From mboxrd@z Thu Jan  1 00:00:00 1970
From: Mark H Weaver <mhw@netris.org>
Subject: [PATCH] gnu: openssl: Fixes for CVE-2010-5298 and extension checking
Date: Mon, 21 Apr 2014 10:17:12 -0400
Message-ID: <87oazu3gyf.fsf@yeeloong.lan>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:54544)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <mhw@netris.org>) id 1WcF41-0007cr-K0
	for guix-devel@gnu.org; Mon, 21 Apr 2014 10:19:22 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <mhw@netris.org>) id 1WcF3x-000473-1h
	for guix-devel@gnu.org; Mon, 21 Apr 2014 10:19:17 -0400
Received: from world.peace.net ([96.39.62.75]:59596)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <mhw@netris.org>) id 1WcF3w-00044V-S1
	for guix-devel@gnu.org; Mon, 21 Apr 2014 10:19:12 -0400
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
To: guix-devel@gnu.org

--=-=-=
Content-Type: text/plain

This applies security fixes to openssl which were recently pushed by the
Debian security team.

     Mark


--=-=-=
Content-Type: text/x-patch; charset=utf-8
Content-Disposition: inline;
 filename=0001-gnu-openssl-Fixes-for-CVE-2010-5298-and-extension-ch.patch
Content-Transfer-Encoding: quoted-printable
Content-Description: [PATCH] gnu: openssl: Fixes for CVE-2010-5298 and
 extension checking

>From d05dad7e9fc785ce00df942b4d42af3d8c320321 Mon Sep 17 00:00:00 2001
From: Mark H Weaver <mhw@netris.org>
Date: Mon, 21 Apr 2014 10:04:17 -0400
Subject: [PATCH] gnu: openssl: Fixes for CVE-2010-5298 and extension checki=
ng.

* gnu/packages/patches/openssl-CVE-2010-5298.patch: New file.
* gnu/packages/patches/openssl-extension-checking-fixes.patch: New file.
* gnu/packages/openssl.scm (openssl): Add them.
* gnu-system.am (dist_patch_DATA): Add them.
---
 gnu-system.am                                      |  2 ++
 gnu/packages/openssl.scm                           |  6 +++-
 gnu/packages/patches/openssl-CVE-2010-5298.patch   | 27 +++++++++++++++
 .../patches/openssl-extension-checking-fixes.patch | 40 ++++++++++++++++++=
++++
 4 files changed, 74 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/openssl-CVE-2010-5298.patch
 create mode 100644 gnu/packages/patches/openssl-extension-checking-fixes.p=
atch

