[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

bernd.edlinger at hotmail.de bernd.edlinger at hotmail.de
Fri Feb 1 16:06:03 UTC 2019


The branch OpenSSL_1_1_0-stable has been updated
       via  152abc5522d869668f50deeb99cd0d948d0df4c1 (commit)
      from  47c55f881ffef8aa5fafcb88d4230700bb279449 (commit)


- Log -----------------------------------------------------------------
commit 152abc5522d869668f50deeb99cd0d948d0df4c1
Author: Bernd Edlinger <bernd.edlinger at hotmail.de>
Date:   Wed Jan 30 16:20:31 2019 +0100

    Fix a crash in reuse of d2i_X509_PUBKEY
    
    If the second PUBKEY is malformed there is use after free.
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/8135)

-----------------------------------------------------------------------

Summary of changes:
 CHANGES                | 4 ++++
 crypto/x509/x_pubkey.c | 1 +
 2 files changed, 5 insertions(+)

diff --git a/CHANGES b/CHANGES
index b810a12..d634252 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,6 +9,10 @@
 
  Changes between 1.1.0j and 1.1.0k [xx XXX xxxx]
 
+  *) Fix a use after free bug in d2i_X509_PUBKEY when overwriting a
+     re-used X509_PUBKEY object if the second PUBKEY is malformed.
+     [Bernd Edlinger]
+
   *) Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0().
      [Richard Levitte]
 
diff --git a/crypto/x509/x_pubkey.c b/crypto/x509/x_pubkey.c
index cc69283..03271cb 100644
--- a/crypto/x509/x_pubkey.c
+++ b/crypto/x509/x_pubkey.c
@@ -36,6 +36,7 @@ static int pubkey_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
         /* Attempt to decode public key and cache in pubkey structure. */
         X509_PUBKEY *pubkey = (X509_PUBKEY *)*pval;
         EVP_PKEY_free(pubkey->pkey);
+        pubkey->pkey = NULL;
         /*
          * Opportunistically decode the key but remove any non fatal errors
          * from the queue. Subsequent explicit attempts to decode/use the key
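
Review bot: The added `pubkey->pkey = NULL;` directly after `EVP_PKEY_free(pubkey->pkey);` in pubkey_cb comes without a regression test; the diffstat lists only CHANGES and crypto/x509/x_pubkey.c. A test that decodes a valid key and then a malformed one into the same X509_PUBKEY through d2i_X509_PUBKEY, then frees the object, would pin the reuse case the commit message describes and stop the assignment from being dropped in a later cleanup. The new line would also benefit from a short comment of its own, since the existing comment below it only covers the opportunistic decode and does not say that the freed pointer must be cleared in case that decode does not set a new key.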

