[Midnightbsd-cvs] src [7428] stable/0.7: Fix 3 issues in OpenSSL

Thu Jan 14 19:17:10 EST 2016

Revision: 7428
          http://svnweb.midnightbsd.org/src/?rev=7428
Author:   laffer1
Date:     2016-01-14 19:17:09 -0500 (Thu, 14 Jan 2016)
Log Message:
-----------
Fix 3 issues in OpenSSL

Modified Paths:
--------------
    stable/0.7/UPDATING
    stable/0.7/crypto/openssl/crypto/asn1/tasn_dec.c
    stable/0.7/crypto/openssl/crypto/rsa/rsa_ameth.c

Modified: stable/0.7/UPDATING
===================================================================

--- stable/0.7/UPDATING	2016-01-15 00:06:28 UTC (rev 7427)
+++ stable/0.7/UPDATING	2016-01-15 00:17:09 UTC (rev 7428)
@@ -2,6 +2,18 @@
 
 20160114:
 	0.7.3 RELEASE
+
+	OpenSSL
+
+	The signature verification routines will crash with a NULL pointer dereference
+	if presented with an ASN.1 signature using the RSA PSS algorithm and absent
+	mask generation function parameter. [CVE-2015-3194]
+
+	When presented with a malformed X509_ATTRIBUTE structure, OpenSSL will leak
+	memory. [CVE-2015-3195]
+
+	If PSK identity hints are received by a multi-threaded client then the values
+	are incorrectly updated in the parent SSL_CTX structure.  [CVE-2015-3196]
 	
 	linuxolator
 

Modified: stable/0.7/crypto/openssl/crypto/asn1/tasn_dec.c
===================================================================
--- stable/0.7/crypto/openssl/crypto/asn1/tasn_dec.c	2016-01-15 00:06:28 UTC (rev 7427)
+++ stable/0.7/crypto/openssl/crypto/asn1/tasn_dec.c	2016-01-15 00:17:09 UTC (rev 7428)
@@ -180,6 +180,8 @@
     int otag;
     int ret = 0;
     ASN1_VALUE **pchptr, *ptmpval;
+    int combine = aclass & ASN1_TFLG_COMBINE;
+    aclass &= ~ASN1_TFLG_COMBINE;
     if (!pval)
         return 0;
     if (aux && aux->asn1_cb)
@@ -500,7 +502,8 @@
  auxerr:
     ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR);
  err:
-    ASN1_item_ex_free(pval, it);
+    if (combine == 0)
+        ASN1_item_ex_free(pval, it);
     if (errtt)
         ERR_add_error_data(4, "Field=", errtt->field_name,
                            ", Type=", it->sname);
@@ -689,7 +692,7 @@
     } else {
         /* Nothing special */
         ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
-                               -1, 0, opt, ctx);
+                               -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx);
         if (!ret) {
             ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR);
             goto err;

Modified: stable/0.7/crypto/openssl/crypto/rsa/rsa_ameth.c
===================================================================
--- stable/0.7/crypto/openssl/crypto/rsa/rsa_ameth.c	2016-01-15 00:06:28 UTC (rev 7427)
+++ stable/0.7/crypto/openssl/crypto/rsa/rsa_ameth.c	2016-01-15 00:17:09 UTC (rev 7428)
@@ -279,7 +279,7 @@
     if (pss->maskGenAlgorithm) {
         ASN1_TYPE *param = pss->maskGenAlgorithm->parameter;
         if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) == NID_mgf1
-            && param->type == V_ASN1_SEQUENCE) {
+            && param && param->type == V_ASN1_SEQUENCE) {
             p = param->value.sequence->data;
             plen = param->value.sequence->length;
             *pmaskHash = d2i_X509_ALGOR(NULL, &p, plen);