diff --git a/gnu-system.am b/gnu-system.am
index 86bdb69..0b18b08 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -315,6 +315,8 @@ dist_patch_DATA =3D						\
   gnu/packages/patches/mcron-install.patch			\
   gnu/packages/patches/mit-krb5-init-fix.patch			\
   gnu/packages/patches/mpc123-initialize-ao.patch		\
+  gnu/packages/patches/openssl-CVE-2010-5298.patch		\
+  gnu/packages/patches/openssl-extension-checking-fixes.patch	\
   gnu/packages/patches/patchelf-page-size.patch			\
   gnu/packages/patches/patchutils-xfail-gendiff-tests.patch	\
   gnu/packages/patches/perl-no-sys-dirs.patch			\
diff --git a/gnu/packages/openssl.scm b/gnu/packages/openssl.scm
index 8c12ff9..eb03bb9 100644
--- a/gnu/packages/openssl.scm
+++ b/gnu/packages/openssl.scm
@@ -1,5 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright =C2=A9 2013 Andreas Enge <andreas@enge.fr>
+;;; Copyright =C2=A9 2014 Mark H Weaver <mhw@netris.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -34,7 +35,10 @@
                                 ".tar.gz"))
             (sha256
              (base32
-              "0a70qdqccg16nw4bbawa6pjvzn05vfp5wkwg6jl0grch7f683jsk"))))
+              "0a70qdqccg16nw4bbawa6pjvzn05vfp5wkwg6jl0grch7f683jsk"))
+            (patches
+             (list (search-patch "openssl-CVE-2010-5298.patch")
+                   (search-patch "openssl-extension-checking-fixes.patch")=
))))
    (build-system gnu-build-system)
    (native-inputs `(("perl" ,perl)))
    (arguments
diff --git a/gnu/packages/patches/openssl-CVE-2010-5298.patch b/gnu/package=
s/patches/openssl-CVE-2010-5298.patch
new file mode 100644
index 0000000..707a24d
--- /dev/null
+++ b/gnu/packages/patches/openssl-CVE-2010-5298.patch
@@ -0,0 +1,27 @@
+From db978be7388852059cf54e42539a363d549c5bfd Mon Sep 17 00:00:00 2001
+From: Kurt Roeckx <kurt@roeckx.be>
+Date: Sun, 13 Apr 2014 15:05:30 +0200
+Subject: [PATCH] Don't release the buffer when there still is data in it
+
+RT: 2167, 3265
+---
+ ssl/s3_pkt.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
+index b9e45c7..32e9207 100644
+--- a/ssl/s3_pkt.c
++++ b/ssl/s3_pkt.c
+@@ -1055,7 +1055,8 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char =
*buf, int len, int peek)
+ 				{
+ 				s->rstate=3DSSL_ST_READ_HEADER;
+ 				rr->off=3D0;
+-				if (s->mode & SSL_MODE_RELEASE_BUFFERS)
++				if (s->mode & SSL_MODE_RELEASE_BUFFERS &&
++					s->s3->rbuf.left =3D=3D 0)
+ 					ssl3_release_read_buffer(s);
+ 				}
+ 			}
+--=20
+1.9.1
+
diff --git a/gnu/packages/patches/openssl-extension-checking-fixes.patch b/=
gnu/packages/patches/openssl-extension-checking-fixes.patch
new file mode 100644
index 0000000..3fdd893
--- /dev/null
+++ b/gnu/packages/patches/openssl-extension-checking-fixes.patch
@@ -0,0 +1,40 @@
+From 300b9f0b704048f60776881f1d378c74d9c32fbd Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve@openssl.org>
+Date: Tue, 15 Apr 2014 18:48:54 +0100
+Subject: [PATCH] Extension checking fixes.
+
+When looking for an extension we need to set the last found
+position to -1 to properly search all extensions.
+
+PR#3309.
+---
+ crypto/x509v3/v3_purp.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
+index 6c40c7d..5f931db 100644
+--- a/crypto/x509v3/v3_purp.c
++++ b/crypto/x509v3/v3_purp.c
+@@ -389,8 +389,8 @@ static void x509v3_cache_extensions(X509 *x)
+ 	/* Handle proxy certificates */
+ 	if((pci=3DX509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) {
+ 		if (x->ex_flags & EXFLAG_CA
+-		    || X509_get_ext_by_NID(x, NID_subject_alt_name, 0) >=3D 0
+-		    || X509_get_ext_by_NID(x, NID_issuer_alt_name, 0) >=3D 0) {
++		    || X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >=3D 0
++		    || X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >=3D 0) {
+ 			x->ex_flags |=3D EXFLAG_INVALID;
+ 		}
+ 		if (pci->pcPathLengthConstraint) {
+@@ -670,7 +670,7 @@ static int check_purpose_timestamp_sign(const X509_PUR=
POSE *xp, const X509 *x,
+ 		return 0;
+=20
+ 	/* Extended Key Usage MUST be critical */
+-	i_ext =3D X509_get_ext_by_NID((X509 *) x, NID_ext_key_usage, 0);
++	i_ext =3D X509_get_ext_by_NID((X509 *) x, NID_ext_key_usage, -1);
+ 	if (i_ext >=3D 0)
+ 		{
+ 		X509_EXTENSION *ext =3D X509_get_ext((X509 *) x, i_ext);
+--=20
+1.9.1
+
--=20
1.8.4


--=-=-=--