diff options
author | tedu <> | 2015-03-19 14:02:56 +0000 |
---|---|---|
committer | tedu <> | 2015-03-19 14:02:56 +0000 |
commit | 9de745fd9147f876720e80d12125f383c4c7f0a2 (patch) | |
tree | 6507dcfb931ba2b9f10e99a18c01aeca1205057f | |
parent | e502ff6538568d399fcd1a8d834e7ccddec1ef40 (diff) | |
download | openbsd-OPENBSD_5_5.tar.gz openbsd-OPENBSD_5_5.tar.bz2 openbsd-OPENBSD_5_5.zip |
Fix two possible crash causing defects.OPENBSD_5_5
CVE-2015-0286 - Apply fix from OpenSSL for ASN1_TYPE_cmp.
CVE-2015-0292 - Backport existing fix for Base64 decoding.
-rw-r--r-- | src/lib/libssl/src/crypto/asn1/a_type.c | 3 | ||||
-rw-r--r-- | src/lib/libssl/src/crypto/evp/encode.c | 13 |
2 files changed, 16 insertions, 0 deletions
diff --git a/src/lib/libssl/src/crypto/asn1/a_type.c b/src/lib/libssl/src/crypto/asn1/a_type.c index a45d2f9d12..b968cf0170 100644 --- a/src/lib/libssl/src/crypto/asn1/a_type.c +++ b/src/lib/libssl/src/crypto/asn1/a_type.c | |||
@@ -124,6 +124,9 @@ int ASN1_TYPE_cmp(ASN1_TYPE *a, ASN1_TYPE *b) | |||
124 | case V_ASN1_OBJECT: | 124 | case V_ASN1_OBJECT: |
125 | result = OBJ_cmp(a->value.object, b->value.object); | 125 | result = OBJ_cmp(a->value.object, b->value.object); |
126 | break; | 126 | break; |
127 | case V_ASN1_BOOLEAN: | ||
128 | result = a->value.boolean - b->value.boolean; | ||
129 | break; | ||
127 | case V_ASN1_NULL: | 130 | case V_ASN1_NULL: |
128 | result = 0; /* They do not have content. */ | 131 | result = 0; /* They do not have content. */ |
129 | break; | 132 | break; |
diff --git a/src/lib/libssl/src/crypto/evp/encode.c b/src/lib/libssl/src/crypto/evp/encode.c index 28546a84bc..6a867668f3 100644 --- a/src/lib/libssl/src/crypto/evp/encode.c +++ b/src/lib/libssl/src/crypto/evp/encode.c | |||
@@ -269,6 +269,13 @@ int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl, | |||
269 | goto end; | 269 | goto end; |
270 | } | 270 | } |
271 | 271 | ||
272 | /* There should not be base64 data after padding. */ | ||
273 | if (eof && tmp != '=' && tmp != '\r' && tmp != '\n' && | ||
274 | v != B64_EOF) { | ||
275 | rv = -1; | ||
276 | goto end; | ||
277 | } | ||
278 | |||
272 | /* have we seen a '=' which is 'definitly' the last | 279 | /* have we seen a '=' which is 'definitly' the last |
273 | * input line. seof will point to the character that | 280 | * input line. seof will point to the character that |
274 | * holds it. and eof will hold how many characters to | 281 | * holds it. and eof will hold how many characters to |
@@ -279,6 +286,12 @@ int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl, | |||
279 | eof++; | 286 | eof++; |
280 | } | 287 | } |
281 | 288 | ||
289 | /* There should be no more than two padding markers. */ | ||
290 | if (eof > 2) { | ||
291 | rv = -1; | ||
292 | goto end; | ||
293 | } | ||
294 | |||
282 | if (v == B64_CR) | 295 | if (v == B64_CR) |
283 | { | 296 | { |
284 | ln = 0; | 297 | ln = 0; |