuffer,buffer, &currlen, maxlen, ch);
|
||||
+ if (!doapr_outch(sbuffer, buffer, &currlen, maxlen, ch))
|
||||
+ return 0;
|
||||
ch = *format++;
|
||||
break;
|
||||
case DP_S_FLAGS:
|
||||
@@ -306,8 +307,9 @@ _dopr(
|
||||
value = va_arg(args, int);
|
||||
break;
|
||||
}
|
||||
- fmtint(sbuffer, buffer, &currlen, maxlen,
|
||||
- value, 10, min, max, flags);
|
||||
+ if (!fmtint(sbuffer, buffer, &currlen, maxlen, value, 10, min,
|
||||
+ max, flags))
|
||||
+ return 0;
|
||||
break;
|
||||
case 'X':
|
||||
flags |= DP_F_UP;
|
||||
@@ -332,17 +334,19 @@ _dopr(
|
||||
unsigned int);
|
||||
break;
|
||||
}
|
||||
- fmtint(sbuffer, buffer, &currlen, maxlen, value,
|
||||
+ if (!fmtint(sbuffer, buffer, &currlen, maxlen, value,
|
||||
ch == 'o' ? 8 : (ch == 'u' ? 10 : 16),
|
||||
- min, max, flags);
|
||||
+ min, max, flags))
|
||||
+ return 0;
|
||||
break;
|
||||
case 'f':
|
||||
if (cflags == DP_C_LDOUBLE)
|
||||
fvalue = va_arg(args, LDOUBLE);
|
||||
else
|
||||
fvalue = va_arg(args, double);
|
||||
- fmtfp(sbuffer, buffer, &currlen, maxlen,
|
||||
- fvalue, min, max, flags);
|
||||
+ if (!fmtfp(sbuffer, buffer, &currlen, maxlen, fvalue, min, max,
|
||||
+ flags))
|
||||
+ return 0;
|
||||
break;
|
||||
case 'E':
|
||||
flags |= DP_F_UP;
|
||||
@@ -361,8 +365,9 @@ _dopr(
|
||||
fvalue = va_arg(args, double);
|
||||
break;
|
||||
case 'c':
|
||||
- doapr_outch(sbuffer, buffer, &currlen, maxlen,
|
||||
- va_arg(args, int));
|
||||
+ if(!doapr_outch(sbuffer, buffer, &currlen, maxlen,
|
||||
+ va_arg(args, int)))
|
||||
+ return 0;
|
||||
break;
|
||||
case 's':
|
||||
strvalue = va_arg(args, char *);
|
||||
@@ -372,13 +377,15 @@ _dopr(
|
||||
else
|
||||
max = *maxlen;
|
||||
}
|
||||
- fmtstr(sbuffer, buffer, &currlen, maxlen, strvalue,
|
||||
- flags, min, max);
|
||||
+ if (!fmtstr(sbuffer, buffer, &currlen, maxlen, strvalue,
|
||||
+ flags, min, max))
|
||||
+ return 0;
|
||||
break;
|
||||
case 'p':
|
||||
value = (long)va_arg(args, void *);
|
||||
- fmtint(sbuffer, buffer, &currlen, maxlen,
|
||||
- value, 16, min, max, flags|DP_F_NUM);
|
||||
+ if (!fmtint(sbuffer, buffer, &currlen, maxlen,
|
||||
+ value, 16, min, max, flags | DP_F_NUM))
|
||||
+ return 0;
|
||||
break;
|
||||
case 'n': /* XXX */
|
||||
if (cflags == DP_C_SHORT) {
|
||||
@@ -400,7 +407,8 @@ _dopr(
|
||||
}
|
||||
break;
|
||||
case '%':
|
||||
- doapr_outch(sbuffer, buffer, &currlen, maxlen, ch);
|
||||
+ if(!doapr_outch(sbuffer, buffer, &currlen, maxlen, ch))
|
||||
+ return 0;
|
||||
break;
|
||||
case 'w':
|
||||
/* not supported yet, treat as next char */
|
||||
@@ -424,12 +432,13 @@ _dopr(
|
||||
*truncated = (currlen > *maxlen - 1);
|
||||
if (*truncated)
|
||||
currlen = *maxlen - 1;
|
||||
- doapr_outch(sbuffer, buffer, &currlen, maxlen, '\0');
|
||||
+ if(!doapr_outch(sbuffer, buffer, &currlen, maxlen, '\0'))
|
||||
+ return 0;
|
||||
