File openssl-CVE-2016-0705.patch of Package openssl.openSUSE_13.1_Update
commit 6c88c71b4e4825c7bc0489306d062d017634eb88
Author: Dr. Stephen Henson <steve@openssl.org>
Date: Thu Feb 18 12:47:23 2016 +0000
Fix double free in DSA private key parsing.
Fix double free bug when parsing malformed DSA private keys.
Thanks to Adam Langley (Google/BoringSSL) for discovering this bug using
libFuzzer.
CVE-2016-0705
Reviewed-by: Emilia Käsper <emilia@openssl.org>
diff --git a/crypto/asn1/asn1_lib.c b/crypto/asn1/asn1_lib.c
index fa04b08..d729d15 100644
--- a/crypto/asn1/asn1_lib.c
+++ b/crypto/asn1/asn1_lib.c
@@ -446,6 +446,13 @@ void ASN1_STRING_free(ASN1_STRING *a)
OPENSSL_free(a);
}
+void ASN1_STRING_clear_free(ASN1_STRING *a)
+{
+ if (a && a->data && !(a->flags & ASN1_STRING_FLAG_NDEF))
+ OPENSSL_cleanse(a->data, a->length);
+ ASN1_STRING_free(a);
+}
+
int ASN1_STRING_cmp(const ASN1_STRING *a, const ASN1_STRING *b)
{
int i;
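Review bot: No prototype for `ASN1_STRING_clear_free` is added anywhere in this patch, yet the second file calls it from a different translation unit (crypto/dsa/dsa_ameth.c). Unless the ASN.1 header in this tree already declares it, that call compiles as an implicit declaration; a line such as `void ASN1_STRING_clear_free(ASN1_STRING *a);` next to the `ASN1_STRING_free` prototype would be needed. The function also deserves a short comment, for example `/* Zeroise the contents before freeing; NDEF strings are skipped, presumably because their data is not owned by the string. */`. Because `a->length` is a signed int handed to `OPENSSL_cleanse` as a size, adding `a->length > 0` to the condition would keep a negative length from turning into an oversized wipe.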
diff --git a/crypto/dsa/dsa_ameth.c b/crypto/dsa/dsa_ameth.c
index 5af76ea..61598ad 100644
--- a/crypto/dsa/dsa_ameth.c
+++ b/crypto/dsa/dsa_ameth.c
@@ -201,6 +201,8 @@ static int dsa_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8)
STACK_OF(ASN1_TYPE) *ndsa = NULL;
DSA *dsa = NULL;
+ int ret = 0;
+
if (!PKCS8_pkey_get0(NULL, &p, &pklen, &palg, p8))
return 0;
X509_ALGOR_get0(NULL, &ptype, &pval, palg);
@@ -281,23 +283,22 @@ static int dsa_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8)
}
EVP_PKEY_assign_DSA(pkey, dsa);
- BN_CTX_free (ctx);
- if(ndsa)
- sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);
- else
- ASN1_INTEGER_free(privkey);
-
- return 1;
+ ret = 1;;
+ goto done;
decerr:
- DSAerr(DSA_F_DSA_PRIV_DECODE, EVP_R_DECODE_ERROR);
+ DSAerr(DSA_F_DSA_PRIV_DECODE, DSA_R_DECODE_ERROR);
dsaerr:
- BN_CTX_free (ctx);
- if (privkey)
- ASN1_INTEGER_free(privkey);
- sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);
DSA_free(dsa);
- return 0;
+
+done:
+ BN_CTX_free(ctx);
+ if (ndsa)
+ sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);
+ else
+ ASN1_STRING_clear_free(privkey);
+ return ret;
+
}
static int dsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
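Review bot: In the new `done:` block only the `else` branch wipes the private key; when `ndsa` is non-NULL the stack is released with `sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free)` and nothing is cleansed. If `privkey` points into `ndsa` in that case (the code that sets it is outside the hunk, but the removed error path that freed both suggests so), the key bytes from that encoding stay in freed heap memory, and cleansing `privkey`'s data before the pop_free would make the two branches consistent. A comment such as `/* privkey is owned by ndsa when ndsa != NULL: free exactly one of them */` would record the ownership rule this fix relies on. `ret = 1;;` carries a stray semicolon. The body of `dsa_priv_decode` starts before this hunk.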