Author: delphij
Date: Wed May 4 15:27:09 2016
New Revision: 299068
URL: https://svnweb.freebsd.org/changeset/base/299068
Log:
Fix multiple OpenSSL vulnerabilitites. [SA-16:17]
Fix memory leak in ZFS. [EN-16:08]
Approved by: so
Modified:
releng/10.1/UPDATING
releng/10.1/crypto/openssl/crypto/asn1/a_type.c
releng/10.1/crypto/openssl/crypto/asn1/tasn_dec.c
releng/10.1/crypto/openssl/crypto/asn1/tasn_enc.c
releng/10.1/crypto/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c
releng/10.1/crypto/openssl/crypto/evp/encode.c
releng/10.1/crypto/openssl/crypto/evp/evp_enc.c
releng/10.1/crypto/openssl/crypto/x509/x509_obj.c
releng/10.1/sys/cddl/compat/opensolaris/kern/opensolaris_vfs.c
releng/10.1/sys/conf/newvers.sh
releng/9.3/UPDATING
releng/9.3/crypto/openssl/crypto/asn1/a_type.c
releng/9.3/crypto/openssl/crypto/asn1/tasn_dec.c
releng/9.3/crypto/openssl/crypto/asn1/tasn_enc.c
releng/9.3/crypto/openssl/crypto/evp/encode.c
releng/9.3/crypto/openssl/crypto/evp/evp_enc.c
releng/9.3/crypto/openssl/crypto/x509/x509_obj.c
releng/9.3/sys/cddl/compat/opensolaris/kern/opensolaris_vfs.c
releng/9.3/sys/conf/newvers.sh
Modified: releng/10.1/UPDATING
==============================================================================
--- releng/10.1/UPDATING Wed May 4 15:26:23 2016 (r299067)
+++ releng/10.1/UPDATING Wed May 4 15:27:09 2016 (r299068)
@@ -16,7 +16,14 @@ from older versions of FreeBSD, try WITH
stable/10, and then rebuild without this option. The bootstrap process from
older version of current is a bit fragile.
-20150429 p32 FreeBSD-SA-16:16.ntp
+20160504 p33 FreeBSD-SA-16:17.openssl
+ FreeBSD-EN-16:08.zfs
+
+ Fix multiple OpenSSL vulnerabilitites. [SA-16:17]
+
+ Fix memory leak in ZFS. [EN-16:08]
+
+20160429 p32 FreeBSD-SA-16:16.ntp
Fix multiple vulnerabilities of ntp.
Modified: releng/10.1/crypto/openssl/crypto/asn1/a_type.c
==============================================================================
--- releng/10.1/crypto/openssl/crypto/asn1/a_type.c Wed May 4 15:26:23
2016 (r299067)
+++ releng/10.1/crypto/openssl/crypto/asn1/a_type.c Wed May 4 15:27:09
2016 (r299068)
@@ -126,9 +126,7 @@ int ASN1_TYPE_cmp(const ASN1_TYPE *a, co
result = 0; /* They do not have content. */
break;
case V_ASN1_INTEGER:
- case V_ASN1_NEG_INTEGER:
case V_ASN1_ENUMERATED:
- case V_ASN1_NEG_ENUMERATED:
case V_ASN1_BIT_STRING:
case V_ASN1_OCTET_STRING:
case V_ASN1_SEQUENCE:
Modified: releng/10.1/crypto/openssl/crypto/asn1/tasn_dec.c
==============================================================================
--- releng/10.1/crypto/openssl/crypto/asn1/tasn_dec.c Wed May 4 15:26:23
2016 (r299067)
+++ releng/10.1/crypto/openssl/crypto/asn1/tasn_dec.c Wed May 4 15:27:09
2016 (r299068)
@@ -903,9 +903,7 @@ int asn1_ex_c2i(ASN1_VALUE **pval, const
break;
case V_ASN1_INTEGER:
- case V_ASN1_NEG_INTEGER:
case V_ASN1_ENUMERATED:
- case V_ASN1_NEG_ENUMERATED:
tint = (ASN1_INTEGER **)pval;
if (!c2i_ASN1_INTEGER(tint, &cont, len))
goto err;
Modified: releng/10.1/crypto/openssl/crypto/asn1/tasn_enc.c
==============================================================================
--- releng/10.1/crypto/openssl/crypto/asn1/tasn_enc.c Wed May 4 15:26:23
2016 (r299067)
+++ releng/10.1/crypto/openssl/crypto/asn1/tasn_enc.c Wed May 4 15:27:09
2016 (r299068)
@@ -611,9 +611,7 @@ int asn1_ex_i2c(ASN1_VALUE **pval, unsig
break;
case V_ASN1_INTEGER:
- case V_ASN1_NEG_INTEGER:
case V_ASN1_ENUMERATED:
- case V_ASN1_NEG_ENUMERATED:
/*
* These are all have the same content format as ASN1_INTEGER
*/
