diff options
| author | Armin Kuster <akuster@mvista.com> | 2016-09-23 23:11:28 -0700 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-10-06 08:46:31 +0100 |
| commit | bf3918d613b6b2a9707af1eb3c253d23f84d09a3 (patch) | |
| tree | cd4061ec96a2562857e9e736615fd8a44102aa9f | |
| parent | c3d4cc8e452b29d4ca620b5c93d22a88c5aa1f03 (diff) | |
| download | openembedded-core-bf3918d613b6b2a9707af1eb3c253d23f84d09a3.tar.gz openembedded-core-bf3918d613b6b2a9707af1eb3c253d23f84d09a3.tar.bz2 openembedded-core-bf3918d613b6b2a9707af1eb3c253d23f84d09a3.zip | |
openssl: Security fix CVE-2016-2182
affects openssl < 1.0.1i
Signed-off-by: Armin Kuster <akuster@mvista.com>
| -rw-r--r-- | meta/recipes-connectivity/openssl/openssl/CVE-2016-2182.patch | 70 | ||||
| -rw-r--r-- | meta/recipes-connectivity/openssl/openssl_1.0.2h.bb | 1 |
2 files changed, 71 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2016-2182.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2016-2182.patch new file mode 100644 index 0000000000..5995cbea18 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2016-2182.patch @@ -0,0 +1,70 @@ +From e36f27ddb80a48e579783bc29fb3758988342b71 Mon Sep 17 00:00:00 2001 +From: "Dr. Stephen Henson" <steve@openssl.org> +Date: Fri, 5 Aug 2016 14:26:03 +0100 +Subject: [PATCH] Check for errors in BN_bn2dec() + +If an oversize BIGNUM is presented to BN_bn2dec() it can cause +BN_div_word() to fail and not reduce the value of 't' resulting +in OOB writes to the bn_data buffer and eventually crashing. + +Fix by checking return value of BN_div_word() and checking writes +don't overflow buffer. + +Thanks to Shi Lei for reporting this bug. + +CVE-2016-2182 + +Reviewed-by: Tim Hudson <tjh@openssl.org> +(cherry picked from commit 07bed46f332fce8c1d157689a2cdf915a982ae34) + +Conflicts: + crypto/bn/bn_print.c + +Upstream-Status: Backport +CVE: CVE-2016-2182 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + crypto/bn/bn_print.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/crypto/bn/bn_print.c b/crypto/bn/bn_print.c +index bfa31ef..b44403e 100644 +--- a/crypto/bn/bn_print.c ++++ b/crypto/bn/bn_print.c +@@ -111,6 +111,7 @@ char *BN_bn2dec(const BIGNUM *a) + char *p; + BIGNUM *t = NULL; + BN_ULONG *bn_data = NULL, *lp; ++ int bn_data_num; + + /*- + * get an upper bound for the length of the decimal integer +@@ -120,9 +121,9 @@ char *BN_bn2dec(const BIGNUM *a) + */ + i = BN_num_bits(a) * 3; + num = (i / 10 + i / 1000 + 1) + 1; +- bn_data = +- (BN_ULONG *)OPENSSL_malloc((num / BN_DEC_NUM + 1) * sizeof(BN_ULONG)); +- buf = (char *)OPENSSL_malloc(num + 3); ++ bn_data_num = num / BN_DEC_NUM + 1; ++ bn_data = OPENSSL_malloc(bn_data_num * sizeof(BN_ULONG)); ++ buf = OPENSSL_malloc(num + 3); + if ((buf == NULL) || (bn_data == NULL)) { + BNerr(BN_F_BN_BN2DEC, ERR_R_MALLOC_FAILURE); + goto err; +@@ -143,7 +144,11 @@ char *BN_bn2dec(const BIGNUM *a) + i = 0; + while (!BN_is_zero(t)) { + *lp = BN_div_word(t, BN_DEC_CONV); ++ if (*lp == (BN_ULONG)-1) ++ goto err; + lp++; ++ if (lp - bn_data >= bn_data_num) ++ goto err; + } + lp--; + /* +-- +2.7.4 + diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb index d97b771748..da40a9b48d 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb @@ -44,6 +44,7 @@ SRC_URI += "file://configure-targets.patch \ file://CVE-2016-2181_p1.patch \ file://CVE-2016-2181_p2.patch \ file://CVE-2016-2181_p3.patch \ + file://CVE-2016-2182.patch \ " SRC_URI[md5sum] = "9392e65072ce4b614c1392eefc1f23d0" |