The branch OpenSSL_0_9_8-stable has been updated via 74743418dca737ff584530470c54d1a7061e7e0a (commit) via c2ef67100cd0ca2321b5f1a437abb93fc7e11e37 (commit) via 35c8d0d85fe71e41eb990655b249e398c7fd1435 (commit) via 2cdafc51f008e65b2d5263a80ad0e89e9b56c8d3 (commit) from e979e4715f3795cb59fcf46c77e7c714a184edd8 (commit)
- Log -----------------------------------------------------------------
commit 74743418dca737ff584530470c54d1a7061e7e0a
Author: Matt Caswell <m...@openssl.org>
Date: Thu Dec 3 15:00:54 2015 +0000
Prepare for 0.9.8zi-dev
Reviewed-by: Richard Levitte <levi...@openssl.org>
commit c2ef67100cd0ca2321b5f1a437abb93fc7e11e37
Author: Matt Caswell <m...@openssl.org>
Date: Thu Dec 3 15:00:17 2015 +0000
Prepare for 0.9.8zh release
Reviewed-by: Richard Levitte <levi...@openssl.org>
commit 35c8d0d85fe71e41eb990655b249e398c7fd1435
Author: Matt Caswell <m...@openssl.org>
Date: Tue Dec 1 14:39:47 2015 +0000
Update CHANGES and NEWS Update the CHANGES and NEWS files for the new release.
Reviewed-by: Rich Salz <rs...@openssl.org>
commit 2cdafc51f008e65b2d5263a80ad0e89e9b56c8d3
Author: Dr. Stephen Henson <st...@openssl.org>
Date: Tue Nov 10 19:03:07 2015 +0000
Fix leak with ASN.1 combine. When parsing a combined structure pass a flag to the decode routine so on error a pointer to the parent structure is not zeroed as this will leak any additional components in the parent. This can leak memory in any application parsing PKCS#7 or CMS structures. CVE-2015-3195. Thanks to Adam Langley (Google/BoringSSL) for discovering this bug using libFuzzer. PR#4131
Reviewed-by: Richard Levitte <levi...@openssl.org>
-----------------------------------------------------------------------
Summary of changes:
CHANGES | 16 +++++++++++++++-
NEWS | 6 +++++-
README | 2 +-
crypto/asn1/tasn_dec.c | 7 +++++--
crypto/opensslv.h | 6 +++---
openssl.spec | 2 +-
6 files changed, 30 insertions(+), 9 deletions(-)
diff --git a/CHANGES b/CHANGES
index ed2f0ec..d3f43af 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,10 +2,24 @@
 OpenSSL CHANGES
 _______________
- Changes between 0.9.8zg and 0.9.8zh [xx XXX xxxx]
+ Changes between 0.9.8zh and 0.9.8zi [xx XXX xxxx]
 *)
+ Changes between 0.9.8zg and 0.9.8zh [3 Dec 2015]
+
+ *) X509_ATTRIBUTE memory leak
+
+ When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak
+ memory. This structure is used by the PKCS#7 and CMS routines so any
+ application which reads PKCS#7 or CMS data from untrusted sources is
+ affected. SSL/TLS is not affected.
+
+ This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using
+ libFuzzer.
+ (CVE-2015-3195)
+ [Stephen Henson]
+
 Changes between 0.9.8zf and 0.9.8zg [11 Jun 2015]
 *) Malformed ECParameters causes infinite loop
diff --git a/NEWS b/NEWS
index 4ffbbab..f3130d4 100644
--- a/NEWS
+++ b/NEWS
@@ -5,10 +5,14 @@
 This file gives a brief overview of the major changes between each OpenSSL
 release. For more details please read the CHANGES file.
- Major changes between OpenSSL 0.9.8zg and OpenSSL 0.9.8zh [under development]
+ Major changes between OpenSSL 0.9.8zh and OpenSSL 0.9.8zi [under development]
 o
+ Major changes between OpenSSL 0.9.8zg and OpenSSL 0.9.8zh [3 Dec 2015]
+
+ o X509_ATTRIBUTE memory leak (CVE-2015-3195)
+
 Major changes between OpenSSL 0.9.8zf and OpenSSL 0.9.8zg [11 Jun 2015]
 o Malformed ECParameters causes infinite loop (CVE-2015-1788)
diff --git a/README b/README
index 4827753..52df8f6 100644
--- a/README
+++ b/README
@@ -1,5 +1,5 @@
- OpenSSL 0.9.8zh-dev
+ OpenSSL 0.9.8zi-dev
 Copyright (c) 1998-2011 The OpenSSL Project
 Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c
index 6e4a325..91e7698 100644
--- a/crypto/asn1/tasn_dec.c
+++ b/crypto/asn1/tasn_dec.c
@@ -178,6 +178,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
 int otag;
 int ret = 0;
 ASN1_VALUE **pchptr, *ptmpval;
+ int combine = aclass & ASN1_TFLG_COMBINE;
+ aclass &= ~ASN1_TFLG_COMBINE;
 if (!pval)
 return 0;
 if (aux && aux->asn1_cb)
@@ -498,7 +500,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
 auxerr:
 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR);
 err:
- ASN1_item_ex_free(pval, it);
+ if (combine == 0)
+ ASN1_item_ex_free(pval, it);
 if (errtt)
 ERR_add_error_data(4, "Field=", errtt->field_name,
 ", Type=", it->sname);
@@ -687,7 +690,7 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
 } else {
 /* Nothing special */
 ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
- -1, 0, opt, ctx);
+ -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx);
 if (!ret) {
 ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR);
 goto err;
diff --git a/crypto/opensslv.h b/crypto/opensslv.h
index 9aadf3e..b81e308 100644
--- a/crypto/opensslv.h
+++ b/crypto/opensslv.h
@@ -26,11 +26,11 @@
 * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
 * major minor fix final patch/beta)
 */
-# define OPENSSL_VERSION_NUMBER 0x00908210L
+# define OPENSSL_VERSION_NUMBER 0x00908220L
 # ifdef OPENSSL_FIPS
-# define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8zh-fips-dev xx XXX xxxx"
+# define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8zi-fips-dev xx XXX xxxx"
 # else
-# define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8zh-dev xx XXX xxxx"
+# define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8zi-dev xx XXX xxxx"
 # endif
 # define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
diff --git a/openssl.spec b/openssl.spec
index 12e0705..0cbbd62 100644
--- a/openssl.spec
+++ b/openssl.spec
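Review bot: Nothing at `int combine = aclass & ASN1_TFLG_COMBINE;` documents that the `aclass` parameter of the non-static ASN1_item_ex_d2i now doubles as a carrier for a template flag, and the same in-band use is undocumented at `-1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx);` in the asn1_template_noexp_d2i hunk. I would add a comment above the two new lines, for example `/* aclass may carry ASN1_TFLG_COMBINE from asn1_template_noexp_d2i(); strip it before aclass is used as a tag class */`, and state there that the flag bit is assumed not to collide with any valid class value. Any other caller that passes a stray bit in that position would silently skip the free on error, which is worth a line in the function's documentation. Both function bodies continue outside the hunks, so later uses of `aclass` cannot be checked from here.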
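Review bot: The guarded free at `err:` (`if (combine == 0)` before `ASN1_item_ex_free(pval, it);`) leaves whatever a failed combined decode already stored in the parent for the caller to release, and no comment in the code says so. The commit message explains the ownership rule, but a later cleanup could reinstate the unconditional free; a comment on the guard such as `/* combined fields live in the parent: leave *pval for the parent's error path to free */` would prevent that. The diffstat lists no test change, so a regression case that runs a malformed X509_ATTRIBUTE through the PKCS#7 or CMS decoder under a leak checker would be worth adding. The function body starts and ends outside this hunk.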
@@ -6,7 +6,7 @@
 Release: 1
 Summary: Secure Sockets Layer and cryptography libraries and tools
 Name: openssl
-Version: 0.9.8zh
+Version: 0.9.8zi
 Source0: ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz
 License: OpenSSL
 Group: System Environment/Libraries
_____
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits