Attachment #154477 for bug #198681

Lines 3-8 Link Here

(-)security/libressl/Makefile (+1 lines)
3		3
4	PORTNAME= libressl	4	PORTNAME= libressl
5	PORTVERSION= 2.1.5	5	PORTVERSION= 2.1.5
		6	PORTREVISION= 1
6	CATEGORIES= security devel	7	CATEGORIES= security devel
7	MASTER_SITES= ${MASTER_SITE_OPENBSD}	8	MASTER_SITES= ${MASTER_SITE_OPENBSD}
8	MASTER_SITE_SUBDIR= LibreSSL	9	MASTER_SITE_SUBDIR= LibreSSL




# Backport of CVE-2015-0209 vuln mitigation
# Fix a failure to NULL a pointer freed on error.
#
# Inspired by BoringSSL commit 517073cd4b by Eric Roman <eroman@chromium.org>
# CVE-2015-0209

--- crypto/ec/ec_asn1.c.orig	2015-02-10 14:54:46 UTC
+++ crypto/ec/ec_asn1.c
@@ -1043,13 +1043,8 @@ d2i_ECPrivateKey(EC_KEY ** a, const unsi
 	EC_KEY *ret = NULL;
 	EC_PRIVATEKEY *priv_key = NULL;
 
-	if ((priv_key = EC_PRIVATEKEY_new()) == NULL) {
-		ECerr(EC_F_D2I_ECPRIVATEKEY, ERR_R_MALLOC_FAILURE);
-		return NULL;
-	}
-	if ((priv_key = d2i_EC_PRIVATEKEY(&priv_key, in, len)) == NULL) {
+	if ((priv_key = d2i_EC_PRIVATEKEY(NULL, in, len)) == NULL) {
 		ECerr(EC_F_D2I_ECPRIVATEKEY, ERR_R_EC_LIB);
-		EC_PRIVATEKEY_free(priv_key);
 		return NULL;
 	}
 	if (a == NULL || *a == NULL) {
@@ -1058,8 +1053,6 @@ d2i_ECPrivateKey(EC_KEY ** a, const unsi
 			    ERR_R_MALLOC_FAILURE);
 			goto err;
 		}
-		if (a)
-			*a = ret;
 	} else
 		ret = *a;
 
@@ -1109,10 +1102,12 @@ d2i_ECPrivateKey(EC_KEY ** a, const unsi
 			goto err;
 		}
 	}
+	if (a)
+		*a = ret;
 	ok = 1;
 err:
 	if (!ok) {
-		if (ret)
+		if (ret && (a == NULL || *a != ret))
 			EC_KEY_free(ret);
 		ret = NULL;
 	}




# Backport of CVE-2015-0288 vuln mitigation
# Check public key is not NULL.
#
# CVE-2015-0288
# PR#3708

--- crypto/x509/x509_req.c.orig	2014-12-06 23:15:50 UTC
+++ crypto/x509/x509_req.c
@@ -95,6 +95,8 @@ X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey
 		goto err;
 
 	pktmp = X509_get_pubkey(x);
+	if (pktmp == NULL)
+		goto err;
 	i = X509_REQ_set_pubkey(ret, pktmp);
 	EVP_PKEY_free(pktmp);
 	if (!i)

Return to bug 198681

Line 0 Link Here

(-)security/libressl/files/patch-crypto_ec_ec__asn1.c (+46 lines)
	1	# Backport of CVE-2015-0209 vuln mitigation
	2	# Fix a failure to NULL a pointer freed on error.
	3	#
	4	# Inspired by BoringSSL commit 517073cd4b by Eric Roman <eroman@chromium.org>
	5	# CVE-2015-0209
	6
	7	--- crypto/ec/ec_asn1.c.orig 2015-02-10 14:54:46 UTC
	8	+++ crypto/ec/ec_asn1.c
	9	@@ -1043,13 +1043,8 @@ d2i_ECPrivateKey(EC_KEY ** a, const unsi
	10	EC_KEY *ret = NULL;
	11	EC_PRIVATEKEY *priv_key = NULL;
	12
	13	- if ((priv_key = EC_PRIVATEKEY_new()) == NULL) {
	14	- ECerr(EC_F_D2I_ECPRIVATEKEY, ERR_R_MALLOC_FAILURE);
	15	- return NULL;
	16	- }
	17	- if ((priv_key = d2i_EC_PRIVATEKEY(&priv_key, in, len)) == NULL) {
	18	+ if ((priv_key = d2i_EC_PRIVATEKEY(NULL, in, len)) == NULL) {
	19	ECerr(EC_F_D2I_ECPRIVATEKEY, ERR_R_EC_LIB);
	20	- EC_PRIVATEKEY_free(priv_key);
	21	return NULL;
	22	}
	23	if (a == NULL \|\| *a == NULL) {
	24	@@ -1058,8 +1053,6 @@ d2i_ECPrivateKey(EC_KEY ** a, const unsi
	25	ERR_R_MALLOC_FAILURE);
	26	goto err;
	27	}
	28	- if (a)
	29	- *a = ret;
	30	} else
	31	ret = *a;
	32
	33	@@ -1109,10 +1102,12 @@ d2i_ECPrivateKey(EC_KEY ** a, const unsi
	34	goto err;
	35	}
	36	}
	37	+ if (a)
	38	+ *a = ret;
	39	ok = 1;
	40	err:
	41	if (!ok) {
	42	- if (ret)
	43	+ if (ret && (a == NULL \|\| *a != ret))
	44	EC_KEY_free(ret);
	45	ret = NULL;
	46	}

Line 0 Link Here

(-)security/libressl/files/patch-crypto_x509_x509__req.c (+17 lines)
	1	# Backport of CVE-2015-0288 vuln mitigation
	2	# Check public key is not NULL.
	3	#
	4	# CVE-2015-0288
	5	# PR#3708
	6
	7	--- crypto/x509/x509_req.c.orig 2014-12-06 23:15:50 UTC
	8	+++ crypto/x509/x509_req.c
	9	@@ -95,6 +95,8 @@ X509_to_X509_REQ(X509 x, EVP_PKEY pkey
	10	goto err;
	11
	12	pktmp = X509_get_pubkey(x);
	13	+ if (pktmp == NULL)
	14	+ goto err;
	15	i = X509_REQ_set_pubkey(ret, pktmp);
	16	EVP_PKEY_free(pktmp);
	17	if (!i)