[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

Matt Caswell matt at openssl.org
Thu Jun 11 14:43:59 UTC 2015


The branch OpenSSL_1_0_1-stable has been updated
       via  3adca975dc1175e76bc079306896a09692ed4c15 (commit)
       via  517899e6c8af47d4972dcf9b375386631f6c93f1 (commit)
       via  f61bbf8da532038ed0eae16a9a11771f3da22d30 (commit)
       via  1f31458a77c1e35e9ac80a43c55e7ed78ac248c2 (commit)
       via  5fbc59cac60db4d7c3172152b8bdafe0c675fabd (commit)
       via  370ac320301e28bb615cee80124c042649c95d14 (commit)
       via  dd90a91d8771fd1ad5083fd46a2b3da16a587757 (commit)
      from  176b59d157d1cbfd0b10f9f7be12eaf9896410f2 (commit)


- Log -----------------------------------------------------------------
commit 3adca975dc1175e76bc079306896a09692ed4c15
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Jun 11 15:08:34 2015 +0100

    Prepare for 1.0.1o-dev
    
    Reviewed-by: Stephen Henson <steve at openssl.org>

commit 517899e6c8af47d4972dcf9b375386631f6c93f1
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Jun 11 15:05:11 2015 +0100

    Prepare for 1.0.1n release
    
    Reviewed-by: Stephen Henson <steve at openssl.org>

commit f61bbf8da532038ed0eae16a9a11771f3da22d30
Author: Andy Polyakov <appro at openssl.org>
Date:   Thu Jun 11 00:18:01 2015 +0200

    bn/bn_gf2m.c: avoid infinite loop wich malformed ECParamters.
    
    CVE-2015-1788
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (cherry picked from commit 4924b37ee01f71ae19c94a8934b80eeb2f677932)

commit 1f31458a77c1e35e9ac80a43c55e7ed78ac248c2
Author: Matt Caswell <matt at openssl.org>
Date:   Wed Jun 10 11:49:31 2015 +0100

    Update CHANGES and NEWS
    
    Updates to CHANGES and NEWS to take account of the latest security fixes.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>

commit 5fbc59cac60db4d7c3172152b8bdafe0c675fabd
Author: Emilia Kasper <emilia at openssl.org>
Date:   Tue May 12 19:00:30 2015 +0200

    PKCS#7: Fix NULL dereference with missing EncryptedContent.
    
    CVE-2015-1790
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>

commit 370ac320301e28bb615cee80124c042649c95d14
Author: Emilia Kasper <emilia at openssl.org>
Date:   Wed Apr 8 16:56:43 2015 +0200

    Fix length checks in X509_cmp_time to avoid out-of-bounds reads.
    
    Also tighten X509_cmp_time to reject more than three fractional
    seconds in the time; and to reject trailing garbage after the offset.
    
    CVE-2015-1789
    
    Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
    Reviewed-by: Richard Levitte <levitte at openssl.org>

commit dd90a91d8771fd1ad5083fd46a2b3da16a587757
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Fri Jun 5 12:11:25 2015 +0100

    Fix infinite loop in CMS
    
    Fix loop in do_free_upto if cmsbio is NULL: this will happen when attempting
    to verify and a digest is not recognised. Reported by Johannes Bauer.
    
    CVE-2015-1792
    
    Reviewed-by: Matt Caswell <matt at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 CHANGES                 | 72 ++++++++++++++++++++++++++++++++++++++++++++++++-
 NEWS                    | 10 ++++++-
 README                  |  2 +-
 crypto/bn/bn_gf2m.c     | 15 +++++++----
 crypto/cms/cms_smime.c  |  2 +-
 crypto/opensslv.h       |  6 ++---
 crypto/pkcs7/pk7_doit.c | 16 ++++++++++-
 crypto/x509/x509_vfy.c  | 57 ++++++++++++++++++++++++++++++++-------
 openssl.spec            |  2 +-
 9 files changed, 158 insertions(+), 24 deletions(-)

diff --git a/CHANGES b/CHANGES
index 9d2f9f9..06601b4 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,7 +2,77 @@
  OpenSSL CHANGES
  _______________
 
