Package: openssl / 1.0.1e-2+deb7u20

Metadata

Package: openssl
Version: 1.0.1e-2+deb7u20
Patches format: 3.0 (quilt)

Patch series

Each entry below lists the patch file, its per-file delta, and the patch description.
Applying same fix as in dtls1_process_out_of_seq_mes.patch

ssl/d1_both.c | 4 3 + 1 - 0 !
1 file changed, 3 insertions(+), 1 deletion(-)

 [patch 06/16] applying same fix as in
 dtls1_process_out_of_seq_message. A truncated DTLS fragment would cause *ok
 to be clear, but the return value would still be the number of bytes read.

Problem identified by Emilia Käsper, based on previous issue/patch by Adam
Langley.

Remove some duplicate DTLS code.patch

ssl/d1_both.c | 16 4 + 12 - 0 !
1 file changed, 4 insertions(+), 12 deletions(-)

 [patch 07/16] remove some duplicate dtls code.

In a couple of functions, a sequence number would be calculated twice.

Additionally, in |dtls1_process_out_of_seq_message|, we know that
|frag_len| <= |msg_hdr->msg_len| so the later tests for |frag_len <
msg_hdr->msg_len| can be more clearly written as |frag_len !=
msg_hdr->msg_len|, since that's the only remaining case.

Fix protocol downgrade bug in case of fragmented pac.patch

ssl/s23_srvr.c | 30 23 + 7 - 0 !
1 file changed, 23 insertions(+), 7 deletions(-)

 [patch 08/16] fix protocol downgrade bug in case of fragmented
 packets

CVE-2014-3511

Fix DTLS anonymous EC DH denial of service.patch

ssl/d1_clnt.c | 23 21 + 2 - 0 !
ssl/s3_clnt.c | 7 7 + 0 - 0 !
2 files changed, 28 insertions(+), 2 deletions(-)

 [patch 09/16] fix dtls anonymous ec(dh) denial of service

CVE-2014-3510

Fix OID handling.patch

crypto/asn1/a_object.c | 30 21 + 9 - 0 !
crypto/objects/obj_dat.c | 16 9 + 7 - 0 !
2 files changed, 30 insertions(+), 16 deletions(-)

 [patch 10/16] fix oid handling:

- Upon parsing, reject OIDs with invalid base-128 encoding.
- Always NUL-terminate the destination buffer in OBJ_obj2txt printing function.

CVE-2014-3508

Fix race condition in ssl_parse_serverhello_tlsext.patch

ssl/t1_lib.c | 17 10 + 7 - 0 !
1 file changed, 10 insertions(+), 7 deletions(-)

 [patch 11/16] fix race condition in ssl_parse_serverhello_tlsext

CVE-2014-3509

SRP ciphersuite correction.patch

ssl/s3_lib.c | 6 3 + 3 - 0 !
ssl/ssl.h | 1 1 + 0 - 0 !
ssl/ssl_ciph.c | 4 4 + 0 - 0 !
ssl/ssl_locl.h | 1 1 + 0 - 0 !
4 files changed, 9 insertions(+), 3 deletions(-)

 [patch] srp ciphersuite correction.

SRP ciphersuites do not have no authentication. They have authentication
based on SRP. Add new SRP authentication flag and cipher string.
(cherry picked from commit a86b88acc373ac1fb0ca709a5fb8a8fa74683f67)

Fix SRP ciphersuite DoS vulnerability.patch

ssl/s3_clnt.c | 9 9 + 0 - 0 !
ssl/ssl_lib.c | 5 5 + 0 - 0 !
2 files changed, 14 insertions(+)

 [patch 12/16] fix srp ciphersuite dos vulnerability.

If a client attempted to use an SRP ciphersuite and it had not been
set up correctly it would crash with a null pointer read. A malicious
server could exploit this in a DoS attack.

Thanks to Joonas Kuorilehto and Riku Hietamäki from Codenomicon
for reporting this issue.

