[Pkg-openssl-changes] r832 - in openssl/branches/jessie/debian: . patches
Kurt Roeckx
kroeckx at moszumanska.debian.org
Thu Sep 22 16:54:33 UTC 2016
Author: kroeckx
Date: 2016-09-22 16:54:33 +0000 (Thu, 22 Sep 2016)
New Revision: 832
Added:
openssl/branches/jessie/debian/patches/CVE-2016-2177.patch
openssl/branches/jessie/debian/patches/CVE-2016-2178.patch
openssl/branches/jessie/debian/patches/CVE-2016-2179.patch
openssl/branches/jessie/debian/patches/CVE-2016-2180.patch
openssl/branches/jessie/debian/patches/CVE-2016-2181.patch
openssl/branches/jessie/debian/patches/CVE-2016-2182.patch
openssl/branches/jessie/debian/patches/CVE-2016-2183.patch
openssl/branches/jessie/debian/patches/CVE-2016-6302.patch
openssl/branches/jessie/debian/patches/CVE-2016-6303.patch
openssl/branches/jessie/debian/patches/CVE-2016-6304.patch
openssl/branches/jessie/debian/patches/CVE-2016-6306.patch
Modified:
openssl/branches/jessie/debian/changelog
openssl/branches/jessie/debian/patches/series
Log:
security update
Modified: openssl/branches/jessie/debian/changelog
===================================================================
--- openssl/branches/jessie/debian/changelog 2016-09-21 19:58:39 UTC (rev 831)
+++ openssl/branches/jessie/debian/changelog 2016-09-22 16:54:33 UTC (rev 832)
@@ -1,3 +1,19 @@
+openssl (1.0.1t-1+deb8u4) jessie-security; urgency=medium
+
+ * Fix CVE-2016-2177
+ * Fix CVE-2016-2178
+ * Fix CVE-2016-2179
+ * Fix CVE-2016-2180
+ * Fix CVE-2016-2181
+ * Fix CVE-2016-2182
+ * Fix CVE-2016-2183
+ * Fix CVE-2016-6302
+ * Fix CVE-2016-6303
+ * Fix CVE-2016-6304
+ * Fix CVE-2016-6306
+
+ -- Kurt Roeckx <kurt at roeckx.be> Wed, 21 Sep 2016 21:58:48 +0200
+
openssl (1.0.1t-1+deb8u3) jessie; urgency=medium
[ Kurt Roeckx ]
Added: openssl/branches/jessie/debian/patches/CVE-2016-2177.patch
===================================================================
--- openssl/branches/jessie/debian/patches/CVE-2016-2177.patch (rev 0)
+++ openssl/branches/jessie/debian/patches/CVE-2016-2177.patch 2016-09-22 16:54:33 UTC (rev 832)
@@ -0,0 +1,256 @@
+From 6f35f6deb5ca7daebe289f86477e061ce3ee5f46 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt at openssl.org>
+Date: Thu, 5 May 2016 11:10:26 +0100
+Subject: [PATCH] Avoid some undefined pointer arithmetic
+
+A common idiom in the codebase is:
+
+if (p + len > limit)
+{
+ return; /* Too long */
+}
+
+Where "p" points to some malloc'd data of SIZE bytes and
+limit == p + SIZE
+
+"len" here could be from some externally supplied data (e.g. from a TLS
+message).
+
+The rules of C pointer arithmetic are such that "p + len" is only well
+defined where len <= SIZE. Therefore the above idiom is actually
+undefined behaviour.
+
+For example this could cause problems if some malloc implementation
+provides an address for "p" such that "p + len" actually overflows for
+values of len that are too big and therefore p + len < limit!
+
+Issue reported by Guido Vranken.
+
+CVE-2016-2177
+
+Reviewed-by: Rich Salz <rsalz at openssl.org>
+---
+ ssl/s3_srvr.c | 14 +++++++-------
+ ssl/ssl_sess.c | 2 +-
+ ssl/t1_lib.c | 48 ++++++++++++++++++++++++++----------------------
+ 3 files changed, 34 insertions(+), 30 deletions(-)
+
+diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
+index 04cf93a..6c74caa 100644
+--- a/ssl/s3_srvr.c
++++ b/ssl/s3_srvr.c
+@@ -1040,7 +1040,7 @@ int ssl3_get_client_hello(SSL *s)
+
+ session_length = *(p + SSL3_RANDOM_SIZE);
+
+- if (p + SSL3_RANDOM_SIZE + session_length + 1 >= d + n) {
++ if (SSL3_RANDOM_SIZE + session_length + 1 >= (d + n) - p) {
+ al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+ goto f_err;
+@@ -1058,7 +1058,7 @@ int ssl3_get_client_hello(SSL *s)
+ /* get the session-id */
+ j = *(p++);
+
+- if (p + j > d + n) {
++ if ((d + n) - p < j) {
+ al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+ goto f_err;
+@@ -1114,14 +1114,14 @@ int ssl3_get_client_hello(SSL *s)
+
+ if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) {
+ /* cookie stuff */
+- if (p + 1 > d + n) {
++ if ((d + n) - p < 1) {
+ al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+ goto f_err;
+ }
+ cookie_len = *(p++);
+
+- if (p + cookie_len > d + n) {
++ if ((d + n ) - p < cookie_len) {
+ al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+ goto f_err;
+@@ -1166,7 +1166,7 @@ int ssl3_get_client_hello(SSL *s)
+ p += cookie_len;
+ }
+
+- if (p + 2 > d + n) {
++ if ((d + n ) - p < 2) {
+ al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+ goto f_err;
+@@ -1180,7 +1180,7 @@ int ssl3_get_client_hello(SSL *s)
+ }
+
+ /* i bytes of cipher data + 1 byte for compression length later */
+- if ((p + i + 1) > (d + n)) {
++ if ((d + n) - p < i + 1) {
+ /* not enough data */
+ al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
+@@ -1246,7 +1246,7 @@ int ssl3_get_client_hello(SSL *s)
+
+ /* compression */
+ i = *(p++);
+- if ((p + i) > (d + n)) {
++ if ((d + n) - p < i) {
+ /* not enough data */
+ al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
+diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
+index 48fc451..a97d060 100644
+--- a/ssl/ssl_sess.c
++++ b/ssl/ssl_sess.c
+@@ -602,7 +602,7 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
+ int r;
+ #endif
+
+- if (session_id + len > limit) {
++ if (limit - session_id < len) {
+ fatal = 1;
+ goto err;
+ }
+diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
+index 0bdb77d..8ed1793 100644
+--- a/ssl/t1_lib.c
++++ b/ssl/t1_lib.c
+@@ -942,11 +942,11 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
+ 0x02, 0x03, /* SHA-1/ECDSA */
+ };
+
+- if (data >= (limit - 2))
++ if (limit - data <= 2)
+ return;
+ data += 2;
+
+- if (data > (limit - 4))
++ if (limit - data < 4)
+ return;
+ n2s(data, type);
+ n2s(data, size);
+@@ -954,7 +954,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
+ if (type != TLSEXT_TYPE_server_name)
+ return;
+
+- if (data + size > limit)
++ if (limit - data < size)
+ return;
+ data += size;
+
+@@ -962,7 +962,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
+ const size_t len1 = sizeof(kSafariExtensionsBlock);
+ const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
+
+- if (data + len1 + len2 != limit)
++ if (limit - data != (int)(len1 + len2))
+ return;
+ if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
+ return;
+@@ -971,7 +971,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
+ } else {
+ const size_t len = sizeof(kSafariExtensionsBlock);
+
+- if (data + len != limit)
++ if (limit - data != (int)(len))
+ return;
+ if (memcmp(data, kSafariExtensionsBlock, len) != 0)
+ return;
+@@ -1019,19 +1019,19 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p,
+ if (data == limit)
+ goto ri_check;
+
+- if (data > (limit - 2))
++ if (limit - data < 2)
+ goto err;
+
+ n2s(data, len);
+
+- if (data + len != limit)
++ if (limit - data != len)
+ goto err;
+
+- while (data <= (limit - 4)) {
++ while (limit - data >= 4) {
+ n2s(data, type);
+ n2s(data, size);
+
+- if (data + size > (limit))
++ if (limit - data < size)
+ goto err;
+ # if 0
+ fprintf(stderr, "Received extension type %d size %d\n", type, size);
+@@ -1460,20 +1460,20 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
+ SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
+ # endif
+
+- if (data >= (d + n - 2))
++ if ((d + n) - data <= 2)
+ goto ri_check;
+
+ n2s(data, length);
+- if (data + length != d + n) {
++ if ((d + n) - data != length) {
+ *al = SSL_AD_DECODE_ERROR;
+ return 0;
+ }
+
+- while (data <= (d + n - 4)) {
++ while ((d + n) - data >= 4) {
+ n2s(data, type);
+ n2s(data, size);
+
+- if (data + size > (d + n))
++ if ((d + n) - data < size)
+ goto ri_check;
+
+ if (s->tlsext_debug_cb)
+@@ -2179,29 +2179,33 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
+ /* Skip past DTLS cookie */
+ if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) {
+ i = *(p++);
+- p += i;
+- if (p >= limit)
++
++ if (limit - p <= i)
+ return -1;
++
++ p += i;
+ }
+ /* Skip past cipher list */
+ n2s(p, i);
+- p += i;
+- if (p >= limit)
++ if (limit - p <= i)
+ return -1;
++ p += i;
++
+ /* Skip past compression algorithm list */
+ i = *(p++);
+- p += i;
+- if (p > limit)
++ if (limit - p < i)
+ return -1;
++ p += i;
++
+ /* Now at start of extensions */
+- if ((p + 2) >= limit)
++ if (limit - p <= 2)
+ return 0;
+ n2s(p, i);
+- while ((p + 4) <= limit) {
++ while (limit - p >= 4) {
+ unsigned short type, size;
+ n2s(p, type);
+ n2s(p, size);
+- if (p + size > limit)
++ if (limit - p < size)
+ return 0;
+ if (type == TLSEXT_TYPE_session_ticket) {
+ int r;
+--
+2.9.3
+
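Review bot: The `(int)(len1 + len2)` and `(int)(len)` casts in ssl_check_for_safari (t1_lib.c hunks at +962 and +971) narrow size_t to int with no comment; they are safe only because both operands are sizeof of small constant tables, and a one-line note such as `/* sizeof of small static tables; cast keeps the compare signed against ptrdiff_t */` would record that. Every rewritten check also relies on the cursor never having passed the limit, so that `limit - data` (or `(d + n) - p`) is non-negative; where a length operand is an unsigned type wider than int (as I would expect for `session_length` and `cookie_len`, whose declarations are outside the hunk), a negative difference would convert to a large unsigned value and the check would pass, so that invariant deserves a comment at the top of each parser. Minor: `(d + n ) - p` in the s3_srvr.c hunks at +1114 and +1166 is spaced inconsistently with `(d + n) - p` elsewhere in the same file. Each enclosing function begins and ends outside the quoted hunks.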
Added: openssl/branches/jessie/debian/patches/CVE-2016-2178.patch
===================================================================
--- openssl/branches/jessie/debian/patches/CVE-2016-2178.patch (rev 0)
+++ openssl/branches/jessie/debian/patches/CVE-2016-2178.patch 2016-09-22 16:54:33 UTC (rev 832)
@@ -0,0 +1,23 @@
+diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
+index 9a3772e..06cd2a2 100644
+--- a/crypto/dsa/dsa_ossl.c
++++ b/crypto/dsa/dsa_ossl.c
+@@ -247,7 +247,8 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
+ do
+ if (!BN_rand_range(&k, dsa->q))
+ goto err;
+- while (BN_is_zero(&k)) ;
++ while (BN_is_zero(&k));
++
+ if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
+ BN_set_flags(&k, BN_FLG_CONSTTIME);
+ }
+@@ -264,6 +266,8 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
+ if (!BN_copy(&kq, &k))
+ goto err;
+
++ BN_set_flags(&kq, BN_FLG_CONSTTIME);
++
+ /*
+ * We do not want timing information to leak the length of k, so we
+ * compute g^k using an equivalent exponent of fixed length. (This
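Review bot: `BN_set_flags(&kq, BN_FLG_CONSTTIME)` at +266 is unconditional, while the same flag on `k` a few lines earlier (+247) is set only when `(dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0`. If the intent is that the copy always takes the constant-time path regardless of that flag, a comment saying so would prevent a later "cleanup" that makes the two consistent and reintroduces the timing leak; placing the call after `BN_copy` suggests the copy does not carry flags over, which is worth stating as well, e.g. `/* BN_copy does not propagate flags; kq must be constant-time too */`. This is also the only patch file in the commit with no header describing the fix, so a short DEP-3 style `Description:`/`Origin:` block would let a reader tie it to CVE-2016-2178 without consulting the changelog. dsa_sign_setup begins and ends outside the hunk.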
Added: openssl/branches/jessie/debian/patches/CVE-2016-2179.patch
===================================================================
--- openssl/branches/jessie/debian/patches/CVE-2016-2179.patch (rev 0)
+++ openssl/branches/jessie/debian/patches/CVE-2016-2179.patch 2016-09-22 16:54:33 UTC (rev 832)
@@ -0,0 +1,253 @@
+From 00a4c1421407b6ac796688871b0a49a179c694d9 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt at openssl.org>
+Date: Thu, 30 Jun 2016 13:17:08 +0100
+Subject: [PATCH] Fix DTLS buffered message DoS attack
+
+DTLS can handle out of order record delivery. Additionally since
+handshake messages can be bigger than will fit into a single packet, the
+messages can be fragmented across multiple records (as with normal TLS).
+That means that the messages can arrive mixed up, and we have to
+reassemble them. We keep a queue of buffered messages that are "from the
+future", i.e. messages we're not ready to deal with yet but have arrived
+early. The messages held there may not be full yet - they could be one
+or more fragments that are still in the process of being reassembled.
+
+The code assumes that we will eventually complete the reassembly and
+when that occurs the complete message is removed from the queue at the
+point that we need to use it.
+
+However, DTLS is also tolerant of packet loss. To get around that DTLS
+messages can be retransmitted. If we receive a full (non-fragmented)
+message from the peer after previously having received a fragment of
+that message, then we ignore the message in the queue and just use the
+non-fragmented version. At that point the queued message will never get
+removed.
+
+Additionally the peer could send "future" messages that we never get to
+in order to complete the handshake. Each message has a sequence number
+(starting from 0). We will accept a message fragment for the current
+message sequence number, or for any sequence up to 10 into the future.
+However if the Finished message has a sequence number of 2, anything
+greater than that in the queue is just left there.
+
+So, in those two ways we can end up with "orphaned" data in the queue
+that will never get removed - except when the connection is closed. At
+that point all the queues are flushed.
+
+An attacker could seek to exploit this by filling up the queues with
+lots of large messages that are never going to be used in order to
+attempt a DoS by memory exhaustion.
+
+I will assume that we are only concerned with servers here. It does not
+seem reasonable to be concerned about a memory exhaustion attack on a
+client. They are unlikely to process enough connections for this to be
+an issue.
+
+A "long" handshake with many messages might be 5 messages long (in the
+incoming direction), e.g. ClientHello, Certificate, ClientKeyExchange,
+CertificateVerify, Finished. So this would be message sequence numbers 0
+to 4. Additionally we can buffer up to 10 messages in the future.
+Therefore the maximum number of messages that an attacker could send
+that could get orphaned would typically be 15.
+
+The maximum size that a DTLS message is allowed to be is defined by
+max_cert_list, which by default is 100k. Therefore the maximum amount of
+"orphaned" memory per connection is 1500k.
+
+Message sequence numbers get reset after the Finished message, so
+renegotiation will not extend the maximum number of messages that can be
+orphaned per connection.
+
+As noted above, the queues do get cleared when the connection is closed.
+Therefore in order to mount an effective attack, an attacker would have
+to open many simultaneous connections.
+
+Issue reported by Quan Luo.
+
+CVE-2016-2179
+
+Reviewed-by: Richard Levitte <levitte at openssl.org>
+---
+ ssl/d1_both.c | 32 ++++++++++++++++----------------
+ ssl/d1_clnt.c | 1 +
+ ssl/d1_lib.c | 37 ++++++++++++++++++++++++++-----------
+ ssl/d1_srvr.c | 3 ++-
+ ssl/ssl_locl.h | 3 ++-
+ 5 files changed, 47 insertions(+), 29 deletions(-)
+
+diff --git a/ssl/d1_both.c b/ssl/d1_both.c
+index 1614d88..ae292c4 100644
+--- a/ssl/d1_both.c
++++ b/ssl/d1_both.c
+@@ -614,11 +614,23 @@ static int dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok)
+ int al;
+
+ *ok = 0;
+- item = pqueue_peek(s->d1->buffered_messages);
+- if (item == NULL)
+- return 0;
++ do {
++ item = pqueue_peek(s->d1->buffered_messages);
++ if (item == NULL)
++ return 0;
++
++ frag = (hm_fragment *)item->data;
++
++ if (frag->msg_header.seq < s->d1->handshake_read_seq) {
++ /* This is a stale message that has been buffered so clear it */
++ pqueue_pop(s->d1->buffered_messages);
++ dtls1_hm_fragment_free(frag);
++ pitem_free(item);
++ item = NULL;
++ frag = NULL;
++ }
++ } while (item == NULL);
+
+- frag = (hm_fragment *)item->data;
+
+ /* Don't return if reassembly still in progress */
+ if (frag->reassembly != NULL)
+@@ -1416,18 +1428,6 @@ dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off,
+ return ret;
+ }
+
+-/* call this function when the buffered messages are no longer needed */
+-void dtls1_clear_record_buffer(SSL *s)
+-{
+- pitem *item;
+-
+- for (item = pqueue_pop(s->d1->sent_messages);
+- item != NULL; item = pqueue_pop(s->d1->sent_messages)) {
+- dtls1_hm_fragment_free((hm_fragment *)item->data);
+- pitem_free(item);
+- }
+-}
+-
+ unsigned char *dtls1_set_message_header(SSL *s, unsigned char *p,
+ unsigned char mt, unsigned long len,
+ unsigned long frag_off,
+diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c
+index eb371a2..e1f167b 100644
+--- a/ssl/d1_clnt.c
++++ b/ssl/d1_clnt.c
+@@ -751,6 +751,7 @@ int dtls1_connect(SSL *s)
+ /* done with handshaking */
+ s->d1->handshake_read_seq = 0;
+ s->d1->next_handshake_write_seq = 0;
++ dtls1_clear_received_buffer(s);
+ goto end;
+ /* break; */
+
+diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
+index 011d7b7..99984df 100644
+--- a/ssl/d1_lib.c
++++ b/ssl/d1_lib.c
+@@ -144,7 +144,6 @@ int dtls1_new(SSL *s)
+ static void dtls1_clear_queues(SSL *s)
+ {
+ pitem *item = NULL;
+- hm_fragment *frag = NULL;
+ DTLS1_RECORD_DATA *rdata;
+
+ while ((item = pqueue_pop(s->d1->unprocessed_rcds.q)) != NULL) {
+@@ -165,28 +164,44 @@ static void dtls1_clear_queues(SSL *s)
+ pitem_free(item);
+ }
+
++ while ((item = pqueue_pop(s->d1->buffered_app_data.q)) != NULL) {
++ rdata = (DTLS1_RECORD_DATA *)item->data;
++ if (rdata->rbuf.buf) {
++ OPENSSL_free(rdata->rbuf.buf);
++ }
++ OPENSSL_free(item->data);
++ pitem_free(item);
++ }
++
++ dtls1_clear_received_buffer(s);
++ dtls1_clear_sent_buffer(s);
++}
++
++void dtls1_clear_received_buffer(SSL *s)
++{
++ pitem *item = NULL;
++ hm_fragment *frag = NULL;
++
+ while ((item = pqueue_pop(s->d1->buffered_messages)) != NULL) {
+ frag = (hm_fragment *)item->data;
+ dtls1_hm_fragment_free(frag);
+ pitem_free(item);
+ }
++}
++
++void dtls1_clear_sent_buffer(SSL *s)
++{
++ pitem *item = NULL;
++ hm_fragment *frag = NULL;
+
+ while ((item = pqueue_pop(s->d1->sent_messages)) != NULL) {
+ frag = (hm_fragment *)item->data;
+ dtls1_hm_fragment_free(frag);
+ pitem_free(item);
+ }
+-
+- while ((item = pqueue_pop(s->d1->buffered_app_data.q)) != NULL) {
+- rdata = (DTLS1_RECORD_DATA *)item->data;
+- if (rdata->rbuf.buf) {
+- OPENSSL_free(rdata->rbuf.buf);
+- }
+- OPENSSL_free(item->data);
+- pitem_free(item);
+- }
+ }
+
++
+ void dtls1_free(SSL *s)
+ {
+ ssl3_free(s);
+@@ -420,7 +435,7 @@ void dtls1_stop_timer(SSL *s)
+ BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0,
+ &(s->d1->next_timeout));
+ /* Clear retransmission buffer */
+- dtls1_clear_record_buffer(s);
++ dtls1_clear_sent_buffer(s);
+ }
+
+ int dtls1_check_timeout_num(SSL *s)
+diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c
+index 60af230..bc30433 100644
+--- a/ssl/d1_srvr.c
++++ b/ssl/d1_srvr.c
+@@ -295,7 +295,7 @@ int dtls1_accept(SSL *s)
+ case SSL3_ST_SW_HELLO_REQ_B:
+
+ s->shutdown = 0;
+- dtls1_clear_record_buffer(s);
++ dtls1_clear_sent_buffer(s);
+ dtls1_start_timer(s);
+ ret = dtls1_send_hello_request(s);
+ if (ret <= 0)
+@@ -866,6 +866,7 @@ int dtls1_accept(SSL *s)
+ /* next message is server hello */
+ s->d1->handshake_write_seq = 0;
+ s->d1->next_handshake_write_seq = 0;
++ dtls1_clear_received_buffer(s);
+ goto end;
+ /* break; */
+
+diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
+index d57b902..7b1fd1f 100644
+--- a/ssl/ssl_locl.h
++++ b/ssl/ssl_locl.h
+@@ -1026,7 +1026,8 @@ int dtls1_retransmit_message(SSL *s, unsigned short seq,
+ unsigned long frag_off, int *found);
+ int dtls1_get_queue_priority(unsigned short seq, int is_ccs);
+ int dtls1_retransmit_buffered_messages(SSL *s);
+-void dtls1_clear_record_buffer(SSL *s);
++void dtls1_clear_received_buffer(SSL *s);
++void dtls1_clear_sent_buffer(SSL *s);
+ void dtls1_get_message_header(unsigned char *data,
+ struct hm_header_st *msg_hdr);
+ void dtls1_get_ccs_header(unsigned char *data, struct ccs_header_st *ccs_hdr);
+--
+2.9.3
+
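Review bot: The new `dtls1_clear_received_buffer` and `dtls1_clear_sent_buffer` in d1_lib.c carry no comment, and the one the removed `dtls1_clear_record_buffer` had (`/* call this function when the buffered messages are no longer needed */`) was dropped rather than moved. Suggest a short comment over each, e.g. `/* Free every buffered, not yet consumed incoming handshake fragment; called once the handshake is done and on teardown */` and `/* Free the retransmission buffer of sent messages */` — the call sites in d1_clnt.c, d1_srvr.c and dtls1_stop_timer support that wording, but confirm it. In dtls1_retrieve_buffered_fragment the stale-message loop discards the return of `pqueue_pop`, which is correct only because the popped item is the one just peeked; a one-line comment there would stop a reader from suspecting a leak. There is also a stray doubled blank line before `dtls1_free`.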
Added: openssl/branches/jessie/debian/patches/CVE-2016-2180.patch
===================================================================
--- openssl/branches/jessie/debian/patches/CVE-2016-2180.patch (rev 0)
+++ openssl/branches/jessie/debian/patches/CVE-2016-2180.patch 2016-09-22 16:54:33 UTC (rev 832)
@@ -0,0 +1,39 @@
+From 6adf409c7432b90c06d9890787fe56c48f2a16e7 Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve at openssl.org>
+Date: Thu, 21 Jul 2016 15:24:16 +0100
+Subject: [PATCH] Fix OOB read in TS_OBJ_print_bio().
+
+TS_OBJ_print_bio() misuses OBJ_txt2obj: it should print the result
+as a null terminated buffer. The length value returned is the total
+length the complete text reprsentation would need not the amount of
+data written.
+
+CVE-2016-2180
+
+Thanks to Shi Lei for reporting this bug.
+
+Reviewed-by: Matt Caswell <matt at openssl.org>
+(cherry picked from commit 0ed26acce328ec16a3aa635f1ca37365e8c7403a)
+---
+ crypto/ts/ts_lib.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/crypto/ts/ts_lib.c b/crypto/ts/ts_lib.c
+index c51538a..e0f1063 100644
+--- a/crypto/ts/ts_lib.c
++++ b/crypto/ts/ts_lib.c
+@@ -90,9 +90,8 @@ int TS_OBJ_print_bio(BIO *bio, const ASN1_OBJECT *obj)
+ {
+ char obj_txt[128];
+
+- int len = OBJ_obj2txt(obj_txt, sizeof(obj_txt), obj, 0);
+- BIO_write(bio, obj_txt, len);
+- BIO_write(bio, "\n", 1);
++ OBJ_obj2txt(obj_txt, sizeof(obj_txt), obj, 0);
++ BIO_printf(bio, "%s\n", obj_txt);
+
+ return 1;
+ }
+--
+2.9.3
+
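Review bot: The return value of `OBJ_obj2txt` is now discarded at +90, so an OID whose text form exceeds the 128-byte `obj_txt` is printed silently truncated (the commit message notes the return is the full length, not the bytes written), and since the function returns a fixed 1 the caller cannot tell. Either keep the length and compare it against `sizeof(obj_txt)` to report truncation, or state that truncation is acceptable here with a comment such as `/* OBJ_obj2txt NUL-terminates; output is truncated to sizeof(obj_txt) for very long OIDs */`. The `BIO_printf` result is likewise unchecked while 1 is returned unconditionally, which matches the surrounding style but is worth the same note.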
Added: openssl/branches/jessie/debian/patches/CVE-2016-2181.patch
===================================================================
--- openssl/branches/jessie/debian/patches/CVE-2016-2181.patch (rev 0)
+++ openssl/branches/jessie/debian/patches/CVE-2016-2181.patch 2016-09-22 16:54:33 UTC (rev 832)
@@ -0,0 +1,209 @@
+diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
+index ea93a8e..d3ceae0 100644
+--- a/ssl/d1_pkt.c
++++ b/ssl/d1_pkt.c
+@@ -194,7 +194,7 @@ static int dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr,
+ #endif
+ static int dtls1_buffer_record(SSL *s, record_pqueue *q,
+ unsigned char *priority);
+-static int dtls1_process_record(SSL *s);
++static int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap);
+
+ /* copy buffered record into SSL structure */
+ static int dtls1_copy_record(SSL *s, pitem *item)
+@@ -319,21 +319,70 @@ static int dtls1_retrieve_buffered_record(SSL *s, record_pqueue *queue)
+ static int dtls1_process_buffered_records(SSL *s)
+ {
+ pitem *item;
++ SSL3_BUFFER *rb;
++ SSL3_RECORD *rr;
++ DTLS1_BITMAP *bitmap;
++ unsigned int is_next_epoch;
++ int replayok = 1;
+
+ item = pqueue_peek(s->d1->unprocessed_rcds.q);
+ if (item) {
+ /* Check if epoch is current. */
+ if (s->d1->unprocessed_rcds.epoch != s->d1->r_epoch)
+- return (1); /* Nothing to do. */
++ return 1; /* Nothing to do. */
++
++ rr = &s->s3->rrec;
++ rb = &s->s3->rbuf;
++
++ if (rb->left > 0) {
++ /*
++ * We've still got data from the current packet to read. There could
++ * be a record from the new epoch in it - so don't overwrite it
++ * with the unprocessed records yet (we'll do it when we've
++ * finished reading the current packet).
++ */
++ return 1;
++ }
++
+
+ /* Process all the records. */
+ while (pqueue_peek(s->d1->unprocessed_rcds.q)) {
+ dtls1_get_unprocessed_record(s);
+- if (!dtls1_process_record(s))
+- return (0);
++ bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch);
++ if (bitmap == NULL) {
++ /*
++ * Should not happen. This will only ever be NULL when the
++ * current record is from a different epoch. But that cannot
++ * be the case because we already checked the epoch above
++ */
++ SSLerr(SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS,
++ ERR_R_INTERNAL_ERROR);
++ return 0;
++ }
++#ifndef OPENSSL_NO_SCTP
++ /* Only do replay check if no SCTP bio */
++ if (!BIO_dgram_is_sctp(SSL_get_rbio(s)))
++#endif
++ {
++ /*
++ * Check whether this is a repeat, or aged record. We did this
++ * check once already when we first received the record - but
++ * we might have updated the window since then due to
++ * records we subsequently processed.
++ */
++ replayok = dtls1_record_replay_check(s, bitmap);
++ }
++
++ if (!replayok || !dtls1_process_record(s, bitmap)) {
++ /* dump this record */
++ rr->length = 0;
++ s->packet_length = 0;
++ continue;
++ }
++
+ if (dtls1_buffer_record(s, &(s->d1->processed_rcds),
+ s->s3->rrec.seq_num) < 0)
+- return -1;
++ return 0;
+ }
+ }
+
+@@ -344,7 +393,7 @@ static int dtls1_process_buffered_records(SSL *s)
+ s->d1->processed_rcds.epoch = s->d1->r_epoch;
+ s->d1->unprocessed_rcds.epoch = s->d1->r_epoch + 1;
+
+- return (1);
++ return 1;
+ }
+
+ #if 0
+@@ -391,7 +440,7 @@ static int dtls1_get_buffered_record(SSL *s)
+
+ #endif
+
+-static int dtls1_process_record(SSL *s)
++static int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap)
+ {
+ int i, al;
+ int enc_err;
+@@ -551,6 +600,10 @@ static int dtls1_process_record(SSL *s)
+
+ /* we have pulled in a full packet so zero things */
+ s->packet_length = 0;
++
++ /* Mark receipt of record. */
++ dtls1_record_bitmap_update(s, bitmap);
++
+ return (1);
+
+ f_err:
+@@ -581,11 +634,12 @@ int dtls1_get_record(SSL *s)
+
+ rr = &(s->s3->rrec);
+
++ again:
+ /*
+ * The epoch may have changed. If so, process all the pending records.
+ * This is a non-blocking operation.
+ */
+- if (dtls1_process_buffered_records(s) < 0)
++ if (!dtls1_process_buffered_records(s))
+ return -1;
+
+ /* if we're renegotiating, then there may be buffered records */
+@@ -593,7 +647,6 @@ int dtls1_get_record(SSL *s)
+ return 1;
+
+ /* get something from the wire */
+- again:
+ /* check if we have the header */
+ if ((s->rstate != SSL_ST_READ_BODY) ||
+ (s->packet_length < DTLS1_RT_HEADER_LENGTH)) {
+@@ -717,20 +770,17 @@ int dtls1_get_record(SSL *s)
+ if (dtls1_buffer_record
+ (s, &(s->d1->unprocessed_rcds), rr->seq_num) < 0)
+ return -1;
+- /* Mark receipt of record. */
+- dtls1_record_bitmap_update(s, bitmap);
+ }
+ rr->length = 0;
+ s->packet_length = 0;
+ goto again;
+ }
+
+- if (!dtls1_process_record(s)) {
++ if (!dtls1_process_record(s, bitmap)) {
+ rr->length = 0;
+ s->packet_length = 0; /* dump this record */
+ goto again; /* get another record */
+ }
+- dtls1_record_bitmap_update(s, bitmap); /* Mark receipt of record. */
+
+ return (1);
+
+@@ -1815,8 +1865,13 @@ static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr,
+ if (rr->epoch == s->d1->r_epoch)
+ return &s->d1->bitmap;
+
+- /* Only HM and ALERT messages can be from the next epoch */
++ /*
++ * Only HM and ALERT messages can be from the next epoch and only if we
++ * have already processed all of the unprocessed records from the last
++ * epoch
++ */
+ else if (rr->epoch == (unsigned long)(s->d1->r_epoch + 1) &&
++ s->d1->unprocessed_rcds.epoch != s->d1->r_epoch &&
+ (rr->type == SSL3_RT_HANDSHAKE || rr->type == SSL3_RT_ALERT)) {
+ *is_next_epoch = 1;
+ return &s->d1->next_bitmap;
+diff --git a/ssl/ssl.h b/ssl/ssl.h
+index d6c475c..8094450 100644
+--- a/ssl/ssl.h
++++ b/ssl/ssl.h
+@@ -2256,6 +2256,7 @@ void ERR_load_SSL_strings(void);
+ # define SSL_F_DTLS1_HEARTBEAT 305
+ # define SSL_F_DTLS1_OUTPUT_CERT_CHAIN 255
+ # define SSL_F_DTLS1_PREPROCESS_FRAGMENT 288
++# define SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS 404
+ # define SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE 256
+ # define SSL_F_DTLS1_PROCESS_RECORD 257
+ # define SSL_F_DTLS1_READ_BYTES 258
+diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
+index caa671a..ed679d1 100644
+--- a/ssl/ssl_err.c
++++ b/ssl/ssl_err.c
+@@ -1,6 +1,6 @@
+ /* ssl/ssl_err.c */
+ /* ====================================================================
+- * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved.
++ * Copyright (c) 1999-2016 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+@@ -93,6 +93,8 @@ static ERR_STRING_DATA SSL_str_functs[] = {
+ {ERR_FUNC(SSL_F_DTLS1_HEARTBEAT), "DTLS1_HEARTBEAT"},
+ {ERR_FUNC(SSL_F_DTLS1_OUTPUT_CERT_CHAIN), "DTLS1_OUTPUT_CERT_CHAIN"},
+ {ERR_FUNC(SSL_F_DTLS1_PREPROCESS_FRAGMENT), "DTLS1_PREPROCESS_FRAGMENT"},
++ {ERR_FUNC(SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS),
++ "DTLS1_PROCESS_BUFFERED_RECORDS"},
+ {ERR_FUNC(SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE),
+ "DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE"},
+ {ERR_FUNC(SSL_F_DTLS1_PROCESS_RECORD), "DTLS1_PROCESS_RECORD"},
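Review bot: dtls1_process_buffered_records changes its failure return from -1 to 0 (at +392) and the single visible caller in dtls1_get_record switches from `< 0` to `!`, but no comment on the function records the new contract. Any other caller still testing `< 0` would now treat an error as success; the rest of d1_pkt.c is outside this hunk, so that is worth checking. A header comment such as `/* Returns 1 on success (including nothing to do) and 0 on error; records that fail the replay check or processing are dropped and skipped */` would document both the return value and the `continue` path. Minor: `replayok` is function-scoped but only meaningful per iteration; initialising it inside the loop would make the SCTP case (where it is never assigned) read more clearly, and there is a doubled blank line after the `rb->left` check.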
Added: openssl/branches/jessie/debian/patches/CVE-2016-2182.patch
===================================================================
--- openssl/branches/jessie/debian/patches/CVE-2016-2182.patch (rev 0)
+++ openssl/branches/jessie/debian/patches/CVE-2016-2182.patch 2016-09-22 16:54:33 UTC (rev 832)
@@ -0,0 +1,65 @@
+From 28a89639da50b1caed4ff3015508f23173bf3e49 Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve at openssl.org>
+Date: Fri, 5 Aug 2016 14:26:03 +0100
+Subject: [PATCH] Check for errors in BN_bn2dec()
+
+If an oversize BIGNUM is presented to BN_bn2dec() it can cause
+BN_div_word() to fail and not reduce the value of 't' resulting
+in OOB writes to the bn_data buffer and eventually crashing.
+
+Fix by checking return value of BN_div_word() and checking writes
+don't overflow buffer.
+
+Thanks to Shi Lei for reporting this bug.
+
+CVE-2016-2182
+
+Reviewed-by: Tim Hudson <tjh at openssl.org>
+(cherry picked from commit 07bed46f332fce8c1d157689a2cdf915a982ae34)
+
+Conflicts:
+ crypto/bn/bn_print.c
+---
+ crypto/bn/bn_print.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/crypto/bn/bn_print.c b/crypto/bn/bn_print.c
+index bfa31ef..b44403e 100644
+--- a/crypto/bn/bn_print.c
++++ b/crypto/bn/bn_print.c
+@@ -111,6 +111,7 @@ char *BN_bn2dec(const BIGNUM *a)
+ char *p;
+ BIGNUM *t = NULL;
+ BN_ULONG *bn_data = NULL, *lp;
++ int bn_data_num;
+
+ /*-
+ * get an upper bound for the length of the decimal integer
+@@ -120,9 +121,9 @@ char *BN_bn2dec(const BIGNUM *a)
+ */
+ i = BN_num_bits(a) * 3;
+ num = (i / 10 + i / 1000 + 1) + 1;
+- bn_data =
+- (BN_ULONG *)OPENSSL_malloc((num / BN_DEC_NUM + 1) * sizeof(BN_ULONG));
+- buf = (char *)OPENSSL_malloc(num + 3);
++ bn_data_num = num / BN_DEC_NUM + 1;
++ bn_data = OPENSSL_malloc(bn_data_num * sizeof(BN_ULONG));
++ buf = OPENSSL_malloc(num + 3);
+ if ((buf == NULL) || (bn_data == NULL)) {
+ BNerr(BN_F_BN_BN2DEC, ERR_R_MALLOC_FAILURE);
+ goto err;
+@@ -143,7 +144,11 @@ char *BN_bn2dec(const BIGNUM *a)
+ i = 0;
+ while (!BN_is_zero(t)) {
+ *lp = BN_div_word(t, BN_DEC_CONV);
++ if (*lp == (BN_ULONG)-1)
++ goto err;
+ lp++;
++ if (lp - bn_data >= bn_data_num)
++ goto err;
+ }
+ lp--;
+ /*
+--
+2.9.3
+
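Review bot: The bounds check added after `lp++` at +147 rejects one more case than needed: when the conversion requires exactly `bn_data_num` words, the final write lands at a valid index, `lp` then equals `bn_data + bn_data_num`, and the function fails even though the loop would have exited on the next `BN_is_zero` test. Checking before the write makes it exact: `if (lp - bn_data >= bn_data_num) goto err; *lp = BN_div_word(t, BN_DEC_CONV);`. Given the slack built into `bn_data_num` this should not be reachable, so it is a precision and readability point rather than a defect. The `(BN_ULONG)-1` test cannot collide with a real remainder since that is always below BN_DEC_CONV; a comment naming it as BN_div_word's error return would help. BN_bn2dec begins and ends outside the hunk.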
Added: openssl/branches/jessie/debian/patches/CVE-2016-2183.patch
===================================================================
--- openssl/branches/jessie/debian/patches/CVE-2016-2183.patch (rev 0)
+++ openssl/branches/jessie/debian/patches/CVE-2016-2183.patch 2016-09-22 16:54:33 UTC (rev 832)
@@ -0,0 +1,176 @@
+From e95f5e03f6f1f8d3f6cbe4b7fa48e57b4cf8fd60 Mon Sep 17 00:00:00 2001
+From: Rich Salz <rsalz at openssl.org>
+Date: Thu, 18 Aug 2016 09:26:52 -0400
+Subject: [PATCH] SWEET32 (CVE-2016-2183): Move DES from HIGH to MEDIUM
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
+Reviewed-by: Emilia Käsper <emilia at openssl.org>
+(cherry picked from commit 0fff5065884d5ac61123a604bbcee30a53c808ff)
+---
+ CHANGES | 4 +++-
+ ssl/s3_lib.c | 34 +++++++++++++++++-----------------
+ 2 files changed, 20 insertions(+), 18 deletions(-)
+
+diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
+index 35d6587..6b1822d 100644
+--- a/ssl/s3_lib.c
++++ b/ssl/s3_lib.c
+@@ -334,7 +334,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+ SSL_3DES,
+ SSL_SHA1,
+ SSL_SSLV3,
+- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
++ SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
+ SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+ 112,
+ 168,
+@@ -387,7 +387,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+ SSL_3DES,
+ SSL_SHA1,
+ SSL_SSLV3,
+- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
++ SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
+ SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+ 112,
+ 168,
+@@ -439,7 +439,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+ SSL_3DES,
+ SSL_SHA1,
+ SSL_SSLV3,
+- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
++ SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
+ SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+ 112,
+ 168,
+@@ -492,7 +492,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+ SSL_3DES,
+ SSL_SHA1,
+ SSL_SSLV3,
+- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
++ SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
+ SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+ 112,
+ 168,
+@@ -544,7 +544,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+ SSL_3DES,
+ SSL_SHA1,
+ SSL_SSLV3,
+- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
++ SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
+ SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+ 112,
+ 168,
+@@ -630,7 +630,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+ SSL_3DES,
+ SSL_SHA1,
+ SSL_SSLV3,
+- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
++ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
+ SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+ 112,
+ 168,
+@@ -717,7 +717,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+ SSL_3DES,
+ SSL_SHA1,
+ SSL_SSLV3,
+- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
++ SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
+ SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+ 112,
+ 168,
+@@ -783,7 +783,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+ SSL_3DES,
+ SSL_MD5,
+ SSL_SSLV3,
+- SSL_NOT_EXP | SSL_HIGH,
++ SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+ 112,
+ 168,
+@@ -1733,7 +1733,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+ SSL_3DES,
+ SSL_SHA1,
+ SSL_TLSV1,
+- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
++ SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
+ SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+ 112,
+ 168,
+@@ -2110,7 +2110,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+ SSL_3DES,
+ SSL_SHA1,
+ SSL_TLSV1,
+- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
++ SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
+ SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+ 112,
+ 168,
+@@ -2190,7 +2190,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+ SSL_3DES,
+ SSL_SHA1,
+ SSL_TLSV1,
+- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
++ SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
+ SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+ 112,
+ 168,
+@@ -2270,7 +2270,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+ SSL_3DES,
+ SSL_SHA1,
+ SSL_TLSV1,
+- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
++ SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
+ SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+ 112,
+ 168,
+@@ -2350,7 +2350,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+ SSL_3DES,
+ SSL_SHA1,
+ SSL_TLSV1,
+- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
++ SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
+ SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+ 112,
+ 168,
+@@ -2430,7 +2430,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+ SSL_3DES,
+ SSL_SHA1,
+ SSL_TLSV1,
+- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
++ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
+ SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+ 112,
+ 168,
+@@ -2480,7 +2480,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+ SSL_3DES,
+ SSL_SHA1,
+ SSL_TLSV1,
+- SSL_NOT_EXP | SSL_HIGH,
++ SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+ 112,
+ 168,
+@@ -2496,7 +2496,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+ SSL_3DES,
+ SSL_SHA1,
+ SSL_TLSV1,
+- SSL_NOT_EXP | SSL_HIGH,
++ SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+ 112,
+ 168,
+@@ -2512,7 +2512,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+ SSL_3DES,
+ SSL_SHA1,
+ SSL_TLSV1,
+- SSL_NOT_EXP | SSL_HIGH,
++ SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+ 112,
+ 168,
+--
+2.9.3
+
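Review bot: The diffstat at the top of this patch still lists `CHANGES | 4 +++-`, but the body carries only the ssl/s3_lib.c hunks, so the stat no longer describes what is applied and should be regenerated or the dropped CHANGES hunk mentioned in the header. Relabelling the 3DES suites from SSL_HIGH to SSL_MEDIUM only changes which cipher-string keywords match them; nothing in these hunks disables the suites, so deployments selecting `ALL` or `DEFAULT` presumably still offer 3DES unless they also add `!3DES`, and that caveat deserves one sentence in the patch header. The SSL_FIPS and SSL_NOT_EXP flags are left as they were, which is consistent with a strength reclassification rather than a removal.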
Added: openssl/branches/jessie/debian/patches/CVE-2016-6302.patch
===================================================================
--- openssl/branches/jessie/debian/patches/CVE-2016-6302.patch (rev 0)
+++ openssl/branches/jessie/debian/patches/CVE-2016-6302.patch 2016-09-22 16:54:33 UTC (rev 832)
@@ -0,0 +1,52 @@
+From 1bbe48ab149893a78bf99c8eb8895c928900a16f Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve at openssl.org>
+Date: Tue, 23 Aug 2016 18:14:54 +0100
+Subject: [PATCH] Sanity check ticket length.
+
+If a ticket callback changes the HMAC digest to SHA512 the existing
+sanity checks are not sufficient and an attacker could perform a DoS
+attack with a malformed ticket. Add additional checks based on
+HMAC size.
+
+Thanks to Shi Lei for reporting this bug.
+
+CVE-2016-6302
+
+Reviewed-by: Rich Salz <rsalz at openssl.org>
+(cherry picked from commit baaabfd8fdcec04a691695fad9a664bea43202b6)
+---
+ ssl/t1_lib.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
+index d961e4a..7680491 100644
+--- a/ssl/t1_lib.c
++++ b/ssl/t1_lib.c
+@@ -2273,9 +2273,7 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
+ HMAC_CTX hctx;
+ EVP_CIPHER_CTX ctx;
+ SSL_CTX *tctx = s->initial_ctx;
+- /* Need at least keyname + iv + some encrypted data */
+- if (eticklen < 48)
+- return 2;
++
+ /* Initialize session ticket encryption and HMAC contexts */
+ HMAC_CTX_init(&hctx);
+ EVP_CIPHER_CTX_init(&ctx);
+@@ -2309,6 +2307,13 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
+ if (mlen < 0) {
+ goto err;
+ }
++ /* Sanity check ticket length: must exceed keyname + IV + HMAC */
++ if (eticklen <= 16 + EVP_CIPHER_CTX_iv_length(&ctx) + mlen) {
++ HMAC_CTX_cleanup(&hctx);
++ EVP_CIPHER_CTX_cleanup(&ctx);
++ return 2;
++ }
++
+ eticklen -= mlen;
+ /* Check HMAC of encrypted ticket */
+ if (HMAC_Update(&hctx, etick, eticklen) <= 0
+--
+2.9.3
+
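Review bot: Deleting the `eticklen < 48` guard without a replacement leaves no minimum-length check before the key name and IV are taken from `etick`; the new check only runs after the cipher and HMAC contexts have been set up, so a ticket shorter than 16 + IV length would already have been read past its end by the time it is rejected — assuming the code between the two hunks, which is outside this view, still passes `etick + 16` as the IV as elsewhere in tls_decrypt_ticket. A cheap fix is to keep a minimal guard where the old one stood, `/* Need at least keyname + iv */` followed by `if (eticklen < 16 + EVP_MAX_IV_LENGTH) return 2;`, and let the HMAC-size check added here cover the rest. The later check is right to use `<=`, since a ticket with nothing after the MAC has no session to decrypt, and it cleans up both contexts before returning. tls_decrypt_ticket starts before the first hunk and continues after the second.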
Added: openssl/branches/jessie/debian/patches/CVE-2016-6303.patch
===================================================================
--- openssl/branches/jessie/debian/patches/CVE-2016-6303.patch (rev 0)
+++ openssl/branches/jessie/debian/patches/CVE-2016-6303.patch 2016-09-22 16:54:33 UTC (rev 832)
@@ -0,0 +1,31 @@
+From 2b4029e68fd7002d2307e6c3cde0f3784eef9c83 Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve at openssl.org>
+Date: Fri, 19 Aug 2016 23:28:29 +0100
+Subject: [PATCH] Avoid overflow in MDC2_Update()
+
+Thanks to Shi Lei for reporting this issue.
+
+CVE-2016-6303
+
+Reviewed-by: Matt Caswell <matt at openssl.org>
+(cherry picked from commit 55d83bf7c10c7b205fffa23fa7c3977491e56c07)
+---
+ crypto/mdc2/mdc2dgst.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/crypto/mdc2/mdc2dgst.c b/crypto/mdc2/mdc2dgst.c
+index 6615cf8..2dce493 100644
+--- a/crypto/mdc2/mdc2dgst.c
++++ b/crypto/mdc2/mdc2dgst.c
+@@ -91,7 +91,7 @@ int MDC2_Update(MDC2_CTX *c, const unsigned char *in, size_t len)
+
+ i = c->num;
+ if (i != 0) {
+- if (i + len < MDC2_BLOCK) {
++ if (len < MDC2_BLOCK - i) {
+ /* partial block */
+ memcpy(&(c->data[i]), in, len);
+ c->num += (int)len;
+--
+2.9.3
+
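Review bot: The rewritten condition is only safe if `i` (copied from `c->num`) is strictly less than MDC2_BLOCK in this branch, which is presumably the invariant for a partial-block count but is stated nowhere in the hunk; add `/* i < MDC2_BLOCK, so the subtraction cannot wrap; written this way so that i + len cannot overflow size_t */` above the `if`. The old form `i + len < MDC2_BLOCK` could wrap for a `len` close to SIZE_MAX and then hand the unwrapped `len` to memcpy, which is the overflow the subject line refers to. The following `c->num += (int)len` stays correct because the new condition bounds `len` below MDC2_BLOCK - i before the cast. MDC2_Update's body starts before and continues after the hunk.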
Added: openssl/branches/jessie/debian/patches/CVE-2016-6304.patch
===================================================================
--- openssl/branches/jessie/debian/patches/CVE-2016-6304.patch (rev 0)
+++ openssl/branches/jessie/debian/patches/CVE-2016-6304.patch 2016-09-22 16:54:33 UTC (rev 832)
@@ -0,0 +1,70 @@
+From 73e8ae66b0b7d6534699492d127d457d2540a762 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt at openssl.org>
+Date: Fri, 9 Sep 2016 10:08:45 +0100
+Subject: [PATCH] Fix OCSP Status Request extension unbounded memory growth
+
+A malicious client can send an excessively large OCSP Status Request
+extension. If that client continually requests renegotiation,
+sending a large OCSP Status Request extension each time, then there will
+be unbounded memory growth on the server. This will eventually lead to a
+Denial Of Service attack through memory exhaustion. Servers with a
+default configuration are vulnerable even if they do not support OCSP.
+Builds using the "no-ocsp" build time option are not affected.
+
+I have also checked other extensions to see if they suffer from a similar
+problem but I could not find any other issues.
+
+CVE-2016-6304
+
+Issue reported by Shi Lei.
+
+Reviewed-by: Rich Salz <rsalz at openssl.org>
+---
+ ssl/t1_lib.c | 24 +++++++++++++++++-------
+ 1 file changed, 17 insertions(+), 7 deletions(-)
+
+diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
+index 7680491..4bc13ca 100644
+--- a/ssl/t1_lib.c
++++ b/ssl/t1_lib.c
+@@ -1284,6 +1284,23 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p,
+ size -= 2;
+ if (dsize > size)
+ goto err;
++
++ /*
++ * We remove any OCSP_RESPIDs from a previous handshake
++ * to prevent unbounded memory growth - CVE-2016-6304
++ */
++ sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids,
++ OCSP_RESPID_free);
++ if (dsize > 0) {
++ s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null();
++ if (s->tlsext_ocsp_ids == NULL) {
++ *al = SSL_AD_INTERNAL_ERROR;
++ return 0;
++ }
++ } else {
++ s->tlsext_ocsp_ids = NULL;
++ }
++
+ while (dsize > 0) {
+ OCSP_RESPID *id;
+ int idsize;
+@@ -1303,13 +1320,6 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p,
+ OCSP_RESPID_free(id);
+ goto err;
+ }
+- if (!s->tlsext_ocsp_ids
+- && !(s->tlsext_ocsp_ids =
+- sk_OCSP_RESPID_new_null())) {
+- OCSP_RESPID_free(id);
+- *al = SSL_AD_INTERNAL_ERROR;
+- return 0;
+- }
+ if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) {
+ OCSP_RESPID_free(id);
+ *al = SSL_AD_INTERNAL_ERROR;
+--
+2.9.3
+
Added: openssl/branches/jessie/debian/patches/CVE-2016-6306.patch
===================================================================
--- openssl/branches/jessie/debian/patches/CVE-2016-6306.patch (rev 0)
+++ openssl/branches/jessie/debian/patches/CVE-2016-6306.patch 2016-09-22 16:54:33 UTC (rev 832)
@@ -0,0 +1,102 @@
+From 52e623c4cb06fffa9d5e75c60b34b4bc130b12e9 Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve at openssl.org>
+Date: Sat, 17 Sep 2016 12:36:58 +0100
+Subject: [PATCH] Fix small OOB reads.
+
+In ssl3_get_client_certificate, ssl3_get_server_certificate and
+ssl3_get_certificate_request check we have enough room
+before reading a length.
+
+Thanks to Shi Lei (Gear Team, Qihoo 360 Inc.) for reporting these bugs.
+
+CVE-2016-6306
+
+Reviewed-by: Richard Levitte <levitte at openssl.org>
+Reviewed-by: Matt Caswell <matt at openssl.org>
+(cherry picked from commit ff553f837172ecb2b5c8eca257ec3c5619a4b299)
+---
+ ssl/s3_clnt.c | 11 +++++++++++
+ ssl/s3_srvr.c | 6 ++++++
+ 2 files changed, 17 insertions(+)
+
+Index: openssl-1.0.1t/ssl/s3_clnt.c
+===================================================================
+--- openssl-1.0.1t.orig/ssl/s3_clnt.c
++++ openssl-1.0.1t/ssl/s3_clnt.c
+@@ -1143,6 +1143,12 @@ int ssl3_get_server_certificate(SSL *s)
+ goto f_err;
+ }
+ for (nc = 0; nc < llen;) {
++ if (nc + 3 > llen) {
++ al = SSL_AD_DECODE_ERROR;
++ SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
++ SSL_R_CERT_LENGTH_MISMATCH);
++ goto f_err;
++ }
+ n2l3(p, l);
+ if ((l + nc + 3) > llen) {
+ al = SSL_AD_DECODE_ERROR;
+@@ -2072,6 +2078,11 @@ int ssl3_get_certificate_request(SSL *s)
+ }
+
+ for (nc = 0; nc < llen;) {
++ if (nc + 2 > llen) {
++ ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
++ SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_CA_DN_TOO_LONG);
++ goto err;
++ }
+ n2s(p, l);
+ if ((l + nc + 2) > llen) {
+ if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
+Index: openssl-1.0.1t/ssl/s3_srvr.c
+===================================================================
+--- openssl-1.0.1t.orig/ssl/s3_srvr.c
++++ openssl-1.0.1t/ssl/s3_srvr.c
+@@ -3237,6 +3237,12 @@ int ssl3_get_client_certificate(SSL *s)
+ goto f_err;
+ }
+ for (nc = 0; nc < llen;) {
++ if (nc + 3 > llen) {
++ al = SSL_AD_DECODE_ERROR;
++ SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
++ SSL_R_CERT_LENGTH_MISMATCH);
++ goto f_err;
++ }
+ n2l3(p, l);
+ if ((l + nc + 3) > llen) {
+ al = SSL_AD_DECODE_ERROR;
+Index: openssl-1.0.1t/ssl/d1_both.c
+===================================================================
+--- openssl-1.0.1t.orig/ssl/d1_both.c
++++ openssl-1.0.1t/ssl/d1_both.c
+@@ -577,9 +577,12 @@ static int dtls1_preprocess_fragment(SSL
+ /*
+ * msg_len is limited to 2^24, but is effectively checked against max
+ * above
++ *
++ * Make buffer slightly larger than message length as a precaution
++ * against small OOB reads e.g. CVE-2016-6306
+ */
+ if (!BUF_MEM_grow_clean
+- (s->init_buf, msg_len + DTLS1_HM_HEADER_LENGTH)) {
++ (s->init_buf, msg_len + DTLS1_HM_HEADER_LENGTH + 16)) {
+ SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT, ERR_R_BUF_LIB);
+ return SSL_AD_INTERNAL_ERROR;
+ }
+Index: openssl-1.0.1t/ssl/s3_both.c
+===================================================================
+--- openssl-1.0.1t.orig/ssl/s3_both.c
++++ openssl-1.0.1t/ssl/s3_both.c
+@@ -502,7 +502,11 @@ long ssl3_get_message(SSL *s, int st1, i
+ SSLerr(SSL_F_SSL3_GET_MESSAGE, SSL_R_EXCESSIVE_MESSAGE_SIZE);
+ goto f_err;
+ }
+- if (l && !BUF_MEM_grow_clean(s->init_buf, (int)l + 4)) {
++ /*
++ * Make buffer slightly larger than message length as a precaution
++ * against small OOB reads e.g. CVE-2016-6306
++ */
++ if (l && !BUF_MEM_grow_clean(s->init_buf, (int)l + 4 + 16)) {
+ SSLerr(SSL_F_SSL3_GET_MESSAGE, ERR_R_BUF_LIB);
+ goto err;
+ }
Modified: openssl/branches/jessie/debian/patches/series
===================================================================
--- openssl/branches/jessie/debian/patches/series 2016-09-21 19:58:39 UTC (rev 831)
+++ openssl/branches/jessie/debian/patches/series 2016-09-22 16:54:33 UTC (rev 832)
@@ -21,3 +21,14 @@
ppc64el.patch
Update-S-MIME-certificates.patch
Fix-name-length-limit-check.patch
+CVE-2016-2177.patch
+CVE-2016-2178.patch
+CVE-2016-2179.patch
+CVE-2016-2180.patch
+CVE-2016-2181.patch
+CVE-2016-2182.patch
+CVE-2016-2183.patch
+CVE-2016-6302.patch
+CVE-2016-6303.patch
+CVE-2016-6304.patch
+CVE-2016-6306.patch