Git-Url: http://git.frugalware.org/gitweb/gitweb.cgi?p=frugalware-current.git;a=commitdiff;h=383aabd1ca28d9e080eaf41589da83fd9c801249
commit 383aabd1ca28d9e080eaf41589da83fd9c801249 Author: kikadf <kikadf...@gmail.com> Date: Sun Jan 12 10:17:44 2014 +0100 openssl-1.0.1-5-x86_64 * Fix CVE-2013-4353 * Fix CVE-2013-6449 * Fix CVE-2013-6450 diff --git a/source/base/openssl/CVE-2013-4353.patch b/source/base/openssl/CVE-2013-4353.patch new file mode 100644 index 0000000..139b68f --- /dev/null +++ b/source/base/openssl/CVE-2013-4353.patch @@ -0,0 +1,25 @@ +From: "Dr. Stephen Henson" <st...@openssl.org> +Date: Mon, 6 Jan 2014 14:35:04 +0000 +Subject: [PATCH] Fix for TLS record tampering bug CVE-2013-4353 +Origin: upstream, commit:197e0ea817ad64820789d86711d55ff50d71f631 + +diff --git a/ssl/s3_both.c b/ssl/s3_both.c +index 1e5dcab..53b9390 100644 +--- a/ssl/s3_both.c ++++ b/ssl/s3_both.c +@@ -210,7 +210,11 @@ static void ssl3_take_mac(SSL *s) + { + const char *sender; + int slen; +- ++ /* If no new cipher setup return immediately: other functions will ++ * set the appropriate error. ++ */ ++ if (s->s3->tmp.new_cipher == NULL) ++ return; + if (s->state & SSL_ST_CONNECT) + { + sender=s->method->ssl3_enc->server_finished_label; +-- +1.8.5.2 + diff --git a/source/base/openssl/CVE-2013-6449.patch b/source/base/openssl/CVE-2013-6449.patch new file mode 100644 index 0000000..eba717a --- /dev/null +++ b/source/base/openssl/CVE-2013-6449.patch @@ -0,0 +1,83 @@ +Author: Dr. Stephen Henson <st...@openssl.org> +Date: Thu Dec 19 14:37:39 2013 +0000 +Subject: Fix CVE-2013-6449 + +This is a combination of upstream commits: +0294b2be5f4c11e60620c0018674ff0e17b14238 +ca989269a2876bae79393bd54c3e72d49975fc75 + +diff --git a/ssl/s3_both.c b/ssl/s3_both.c +index ead01c8..1e5dcab 100644 +--- a/ssl/s3_both.c ++++ b/ssl/s3_both.c +@@ -161,6 +161,8 @@ int ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen) + + i=s->method->ssl3_enc->final_finish_mac(s, + sender,slen,s->s3->tmp.finish_md); ++ if (i == 0) ++ return 0; + s->s3->tmp.finish_md_len = i; + memcpy(p, s->s3->tmp.finish_md, i); + p+=i; +diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c +index 804291e..c4bc4e7 100644 +--- a/ssl/s3_pkt.c ++++ b/ssl/s3_pkt.c +@@ -1459,8 +1459,14 @@ int ssl3_do_change_cipher_spec(SSL *s) + slen=s->method->ssl3_enc->client_finished_label_len; + } + +- s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s, ++ i = s->method->ssl3_enc->final_finish_mac(s, + sender,slen,s->s3->tmp.peer_finish_md); ++ if (i == 0) ++ { ++ SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR); ++ return 0; ++ } ++ s->s3->tmp.peer_finish_md_len = i; + + return(1); + } +diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c +index 809ad2e..72015f5 100644 +--- a/ssl/t1_enc.c ++++ b/ssl/t1_enc.c +@@ -915,18 +915,19 @@ int tls1_final_finish_mac(SSL *s, + if (mask & ssl_get_algorithm2(s)) + { + int hashsize = EVP_MD_size(md); +- if (hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf))) ++ EVP_MD_CTX *hdgst = s->s3->handshake_dgst[idx]; ++ if (!hdgst || hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf))) + { + /* internal error: 'buf' is too small for this cipersuite! */ + err = 1; + } + else + { +- EVP_MD_CTX_copy_ex(&ctx,s->s3->handshake_dgst[idx]); +- EVP_DigestFinal_ex(&ctx,q,&i); +- if (i != (unsigned int)hashsize) /* can't really happen */ ++ if (!EVP_MD_CTX_copy_ex(&ctx, hdgst) || ++ !EVP_DigestFinal_ex(&ctx,q,&i) || ++ (i != (unsigned int)hashsize)) + err = 1; +- q+=i; ++ q+=hashsize; + } + } + } +diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c +index bf832bb..c4ef273 100644 +--- a/ssl/s3_lib.c ++++ b/ssl/s3_lib.c +@@ -4286,7 +4286,7 @@ need to go to SSL_ST_ACCEPT. + long ssl_get_algorithm2(SSL *s) + { + long alg2 = s->s3->tmp.new_cipher->algorithm2; +- if (TLS1_get_version(s) >= TLS1_2_VERSION && ++ if (s->method->version == TLS1_2_VERSION && + alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF)) + return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256; + return alg2; diff --git a/source/base/openssl/CVE-2013-6450.patch b/source/base/openssl/CVE-2013-6450.patch new file mode 100644 index 0000000..971de15 --- /dev/null +++ b/source/base/openssl/CVE-2013-6450.patch @@ -0,0 +1,94 @@ +From: "Dr. Stephen Henson" <st...