Modified: releng/10.1/crypto/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c
==============================================================================
--- releng/10.1/crypto/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c Wed May 4
15:26:23 2016 (r299067)
+++ releng/10.1/crypto/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c Wed May 4
15:27:09 2016 (r299068)
@@ -59,6 +59,7 @@
# include <openssl/aes.h>
# include <openssl/sha.h>
# include "evp_locl.h"
+# include "constant_time_locl.h"
# ifndef EVP_CIPH_FLAG_AEAD_CIPHER
# define EVP_CIPH_FLAG_AEAD_CIPHER 0x200000
@@ -286,6 +287,8 @@ static int aesni_cbc_hmac_sha1_cipher(EV
maxpad |= (255 - maxpad) >> (sizeof(maxpad) * 8 - 8);
maxpad &= 255;
+ ret &= constant_time_ge(maxpad, pad);
+
inp_len = len - (SHA_DIGEST_LENGTH + pad + 1);
mask = (0 - ((inp_len - len) >> (sizeof(inp_len) * 8 - 1)));
inp_len &= mask;
Modified: releng/10.1/crypto/openssl/crypto/evp/encode.c
==============================================================================
--- releng/10.1/crypto/openssl/crypto/evp/encode.c Wed May 4 15:26:23
2016 (r299067)
+++ releng/10.1/crypto/openssl/crypto/evp/encode.c Wed May 4 15:27:09
2016 (r299068)
@@ -57,6 +57,7 @@
*/
#include <stdio.h>
+#include <limits.h>
#include "cryptlib.h"
#include <openssl/evp.h>
@@ -134,13 +135,13 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ct
const unsigned char *in, int inl)
{
int i, j;
- unsigned int total = 0;
+ size_t total = 0;
*outl = 0;
if (inl <= 0)
return;
OPENSSL_assert(ctx->length <= (int)sizeof(ctx->enc_data));
- if ((ctx->num + inl) < ctx->length) {
+ if (ctx->length - ctx->num > inl) {
memcpy(&(ctx->enc_data[ctx->num]), in, inl);
ctx->num += inl;
return;
@@ -157,7 +158,7 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ct
*out = '\0';
total = j + 1;
}
- while (inl >= ctx->length) {
+ while (inl >= ctx->length && total <= INT_MAX) {
j = EVP_EncodeBlock(out, in, ctx->length);
in += ctx->length;
inl -= ctx->length;
@@ -166,6 +167,11 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ct
*out = '\0';
total += j + 1;
}
+ if (total > INT_MAX) {
+ /* Too much output data! */
+ *outl = 0;
+ return;
+ }
if (inl != 0)
memcpy(&(ctx->enc_data[0]), in, inl);
ctx->num = inl;
Modified: releng/10.1/crypto/openssl/crypto/evp/evp_enc.c
==============================================================================
--- releng/10.1/crypto/openssl/crypto/evp/evp_enc.c Wed May 4 15:26:23
2016 (r299067)
+++ releng/10.1/crypto/openssl/crypto/evp/evp_enc.c Wed May 4 15:27:09
2016 (r299068)
@@ -334,7 +334,7 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ct
bl = ctx->cipher->block_size;
OPENSSL_assert(bl <= (int)sizeof(ctx->buf));
if (i != 0) {
- if (i + inl < bl) {
+ if (bl - i > inl) {
memcpy(&(ctx->buf[i]), in, inl);
ctx->buf_len += inl;
*outl = 0;
Modified: releng/10.1/crypto/openssl/crypto/x509/x509_obj.c
==============================================================================
--- releng/10.1/crypto/openssl/crypto/x509/x509_obj.c Wed May 4 15:26:23
2016 (r299067)
+++ releng/10.1/crypto/openssl/crypto/x509/x509_obj.c Wed May 4 15:27:09
2016 (r299068)
@@ -117,8 +117,9 @@ char *X509_NAME_oneline(X509_NAME *a, ch
type == V_ASN1_PRINTABLESTRING ||
type == V_ASN1_TELETEXSTRING ||
type == V_ASN1_VISIBLESTRING || type == V_ASN1_IA5STRING) {
- ascii2ebcdic(ebcdic_buf, q, (num > sizeof ebcdic_buf)
- ? sizeof ebcdic_buf : num);
+ if (num > (int)sizeof(ebcdic_buf))
+ num = sizeof(ebcdic_buf);
+ ascii2ebcdic(ebcdic_buf, q, num);
q = ebcdic_buf;