*retlen = currlen - 1;
|
||||
- return;
|
||||
+ return 1;
|
||||
}
|
||||
|
||||
-static void
|
||||
+static int
|
||||
fmtstr(
|
||||
char **sbuffer,
|
||||
char **buffer,
|
||||
@@ -440,36 +449,44 @@ fmtstr(
|
||||
int min,
|
||||
int max)
|
||||
{
|
||||
- int padlen, strln;
|
||||
+ int padlen;
|
||||
+ size_t strln;
|
||||
int cnt = 0;
|
||||
|
||||
if (value == 0)
|
||||
value = "<NULL>";
|
||||
- for (strln = 0; value[strln]; ++strln)
|
||||
- ;
|
||||
+
|
||||
+ strln = strlen(value);
|
||||
+ if (strln > INT_MAX)
|
||||
+ strln = INT_MAX;
|
||||
+
|
||||
padlen = min - strln;
|
||||
- if (padlen < 0)
|
||||
+ if (min < 0 || padlen < 0)
|
||||
padlen = 0;
|
||||
if (flags & DP_F_MINUS)
|
||||
padlen = -padlen;
|
||||
|
||||
while ((padlen > 0) && (cnt < max)) {
|
||||
- doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
|
||||
+ if(!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
|
||||
+ return 0;
|
||||
--padlen;
|
||||
++cnt;
|
||||
}
|
||||
while (*value && (cnt < max)) {
|
||||
- doapr_outch(sbuffer, buffer, currlen, maxlen, *value++);
|
||||
+ if(!doapr_outch(sbuffer, buffer, currlen, maxlen, *value++))
|
||||
+ return 0;
|
||||
++cnt;
|
||||
}
|
||||
while ((padlen < 0) && (cnt < max)) {
|
||||
- doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
|
||||
+ if(!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
|
||||
+ return 0;
|
||||
++padlen;
|
||||
++cnt;
|
||||
}
|
||||
+ return 1;
|
||||
}
|
||||
|
||||
-static void
|
||||
+static int
|
||||
fmtint(
|
||||
char **sbuffer,
|
||||
char **buffer,
|
||||
@@ -533,37 +550,44 @@ fmtint(
|
||||
|
||||
/* spaces */
|
||||
while (spadlen > 0) {
|
||||
- doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
|
||||
+ if(!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
|
||||
+ return 0;
|
||||
--spadlen;
|
||||
}
|
||||
|
||||
/* sign */
|
||||
if (signvalue)
|
||||
- doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue);
|
||||
+ if(!doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue))
|
||||
+ return 0;
|
||||
|
||||
/* prefix */
|
||||
while (*prefix) {
|
||||
- doapr_outch(sbuffer, buffer, currlen, maxlen, *prefix);
|
||||
+ if(!doapr_outch(sbuffer, buffer, currlen, maxlen, *prefix))
|
||||
+ return 0;
|
||||
prefix++;
|
||||
}
|
||||
|
||||
/* zeros */
|
||||
if (zpadlen > 0) {
|
||||
while (zpadlen > 0) {
|
||||
- doapr_outch(sbuffer, buffer, currlen, maxlen, '0');
|
||||
+ if(!doapr_outch(sbuffer, buffer, currlen, maxlen, '0'))
|
||||
+ return 0;
|
||||
--zpadlen;
|
||||
}
|
||||
}
|
||||
/* digits */
|
||||
- while (place > 0)
|
||||
- doapr_outch(sbuffer, buffer, currlen, maxlen, convert[--place]);
|
||||
+ while (place > 0) {
|
||||
+ if (!doapr_outch(sbuffer, buffer, currlen, maxlen, convert[--place]))
|
||||
+ return 0;
|
||||
+ }
|
||||
|
||||
/* left justified spaces */
|
||||
while (spadlen < 0) {
|
||||
- doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
|
||||
+ if (!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
|
||||
+ return 0;
|
||||
++spadlen;
|
||||
}
|
||||
- return;
|
||||
+ return 1;
|
||||
}
|
||||
|
||||
static LDOUBLE
|
||||
@@ -597,7 +621,7 @@ roundv(LDOUBLE value)
|
||||
return intpart;
|
||||
}
|
||||
|
||||
-static void
|
||||
+static int
|
||||
fmtfp(
|
||||
char **sbuffer,
|
||||
char **buffer,
|
||||
@@ -616,7 +640,6 @@ fmtfp(
|
||||
int fplace = 0;
|
||||
int padlen = 0;
|
||||
int zpadlen = 0;
|
||||
- int caps = 0;
|
||||
long intpart;
|
||||
long fracpart;
|
||||
long max10;
|
||||
@@ -650,9 +673,7 @@ fmtfp(
|
||||
|
||||
/* convert integer part */
|
||||
do {
|
||||
- iconvert[iplace++] =
|
||||
- (caps ? "0123456789ABCDEF"
|
||||
- : "0123456789abcdef")[intpart % 10];
|
||||
+ iconvert[iplace++] = "0123456789"[intpart % 10];
|
||||
intpart = (intpart / 10);
|
||||
} while (intpart && (iplace < (int)sizeof(iconvert)));
|
||||
if (iplace == sizeof iconvert)
|
||||
@@ -661,9 +682,7 @@ fmtfp(
|
||||
|
||||
/* convert fractional part */
|
||||
do {
|
||||
- fconvert[fplace++] =
|
||||
- (caps ? "0123456789ABCDEF"
|
||||
- : "0123456789abcdef")[fracpart % 10];
|
||||
+ fconvert[fplace++] = "0123456789"[fracpart % 10];
|
||||
fracpart = (fracpart / 10);
|
||||
} while (fplace < max);
|
||||
if (fplace == sizeof fconvert)
|
||||
@@ -682,47 +701,61 @@ fmtfp(
|
||||
|
||||
if ((flags & DP_F_ZERO) && (padlen > 0)) {
|
||||
if (signvalue) {
|
||||
- doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue);
|
||||
+ if (!doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue))
|
||||
+ return 0;
|
||||
--padlen;
|
||||
signvalue = 0;
|
||||
}
|
||||
while (padlen > 0) {
|
||||
- doapr_outch(sbuffer, buffer, currlen, maxlen, '0');
|
||||
+ if (!doapr_outch(sbuffer, buffer, currlen, maxlen, '0'))
|
||||
+ return 0;
|
||||
--padlen;
|
||||
}
|
||||
}
|
||||
while (padlen > 0) {
|
||||
- doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
|
||||
+ if (!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
|
||||
+ return 0;
|
||||
--padlen;
|
||||
}
|
||||
- if (signvalue)
|
||||
- doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue);
|
||||
+ if (signvalue && !doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue))
|
||||
+ return 0;
|
||||
|
||||
- while (iplace > 0)
|
||||
- doapr_outch(sbuffer, buffer, currlen, maxlen, iconvert[--iplace]);
|
||||
+ while (iplace > 0) {
|
||||
+ if (!doapr_outch(sbuffer, buffer, currlen, maxlen, iconvert[--iplace]))
|
||||
+ return 0;
|
||||
+ }
|
||||
|
||||
/*
|
||||
* Decimal point. This should probably use locale to find the correct
|
||||
* char to print out.
|
||||
*/
|
||||
if (max > 0 || (flags & DP_F_NUM)) {
|
||||
- doapr_outch(sbuffer, buffer, currlen, maxlen, '.');
|
||||
+ if (!doapr_outch(sbuffer, buffer, currlen, maxlen, '.'))
