Hello community, here is the log from the commit of package libserf.2957 for openSUSE:12.3:Update checked in at 2014-08-23 01:07:58 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.3:Update/libserf.2957 (Old) and /work/SRC/openSUSE:12.3:Update/.libserf.2957.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libserf.2957" Changes: -------- New Changes file: --- /dev/null 2014-07-24 01:57:42.080040256 +0200 +++ /work/SRC/openSUSE:12.3:Update/.libserf.2957.new/libserf.changes 2014-08-23 01:07:59.000000000 +0200 @@ -0,0 +1,140 @@ +------------------------------------------------------------------- +Mon Aug 11 16:07:48 UTC 2014 - [email protected] + +- Serf may not provide the full value for fields contained in X.509 + certificates. Allowing for clients to potentially improperly + accept certificates. + * Handle NUL bytes in fields of an X.509 certificate. + [bnc#890510] [CVE-2014-3504] adds serf-1.1.1-CVE-2014-3504.patch + +------------------------------------------------------------------- +Thu Oct 4 21:45:29 UTC 2012 - [email protected] + +- update to Serf 1.1.1 + This patch release contains fixes for some important connection + stability issues. + * ensure requeued requests are correctly handled. This fixes: + - infinite loop with multiple connection resets or SIGPIPE errors + - "connection" hang where we would not re-queue requests that are held after + we re-connect + * test_all goes in an endless loop + * Fix memory leak when conn. is closed explicitly/due to pool cleanups + * Add new error codes for the SSL bucket + +------------------------------------------------------------------- +Thu Jun 7 20:54:34 UTC 2012 - [email protected] + +- update to upstream Serf 1.1.0 + New: serf_bucket_request_set_CL() for C-L based, non-chunked requests + New: serf_ssl_server_cert_chain_callback_set() for full-chain validation + +------------------------------------------------------------------- +Tue Mar 20 20:07:43 UTC 2012 - [email protected] + +- update to upstream 1.0.3 (1.0.2 was not released) +- changes in Serf 1.0.3: + Map more OpenSSL errors into SERF_SSL_CERT_UNKNOWNCA + +------------------------------------------------------------------- +Thu Mar 15 07:26:35 UTC 2012 - [email protected] + +- move headers into /usr/include/serf-1 to match what subversion + configure script expects + +------------------------------------------------------------------- +Thu Feb 23 21:51:49 UTC 2012 - [email protected] + +- update to upstream 1.0.1 +- license is Apache-2.0 +- changes in Serf 1.0.1: + * FreeBSD fixes in the test suite + * Minor build fixes +- changes Serf 1.0.0: + * Fixed issue 38: enable builds using non-GNU make + * Fixed issue 49: support SSL tunnels for HTTPS via a proxy + * Fixed issue 56: allow Subject Alternative Name, and enable SNI + * Fixed issue 61: include order dependencies + * Fixed issue 66: improved error reporting when creating install dirs + * Fixed issue 71: handle ECONNREFUSED on Windows + * Fixed issue 79: destroy the APR allocator, if we create one + * Fixed issue 81: build failed on APR 0.9.x + * Major performance improvements and bug fixes for SSL buckets/handling + * Add a new "iovec" bucket type (r1434) + * Minimize network packet writes based on ra_serf analysis + * Fix out of order issue with multiple priority requests + * Work around broken WSAPoll() impl on Windows introduced in APR 1.4.0 + * Fix 100% CPU usage with many pipelined requests + * Corrected contents of build/serf.def; it now includes bucket types + * Removed "snapshot" feature from buckets + * Various improvements to the test system + * Various memory leak fixes + +------------------------------------------------------------------- +Tue Jan 31 10:42:34 UTC 2012 - [email protected] + +- Remove redundant