author: delphij <delphij@FreeBSD.org> 2015-03-19 17:40:43 +0000
committer: delphij <delphij@FreeBSD.org> 2015-03-19 17:40:43 +0000
commit: fc2b8b39295ae7b252b4d347ec1ae0f8809bcf28 (patch)
tree: 7326cab4871c580c3c53398f142c5ce3756ffa2e /secure/lib
parent: c07681e98fa5c95043dac5a322c9d6ad25abca8c (diff)
Fix multiple OpenSSL vulnerabilities.

Security: FreeBSD-SA-15:06.openssl
Security: CVE-2015-0209
Security: CVE-2015-0286
Security: CVE-2015-0287
Security: CVE-2015-0288
Security: CVE-2015-0289
Security: CVE-2015-0293

Diffstat (limited to 'secure/lib')
-rw-r--r-- secure/lib/libcrypto/man/d2i_X509.3 10
1 files changed, 9 insertions, 1 deletions
diff --git a/secure/lib/libcrypto/man/d2i_X509.3 b/secure/lib/libcrypto/man/d2i_X509.3
index 4dfb31a..ead4c2b 100644
--- a/secure/lib/libcrypto/man/d2i_X509.3
+++ b/secure/lib/libcrypto/man/d2i_X509.3
@@ -342,6 +342,12 @@ In some versions of OpenSSL the \*(L"reuse\*(R" behaviour of \fId2i_X509()\fR wh
persist if they are not present in the new one. As a result the use
of this \*(L"reuse\*(R" behaviour is strongly discouraged.
.PP
+Current versions of OpenSSL will not modify \fB*px\fR if an error occurs.
+If parsing succeeds then \fB*px\fR is freed (if it is not \s-1NULL\s0) and then
+set to the value of the newly decoded structure. As a result \fB*px\fR
+\&\fBmust not\fR be allocated on the stack or an attempt will be made to
+free an invalid pointer.
+.PP
\&\fIi2d_X509()\fR will not return an error in many versions of OpenSSL,
if mandatory fields are not initialized due to a programming error
then the encoded structure may contain invalid data or omit the
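Review bot: in the added paragraph, the sentence saying \fB*px\fR "must not be allocated on the stack" reads as a restriction on the pointer variable, which callers routinely keep as a local. What must not live on the stack is the X509 structure that *px points to, because that structure is what gets freed when parsing succeeds. Suggest wording it as "the structure pointed to by *px must have been allocated by the library", for example by X509_new() or an earlier d2i_X509() call. The phrase "Current versions of OpenSSL" also names no version, while the context just above says the reuse behaviour differs "in some versions of OpenSSL", so a reader cannot tell which behaviour their libcrypto has; stating the first version with the new behaviour would fix that. Since the old *px is now freed on success, it is also worth saying that any other copy of the old pointer value held by the caller is dangling after the call.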
@@ -352,7 +358,9 @@ always succeed.
.IX Header "RETURN VALUES"
\&\fId2i_X509()\fR, \fId2i_X509_bio()\fR and \fId2i_X509_fp()\fR return a valid \fBX509\fR structure
or \fB\s-1NULL\s0\fR if an error occurs. The error code that can be obtained by
-\&\fIERR_get_error\fR\|(3).
+\&\fIERR_get_error\fR\|(3). If the \*(L"reuse\*(R" capability has been used
+with a valid X509 structure being passed in via \fBpx\fR then the object is not
+modified in the event of error.
.PP
\&\fIi2d_X509()\fR returns the number of bytes successfully encoded or a negative
value if an error occurs. The error code can be obtained by
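Review bot: the sentence added under RETURN VALUES states without qualification that the object passed in via px "is not modified in the event of error", but the paragraph added in the first hunk limits this to "Current versions of OpenSSL" and the surrounding text still strongly discourages reuse. Suggest carrying the same version qualifier here, or pointing back to that paragraph, so code built against an older libcrypto does not rely on the guarantee. Separately, the unchanged line just before the edit still reads "The error code that can be obtained by", which is a fragment; as the patch already rewrites the end of that sentence it could drop "that" to match the i2d_X509() wording below it ("The error code can be obtained by").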