|
||||
+ return 0;
|
||||
|
||||
- while (fplace > 0)
|
||||
- doapr_outch(sbuffer, buffer, currlen, maxlen, fconvert[--fplace]);
|
||||
+ while (fplace > 0) {
|
||||
+ if(!doapr_outch(sbuffer, buffer, currlen, maxlen,
|
||||
+ fconvert[--fplace]))
|
||||
+ return 0;
|
||||
+ }
|
||||
}
|
||||
while (zpadlen > 0) {
|
||||
- doapr_outch(sbuffer, buffer, currlen, maxlen, '0');
|
||||
+ if (!doapr_outch(sbuffer, buffer, currlen, maxlen, '0'))
|
||||
+ return 0;
|
||||
--zpadlen;
|
||||
}
|
||||
|
||||
while (padlen < 0) {
|
||||
- doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
|
||||
+ if (!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
|
||||
+ return 0;
|
||||
++padlen;
|
||||
}
|
||||
+ return 1;
|
||||
}
|
||||
|
||||
-static void
|
||||
+#define BUFFER_INC 1024
|
||||
+
|
||||
+static int
|
||||
doapr_outch(
|
||||
char **sbuffer,
|
||||
char **buffer,
|
||||
@@ -733,24 +766,30 @@ doapr_outch(
|
||||
/* If we haven't at least one buffer, someone has doe a big booboo */
|
||||
assert(*sbuffer != NULL || buffer != NULL);
|
||||
|
||||
- if (buffer) {
|
||||
- while (*currlen >= *maxlen) {
|
||||
- if (*buffer == NULL) {
|
||||
- if (*maxlen == 0)
|
||||
- *maxlen = 1024;
|
||||
+ /* |currlen| must always be <= |*maxlen| */
|
||||
+ assert(*currlen <= *maxlen);
|
||||
+
|
||||
+ if (buffer && *currlen == *maxlen) {
|
||||
+ if (*maxlen > INT_MAX - BUFFER_INC)
|
||||
+ return 0;
|
||||
+
|
||||
+ *maxlen += BUFFER_INC;
|
||||
+ if (*buffer == NULL) {
|
||||
*buffer = OPENSSL_malloc(*maxlen);
|
||||
+ if (*buffer == NULL)
|
||||
+ return 0;
|
||||
if (*currlen > 0) {
|
||||
assert(*sbuffer != NULL);
|
||||
memcpy(*buffer, *sbuffer, *currlen);
|
||||
}
|
||||
*sbuffer = NULL;
|
||||
- } else {
|
||||
- *maxlen += 1024;
|
||||
- *buffer = OPENSSL_realloc(*buffer, *maxlen);
|
||||
- }
|
||||
+ } else {
|
||||
+ char *tmpbuf;
|
||||
+ tmpbuf = OPENSSL_realloc(*buffer, *maxlen);
|
||||
+ if (tmpbuf == NULL)
|
||||
+ return 0;
|
||||
+ *buffer = tmpbuf;
|
||||
}
|
||||
- /* What to do if *buffer is NULL? */
|
||||
- assert(*sbuffer != NULL || *buffer != NULL);
|
||||
}
|
||||
|
||||
if (*currlen < *maxlen) {
|
||||
@@ -760,7 +799,7 @@ doapr_outch(
|
||||
(*buffer)[(*currlen)++] = (char)c;
|
||||
}
|
||||
|
||||
- return;
|
||||
+ return 1;
|
||||
}
|
||||
|
||||
/***************************************************************************/
|
||||
@@ -792,11 +831,15 @@ int BIO_vprintf (BIO *bio, const char *f
|
||||
|
||||
dynbuf = NULL;
|
||||
CRYPTO_push_info("doapr()");
|
||||
- _dopr(&hugebufp, &dynbuf, &hugebufsize,
|
||||
- &retlen, &ignored, format, args);
|
||||
+ if (!_dopr(&hugebufp, &dynbuf, &hugebufsize, &retlen, &ignored, format,
|
||||
+ args))
|
||||
+ {
|
||||
+ OPENSSL_free(dynbuf);
|
||||
+ return -1;
|
||||
+ }
|
||||
if (dynbuf)
|
||||
{
|
||||
- ret=BIO_write(bio, dynbuf, (int)retlen);
|
||||
+ ret = BIO_write(bio, dynbuf, (int)retlen);
|
||||
OPENSSL_free(dynbuf);
|
||||
}
|
||||
else
|
||||
@@ -829,7 +872,8 @@ int BIO_vsnprintf(char *buf, size_t n, c
|
||||
size_t retlen;
|
||||
int truncated;
|
||||
|
||||
- _dopr(&buf, NULL, &n, &retlen, &truncated, format, args);
|
||||
+ if(!_dopr(&buf, NULL, &n, &retlen, &truncated, format, args))
|
||||
+ return -1;
|
||||
|
||||
if (truncated)
|
||||
/* In case of truncation, return -1 like traditional snprintf.
