Hello community,

here is the log from the commit of package openssl for openSUSE:Factory checked 
in at 2012-08-26 14:22:07
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openssl (Old)
 and      /work/SRC/openSUSE:Factory/.openssl.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "openssl", Maintainer is "g...@suse.com"

Changes:
--------
--- /work/SRC/openSUSE:Factory/openssl/openssl.changes  2012-08-08 
11:18:04.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes     2012-08-26 
14:22:13.000000000 +0200
@@ -1,0 +2,7 @@
+Sun Aug 19 23:38:32 UTC 2012 - crrodrig...@opensuse.org
+
+- Open Internal file descriptors with O_CLOEXEC, leaving
+  those open across fork()..execve() makes a perfect
+  vector for a side-channel attack... 
+
+-------------------------------------------------------------------

New:
----
  openssl-ocloexec.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ openssl.spec ++++++
--- /var/tmp/diff_new_pack.ncRTax/_old  2012-08-26 14:22:14.000000000 +0200
+++ /var/tmp/diff_new_pack.ncRTax/_new  2012-08-26 14:22:14.000000000 +0200
@@ -46,6 +46,7 @@
 Patch0:         merge_from_0.9.8k.patch
 Patch1:         openssl-1.0.0-c_rehash-compat.diff
 Patch2:         bug610223.patch
+Patch3:         openssl-ocloexec.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -174,6 +175,7 @@
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
+%patch3
 cp -p %{S:10} .
 echo "adding/overwriting some entries in the 'table' hash in Configure"
 # 
$dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags
@@ -366,11 +368,9 @@
 %clean
 if ! test -f /.buildenv; then rm -rf $RPM_BUILD_ROOT; fi
 
-%post -n libopenssl1_0_0
-/sbin/ldconfig
+%post -n libopenssl1_0_0 -p /sbin/ldconfig
 
-%postun -n libopenssl1_0_0
-/sbin/ldconfig
+%postun -n libopenssl1_0_0 -p /sbin/ldconfig
 
 %files -n libopenssl1_0_0
 %defattr(-, root, root)

++++++ openssl-ocloexec.patch ++++++
--- crypto/bio/b_sock.c.orig
+++ crypto/bio/b_sock.c
@@ -735,7 +735,7 @@ int BIO_get_accept_socket(char *host, in
                }
 
 again:
-       s=socket(server.sa.sa_family,SOCK_STREAM,SOCKET_PROTOCOL);
+       s=socket(server.sa.sa_family,SOCK_STREAM|SOCK_CLOEXEC,SOCKET_PROTOCOL);
        if (s == INVALID_SOCKET)
                {
                SYSerr(SYS_F_SOCKET,get_last_socket_error());
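Review bot: `SOCK_CLOEXEC` is OR-ed into the socket() type argument unguarded at the `s=socket(server.sa.sa_family,SOCK_STREAM|SOCK_CLOEXEC,SOCKET_PROTOCOL);` line, yet the surrounding `INVALID_SOCKET`/`get_last_socket_error()` abstractions show this file is also built on platforms where that flag does not exist, and kernels that predate it reject the call with EINVAL. A fallback keeps the change harmless where the flag is missing: `#ifndef SOCK_CLOEXEC` / `#define SOCK_CLOEXEC 0` / `#endif` near the top of the file. The same applies to the `cs=socket(...)` hunk below and to the `ret=socket(...)` hunk in bss_conn.c. Descriptors returned by accept() are presumably not covered by this patch, so an accepted connection would still stay open across execve(); worth confirming against the rest of the file. BIO_get_accept_socket begins outside the hunk.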
@@ -784,7 +784,7 @@ again:
                                        }
                                else    goto err;
                                }
-                       
cs=socket(client.sa.sa_family,SOCK_STREAM,SOCKET_PROTOCOL);
+                       
cs=socket(client.sa.sa_family,SOCK_STREAM|SOCK_CLOEXEC,SOCKET_PROTOCOL);
                        if (cs != INVALID_SOCKET)
                                {
                                int ii;
--- crypto/bio/bss_conn.c.orig
+++ crypto/bio/bss_conn.c
@@ -209,7 +209,7 @@ static int conn_state(BIO *b, BIO_CONNEC
                        c->them.sin_addr.s_addr=htonl(l);
                        c->state=BIO_CONN_S_CREATE_SOCKET;
 
-                       ret=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL);
+                       
ret=socket(AF_INET,SOCK_STREAM|SOCK_CLOEXEC,SOCKET_PROTOCOL);
                        if (ret == INVALID_SOCKET)
                                {
                                SYSerr(SYS_F_SOCKET,get_last_socket_error());
--- crypto/bio/bss_dgram.c.orig
+++ crypto/bio/bss_dgram.c
@@ -999,7 +999,7 @@ static int dgram_sctp_read(BIO *b, char
                        msg.msg_control = cmsgbuf;
                        msg.msg_controllen = 512;
                        msg.msg_flags = 0;
-                       n = recvmsg(b->num, &msg, 0);
+                       n = recvmsg(b->num, &msg, MSG_CMSG_CLOEXEC);
 
                        if (msg.msg_controllen > 0)
                                {
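Review bot: `MSG_CMSG_CLOEXEC` at the `n = recvmsg(b->num, &msg, MSG_CMSG_CLOEXEC);` line only affects descriptors received as SCM_RIGHTS ancillary data, which an SCTP data or notification read presumably never carries, so the flag is a no-op here; in the `BIO_dgram_sctp_wait_for_dry` hunks below `msg.msg_controllen` is even set to 0, so no ancillary data can arrive at all. The flag is also Linux-specific and unguarded, so it needs the same `#ifndef MSG_CMSG_CLOEXEC` / `#define MSG_CMSG_CLOEXEC 0` / `#endif` fallback as the other flags this patch introduces. Spacing is inconsistent between `MSG_PEEK| MSG_CMSG_CLOEXEC` and `MSG_PEEK | MSG_CMSG_CLOEXEC` across the later hunks; pick one form. dgram_sctp_read starts and ends outside the hunk.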
@@ -1560,7 +1560,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b)
        msg.msg_controllen = 0;
        msg.msg_flags = 0;
 
-       n = recvmsg(b->num, &msg, MSG_PEEK);
+       n = recvmsg(b->num, &msg, MSG_PEEK| MSG_CMSG_CLOEXEC);
        if (n <= 0)
                {
                if ((n < 0) && (get_last_socket_error() != EAGAIN) && 
(get_last_socket_error() != EWOULDBLOCK))
@@ -1583,7 +1583,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b)
                msg.msg_controllen = 0;
                msg.msg_flags = 0;
 
-               n = recvmsg(b->num, &msg, 0);
+               n = recvmsg(b->num, &msg, MSG_CMSG_CLOEXEC);
                if (n <= 0)
                        {
                        if ((n < 0) && (get_last_socket_error() != EAGAIN) && 
(get_last_socket_error() != EWOULDBLOCK))
@@ -1644,7 +1644,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b)
                        fcntl(b->num, F_SETFL, O_NONBLOCK);
                        }
 
-               n = recvmsg(b->num, &msg, MSG_PEEK);
+               n = recvmsg(b->num, &msg, MSG_PEEK | MSG_CMSG_CLOEXEC);
 
                if (is_dry)
                        {
@@ -1688,7 +1688,7 @@ int BIO_dgram_sctp_msg_waiting(BIO *b)
 
                sockflags = fcntl(b->num, F_GETFL, 0);
                fcntl(b->num, F_SETFL, O_NONBLOCK);
-               n = recvmsg(b->num, &msg, MSG_PEEK);
+               n = recvmsg(b->num, &msg, MSG_PEEK | MSG_CMSG_CLOEXEC);
                fcntl(b->num, F_SETFL, sockflags);
 
                /* if notification, process and try again */
@@ -1709,7 +1709,7 @@ int BIO_dgram_sctp_msg_waiting(BIO *b)
                        msg.msg_control = NULL;
                        msg.msg_controllen = 0;
                        msg.msg_flags = 0;
-                       n = recvmsg(b->num, &msg, 0);
+                       n = recvmsg(b->num, &msg, MSG_CMSG_CLOEXEC);
 
                        if (data->handle_notifications != NULL)
                                data->handle_notifications(b, 
data->notification_context, (void*) &snp);
--- crypto/bio/bss_file.c.orig
+++ crypto/bio/bss_file.c
@@ -120,6 +120,10 @@ BIO *BIO_new_file(const char *filename,
        {
        BIO  *ret;
        FILE *file=NULL;
+    size_t modelen = strlen (mode);
+    char newmode[modelen + 2];
+
+    memcpy (mempcpy (newmode, mode, modelen), "e", 2);
 
 #if defined(_WIN32) && defined(CP_UTF8)
        int sz, len_0 = (int)strlen(filename)+1;
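Review bot: `mempcpy` in `memcpy (mempcpy (newmode, mode, modelen), "e", 2);` is a GNU libc extension and `char newmode[modelen + 2];` is a VLA, neither of which the surrounding function otherwise relies on, and `newmode` is built even on the `_WIN32`/`CP_UTF8` path that still calls `fopen(filename,mode)` in the next hunk, where it becomes an unused variable. Two plain calls do the same job without the extension: `memcpy(newmode, mode, modelen);` then `memcpy(newmode + modelen, "e", 2);`. The `"e"` mode letter is itself a glibc extension, so other C libraries may reject the resulting mode string as invalid. The new lines also use four-space indentation and `strlen (mode)` with a space before the parenthesis, unlike the tab-indented `strlen(filename)` style of the rest of the function. BIO_new_file's signature and the remainder of its body are outside the hunk.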
@@ -162,7 +166,7 @@ BIO *BIO_new_file(const char *filename,
                file = fopen(filename,mode);
                }
 #else
-       file=fopen(filename,mode);      
+       file=fopen(filename,newmode);   
 #endif
        if (file == NULL)
                {
@@ -275,7 +279,7 @@ static long MS_CALLBACK file_ctrl(BIO *b
        long ret=1;
        FILE *fp=(FILE *)b->ptr;
        FILE **fpp;
-       char p[4];
+       char p[5];
 
        switch (cmd)
                {
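Review bot: The bump to `char p[5];` is only correct together with the `strcat(p, "e");` added in the next hunk, and nothing at the declaration records why five bytes suffice, so the next addition to the mode string will silently overflow the buffer. A sizing comment at the declaration ties the two hunks together, e.g. `char p[5]; /* mode letter, optional '+', 'b'/'t', 'e', NUL */`. Which letters precede the `"t"` visible in the second hunk is outside this view, so confirm the count against the full strcat chain. file_ctrl's body continues outside the hunk.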
@@ -392,6 +396,8 @@ static long MS_CALLBACK file_ctrl(BIO *b
                else
                        strcat(p,"t");
 #endif
+               strcat(p, "e");
+
                fp=fopen(ptr,p);
                if (fp == NULL)
                        {
--- crypto/rand/rand_unix.c.orig
+++ crypto/rand/rand_unix.c
@@ -262,7 +262,7 @@ int RAND_poll(void)
        for (i = 0; (i < sizeof(randomfiles)/sizeof(randomfiles[0])) &&
                        (n < ENTROPY_NEEDED); i++)
                {
-               if ((fd = open(randomfiles[i], O_RDONLY
+               if ((fd = open(randomfiles[i], O_RDONLY | O_CLOEXEC
 #ifdef O_NONBLOCK
                        |O_NONBLOCK
 #endif
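Review bot: `O_CLOEXEC` is OR-ed in unconditionally at the `if ((fd = open(randomfiles[i], O_RDONLY | O_CLOEXEC` line while the adjacent `O_NONBLOCK` is wrapped in `#ifdef O_NONBLOCK`; the same portability reason applies to both, since O_CLOEXEC is the newer flag and older headers lack it. Guard it the same way, with `#ifdef O_CLOEXEC` / `|O_CLOEXEC` / `#endif` on lines of their own, matching the O_NONBLOCK block. The same unguarded use appears in the `RAND_write_file` open() hunk in randfile.c. RAND_poll's loop body continues outside the hunk.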
--- crypto/rand/randfile.c.orig
+++ crypto/rand/randfile.c
@@ -134,7 +134,7 @@ int RAND_load_file(const char *file, lon
 #ifdef OPENSSL_SYS_VMS
        in=vms_fopen(file,"rb",VMS_OPEN_ATTRS);
 #else
-       in=fopen(file,"rb");
+       in=fopen(file,"rbe");
 #endif
        if (in == NULL) goto err;
 #if defined(S_IFBLK) && defined(S_IFCHR) && !defined(OPENSSL_NO_POSIX_IO)
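Review bot: The `"e"` in `in=fopen(file,"rbe");` is a glibc-specific mode flag that other C libraries may reject as an invalid mode, and unlike the `#ifdef OPENSSL_SYS_VMS` branch directly above it is not made conditional on the platform. The `open(..., O_CLOEXEC, 0600)` followed by `fdopen()` pattern used in the RAND_write_file hunk below is the portable way to get the same effect where the flag exists, and would equally cover the `out = fopen(file,"wbe");` hunk. RAND_load_file continues outside the hunk.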
@@ -207,7 +207,7 @@ int RAND_write_file(const char *file)
 #endif
        /* chmod(..., 0600) is too late to protect the file,
         * permissions should be restrictive from the start */
-       int fd = open(file, O_WRONLY|O_CREAT|O_BINARY, 0600);
+       int fd = open(file, O_WRONLY|O_CREAT|O_BINARY|O_CLOEXEC, 0600);
        if (fd != -1)
                out = fdopen(fd, "wb");
        }
@@ -238,7 +238,7 @@ int RAND_write_file(const char *file)
                out = vms_fopen(file,"wb",VMS_OPEN_ATTRS);
 #else
        if (out == NULL)
-               out = fopen(file,"wb");
+               out = fopen(file,"wbe");
 #endif
        if (out == NULL) goto err;
 