CVE-2014-5139

Fix SRP buffer overrun vulnerability.patch

crypto/srp/srp_lib.c | 6 6 + 0 - 0 !
1 file changed, 6 insertions(+)

 [patch 13/16] fix srp buffer overrun vulnerability.

Invalid parameters passed to the SRP code can overrun an internal
buffer. Add sanity check that g, A, B < N to SRP code.

Thanks to Sean Devlin and Watson Ladd of Cryptography Services, NCC
Group for reporting this issue.

Check SRP parameters early.patch

ssl/s3_clnt.c | 6 6 + 0 - 0 !
ssl/s3_srvr.c | 7 7 + 0 - 0 !
ssl/ssl.h | 1 1 + 0 - 0 !
ssl/ssl_err.c | 1 1 + 0 - 0 !
ssl/ssl_locl.h | 2 2 + 0 - 0 !
ssl/tls_srp.c | 48 37 + 11 - 0 !
6 files changed, 54 insertions(+), 11 deletions(-)

 [patch 14/16] check srp parameters early.

Check SRP parameters when they are received so we can send back an
appropriate alert.

Support TLS_FALLBACK_SCSV.patch

apps/s_client.c | 10 10 + 0 - 0 !
crypto/err/openssl.ec | 1 1 + 0 - 0 !
doc/apps/s_client.pod | 14 10 + 4 - 0 !
doc/ssl/SSL_CTX_set_mode.pod | 6 6 + 0 - 0 !
ssl/d1_lib.c | 10 10 + 0 - 0 !
ssl/dtls1.h | 3 2 + 1 - 0 !
ssl/s23_clnt.c | 3 3 + 0 - 0 !
ssl/s23_srvr.c | 3 3 + 0 - 0 !
ssl/s2_lib.c | 4 3 + 1 - 0 !
ssl/s3_enc.c | 2 1 + 1 - 0 !
ssl/s3_lib.c | 29 28 + 1 - 0 !
ssl/ssl.h | 9 9 + 0 - 0 !
ssl/ssl3.h | 7 6 + 1 - 0 !
ssl/ssl_err.c | 2 2 + 0 - 0 !
ssl/ssl_lib.c | 60 46 + 14 - 0 !
ssl/t1_enc.c | 1 1 + 0 - 0 !
ssl/tls1.h | 15 9 + 6 - 0 !
17 files changed, 150 insertions(+), 29 deletions(-)

 [patch] support tls_fallback_scsv.

Fix for SRTP Memory Leak.patch

ssl/d1_srtp.c | 93 31 + 62 - 0 !
ssl/t1_lib.c | 9 5 + 4 - 0 !
2 files changed, 36 insertions(+), 66 deletions(-)

 [patch 1/4] fix for srtp memory leak

CVE-2014-3513

This issue was reported to OpenSSL on 26th September 2014, based on an original
issue and patch developed by the LibreSSL project. Further analysis of the issue
was performed by the OpenSSL team.

The fix was developed by the OpenSSL team.

Fix for session tickets memory leak.patch

ssl/t1_lib.c | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 [patch 3/4] fix for session tickets memory leak.

CVE-2014-3567

Fix no ssl3 configuration option.patch

ssl/s23_clnt.c | 9 7 + 2 - 0 !
ssl/s23_srvr.c | 18 9 + 9 - 0 !
2 files changed, 16 insertions(+), 11 deletions(-)

 [patch 4/4] fix no-ssl3 configuration option

CVE-2014-3568

Keep old method in case of an unsupported protocol.patch

ssl/s23_srvr.c | 6 4 + 2 - 0 !
1 file changed, 4 insertions(+), 2 deletions(-)

 [patch] keep old method in case of an unsupported protocol

When we're configured with no-ssl3 and we receive an SSL v3 Client Hello, we set
the method to NULL.  We didn't used to do that, and it breaks things.  This is a
regression introduced in 62f45cc27d07187b59551e4fad3db4e52ea73f2c.  Keep the old
method since the code is not able to deal with a NULL method at this time.

