untrusted comment: signature from openbsd 5.7 base secret key RWSvUZXnw9gUb/RUef97IvNWdo/ATqh/E6SLVblpV5x/ydtJGAYlpfJKMm1aZS25L9Mv37ogb9SMlj2CEzyxLy4ZtWqNfiHGvAg= OpenBSD 5.7 errata 9, June 11, 2015 Fix several defects from OpenSSL. These include: CVE-2015-1788 - Malformed ECParameters causes infinite loop CVE-2015-1789 - Exploitable out-of-bounds read in X509_cmp_time CVE-2015-1792 - CMS verify infinite loop with unknown hash function Several other issues did not apply or were already fixed. One low severity issue is still in review. For further details, please refer to https://www.openssl.org/news/secadv_20150611.txt Apply patch using: signify -Vep /etc/signify/openbsd-57-base.pub -x 009_openssl.patch.sig \ -m - | (cd /usr/src && patch -p0) Then build and install libcrypto cd /usr/src/lib/libcrypto/crypto make obj make make install Index: lib/libssl/src/crypto/bn/bn_gf2m.c =================================================================== RCS file: /cvs/src/lib/libssl/src/crypto/bn/bn_gf2m.c,v retrieving revision 1.18 diff -u -p -r1.18 bn_gf2m.c --- lib/libssl/src/crypto/bn/bn_gf2m.c 10 Feb 2015 09:50:12 -0000 1.18 +++ lib/libssl/src/crypto/bn/bn_gf2m.c 11 Jun 2015 16:21:08 -0000 @@ -745,8 +745,13 @@ BN_GF2m_mod_inv(BIGNUM *r, const BIGNUM ubits--; } - if (ubits <= BN_BITS2 && udp[0] == 1) - break; + if (ubits <= BN_BITS2) { + /* See if poly was reducible. */ + if (udp[0] == 0) + goto err; + if (udp[0] == 1) + break; + } if (ubits < vbits) { i = ubits; Index: lib/libssl/src/crypto/cms/cms_smime.c =================================================================== RCS file: /cvs/src/lib/libssl/src/crypto/cms/cms_smime.c,v retrieving revision 1.12 diff -u -p -r1.12 cms_smime.c --- lib/libssl/src/crypto/cms/cms_smime.c 11 Jul 2014 12:12:39 -0000 1.12 +++ lib/libssl/src/crypto/cms/cms_smime.c 11 Jun 2015 16:21:09 -0000 @@ -132,7 +132,7 @@ do_free_upto(BIO *f, BIO *upto) tbio = BIO_pop(f); BIO_free(f); f = tbio; - } while (f != upto); + } while (f != NULL && f != upto); } else BIO_free_all(f); } Index: lib/libssl/src/crypto/x509/x509_vfy.c =================================================================== RCS file: /cvs/src/lib/libssl/src/crypto/x509/x509_vfy.c,v retrieving revision 1.40 diff -u -p -r1.40 x509_vfy.c --- lib/libssl/src/crypto/x509/x509_vfy.c 11 Feb 2015 02:17:59 -0000 1.40 +++ lib/libssl/src/crypto/x509/x509_vfy.c 11 Jun 2015 16:21:09 -0000 @@ -1650,34 +1650,57 @@ X509_cmp_time(const ASN1_TIME *ctm, time memcpy(p, str, 10); p += 10; str += 10; + i -= 10; } else { if (i < 13) return 0; memcpy(p, str, 12); p += 12; str += 12; + i -= 12; } + if (i < 1) + return 0; if ((*str == 'Z') || (*str == '-') || (*str == '+')) { *(p++) = '0'; *(p++) = '0'; } else { + if (i < 2) + return 0; *(p++) = *(str++); *(p++) = *(str++); + i -= 2; + if (i < 1) + return 0; /* Skip any fractional seconds... */ if (*str == '.') { str++; - while ((*str >= '0') && (*str <= '9')) + i--; + while (i > 1 && (*str >= '0') && (*str <= '9')) { str++; + i--; + } } } *(p++) = 'Z'; *(p++) = '\0'; - if (*str == 'Z') + if (i < 1) + return 0; + if (*str == 'Z') { + if (i != 1) + return 0; offset = 0; - else { + } else { + if (i != 5) + return 0; if ((*str != '+') && (*str != '-')) + return 0; + if (str[1] < '0' || str[1] > '9' || + str[2] < '0' || str[2] > '9' || + str[3] < '0' || str[3] > '9' || + str[4] < '0' || str[4] > '9') return 0; offset = ((str[1] - '0') * 10 + (str[2] - '0')) * 60; offset += (str[3] - '0') * 10 + (str[4] - '0');