tags/sections per specfile guideline suggestions +- Parallel building using %_smp_mflags + +------------------------------------------------------------------- +Fri Jul 29 13:10:31 UTC 2011 - [email protected] + +- update to upstream 0.7.2 +- changes in 0.7.2: + * Actually disable Nagle when creating a connection (r1441). + * Return error when app asks for HTTPS over proxy connection (r1433). +- changes in 0.7.1 + Fix memory leak when using SSL (r1408, r1416). + Fix build for blank apr-util directory (r1421). +- changes in 0.7.0 + Fix double free abort when destroying request buckets. + Fix test server in unit test framework to avoid random test failures. + Allow older Serf programs which don't use the new authn framework to still + handle authn without forcing them to switch to the new framework. (r1401) + Remove the SERF_DECLARE macros, preferring a .DEF file for Windows + Barrier buckets now pass read_iovec to their wrapped bucket. + Fix HTTP header parsing to allow for empty header values. +- changes in 0.6.1 + Generally: this release fixes problems with the 0.4.0 packaging. + Small compilation fix in outgoing.c for Windows builds. +- changes in 0.4.0 + [NOTE: this release misstated itself as 0.5.0; use a later release instead] + Provide authn framework, supporting Basic, Digest, Kerberos (SSPI, GSS), + along with proxy authn using Basic or Digest + Added experimental listener framework, along with test_server.c + Improvements and fixes to SSL support, including connection setup changes + Experimental support for unrequested, arriving ("async") responses + Experimental BWTP support using the async arrival feature + Headers are combined on read (not write), to ease certian classes of parsing + Experimental feature on aggregate buckets for a callback-on-empty + Fix the bucket allocator for when APR is using its pool debugging features + Proxy support in the serf_get testing utility + Fix to include the port number in the Host header + serf_get propagates errors from the response, instead of aborting (Issue 52) + Added serf_lib_version() for runtime version tests +- changes in 0.3.1 + Fix loss of error on request->setup() callback. (Issue 47) + Support APR 2.x. (Issue 48) + Fixed slowdown in aggregate bucket with millions of child buckets. + Avoid hang in apr_pollset_poll() by unclosed connections after fork(). + +------------------------------------------------------------------- +Sun Apr 11 14:26:54 CEST 2010 - [email protected] + +- fix dependencies of libserf-devel package + +------------------------------------------------------------------- +Sun Apr 11 14:26:03 CEST 2010 - [email protected] + +- created .changes: + * Sun Jun 21 2009 Pascal Bleser <[email protected]> 0.3.0 + - update to 0.3.0: + * fix small race condition in OpenSSL initialization (Issue 39) + * handle content streams larger than 4GB on 32-bit OSes (Issue 41) + * fix conn close segfault by explicitly closing conn when pool is destroyed + * expose the depth of the SSL certificate so the validator can use that info + * fix socket address family issue when opening a connection to a proxy + * provide new API to take snapshots of buckets + * implement snapshot API for simple and aggregate buckets + + * Mon Aug 4 2008 Pascal Bleser <[email protected]> 0.2.0 + - new package New: ---- libserf.changes libserf.spec serf-1.1.1-CVE-2014-3504.patch serf-1.1.1.