CVE-2014-3569, PR#3571

0082 Return error when a bit string indicates an invalid .patch

crypto/asn1/a_bitstr.c | 7 6 + 1 - 0 !
crypto/asn1/asn1.h | 1 1 + 0 - 0 !
crypto/asn1/asn1_err.c | 1 1 + 0 - 0 !
3 files changed, 8 insertions(+), 1 deletion(-)

 [patch 082/117] return error when a bit string indicates an invalid
 amount of bits left

0094 Fix various certificate fingerprint issues.patch

crypto/asn1/a_verify.c | 12 12 + 0 - 0 !
crypto/dsa/dsa_asn1.c | 14 13 + 1 - 0 !
crypto/ecdsa/ecs_vrf.c | 15 14 + 1 - 0 !
crypto/x509/x_all.c | 2 2 + 0 - 0 !
4 files changed, 41 insertions(+), 2 deletions(-)

 [patch 094/117] fix various certificate fingerprint issues.

By using non-DER or invalid encodings outside the signed portion of a
certificate the fingerprint can be changed without breaking the signature.
Although no details of the signed portion of the certificate can be changed
this can cause problems with some applications: e.g. those using the
certificate fingerprint for blacklists.

1. Reject signatures with non zero unused bits.

If the BIT STRING containing the signature has non zero unused bits reject
the signature. All current signature algorithms require zero unused bits.

2. Check certificate algorithm consistency.

Check the AlgorithmIdentifier inside TBS matches the one in the
certificate signature. NB: this will result in signature failure
errors for some broken certificates.

3. Check DSA/ECDSA signatures use DER.

Reencode DSA/ECDSA signatures and compare with the original received
signature. Return an error if there is a mismatch.

This will reject various cases including garbage after signature
(thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
(negative or with leading zeroes).

CVE-2014-8275

0095 Constify ASN1_TYPE_cmp add X509_ALGOR_cmp.patch

crypto/asn1/a_type.c | 2 1 + 1 - 0 !
crypto/asn1/asn1.h | 2 1 + 1 - 0 !
crypto/asn1/x_algor.c | 11 11 + 0 - 0 !
crypto/x509/x509.h | 1 1 + 0 - 0 !
4 files changed, 14 insertions(+), 2 deletions(-)

 [patch 095/117] constify asn1_type_cmp add x509_algor_cmp.

0098 ECDH downgrade bug fix.patch

ssl/s3_clnt.c | 18 15 + 3 - 0 !
1 file changed, 15 insertions(+), 3 deletions(-)

 [patch 098/117] ecdh downgrade bug fix.

Fix bug where an OpenSSL client would accept a handshake using an
ephemeral ECDH ciphersuites with the server key exchange message omitted.

Thanks to Karthikeyan Bhargavan for reporting this issue.

CVE-2014-3572

0099 Only allow ephemeral RSA keys in export ciphersuites.patch

doc/ssl/SSL_CTX_set_options.pod | 10 1 + 9 - 0 !
doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod | 23 8 + 15 - 0 !
ssl/d1_srvr.c | 21 6 + 15 - 0 !
ssl/s3_clnt.c | 7 7 + 0 - 0 !
ssl/s3_srvr.c | 21 6 + 15 - 0 !
ssl/ssl.h | 5 2 + 3 - 0 !
6 files changed, 30 insertions(+), 57 deletions(-)

 [patch 099/117] only allow ephemeral rsa keys in export ciphersuites.

OpenSSL clients would tolerate temporary RSA keys in non-export
ciphersuites. It also had an option SSL_OP_EPHEMERAL_RSA which
enabled this server side. Remove both options as they are a
protocol violation.

Thanks to Karthikeyan Bhargavan for reporting this issue.
(CVE-2015-0204)

0102 use correct function name.patch

crypto/asn1/a_verify.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch 102/117] use correct function name

0107 fix error discrepancy.patch

ssl/s3_clnt.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch 107/117] fix error discrepancy

0108 Fix for CVE 2014 3570.patch

crypto/bn/asm/mips.pl | 611 131 + 480 - 0 !
crypto/bn/asm/mips3.s | 2201 0 + 2201 - 0 !
crypto/bn/asm/x86_64-gcc.c | 34 15 + 19 - 0 !
crypto/bn/bn_asm.c | 16 10 + 6 - 0 !
crypto/bn/bntest.c | 102 78 + 24 - 0 !
5 files changed, 234 insertions(+), 2730 deletions(-)

 [patch 108/117] fix for cve-2014-3570.

