OpenPKG CVS Repository http://cvs.openpkg.org/ ____________________________________________________________________________
Server: cvs.openpkg.org Name: Thomas Lotterer Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src openpkg-web Date: 30-Sep-2003 14:46:23 Branch: OPENPKG_1_2_SOLID HEAD Handle: 2003093013462102 Modified files: openpkg-web news.txt Modified files: (Branch: OPENPKG_1_2_SOLID) openpkg-src/openssl openssl.patch openssl.spec Log: SA-2003.044-openssl; CAN-2003-0543, CAN-2003-0544, CAN-2003-0545 Summary: Revision Changes Path 1.7.4.4 +66 -0 openpkg-src/openssl/openssl.patch 1.37.2.1.2.6+1 -1 openpkg-src/openssl/openssl.spec 1.6792 +1 -0 openpkg-web/news.txt ____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-src/openssl/openssl.patch
============================================================================
$ cvs diff -u -r1.7.4.3 -r1.7.4.4 openssl.patch
--- openpkg-src/openssl/openssl.patch 20 Mar 2003 20:09:39 -0000 1.7.4.3
+++ openpkg-src/openssl/openssl.patch 30 Sep 2003 12:46:23 -0000 1.7.4.4
@@ -229,3 +229,69 @@
 }
 s->session->master_key_length=
+
+-----------------------------------------------------------------------------
+
+Security Bugfixes
+OpenPKG-SA-2003.044-openssl
+http://www.openssl.org/news/secadv_20030930.txt
+CAN-2003-0543, CAN-2003-0544, CAN-2003-0545
+
+--- crypto/asn1/asn1_lib.c Sun Sep 28 14:20:55 2003
++++ crypto/asn1/asn1_lib.c Fri Sep 26 13:51:38 2003
+@@ -104,10 +104,12 @@
+ l<<=7L;
+ l|= *(p++)&0x7f;
+ if (--max == 0) goto err;
++ if (l > (INT_MAX >> 7L)) goto err;
+ }
+ l<<=7L;
+ l|= *(p++)&0x7f;
+ tag=(int)l;
++ if (--max == 0) goto err;
+ }
+ else
+ {
+--- crypto/asn1/tasn_dec.c Sun Sep 28 14:20:55 2003
++++ crypto/asn1/tasn_dec.c Fri Sep 26 13:51:38 2003
+@@ -691,6 +691,7 @@
+
+ int asn1_ex_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it)
+ {
++ ASN1_VALUE **opval = NULL;
+ ASN1_STRING *stmp;
+ ASN1_TYPE *typ = NULL;
+ int ret = 0;
+@@ -705,6 +706,7 @@
+ *pval = (ASN1_VALUE *)typ;
+ } else typ = (ASN1_TYPE *)*pval;
+ if(utype != typ->type) ASN1_TYPE_set(typ, utype, NULL);
++ opval = pval;
+ pval = (ASN1_VALUE **)&typ->value.ptr;
+ }
+ switch(utype) {
+@@ -796,7 +798,12 @@
+
+ ret = 1;
+ err:
+- if(!ret) ASN1_TYPE_free(typ);
++ if(!ret)
++ {
++ ASN1_TYPE_free(typ);
++ if (opval)
++ *opval = NULL;
++ }
+ return ret;
+ }
+
+--- crypto/x509/x509_vfy.c Sun Sep 28 14:20:55 2003
++++ crypto/x509/x509_vfy.c Fri Sep 26 13:51:38 2003
+@@ -674,7 +674,7 @@
+ ok=(*cb)(0,ctx);
+ if (!ok) goto end;
+ }
+- if (X509_verify(xs,pkey) <= 0)
++ else if (X509_verify(xs,pkey) <= 0)
+ /* XXX For the final trusted self-signed cert,
+ * this is a waste of time. That check should
+ * optional so that e.g. 'openssl x509' can be
@@ .
patch -p0 <<'@@ .'
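Review bot: The bound added in the nested `crypto/asn1/asn1_lib.c` hunk, `if (l > (INT_MAX >> 7L)) goto err;`, depends on `INT_MAX`, but the embedded patch for that file starts at line 104 on both the old and new side, so it adds no `#include <limits.h>` earlier in the file. If the 0.9.7 source does not already get that header through its existing includes, the backport will fail to compile on platforms where nothing else pulls it in; adding `#include <limits.h>` to the file's include block in this backport would make the check self-contained. A short comment above the check, such as `/* reject tags that would exceed INT_MAX after the next 7-bit shift */`, would also help, since the enclosing function starts and ends outside the hunk and the reason for the bound is not visible here.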
Index: openpkg-src/openssl/openssl.spec
============================================================================
$ cvs diff -u -r1.37.2.1.2.5 -r1.37.2.1.2.6 openssl.spec
--- openpkg-src/openssl/openssl.spec 20 Mar 2003 20:09:39 -0000 1.37.2.1.2.5
+++ openpkg-src/openssl/openssl.spec 30 Sep 2003 12:46:23 -0000 1.37.2.1.2.6
@@ -33,7 +33,7 @@
 Group: Cryptography
 License: BSD-style
 Version: 0.9.7
-Release: 1.2.3
+Release: 1.2.4
 # list of sources
 Source0: ftp://ftp.openssl.org/source/openssl-%{version}.tar.gz
@@ .
patch -p0 <<'@@ .'
Index: openpkg-web/news.txt
============================================================================
$ cvs diff -u -r1.6791 -r1.6792 news.txt
--- openpkg-web/news.txt 30 Sep 2003 12:45:40 -0000 1.6791
+++ openpkg-web/news.txt 30 Sep 2003 12:46:21 -0000 1.6792
@@ -1,3 +1,4 @@
+30-Sep-2003: Upgraded package: P<openssl-0.9.7-1.2.4>
 30-Sep-2003: Upgraded package: P<openssl-0.9.7b-1.3.2>
 30-Sep-2003: Upgraded package: P<openssl-0.9.7b-20030930>
 29-Sep-2003: New package: P<vile-9.4-20030929>
@@ .
______________________________________________________________________ The OpenPKG Project www.openpkg.org CVS Repository Commit List [EMAIL PROTECTED]