[openssl-commits] [openssl] OpenSSL_1_0_0-stable update
Matt Caswell
matt at openssl.org
Thu Jun 11 14:44:12 UTC 2015
The branch OpenSSL_1_0_0-stable has been updated
via c9f4108465b7fb2ddf5be2d8cc80b120731a7906 (commit)
via a06ec5a26fdb24fd829abef54422d94521ddd14a (commit)
via 62bbfe036da827d7347ed15db2974cac7ebca6ab (commit)
via f46e8095aa16ed61411ab4c231570762261df438 (commit)
via 57de3216e27c2e52bc3bc5bc7c94babdb7022179 (commit)
via 857b2ced04be897488df311a257f254ad8516429 (commit)
from 809bf2eab7b46e2fd768fec0c28127991c927b19 (commit)
- Log -----------------------------------------------------------------
commit c9f4108465b7fb2ddf5be2d8cc80b120731a7906
Author: Matt Caswell <matt at openssl.org>
Date: Thu Jun 11 15:16:43 2015 +0100
Prepare for 1.0.0t-dev
Reviewed-by: Stephen Henson <steve at openssl.org>
commit a06ec5a26fdb24fd829abef54422d94521ddd14a
Author: Matt Caswell <matt at openssl.org>
Date: Thu Jun 11 15:13:36 2015 +0100
Prepare for 1.0.0s release
Reviewed-by: Stephen Henson <steve at openssl.org>
commit 62bbfe036da827d7347ed15db2974cac7ebca6ab
Author: Matt Caswell <matt at openssl.org>
Date: Wed Jun 10 11:49:31 2015 +0100
Update CHANGES and NEWS
Updates to CHANGES and NEWS to take account of the latest security fixes.
Reviewed-by: Rich Salz <rsalz at openssl.org>
commit f46e8095aa16ed61411ab4c231570762261df438
Author: Emilia Kasper <emilia at openssl.org>
Date: Tue May 12 19:00:30 2015 +0200
PKCS#7: Fix NULL dereference with missing EncryptedContent.
CVE-2015-1790
Reviewed-by: Rich Salz <rsalz at openssl.org>
commit 57de3216e27c2e52bc3bc5bc7c94babdb7022179
Author: Emilia Kasper <emilia at openssl.org>
Date: Wed Apr 8 16:56:43 2015 +0200
Fix length checks in X509_cmp_time to avoid out-of-bounds reads.
Also tighten X509_cmp_time to reject more than three fractional
seconds in the time; and to reject trailing garbage after the offset.
CVE-2015-1789
Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
Reviewed-by: Richard Levitte <levitte at openssl.org>
commit 857b2ced04be897488df311a257f254ad8516429
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Fri Jun 5 12:11:25 2015 +0100
Fix infinite loop in CMS
Fix loop in do_free_upto if cmsbio is NULL: this will happen when attempting
to verify and a digest is not recognised. Reported by Johannes Bauer.
CVE-2015-1792
Reviewed-by: Matt Caswell <matt at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
CHANGES | 70 ++++++++++++++++++++++++++++++++++++++++++++++++-
NEWS | 10 ++++++-
README | 2 +-
crypto/cms/cms_smime.c | 2 +-
crypto/opensslv.h | 6 ++---
crypto/pkcs7/pk7_doit.c | 16 ++++++++++-
crypto/x509/x509_vfy.c | 57 +++++++++++++++++++++++++++++++++-------
openssl.spec | 2 +-
8 files changed, 146 insertions(+), 19 deletions(-)
diff --git a/CHANGES b/CHANGES
index 7660a24..ccf2c03 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,10 +2,78 @@
OpenSSL CHANGES
_______________
- Changes between 1.0.0r and 1.0.0s [xx XXX xxxx]
+ Changes between 1.0.0s and 1.0.0t [xx XXX xxxx]
*)
+ Changes between 1.0.0r and 1.0.0s [11 Jun 2015]
+
+ *) Malformed ECParameters causes infinite loop
+
+ When processing an ECParameters structure OpenSSL enters an infinite loop
+ if the curve specified is over a specially malformed binary polynomial
+ field.
+
+ This can be used to perform denial of service against any
+ system which processes public keys, certificate requests or
+ certificates. This includes TLS clients and TLS servers with
+ client authentication enabled.
+
+ This issue was reported to OpenSSL by Joseph Barr-Pixton.
+ (CVE-2015-1788)
+ [Andy Polyakov]
+
+ *) Exploitable out-of-bounds read in X509_cmp_time
+
+ X509_cmp_time does not properly check the length of the ASN1_TIME
+ string and can read a few bytes out of bounds. In addition,
+ X509_cmp_time accepts an arbitrary number of fractional seconds in the
+ time string.
+
+ An attacker can use this to craft malformed certificates and CRLs of
+ various sizes and potentially cause a segmentation fault, resulting in
+ a DoS on applications that verify certificates or CRLs. TLS clients
+ that verify CRLs are affected. TLS clients and servers with client
+ authentication enabled may be affected if they use custom verification
+ callbacks.