0109 Fix crash in dtls1_get_record whilst in the listen s.patch

ssl/d1_pkt.c | 2 0 + 2 - 0 !
ssl/s3_pkt.c | 2 2 + 0 - 0 !
2 files changed, 2 insertions(+), 2 deletions(-)

 [patch 109/117] fix crash in dtls1_get_record whilst in the listen
 state where you get two separate reads performed - one for the header and one
 for the body of the handshake record.

CVE-2014-3571

0110 Follow on from CVE 2014 3571. This fixes the code th.patch

ssl/d1_pkt.c | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 [patch 110/117] follow on from cve-2014-3571. this fixes the code
 that was the original source of the crash due to p being NULL. Steve's fix
 prevents this situation from occurring - however this is by no means obvious
 by looking at the code for dtls1_get_record. This fix just makes things look
 a bit more sane.

0111 Unauthenticated DH client certificate fix.patch

ssl/s3_srvr.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch 111/117] unauthenticated dh client certificate fix.

Fix to prevent use of DH client certificates without sending
certificate verify message.

If we've used a client certificate to generate the premaster secret
ssl3_get_client_key_exchange returns 2 and ssl3_get_cert_verify is
never called.

We can only skip the certificate verify message in
ssl3_get_cert_verify if the client didn't send a certificate.

Thanks to Karthikeyan Bhargavan for reporting this issue.
CVE-2015-0205

0112 A memory leak can occur in dtls1_buffer_record if ei.patch

ssl/d1_pkt.c | 30 21 + 9 - 0 !
1 file changed, 21 insertions(+), 9 deletions(-)

 [patch 112/117] a memory leak can occur in dtls1_buffer_record if
 either of the calls to ssl3_setup_buffers or pqueue_insert fail. The former
 will fail if there is a malloc failure, whilst the latter will fail if
 attempting to add a duplicate record to the queue. This should never happen
 because duplicate records should be detected and dropped before any attempt
 to add them to the queue. Unfortunately records that arrive that are for the
 next epoch are not being recorded correctly, and therefore replays are not
 being detected. Additionally, these "should not happen" failures that can
 occur in dtls1_buffer_record are not being treated as fatal and therefore an
 attacker could exploit this by sending repeated replay records for the next
 epoch, eventually causing a DoS through memory exhaustion.

Thanks to Chris Mueller for reporting this issue and providing initial
analysis and a patch. Further analysis and the final patch was performed by
Matt Caswell from the OpenSSL development team.

CVE-2015-0206

0006 Fix reachable assert in SSLv2 servers.patch

ssl/s2_lib.c | 2 1 + 1 - 0 !
ssl/s2_srvr.c | 55 46 + 9 - 0 !
2 files changed, 47 insertions(+), 10 deletions(-)

 [patch 6/6] fix reachable assert in sslv2 servers.

This assert is reachable for servers that support SSLv2 and export ciphers.
Therefore, such servers can be DoSed by sending a specially crafted
SSLv2 CLIENT-MASTER-KEY.

Also fix s2_srvr.c to error out early if the key lengths are malformed.
These lengths are sent unencrypted, so this does not introduce an oracle.

CVE-2015-0293

This issue was discovered by Sean Burford (Google) and Emilia Käsper of
the OpenSSL development team.

0005 PKCS 7 avoid NULL pointer dereferences with missing .patch

crypto/pkcs7/pk7_doit.c | 94 76 + 18 - 0 !
crypto/pkcs7/pk7_lib.c | 3 3 + 0 - 0 !
2 files changed, 79 insertions(+), 18 deletions(-)

 [patch 5/6] pkcs#7: avoid null pointer dereferences with missing
 content

In PKCS#7, the ASN.1 content component is optional.
This typically applies to inner content (detached signatures),
however we must also handle unexpected missing outer content
correctly.

