Index: trunk/server/common/patches/openssl-1.0.1e-cve-2015-3195.patch =================================================================== --- trunk/server/common/patches/openssl-1.0.1e-cve-2015-3195.patch (revision 2743) +++ trunk/server/common/patches/openssl-1.0.1e-cve-2015-3195.patch (revision 2743) @@ -0,0 +1,55 @@ +From b29ffa392e839d05171206523e84909146f7a77c Mon Sep 17 00:00:00 2001 +From: "Dr. Stephen Henson" +Date: Tue, 10 Nov 2015 19:03:07 +0000 +Subject: [PATCH] Fix leak with ASN.1 combine. + +When parsing a combined structure pass a flag to the decode routine +so on error a pointer to the parent structure is not zeroed as +this will leak any additional components in the parent. + +This can leak memory in any application parsing PKCS#7 or CMS structures. + +CVE-2015-3195. + +Thanks to Adam Langley (Google/BoringSSL) for discovering this bug using +libFuzzer. + +PR#4131 + +Reviewed-by: Richard Levitte + +Edited-to-apply: Alexander Chernyakhovsky +--- + crypto/asn1/tasn_dec.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c +index febf605..9256049 100644 +--- a/crypto/asn1/tasn_dec.c ++++ b/crypto/asn1/tasn_dec.c +@@ -169,6 +169,8 @@ + int otag; + int ret = 0; + ASN1_VALUE **pchptr, *ptmpval; ++ int combine = aclass & ASN1_TFLG_COMBINE; ++ aclass &= ~ASN1_TFLG_COMBINE; + if (!pval) + return 0; + if (aux && aux->asn1_cb) +@@ -539,6 +541,7 @@ + auxerr: + ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR); + err: ++ if (combine == 0) + ASN1_item_ex_free(pval, it); + if (errtt) + ERR_add_error_data(4, "Field=", errtt->field_name, +@@ -767,7 +770,7 @@ + { + /* Nothing special */ + ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), +- -1, 0, opt, ctx); ++ -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx); + if (!ret) + { + ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I,