From 7ef74dad52fbca9122cd668d868d85d0e0762a1a Mon Sep 17 00:00:00 2001 From: jsing <> Date: Thu, 11 Jun 2015 16:09:23 +0000 Subject: MFC: Fix several defects from OpenSSL. These include: CVE-2015-1788 - Malformed ECParameters causes infinite loop CVE-2015-1789 - Exploitable out-of-bounds read in X509_cmp_time CVE-2015-1792 - CMS verify infinite loop with unknown hash function --- src/lib/libssl/src/crypto/bn/bn_gf2m.c | 11 ++++++++--- src/lib/libssl/src/crypto/cms/cms_smime.c | 4 ++-- src/lib/libssl/src/crypto/x509/x509_vfy.c | 31 +++++++++++++++++++++++++++---- 3 files changed, 37 insertions(+), 9 deletions(-) (limited to 'src/lib') diff --git a/src/lib/libssl/src/crypto/bn/bn_gf2m.c b/src/lib/libssl/src/crypto/bn/bn_gf2m.c index e84729bdad..9b931e04e1 100644 --- a/src/lib/libssl/src/crypto/bn/bn_gf2m.c +++ b/src/lib/libssl/src/crypto/bn/bn_gf2m.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bn_gf2m.c,v 1.18 2015/02/10 09:50:12 miod Exp $ */ +/* $OpenBSD: bn_gf2m.c,v 1.18.4.1 2015/06/11 16:09:20 jsing Exp $ */ /* ==================================================================== * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. * @@ -745,8 +745,13 @@ BN_GF2m_mod_inv(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) ubits--; } - if (ubits <= BN_BITS2 && udp[0] == 1) - break; + if (ubits <= BN_BITS2) { + /* See if poly was reducible. */ + if (udp[0] == 0) + goto err; + if (udp[0] == 1) + break; + } if (ubits < vbits) { i = ubits; diff --git a/src/lib/libssl/src/crypto/cms/cms_smime.c b/src/lib/libssl/src/crypto/cms/cms_smime.c index 712f08c32f..50a0917465 100644 --- a/src/lib/libssl/src/crypto/cms/cms_smime.c +++ b/src/lib/libssl/src/crypto/cms/cms_smime.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cms_smime.c,v 1.12 2014/07/11 12:12:39 miod Exp $ */ +/* $OpenBSD: cms_smime.c,v 1.12.6.1 2015/06/11 16:09:20 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ @@ -132,7 +132,7 @@ do_free_upto(BIO *f, BIO *upto) tbio = BIO_pop(f); BIO_free(f); f = tbio; - } while (f != upto); + } while (f != NULL && f != upto); } else BIO_free_all(f); } diff --git a/src/lib/libssl/src/crypto/x509/x509_vfy.c b/src/lib/libssl/src/crypto/x509/x509_vfy.c index c383fda4f2..bbb949f633 100644 --- a/src/lib/libssl/src/crypto/x509/x509_vfy.c +++ b/src/lib/libssl/src/crypto/x509/x509_vfy.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_vfy.c,v 1.40 2015/02/11 02:17:59 jsing Exp $ */ +/* $OpenBSD: x509_vfy.c,v 1.40.4.1 2015/06/11 16:09:20 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1650,35 +1650,58 @@ X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time) memcpy(p, str, 10); p += 10; str += 10; + i -= 10; } else { if (i < 13) return 0; memcpy(p, str, 12); p += 12; str += 12; + i -= 12; } + if (i < 1) + return 0; if ((*str == 'Z') || (*str == '-') || (*str == '+')) { *(p++) = '0'; *(p++) = '0'; } else { + if (i < 2) + return 0; *(p++) = *(str++); *(p++) = *(str++); + i -= 2; + if (i < 1) + return 0; /* Skip any fractional seconds... */ if (*str == '.') { str++; - while ((*str >= '0') && (*str <= '9')) + i--; + while (i > 1 && (*str >= '0') && (*str <= '9')) { str++; + i--; + } } } *(p++) = 'Z'; *(p++) = '\0'; - if (*str == 'Z') + if (i < 1) + return 0; + if (*str == 'Z') { + if (i != 1) + return 0; offset = 0; - else { + } else { + if (i != 5) + return 0; if ((*str != '+') && (*str != '-')) return 0; + if (str[1] < '0' || str[1] > '9' || + str[2] < '0' || str[2] > '9' || + str[3] < '0' || str[3] > '9' || + str[4] < '0' || str[4] > '9') + return 0; offset = ((str[1] - '0') * 10 + (str[2] - '0')) * 60; offset += (str[3] - '0') * 10 + (str[4] - '0'); if (*str == '-') -- cgit v1.2.3-55-g6feb