File openssl-CVE-2015-3195.patch of Package compat-openssl098.29129

From 2cdafc51f008e65b2d5263a80ad0e89e9b56c8d3 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Tue, 10 Nov 2015 19:03:07 +0000
Subject: [PATCH] Fix leak with ASN.1 combine.

When parsing a combined structure pass a flag to the decode routine
so on error a pointer to the parent structure is not zeroed as
this will leak any additional components in the parent.

This can leak memory in any application parsing PKCS#7 or CMS structures.

CVE-2015-3195.

Thanks to Adam Langley (Google/BoringSSL) for discovering this bug using
libFuzzer.

PR#4131

Reviewed-by: Richard Levitte <levitte@openssl.org>
---
 crypto/asn1/tasn_dec.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

Index: openssl-0.9.8j/crypto/asn1/tasn_dec.c
===================================================================
--- openssl-0.9.8j.orig/crypto/asn1/tasn_dec.c	2015-12-04 14:55:36.978510933 +0100
+++ openssl-0.9.8j/crypto/asn1/tasn_dec.c	2015-12-04 14:57:54.282594142 +0100
@@ -167,6 +167,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval,
 	int otag;
 	int ret = 0;
 	ASN1_VALUE *pchval, **pchptr, *ptmpval;
+	int combine = aclass & ASN1_TFLG_COMBINE;
+	aclass &= ~ASN1_TFLG_COMBINE;
 	if (!pval)
 		return 0;
 	if (aux && aux->asn1_cb)
@@ -533,7 +535,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval,
 	auxerr:
 	ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR);
 	err:
-	ASN1_item_ex_free(pval, it);
+	if (combine == 0)
+        	ASN1_item_ex_free(pval, it);
 	if (errtt)
 		ERR_add_error_data(4, "Field=", errtt->field_name,
 					", Type=", it->sname);
@@ -759,7 +762,7 @@ static int asn1_template_noexp_d2i(ASN1_
 		{
 		/* Nothing special */
 		ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
-							-1, 0, opt, ctx);
+                               -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx);
 		if (!ret)
 			{
 			ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I,