From 9de745fd9147f876720e80d12125f383c4c7f0a2 Mon Sep 17 00:00:00 2001
From: tedu <>
Date: Thu, 19 Mar 2015 14:02:56 +0000
Subject: Fix two possible crash causing defects.

CVE-2015-0286 - Apply fix from OpenSSL for ASN1_TYPE_cmp.
CVE-2015-0292 - Backport existing fix for Base64 decoding.
---
 src/lib/libssl/src/crypto/asn1/a_type.c | 3 +++
 src/lib/libssl/src/crypto/evp/encode.c | 13 +++++++++++++
 2 files changed, 16 insertions(+)

diff --git a/src/lib/libssl/src/crypto/asn1/a_type.c b/src/lib/libssl/src/crypto/asn1/a_type.c
index a45d2f9d12..b968cf0170 100644
--- a/src/lib/libssl/src/crypto/asn1/a_type.c
+++ b/src/lib/libssl/src/crypto/asn1/a_type.c
@@ -124,6 +124,9 @@ int ASN1_TYPE_cmp(ASN1_TYPE *a, ASN1_TYPE *b)
 	case V_ASN1_OBJECT:
 		result = OBJ_cmp(a->value.object, b->value.object);
 		break;
+	case V_ASN1_BOOLEAN:
+		result = a->value.boolean - b->value.boolean;
+		break;
 	case V_ASN1_NULL:
 		result = 0; /* They do not have content. */
 		break;
diff --git a/src/lib/libssl/src/crypto/evp/encode.c b/src/lib/libssl/src/crypto/evp/encode.c
index 28546a84bc..6a867668f3 100644
--- a/src/lib/libssl/src/crypto/evp/encode.c
+++ b/src/lib/libssl/src/crypto/evp/encode.c
@@ -269,6 +269,13 @@ int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
 			goto end;
 		}
 
+		/* There should not be base64 data after padding. */
+		if (eof && tmp != '=' && tmp != '\r' && tmp != '\n' &&
+		    v != B64_EOF) {
+			rv = -1;
+			goto end;
+		}
+
 		/* have we seen a '=' which is 'definitly' the last
 		 * input line. seof will point to the character that
 		 * holds it. and eof will hold how many characters to
@@ -279,6 +286,12 @@ int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
 			eof++;
 		}
 
+		/* There should be no more than two padding markers. */
+		if (eof > 2) {
+			rv = -1;
+			goto end;
+		}
+
 		if (v == B64_CR) {
 			ln = 0;
-- 
cgit v1.2.3-55-g6feb
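Review bot: The added V_ASN1_BOOLEAN case computes `result = a->value.boolean - b->value.boolean;`, and since ASN1_BOOLEAN is a plain int the subtraction can overflow (undefined behaviour) for values stored through ASN1_TYPE_set rather than the decoder, which only produces 0 or 0xff. The sign of the difference is not needed as far as I recall the contract, which is only zero for equal and non-zero otherwise, so an overflow-free comparison keeps the same observable result: `result = (a->value.boolean > b->value.boolean) - (a->value.boolean < b->value.boolean);`. The switch and ASN1_TYPE_cmp itself start and end outside the hunk.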
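Review bot: The first added `if` rejects any byte after a padding '=' other than '=', CR, LF or something classified as B64_EOF, so bytes the decoder table presumably treats as whitespace (space, tab) after the trailing "==" now make the whole EVP_DecodeUpdate call fail with rv = -1; that is stricter than the previous behaviour and the comment should say it is deliberate, e.g. `/* After padding only more padding, line ends or the EOF marker may follow; whitespace or data is an error. */`. If '=' itself maps to B64_EOF in the ascii-to-base64 table, the `tmp != '='` term is implied by `v != B64_EOF` and is redundant, though harmless. The enclosing for loop of EVP_DecodeUpdate starts and ends outside the hunk.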
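Review bot: The added `if (eof > 2)` check is placed after the `if (tmp == '=')` block instead of inside it, so it is evaluated on every iteration although eof only changes at the `eof++` line above it; moving it directly after `eof++` keeps the padding accounting in one place and makes the invariant easier to see: `eof++; if (eof > 2) { rv = -1; goto end; }`. As far as the hunk shows eof never decreases within the loop, so the behaviour is the same either way. The loop body continues outside the hunk.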