}
#endif
Modified: releng/10.1/sys/cddl/compat/opensolaris/kern/opensolaris_vfs.c
==============================================================================
--- releng/10.1/sys/cddl/compat/opensolaris/kern/opensolaris_vfs.c Wed May
4 15:26:23 2016 (r299067)
+++ releng/10.1/sys/cddl/compat/opensolaris/kern/opensolaris_vfs.c Wed May
4 15:27:09 2016 (r299068)
@@ -196,6 +196,7 @@ mount_snapshot(kthread_t *td, vnode_t **
VI_UNLOCK(vp);
vrele(vp);
vfs_unbusy(mp);
+ vfs_freeopts(mp->mnt_optnew);
vfs_mount_destroy(mp);
*vpp = NULL;
return (error);
Modified: releng/10.1/sys/conf/newvers.sh
==============================================================================
--- releng/10.1/sys/conf/newvers.sh Wed May 4 15:26:23 2016
(r299067)
+++ releng/10.1/sys/conf/newvers.sh Wed May 4 15:27:09 2016
(r299068)
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="10.1"
-BRANCH="RELEASE-p32"
+BRANCH="RELEASE-p33"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
Modified: releng/9.3/UPDATING
==============================================================================
--- releng/9.3/UPDATING Wed May 4 15:26:23 2016 (r299067)
+++ releng/9.3/UPDATING Wed May 4 15:27:09 2016 (r299068)
@@ -11,7 +11,14 @@ handbook:
Items affecting the ports and packages system can be found in
/usr/ports/UPDATING. Please read that file before running portupgrade.
-20150429 p40 FreeBSD-SA-16:16.ntp
+20160504 p41 FreeBSD-SA-16:17.openssl
+ FreeBSD-EN-16:08.zfs
+
+ Fix multiple OpenSSL vulnerabilitites. [SA-16:17]
+
+ Fix memory leak in ZFS. [EN-16:08]
+
+20160429 p40 FreeBSD-SA-16:16.ntp
Fix multiple vulnerabilities of ntp.
Modified: releng/9.3/crypto/openssl/crypto/asn1/a_type.c
==============================================================================
--- releng/9.3/crypto/openssl/crypto/asn1/a_type.c Wed May 4 15:26:23
2016 (r299067)
+++ releng/9.3/crypto/openssl/crypto/asn1/a_type.c Wed May 4 15:27:09
2016 (r299068)
@@ -123,9 +123,7 @@ int ASN1_TYPE_cmp(const ASN1_TYPE *a, co
result = 0; /* They do not have content. */
break;
case V_ASN1_INTEGER:
- case V_ASN1_NEG_INTEGER:
case V_ASN1_ENUMERATED:
- case V_ASN1_NEG_ENUMERATED:
case V_ASN1_BIT_STRING:
case V_ASN1_OCTET_STRING:
case V_ASN1_SEQUENCE:
Modified: releng/9.3/crypto/openssl/crypto/asn1/tasn_dec.c
==============================================================================
--- releng/9.3/crypto/openssl/crypto/asn1/tasn_dec.c Wed May 4 15:26:23
2016 (r299067)
+++ releng/9.3/crypto/openssl/crypto/asn1/tasn_dec.c Wed May 4 15:27:09
2016 (r299068)
@@ -901,9 +901,7 @@ int asn1_ex_c2i(ASN1_VALUE **pval, const
break;
case V_ASN1_INTEGER:
- case V_ASN1_NEG_INTEGER:
case V_ASN1_ENUMERATED:
- case V_ASN1_NEG_ENUMERATED:
tint = (ASN1_INTEGER **)pval;
if (!c2i_ASN1_INTEGER(tint, &cont, len))
goto err;
Modified: releng/9.3/crypto/openssl/crypto/asn1/tasn_enc.c
==============================================================================
--- releng/9.3/crypto/openssl/crypto/asn1/tasn_enc.c Wed May 4 15:26:23
2016 (r299067)
+++ releng/9.3/crypto/openssl/crypto/asn1/tasn_enc.c Wed May 4 15:27:09
2016 (r299068)
@@ -610,9 +610,7 @@ int asn1_ex_i2c(ASN1_VALUE **pval, unsig
break;
case V_ASN1_INTEGER:
- case V_ASN1_NEG_INTEGER:
case V_ASN1_ENUMERATED:
- case V_ASN1_NEG_ENUMERATED:
/*
* These are all have the same content format as ASN1_INTEGER
*/
Modified: releng/9.3/crypto/openssl/crypto/evp/encode.c
==============================================================================
--- releng/9.3/crypto/openssl/crypto/evp/encode.c Wed May 4 15:26:23
