[OE-core] [PATCH][dizzy][daisy][dylan] openssl: fix for CVE-2015-3195

Sona Sarmadi sona.sarmadi at enea.com
Mon Dec 14 08:00:18 UTC 2015 

Hi Fan,

dizzy branch has Openssl version 1.0.1p now:
http://git.yoctoproject.org/cgit/cgit.cgi/poky/tree/meta/recipes-connectivity/openssl/openssl_1.0.1p.bb?h=dizzy

How can this patch be applied to dizzy branch?

You have only sent patch for CVE-2015-3195, how about CVE-2015-3194?
CVE-2015-3193 does not seem to affect OpenSSL version 1.0.1 according to Mitre:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3193
CVE-2015-3193 (OpenSSL 1.0.2)
CVE-2015-3194 (OpenSSL 1.0.1 before 1.0.1q and 1.0.2 before 1.0.2e)
CVE-2015-3195 (OpenSSL before before 1.0.0t, 1.0.1 before 1.0.1q, and 1.0.2 before 1.0.2e)

Regards
//Sona


> -----Original Message-----
> From: openembedded-core-bounces at lists.openembedded.org
> [mailto:openembedded-core-bounces at lists.openembedded.org] On Behalf
> Of Fan Xin
> Sent: den 11 december 2015 09:14
> To: openembedded-core at lists.openembedded.org
> Cc: Fan Xin <fan.xin at jp.fujitsu.com>
> Subject: [OE-core] [PATCH][dizzy][daisy][dylan] openssl: fix for CVE-2015-
> 3195
> 
> This vulnerability  affects OpenSSL versions 1.0.2 and 1.0.1, 1.0.0 and 0.9.8.
> So the patch also should be merged into dizzy, daisy and dylan.
> 
> Signed-off-by: Fan Xin <fan.xin at jp.fujitsu.com>
> ---
>  .../0001-Fix-leak-with-ASN.1-combine.patch         | 65
> ++++++++++++++++++++++
>  .../recipes-connectivity/openssl/openssl_1.0.1e.bb |  1 +
>  2 files changed, 66 insertions(+)
>  create mode 100644 meta/recipes-connectivity/openssl/openssl-
> 1.0.1e/0001-Fix-leak-with-ASN.1-combine.patch
> 
> diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/0001-Fix-leak-
> with-ASN.1-combine.patch b/meta/recipes-connectivity/openssl/openssl-
> 1.0.1e/0001-Fix-leak-with-ASN.1-combine.patch
> new file mode 100644
> index 0000000..5bda457
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/0001-Fix-leak-wit
> +++ h-ASN.1-combine.patch
> @@ -0,0 +1,65 @@
> +Upstream-Status: Backport
> +
> +This patch was imprted from
> +https://git.openssl.org/?p=openssl.git;a=commit;h=cc598f321fbac9c04da57
> +66243ed55d55948637d
> +
> +Signed-off-by: Fan Xin <fan.xin at jp.fujitsu.com>
> +
> +From cc598f321fbac9c04da5766243ed55d55948637d Mon Sep 17
> 00:00:00 2001
> +From: Dr. Stephen Henson <steve at openssl.org>
> +Date: Tue, 10 Nov 2015 19:03:07 +0000
> +Subject: [PATCH] Fix leak with ASN.1 combine.
> +
> +When parsing a combined structure pass a flag to the decode routine so
> +on error a pointer to the parent structure is not zeroed as this will
> +leak any additional components in the parent.
> +
> +This can leak memory in any application parsing PKCS#7 or CMS structures.
> +
> +CVE-2015-3195.
> +
> +Thanks to Adam Langley (Google/BoringSSL) for discovering this bug
> +using libFuzzer.
> +
> +PR#4131
> +
> +Reviewed-by: Richard Levitte <levitte at openssl.org>
> +---
> + crypto/asn1/tasn_dec.c |    7 +++++--
> + 1 files changed, 5 insertions(+), 2 deletions(-)
> +
> +diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c index
> +febf605..9256049 100644
> +--- a/crypto/asn1/tasn_dec.c
> ++++ b/crypto/asn1/tasn_dec.c
> +@@ -180,6 +180,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const
> unsigned char **in, long len,
> +     int otag;
> +     int ret = 0;
> +     ASN1_VALUE **pchptr, *ptmpval;
> ++    int combine = aclass & ASN1_TFLG_COMBINE;
> ++    aclass &= ~ASN1_TFLG_COMBINE;
> +     if (!pval)
> +         return 0;
> +     if (aux && aux->asn1_cb)
> +@@ -500,7 +502,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const
> +unsigned char **in, long len,
> +  auxerr:
> +     ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR);
> +  err:
> +-    ASN1_item_ex_free(pval, it);
> ++    if (combine == 0)
> ++        ASN1_item_ex_free(pval, it);
> +     if (errtt)
> +         ERR_add_error_data(4, "Field=", errtt->field_name,
> +                            ", Type=", it->sname); @@ -689,7 +692,7 @@
> +static int asn1_template_noexp_d2i(ASN1_VALUE **val,
> +     } else {
> +         /* Nothing special */
> +         ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
> +-                               -1, 0, opt, ctx);
> ++                               -1, tt->flags & ASN1_TFLG_COMBINE, opt,
> ++ ctx);
> +         if (!ret) {
> +             ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I,
> ERR_R_NESTED_ASN1_ERROR);
> +             goto err;
> +--
> +1.7.0.4
> +
> diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb
> b/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb
> index bc1b944..dbc2da2 100644
> --- a/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb
> +++ b/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb
> @@ -37,6 +37,7 @@ SRC_URI += "file://configure-targets.patch \
>              file://0001-Use-version-in-SSL_METHOD-not-SSL-structure.patch \
>              file://CVE-2014-0160.patch \
>              file://openssl-CVE-2014-0198-fix.patch \
> +            file://0001-Fix-leak-with-ASN.1-combine.patch \
>             "
> 
>  SRC_URI[md5sum] = "66bf6f10f060d561929de96f9dfe5b8c"
> --
> 1.8.4.2
> 
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core at lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core

More information about the Openembedded-core mailing list