svn commit: r291854 - in releng: 10.1 10.1/crypto/openssl/crypto/asn1 10.1/crypto/openssl/crypto/rsa 10.1/crypto/openssl/ssl 10.1/sys/conf 10.2 10.2/crypto/openssl/crypto/asn1 10.2/crypto/openssl/c...
Xin LI
delphij at FreeBSD.org
Sat Dec 5 09:54:00 UTC 2015
Author: delphij
Date: Sat Dec 5 09:53:58 2015
New Revision: 291854
URL: https://svnweb.freebsd.org/changeset/base/291854
Log:
Fix OpenSSL multiple vulnerabilities.
Security: FreeBSD-SA-15:26.openssl
Approved by: so
Modified:
releng/10.1/UPDATING
releng/10.1/crypto/openssl/crypto/asn1/tasn_dec.c
releng/10.1/crypto/openssl/crypto/rsa/rsa_ameth.c
releng/10.1/crypto/openssl/ssl/s3_clnt.c
releng/10.1/crypto/openssl/ssl/s3_srvr.c
releng/10.1/sys/conf/newvers.sh
releng/10.2/UPDATING
releng/10.2/crypto/openssl/crypto/asn1/tasn_dec.c
releng/10.2/crypto/openssl/crypto/rsa/rsa_ameth.c
releng/10.2/sys/conf/newvers.sh
releng/9.3/UPDATING
releng/9.3/crypto/openssl/crypto/asn1/tasn_dec.c
releng/9.3/sys/conf/newvers.sh
Modified: releng/10.1/UPDATING
==============================================================================
--- releng/10.1/UPDATING Sat Dec 5 09:50:37 2015 (r291853)
+++ releng/10.1/UPDATING Sat Dec 5 09:53:58 2015 (r291854)
@@ -16,6 +16,10 @@ from older versions of FreeBSD, try WITH
stable/10, and then rebuild without this option. The bootstrap process from
older version of current is a bit fragile.
+20151205 p25 FreeBSD-SA-15:26.openssl
+
+ Fix multiple OpenSSL vulnerabilities. [SA-15:26]
+
20151104 p24 FreeBSD-SA-15:25.ntp [revised]
FreeBSD-EN-15:19.kqueue
FreeBSD-EN-15:20.vm
Modified: releng/10.1/crypto/openssl/crypto/asn1/tasn_dec.c
==============================================================================
--- releng/10.1/crypto/openssl/crypto/asn1/tasn_dec.c Sat Dec 5 09:50:37 2015 (r291853)
+++ releng/10.1/crypto/openssl/crypto/asn1/tasn_dec.c Sat Dec 5 09:53:58 2015 (r291854)
@@ -169,6 +169,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval,
int otag;
int ret = 0;
ASN1_VALUE **pchptr, *ptmpval;
+ int combine = aclass & ASN1_TFLG_COMBINE;
+ aclass &= ~ASN1_TFLG_COMBINE;
if (!pval)
return 0;
if (aux && aux->asn1_cb)
@@ -534,7 +536,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval,
auxerr:
ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR);
err:
- ASN1_item_ex_free(pval, it);
+ if (combine == 0)
+ ASN1_item_ex_free(pval, it);
if (errtt)
ERR_add_error_data(4, "Field=", errtt->field_name,
", Type=", it->sname);
@@ -762,7 +765,7 @@ static int asn1_template_noexp_d2i(ASN1_
{
/* Nothing special */
ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
- -1, 0, opt, ctx);
+ -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx);
if (!ret)
{
ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I,
Modified: releng/10.1/crypto/openssl/crypto/rsa/rsa_ameth.c
==============================================================================
--- releng/10.1/crypto/openssl/crypto/rsa/rsa_ameth.c Sat Dec 5 09:50:37 2015 (r291853)
+++ releng/10.1/crypto/openssl/crypto/rsa/rsa_ameth.c Sat Dec 5 09:53:58 2015 (r291854)
@@ -287,7 +287,7 @@ static RSA_PSS_PARAMS *rsa_pss_decode(co
{
ASN1_TYPE *param = pss->maskGenAlgorithm->parameter;
