diff -Nru openssl-1.0.1f/debian/changelog openssl-1.0.1f/debian/changelog
--- openssl-1.0.1f/debian/changelog 2015-06-11 11:34:44.000000000 +0000
+++ openssl-1.0.1f/debian/changelog 2015-12-04 13:20:52.000000000 +0000
@@ -1,3 +1,20 @@
+openssl (1.0.1f-1ubuntu2.16) trusty-security; urgency=medium
+
+ * SECURITY UPDATE: Certificate verify crash with missing PSS parameter
+ - debian/patches/CVE-2015-3194.patch: add PSS parameter check to
+ crypto/rsa/rsa_ameth.c.
+ - CVE-2015-3194
+ * SECURITY UPDATE: X509_ATTRIBUTE memory leak
+ - debian/patches/CVE-2015-3195.patch: fix leak in
+ crypto/asn1/tasn_dec.c.
+ - CVE-2015-3195
+ * SECURITY UPDATE: Race condition handling PSK identify hint
+ - debian/patches/CVE-2015-3196.patch: fix PSK handling in
+ ssl/s3_clnt.c, ssl/s3_srvr.c.
+ - CVE-2015-3196
+
+ -- Marc Deslauriers Fri, 04 Dec 2015 08:20:52 -0500
+
 openssl (1.0.1f-1ubuntu2.15) trusty-security; urgency=medium
 
 * SECURITY IMPROVEMENT: reject dh keys smaller than 768 bits
diff -Nru openssl-1.0.1f/debian/patches/CVE-2015-3194.patch openssl-1.0.1f/debian/patches/CVE-2015-3194.patch
--- openssl-1.0.1f/debian/patches/CVE-2015-3194.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.0.1f/debian/patches/CVE-2015-3194.patch 2015-12-04 13:20:40.000000000 +0000
@@ -0,0 +1,36 @@
+Backport of:
+
+From d8541d7e9e63bf5f343af24644046c8d96498c17 Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson"
+Date: Fri, 2 Oct 2015 13:10:29 +0100
+Subject: [PATCH] Add PSS parameter check.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+Avoid seg fault by checking mgf1 parameter is not NULL. This can be
+triggered during certificate verification so could be a DoS attack
+against a client or a server enabling client authentication.
+
+Thanks to Loïc Jonas Etienne (Qnective AG) for discovering this bug.
+
+CVE-2015-3194
+
+Reviewed-by: Matt Caswell
+---
+ crypto/rsa/rsa_ameth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: openssl-1.0.1f/crypto/rsa/rsa_ameth.c
+===================================================================
+--- openssl-1.0.1f.orig/crypto/rsa/rsa_ameth.c 2015-12-04 07:35:43.437923518 -0500
++++ openssl-1.0.1f/crypto/rsa/rsa_ameth.c 2015-12-04 07:36:26.458397427 -0500
+@@ -287,7 +287,7 @@
+ {
+ ASN1_TYPE *param = pss->maskGenAlgorithm->parameter;
+ if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) == NID_mgf1
+- && param->type == V_ASN1_SEQUENCE)
++ && param && param->type == V_ASN1_SEQUENCE)
+ {
+ p = param->value.sequence->data;
+ plen = param->value.sequence->length;
diff -Nru openssl-1.0.1f/debian/patches/CVE-2015-3195.patch openssl-1.0.1f/debian/patches/CVE-2015-3195.patch
--- openssl-1.0.1f/debian/patches/CVE-2015-3195.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.0.1f/debian/patches/CVE-2015-3195.patch 2015-12-04 13:20:44.000000000 +0000
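Review bot: The added `param &&` guard silently leaves the mask-generation hash undecoded when an mgf1 AlgorithmIdentifier carries no parameters, and nothing in the hunk records why the NULL case exists; a comment above the `if` would keep a later cleanup from dropping it: `/* parameter is OPTIONAL in AlgorithmIdentifier: an mgf1 OID with absent parameters decodes to param == NULL (CVE-2015-3194) */`. The enclosing function starts and ends outside the hunk, so what the caller does with a missing mask hash — presumably it is rejected as an invalid PSS parameter set — cannot be confirmed from here and is worth checking in the backport. The upstream diffstat shows only rsa_ameth.c changing and the package adds no regression input either, so the fix is verified by inspection only; a certificate with a parameter-less mgf1 PSS signature in the package's test material would pin the behaviour.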
@@ -0,0 +1,57 @@
+Backport of:
+
+From b29ffa392e839d05171206523e84909146f7a77c Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson"
+Date: Tue, 10 Nov 2015 19:03:07 +0000
+Subject: [PATCH] Fix leak with ASN.1 combine.
+
+When parsing a combined structure pass a flag to the decode routine
+so on error a pointer to the parent structure is not zeroed as
+this will leak any additional components in the parent.
+
+This can leak memory in any application parsing PKCS#7 or CMS structures.
+
+CVE-2015-3195.
+
+Thanks to Adam Langley (Google/BoringSSL) for discovering this bug using
+libFuzzer.
+
+PR#4131
+
+Reviewed-by: Richard Levitte
+---
+ crypto/asn1/tasn_dec.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+Index: openssl-1.0.1f/crypto/asn1/tasn_dec.c
+===================================================================
+--- openssl-1.0.1f.orig/crypto/asn1/tasn_dec.c 2015-12-04 07:36:53.038690220 -0500
++++ openssl-1.0.1f/crypto/asn1/tasn_dec.c 2015-12-04 07:38:24.187694186 -0500
+@@ -169,6 +169,8 @@
+ int otag;
+ int ret = 0;
+ ASN1_VALUE **pchptr, *ptmpval;
++ int combine = aclass & ASN1_TFLG_COMBINE;
++ aclass &= ~ASN1_TFLG_COMBINE;
+ if (!pval)
+ return 0;
+ if (aux && aux->asn1_cb)
+@@ -534,7 +536,8 @@
+ auxerr:
+ ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR);
+ err:
+- ASN1_item_ex_free(pval, it);
++ if (combine == 0)
++ ASN1_item_ex_free(pval, it);
+ if (errtt)
+ ERR_add_error_data(4, "Field=", errtt->field_name,
+ ", Type=", it->sname);
+@@ -762,7 +765,7 @@
+ {
+ /* Nothing special */
+ ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
+- -1, 0, opt, ctx);
++ -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx);
+ if (!ret)
+ {
+ ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I,
diff -Nru openssl-1.0.1f/debian/patches/CVE-2015-3196.patch openssl-1.0.1f/debian/patches/CVE-2015-3196.patch
--- openssl-1.0.1f/debian/patches/CVE-2015-3196.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.0.1f/debian/patches/CVE-2015-3196.patch 2015-12-04 13:20:48.000000000 +0000
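Review bot: The new `if (combine == 0)` guard at the `err:` label in the second tasn_dec.c hunk carries no comment, and the reason it exists is subtle: for a COMBINE member `*pval` is storage inside the parent structure, so freeing it here would zero the parent's pointer and leak the parent's other fields (the commit message says this, the code does not). Suggest `/* COMBINE member: storage belongs to the parent, which frees it on its own error path */` directly above the check. The flag is also carried in through the `aclass` parameter and masked back out in the first hunk, which only works because ASN1_TFLG_COMBINE does not overlap the V_ASN1_* tag-class bits; a one-line comment at `int combine = aclass & ASN1_TFLG_COMBINE;` should state that assumption so nobody later assigns a colliding template flag. Only the "Nothing special" call in the third hunk forwards `tt->flags & ASN1_TFLG_COMBINE`; every other ASN1_item_ex_d2i caller keeps passing 0, which is presumably intended but worth confirming against upstream in the backport. The enclosing functions start and end outside the hunks.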
@@ -0,0 +1,74 @@
+Backport of:
+
+From d6be3124f22870f1888c532523b74ea5d89795eb Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson"
+Date: Wed, 1 Jul 2015 23:40:03 +0100
+Subject: [PATCH] Fix PSK handling.
+
+The PSK identity hint should be stored in the SSL_SESSION structure
+and not in the parent context (which will overwrite values used
+by other SSL structures with the same SSL_CTX).
+
+Use BUF_strndup when copying identity as it may not be null terminated.
+
+Reviewed-by: Tim Hudson
+(cherry picked from commit 3c66a669dfc7b3792f7af0758ea26fe8502ce70c)
+---
+ ssl/s3_clnt.c | 17 +++-------------
+ ssl/s3_srvr.c | 2 +-
+ 2 files changed, 4 insertions(+), 15 deletions(-)
+
+Index: openssl-1.0.1f/ssl/s3_clnt.c
+===================================================================
+--- openssl-1.0.1f.orig/ssl/s3_clnt.c 2015-12-04 07:38:53.628018434 -0500
++++ openssl-1.0.1f/ssl/s3_clnt.c 2015-12-04 07:53:26.769639822 -0500
+@@ -1374,8 +1374,6 @@
+ #ifndef OPENSSL_NO_PSK
+ if (alg_k & SSL_kPSK)
+ {
+- char tmp_id_hint[PSK_MAX_IDENTITY_LEN+1];
+-
+ al=SSL_AD_HANDSHAKE_FAILURE;
+ n2s(p,i);
+ param_len=i+2;
+@@ -1396,16 +1394,8 @@
+ SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH);
+ goto f_err;
+ }
+- /* If received PSK identity hint contains NULL
+- * characters, the hint is truncated from the first
+- * NULL. p may not be ending with NULL, so create a
+- * NULL-terminated string. */
+- memcpy(tmp_id_hint, p, i);
+- memset(tmp_id_hint+i, 0, PSK_MAX_IDENTITY_LEN+1-i);
+- if (s->ctx->psk_identity_hint != NULL)
+- OPENSSL_free(s->ctx->psk_identity_hint);
+- s->ctx->psk_identity_hint = BUF_strdup(tmp_id_hint);
+- if (s->ctx->psk_identity_hint == NULL)
++ s->session->psk_identity_hint = BUF_strndup((char *)p, i);
++ if (s->session->psk_identity_hint == NULL)
+ {
+ SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
+ goto f_err;
+@@ -2905,7 +2895,7 @@
+ goto err;
+ }
+
+- psk_len = s->psk_client_callback(s, s->ctx->psk_identity_hint,
++ psk_len = s->psk_client_callback(s, s->session->psk_identity_hint,
+ identity, PSK_MAX_IDENTITY_LEN,
+ psk_or_pre_ms, sizeof(psk_or_pre_ms));
+ if (psk_len > PSK_MAX_PSK_LEN)
+Index: openssl-1.0.1f/ssl/s3_srvr.c
+===================================================================
+--- openssl-1.0.1f.orig/ssl/s3_srvr.c 2015-12-04 07:38:53.628018434 -0500
++++ openssl-1.0.1f/ssl/s3_srvr.c 2015-12-04 07:54:22.058248733 -0500
+@@ -2733,7 +2733,7 @@
+
+ if (s->session->psk_identity != NULL)
+ OPENSSL_free(s->session->psk_identity);
+- s->session->psk_identity = BUF_strdup((char *)p);
++ s->session->psk_identity = BUF_strndup((char *)p, i);
+ if (s->session->psk_identity == NULL)
+ {
+ SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
diff -Nru openssl-1.0.1f/debian/patches/series openssl-1.0.1f/debian/patches/series
--- openssl-1.0.1f/debian/patches/series 2015-06-11 11:34:20.000000000 +0000
+++ openssl-1.0.1f/debian/patches/series 2015-12-04 13:20:48.000000000 +0000
@@ -87,3 +87,6 @@
 CVE-2015-1792.patch
 CVE-2015-1791-2.patch
 CVE-2015-1791-3.patch
+CVE-2015-3194.patch
+CVE-2015-3195.patch
+CVE-2015-3196.patch
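Review bot: The new `s->session->psk_identity_hint = BUF_strndup((char *)p, i);` in the second s3_clnt.c hunk overwrites whatever the session already holds without freeing it, whereas the s3_srvr.c hunk in the same patch frees `psk_identity` before the equivalent assignment; the session is normally freshly allocated on this path so a leak is unlikely, but mirroring the server-side guard, `if (s->session->psk_identity_hint != NULL) OPENSSL_free(s->session->psk_identity_hint);`, before the assignment costs nothing and makes the code safe whatever the session state. The third hunk now hands `s->session->psk_identity_hint` to `psk_client_callback`, which is NULL whenever the server sent no hint, where the old code read the value from the shared SSL_CTX; a short comment at that call, `/* hint is NULL if the server sent none; the callback must cope */`, documents the changed contract for application callbacks. The removed comment about NUL bytes inside the received hint still applies to the string BUF_strndup produces and could be kept as one line. The enclosing functions start and end outside the hunks.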