svn commit: r191381 - head/crypto/openssl/crypto/asn1 releng/6.3 releng/6.3/crypto/openssl/crypto/asn1 releng/6.3/lib/libc/db/btree releng/6.3/lib/libc/db/hash releng/6.3/lib/libc/db/mpool releng/6...

Colin Percival cperciva at FreeBSD.org
Wed Apr 22 14:07:15 UTC 2009


Author: cperciva
Date: Wed Apr 22 14:07:14 2009
New Revision: 191381
URL: http://svn.freebsd.org/changeset/base/191381

Log:
  Don't leak information via uninitialized space in db(3) records. [09:07]
  
  Sanity-check string lengths in order to stop OpenSSL crashing
  when printing corrupt BMPString or UniversalString objects. [09:08]
  
  Security:	FreeBSD-SA-09:07.libc
  Security:	FreeBSD-SA-09:08.openssl
  Security:	CVE-2009-0590
  Approved by:	re (kensmith)
  Approved by:	so (cperciva)

Modified:
  stable/7/crypto/openssl/crypto/asn1/asn1.h
  stable/7/crypto/openssl/crypto/asn1/asn1_err.c
  stable/7/crypto/openssl/crypto/asn1/tasn_dec.c

Changes in other areas also in this revision:
Modified:
  head/crypto/openssl/crypto/asn1/asn1.h
  head/crypto/openssl/crypto/asn1/asn1_err.c
  head/crypto/openssl/crypto/asn1/tasn_dec.c
  releng/6.3/UPDATING
  releng/6.3/crypto/openssl/crypto/asn1/asn1.h
  releng/6.3/crypto/openssl/crypto/asn1/asn1_err.c
  releng/6.3/crypto/openssl/crypto/asn1/tasn_dec.c
  releng/6.3/lib/libc/db/btree/bt_split.c
  releng/6.3/lib/libc/db/hash/hash_buf.c
  releng/6.3/lib/libc/db/mpool/mpool.c
  releng/6.3/sys/conf/newvers.sh
  releng/6.4/UPDATING
  releng/6.4/crypto/openssl/crypto/asn1/asn1.h
  releng/6.4/crypto/openssl/crypto/asn1/asn1_err.c
  releng/6.4/crypto/openssl/crypto/asn1/tasn_dec.c
  releng/6.4/lib/libc/db/btree/bt_split.c
  releng/6.4/lib/libc/db/hash/hash_buf.c
  releng/6.4/lib/libc/db/mpool/mpool.c
  releng/6.4/sys/conf/newvers.sh
  releng/7.0/UPDATING
  releng/7.0/crypto/openssl/crypto/asn1/asn1.h
  releng/7.0/crypto/openssl/crypto/asn1/asn1_err.c
  releng/7.0/crypto/openssl/crypto/asn1/tasn_dec.c
  releng/7.0/lib/libc/db/btree/bt_split.c
  releng/7.0/lib/libc/db/hash/hash_buf.c
  releng/7.0/lib/libc/db/mpool/mpool.c
  releng/7.0/sys/conf/newvers.sh
  releng/7.1/UPDATING
  releng/7.1/crypto/openssl/crypto/asn1/asn1.h
  releng/7.1/crypto/openssl/crypto/asn1/asn1_err.c
  releng/7.1/crypto/openssl/crypto/asn1/tasn_dec.c
  releng/7.1/lib/libc/db/btree/bt_split.c
  releng/7.1/lib/libc/db/hash/hash_buf.c
  releng/7.1/lib/libc/db/mpool/mpool.c
  releng/7.1/sys/conf/newvers.sh
  releng/7.2/UPDATING
  releng/7.2/crypto/openssl/crypto/asn1/asn1.h
  releng/7.2/crypto/openssl/crypto/asn1/asn1_err.c
  releng/7.2/crypto/openssl/crypto/asn1/tasn_dec.c
  stable/6/crypto/openssl/crypto/asn1/asn1.h
  stable/6/crypto/openssl/crypto/asn1/asn1_err.c
  stable/6/crypto/openssl/crypto/asn1/tasn_dec.c

