File openssl-CVE-2015-1790.patch of Package openssl.4105
commit 59302b600e8d5b77ef144e447bb046fd7ab72686
Author: Emilia Kasper <emilia@openssl.org>
Date: Tue May 12 19:00:30 2015 +0200
PKCS#7: Fix NULL dereference with missing EncryptedContent.
CVE-2015-1790
Reviewed-by: Rich Salz <rsalz@openssl.org>
Index: openssl-1.0.1i/crypto/pkcs7/pk7_doit.c
===================================================================
--- openssl-1.0.1i.orig/crypto/pkcs7/pk7_doit.c 2015-06-12 12:40:53.809587792 +0200
+++ openssl-1.0.1i/crypto/pkcs7/pk7_doit.c 2015-06-12 12:40:53.838588132 +0200
@@ -468,6 +468,12 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
switch (i)
{
case NID_pkcs7_signed:
+ /*
+ * p7->d.sign->contents is a PKCS7 structure consisting of a contentType
+ * field and optional content.
+ * data_body is NULL if that structure has no (=detached) content
+ * or if the contentType is wrong (i.e., not "data").
+ */
data_body=PKCS7_get_octet_string(p7->d.sign->contents);
if (!PKCS7_is_detached(p7) && data_body == NULL)
{
@@ -479,6 +485,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
case NID_pkcs7_signedAndEnveloped:
rsk=p7->d.signed_and_enveloped->recipientinfo;
md_sk=p7->d.signed_and_enveloped->md_algs;
+ /* data_body is NULL if the optional EncryptedContent is missing. */
data_body=p7->d.signed_and_enveloped->enc_data->enc_data;
enc_alg=p7->d.signed_and_enveloped->enc_data->algorithm;
evp_cipher=EVP_get_cipherbyobj(enc_alg->algorithm);
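Review bot: The new comment records that `data_body` may be NULL, yet the lines right after it dereference `p7->d.signed_and_enveloped->enc_data` twice and then `enc_alg->algorithm`, with no check visible in this hunk. If the ASN.1 templates guarantee that `enc_data` and its `algorithm` are always present after parsing, say so next to the comment, e.g. `/* enc_data and enc_data->algorithm are mandatory; only enc_data->enc_data is OPTIONAL. */`. If they do not, these reads need a NULL guard of their own, because the `data_body == NULL && in_bio == NULL` check added further down runs only after them. The switch and the rest of PKCS7_dataDecode lie outside the hunk, so an earlier guard may already exist.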
@@ -504,6 +511,12 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
goto err;
}
+ /* Detached content must be supplied via in_bio instead. */
+ if (data_body == NULL && in_bio == NULL) {
+ PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_CONTENT);
+ goto err;
+ }
+
/* We will be checking the signature */
if (md_sk != NULL)
{
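Review bot: The comment on the new guard mentions only detached content, but the check `data_body == NULL && in_bio == NULL` sits after the content-type switch and so also covers signedAndEnveloped with a missing EncryptedContent, the case the commit title names. A wording such as `/* No embedded content (detached, or EncryptedContent absent): the caller must supply it via in_bio. */` would cover both. The guard also changes what callers see, which the function's documentation should state: judging by the condition removed in the last hunk, a detached structure passed with `in_bio == NULL` used to continue with `bio=in_bio` and now fails with `PKCS7_R_NO_CONTENT`. As a style point, the added `if (...) {` keeps the brace on the same line, unlike the context lines just below it. PKCS7_dataDecode starts and ends outside this hunk.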
@@ -660,8 +673,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
}
#if 1
- if (PKCS7_is_detached(p7) || (in_bio != NULL))
- {
+ if (in_bio != NULL) {
bio=in_bio;
}
else