From: Dr. Stephen Henson <steve@openssl.org>
Date: Tue, 1 Jun 2010 13:17:06 +0000 (+0000)
Subject: Fix CVE-2010-1633 and CVE-2010-0742.
X-Git-Tag: OpenSSL_1_0_0a~1
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=618265e64540307f0d1764208b9c048702df9b59;p=oweals%2Fopenssl.git

Fix CVE-2010-1633 and CVE-2010-0742.
---

diff --git a/CHANGES b/CHANGES
index 230535d781..ccf09e174f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,7 +4,9 @@
 
  Changes between 1.0.0 and 1.0.0a  [xx XXX xxxx]
 
-  *)
+  *) Check return value of int_rsa_verify in pkey_rsa_verifyrecover 
+     (CVE-2010-1633)
+     [Steve Henson, Peter-Michael Hager <hager@dortmund.net>]
 
  Changes between 0.9.8n and 1.0.0  [29 Mar 2010]
 
@@ -849,6 +851,10 @@
   
  Changes between 0.9.8n and 0.9.8o [xx XXX xxxx]
 
+  *) Correct a typo in the CMS ASN1 module which can result in invalid memory
+     access or freeing data twice (CVE-2010-0742)
+     [Steve Henson, Ronald Moesbergen <intercommit@gmail.com>]
+
   *) Add SHA2 algorithms to SSL_library_init(). SHA2 is becoming far more
      common in certificates and some applications which only call
      SSL_library_init and not OpenSSL_add_all_algorithms() will fail.
diff --git a/NEWS b/NEWS
index 65c0ac933f..3a787ea06c 100644
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,7 @@
 
   Major changes between OpenSSL 1.0.0 and OpenSSL 1.0.0a:
 
+      o Fix for security issue CVE-2010-1633.
       o GOST MAC and CFB fixes.
 
   Major changes between OpenSSL 0.9.8n and OpenSSL 1.0:
@@ -34,6 +35,7 @@
 
   Major changes between OpenSSL 0.9.8n and OpenSSL 0.9.8o:
 
+      o Fix for security issue CVE-2010-0742.
       o Various DTLS fixes.
       o Recognise SHA2 certificates if only SSL algorithms added.
       o Fix for no-rc4 compilation.
diff --git a/crypto/cms/cms_asn1.c b/crypto/cms/cms_asn1.c
index 7f7132c3bb..fcba4dcbcc 100644
--- a/crypto/cms/cms_asn1.c
+++ b/crypto/cms/cms_asn1.c
@@ -131,8 +131,8 @@ ASN1_NDEF_SEQUENCE(CMS_SignedData) = {
 } ASN1_NDEF_SEQUENCE_END(CMS_SignedData)
 
 ASN1_SEQUENCE(CMS_OriginatorInfo) = {
-	ASN1_IMP_SET_OF_OPT(CMS_SignedData, certificates, CMS_CertificateChoices, 0),
-	ASN1_IMP_SET_OF_OPT(CMS_SignedData, crls, CMS_RevocationInfoChoice, 1)
+	ASN1_IMP_SET_OF_OPT(CMS_OriginatorInfo, certificates, CMS_CertificateChoices, 0),
+	ASN1_IMP_SET_OF_OPT(CMS_OriginatorInfo, crls, CMS_RevocationInfoChoice, 1)
 } ASN1_SEQUENCE_END(CMS_OriginatorInfo)
 
 ASN1_NDEF_SEQUENCE(CMS_EncryptedContentInfo) = {
diff --git a/crypto/rsa/rsa_pmeth.c b/crypto/rsa/rsa_pmeth.c
index 297e17cdcf..c6892ecd09 100644
--- a/crypto/rsa/rsa_pmeth.c
+++ b/crypto/rsa/rsa_pmeth.c
@@ -246,6 +246,8 @@ static int pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx,
 			ret = int_rsa_verify(EVP_MD_type(rctx->md),
 						NULL, 0, rout, &sltmp,
 					sig, siglen, ctx->pkey->pkey.rsa);
+			if (ret <= 0)
+				return 0;
 			ret = sltmp;
 			}
 		else