This patch only addresses functions reachable from parsing,
decryption and verification, and functions otherwise associated
with reading potentially untrusted data.

Correcting all low-level API calls requires further work.

CVE-2015-0289

Thanks to Michal Zalewski (Google) for reporting this issue.

0004 Fix ASN1_TYPE_cmp.patch

crypto/asn1/a_type.c | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 [patch 4/6] fix asn1_type_cmp

Fix segmentation violation when ASN1_TYPE_cmp is passed a boolean type. This
can be triggered during certificate verification so could be a DoS attack
against a client or a server enabling client authentication.

CVE-2015-0286

0002 Free up ADB and CHOICE if already initialised.patch

crypto/asn1/tasn_dec.c | 24 21 + 3 - 0 !
1 file changed, 21 insertions(+), 3 deletions(-)

 [patch 2/6] free up adb and choice if already initialised.

CVE-2015-0287

0001 fix warning.patch

ssl/ssl_locl.h | 6 3 + 3 - 0 !
1 file changed, 3 insertions(+), 3 deletions(-)

 [patch 1/6] fix warning

0001 Remove export ciphers from the DEFAULT cipher list.patch

doc/apps/ciphers.pod | 4 2 + 2 - 0 !
ssl/ssl.h | 2 1 + 1 - 0 !
ssl/ssl_ciph.c | 8 7 + 1 - 0 !
3 files changed, 10 insertions(+), 4 deletions(-)

 [patch] remove export ciphers from the default cipher list

They are moved to the COMPLEMENTOFDEFAULT instead.
This also fixes SSLv2 to be part of COMPLEMENTOFDEFAULT.

0001 Make DTLS always act as if read_ahead is set. The ac.patch

ssl/s3_pkt.c | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 [patch] make dtls always act as if read_ahead is set. the actual
 value of read_ahead is ignored for DTLS.

RT#3657

0001 Fix a failure to NULL a pointer freed on error.patch

crypto/ec/ec_asn1.c | 6 3 + 3 - 0 !
1 file changed, 3 insertions(+), 3 deletions(-)

 [patch] fix a failure to null a pointer freed on error.

Inspired by BoringSSL commit 517073cd4b by Eric Roman <eroman@chromium.org>

CVE-2015-0209

0001 Check public key is not NULL.patch

crypto/x509/x509_req.c | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 [patch] check public key is not null.

CVE-2015-0288
PR#3708

0001 evp prevent underflow in base64 decoding.patch

crypto/evp/encode.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 [patch] evp: prevent underflow in base64 decoding

This patch resolves RT ticket #2608.

Thanks to Robert Dugal for originally spotting this, and to David
Ramos for noticing that the ball had been dropped.

Signed-off-by: Geoff Thorpe <geoff@openssl.org>

0008 Fix a failure to NULL a pointer freed on error.patch

crypto/asn1/x_x509.c | 12 11 + 1 - 0 !
crypto/ec/ec_asn1.c | 7 5 + 2 - 0 !
2 files changed, 16 insertions(+), 3 deletions(-)

 [patch 08/12] fix a failure to null a pointer freed on error.

Reported by the LibreSSL project as a follow on to CVE-2015-0209

CVE 2015 1791.patch

ssl/s3_clnt.c | 32 32 + 0 - 0 !
ssl/ssl.h | 1 1 + 0 - 0 !
ssl/ssl_err.c | 1 1 + 0 - 0 !
ssl/ssl_locl.h | 1 1 + 0 - 0 !
ssl/ssl_sess.c | 126 126 + 0 - 0 !
5 files changed, 161 insertions(+)

CVE 2015 1792.patch

crypto/cms/cms_smime.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch] fix infinite loop in cms

Fix loop in do_free_upto if cmsbio is NULL: this will happen when attempting
to verify and a digest is not recognised. Reported by Johannes Bauer.

