Fixes the following security issues:

Constructed ASN.1 types with a recursive definition could exceed the stack
(CVE-2018-0739)

Constructed ASN.1 types with a recursive definition (such as can be found in
PKCS7) could eventually exceed the stack given malicious input with
excessive recursion. This could result in a Denial Of Service attack.
There are no such structures used within SSL/TLS that come from untrusted
sources so this is considered safe.

Incorrect CRYPTO_memcmp on HP-UX PA-RISC (CVE-2018-0733)

Because of an implementation bug the PA-RISC CRYPTO_memcmp function is
effectively reduced to only comparing the least significant bit of each
byte. This allows an attacker to forge messages that would be considered as
authenticated in an amount of tries lower than that guaranteed by the
security claims of the scheme. The module can only be compiled by the HP-UX
assembler, so that only HP-UX PA-RISC targets are affected.

rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)

This issue has been reported in a previous OpenSSL security advisory and a
fix was provided for OpenSSL 1.0.2. Due to the low severity no fix was
released at that time for OpenSSL 1.1.0. The fix is now available in
OpenSSL 1.1.0h.

There is an overflow bug in the AVX2 Montgomery multiplication procedure
used in exponentiation with 1024-bit moduli. No EC algorithms are affected.
Analysis suggests that attacks against RSA and DSA as a result of this
defect would be very difficult to perform and are not believed likely.
Attacks against DH1024 are considered just feasible, because most of the
work necessary to deduce information about a private key may be performed
offline. The amount of resources required for such an attack would be
significant. However, for an attack on TLS to be meaningful, the server
would have to share the DH1024 private key among multiple clients, which is
no longer an option since CVE-2016-0701.

This only affects processors that support the AVX2 but not ADX extensions
like Intel Haswell (4th generation).

For more details, see https://www.openssl.org/news/secadv/20180327.txt

The copyright year changed in LICENSE, so adjust the hash to match.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6938c219d8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
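
Added example (not part of the commit above and not OpenSSL's code): a C model of the CVE-2018-0733 description, comparing a correct constant-time compare with one that only looks at the least significant bit of each byte, and measuring how many tag bits each one actually verifies. The function names and the 32-byte tag length are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef int (*cmp_fn)(const void *, const void *, size_t);

/* Reference constant-time compare: every bit of every byte contributes. */
int ct_memcmp(const void *a, const void *b, size_t len)
{
    const volatile unsigned char *pa = a, *pb = b;
    unsigned char diff = 0;
    for (size_t i = 0; i < len; i++)
        diff |= pa[i] ^ pb[i];
    return diff;                    /* 0 only when all bytes are equal */
}

/* Hypothetical C model of the defect described above (not the PA-RISC
 * assembly): only the least significant bit of each byte is compared. */
int lsb_only_memcmp(const void *a, const void *b, size_t len)
{
    const volatile unsigned char *pa = a, *pb = b;
    unsigned char diff = 0;
    for (size_t i = 0; i < len; i++)
        diff |= (pa[i] ^ pb[i]) & 1;
    return diff;
}

/* Count how many single-bit changes in a len-byte tag the compare detects;
 * this is the number of tag bits that are actually being verified. */
size_t effective_bits(cmp_fn cmp, size_t len)
{
    unsigned char ref[64] = {0}, probe[64];
    size_t detected = 0;
    if (len > sizeof(ref))
        len = sizeof(ref);
    for (size_t bit = 0; bit < len * 8; bit++) {
        memcpy(probe, ref, len);
        probe[bit / 8] ^= (unsigned char)(1u << (bit % 8));
        if (cmp(ref, probe, len) != 0)
            detected++;
    }
    return detected;
}

int main(void)
{
    /* 32 bytes = size of an HMAC-SHA256 tag (constructed test length). */
    printf("correct compare verifies  %zu bits\n", effective_bits(ct_memcmp, 32));
    printf("LSB-only compare verifies %zu bits\n", effective_bits(lsb_only_memcmp, 32));
    return 0;
}
```

Running the same bit-flip sweep against the comparison routine of a target build is a quick regression check that every tag bit is verified.
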
Fixes:
CVE-2017-3731 - Truncated packet could crash via OOB read.
CVE-2017-3732 - BN_mod_exp may produce incorrect results on x86_64
CVE-2016-7055 - Montgomery multiplication may produce incorrect results
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
CVE-2016-7052 - Missing CRL sanity check
[Peter: drop CVE 6309 from description as pointed out by Baruch]
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
https://www.openssl.org/news/secadv/20160922.txt
Fixes
SSL_peek() hang on empty record (CVE-2016-6305)
SWEET32 Mitigation (CVE-2016-2183)
OOB write in MDC2_Update() (CVE-2016-6303)
Malformed SHA512 ticket DoS (CVE-2016-6302)
OOB write in BN_bn2dec() (CVE-2016-2182)
OOB read in TS_OBJ_print_bio() (CVE-2016-2180)
Pointer arithmetic undefined behaviour (CVE-2016-2177)
Constant time flag not preserved in DSA signing (CVE-2016-2178)
DTLS buffered message DoS (CVE-2016-2179)
DTLS replay protection DoS (CVE-2016-2181)
Certificate message OOB reads (CVE-2016-6306)
Excessive allocation of memory in tls_get_message_header() (CVE-2016-6307)
Excessive allocation of memory in dtls1_preprocess_fragment() (CVE-2016-6308)
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The previous incarnation was incomplete, it only applied one of the
Gentoo patches, hence it had corner cases.
Apply all 4 patches as pointed out by Mike on the mailing list.
Signed-off-by: Gustavo Zacarias <gustavo.zacarias@free-electrons.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes:
CVE-2015-3193 - BN_mod_exp may produce incorrect results on x86_64
CVE-2015-3194 - Certificate verify crash with missing PSS parameter
CVE-2015-3195 - X509_ATTRIBUTE memory leak
Enable IDEA as well since otherwise the build breaks (always great
upstream) - it's no longer patent encumbered.
[Peter: correct sha256]
Signed-off-by: Gustavo Zacarias <gustavo.zacarias@free-electrons.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This is a patch that is originally based on a patch Thomas P.
submitted for an earlier version of this package. I have adapted this
patch to use the latest available Gentoo parallel patch. I have also
seen about a minute improvement on my build times of openssl.

Part of Thomas P's original message:

On my build server, the current build of OpenSSL takes 1 minute and
20 seconds. With this commit applied, enabling parallel build and
installation, the build only takes 28 seconds.

All the patches are downloaded from Gentoo.

There is apparently some interest in upstream OpenSSL to enable
parallel build, see for example commit
c3f22253b1. This
commit is not part of any OpenSSL release, but we can hope that the
problem will be resolved in the future.

Signed-off-by: Ryan Barnett <ryanbarnett3@gmail.com>
CC: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
CC: Gustavo Zacarias <gustavo@zacarias.com.ar>
CC: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
- Bump version to 1.0.2
- Adapt patches to new version
- Update hash value
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>