Patches are now available to fix a variety of issues in libcrypto and libssl.
For 5.6 and the forthcoming 5.7 release:
CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error
CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp
CVE-2015-0287 - ASN.1 structure reuse memory corruption
CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref
CVE-2015-0289 - PKCS7 NULL pointer dereferences
For 5.5:
CVE-2015-0286 - Apply fix from OpenSSL for ASN1_TYPE_cmp.
CVE-2015-0292 - Backport existing fix for Base64 decoding.
Several other issues did not apply or were already fixed.
Refer to https://www.openssl.org/news/secadv_20150319.txt
Thanks to the OpenSSL team for providing patches.
5.5 patch:
http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/024_openssl.patch.sig
5.6 patch:
http://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/020_openssl.patch.sig
untrusted comment: signature from openbsd 5.6 base private key
RWR0EANmo9nqhs3L3uaeagbDgYSaBJ3w1MivqvATSTrquGgKHm0sNWVTudl/oumq7hVfVD+KX0LtxlkCQpA5JaPYwTO0OYHyPwE=
OpenBSD 5.6 errata 20, March 19, 2015
Fix several crash causing defects from OpenSSL.
These include:
CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error
CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp
CVE-2015-0287 - ASN.1 structure reuse memory corruption
CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref
CVE-2015-0289 - PKCS7 NULL pointer dereferences
Several other issues did not apply or were already fixed.
Refer to https://www.openssl.org/news/secadv_20150319.txt
Apply patch using:
signify -Vep /etc/signify/openbsd-56-base.pub -x 020_openssl.patch.sig \
-m - | (cd /usr/src patch -p0)
Then build and install libcrypto and libssl
cd /usr/src/lib/libcrypto/crypto
make obj
make
make install
cd /usr/src/lib/libssl/ssl
make obj
make
make install
Index: lib/libssl/src/crypto/asn1/a_int.c
===
RCS file: /cvs/src/lib/libssl/src/crypto/asn1/a_int.c,v
retrieving revision 1.24
diff -u -p -r1.24 a_int.c
--- lib/libssl/src/crypto/asn1/a_int.c 11 Jul 2014 08:44:47 - 1.24
+++ lib/libssl/src/crypto/asn1/a_int.c 18 Mar 2015 06:01:34 -
@@ -268,7 +268,7 @@ c2i_ASN1_INTEGER(ASN1_INTEGER **a, const
err:
ASN1err(ASN1_F_C2I_ASN1_INTEGER, i);
- if ((ret != NULL) ((a == NULL) || (*a != ret)))
+ if (a == NULL || *a != ret)
M_ASN1_INTEGER_free(ret);
return (NULL);
}
@@ -335,7 +335,7 @@ d2i_ASN1_UINTEGER(ASN1_INTEGER **a, cons
err:
ASN1err(ASN1_F_D2I_ASN1_UINTEGER, i);
- if ((ret != NULL) ((a == NULL) || (*a != ret)))
+ if (a == NULL || *a != ret)
M_ASN1_INTEGER_free(ret);
return (NULL);
}
Index: lib/libssl/src/crypto/asn1/a_set.c
===
RCS file: /cvs/src/lib/libssl/src/crypto/asn1/a_set.c,v
retrieving revision 1.16
diff -u -p -r1.16 a_set.c
--- lib/libssl/src/crypto/asn1/a_set.c 11 Jul 2014 08:44:47 - 1.16
+++ lib/libssl/src/crypto/asn1/a_set.c 18 Mar 2015 06:01:34 -
@@ -225,7 +225,7 @@ d2i_ASN1_SET(STACK_OF(OPENSSL_BLOCK) **a
return ret;
err:
- if (ret != NULL (a == NULL || *a != ret)) {
+ if (a == NULL || *a != ret) {
if (free_func != NULL)
sk_OPENSSL_BLOCK_pop_free(ret, free_func);
else
Index: lib/libssl/src/crypto/asn1/a_type.c
===
RCS file: /cvs/src/lib/libssl/src/crypto/asn1/a_type.c,v
retrieving revision 1.14
diff -u -p -r1.14 a_type.c
--- lib/libssl/src/crypto/asn1/a_type.c 11 Jul 2014 08:44:47 - 1.14
+++ lib/libssl/src/crypto/asn1/a_type.c 18 Mar 2015 06:01:34 -
@@ -122,7 +122,9 @@ ASN1_TYPE_cmp(ASN1_TYPE *a, ASN1_TYPE *b
case V_ASN1_OBJECT:
result = OBJ_cmp(a-value.object, b-value.object);
break;
-
+ case V_ASN1_BOOLEAN:
+ result = a-value.boolean - b-value.boolean;
+ break;
case V_ASN1_NULL:
result = 0; /* They do not have content. */
break;
Index: lib/libssl/src/crypto/asn1/d2i_pr.c
===
RCS file: /cvs/src/lib/libssl/src/crypto/asn1/d2i_pr.c,v
retrieving revision 1.12
diff -u -p -r1.12 d2i_pr.c
--- lib/libssl/src/crypto/asn1/d2i_pr.c 11 Jul 2014 08:44:47 - 1.12
+++ lib/libssl/src/crypto/asn1/d2i_pr.c 18 Mar 2015 06:01:34 -
@@ -117,7 +117,7 @@ d2i_PrivateKey(int type, EVP_PKEY **a, c
return (ret);
err:
- if ((ret != NULL) ((a == NULL) || (*a != ret)))
+ if (a == NULL || *a != ret)
EVP_PKEY_free(ret);
return (NULL);
}
Index: lib/libssl/src/crypto/asn1/d2i_pu.c
===
RCS file: /cvs/src/lib/libssl/src/crypto/asn1/d2i_pu.c,v
retrieving revision