CVE-2015-1792

CVE 2015 1789.patch

crypto/x509/x509_vfy.c | 77 58 + 19 - 0 !
1 file changed, 58 insertions(+), 19 deletions(-)

 [patch] fix length checks in x509_cmp_time to avoid out-of-bounds
 reads.

Also tighten X509_cmp_time to reject more than three fractional
seconds in the time; and to reject trailing garbage after the offset.

CVE-2015-1789

CVE 2015 1790.patch

crypto/pkcs7/pk7_doit.c | 16 15 + 1 - 0 !
1 file changed, 15 insertions(+), 1 deletion(-)

 [patch] pkcs#7: fix null dereference with missing encryptedcontent.

CVE-2015-1790

CVE 2015 1788.patch

crypto/bn/bn_gf2m.c | 14 10 + 4 - 0 !
1 file changed, 10 insertions(+), 4 deletions(-)

 [patch] bn/bn_gf2m.c: avoid infinite loop with malformed ecparameters.

CVE-2015-1788

CVE 2015 4000.patch

ssl/s3_clnt.c | 33 20 + 13 - 0 !
ssl/ssl.h | 1 1 + 0 - 0 !
ssl/ssl_err.c | 1 1 + 0 - 0 !
3 files changed, 22 insertions(+), 13 deletions(-)

 [patch] client: reject handshakes with dh parameters < 768 bits.

Since the client has no way of communicating her supported parameter
range to the server, connections to servers that choose weak DH will
simply fail.

CVE 2014 8176.patch

ssl/d1_lib.c | 9 6 + 3 - 0 !
1 file changed, 6 insertions(+), 3 deletions(-)

 [patch] free up s->d1->buffered_app_data.q properly.

PR#3286
(cherry picked from commit 71e95000afb2227fe5cac1c79ae884338bcd8d0b)

CVE 2015 3194.patch

crypto/rsa/rsa_ameth.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch 2/2] add pss parameter check.

Avoid seg fault by checking mgf1 parameter is not NULL. This can be
triggered during certificate verification so could be a DoS attack
against a client or a server enabling client authentication.

Thanks to Loïc Jonas Etienne (Qnective AG) for discovering this bug.

CVE-2015-3194

CVE 2015 3195.patch

crypto/asn1/tasn_dec.c | 7 5 + 2 - 0 !
1 file changed, 5 insertions(+), 2 deletions(-)

 [patch 1/2] fix leak with asn.1 combine.

When parsing a combined structure pass a flag to the decode routine
so on error a pointer to the parent structure is not zeroed as
this will leak any additional components in the parent.

This can leak memory in any application parsing PKCS#7 or CMS structures.

CVE-2015-3195.

Thanks to Adam Langley (Google/BoringSSL) for discovering this bug using
libFuzzer.

PR#4131

CVE 2015 3196.patch

ssl/s3_clnt.c | 16 3 + 13 - 0 !
ssl/s3_srvr.c | 2 1 + 1 - 0 !
2 files changed, 4 insertions(+), 14 deletions(-)

 [patch] fix psk handling.

The PSK identity hint should be stored in the SSL_SESSION structure
and not in the parent context (which will overwrite values used
by other SSL structures with the same SSL_CTX).

Use BUF_strndup when copying identity as it may not be null terminated.

CVE 2015 7575.patch

ssl/t1_lib.c | 16 0 + 16 - 0 !
1 file changed, 16 deletions(-)

 [patch] don't use rsa+md5 with tls 1.2

Since the TLS 1.2 supported signature algorithms extension is less
sophisticated in OpenSSL 1.0.1 this has to be done in two stages.

RSA+MD5 is removed from supported signature algorithms extension:
any compliant implementation should never use RSA+MD5 as a result.

To cover the case of a broken implementation using RSA+MD5 anyway
disable lookup of MD5 algorithm in TLS 1.2.