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libserf.spec ++++++ # # spec file for package libserf # # Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: libserf %define soname 0 %define major 1 Version: 1.1.1 Release: 0 Summary: High-Performance Asynchronous HTTP Client Library License: Apache-2.0 Group: System/Libraries Source: https://serf.googlecode.com/files/serf-%{version}.tar.bz2 Patch1: serf-1.1.1-CVE-2014-3504.patch Url: https://serf.googlecode.com BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: autoconf BuildRequires: automake BuildRequires: gcc BuildRequires: glibc-devel BuildRequires: libapr-util1-devel BuildRequires: libapr1-devel BuildRequires: libexpat-devel BuildRequires: libopenssl-devel BuildRequires: libtool BuildRequires: make BuildRequires: openldap2-devel BuildRequires: pkgconfig BuildRequires: zlib-devel %description The serf library is a C-based HTTP client library built upon the Apache Portable Runtime (APR) library. It multiplexes connections, running the read/write communication asynchronously. Memory copies and transformations are kept to a minimum to provide high performance operation. Authors: -------- Greg Stein <[email protected]> Justin Erenkrantz <[email protected]> %package -n libserf-1-0 Summary: High-Performance Asynchronous HTTP Client Library Group: Development/Libraries/C and C++ %description -n libserf-1-0 The serf library is a C-based HTTP client library built upon the Apache Portable Runtime (APR) library. It multiplexes connections, running the read/write communication asynchronously. Memory copies and transformations are kept to a minimum to provide high performance operation. Authors: -------- Greg Stein <[email protected]> Justin Erenkrantz <[email protected]> %package -n libserf-devel Summary: High-Performance Asynchronous HTTP Client Library Group: Development/Libraries/C and C++ Requires: libapr-util1-devel Requires: libapr1-devel Requires: libexpat-devel Requires: libopenssl-devel Requires: libserf-1-0 = %{version} Requires: openldap2-devel Requires: zlib-devel %description -n libserf-devel The serf library is a C-based HTTP client library built upon the Apache Portable Runtime (APR) library. It multiplexes connections, running the read/write communication asynchronously. Memory copies and transformations are kept to a minimum to provide high performance operation. Authors: -------- Greg Stein <[email protected]> Justin Erenkrantz <[email protected]> %prep %setup -q -n "serf-%{version}" %patch1 -p1 %build %configure \ --includedir=%{_includedir}/serf-%{major} make %{?_smp_mflags} %install %makeinstall %__rm -f "%{buildroot}%{_libdir}"/lib*.a %__rm "%{buildroot}%{_libdir}"/lib*.la %check %__make check %post -n libserf-1-0 -p /sbin/ldconfig %postun -n libserf-1-0 -p /sbin/ldconfig %files -n libserf-1-0 %defattr(-,root,root) %doc CHANGES LICENSE NOTICE README %doc design-guide.txt %{_libdir}/libserf-%{major}.so.%{soname} %{_libdir}/libserf-%{major}.so.%{soname}.*.* %files -n libserf-devel %defattr(-,root,root) %_includedir/serf-%major %{_libdir}/libserf-%{major}.so %{_libdir}/pkgconfig/serf-%{major}.pc %changelog ++++++ serf-1.1.1-CVE-2014-3504.patch ++++++ From: Andreas Stieger <[email protected]> Date: Sun, 10 Aug 2014 20:02:04 +0100 Subject: VUL-0: CVE-2014-3504: serf: handling of NUL bytes in fields of an X.509 cert References: bnc#890510 CVE-2014-3504 https://code.google.com/p/serf/source/detail?r=2392 https://code.google.com/p/serf/source/detail?r=2398 --- buckets/ssl_buckets.c | 184 ++++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 148 insertions(+), 36 deletions(-) Index: serf-1.1.1/buckets/ssl_buckets.c =================================================================== --- serf-1.1.1.orig/buckets/ssl_buckets.c 2012-09-11 21:01:04.000000000 +0100 +++ serf-1.1.1/buckets/ssl_buckets.c 2014-08-10 20:01:06.000000000 +0100 @@ -202,6 +202,9 @@ struct serf_ssl_certificate_t { int depth; }; +static char * + pstrdup_escape_nul_bytes(const char *buf, int len, apr_pool_t *pool); + /* Returns the amount read. */ static int bio_bucket_read(BIO *bio, char *in, int inlen) { @@ -390,6 +393,85 @@ static BIO_METHOD