mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-05-31 00:39:46 +00:00
Code Issues Projects Releases Wiki Activity

openssl: Security fix CVE-2016-2182

Browse Source 
affects openssl < 1.0.1i

(From OE-Core rev: 4be4162d5a03af6a20adc2314575e4d0baa5337a)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Armin Kuster
2016-09-23 23:11:28 -07:00
committed by Richard Purdie
parent 06ed5c5a10
commit 8e5e92193a
2 changed files with 71 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta/recipes-connectivity/openssl/openssl/CVE-2016-2182.patch
+70
View File
@@ -0,0 +1,70 @@
From e36f27ddb80a48e579783bc29fb3758988342b71 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Fri, 5 Aug 2016 14:26:03 +0100
Subject: [PATCH] Check for errors in BN_bn2dec()
If an oversize BIGNUM is presented to BN_bn2dec() it can cause
BN_div_word() to fail and not reduce the value of 't' resulting
in OOB writes to the bn_data buffer and eventually crashing.
Fix by checking return value of BN_div_word() and checking writes
don't overflow buffer.
Thanks to Shi Lei for reporting this bug.
CVE-2016-2182
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 07bed46f332fce8c1d157689a2cdf915a982ae34)
Conflicts:
crypto/bn/bn_print.c
Upstream-Status: Backport
CVE: CVE-2016-2182
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
crypto/bn/bn_print.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/crypto/bn/bn_print.c b/crypto/bn/bn_print.c
index bfa31ef..b44403e 100644
--- a/crypto/bn/bn_print.c
+++ b/crypto/bn/bn_print.c
@@ -111,6 +111,7 @@ char *BN_bn2dec(const BIGNUM *a)
char *p;
BIGNUM *t = NULL;
BN_ULONG *bn_data = NULL, *lp;
+ int bn_data_num;
/*-
* get an upper bound for the length of the decimal integer
@@ -120,9 +121,9 @@ char *BN_bn2dec(const BIGNUM *a)
*/
i = BN_num_bits(a) * 3;
num = (i / 10 + i / 1000 + 1) + 1;
- bn_data =
- (BN_ULONG *)OPENSSL_malloc((num / BN_DEC_NUM + 1) * sizeof(BN_ULONG));
- buf = (char *)OPENSSL_malloc(num + 3);
+ bn_data_num = num / BN_DEC_NUM + 1;
+ bn_data = OPENSSL_malloc(bn_data_num * sizeof(BN_ULONG));
+ buf = OPENSSL_malloc(num + 3);
if ((buf == NULL) || (bn_data == NULL)) {
BNerr(BN_F_BN_BN2DEC, ERR_R_MALLOC_FAILURE);
goto err;
@@ -143,7 +144,11 @@ char *BN_bn2dec(const BIGNUM *a)
i = 0;
while (!BN_is_zero(t)) {
*lp = BN_div_word(t, BN_DEC_CONV);
+ if (*lp == (BN_ULONG)-1)
+ goto err;
lp++;
+ if (lp - bn_data >= bn_data_num)
+ goto err;
}
lp--;
/*
--
2.7.4
meta/recipes-connectivity/openssl/openssl_1.0.2h.bb
+1
View File
@@ -44,6 +44,7 @@ SRC_URI += "file://find.pl;subdir=${BP}/util/ \
file://CVE-2016-2181_p1.patch \ file://CVE-2016-2181_p1.patch \
file://CVE-2016-2181_p2.patch \ file://CVE-2016-2181_p2.patch \
file://CVE-2016-2181_p3.patch \ file://CVE-2016-2181_p3.patch \
file://CVE-2016-2182.patch \
" "
SRC_URI[md5sum] = "9392e65072ce4b614c1392eefc1f23d0" SRC_URI[md5sum] = "9392e65072ce4b614c1392eefc1f23d0"
SRC_URI[sha256sum] = "1d4007e53aad94a5b2002fe045ee7bb0b3d98f1a47f8b2bc851dcd1c74332919" SRC_URI[sha256sum] = "1d4007e53aad94a5b2002fe045ee7bb0b3d98f1a47f8b2bc851dcd1c74332919"