|
20
openssl.spec
20
openssl.spec
@ -23,7 +23,7 @@
|
||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||
Name: openssl
|
||||
Version: 1.0.1k
|
||||
Release: 13%{?dist}
|
||||
Release: 14%{?dist}
|
||||
Epoch: 1
|
||||
# We have to remove certain patented algorithms from the openssl source
|
||||
# tarball with the hobble-openssl script which is included below.
|
||||
@ -106,6 +106,11 @@ Patch112: openssl-1.0.1e-cve-2015-1792.patch
|
||||
Patch113: openssl-1.0.1e-cve-2015-3194.patch
|
||||
Patch114: openssl-1.0.1e-cve-2015-3195.patch
|
||||
Patch115: openssl-1.0.1k-cve-2015-3196.patch
|
||||
Patch116: openssl-1.0.1e-cve-2015-3197.patch
|
||||
Patch117: openssl-1.0.1k-cve-2016-0702.patch
|
||||
Patch118: openssl-1.0.1e-cve-2016-0705.patch
|
||||
Patch119: openssl-1.0.1e-cve-2016-0797.patch
|
||||
Patch120: openssl-1.0.1k-cve-2016-0799.patch
|
||||
|
||||
License: OpenSSL
|
||||
Group: System Environment/Libraries
|
||||
@ -245,6 +250,11 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
|
||||
%patch113 -p1 -b .pss-check
|
||||
%patch114 -p1 -b .combine-leak
|
||||
%patch115 -p1 -b .psk-identity
|
||||
%patch116 -p1 -b .ssl2-ciphers
|
||||
%patch117 -p1 -b .rsa-const
|
||||
%patch118 -p1 -b .dsa-doublefree
|
||||
%patch119 -p1 -b .bn-hex
|
||||
%patch120 -p1 -b .bio-printf
|
||||
|
||||
sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h
|
||||
|
||||
@ -517,6 +527,14 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
|
||||
%postun libs -p /sbin/ldconfig
|
||||
|
||||
%changelog
|
||||
* Wed Mar 2 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-14
|
||||
- fix CVE-2016-0702 - side channel attack on modular exponentiation
|
||||
- fix CVE-2016-0705 - double-free in DSA private key parsing
|
||||
- fix CVE-2016-0797 - heap corruption in BN_hex2bn and BN_dec2bn
|
||||
- fix CVE-2015-3197 - SSLv2 ciphersuite enforcement
|
||||
- fix CVE-2015-7575 - disallow use of MD5 in TLS1.2
|
||||
- fix CVE-2016-0799 - memory issues in BIO_*printf functions
|
||||
|
||||
* Fri Dec 4 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1k-13
|
||||
- fix CVE-2015-3194 - certificate verify crash with missing PSS parameter
|
||||
- fix CVE-2015-3195 - X509_ATTRIBUTE memory leak
|
||||
|
Loading…
Reference in New Issue
Block a user