From mboxrd@z Thu Jan 1 00:00:00 1970 From: Mark H Weaver Subject: [PATCH] gnu: openssl: Fixes for CVE-2010-5298 and extension checking Date: Mon, 21 Apr 2014 10:17:12 -0400 Message-ID: <87oazu3gyf.fsf@yeeloong.lan> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="=-=-=" Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:54544) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1WcF41-0007cr-K0 for guix-devel@gnu.org; Mon, 21 Apr 2014 10:19:22 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1WcF3x-000473-1h for guix-devel@gnu.org; Mon, 21 Apr 2014 10:19:17 -0400 Received: from world.peace.net ([96.39.62.75]:59596) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1WcF3w-00044V-S1 for guix-devel@gnu.org; Mon, 21 Apr 2014 10:19:12 -0400 List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org To: guix-devel@gnu.org --=-=-= Content-Type: text/plain This applies security fixes to openssl which were recently pushed by the Debian security team. Mark --=-=-= Content-Type: text/x-patch; charset=utf-8 Content-Disposition: inline; filename=0001-gnu-openssl-Fixes-for-CVE-2010-5298-and-extension-ch.patch Content-Transfer-Encoding: quoted-printable Content-Description: [PATCH] gnu: openssl: Fixes for CVE-2010-5298 and extension checking >From d05dad7e9fc785ce00df942b4d42af3d8c320321 Mon Sep 17 00:00:00 2001 From: Mark H Weaver Date: Mon, 21 Apr 2014 10:04:17 -0400 Subject: [PATCH] gnu: openssl: Fixes for CVE-2010-5298 and extension checki= ng. * gnu/packages/patches/openssl-CVE-2010-5298.patch: New file. * gnu/packages/patches/openssl-extension-checking-fixes.patch: New file. * gnu/packages/openssl.scm (openssl): Add them. * gnu-system.am (dist_patch_DATA): Add them. --- gnu-system.am | 2 ++ gnu/packages/openssl.scm | 6 +++- gnu/packages/patches/openssl-CVE-2010-5298.patch | 27 +++++++++++++++ .../patches/openssl-extension-checking-fixes.patch | 40 ++++++++++++++++++= ++++ 4 files changed, 74 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/openssl-CVE-2010-5298.patch create mode 100644 gnu/packages/patches/openssl-extension-checking-fixes.p= atch diff --git a/gnu-system.am b/gnu-system.am index 86bdb69..0b18b08 100644 --- a/gnu-system.am +++ b/gnu-system.am @@ -315,6 +315,8 @@ dist_patch_DATA =3D \ gnu/packages/patches/mcron-install.patch \ gnu/packages/patches/mit-krb5-init-fix.patch \ gnu/packages/patches/mpc123-initialize-ao.patch \ + gnu/packages/patches/openssl-CVE-2010-5298.patch \ + gnu/packages/patches/openssl-extension-checking-fixes.patch \ gnu/packages/patches/patchelf-page-size.patch \ gnu/packages/patches/patchutils-xfail-gendiff-tests.patch \ gnu/packages/patches/perl-no-sys-dirs.patch \ diff --git a/gnu/packages/openssl.scm b/gnu/packages/openssl.scm index 8c12ff9..eb03bb9 100644 --- a/gnu/packages/openssl.scm +++ b/gnu/packages/openssl.scm @@ -1,5 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright =C2=A9 2013 Andreas Enge +;;; Copyright =C2=A9 2014 Mark H Weaver ;;; ;;; This file is part of GNU Guix. ;;; @@ -34,7 +35,10 @@ ".tar.gz")) (sha256 (base32 - "0a70qdqccg16nw4bbawa6pjvzn05vfp5wkwg6jl0grch7f683jsk")))) + "0a70qdqccg16nw4bbawa6pjvzn05vfp5wkwg6jl0grch7f683jsk")) + (patches + (list (search-patch "openssl-CVE-2010-5298.patch") + (search-patch "openssl-extension-checking-fixes.patch")= )))) (build-system gnu-build-system) (native-inputs `(("perl" ,perl))) (arguments diff --git a/gnu/packages/patches/openssl-CVE-2010-5298.patch b/gnu/package= s/patches/openssl-CVE-2010-5298.patch new file mode 100644 index 0000000..707a24d --- /dev/null +++ b/gnu/packages/patches/openssl-CVE-2010-5298.patch @@ -0,0 +1,27 @@ +From db978be7388852059cf54e42539a363d549c5bfd Mon Sep 17 00:00:00 2001 +From: Kurt Roeckx +Date: Sun, 13 Apr 2014 15:05:30 +0200 +Subject: [PATCH] Don't release the buffer when there still is data in it + +RT: 2167, 3265 +--- + ssl/s3_pkt.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c +index b9e45c7..32e9207 100644 +--- a/ssl/s3_pkt.c ++++ b/ssl/s3_pkt.c +@@ -1055,7 +1055,8 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char = *buf, int len, int peek) + { + s->rstate=3DSSL_ST_READ_HEADER; + rr->off=3D0; +- if (s->mode & SSL_MODE_RELEASE_BUFFERS) ++ if (s->mode & SSL_MODE_RELEASE_BUFFERS && ++ s->s3->rbuf.left =3D=3D 0) + ssl3_release_read_buffer(s); + } + } +--=20 +1.9.1 + diff --git a/gnu/packages/patches/openssl-extension-checking-fixes.patch b/= gnu/packages/patches/openssl-extension-checking-fixes.patch new file mode 100644 index 0000000..3fdd893 --- /dev/null +++ b/gnu/packages/patches/openssl-extension-checking-fixes.patch @@ -0,0 +1,40 @@ +From 300b9f0b704048f60776881f1d378c74d9c32fbd Mon Sep 17 00:00:00 2001 +From: "Dr. Stephen Henson" +Date: Tue, 15 Apr 2014 18:48:54 +0100 +Subject: [PATCH] Extension checking fixes. + +When looking for an extension we need to set the last found +position to -1 to properly search all extensions. + +PR#3309. +--- + crypto/x509v3/v3_purp.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c +index 6c40c7d..5f931db 100644 +--- a/crypto/x509v3/v3_purp.c ++++ b/crypto/x509v3/v3_purp.c +@@ -389,8 +389,8 @@ static void x509v3_cache_extensions(X509 *x) + /* Handle proxy certificates */ + if((pci=3DX509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) { + if (x->ex_flags & EXFLAG_CA +- || X509_get_ext_by_NID(x, NID_subject_alt_name, 0) >=3D 0 +- || X509_get_ext_by_NID(x, NID_issuer_alt_name, 0) >=3D 0) { ++ || X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >=3D 0 ++ || X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >=3D 0) { + x->ex_flags |=3D EXFLAG_INVALID; + } + if (pci->pcPathLengthConstraint) { +@@ -670,7 +670,7 @@ static int check_purpose_timestamp_sign(const X509_PUR= POSE *xp, const X509 *x, + return 0; +=20 + /* Extended Key Usage MUST be critical */ +- i_ext =3D X509_get_ext_by_NID((X509 *) x, NID_ext_key_usage, 0); ++ i_ext =3D X509_get_ext_by_NID((X509 *) x, NID_ext_key_usage, -1); + if (i_ext >=3D 0) + { + X509_EXTENSION *ext =3D X509_get_ext((X509 *) x, i_ext); +--=20 +1.9.1 + --=20 1.8.4 --=-=-=--