if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) == NID_mgf1
- && param->type == V_ASN1_SEQUENCE)
+ && param && param->type == V_ASN1_SEQUENCE)
{
p = param->value.sequence->data;
plen = param->value.sequence->length;
Modified: releng/10.1/crypto/openssl/ssl/s3_clnt.c
==============================================================================
--- releng/10.1/crypto/openssl/ssl/s3_clnt.c Sat Dec 5 09:50:37 2015 (r291853)
+++ releng/10.1/crypto/openssl/ssl/s3_clnt.c Sat Dec 5 09:53:58 2015 (r291854)
@@ -1360,8 +1360,6 @@ int ssl3_get_key_exchange(SSL *s)
#ifndef OPENSSL_NO_PSK
if (alg_k & SSL_kPSK)
{
- char tmp_id_hint[PSK_MAX_IDENTITY_LEN+1];
-
param_len = 2;
if (param_len > n)
{
@@ -1390,16 +1388,8 @@ int ssl3_get_key_exchange(SSL *s)
}
param_len += i;
- /* If received PSK identity hint contains NULL
- * characters, the hint is truncated from the first
- * NULL. p may not be ending with NULL, so create a
- * NULL-terminated string. */
- memcpy(tmp_id_hint, p, i);
- memset(tmp_id_hint+i, 0, PSK_MAX_IDENTITY_LEN+1-i);
- if (s->ctx->psk_identity_hint != NULL)
- OPENSSL_free(s->ctx->psk_identity_hint);
- s->ctx->psk_identity_hint = BUF_strdup(tmp_id_hint);
- if (s->ctx->psk_identity_hint == NULL)
+ s->session->psk_identity_hint = BUF_strndup((char *)p, i);
+ if (s->session->psk_identity_hint == NULL)
{
al=SSL_AD_HANDSHAKE_FAILURE;
SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
@@ -3009,7 +2999,7 @@ int ssl3_send_client_key_exchange(SSL *s
}
memset(identity, 0, sizeof(identity));
- psk_len = s->psk_client_callback(s, s->ctx->psk_identity_hint,
+ psk_len = s->psk_client_callback(s, s->session->psk_identity_hint,
identity, sizeof(identity) - 1,
psk_or_pre_ms, sizeof(psk_or_pre_ms));
if (psk_len > PSK_MAX_PSK_LEN)
Modified: releng/10.1/crypto/openssl/ssl/s3_srvr.c
==============================================================================
--- releng/10.1/crypto/openssl/ssl/s3_srvr.c Sat Dec 5 09:50:37 2015 (r291853)
+++ releng/10.1/crypto/openssl/ssl/s3_srvr.c Sat Dec 5 09:53:58 2015 (r291854)
@@ -2827,7 +2827,7 @@ int ssl3_get_client_key_exchange(SSL *s)
if (s->session->psk_identity != NULL)
OPENSSL_free(s->session->psk_identity);
- s->session->psk_identity = BUF_strdup((char *)p);
+ s->session->psk_identity = BUF_strndup((char *)p, i);
if (s->session->psk_identity == NULL)
{
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
Modified: releng/10.1/sys/conf/newvers.sh
==============================================================================
--- releng/10.1/sys/conf/newvers.sh Sat Dec 5 09:50:37 2015 (r291853)
+++ releng/10.1/sys/conf/newvers.sh Sat Dec 5 09:53:58 2015 (r291854)
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="10.1"
-BRANCH="RELEASE-p24"
+BRANCH="RELEASE-p25"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
Modified: releng/10.2/UPDATING
==============================================================================
--- releng/10.2/UPDATING Sat Dec 5 09:50:37 2015 (r291853)
+++ releng/10.2/UPDATING Sat Dec 5 09:53:58 2015 (r291854)
@@ -16,6 +16,10 @@ from older versions of FreeBSD, try WITH
stable/10, and then rebuild without this option. The bootstrap process from
older version of current is a bit fragile.
