Update from stable branch.
authorDr. Stephen Henson <steve@openssl.org>
Wed, 25 Mar 2009 12:53:50 +0000 (12:53 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Wed, 25 Mar 2009 12:53:50 +0000 (12:53 +0000)
CHANGES
crypto/asn1/asn1_err.c
crypto/asn1/tasn_dec.c

diff --git a/CHANGES b/CHANGES
index 024b05d..1b034ce 100644 (file)
--- a/CHANGES
+++ b/CHANGES
 
  Changes between 0.9.8j and 0.9.8k  [xx XXX xxxx]
 
+  *) Fix bug where return value of CMS_SignerInfo_verify_content() was not
+     checked correctly. This would allow some invalid signed attributes to
+     appear to verify correctly. (CVE-2009-0591)
+     [Ivan Nestlerode <inestlerode@us.ibm.com>]
+
   *) Reject UniversalString and BMPString types with invalid lengths. This
      prevents a crash in ASN1_STRING_print_ex() which assumes the strings have
      a legal length. (CVE-2009-0590)
index 063d705..cdee663 100644 (file)
@@ -199,6 +199,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]=
 {ERR_REASON(ASN1_R_BAD_OBJECT_HEADER)    ,"bad object header"},
 {ERR_REASON(ASN1_R_BAD_PASSWORD_READ)    ,"bad password read"},
 {ERR_REASON(ASN1_R_BAD_TAG)              ,"bad tag"},
+{ERR_REASON(ASN1_R_BMPSTRING_IS_WRONG_LENGTH),"bmpstring is wrong length"},
 {ERR_REASON(ASN1_R_BN_LIB)               ,"bn lib"},
 {ERR_REASON(ASN1_R_BOOLEAN_IS_WRONG_LENGTH),"boolean is wrong length"},
 {ERR_REASON(ASN1_R_BUFFER_TOO_SMALL)     ,"buffer too small"},
@@ -290,6 +291,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]=
 {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_KEY),"unable to decode rsa key"},
 {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY),"unable to decode rsa private key"},
 {ERR_REASON(ASN1_R_UNEXPECTED_EOC)       ,"unexpected eoc"},
+{ERR_REASON(ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH),"universalstring is wrong length"},
 {ERR_REASON(ASN1_R_UNKNOWN_FORMAT)       ,"unknown format"},
 {ERR_REASON(ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM),"unknown message digest algorithm"},
 {ERR_REASON(ASN1_R_UNKNOWN_OBJECT_TYPE)  ,"unknown object type"},
index b8fa208..359e9c3 100644 (file)
@@ -1016,6 +1016,18 @@ int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
                case V_ASN1_SET:
                case V_ASN1_SEQUENCE:
                default:
+               if (utype == V_ASN1_BMPSTRING && (len & 1))
+                       {
+                       ASN1err(ASN1_F_ASN1_EX_C2I,
+                                       ASN1_R_BMPSTRING_IS_WRONG_LENGTH);
+                       goto err;
+                       }
+               if (utype == V_ASN1_UNIVERSALSTRING && (len & 3))
+                       {
+                       ASN1err(ASN1_F_ASN1_EX_C2I,
+                                       ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH);
+                       goto err;
+                       }
                /* All based on ASN1_STRING and handled the same */
                if (!*pval)
                        {