- Changes between 1.0.1m and 1.0.1n [xx XXX xxxx]
+ Changes between 1.0.1n and 1.0.1o [xx XXX xxxx]
+
+  *)
+
+ Changes between 1.0.1m and 1.0.1n [11 Jun 2015]
+
+  *) Malformed ECParameters causes infinite loop
+
+     When processing an ECParameters structure OpenSSL enters an infinite loop
+     if the curve specified is over a specially malformed binary polynomial
+     field.
+
+     This can be used to perform denial of service against any
+     system which processes public keys, certificate requests or
+     certificates.  This includes TLS clients and TLS servers with
+     client authentication enabled.
+
+     This issue was reported to OpenSSL by Joseph Barr-Pixton.
+     (CVE-2015-1788)
+     [Andy Polyakov]
+
+  *) Exploitable out-of-bounds read in X509_cmp_time
+
+     X509_cmp_time does not properly check the length of the ASN1_TIME
+     string and can read a few bytes out of bounds. In addition,
+     X509_cmp_time accepts an arbitrary number of fractional seconds in the
+     time string.
+
+     An attacker can use this to craft malformed certificates and CRLs of
+     various sizes and potentially cause a segmentation fault, resulting in
+     a DoS on applications that verify certificates or CRLs. TLS clients
+     that verify CRLs are affected. TLS clients and servers with client
+     authentication enabled may be affected if they use custom verification
+     callbacks.
+
+     This issue was reported to OpenSSL by Robert Swiecki (Google), and
+     independently by Hanno Böck.
+     (CVE-2015-1789)
+     [Emilia Käsper]
+
+  *) PKCS7 crash with missing EnvelopedContent
+
+     The PKCS#7 parsing code does not handle missing inner EncryptedContent
+     correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
+     with missing content and trigger a NULL pointer dereference on parsing.
+
+     Applications that decrypt PKCS#7 data or otherwise parse PKCS#7
+     structures from untrusted sources are affected. OpenSSL clients and
+     servers are not affected.
+
+     This issue was reported to OpenSSL by Michal Zalewski (Google).
+     (CVE-2015-1790)
+     [Emilia Käsper]
+
+  *) CMS verify infinite loop with unknown hash function
+
+     When verifying a signedData message the CMS code can enter an infinite loop
+     if presented with an unknown hash function OID. This can be used to perform
+     denial of service against any system which verifies signedData messages using
+     the CMS code.
+     This issue was reported to OpenSSL by Johannes Bauer.
+     (CVE-2015-1792)
+     [Stephen Henson]
+
+  *) Race condition handling NewSessionTicket
+
+     If a NewSessionTicket is received by a multi-threaded client when attempting to
+     reuse a previous ticket then a race condition can occur potentially leading to
+     a double free of the ticket data.
+     (CVE-2015-1791)
+     [Matt Caswell]
 
   *) Reject DH handshakes with parameters shorter than 768 bits.
      [Kurt Roeckx and Emilia Kasper]
diff --git a/NEWS b/NEWS
index aa72ab0..286059c 100644
--- a/NEWS
+++ b/NEWS
@@ -5,10 +5,18 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
-  Major changes between OpenSSL 1.0.1m and OpenSSL 1.0.1n [under development]
+  Major changes between OpenSSL 1.0.1n and OpenSSL 1.0.1o [under development]
 
       o
 
+  Major changes between OpenSSL 1.0.1m and OpenSSL 1.0.1n [11 Jun 2015]
+
+      o Malformed ECParameters causes infinite loop (CVE-2015-1788)
+      o Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789)
+      o PKCS7 crash with missing EnvelopedContent (CVE-2015-1790)
+      o CMS verify infinite loop with unknown hash function (CVE-2015-1792)
+      o Race condition handling NewSessionTicket (CVE-2015-1791)
+
   Major changes between OpenSSL 1.0.1l and OpenSSL 1.0.1m [19 Mar 2015]
 
       o Segmentation fault in ASN1_TYPE_cmp fix (CVE-2015-0286)
diff --git a/README b/README
index caddc93..d379b03 100644
--- a/README
+++ b/README
@@ -1,5 +1,5 @@
 
