diff options
| author | tedu <> | 2015-03-19 14:02:56 +0000 |
|---|---|---|
| committer | tedu <> | 2015-03-19 14:02:56 +0000 |
| commit | 9de745fd9147f876720e80d12125f383c4c7f0a2 (patch) | |
| tree | 6507dcfb931ba2b9f10e99a18c01aeca1205057f | |
| parent | e502ff6538568d399fcd1a8d834e7ccddec1ef40 (diff) | |
| download | openbsd-OPENBSD_5_5.tar.gz openbsd-OPENBSD_5_5.tar.bz2 openbsd-OPENBSD_5_5.zip | |
Fix two possible crash causing defects.OPENBSD_5_5
CVE-2015-0286 - Apply fix from OpenSSL for ASN1_TYPE_cmp.
CVE-2015-0292 - Backport existing fix for Base64 decoding.
| -rw-r--r-- | src/lib/libssl/src/crypto/asn1/a_type.c | 3 | ||||
| -rw-r--r-- | src/lib/libssl/src/crypto/evp/encode.c | 13 |
2 files changed, 16 insertions, 0 deletions
diff --git a/src/lib/libssl/src/crypto/asn1/a_type.c b/src/lib/libssl/src/crypto/asn1/a_type.c index a45d2f9d12..b968cf0170 100644 --- a/src/lib/libssl/src/crypto/asn1/a_type.c +++ b/src/lib/libssl/src/crypto/asn1/a_type.c | |||
| @@ -124,6 +124,9 @@ int ASN1_TYPE_cmp(ASN1_TYPE *a, ASN1_TYPE *b) | |||
| 124 | case V_ASN1_OBJECT: | 124 | case V_ASN1_OBJECT: |
| 125 | result = OBJ_cmp(a->value.object, b->value.object); | 125 | result = OBJ_cmp(a->value.object, b->value.object); |
| 126 | break; | 126 | break; |
| 127 | case V_ASN1_BOOLEAN: | ||
| 128 | result = a->value.boolean - b->value.boolean; | ||
| 129 | break; | ||
| 127 | case V_ASN1_NULL: | 130 | case V_ASN1_NULL: |
| 128 | result = 0; /* They do not have content. */ | 131 | result = 0; /* They do not have content. */ |
| 129 | break; | 132 | break; |
diff --git a/src/lib/libssl/src/crypto/evp/encode.c b/src/lib/libssl/src/crypto/evp/encode.c index 28546a84bc..6a867668f3 100644 --- a/src/lib/libssl/src/crypto/evp/encode.c +++ b/src/lib/libssl/src/crypto/evp/encode.c | |||
| @@ -269,6 +269,13 @@ int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl, | |||
| 269 | goto end; | 269 | goto end; |
| 270 | } | 270 | } |
| 271 | 271 | ||
| 272 | /* There should not be base64 data after padding. */ | ||
| 273 | if (eof && tmp != '=' && tmp != '\r' && tmp != '\n' && | ||
| 274 | v != B64_EOF) { | ||
| 275 | rv = -1; | ||
| 276 | goto end; | ||
| 277 | } | ||
| 278 | |||
| 272 | /* have we seen a '=' which is 'definitly' the last | 279 | /* have we seen a '=' which is 'definitly' the last |
| 273 | * input line. seof will point to the character that | 280 | * input line. seof will point to the character that |
| 274 | * holds it. and eof will hold how many characters to | 281 | * holds it. and eof will hold how many characters to |
| @@ -279,6 +286,12 @@ int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl, | |||
| 279 | eof++; | 286 | eof++; |
| 280 | } | 287 | } |
| 281 | 288 | ||
| 289 | /* There should be no more than two padding markers. */ | ||
| 290 | if (eof > 2) { | ||
| 291 | rv = -1; | ||
| 292 | goto end; | ||
| 293 | } | ||
| 294 | |||
| 282 | if (v == B64_CR) | 295 | if (v == B64_CR) |
| 283 | { | 296 | { |
| 284 | ln = 0; | 297 | ln = 0; |