Disable EXPORT and LOW ciphers.patch

doc/apps/ciphers.pod | 34 23 + 11 - 0 !
ssl/s3_lib.c | 467 0 + 467 - 0 !
2 files changed, 23 insertions(+), 478 deletions(-)

CVE 2016 0797.patch

crypto/bn/bn.h | 14 12 + 2 - 0 !
crypto/bn/bn_print.c | 17 11 + 6 - 0 !
2 files changed, 23 insertions(+), 8 deletions(-)

 [patch] fix bn_hex2bn/bn_dec2bn null ptr/heap corruption

CVE 2016 0798.patch

apps/s_server.c | 25 17 + 8 - 0 !
crypto/srp/srp.h | 11 11 + 0 - 0 !
crypto/srp/srp_vfy.c | 57 52 + 5 - 0 !
util/libeay.num | 2 2 + 0 - 0 !
4 files changed, 82 insertions(+), 13 deletions(-)

 [patch] cve-2016-0798: avoid memory leak in srp

The SRP user database lookup method SRP_VBASE_get_by_user had confusing
memory management semantics; the returned pointer was sometimes newly
allocated, and sometimes owned by the callee. The calling code has no
way of distinguishing these two cases.

Specifically, SRP servers that configure a secret seed to hide valid
login information are vulnerable to a memory leak: an attacker
connecting with an invalid username can cause a memory leak of around
300 bytes per connection.

Servers that do not configure SRP, or configure SRP but do not configure
a seed are not vulnerable.

In Apache, the seed directive is known as SSLSRPUnknownUserSeed.

To mitigate the memory leak, the seed handling in SRP_VBASE_get_by_user
is now disabled even if the user has configured a seed.

Applications are advised to migrate to SRP_VBASE_get1_by_user. However,
note that OpenSSL makes no strong guarantees about the
indistinguishability of valid and invalid logins. In particular,
computations are currently not carried out in constant time.

CVE 2016 0799.patch

crypto/bio/b_print.c | 196 120 + 76 - 0 !
1 file changed, 120 insertions(+), 76 deletions(-)

 [patch] fix memory issues in bio_*printf functions

The internal |fmtstr| function used in processing a "%s" format string
in the BIO_*printf functions could overflow while calculating the length
of a string and cause an OOB read when printing very long strings.

Additionally the internal |doapr_outch| function can attempt to write to
an OOB memory location (at an offset from the NULL pointer) in the event of
a memory allocation failure. In 1.0.2 and below this could be caused where
the size of a buffer to be allocated is greater than INT_MAX. E.g. this
could be in processing a very long "%s" format string. Memory leaks can also
occur.

These issues will only occur on certain platforms where sizeof(size_t) >
sizeof(int). E.g. many 64 bit systems. The first issue may mask the second
issue dependent on compiler behaviour.

These problems could enable attacks where large amounts of untrusted data
is passed to the BIO_*printf functions. If applications use these functions
in this way then they could be vulnerable. OpenSSL itself uses these
functions when printing out human-readable dumps of ASN.1 data. Therefore
applications that print this data could be vulnerable if the data is from
untrusted sources. OpenSSL command line applications could also be
vulnerable where they print out ASN.1 data, or if untrusted data is passed
as command line arguments.

Libssl is not considered directly vulnerable. Additionally certificates etc
received via remote connections via libssl are also unlikely to be able to
trigger these issues because of message size limits enforced within libssl.

CVE-2016-0799

Issue reported by Guido Vranken.

CVE 2016 0702.patch

crypto/bn/asm/x86_64-mont5.pl | 517 316 + 201 - 0 !
crypto/bn/bn_exp.c | 73 55 + 18 - 0 !
crypto/constant_time_locl.h | 206 206 + 0 - 0 !
crypto/perlasm/x86_64-xlate.pl | 2 1 + 1 - 0 !
4 files changed, 578 insertions(+), 220 deletions(-)

CVE 2016 0705.patch

crypto/dsa/dsa_ameth.c | 22 11 + 11 - 0 !
1 file changed, 11 insertions(+), 11 deletions(-)

 [patch] fix double free in dsa private key parsing.

Fix double free bug when parsing malformed DSA private keys.

Thanks to Adam Langley (Google/BoringSSL) for discovering this bug using
libFuzzer.

CVE-2016-0705