- OpenSSL 1.0.1n-dev
+ OpenSSL 1.0.1o-dev
 
  Copyright (c) 1998-2011 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
diff --git a/crypto/bn/bn_gf2m.c b/crypto/bn/bn_gf2m.c
index aeee49a..a0ba8de 100644
--- a/crypto/bn/bn_gf2m.c
+++ b/crypto/bn/bn_gf2m.c
@@ -694,9 +694,10 @@ int BN_GF2m_mod_inv(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
     }
 # else
     {
-        int i, ubits = BN_num_bits(u), vbits = BN_num_bits(v), /* v is copy
-                                                                * of p */
-            top = p->top;
+        int i;
+        int ubits = BN_num_bits(u);
+        int vbits = BN_num_bits(v); /* v is copy of p */
+        int top = p->top;
         BN_ULONG *udp, *bdp, *vdp, *cdp;
 
         bn_wexpand(u, top);
@@ -740,8 +741,12 @@ int BN_GF2m_mod_inv(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
                 ubits--;
             }
 
-            if (ubits <= BN_BITS2 && udp[0] == 1)
-                break;
+            if (ubits <= BN_BITS2) {
+                if (udp[0] == 0) /* poly was reducible */
+                    goto err;
+                if (udp[0] == 1)
+                    break;
+            }
 
             if (ubits < vbits) {
                 i = ubits;
diff --git a/crypto/cms/cms_smime.c b/crypto/cms/cms_smime.c
index 8851603..8b37560 100644
--- a/crypto/cms/cms_smime.c
+++ b/crypto/cms/cms_smime.c
@@ -131,7 +131,7 @@ static void do_free_upto(BIO *f, BIO *upto)
             BIO_free(f);
             f = tbio;
         }
-        while (f != upto);
+        while (f && f != upto);
     } else
         BIO_free_all(f);
 }
diff --git a/crypto/opensslv.h b/crypto/opensslv.h
index d40d5da..14bc8bd 100644
--- a/crypto/opensslv.h
+++ b/crypto/opensslv.h
@@ -30,11 +30,11 @@ extern "C" {
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-# define OPENSSL_VERSION_NUMBER  0x100010e0L
+# define OPENSSL_VERSION_NUMBER  0x100010f0L
 # ifdef OPENSSL_FIPS
-#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.1n-fips-dev xx XXX xxxx"
+#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.1o-fips-dev xx XXX xxxx"
 # else
-#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.1n-dev xx XXX xxxx"
+#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.1o-dev xx XXX xxxx"
 # endif
 # define OPENSSL_VERSION_PTEXT   " part of " OPENSSL_VERSION_TEXT
 
diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
index 31a1b98..c8d7db0 100644
--- a/crypto/pkcs7/pk7_doit.c
+++ b/crypto/pkcs7/pk7_doit.c
@@ -445,6 +445,12 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
 
     switch (i) {
     case NID_pkcs7_signed:
+        /*
+         * p7->d.sign->contents is a PKCS7 structure consisting of a contentType
+         * field and optional content.
+         * data_body is NULL if that structure has no (=detached) content
+         * or if the contentType is wrong (i.e., not "data").
+         */
         data_body = PKCS7_get_octet_string(p7->d.sign->contents);
         if (!PKCS7_is_detached(p7) && data_body == NULL) {
             PKCS7err(PKCS7_F_PKCS7_DATADECODE,
@@ -456,6 +462,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
     case NID_pkcs7_signedAndEnveloped:
         rsk = p7->d.signed_and_enveloped->recipientinfo;
         md_sk = p7->d.signed_and_enveloped->md_algs;
+        /* data_body is NULL if the optional EncryptedContent is missing. */
         data_body = p7->d.signed_and_enveloped->enc_data->enc_data;
         enc_alg = p7->d.signed_and_enveloped->enc_data->algorithm;
         evp_cipher = EVP_get_cipherbyobj(enc_alg->algorithm);
@@ -468,6 +475,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
     case NID_pkcs7_enveloped:
         rsk = p7->d.enveloped->recipientinfo;
         enc_alg = p7->d.enveloped->enc_data->algorithm;
+        /* data_body is NULL if the optional EncryptedContent is missing. */
         data_body = p7->d.enveloped->enc_data->enc_data;
         evp_cipher = EVP_get_cipherbyobj(enc_alg->algorithm);
         if (evp_cipher == NULL) {
@@ -481,6 +489,12 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
         goto err;
     }
 