+
+ This issue was reported to OpenSSL by Robert Swiecki (Google), and
+ independently by Hanno Böck.
+ (CVE-2015-1789)
+ [Emilia Käsper]
+
+ *) PKCS7 crash with missing EnvelopedContent
+
+ The PKCS#7 parsing code does not handle missing inner EncryptedContent
+ correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
+ with missing content and trigger a NULL pointer dereference on parsing.
+
+ Applications that decrypt PKCS#7 data or otherwise parse PKCS#7
+ structures from untrusted sources are affected. OpenSSL clients and
+ servers are not affected.
+
+ This issue was reported to OpenSSL by Michal Zalewski (Google).
+ (CVE-2015-1790)
+ [Emilia Käsper]
+
+ *) CMS verify infinite loop with unknown hash function
+
+ When verifying a signedData message the CMS code can enter an infinite loop
+ if presented with an unknown hash function OID. This can be used to perform
+ denial of service against any system which verifies signedData messages using
+ the CMS code.
+ This issue was reported to OpenSSL by Johannes Bauer.
+ (CVE-2015-1792)
+ [Stephen Henson]
+
+ *) Race condition handling NewSessionTicket
+
+ If a NewSessionTicket is received by a multi-threaded client when attempting to
+ reuse a previous ticket then a race condition can occur potentially leading to
+ a double free of the ticket data.
+ (CVE-2015-1791)
+ [Matt Caswell]
+
Changes between 1.0.0q and 1.0.0r [19 Mar 2015]
*) Segmentation fault in ASN1_TYPE_cmp fix
diff --git a/NEWS b/NEWS
index e87b07f..99ba960 100644
--- a/NEWS
+++ b/NEWS
@@ -5,10 +5,18 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
- Major changes between OpenSSL 1.0.0r and OpenSSL 1.0.0s [under development]
+ Major changes between OpenSSL 1.0.0s and OpenSSL 1.0.0t [under development]
o
+ Major changes between OpenSSL 1.0.0r and OpenSSL 1.0.0s [11 Jun 2015]
+
+ o Malformed ECParameters causes infinite loop (CVE-2015-1788)
+ o Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789)
+ o PKCS7 crash with missing EnvelopedContent (CVE-2015-1790)
+ o CMS verify infinite loop with unknown hash function (CVE-2015-1792)
+ o Race condition handling NewSessionTicket (CVE-2015-1791)
+
Major changes between OpenSSL 1.0.0q and OpenSSL 1.0.0r [19 Mar 2015]
o Segmentation fault in ASN1_TYPE_cmp fix (CVE-2015-0286)
diff --git a/README b/README
index 6a9fb12..2556b8c 100644
--- a/README
+++ b/README
@@ -1,5 +1,5 @@
- OpenSSL 1.0.0s-dev
+ OpenSSL 1.0.0t-dev
Copyright (c) 1998-2011 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
diff --git a/crypto/cms/cms_smime.c b/crypto/cms/cms_smime.c
index d6f5c1a..e9e6a98 100644
--- a/crypto/cms/cms_smime.c
+++ b/crypto/cms/cms_smime.c
@@ -131,7 +131,7 @@ static void do_free_upto(BIO *f, BIO *upto)
BIO_free(f);
f = tbio;
}
- while (f != upto);
+ while (f && f != upto);
} else
BIO_free_all(f);
}
diff --git a/crypto/opensslv.h b/crypto/opensslv.h
index b5a8d27..5f79fb0 100644
--- a/crypto/opensslv.h
+++ b/crypto/opensslv.h
@@ -26,11 +26,11 @@
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
-# define OPENSSL_VERSION_NUMBER 0x10000130L
+# define OPENSSL_VERSION_NUMBER 0x10000140L
# ifdef OPENSSL_FIPS
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0s-fips-dev xx XXX xxxx"
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0t-fips-dev xx XXX xxxx"
# else
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0s-dev xx XXX xxxx"
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0t-dev xx XXX xxxx"
# endif
# define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
index 22cfb6c..4f5caf2 100644
--- a/crypto/pkcs7/pk7_doit.c
+++ b/crypto/pkcs7/pk7_doit.c
@@ -445,6 +445,12 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
switch (i) {
case NID_pkcs7_signed:
+ /*
+ * p7->d.sign->contents is a PKCS7 structure consisting of a contentType
+ * field and optional content.
+ * data_body is NULL if that structure has no (=detached) content
+ * or if the contentType is wrong (i.e., not "data").