@openssl.org> +Date: Fri, 20 Dec 2013 15:26:50 +0000 +Subject: [PATCH] Fix DTLS retransmission from previous session. +Origin: upstream, commit:34628967f1e65dc8f34e000f0f5518e21afbfc7b, commit:a6c62f0c25a756c263a80ce52afbae888028e986 + +For DTLS we might need to retransmit messages from the previous session +so keep a copy of write context in DTLS retransmission buffers instead +of replacing it after sending CCS. CVE-2013-6450. +--- + CHANGES | 5 +++++ + ssl/d1_both.c | 6 ++++++ + ssl/ssl_locl.h | 2 ++ + ssl/t1_enc.c | 17 +++++++++++------ + 4 files changed, 24 insertions(+), 6 deletions(-) + +Index: openssl-1.0.1e/ssl/d1_both.c +=================================================================== +--- openssl-1.0.1e.orig/ssl/d1_both.c 2013-12-23 17:57:07.916566103 +0100 ++++ openssl-1.0.1e/ssl/d1_both.c 2013-12-23 17:57:07.888566708 +0100 +@@ -214,6 +214,12 @@ + static void + dtls1_hm_fragment_free(hm_fragment *frag) + { ++ ++ if (frag->msg_header.is_ccs) ++ { ++ EVP_CIPHER_CTX_free(frag->msg_header.saved_retransmit_state.enc_write_ctx); ++ EVP_MD_CTX_destroy(frag->msg_header.saved_retransmit_state.write_hash); ++ } + if (frag->fragment) OPENSSL_free(frag->fragment); + if (frag->reassembly) OPENSSL_free(frag->reassembly); + OPENSSL_free(frag); +Index: openssl-1.0.1e/ssl/ssl_locl.h +=================================================================== +--- openssl-1.0.1e.orig/ssl/ssl_locl.h 2013-12-23 17:57:07.916566103 +0100 ++++ openssl-1.0.1e/ssl/ssl_locl.h 2013-12-23 17:57:07.888566708 +0100 +@@ -621,6 +621,8 @@ + extern SSL3_ENC_METHOD SSLv3_enc_data; + extern SSL3_ENC_METHOD DTLSv1_enc_data; + ++#define SSL_IS_DTLS(s) (s->method->version == DTLS1_VERSION) ++ + #define IMPLEMENT_tls_meth_func(version, func_name, s_accept, s_connect, \ + s_get_meth) \ + const SSL_METHOD *func_name(void) \ +Index: openssl-1.0.1e/ssl/t1_enc.c +=================================================================== +--- openssl-1.0.1e.orig/ssl/t1_enc.c 2013-12-23 17:57:07.916566103 +0100 ++++ openssl-1.0.1e/ssl/t1_enc.c 2013-12-23 17:57:07.888566708 +0100 +@@ -414,15 +414,20 @@ + s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM; + else + s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM; +- if (s->enc_write_ctx != NULL) ++ if (s->enc_write_ctx != NULL && !SSL_IS_DTLS(s)) + reuse_dd = 1; +- else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) ++ else if ((s->enc_write_ctx=EVP_CIPHER_CTX_new()) == NULL) + goto err; +- else +- /* make sure it's intialized in case we exit later with an error */ +- EVP_CIPHER_CTX_init(s->enc_write_ctx); + dd= s->enc_write_ctx; +- mac_ctx = ssl_replace_hash(&s->write_hash,NULL); ++ if (SSL_IS_DTLS(s)) ++ { ++ mac_ctx = EVP_MD_CTX_create(); ++ if (!mac_ctx) ++ goto err; ++ s->write_hash = mac_ctx; ++ } ++ else ++ mac_ctx = ssl_replace_hash(&s->write_hash,NULL); + #ifndef OPENSSL_NO_COMP + if (s->compress != NULL) + { +diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c +index 6fc469f..d14e8e4 100644 +--- a/crypto/evp/digest.c ++++ b/crypto/evp/digest.c +@@ -366,8 +366,11 @@ int EVP_Digest(const void *data, size_t count, + + void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx) + { +- EVP_MD_CTX_cleanup(ctx); +- OPENSSL_free(ctx); ++ if (ctx) ++ { ++ EVP_MD_CTX_cleanup(ctx); ++ OPENSSL_free(ctx); ++ } + } + + /* This call frees resources associated with the context */ diff --git a/source/base/openssl/FrugalBuild b/source/base/openssl/FrugalBuild index 336d608..b70d848 100644 --- a/source/base/openssl/FrugalBuild +++ b/source/base/openssl/FrugalBuild @@ -5,7 +5,7 @@ pkgname=openssl pkgver=1.0.1 pkgextraver=c -pkgrel=4 +pkgrel=5 pkgdesc="The Open Source toolkit for Secure Sockets Layer and Transport Layer Security" url="http://www.openssl.org/source/" groups=('base' 'chroot-core') @@ -17,6 +17,11 @@ source=($url$pkgname-$pkgver$pkgextraver.tar.gz \ http://caunter.ca/ssl.certs.shar man_symlinks.diff) signatures=("$source.asc" '' '') +# FSA fix *** +source=(${source[@]} CVE-2013-4353.patch CVE-2013-6449.patch CVE-2013-6450.patch) +signatures=(${signatures[@]} '' '' '') +# *********** + build() { unset MAKEFLAGS _______________________________________________ Frugalware-git mailing list Frugalware-git@frugalware.org http://frugalware.org/mailman/listinfo/frugalware-git