Modified: stable/7/crypto/openssl/crypto/asn1/asn1.h
==============================================================================
--- stable/7/crypto/openssl/crypto/asn1/asn1.h	Wed Apr 22 13:31:52 2009	(r191380)
+++ stable/7/crypto/openssl/crypto/asn1/asn1.h	Wed Apr 22 14:07:14 2009	(r191381)
@@ -1134,6 +1134,7 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_R_BAD_OBJECT_HEADER			 102
 #define ASN1_R_BAD_PASSWORD_READ			 103
 #define ASN1_R_BAD_TAG					 104
+#define ASN1_R_BMPSTRING_IS_WRONG_LENGTH		 210
 #define ASN1_R_BN_LIB					 105
 #define ASN1_R_BOOLEAN_IS_WRONG_LENGTH			 106
 #define ASN1_R_BUFFER_TOO_SMALL				 107
@@ -1213,6 +1214,7 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_R_UNABLE_TO_DECODE_RSA_KEY			 157
 #define ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY		 158
 #define ASN1_R_UNEXPECTED_EOC				 159
+#define ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH		 211
 #define ASN1_R_UNKNOWN_FORMAT				 160
 #define ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM		 161
 #define ASN1_R_UNKNOWN_OBJECT_TYPE			 162

Modified: stable/7/crypto/openssl/crypto/asn1/asn1_err.c
==============================================================================
--- stable/7/crypto/openssl/crypto/asn1/asn1_err.c	Wed Apr 22 13:31:52 2009	(r191380)
+++ stable/7/crypto/openssl/crypto/asn1/asn1_err.c	Wed Apr 22 14:07:14 2009	(r191381)
@@ -188,6 +188,7 @@ static ERR_STRING_DATA ASN1_str_reasons[
 {ERR_REASON(ASN1_R_BAD_OBJECT_HEADER)    ,"bad object header"},
 {ERR_REASON(ASN1_R_BAD_PASSWORD_READ)    ,"bad password read"},
 {ERR_REASON(ASN1_R_BAD_TAG)              ,"bad tag"},
+{ERR_REASON(ASN1_R_BMPSTRING_IS_WRONG_LENGTH),"bmpstring is wrong length"},
 {ERR_REASON(ASN1_R_BN_LIB)               ,"bn lib"},
 {ERR_REASON(ASN1_R_BOOLEAN_IS_WRONG_LENGTH),"boolean is wrong length"},
 {ERR_REASON(ASN1_R_BUFFER_TOO_SMALL)     ,"buffer too small"},
@@ -267,6 +268,7 @@ static ERR_STRING_DATA ASN1_str_reasons[
 {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_KEY),"unable to decode rsa key"},
 {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY),"unable to decode rsa private key"},
 {ERR_REASON(ASN1_R_UNEXPECTED_EOC)       ,"unexpected eoc"},
+{ERR_REASON(ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH),"universalstring is wrong length"},
 {ERR_REASON(ASN1_R_UNKNOWN_FORMAT)       ,"unknown format"},
 {ERR_REASON(ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM),"unknown message digest algorithm"},
 {ERR_REASON(ASN1_R_UNKNOWN_OBJECT_TYPE)  ,"unknown object type"},

Modified: stable/7/crypto/openssl/crypto/asn1/tasn_dec.c
==============================================================================
--- stable/7/crypto/openssl/crypto/asn1/tasn_dec.c	Wed Apr 22 13:31:52 2009	(r191380)
+++ stable/7/crypto/openssl/crypto/asn1/tasn_dec.c	Wed Apr 22 14:07:14 2009	(r191381)
@@ -1012,6 +1012,18 @@ int asn1_ex_c2i(ASN1_VALUE **pval, const
 		case V_ASN1_SET:
 		case V_ASN1_SEQUENCE:
 		default:
+		if (utype == V_ASN1_BMPSTRING && (len & 1))
+			{
+			ASN1err(ASN1_F_ASN1_EX_C2I,
+					ASN1_R_BMPSTRING_IS_WRONG_LENGTH);
+			goto err;
+			}
+		if (utype == V_ASN1_UNIVERSALSTRING && (len & 3))
+			{
+			ASN1err(ASN1_F_ASN1_EX_C2I,
+					ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH);
+			goto err;
+			}
 		/* All based on ASN1_STRING and handled the same */
 		if (!*pval)
 			{


More information about the svn-src-stable mailing list