[openssl-commits] [openssl] OpenSSL_0_9_8-stable update

Matt Caswell matt at openssl.org
Thu Jun 11 14:44:23 UTC 2015


The branch OpenSSL_0_9_8-stable has been updated
       via  2c9dfa18aacdd22537ced0815d0a53532c019d5b (commit)
       via  0823ddc56e9aaa1de6c4f57bb45457d5eeca404d (commit)
       via  ad6567965dbab184a7e9e84212c6d4f9f9e24519 (commit)
       via  582f1f41d49b5bf5ceaca241356d5f9c986f230f (commit)
       via  fa57f74a3941db6b2efb2f43c6add914ec83db20 (commit)
       via  92f9a8bf3844359bb50d86dab92bc24b074d350d (commit)
      from  39bcfb129e816de00bf2170c3497e8104767beb7 (commit)


- Log -----------------------------------------------------------------
commit 2c9dfa18aacdd22537ced0815d0a53532c019d5b
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Jun 11 15:23:16 2015 +0100

    Prepare for 0.9.8zh-dev
    
    Reviewed-by: Stephen Henson <steve at openssl.org>

commit 0823ddc56e9aaa1de6c4f57bb45457d5eeca404d
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Jun 11 15:20:22 2015 +0100

    Prepare for 0.9.8zg release
    
    Reviewed-by: Stephen Henson <steve at openssl.org>

commit ad6567965dbab184a7e9e84212c6d4f9f9e24519
Author: Matt Caswell <matt at openssl.org>
Date:   Wed Jun 10 11:49:31 2015 +0100

    Update CHANGES and NEWS
    
    Updates to CHANGES and NEWS to take account of the latest security fixes.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>

commit 582f1f41d49b5bf5ceaca241356d5f9c986f230f
Author: Emilia Kasper <emilia at openssl.org>
Date:   Tue May 12 19:00:30 2015 +0200

    PKCS#7: Fix NULL dereference with missing EncryptedContent.
    
    CVE-2015-1790
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>

commit fa57f74a3941db6b2efb2f43c6add914ec83db20
Author: Emilia Kasper <emilia at openssl.org>
Date:   Wed Apr 8 16:56:43 2015 +0200

    Fix length checks in X509_cmp_time to avoid out-of-bounds reads.
    
    Also tighten X509_cmp_time to reject more than three fractional
    seconds in the time; and to reject trailing garbage after the offset.
    
    CVE-2015-1789
    
    Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
    Reviewed-by: Richard Levitte <levitte at openssl.org>

commit 92f9a8bf3844359bb50d86dab92bc24b074d350d
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Fri Jun 5 12:11:25 2015 +0100

    Fix infinite loop in CMS
    
    Fix loop in do_free_upto if cmsbio is NULL: this will happen when attempting
    to verify and a digest is not recognised. Reported by Johannes Bauer.
    
    CVE-2015-1792
    
    Reviewed-by: Matt Caswell <matt at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 CHANGES                 | 70 ++++++++++++++++++++++++++++++++++++++++++++++++-
 NEWS                    | 10 ++++++-
 README                  |  2 +-
 crypto/cms/cms_smime.c  |  2 +-
 crypto/opensslv.h       |  6 ++---
 crypto/pkcs7/pk7_doit.c | 16 ++++++++++-
 crypto/x509/x509_vfy.c  | 57 +++++++++++++++++++++++++++++++++-------
 openssl.spec            |  2 +-
 8 files changed, 146 insertions(+), 19 deletions(-)

diff --git a/CHANGES b/CHANGES
index c1bb2af..ed2f0ec 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,10 +2,78 @@
  OpenSSL CHANGES
  _______________
 
- Changes between 0.9.8zf and 0.9.8zg [xx XXX xxxx]
+ Changes between 0.9.8zg and 0.9.8zh [xx XXX xxxx]
 
   *)
 
+ Changes between 0.9.8zf and 0.9.8zg [11 Jun 2015]
+
+  *) Malformed ECParameters causes infinite loop
+
+     When processing an ECParameters structure OpenSSL enters an infinite loop
+     if the curve specified is over a specially malformed binary polynomial
+     field.
+
+     This can be used to perform denial of service against any
+     system which processes public keys, certificate requests or
+     certificates.  This includes TLS clients and TLS servers with
+     client authentication enabled.
+
+     This issue was reported to OpenSSL by Joseph Barr-Pixton.
+     (CVE-2015-1788)
+     [Andy Polyakov]
+
+  *) Exploitable out-of-bounds read in X509_cmp_time
+
+     X509_cmp_time does not properly check the length of the ASN1_TIME
+     string and can read a few bytes out of bounds. In addition,
+     X509_cmp_time accepts an arbitrary number of fractional seconds in the
+     time string.
+
+     An attacker can use this to craft malformed certificates and CRLs of
+     various sizes and potentially cause a segmentation fault, resulting in
+     a DoS on applications that verify certificates or CRLs. TLS clients
+     that verify CRLs are affected. TLS clients and servers with client
+     authentication enabled may be affected if they use custom verification
+     callbacks.
+
+     This issue was reported to OpenSSL by Robert Swiecki (Google), and
+     independently by Hanno Böck.
+     (CVE-2015-1789)
+     [Emilia Käsper]
+
+  *) PKCS7 crash with missing EnvelopedContent
+
+     The PKCS#7 parsing code does not handle missing inner EncryptedContent
+     correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
+     with missing content and trigger a NULL pointer dereference on parsing.
+
+     Applications that decrypt PKCS#7 data or otherwise parse PKCS#7
+     structures from untrusted sources are affected. OpenSSL clients and
+     servers are not affected.
+
+     This issue was reported to OpenSSL by Michal Zalewski (Google).
+     (CVE-2015-1790)
+     [Emilia Käsper]
+
+  *) CMS verify infinite loop with unknown hash function
+
+     When verifying a signedData message the CMS code can enter an infinite loop
+     if presented with an unknown hash function OID. This can be used to perform
+     denial of service against any system which verifies signedData messages using
+     the CMS code.
+     This issue was reported to OpenSSL by Johannes Bauer.
+     (CVE-2015-1792)
+     [Stephen Henson]
+
+  *) Race condition handling NewSessionTicket
+
+     If a NewSessionTicket is received by a multi-threaded client when attempting to
+     reuse a previous ticket then a race condition can occur potentially leading to
+     a double free of the ticket data.
+     (CVE-2015-1791)
+     [Matt Caswell]
+
  Changes between 0.9.8ze and 0.9.8zf [19 Mar 2015]
 
   *) Segmentation fault in ASN1_TYPE_cmp fix
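
Review bot: the new entry heading "PKCS7 crash with missing EnvelopedContent" does not match its own body ("missing inner EncryptedContent") or the commit message for CVE-2015-1790 ("missing EncryptedContent"); EncryptedContent is the PKCS#7 field that is optional and absent here, so the heading should say "EncryptedContent" to avoid pointing readers at the wrong structure. Minor: the CVE-2015-1792 entry is listed before CVE-2015-1791 while the other entries are in ascending CVE order.
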
diff --git a/NEWS b/NEWS
index 0422981..4ffbbab 100644
--- a/NEWS
+++ b/NEWS
@@ -5,10 +5,18 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
-  Major changes between OpenSSL 0.9.8zf and OpenSSL 0.9.8zg [under development]
+  Major changes between OpenSSL 0.9.8zg and OpenSSL 0.9.8zh [under development]
 
       o
 
+  Major changes between OpenSSL 0.9.8zf and OpenSSL 0.9.8zg [11 Jun 2015]
+
+      o Malformed ECParameters causes infinite loop (CVE-2015-1788)
+      o Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789)
+      o PKCS7 crash with missing EnvelopedContent (CVE-2015-1790)
+      o CMS verify infinite loop with unknown hash function (CVE-2015-1792)
+      o Race condition handling NewSessionTicket (CVE-2015-1791)
+
   Major changes between OpenSSL 0.9.8ze and OpenSSL 0.9.8zf [19 Mar 2015]
 
       o Segmentation fault in ASN1_TYPE_cmp fix (CVE-2015-0286)
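
Review bot: the NEWS bullet for CVE-2015-1790 repeats the "missing EnvelopedContent" wording and will diverge from CHANGES if that heading is corrected there; keep the two files in lockstep, and consider listing CVE-2015-1791 before CVE-2015-1792 so the summary is in ascending order like the other releases.
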
diff --git a/README b/README
index b4c4a21..5ca30cf 100644
--- a/README
+++ b/README
@@ -1,5 +1,5 @@
 
- OpenSSL 0.9.8zg-dev
+ OpenSSL 0.9.8zh-dev
 
  Copyright (c) 1998-2011 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
diff --git a/crypto/cms/cms_smime.c b/crypto/cms/cms_smime.c
index ecb05c4..9717789 100644
--- a/crypto/cms/cms_smime.c
+++ b/crypto/cms/cms_smime.c
@@ -131,7 +131,7 @@ static void do_free_upto(BIO *f, BIO *upto)
             BIO_free(f);
             f = tbio;
         }
-        while (f != upto);
+        while (f && f != upto);
     } else
         BIO_free_all(f);
 }
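
Review bot: the added `f &&` guard only terminates the do/while once `f` has become NULL after the first iteration; because the body runs before the condition, `do_free_upto` still executes `BIO_free(f); f = tbio;` at least once, so callers must not pass a NULL `f` (the `if (f != NULL)` surrounding this block is not shown here; please confirm it is present). A regression test that runs CMS_verify over a signedData carrying an unrecognised digest OID, the trigger named in the commit message, would lock in the fix.
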
diff --git a/crypto/opensslv.h b/crypto/opensslv.h
index fa12139..9aadf3e 100644
--- a/crypto/opensslv.h
+++ b/crypto/opensslv.h
@@ -26,11 +26,11 @@
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-# define OPENSSL_VERSION_NUMBER  0x00908200L
+# define OPENSSL_VERSION_NUMBER  0x00908210L
 # ifdef OPENSSL_FIPS
-#  define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.8zg-fips-dev xx XXX xxxx"
+#  define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.8zh-fips-dev xx XXX xxxx"
 # else
-#  define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.8zg-dev xx XXX xxxx"
+#  define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.8zh-dev xx XXX xxxx"
 # endif
 # define OPENSSL_VERSION_PTEXT   " part of " OPENSSL_VERSION_TEXT
 
diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
index db134dd..0a12f03 100644
--- a/crypto/pkcs7/pk7_doit.c
+++ b/crypto/pkcs7/pk7_doit.c
@@ -359,12 +359,19 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
 
     switch (i) {
     case NID_pkcs7_signed:
+        /*
+         * p7->d.sign->contents is a PKCS7 structure consisting of a contentType
+         * field and optional content.
+         * data_body is NULL if that structure has no (=detached) content
+         * or if the contentType is wrong (i.e., not "data").
+         */
         data_body = PKCS7_get_octet_string(p7->d.sign->contents);
         md_sk = p7->d.sign->md_algs;
         break;
     case NID_pkcs7_signedAndEnveloped:
         rsk = p7->d.signed_and_enveloped->recipientinfo;
         md_sk = p7->d.signed_and_enveloped->md_algs;
+        /* data_body is NULL if the optional EncryptedContent is missing. */
         data_body = p7->d.signed_and_enveloped->enc_data->enc_data;
         enc_alg = p7->d.signed_and_enveloped->enc_data->algorithm;
         evp_cipher = EVP_get_cipherbyobj(enc_alg->algorithm);
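
Review bot: the new comments document two distinct reasons for a NULL `data_body` in the signed case (detached content versus a wrong inner contentType) but the code treats them identically: a signedData whose inner contentType is not "data" is later accepted as detached whenever the caller supplies `in_bio`. If a wrong contentType should be rejected rather than silently masked by caller-provided data, an explicit check on `p7->d.sign->contents->type` belongs here. Also note that `p7->d.signed_and_enveloped->enc_data->enc_data` still dereferences `enc_data` unconditionally; that is fine only if the ASN.1 template guarantees EncryptedContentInfo itself is always present, which the comment should state.
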
@@ -377,6 +384,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
     case NID_pkcs7_enveloped:
         rsk = p7->d.enveloped->recipientinfo;
         enc_alg = p7->d.enveloped->enc_data->algorithm;
+        /* data_body is NULL if the optional EncryptedContent is missing. */
         data_body = p7->d.enveloped->enc_data->enc_data;
         evp_cipher = EVP_get_cipherbyobj(enc_alg->algorithm);
         if (evp_cipher == NULL) {
@@ -390,6 +398,12 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
         goto err;
     }
 
+    /* Detached content must be supplied via in_bio instead. */
+    if (data_body == NULL && in_bio == NULL) {
+        PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_CONTENT);
+        goto err;
+    }
+
     /* We will be checking the signature */
     if (md_sk != NULL) {
         for (i = 0; i < sk_X509_ALGOR_num(md_sk); i++) {
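
Review bot: this `data_body == NULL && in_bio == NULL` guard is the actual fix for the NULL dereference and is correctly placed after the switch so it covers the signed, signedAndEnveloped and enveloped cases in one spot. It reuses `PKCS7_R_NO_CONTENT` for both a malformed blob (missing EncryptedContent) and a caller error (detached content without `in_bio`); callers cannot distinguish the two, so either a dedicated reason code or a sentence in the PKCS7_dataDecode documentation would help. Please add a regression test built from a PKCS#7 enveloped blob whose EncryptedContent is absent.
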
@@ -557,7 +571,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
         etmp = NULL;
     }
 #if 1
-    if (PKCS7_is_detached(p7) || (in_bio != NULL)) {
+    if (in_bio != NULL) {
         bio = in_bio;
     } else {
 # if 0
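
Review bot: dropping `PKCS7_is_detached(p7) ||` is only safe because the earlier `data_body == NULL && in_bio == NULL` guard now rejects the detached-without-input case before this point; the comment "Detached content must be supplied via in_bio instead." on that guard is the only thing tying the two hunks together, so a one-line comment here ("data_body is non-NULL here, see the check above") would keep a future reader from re-adding the detached branch.
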
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 4fa493c..5269cc1 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -1007,47 +1007,84 @@ int X509_cmp_time(ASN1_TIME *ctm, time_t *cmp_time)
     ASN1_TIME atm;
     long offset;
     char buff1[24], buff2[24], *p;
-    int i, j;
+    int i, j, remaining;
 
     p = buff1;
-    i = ctm->length;
+    remaining = ctm->length;
     str = (char *)ctm->data;
+    /*
+     * Note that the following (historical) code allows much more slack in the
+     * time format than RFC5280. In RFC5280, the representation is fixed:
+     * UTCTime: YYMMDDHHMMSSZ
+     * GeneralizedTime: YYYYMMDDHHMMSSZ
+     */
     if (ctm->type == V_ASN1_UTCTIME) {
-        if ((i < 11) || (i > 17))
+        /* YYMMDDHHMM[SS]Z or YYMMDDHHMM[SS](+-)hhmm */
+        int min_length = sizeof("YYMMDDHHMMZ") - 1;
+        int max_length = sizeof("YYMMDDHHMMSS+hhmm") - 1;
+        if (remaining < min_length || remaining > max_length)
             return 0;
         memcpy(p, str, 10);
         p += 10;
         str += 10;
+        remaining -= 10;
     } else {
-        if (i < 13)
+        /* YYYYMMDDHHMM[SS[.fff]]Z or YYYYMMDDHHMM[SS[.f[f[f]]]](+-)hhmm */
+        int min_length = sizeof("YYYYMMDDHHMMZ") - 1;
+        int max_length = sizeof("YYYYMMDDHHMMSS.fff+hhmm") - 1;
+        if (remaining < min_length || remaining > max_length)
             return 0;
         memcpy(p, str, 12);
         p += 12;
         str += 12;
+        remaining -= 12;
     }
 
     if ((*str == 'Z') || (*str == '-') || (*str == '+')) {
         *(p++) = '0';
         *(p++) = '0';
     } else {
+        /* SS (seconds) */
+        if (remaining < 2)
+            return 0;
         *(p++) = *(str++);
         *(p++) = *(str++);
-        /* Skip any fractional seconds... */
-        if (*str == '.') {
+        remaining -= 2;
+        /*
+         * Skip any (up to three) fractional seconds...
+         * TODO(emilia): in RFC5280, fractional seconds are forbidden.
+         * Can we just kill them altogether?
+         */
+        if (remaining && *str == '.') {
             str++;
-            while ((*str >= '0') && (*str <= '9'))
-                str++;
+            remaining--;
+            for (i = 0; i < 3 && remaining; i++, str++, remaining--) {
+                if (*str < '0' || *str > '9')
+                    break;
+            }
         }
 
     }
     *(p++) = 'Z';
     *(p++) = '\0';
 
-    if (*str == 'Z')
+    /* We now need either a terminating 'Z' or an offset. */
+    if (!remaining)
+        return 0;
+    if (*str == 'Z') {
+        if (remaining != 1)
+            return 0;
         offset = 0;
-    else {
+    } else {
+        /* (+-)HHMM */
         if ((*str != '+') && (*str != '-'))
             return 0;
+        /* Historical behaviour: the (+-)hhmm offset is forbidden in RFC5280. */
+        if (remaining != 5)
+            return 0;
+        if (str[1] < '0' || str[1] > '9' || str[2] < '0' || str[2] > '9' ||
+            str[3] < '0' || str[3] > '9' || str[4] < '0' || str[4] > '9')
+            return 0;
         offset = ((str[1] - '0') * 10 + (str[2] - '0')) * 60;
         offset += (str[3] - '0') * 10 + (str[4] - '0');
         if (*str == '-')
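
Review bot: the fractional-seconds block after the `SS` digits is shared by both branches, so a UTCTime such as `YYMMDDHHMMSS.ffZ` (16 characters, within the new 17-character maximum) is still accepted, contrary to the `YYMMDDHHMM[SS]Z` comment on the UTCTime branch; gate the `'.'` handling on `ctm->type != V_ASN1_UTCTIME` if that comment is meant to hold. The loop also accepts a `'.'` followed by zero digits (`...SS.Z` reaches the `*str == 'Z'` check with `remaining == 1`), so requiring `i > 0` after the loop would reject that. The bounds fix itself looks right: every read of `*str` is now preceded by a `remaining` check, the `+hhmm` digits are validated before arithmetic, and the maximum copied into `buff1` (12 + 2 + `'Z'` + `'\0'`) fits the 24-byte buffer. Finally, the `TODO(emilia)` question should probably be resolved or rephrased before shipping in a release branch.
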
diff --git a/openssl.spec b/openssl.spec
index ff48b84..12e0705 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -6,7 +6,7 @@ Release: 1
 
 Summary: Secure Sockets Layer and cryptography libraries and tools
 Name: openssl
-Version: 0.9.8zg
+Version: 0.9.8zh
 Source0: ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz
 License: OpenSSL
 Group: System Environment/Libraries
