[openssl-commits] [openssl] OpenSSL_0_9_8-stable update

Matt Caswell matt at openssl.org
Thu Dec 3 15:35:28 UTC 2015


The branch OpenSSL_0_9_8-stable has been updated
       via  74743418dca737ff584530470c54d1a7061e7e0a (commit)
       via  c2ef67100cd0ca2321b5f1a437abb93fc7e11e37 (commit)
       via  35c8d0d85fe71e41eb990655b249e398c7fd1435 (commit)
       via  2cdafc51f008e65b2d5263a80ad0e89e9b56c8d3 (commit)
      from  e979e4715f3795cb59fcf46c77e7c714a184edd8 (commit)


- Log -----------------------------------------------------------------
commit 74743418dca737ff584530470c54d1a7061e7e0a
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Dec 3 15:00:54 2015 +0000

    Prepare for 0.9.8zi-dev
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

commit c2ef67100cd0ca2321b5f1a437abb93fc7e11e37
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Dec 3 15:00:17 2015 +0000

    Prepare for 0.9.8zh release
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

commit 35c8d0d85fe71e41eb990655b249e398c7fd1435
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Dec 1 14:39:47 2015 +0000

    Update CHANGES and NEWS
    
    Update the CHANGES and NEWS files for the new release.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>

commit 2cdafc51f008e65b2d5263a80ad0e89e9b56c8d3
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Tue Nov 10 19:03:07 2015 +0000

    Fix leak with ASN.1 combine.
    
    When parsing a combined structure pass a flag to the decode routine
    so on error a pointer to the parent structure is not zeroed as
    this will leak any additional components in the parent.
    
    This can leak memory in any application parsing PKCS#7 or CMS structures.
    
    CVE-2015-3195.
    
    Thanks to Adam Langley (Google/BoringSSL) for discovering this bug using
    libFuzzer.
    
    PR#4131
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 CHANGES                | 16 +++++++++++++++-
 NEWS                   |  6 +++++-
 README                 |  2 +-
 crypto/asn1/tasn_dec.c |  7 +++++--
 crypto/opensslv.h      |  6 +++---
 openssl.spec           |  2 +-
 6 files changed, 30 insertions(+), 9 deletions(-)

diff --git a/CHANGES b/CHANGES
index ed2f0ec..d3f43af 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,10 +2,24 @@
  OpenSSL CHANGES
  _______________
 
- Changes between 0.9.8zg and 0.9.8zh [xx XXX xxxx]
+ Changes between 0.9.8zh and 0.9.8zi [xx XXX xxxx]
 
   *)
 
+ Changes between 0.9.8zg and 0.9.8zh [3 Dec 2015]
+
+  *) X509_ATTRIBUTE memory leak
+
+     When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak
+     memory. This structure is used by the PKCS#7 and CMS routines so any
+     application which reads PKCS#7 or CMS data from untrusted sources is
+     affected. SSL/TLS is not affected.
+
+     This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using
+     libFuzzer.
+     (CVE-2015-3195)
+     [Stephen Henson]
+
  Changes between 0.9.8zf and 0.9.8zg [11 Jun 2015]
 
   *) Malformed ECParameters causes infinite loop
diff --git a/NEWS b/NEWS
index 4ffbbab..f3130d4 100644
--- a/NEWS
+++ b/NEWS
@@ -5,10 +5,14 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
-  Major changes between OpenSSL 0.9.8zg and OpenSSL 0.9.8zh [under development]
+  Major changes between OpenSSL 0.9.8zh and OpenSSL 0.9.8zi [under development]
 
       o
 
+  Major changes between OpenSSL 0.9.8zg and OpenSSL 0.9.8zh [3 Dec 2015]
+
+      o X509_ATTRIBUTE memory leak (CVE-2015-3195)
+
   Major changes between OpenSSL 0.9.8zf and OpenSSL 0.9.8zg [11 Jun 2015]
 
       o Malformed ECParameters causes infinite loop (CVE-2015-1788)
diff --git a/README b/README
index 4827753..52df8f6 100644
--- a/README
+++ b/README
@@ -1,5 +1,5 @@
 
- OpenSSL 0.9.8zh-dev
+ OpenSSL 0.9.8zi-dev
 
  Copyright (c) 1998-2011 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c
index 6e4a325..91e7698 100644
--- a/crypto/asn1/tasn_dec.c
+++ b/crypto/asn1/tasn_dec.c
@@ -178,6 +178,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
     int otag;
     int ret = 0;
     ASN1_VALUE **pchptr, *ptmpval;
+    int combine = aclass & ASN1_TFLG_COMBINE;
+    aclass &= ~ASN1_TFLG_COMBINE;
     if (!pval)
         return 0;
     if (aux && aux->asn1_cb)
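Review bot: the unconditional `aclass &= ~ASN1_TFLG_COMBINE;` at the top of ASN1_item_ex_d2i assumes no caller ever passes a genuine class value with that bit set. Such a caller would have the bit silently stripped and would also lose the free on the error path. A comment above `int combine = aclass & ASN1_TFLG_COMBINE;` should state that aclass now also carries this one template flag and that the bit is reserved, so the contract is visible to anyone calling this function.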
@@ -498,7 +500,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
  auxerr:
     ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR);
  err:
-    ASN1_item_ex_free(pval, it);
+    if (combine == 0)
+        ASN1_item_ex_free(pval, it);
     if (errtt)
         ERR_add_error_data(4, "Field=", errtt->field_name,
                            ", Type=", it->sname);
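Review bot: with `if (combine == 0)` guarding ASN1_item_ex_free at the err label, the combined case returns failure with *pval left in place and possibly partly populated, so cleanup depends entirely on the caller's own error handling. That ownership rule needs a comment at this spot, for example /* combined: *pval belongs to the parent, which frees it */, because the auxerr label falls through to the same code and nothing in the hunk says who releases the structure.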
@@ -687,7 +690,7 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
     } else {
         /* Nothing special */
         ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
-                               -1, 0, opt, ctx);
+                               -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx);
         if (!ret) {
             ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR);
             goto err;
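Review bot: in the "Nothing special" call, `tt->flags & ASN1_TFLG_COMBINE` now occupies the argument slot that previously held a literal 0, so a template flag travels in the parameter the callee uses as aclass. This is correct only because the callee masks the bit off before using the value. A one-line comment at the call site saying so would stop a later cleanup from changing it back to 0, and it is worth confirming that no other call into ASN1_item_ex_d2i can reach a combined template without forwarding the flag.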
diff --git a/crypto/opensslv.h b/crypto/opensslv.h
index 9aadf3e..b81e308 100644
--- a/crypto/opensslv.h
+++ b/crypto/opensslv.h
@@ -26,11 +26,11 @@
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-# define OPENSSL_VERSION_NUMBER  0x00908210L
+# define OPENSSL_VERSION_NUMBER  0x00908220L
 # ifdef OPENSSL_FIPS
-#  define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.8zh-fips-dev xx XXX xxxx"
+#  define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.8zi-fips-dev xx XXX xxxx"
 # else
-#  define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.8zh-dev xx XXX xxxx"
+#  define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.8zi-dev xx XXX xxxx"
 # endif
 # define OPENSSL_VERSION_PTEXT   " part of " OPENSSL_VERSION_TEXT
 
diff --git a/openssl.spec b/openssl.spec
index 12e0705..0cbbd62 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -6,7 +6,7 @@ Release: 1
 
 Summary: Secure Sockets Layer and cryptography libraries and tools
 Name: openssl
-Version: 0.9.8zh
+Version: 0.9.8zi
 Source0: ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz
 License: OpenSSL
 Group: System Environment/Libraries