+    /* Detached content must be supplied via in_bio instead. */
+    if (data_body == NULL && in_bio == NULL) {
+        PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_CONTENT);
+        goto err;
+    }
+
     /* We will be checking the signature */
     if (md_sk != NULL) {
         for (i = 0; i < sk_X509_ALGOR_num(md_sk); i++) {
@@ -623,7 +637,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
         etmp = NULL;
     }
 #if 1
-    if (PKCS7_is_detached(p7) || (in_bio != NULL)) {
+    if (in_bio != NULL) {
         bio = in_bio;
     } else {
 # if 0
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 29dd86c..16db4c0 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -1637,47 +1637,84 @@ int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
     ASN1_TIME atm;
     long offset;
     char buff1[24], buff2[24], *p;
-    int i, j;
+    int i, j, remaining;
 
     p = buff1;
-    i = ctm->length;
+    remaining = ctm->length;
     str = (char *)ctm->data;
+    /*
+     * Note that the following (historical) code allows much more slack in the
+     * time format than RFC5280. In RFC5280, the representation is fixed:
+     * UTCTime: YYMMDDHHMMSSZ
+     * GeneralizedTime: YYYYMMDDHHMMSSZ
+     */
     if (ctm->type == V_ASN1_UTCTIME) {
-        if ((i < 11) || (i > 17))
+        /* YYMMDDHHMM[SS]Z or YYMMDDHHMM[SS](+-)hhmm */
+        int min_length = sizeof("YYMMDDHHMMZ") - 1;
+        int max_length = sizeof("YYMMDDHHMMSS+hhmm") - 1;
+        if (remaining < min_length || remaining > max_length)
             return 0;
         memcpy(p, str, 10);
         p += 10;
         str += 10;
+        remaining -= 10;
     } else {
-        if (i < 13)
+        /* YYYYMMDDHHMM[SS[.fff]]Z or YYYYMMDDHHMM[SS[.f[f[f]]]](+-)hhmm */
+        int min_length = sizeof("YYYYMMDDHHMMZ") - 1;
+        int max_length = sizeof("YYYYMMDDHHMMSS.fff+hhmm") - 1;
+        if (remaining < min_length || remaining > max_length)
             return 0;
         memcpy(p, str, 12);
         p += 12;
         str += 12;
+        remaining -= 12;
     }
 
     if ((*str == 'Z') || (*str == '-') || (*str == '+')) {
         *(p++) = '0';
         *(p++) = '0';
     } else {
+        /* SS (seconds) */
+        if (remaining < 2)
+            return 0;
         *(p++) = *(str++);
         *(p++) = *(str++);
-        /* Skip any fractional seconds... */
-        if (*str == '.') {
+        remaining -= 2;
+        /*
+         * Skip any (up to three) fractional seconds...
+         * TODO(emilia): in RFC5280, fractional seconds are forbidden.
+         * Can we just kill them altogether?
+         */
+        if (remaining && *str == '.') {
             str++;
-            while ((*str >= '0') && (*str <= '9'))
-                str++;
+            remaining--;
+            for (i = 0; i < 3 && remaining; i++, str++, remaining--) {
+                if (*str < '0' || *str > '9')
+                    break;
+            }
         }
 
     }
     *(p++) = 'Z';
     *(p++) = '\0';
 
-    if (*str == 'Z')
+    /* We now need either a terminating 'Z' or an offset. */
+    if (!remaining)
+        return 0;
+    if (*str == 'Z') {
+        if (remaining != 1)
+            return 0;
         offset = 0;
-    else {
+    } else {
+        /* (+-)HHMM */
         if ((*str != '+') && (*str != '-'))
             return 0;
+        /* Historical behaviour: the (+-)hhmm offset is forbidden in RFC5280. */
+        if (remaining != 5)
+            return 0;
+        if (str[1] < '0' || str[1] > '9' || str[2] < '0' || str[2] > '9' ||
+            str[3] < '0' || str[3] > '9' || str[4] < '0' || str[4] > '9')
+            return 0;
         offset = ((str[1] - '0') * 10 + (str[2] - '0')) * 60;
         offset += (str[3] - '0') * 10 + (str[4] - '0');
         if (*str == '-')
diff --git a/openssl.spec b/openssl.spec
index 71e907e..3e8f3a9 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -7,7 +7,7 @@ Release: 1
 Summary: Secure Sockets Layer and cryptography libraries and tools
 Name: openssl
 #Version: %{libmaj}.%{libmin}.%{librel}
-Version: 1.0.1n
+Version: 1.0.1o
 Source0: ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz
 License: OpenSSL
 Group: System Environment/Libraries


More information about the openssl-commits mailing list