Re: libre/openssl patches available

2015-03-19 Thread Ted Unangst
Ted Unangst wrote:
> Patches are now available to fix a variety of issues in libcrypto and libssl.
> 5.5 patch:
> http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/024_openssl.patch.sig

And I boned the instructions again.
cd /usr/src/lib/libcrypto/crypto
should be
cd /usr/src/lib/libssl/crypto
instead.



libre/openssl patches available

2015-03-19 Thread Ted Unangst
Patches are now available to fix a variety of issues in libcrypto and libssl.

For 5.6 and the forthcoming 5.7 release:
CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error
CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp
CVE-2015-0287 - ASN.1 structure reuse memory corruption
CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref
CVE-2015-0289 - PKCS7 NULL pointer dereferences

For 5.5:
CVE-2015-0286 - Apply fix from OpenSSL for ASN1_TYPE_cmp.
CVE-2015-0292 - Backport existing fix for Base64 decoding.

Several other issues did not apply or were already fixed.
Refer to https://www.openssl.org/news/secadv_20150319.txt

Thanks to the OpenSSL team for providing patches.

5.5 patch:
http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/024_openssl.patch.sig

5.6 patch:
http://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/020_openssl.patch.sig

untrusted comment: signature from openbsd 5.6 base private key
RWR0EANmo9nqhs3L3uaeagbDgYSaBJ3w1MivqvATSTrquGgKHm0sNWVTudl/oumq7hVfVD+KX0LtxlkCQpA5JaPYwTO0OYHyPwE=

OpenBSD 5.6 errata 20, March 19, 2015

Fix several crash causing defects from OpenSSL.
These include:
CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error
CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp
CVE-2015-0287 - ASN.1 structure reuse memory corruption
CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref
CVE-2015-0289 - PKCS7 NULL pointer dereferences

Several other issues did not apply or were already fixed.
Refer to https://www.openssl.org/news/secadv_20150319.txt

Apply patch using:

signify -Vep /etc/signify/openbsd-56-base.pub -x 020_openssl.patch.sig \
    -m - | (cd /usr/src && patch -p0)

Then build and install libcrypto and libssl

cd /usr/src/lib/libcrypto/crypto
make obj
make
make install
cd /usr/src/lib/libssl/ssl
make obj
make
make install


Index: lib/libssl/src/crypto/asn1/a_int.c
===
RCS file: /cvs/src/lib/libssl/src/crypto/asn1/a_int.c,v
retrieving revision 1.24
diff -u -p -r1.24 a_int.c
--- lib/libssl/src/crypto/asn1/a_int.c  11 Jul 2014 08:44:47 -  1.24
+++ lib/libssl/src/crypto/asn1/a_int.c  18 Mar 2015 06:01:34 -
@@ -268,7 +268,7 @@ c2i_ASN1_INTEGER(ASN1_INTEGER **a, const
 
 err:
ASN1err(ASN1_F_C2I_ASN1_INTEGER, i);
-   if ((ret != NULL)  ((a == NULL) || (*a != ret)))
+   if (a == NULL || *a != ret)
M_ASN1_INTEGER_free(ret);
return (NULL);
 }
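Review bot: the free on the `err:` path of c2i_ASN1_INTEGER now depends on M_ASN1_INTEGER_free() accepting a NULL argument, because with the `ret != NULL` test gone it is reached with `ret == NULL` whenever `a` is NULL or `*a` is non-NULL. That should be stated in the commit message or confirmed against the macro's definition, which is not part of this patch.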
@@ -335,7 +335,7 @@ d2i_ASN1_UINTEGER(ASN1_INTEGER **a, cons
 
 err:
ASN1err(ASN1_F_D2I_ASN1_UINTEGER, i);
-   if ((ret != NULL)  ((a == NULL) || (*a != ret)))
+   if (a == NULL || *a != ret)
M_ASN1_INTEGER_free(ret);
return (NULL);
 }
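Review bot: in the `err:` path of d2i_ASN1_UINTEGER the reuse case (`a` non-NULL and `*a == ret`) still returns NULL without freeing, so the caller keeps an object that the failed decode may already have written into. A comment at the label saying that `*a` is left to the caller, and must not be treated as a valid decode result after a NULL return, would make that contract explicit.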
Index: lib/libssl/src/crypto/asn1/a_set.c
===
RCS file: /cvs/src/lib/libssl/src/crypto/asn1/a_set.c,v
retrieving revision 1.16
diff -u -p -r1.16 a_set.c
--- lib/libssl/src/crypto/asn1/a_set.c  11 Jul 2014 08:44:47 -  1.16
+++ lib/libssl/src/crypto/asn1/a_set.c  18 Mar 2015 06:01:34 -
@@ -225,7 +225,7 @@ d2i_ASN1_SET(STACK_OF(OPENSSL_BLOCK) **a
return ret;
 
 err:
-   if (ret != NULL  (a == NULL || *a != ret)) {
+   if (a == NULL || *a != ret) {
if (free_func != NULL)
sk_OPENSSL_BLOCK_pop_free(ret, free_func);
else
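Review bot: with the `ret != NULL` test removed, both branches under `err:` in d2i_ASN1_SET can receive a NULL stack: sk_OPENSSL_BLOCK_pop_free(ret, free_func) and whatever the `else` branch calls, which falls outside the hunk's context. Both need to tolerate NULL; if either does not, the NULL test should stay.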
Index: lib/libssl/src/crypto/asn1/a_type.c
===
RCS file: /cvs/src/lib/libssl/src/crypto/asn1/a_type.c,v
retrieving revision 1.14
diff -u -p -r1.14 a_type.c
--- lib/libssl/src/crypto/asn1/a_type.c 11 Jul 2014 08:44:47 -  1.14
+++ lib/libssl/src/crypto/asn1/a_type.c 18 Mar 2015 06:01:34 -
@@ -122,7 +122,9 @@ ASN1_TYPE_cmp(ASN1_TYPE *a, ASN1_TYPE *b
case V_ASN1_OBJECT:
result = OBJ_cmp(a-value.object, b-value.object);
break;
-
+   case V_ASN1_BOOLEAN:
+   result = a-value.boolean - b-value.boolean;
+   break;
case V_ASN1_NULL:
result = 0; /* They do not have content. */
break;
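Review bot: the new V_ASN1_BOOLEAN case in ASN1_TYPE_cmp compares by subtracting the two `boolean` fields, so two values that are both true but stored as different non-zero numbers compare as unequal. If the decoder does not normalise the field, compare the truth values rather than the raw numbers. The case also has no comment on why BOOLEAN needs its own branch, unlike the V_ASN1_NULL case directly below it; one line would help the next reader.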
Index: lib/libssl/src/crypto/asn1/d2i_pr.c
===
RCS file: /cvs/src/lib/libssl/src/crypto/asn1/d2i_pr.c,v
retrieving revision 1.12
diff -u -p -r1.12 d2i_pr.c
--- lib/libssl/src/crypto/asn1/d2i_pr.c 11 Jul 2014 08:44:47 -  1.12
+++ lib/libssl/src/crypto/asn1/d2i_pr.c 18 Mar 2015 06:01:34 -
@@ -117,7 +117,7 @@ d2i_PrivateKey(int type, EVP_PKEY **a, c
return (ret);
 
 err:
-   if ((ret != NULL)  ((a == NULL) || (*a != ret)))
+   if (a == NULL || *a != ret)
EVP_PKEY_free(ret);
return (NULL);
 }
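Review bot: the rewritten condition at `err:` in d2i_PrivateKey is a cleanup rather than a behaviour change, and would be easier to audit in a commit separate from the functional fixes in this errata. For a non-NULL `ret` it frees in exactly the same cases as before; the only difference is that EVP_PKEY_free() can now be called with NULL. The same rewrite appears in a_int.c and a_set.c.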
Index: lib/libssl/src/crypto/asn1/d2i_pu.c
===
RCS file: /cvs/src/lib/libssl/src/crypto/asn1/d2i_pu.c,v
retrieving revision 

Re: libre/openssl patches available

2015-03-19 Thread John Merriam
On Thu, 19 Mar 2015, John Merriam wrote:
> On Thu, 19 Mar 2015, Ted Unangst wrote:
> 
> > Ted Unangst wrote:
> > > Patches are now available to fix a variety of issues in libcrypto and 
> > > libssl.
> > > 5.5 patch:
> > > http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/024_openssl.patch.sig
> > 
> > And I boned the instructions again.
> > cd /usr/src/lib/libcrypto/crypto
> > should be
> > cd /usr/src/lib/libssl/crypto
> > instead.
> > 
> 
> Hmmm:
> 
> # cd /usr/src/lib/libssl/crypto
> ksh: cd: /usr/src/lib/libssl/crypto - No such file or directory
> 
> On 5.6-release amd64.
> 
> I'll look back to see if I can find it but is there a different process to 
> build all of libssl to be sure it's all patched?
> 

Nevermind.  I see my failure.  That change is for the 5.5 patch only I'm 
thinking.  Sorry for the noise again.

-- 

John Merriam