+20151205 p8 FreeBSD-SA-15:26.openssl
+
+ Fix multiple OpenSSL vulnerabilities. [SA-15:26]
+
20151104 p7 FreeBSD-SA-15:25.ntp [revised]
FreeBSD-EN-15:19.kqueue
FreeBSD-EN-15:20.vm
Modified: releng/10.2/crypto/openssl/crypto/asn1/tasn_dec.c
==============================================================================
--- releng/10.2/crypto/openssl/crypto/asn1/tasn_dec.c Sat Dec 5 09:50:37 2015 (r291853)
+++ releng/10.2/crypto/openssl/crypto/asn1/tasn_dec.c Sat Dec 5 09:53:58 2015 (r291854)
@@ -180,6 +180,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval,
int otag;
int ret = 0;
ASN1_VALUE **pchptr, *ptmpval;
+ int combine = aclass & ASN1_TFLG_COMBINE;
+ aclass &= ~ASN1_TFLG_COMBINE;
if (!pval)
return 0;
if (aux && aux->asn1_cb)
@@ -500,7 +502,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval,
auxerr:
ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR);
err:
- ASN1_item_ex_free(pval, it);
+ if (combine == 0)
+ ASN1_item_ex_free(pval, it);
if (errtt)
ERR_add_error_data(4, "Field=", errtt->field_name,
", Type=", it->sname);
@@ -689,7 +692,7 @@ static int asn1_template_noexp_d2i(ASN1_
} else {
/* Nothing special */
ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
- -1, 0, opt, ctx);
+ -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx);
if (!ret) {
ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR);
goto err;
Modified: releng/10.2/crypto/openssl/crypto/rsa/rsa_ameth.c
==============================================================================
--- releng/10.2/crypto/openssl/crypto/rsa/rsa_ameth.c Sat Dec 5 09:50:37 2015 (r291853)
+++ releng/10.2/crypto/openssl/crypto/rsa/rsa_ameth.c Sat Dec 5 09:53:58 2015 (r291854)
@@ -279,7 +279,7 @@ static RSA_PSS_PARAMS *rsa_pss_decode(co
if (pss->maskGenAlgorithm) {
ASN1_TYPE *param = pss->maskGenAlgorithm->parameter;
if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) == NID_mgf1
- && param->type == V_ASN1_SEQUENCE) {
+ && param && param->type == V_ASN1_SEQUENCE) {
p = param->value.sequence->data;
plen = param->value.sequence->length;
*pmaskHash = d2i_X509_ALGOR(NULL, &p, plen);
Modified: releng/10.2/sys/conf/newvers.sh
==============================================================================
--- releng/10.2/sys/conf/newvers.sh Sat Dec 5 09:50:37 2015 (r291853)
+++ releng/10.2/sys/conf/newvers.sh Sat Dec 5 09:53:58 2015 (r291854)
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="10.2"
-BRANCH="RELEASE-p7"
+BRANCH="RELEASE-p8"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
Modified: releng/9.3/UPDATING
==============================================================================
--- releng/9.3/UPDATING Sat Dec 5 09:50:37 2015 (r291853)
+++ releng/9.3/UPDATING Sat Dec 5 09:53:58 2015 (r291854)
@@ -11,6 +11,10 @@ handbook:
Items affecting the ports and packages system can be found in
/usr/ports/UPDATING. Please read that file before running portupgrade.
+20151205 p31 FreeBSD-SA-15:26.openssl
+
+ Fix OpenSSL X509_ATTRIBUTE memory leak. [SA-15:26]
+
20151104 p30 FreeBSD-SA-15:25.ntp [revised]
FreeBSD-EN-15:19.kqueue
FreeBSD-EN-15:20.vm
Modified: releng/9.3/crypto/openssl/crypto/asn1/tasn_dec.c
==============================================================================
--- releng/9.3/crypto/openssl/crypto/asn1/tasn_dec.c Sat Dec 5 09:50:37 2015 (r291853)
+++ releng/9.3/crypto/openssl/crypto/asn1/tasn_dec.c Sat Dec 5 09:53:58 2015 (r291854)
@@ -167,6 +167,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval,
int otag;
int ret = 0;
ASN1_VALUE **pchptr, *ptmpval;
+ int combine = aclass & ASN1_TFLG_COMBINE;
+ aclass &= ~ASN1_TFLG_COMBINE;
if (!pval)
return 0;
if (aux && aux->asn1_cb)
@@ -532,7 +534,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval,
auxerr:
ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR);
err:
- ASN1_item_ex_free(pval, it);
+ if (combine == 0)
+ ASN1_item_ex_free(pval, it);
if (errtt)
ERR_add_error_data(4, "Field=", errtt->field_name,
", Type=", it->sname);
@@ -758,7 +761,7 @@ static int asn1_template_noexp_d2i(ASN1_
{
/* Nothing special */
ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
- -1, 0, opt, ctx);
+ -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx);
if (!ret)
{
ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I,
Modified: releng/9.3/sys/conf/newvers.sh
==============================================================================
--- releng/9.3/sys/conf/newvers.sh Sat Dec 5 09:50:37 2015 (r291853)
+++ releng/9.3/sys/conf/newvers.sh Sat Dec 5 09:53:58 2015 (r291854)
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="9.3"
-BRANCH="RELEASE-p30"
+BRANCH="RELEASE-p31"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
More information about the svn-src-releng
mailing list