2016 (r299067)
+++ releng/9.3/crypto/openssl/crypto/evp/encode.c Wed May 4 15:27:09
2016 (r299068)
@@ -57,6 +57,7 @@
*/
#include <stdio.h>
+#include <limits.h>
#include "cryptlib.h"
#include <openssl/evp.h>
@@ -134,13 +135,13 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ct
const unsigned char *in, int inl)
{
int i, j;
- unsigned int total = 0;
+ size_t total = 0;
*outl = 0;
if (inl == 0)
return;
OPENSSL_assert(ctx->length <= (int)sizeof(ctx->enc_data));
- if ((ctx->num + inl) < ctx->length) {
+ if (ctx->length - ctx->num > inl) {
memcpy(&(ctx->enc_data[ctx->num]), in, inl);
ctx->num += inl;
return;
@@ -157,7 +158,7 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ct
*out = '\0';
total = j + 1;
}
- while (inl >= ctx->length) {
+ while (inl >= ctx->length && total <= INT_MAX) {
j = EVP_EncodeBlock(out, in, ctx->length);
in += ctx->length;
inl -= ctx->length;
@@ -166,6 +167,11 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ct
*out = '\0';
total += j + 1;
}
+ if (total > INT_MAX) {
+ /* Too much output data! */
+ *outl = 0;
+ return;
+ }
if (inl != 0)
memcpy(&(ctx->enc_data[0]), in, inl);
ctx->num = inl;
Modified: releng/9.3/crypto/openssl/crypto/evp/evp_enc.c
==============================================================================
--- releng/9.3/crypto/openssl/crypto/evp/evp_enc.c Wed May 4 15:26:23
2016 (r299067)
+++ releng/9.3/crypto/openssl/crypto/evp/evp_enc.c Wed May 4 15:27:09
2016 (r299068)
@@ -166,7 +166,7 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ct
bl = ctx->cipher->block_size;
OPENSSL_assert(bl <= (int)sizeof(ctx->buf));
if (i != 0) {
- if (i + inl < bl) {
+ if (bl - i > inl) {
memcpy(&(ctx->buf[i]), in, inl);
ctx->buf_len += inl;
*outl = 0;
Modified: releng/9.3/crypto/openssl/crypto/x509/x509_obj.c
==============================================================================
--- releng/9.3/crypto/openssl/crypto/x509/x509_obj.c Wed May 4 15:26:23
2016 (r299067)
+++ releng/9.3/crypto/openssl/crypto/x509/x509_obj.c Wed May 4 15:27:09
2016 (r299068)
@@ -117,8 +117,9 @@ char *X509_NAME_oneline(X509_NAME *a, ch
type == V_ASN1_PRINTABLESTRING ||
type == V_ASN1_TELETEXSTRING ||
type == V_ASN1_VISIBLESTRING || type == V_ASN1_IA5STRING) {
- ascii2ebcdic(ebcdic_buf, q, (num > sizeof ebcdic_buf)
- ? sizeof ebcdic_buf : num);
+ if (num > (int)sizeof(ebcdic_buf))
+ num = sizeof(ebcdic_buf);
+ ascii2ebcdic(ebcdic_buf, q, num);
q = ebcdic_buf;
}
#endif
Modified: releng/9.3/sys/cddl/compat/opensolaris/kern/opensolaris_vfs.c
==============================================================================
--- releng/9.3/sys/cddl/compat/opensolaris/kern/opensolaris_vfs.c Wed May
4 15:26:23 2016 (r299067)
+++ releng/9.3/sys/cddl/compat/opensolaris/kern/opensolaris_vfs.c Wed May
4 15:27:09 2016 (r299068)
@@ -196,6 +196,7 @@ mount_snapshot(kthread_t *td, vnode_t **
VI_UNLOCK(vp);
vrele(vp);
vfs_unbusy(mp);
+ vfs_freeopts(mp->mnt_optnew);
vfs_mount_destroy(mp);
*vpp = NULL;
return (error);
Modified: releng/9.3/sys/conf/newvers.sh
==============================================================================
--- releng/9.3/sys/conf/newvers.sh Wed May 4 15:26:23 2016
(r299067)
+++ releng/9.3/sys/conf/newvers.sh Wed May 4 15:27:09 2016
(r299068)
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="9.3"
-BRANCH="RELEASE-p40"
+BRANCH="RELEASE-p41"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
_______________________________________________
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
