File openssl-CVE-2016-2108.patch of Package compat-openssl098.29129

From c5e4bc81c5a142cab7f46f69824fa35367999ee8 Mon Sep 17 00:00:00 2001
From: Dr. Stephen Henson <steve@openssl.org>
Date: Fri, 15 Apr 2016 02:37:09 +0100
Subject: [PATCH] Fix ASN1_INTEGER handling.

Only treat an ASN1_ANY type as an integer if it has the V_ASN1_INTEGER
tag: V_ASN1_NEG_INTEGER is an internal only value which is never used
for on the wire encoding.

Thanks to David Benjamin <davidben@google.com> for reporting this bug.

This was found using libFuzzer.

RT#4364 (part) CVE-2016-2108.

From 32d3b0f52f77ce86d53f38685336668d47c5bdfe Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Thu, 16 Apr 2015 16:43:09 +0100
Subject: [PATCH] Fix encoding bug in i2c_ASN1_INTEGER
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fix bug where i2c_ASN1_INTEGER mishandles zero if it is marked as
negative.

Thanks to Huzaifa Sidhpurwala <huzaifas@redhat.com> and
Hanno Böck <hanno@hboeck.de> for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit a0eed48d37a4b7beea0c966caf09ad46f4a92a44)
---
 crypto/asn1/a_type.c   | 2 --
 crypto/asn1/tasn_dec.c | 2 --
 crypto/asn1/tasn_enc.c | 2 --
 3 files changed, 0 insertions(+), 6 deletions(-)

Index: openssl-0.9.8j/crypto/asn1/a_type.c
===================================================================
--- openssl-0.9.8j.orig/crypto/asn1/a_type.c	2017-02-06 16:55:36.742744471 +0100
+++ openssl-0.9.8j/crypto/asn1/a_type.c	2017-02-06 16:55:37.986763216 +0100
@@ -128,9 +128,7 @@ int ASN1_TYPE_cmp(const ASN1_TYPE *a, co
 		result = 0;	/* They do not have content. */
 		break;
 	case V_ASN1_INTEGER:
-	case V_ASN1_NEG_INTEGER:
 	case V_ASN1_ENUMERATED:
-	case V_ASN1_NEG_ENUMERATED:
 	case V_ASN1_BIT_STRING:
 	case V_ASN1_OCTET_STRING:
 	case V_ASN1_SEQUENCE:
Index: openssl-0.9.8j/crypto/asn1/tasn_dec.c
===================================================================
--- openssl-0.9.8j.orig/crypto/asn1/tasn_dec.c	2017-02-06 16:55:36.742744471 +0100
+++ openssl-0.9.8j/crypto/asn1/tasn_dec.c	2017-02-06 16:55:37.986763216 +0100
@@ -1003,9 +1003,7 @@ int asn1_ex_c2i(ASN1_VALUE **pval, const
 		break;
 
 		case V_ASN1_INTEGER:
-		case V_ASN1_NEG_INTEGER:
 		case V_ASN1_ENUMERATED:
-		case V_ASN1_NEG_ENUMERATED:
 		tint = (ASN1_INTEGER **)pval;
 		if (!c2i_ASN1_INTEGER(tint, &cont, len))
 			goto err;
Index: openssl-0.9.8j/crypto/asn1/tasn_enc.c
===================================================================
--- openssl-0.9.8j.orig/crypto/asn1/tasn_enc.c	2017-02-06 16:55:36.742744471 +0100
+++ openssl-0.9.8j/crypto/asn1/tasn_enc.c	2017-02-06 16:55:37.986763216 +0100
@@ -637,9 +637,7 @@ int asn1_ex_i2c(ASN1_VALUE **pval, unsig
 		break;
 
 		case V_ASN1_INTEGER:
-		case V_ASN1_NEG_INTEGER:
 		case V_ASN1_ENUMERATED:
-		case V_ASN1_NEG_ENUMERATED:
 		/* These are all have the same content format
 		 * as ASN1_INTEGER
 		 */
Index: openssl-0.9.8j/crypto/asn1/a_int.c
===================================================================
--- openssl-0.9.8j.orig/crypto/asn1/a_int.c	2017-02-06 16:55:36.742744471 +0100
+++ openssl-0.9.8j/crypto/asn1/a_int.c	2017-02-06 16:55:37.986763216 +0100
@@ -124,6 +124,8 @@ int i2c_ASN1_INTEGER(ASN1_INTEGER *a, un
 		{
 		ret=a->length;
 		i=a->data[0];
+ 		if (ret == 1 && i == 0)
+ 			neg=0;
 		if (!neg && (i > 127)) {
 			pad=1;
 			pb=0;
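Review bot: The two added lines clear `neg` only for the one-octet zero (`ret == 1 && i == 0`) and carry no comment saying why; something like `/* zero flagged negative: encode it as plain 0 */` would record the intent. A longer all-zero buffer that is still flagged negative does not match this test and, as far as the visible lines show, is kept in bounds only by the `i > 1` limit added to the copy loop later in this file, which is worth stating in the same comment. Both added lines also begin with a space before the tabs, unlike the tab-only indentation around them. The enclosing function starts and ends outside the hunk.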
@@ -157,7 +159,7 @@ int i2c_ASN1_INTEGER(ASN1_INTEGER *a, un
 		p += a->length - 1;
 		i = a->length;
 		/* Copy zeros to destination as long as source is zero */
-		while(!*n) {
+		while(!*n && i > 1) {
 			*(p--) = 0;
 			n--;
 			i--;
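Review bot: The comment above the loop (`Copy zeros to destination as long as source is zero`) no longer describes the condition, and the new `i > 1` term is the memory-safety bound here: it keeps `n` and `p` from stepping below the start of `a->data` and of the output buffer when every octet is zero. I would reword the comment to say that trailing zero octets are copied but the first octet is always left for the code after the loop, and put the bound first, `while (i > 1 && !*n) {`, so the count is tested before the byte is read. The loop relies on `a->length` being at least 1 on entry; the zero-length case is presumably handled outside the hunk and should be confirmed. The function body continues past the hunk.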
@@ -416,7 +418,7 @@ ASN1_INTEGER *BN_to_ASN1_INTEGER(BIGNUM
 		ASN1err(ASN1_F_BN_TO_ASN1_INTEGER,ERR_R_NESTED_ASN1_ERROR);
 		goto err;
 		}
-	if (BN_is_negative(bn))
+	if (BN_is_negative(bn) && !BN_is_zero(bn))
 		ret->type = V_ASN1_NEG_INTEGER;
 	else ret->type=V_ASN1_INTEGER;
 	j=BN_num_bits(bn);
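Review bot: The new `!BN_is_zero(bn)` test stops this one constructor from producing a zero typed `V_ASN1_NEG_INTEGER`, but the patch shows no matching change for other code that can set a negative type. One candidate is the ENUMERATED counterpart `BN_to_ASN1_ENUMERATED`, if this tree has the same `BN_is_negative()` pattern there; it is worth checking so the two stay consistent. A short comment on the condition, `/* never mark zero as negative */`, would keep the reason visible. The function starts and ends outside the hunk.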