bio_file_method = { #endif }; +typedef enum san_copy_t { + EscapeNulAndCopy = 0, + ErrorOnNul = 1, +} san_copy_t; + + +static apr_status_t +get_subject_alt_names(apr_array_header_t **san_arr, X509 *ssl_cert, + san_copy_t copy_action, apr_pool_t *pool) +{ + STACK_OF(GENERAL_NAME) *names; + + /* assert: copy_action == ErrorOnNul || (san_arr && pool) */ + + if (san_arr) { + *san_arr = NULL; + } + + /* Get subjectAltNames */ + names = X509_get_ext_d2i(ssl_cert, NID_subject_alt_name, NULL, NULL); + if (names) { + int names_count = sk_GENERAL_NAME_num(names); + int name_idx; + + if (san_arr) + *san_arr = apr_array_make(pool, names_count, sizeof(char*)); + for (name_idx = 0; name_idx < names_count; name_idx++) { + char *p = NULL; + GENERAL_NAME *nm = sk_GENERAL_NAME_value(names, name_idx); + + switch (nm->type) { + case GEN_DNS: + if (copy_action == ErrorOnNul && + strlen(nm->d.ia5->data) != nm->d.ia5->length) + return SERF_ERROR_SSL_CERT_FAILED; + if (san_arr && *san_arr) + p = pstrdup_escape_nul_bytes((const char *)nm->d.ia5->data, + nm->d.ia5->length, + pool); + break; + default: + /* Don't know what to do - skip. */ + break; + } + + if (p) { + APR_ARRAY_PUSH(*san_arr, char*) = p; + } + } + sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free); + } + + return APR_SUCCESS; +} + +static apr_status_t validate_cert_hostname(X509 *server_cert, apr_pool_t *pool) +{ + char buf[1024]; + int length; + apr_status_t ret; + + ret = get_subject_alt_names(NULL, server_cert, ErrorOnNul, NULL); + if (ret) { + return ret; + } else { + /* Fail if the subject's CN field contains \0 characters. */ + X509_NAME *subject = X509_get_subject_name(server_cert); + if (!subject) + return SERF_ERROR_SSL_CERT_FAILED; + + length = X509_NAME_get_text_by_NID(subject, NID_commonName, buf, 1024); + if (length != -1) + if (strlen(buf) != length) + return SERF_ERROR_SSL_CERT_FAILED; + } + + return APR_SUCCESS; +} + static int validate_server_certificate(int cert_valid, X509_STORE_CTX *store_ctx) { @@ -398,6 +480,7 @@ validate_server_certificate(int cert_val X509 *server_cert; int err, depth; int failures = 0; + apr_status_t status; ssl = X509_STORE_CTX_get_ex_data(store_ctx, SSL_get_ex_data_X509_STORE_CTX_idx()); @@ -434,6 +517,11 @@ validate_server_certificate(int cert_val } } + /* Validate hostname */ + status = validate_cert_hostname(server_cert, ctx->pool); + if (status) + failures |= SERF_SSL_CERT_UNKNOWN_FAILURE; + /* Check certificate expiry dates. */ if (X509_cmp_current_time(X509_get_notBefore(server_cert)) >= 0) { failures |= SERF_SSL_CERT_NOTYETVALID; @@ -444,7 +532,6 @@ validate_server_certificate(int cert_val if (ctx->server_cert_callback && (depth == 0 || failures)) { - apr_status_t status; serf_ssl_certificate_t *cert; apr_pool_t *subpool; @@ -467,7 +554,6 @@ validate_server_certificate(int cert_val if (ctx->server_cert_chain_callback && (depth == 0 || failures)) { - apr_status_t status; STACK_OF(X509) *chain; const serf_ssl_certificate_t **certs; int certs_len; @@ -1367,7 +1453,50 @@ serf_ssl_context_t *serf_bucket_ssl_encr /* Functions to read a serf_ssl_certificate structure. */ -/* Creates a hash_table with keys (E, CN, OU, O, L, ST and C). */ +/* Takes a counted length string and escapes any NUL bytes so that + * it can be used as a C string. NUL bytes are escaped as 3 characters + * "\00" (that's a literal backslash). + * The returned string is allocated in POOL. + */ +static char * +pstrdup_escape_nul_bytes(const char *buf, int len, apr_pool_t *pool) +{ + int i, nul_count = 0; + char *ret; + + /* First determine if there are any nul bytes in the string. */ + for (i = 0; i < len; i++) { + if (buf[i] == '\0') + nul_count++; + } + + if (nul_count == 0) { + /* There aren't so easy case to just copy the string */ + ret = apr_pstrdup(pool, buf); + } else { + /* There are so we have to replace nul bytes with escape codes + * Proper length is the length of the original string, plus + * 2 times the number of nulls (for two digit hex code for + * the value) + the trailing null. */ + char *pos; + ret = pos = apr_palloc(pool, len + 2 * nul_count + 1); + for (i = 0; i < len; i++) { + if (buf[i] != '\0') { + *(pos++) = buf[i]; + } else { + *(pos++) = '\\'; + *(pos++) = '0'; + *(pos++) = '0'; + } + } + *pos = '\0'; + } + + return ret; +} + +/* Creates a hash_table with keys (E, CN, OU, O, L, ST and C). Any NUL bytes in + these fields in the certificate will be escaped as \00. */ static apr_hash_t * convert_X509_NAME_to_table(X509_NAME *org, apr_pool_t *pool) { @@ -1380,37 +1509,44 @@ convert_X509_NAME_to_table(X509_NAME *or NID_commonName, buf, 1024); if (ret != -1) - apr_hash_set(tgt, "CN", APR_HASH_KEY_STRING, apr_pstrdup(pool, buf)); + apr_hash_set(tgt, "CN", APR_HASH_KEY_STRING, + pstrdup_escape_nul_bytes(buf, ret, pool)); ret = X509_NAME_get_text_by_NID(org, NID_pkcs9_emailAddress, buf, 1024); if (ret != -1) - apr_hash_set(tgt, "E", APR_HASH_KEY_STRING, apr_pstrdup(pool, buf)); + apr_hash_set(tgt, "E", APR_HASH_KEY_STRING, + pstrdup_escape_nul_bytes(buf, ret, pool)); ret = X509_NAME_get_text_by_NID(org, NID_organizationalUnitName, buf, 1024); if (ret != -1) - apr_hash_set(tgt, "OU", APR_HASH_KEY_STRING, apr_pstrdup(pool, buf)); + apr_hash_set(tgt, "OU", APR_HASH_KEY_STRING, + pstrdup_escape_nul_bytes(buf, ret, pool)); ret = X509_NAME_get_text_by_NID(org, NID_organizationName, buf, 1024); if (ret != -1) - apr_hash_set(tgt, "O", APR_HASH_KEY_STRING, apr_pstrdup(pool, buf)); + apr_hash_set(tgt, "O", APR_HASH_KEY_STRING, + pstrdup_escape_nul_bytes(buf, ret, pool)); ret = X509_NAME_get_text_by_NID(org, NID_localityName, buf, 1024); if (ret != -1) - apr_hash_set(tgt, "L", APR_HASH_KEY_STRING, apr_pstrdup(pool, buf)); + apr_hash_set(tgt, "L", APR_HASH_KEY_STRING, + pstrdup_escape_nul_bytes(buf, ret, pool)); ret = X509_NAME_get_text_by_NID(org, NID_stateOrProvinceName, buf, 1024); if (ret != -1) - apr_hash_set(tgt, "ST", APR_HASH_KEY_STRING, apr_pstrdup(pool, buf)); + apr_hash_set(tgt, "ST", APR_HASH_KEY_STRING, + pstrdup_escape_nul_bytes(buf, ret, pool)); ret = X509_NAME_get_text_by_NID(org, NID_countryName, buf, 1024); if (ret != -1) - apr_hash_set(tgt, "C", APR_HASH_KEY_STRING, apr_pstrdup(pool, buf)); + apr_hash_set(tgt, "C", APR_HASH_KEY_STRING, + pstrdup_escape_nul_bytes(buf, ret, pool)); return tgt; } @@ -1456,7 +1592,7 @@ apr_hash_t *serf_ssl_cert_certificate( unsigned int md_size, i; unsigned char md[EVP_MAX_MD_SIZE]; BIO *bio; - STACK_OF(GENERAL_NAME) *names; + apr_array_header_t *san_arr; /* sha1 fingerprint */ if (X509_digest(cert->ssl_cert, EVP_sha1(), md, &md_size)) { @@ -1501,32 +1637,8 @@ apr_hash_t *serf_ssl_cert_certificate( BIO_free(bio); /* Get subjectAltNames */ - names = X509_get_ext_d2i(cert->ssl_cert, NID_subject_alt_name, NULL, NULL); - if (names) { - int names_count = sk_GENERAL_NAME_num(names); - - apr_array_header_t *san_arr = apr_array_make(pool, names_count, - sizeof(char*)); + if (!get_subject_alt_names(&san_arr, cert->ssl_cert, EscapeNulAndCopy, pool)) apr_hash_set(tgt, "subjectAltName", APR_HASH_KEY_STRING, san_arr); - for (i = 0; i < names_count; i++) { - char *p = NULL; - GENERAL_NAME *nm = sk_GENERAL_NAME_value(names, i); - - switch (nm->type) { - case GEN_DNS: - p = apr_pstrmemdup(pool, (const char *)nm->d.ia5->data, - nm->d.ia5->length); - break; - default: - /* Don't know what to do - skip. */ - break; - } - if (p) { - APR_ARRAY_PUSH(san_arr, char*) = p; - } - } - sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free); - } return tgt; } -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
