authortedu <>2015-03-19 14:02:56 +0000
committertedu <>2015-03-19 14:02:56 +0000
commit9de745fd9147f876720e80d12125f383c4c7f0a2 (patch)
tree6507dcfb931ba2b9f10e99a18c01aeca1205057f
parente502ff6538568d399fcd1a8d834e7ccddec1ef40 (diff)
Fix two possible crash causing defects.OPENBSD_5_5
CVE-2015-0286 - Apply fix from OpenSSL for ASN1_TYPE_cmp. CVE-2015-0292 - Backport existing fix for Base64 decoding.
-rw-r--r--src/lib/libssl/src/crypto/asn1/a_type.c3
-rw-r--r--src/lib/libssl/src/crypto/evp/encode.c13
2 files changed, 16 insertions, 0 deletions
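--- a/src/lib/libssl/src/crypto/asn1/a_type.c
+++ b/src/lib/libssl/src/crypto/asn1/a_type.c
@@ -124,6 +124,9 @@ int ASN1_TYPE_cmp(ASN1_TYPE *a, ASN1_TYPE *b)
 case V_ASN1_OBJECT:
 result = OBJ_cmp(a->value.object, b->value.object);
 break;
+case V_ASN1_BOOLEAN:
+result = a->value.boolean - b->value.boolean;
+break;
 case V_ASN1_NULL:
 result = 0; /* They do not have content. */
 break;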
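Review bot: The new `V_ASN1_BOOLEAN` case has no comment saying why it needs its own branch, while the `V_ASN1_NULL` case right below it does. The reason is security-relevant: the commit message ties this case to CVE-2015-0286, and the boolean member is compared here as a plain value rather than through a pointer, so it presumably must not reach the generic comparison later in the switch (not visible in this hunk). I would add `/* Stored by value, not as a pointer; must not fall through to the pointer-based compare. */` above the `result = ...` line. The subtraction also reports two different non-zero encodings of TRUE as unequal, which the comment should state if it is intended. ASN1_TYPE_cmp starts and ends outside the hunk.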
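--- a/src/lib/libssl/src/crypto/evp/encode.c
+++ b/src/lib/libssl/src/crypto/evp/encode.c
@@ -269,6 +269,13 @@ int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
 goto end;
 }
 
+/* There should not be base64 data after padding. */
+if (eof && tmp != '=' && tmp != '\r' && tmp != '\n' &&
+v != B64_EOF) {
+rv = -1;
+goto end;
+}
+
 /* have we seen a '=' which is 'definitly' the last
 * input line. seof will point to the character that
 * holds it. and eof will hold how many characters to
@@ -279,6 +286,12 @@ int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
 eof++;
 }
 
+/* There should be no more than two padding markers. */
+if (eof > 2) {
+rv = -1;
+goto end;
+}
+
 if (v == B64_CR)
 {
 ln = 0;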
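Review bot: The post-padding check at new line 273 lets only `=`, `\r`, `\n` and `B64_EOF` through once `eof` is set, so any other byte after padding, including a space or tab, now fails the whole decode with `rv = -1`. If the conversion table (outside this hunk) classifies blanks as ignorable whitespace, this changes behaviour for inputs with trailing blanks, and the comment should say it is deliberate, e.g. `/* After padding only '=', CR, LF and EOF are accepted; anything else, blanks included, is an error. */`. Both new rejection paths, this one and the `eof > 2` check in the second hunk, jump to `end`, which is not visible here, so it is worth confirming and documenting that callers must discard whatever was written through `outl` when -1 is returned. A regression test with three padding markers and one with data following the padding would pin both checks. EVP_DecodeUpdate starts and ends outside both hunks.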