unofficial mirror of guix-devel@gnu.org 
From: Efraim Flashner <efraim@flashner.co.il>
To: Leo Famulari <leo@famulari.name>
Cc: guix-devel@gnu.org
Subject: Re: OpenSSL security updates
Date: Mon, 26 Sep 2016 21:31:51 +0300
Message-ID: <20160926183151.GH3742@macbook42.flashner.co.il>
In-Reply-To: <20160926170138.GA7875@jasmine>

On Mon, Sep 26, 2016 at 01:01:38PM -0400, Leo Famulari wrote:
> There is a new round of OpenSSL security updates [0]. Patches are
> attached to this message.
> 
> [0]
> https://www.openssl.org/news/secadv/20160926.txt
> 
> Quoted from the link above:
> 
> OpenSSL Security Advisory [26 Sep 2016]
> ========================================
> 
> This security update addresses issues that were caused by patches
> included in our previous security update, released on 22nd September
> 2016.  Given the Critical severity of one of these flaws we have
> chosen to release this advisory immediately to prevent upgrades to the
> affected version, rather than delaying in order to provide our usual
> public pre-notification.
> 
> 
> Fix Use After Free for large message sizes (CVE-2016-6309)
> ==========================================================
> 
> Severity: Critical
> 
> This issue only affects OpenSSL 1.1.0a, released on 22nd September 2016.
> 
> The patch applied to address CVE-2016-6307 resulted in an issue where if a
> message larger than approx 16k is received then the underlying buffer to store
> the incoming message is reallocated and moved. Unfortunately a dangling pointer
> to the old location is left which results in an attempt to write to the
> previously freed location. This is likely to result in a crash, however it
> could potentially lead to execution of arbitrary code.
> 
> OpenSSL 1.1.0 users should upgrade to 1.1.0b
> 
> This issue was reported to OpenSSL on 23rd September 2016 by Robert
> Święcki (Google Security Team), and was found using honggfuzz. The fix
> was developed by Matt Caswell of the OpenSSL development team.
> 
> Missing CRL sanity check (CVE-2016-7052)
> ========================================
> 
> Severity: Moderate
> 
> This issue only affects OpenSSL 1.0.2i, released on 22nd September 2016.
> 
> A bug fix which included a CRL sanity check was added to OpenSSL 1.1.0
> but was omitted from OpenSSL 1.0.2i. As a result any attempt to use
> CRLs in OpenSSL 1.0.2i will crash with a null pointer exception.
> 
> OpenSSL 1.0.2i users should upgrade to 1.0.2j
> 
> The issue was reported to OpenSSL on 22nd September 2016 by Bruce Stephens and
> Thomas Jakobi. The fix was developed by Matt Caswell of the OpenSSL development
> team.

> From 0f38dcc4f37853c831d11c5291b1c099ba36ea99 Mon Sep 17 00:00:00 2001
> From: Leo Famulari <leo@famulari.name>
> Date: Mon, 26 Sep 2016 12:53:00 -0400
> Subject: [PATCH] gnu: openssl-next: Update to 1.1.0b [fixes CVE-2016-6309].
> 
> * gnu/packages/tls.scm (openssl-next): Update to 1.1.0b.
> ---
>  gnu/packages/tls.scm | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
> index 93c78ae..9d91f15 100644
> --- a/gnu/packages/tls.scm
> +++ b/gnu/packages/tls.scm
> @@ -391,7 +391,7 @@ required structures.")
>      (inherit openssl)
>      (name "openssl")
>      (replacement #f)
> -    (version "1.1.0a")
> +    (version "1.1.0b")
>      (source (origin
>               (method url-fetch)
>               (uri (list (string-append "ftp://ftp.openssl.org/source/"
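Review bot: `(replacement #f)` on the line above the version bump means this is a rebuild of `openssl-next`, not a graft, so users only get 1.1.0b once `openssl-next` and everything depending on it has been rebuilt; given the Critical rating of CVE-2016-6309 it would help to state in the commit message that a graft is intentionally not used for this variant.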
> @@ -402,7 +402,7 @@ required structures.")
>                (patches (search-patches "openssl-1.1.0-c-rehash-in.patch"))
>                (sha256
>                 (base32
> -                "0as40a1lipl9qfax7495jc1xfb049ygavkaxxk4y5kcn8birdrn2"))))
> +                "1xznrqvb1dbngv2k2nb6da6fdw00c01sy2i36yjdxr4vpxrf0pd4"))))
>      (outputs '("out"
>                 "doc"        ;1.3MiB of man3 pages
>                 "static"))   ; 5.5MiB of .a files
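Review bot: the new base32 hash should be checked against OpenSSL's signed release (the tarball's detached PGP signature, or the SHA256 published with the announcement) before pushing, because the `ftp://ftp.openssl.org/source/` URI above gives no transport integrity and this hash is the only thing protecting the fetch; also confirm that `openssl-1.1.0-c-rehash-in.patch` still applies cleanly to 1.1.0b.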
> -- 
> 2.10.0
> 

> From 0006affb67ef6513e8b8923824ca0cee37ea839b Mon Sep 17 00:00:00 2001
> From: Leo Famulari <leo@famulari.name>
> Date: Mon, 26 Sep 2016 12:51:39 -0400
> Subject: [PATCH] gnu: openssl: Update replacement to 1.0.2j [fixes
>  CVE-2016-7052].
> 
> * gnu/packages/tls.scm (openssl): Update replacement to 1.0.2j.
> (openssl-1.0.2i): Replace with...
> (openssl-1.0.2j): ... new variable.
> ---
>  gnu/packages/tls.scm | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
> index 15e3e43..93c78ae 100644
> --- a/gnu/packages/tls.scm
> +++ b/gnu/packages/tls.scm
> @@ -229,7 +229,7 @@ required structures.")
>  (define-public openssl
>    (package
>     (name "openssl")
> -   (replacement openssl-1.0.2i)
> +   (replacement openssl-1.0.2j)
>     (version "1.0.2h")
>     (source (origin
>               (method url-fetch)
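Review bot: `openssl-1.0.2j` is referenced here but only defined further down in the same file (next hunk); that forward reference works because the `replacement` field is evaluated lazily, exactly as it did for `openssl-1.0.2i`, so nothing needs changing, but the commit message could say explicitly that this is a graft (`version` stays "1.0.2h") so that existing dependents receive the CRL fix without a rebuild.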
> @@ -368,11 +368,11 @@ required structures.")
>     (license license:openssl)
>     (home-page "http://www.openssl.org/")))
>  
> -(define openssl-1.0.2i
> +(define openssl-1.0.2j
>    (package (inherit openssl)
>      (source
>        (let ((name "openssl")
> -            (version "1.0.2i"))
> +            (version "1.0.2j"))
>          (origin
>            (method url-fetch)
>            (uri (list (string-append "ftp://ftp.openssl.org/source/"
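Review bot: the `let` rebinds `version` to "1.0.2j" only for the tarball URI while the package still inherits `version` "1.0.2h" from `openssl`; that is intentional for a graft (the replacement keeps the original's name and version so its store item can stand in for the original), but it looks like an oversight at first glance, so a one-line comment above `(define openssl-1.0.2j` saying as much would save the next reader from "fixing" it.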
> @@ -382,7 +382,7 @@ required structures.")
>                                      "/" name "-" version ".tar.gz")))
>            (sha256
>             (base32
> -            "0vyy038676cv3m2523fi9ll9nkjxadqdnz18zdp5nm6925yli1wj"))
> +            "0cf4ar97ijfc7mg35zdgpad6x8ivkdx9qii6mz35khi1ps9g5bz7"))
>            (patches (search-patches "openssl-runpath.patch"
>                                     "openssl-c-rehash-in.patch")))))))
>  
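Review bot: as with the 1.1.0b patch, verify the new base32 hash against the upstream signature or published SHA256 rather than only against what was fetched over `ftp://`, and confirm that `openssl-runpath.patch` and `openssl-c-rehash-in.patch` still apply cleanly to 1.0.2j, since a build failure in this replacement would surface in every package grafted against `openssl`.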
> -- 
> 2.10.0
> 

This looks pretty straightforward.


-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
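The advisory's description of CVE-2016-6309 (a receive buffer that is reallocated and moved once a message exceeds roughly 16k, while a pointer to the old block is still written through) is the classic dangling-pointer-after-growth pattern. The following is an added example, not OpenSSL's or Guix's code, showing the safe form of that pattern: a growable buffer whose write position is always re-derived from the live pointer after a possible reallocation. The 16 KiB starting capacity and the fragment sizes are assumptions chosen to mirror the advisory's numbers.

```c
#include <stdlib.h>
#include <string.h>

/* Initial capacity mirrors the ~16 KiB threshold named in the advisory;
 * the exact value is an assumption for this example, not OpenSSL's. */
#define INITIAL_CAP (16 * 1024)

struct msgbuf { unsigned char *data; size_t len, cap; };

/* Append a fragment, growing the buffer as needed.
 * realloc may move the block, so the write position is derived from
 * b->data only AFTER the reallocation. Caching `dst` before the grow
 * is the dangling-pointer mistake described for CVE-2016-6309. */
int msgbuf_append(struct msgbuf *b, const unsigned char *src, size_t n) {
    if (b->cap - b->len < n) {
        size_t newcap = b->cap ? b->cap : INITIAL_CAP;
        while (newcap - b->len < n) newcap *= 2;
        unsigned char *p = realloc(b->data, newcap);
        if (p == NULL) return -1;           /* old block untouched, still valid */
        b->data = p;
        b->cap = newcap;
    }
    unsigned char *dst = b->data + b->len;  /* computed from the live pointer */
    memcpy(dst, src, n);
    b->len += n;
    return 0;
}

void msgbuf_free(struct msgbuf *b) { free(b->data); b->data = NULL; b->len = b->cap = 0; }

/* Feed a constructed 20 KiB message in 4 KiB fragments, crossing the
 * 16 KiB boundary. Returns 1 if the buffer grew and every byte is
 * intact, 0 otherwise. */
int demo_large_message(void) {
    struct msgbuf b = { NULL, 0, 0 };
    unsigned char frag[4096];
    size_t total = 5 * sizeof frag, i;
    for (i = 0; i < 5; i++) {
        memset(frag, 'a' + (int)i, sizeof frag);
        if (msgbuf_append(&b, frag, sizeof frag) != 0) { msgbuf_free(&b); return 0; }
    }
    int ok = (b.len == total && b.cap > INITIAL_CAP);
    for (i = 0; ok && i < total; i++)
        if (b.data[i] != (unsigned char)('a' + i / sizeof frag)) ok = 0;
    msgbuf_free(&b);
    return ok;
}
```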
