File openssl-CVE-2015-0287.patch of Package compat-openssl098.29205
commit 5722767d5dc1a3b5505058fe27877fc993fe9a5a
Author: Dr. Stephen Henson <steve@openssl.org>
Date: Mon Feb 23 02:32:44 2015 +0000
Free up ADB and CHOICE if already initialised.
CVE-2015-0287
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
commit b15b947491b18de131d3d3a4b5b79bd0181af12e
Author: Dr. Stephen Henson <steve@openssl.org>
Date: Mon Feb 23 12:57:50 2015 +0000
Free up passed ASN.1 structure if reused.
Change the "reuse" behaviour in ASN1_item_d2i: if successful the old
structure is freed and a pointer to the new one used. If it is not
successful then the passed structure is untouched.
Exception made for primitive types so ssl_asn1.c still works.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Conflicts:
crypto/asn1/tasn_dec.c
doc/crypto/d2i_X509.pod
Index: openssl-0.9.8j/crypto/asn1/tasn_dec.c
===================================================================
--- openssl-0.9.8j.orig/crypto/asn1/tasn_dec.c 2015-03-16 18:07:00.209122045 +0100
+++ openssl-0.9.8j/crypto/asn1/tasn_dec.c 2015-03-16 18:09:23.777191563 +0100
@@ -309,9 +315,16 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval,
if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it))
goto auxerr;
- /* Allocate structure */
- if (!*pval && !ASN1_item_ex_new(pval, it))
- {
+ if (*pval) {
+ /* Free up and zero CHOICE value if initialised */
+ i = asn1_get_choice_selector(pval, it);
+ if ((i >= 0) && (i < it->tcount)) {
+ tt = it->templates + i;
+ pchptr = asn1_get_field_ptr(pval, tt);
+ ASN1_template_free(pchptr, tt);
+ asn1_set_choice_selector(pval, -1, it);
+ }
+ } else if (!ASN1_item_ex_new(pval, it)) {
ASN1err(ASN1_F_ASN1_ITEM_EX_D2I,
ERR_R_NESTED_ASN1_ERROR);
goto err;
@@ -406,6 +419,17 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval,
if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it))
goto auxerr;
+ /* Free up and zero any ADB found */
+ for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) {
+ if (tt->flags & ASN1_TFLG_ADB_MASK) {
+ const ASN1_TEMPLATE *seqtt;
+ ASN1_VALUE **pseqval;
+ seqtt = asn1_do_adb(pval, tt, 1);
+ pseqval = asn1_get_field_ptr(pval, seqtt);
+ ASN1_template_free(pseqval, seqtt);
+ }
+ }
+
/* Get each field entry */
for (i = 0, tt = it->templates; i < it->tcount; i++, tt++)
{
Index: openssl-0.9.8j/doc/crypto/d2i_X509.pod
===================================================================
--- openssl-0.9.8j.orig/doc/crypto/d2i_X509.pod 2015-03-16 18:07:00.209122045 +0100
+++ openssl-0.9.8j/doc/crypto/d2i_X509.pod 2015-03-16 18:07:19.466399606 +0100
@@ -199,6 +199,12 @@ B<*px> is valid is broken and some parts
persist if they are not present in the new one. As a result the use
of this "reuse" behaviour is strongly discouraged.
+Current versions of OpenSSL will not modify B<*px> if an error occurs.
+If parsing succeeds then B<*px> is freed (if it is not NULL) and then
+set to the value of the newly decoded structure. As a result B<*px>
+B<must not> be allocated on the stack or an attempt will be made to
+free an invalid pointer.
+
i2d_X509() will not return an error in many versions of OpenSSL,
if mandatory fields are not initialized due to a programming error
then the encoded structure may contain invalid data or omit the
@@ -210,7 +216,9 @@ always succeed.
d2i_X509(), d2i_X509_bio() and d2i_X509_fp() return a valid B<X509> structure
or B<NULL> if an error occurs. The error code that can be obtained by
-L<ERR_get_error(3)|ERR_get_error(3)>.
+L<ERR_get_error(3)|ERR_get_error(3)>. If the "reuse" capability has been used
+with a valid X509 structure being passed in via B<px> then the object is not
+modified in the event of error.
i2d_X509(), i2d_X509_bio() and i2d_X509_fp() return a the number of bytes
successfully encoded or a negative value if an error occurs. The error code
