Index: /trunk/server/common/patches/openssl-1.0.1e-cve-2015-3195.patch =================================================================== --- /trunk/server/common/patches/openssl-1.0.1e-cve-2015-3195.patch (revision 2743) +++ /trunk/server/common/patches/openssl-1.0.1e-cve-2015-3195.patch (revision 2743) @@ -0,0 +1,55 @@ +From b29ffa392e839d05171206523e84909146f7a77c Mon Sep 17 00:00:00 2001 +From: "Dr. Stephen Henson" +Date: Tue, 10 Nov 2015 19:03:07 +0000 +Subject: [PATCH] Fix leak with ASN.1 combine. + +When parsing a combined structure pass a flag to the decode routine +so on error a pointer to the parent structure is not zeroed as +this will leak any additional components in the parent. + +This can leak memory in any application parsing PKCS#7 or CMS structures. + +CVE-2015-3195. + +Thanks to Adam Langley (Google/BoringSSL) for discovering this bug using +libFuzzer. + +PR#4131 + +Reviewed-by: Richard Levitte + +Edited-to-apply: Alexander Chernyakhovsky +--- + crypto/asn1/tasn_dec.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c +index febf605..9256049 100644 +--- a/crypto/asn1/tasn_dec.c ++++ b/crypto/asn1/tasn_dec.c +@@ -169,6 +169,8 @@ + int otag; + int ret = 0; + ASN1_VALUE **pchptr, *ptmpval; ++ int combine = aclass & ASN1_TFLG_COMBINE; ++ aclass &= ~ASN1_TFLG_COMBINE; + if (!pval) + return 0; + if (aux && aux->asn1_cb) +@@ -539,6 +541,7 @@ + auxerr: + ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR); + err: ++ if (combine == 0) + ASN1_item_ex_free(pval, it); + if (errtt) + ERR_add_error_data(4, "Field=", errtt->field_name, +@@ -767,7 +770,7 @@ + { + /* Nothing special */ + ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), +- -1, 0, opt, ctx); ++ -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx); + if (!ret) + { + ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, Index: /trunk/server/fedora/Makefile =================================================================== --- /trunk/server/fedora/Makefile (revision 2742) +++ /trunk/server/fedora/Makefile (revision 2743) @@ -19,5 +19,5 @@ # See /COPYRIGHT in this repository for more information. -upstream_yum = krb5 krb5.i686 httpd openssh libgsasl +upstream_yum = krb5 krb5.i686 httpd openssh libgsasl openssl openssl.i686 hackage = cgi-3001.1.8.5 unix-handle-0.0.0 upstream_hackage = ghc-cgi ghc-unix-handle Index: /trunk/server/fedora/specs/openssl.spec.patch =================================================================== --- /trunk/server/fedora/specs/openssl.spec.patch (revision 2743) +++ /trunk/server/fedora/specs/openssl.spec.patch (revision 2743) @@ -0,0 +1,29 @@ +--- openssl.spec.orig 2015-12-03 22:15:29.139540047 -0500 ++++ openssl.spec 2015-12-03 22:16:46.418241254 -0500 +@@ -21,7 +21,7 @@ + Summary: Utilities from the general purpose cryptography library with TLS implementation + Name: openssl + Version: 1.0.1e +-Release: 42%{?dist} ++Release: 42%{?dist}.scripts.%{scriptsversion} + Epoch: 1 + # We have to remove certain patented algorithms from the openssl source + # tarball with the hobble-openssl script which is included below. +@@ -123,6 +123,8 @@ + Patch127: openssl-1.0.1e-cve-2015-0292.patch + Patch128: openssl-1.0.1e-cve-2015-0293.patch + ++Patch1000: openssl-1.0.1e-cve-2015-3195.patch ++ + License: OpenSSL + Group: System Environment/Libraries + URL: http://www.openssl.org/ +@@ -280,6 +282,8 @@ + %patch127 -p1 -b .b64-underflow + %patch128 -p1 -b .ssl2-assert + ++%patch1000 -p1 -b .x509-leak ++ + sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h + + # Modify the various perl scripts to reference perl in the right location.