+ */
data_body = PKCS7_get_octet_string(p7->d.sign->contents);
if (!PKCS7_is_detached(p7) && data_body == NULL) {
PKCS7err(PKCS7_F_PKCS7_DATADECODE,
@@ -456,6 +462,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
case NID_pkcs7_signedAndEnveloped:
rsk = p7->d.signed_and_enveloped->recipientinfo;
md_sk = p7->d.signed_and_enveloped->md_algs;
+ /* data_body is NULL if the optional EncryptedContent is missing. */
data_body = p7->d.signed_and_enveloped->enc_data->enc_data;
enc_alg = p7->d.signed_and_enveloped->enc_data->algorithm;
evp_cipher = EVP_get_cipherbyobj(enc_alg->algorithm);
@@ -468,6 +475,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
case NID_pkcs7_enveloped:
rsk = p7->d.enveloped->recipientinfo;
enc_alg = p7->d.enveloped->enc_data->algorithm;
+ /* data_body is NULL if the optional EncryptedContent is missing. */
data_body = p7->d.enveloped->enc_data->enc_data;
evp_cipher = EVP_get_cipherbyobj(enc_alg->algorithm);
if (evp_cipher == NULL) {
@@ -481,6 +489,12 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
goto err;
}
+ /* Detached content must be supplied via in_bio instead. */
+ if (data_body == NULL && in_bio == NULL) {
+ PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_CONTENT);
+ goto err;
+ }
+
/* We will be checking the signature */
if (md_sk != NULL) {
for (i = 0; i < sk_X509_ALGOR_num(md_sk); i++) {
@@ -623,7 +637,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
etmp = NULL;
}
#if 1
- if (PKCS7_is_detached(p7) || (in_bio != NULL)) {
+ if (in_bio != NULL) {
bio = in_bio;
} else {
# if 0
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 559b5cd..b356228 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -1604,47 +1604,84 @@ int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
ASN1_TIME atm;
long offset;
char buff1[24], buff2[24], *p;
- int i, j;
+ int i, j, remaining;
p = buff1;
- i = ctm->length;
+ remaining = ctm->length;
str = (char *)ctm->data;
+ /*
+ * Note that the following (historical) code allows much more slack in the
+ * time format than RFC5280. In RFC5280, the representation is fixed:
+ * UTCTime: YYMMDDHHMMSSZ
+ * GeneralizedTime: YYYYMMDDHHMMSSZ
+ */
if (ctm->type == V_ASN1_UTCTIME) {
- if ((i < 11) || (i > 17))
+ /* YYMMDDHHMM[SS]Z or YYMMDDHHMM[SS](+-)hhmm */
+ int min_length = sizeof("YYMMDDHHMMZ") - 1;
+ int max_length = sizeof("YYMMDDHHMMSS+hhmm") - 1;
+ if (remaining < min_length || remaining > max_length)
return 0;
memcpy(p, str, 10);
p += 10;
str += 10;
+ remaining -= 10;
} else {
- if (i < 13)
+ /* YYYYMMDDHHMM[SS[.fff]]Z or YYYYMMDDHHMM[SS[.f[f[f]]]](+-)hhmm */
+ int min_length = sizeof("YYYYMMDDHHMMZ") - 1;
+ int max_length = sizeof("YYYYMMDDHHMMSS.fff+hhmm") - 1;
+ if (remaining < min_length || remaining > max_length)
return 0;
memcpy(p, str, 12);
p += 12;
str += 12;
+ remaining -= 12;
}
if ((*str == 'Z') || (*str == '-') || (*str == '+')) {
*(p++) = '0';
*(p++) = '0';
} else {
+ /* SS (seconds) */
+ if (remaining < 2)
+ return 0;
*(p++) = *(str++);
*(p++) = *(str++);
- /* Skip any fractional seconds... */
- if (*str == '.') {
+ remaining -= 2;
+ /*
+ * Skip any (up to three) fractional seconds...
+ * TODO(emilia): in RFC5280, fractional seconds are forbidden.
+ * Can we just kill them altogether?
+ */
+ if (remaining && *str == '.') {
str++;
- while ((*str >= '0') && (*str <= '9'))
- str++;
+ remaining--;
+ for (i = 0; i < 3 && remaining; i++, str++, remaining--) {
+ if (*str < '0' || *str > '9')
+ break;
+ }
}
}
*(p++) = 'Z';
*(p++) = '\0';
- if (*str == 'Z')
+ /* We now need either a terminating 'Z' or an offset. */
+ if (!remaining)
+ return 0;
+ if (*str == 'Z') {
+ if (remaining != 1)
+ return 0;
offset = 0;
- else {
+ } else {
+ /* (+-)HHMM */
if ((*str != '+') && (*str != '-'))
return 0;
+ /* Historical behaviour: the (+-)hhmm offset is forbidden in RFC5280. */
+ if (remaining != 5)
+ return 0;
+ if (str[1] < '0' || str[1] > '9' || str[2] < '0' || str[2] > '9' ||
+ str[3] < '0' || str[3] > '9' || str[4] < '0' || str[4] > '9')
+ return 0;
offset = ((str[1] - '0') * 10 + (str[2] - '0')) * 60;
offset += (str[3] - '0') * 10 + (str[4] - '0');
if (*str == '-')
diff --git a/openssl.spec b/openssl.spec
index a85f0fe..e282aca 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -6,7 +6,7 @@ Release: 1
Summary: Secure Sockets Layer and cryptography libraries and tools
Name: openssl
-Version: 1.0.0s
+Version: 1.0.0t
Source0: ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz
License: OpenSSL
Group: System Environment/Libraries
More information about the openssl-commits
mailing list