[gnome-continuous-yocto/gnomeostree-3.22-krogoth: 89/246] openssl: Security fix CVE-2016-2182
- From: Emmanuele Bassi <ebassi src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [gnome-continuous-yocto/gnomeostree-3.22-krogoth: 89/246] openssl: Security fix CVE-2016-2182
- Date: Thu, 14 Dec 2017 11:55:40 +0000 (UTC)
commit 8e5e92193a0924d7019caaaa7c7afaec7c773726
Author: Armin Kuster <akuster mvista com>
Date: Fri Sep 23 23:11:28 2016 -0700
openssl: Security fix CVE-2016-2182
affects openssl < 1.0.1i
(From OE-Core rev: 4be4162d5a03af6a20adc2314575e4d0baa5337a)
Signed-off-by: Armin Kuster <akuster mvista com>
Signed-off-by: Richard Purdie <richard purdie linuxfoundation org>
.../openssl/openssl/CVE-2016-2182.patch | 70 ++++++++++++++++++++
.../recipes-connectivity/openssl/openssl_1.0.2h.bb | 1 +
2 files changed, 71 insertions(+), 0 deletions(-)
---
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2016-2182.patch
b/meta/recipes-connectivity/openssl/openssl/CVE-2016-2182.patch
new file mode 100644
index 0000000..5995cbe
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2016-2182.patch
@@ -0,0 +1,70 @@
+From e36f27ddb80a48e579783bc29fb3758988342b71 Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve openssl org>
+Date: Fri, 5 Aug 2016 14:26:03 +0100
+Subject: [PATCH] Check for errors in BN_bn2dec()
+
+If an oversize BIGNUM is presented to BN_bn2dec() it can cause
+BN_div_word() to fail and not reduce the value of 't' resulting
+in OOB writes to the bn_data buffer and eventually crashing.
+
+Fix by checking return value of BN_div_word() and checking writes
+don't overflow buffer.
+
+Thanks to Shi Lei for reporting this bug.
+
+CVE-2016-2182
+
+Reviewed-by: Tim Hudson <tjh openssl org>
+(cherry picked from commit 07bed46f332fce8c1d157689a2cdf915a982ae34)
+
+Conflicts:
+ crypto/bn/bn_print.c
+
+Upstream-Status: Backport
+CVE: CVE-2016-2182
+Signed-off-by: Armin Kuster <akuster mvista com>
+
+---
+ crypto/bn/bn_print.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/crypto/bn/bn_print.c b/crypto/bn/bn_print.c
+index bfa31ef..b44403e 100644
+--- a/crypto/bn/bn_print.c
++++ b/crypto/bn/bn_print.c
+@@ -111,6 +111,7 @@ char *BN_bn2dec(const BIGNUM *a)
+ char *p;
+ BIGNUM *t = NULL;
+ BN_ULONG *bn_data = NULL, *lp;
++ int bn_data_num;
+
+ /*-
+ * get an upper bound for the length of the decimal integer
+@@ -120,9 +121,9 @@ char *BN_bn2dec(const BIGNUM *a)
+ */
+ i = BN_num_bits(a) * 3;
+ num = (i / 10 + i / 1000 + 1) + 1;
+- bn_data =
+- (BN_ULONG *)OPENSSL_malloc((num / BN_DEC_NUM + 1) * sizeof(BN_ULONG));
+- buf = (char *)OPENSSL_malloc(num + 3);
++ bn_data_num = num / BN_DEC_NUM + 1;
++ bn_data = OPENSSL_malloc(bn_data_num * sizeof(BN_ULONG));
++ buf = OPENSSL_malloc(num + 3);
+ if ((buf == NULL) || (bn_data == NULL)) {
+ BNerr(BN_F_BN_BN2DEC, ERR_R_MALLOC_FAILURE);
+ goto err;
+@@ -143,7 +144,11 @@ char *BN_bn2dec(const BIGNUM *a)
+ i = 0;
+ while (!BN_is_zero(t)) {
+ *lp = BN_div_word(t, BN_DEC_CONV);
++ if (*lp == (BN_ULONG)-1)
++ goto err;
+ lp++;
++ if (lp - bn_data >= bn_data_num)
++ goto err;
+ }
+ lp--;
+ /*
+--
+2.7.4
+
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb
b/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb
index 4b0ad7e..3d6474b 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb
@@ -44,6 +44,7 @@ SRC_URI += "file://find.pl;subdir=${BP}/util/ \
file://CVE-2016-2181_p1.patch \
file://CVE-2016-2181_p2.patch \
file://CVE-2016-2181_p3.patch \
+ file://CVE-2016-2182.patch \
"
SRC_URI[md5sum] = "9392e65072ce4b614c1392eefc1f23d0"
SRC_URI[sha256sum] = "1d4007e53aad94a5b2002fe045ee7bb0b3d98f1a47f8b2bc851dcd1c74332919"
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]