Author: arekm Date: Tue Jul 28 15:45:00 2009 GMT Module: packages Tag: HEAD ---- Log message: - rel 2; fixes CVE-2009-1377 CVE-2009-1378 CVE-2009-1379; enable tlsext and rfc3779
---- Files affected: packages/openssl: openssl.spec (1.204 -> 1.205) , openssl-CVE-2009-1377-1378-1379.patch (NONE -> 1.1) (NEW) ---- Diffs: ================================================================ Index: packages/openssl/openssl.spec diff -u packages/openssl/openssl.spec:1.204 packages/openssl/openssl.spec:1.205 --- packages/openssl/openssl.spec:1.204 Tue Jul 28 16:08:06 2009 +++ packages/openssl/openssl.spec Tue Jul 28 17:44:54 2009 @@ -16,7 +16,7 @@ Summary(uk.UTF-8): Бібліотеки та утиліти для з'єднань через Secure Sockets Layer Name: openssl Version: 0.9.8k -Release: 1 +Release: 2 License: Apache-like Group: Libraries Source0: ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz @@ -33,13 +33,8 @@ Patch6: %{name}-asflag.patch Patch7: %{name}-ca-certificates.patch Patch8: %{name}-fips_install.patch +Patch9: %{name}-CVE-2009-1377-1378-1379.patch URL: http://www.openssl.org/ -# problem with =< 1.0.0beta2 -# Fixes should be in sourcecode -BuildRequires: security(CVE-2009-1377) -BuildRequires: security(CVE-2009-1378) -BuildRequires: security(CVE-2009-1379) -## BuildRequires: bc BuildRequires: perl-devel >= 1:5.6.1 BuildRequires: rpm-perlprov >= 4.1-13 @@ -208,6 +203,7 @@ %patch6 -p1 %patch7 -p1 %patch8 -p0 +%patch9 -p1 %{__perl} -pi -e 's#%{_prefix}/local/bin/perl#%{__perl}#g' \ `grep -l -r "%{_prefix}/local/bin/perl" *` @@ -228,7 +224,13 @@ %endif --lib=%{_lib} \ shared threads \ - enable-mdc2 enable-rc5 enable-tlsext \ + enable-tlsext \ + enable-seed \ + enable-rfc3779 \ + enable-cms \ + enable-idea \ + enable-mdc2 \ + enable-rc5 \ %ifarch %{ix86} %ifarch i386 386 linux-elf @@ -453,6 +455,9 @@ All persons listed below can be reached at <cvs_login>@pld-linux.org $Log$ +Revision 1.205 2009/07/28 15:44:54 arekm +- rel 2; fixes CVE-2009-1377 CVE-2009-1378 CVE-2009-1379; enable tlsext and rfc3779 + Revision 1.204 2009/07/28 14:08:06 arekm - enable tlsext ================================================================ Index: packages/openssl/openssl-CVE-2009-1377-1378-1379.patch diff -u /dev/null packages/openssl/openssl-CVE-2009-1377-1378-1379.patch:1.1 --- /dev/null Tue Jul 28 17:45:00 2009 +++ packages/openssl/openssl-CVE-2009-1377-1378-1379.patch Tue Jul 28 17:44:54 2009 @@ -0,0 +1,83 @@ +diff -up openssl-0.9.8k/crypto/pqueue/pqueue.c.dtls-dos openssl-0.9.8k/crypto/pqueue/pqueue.c +--- openssl-0.9.8k/crypto/pqueue/pqueue.c.dtls-dos 2005-06-28 14:53:33.000000000 +0200 ++++ openssl-0.9.8k/crypto/pqueue/pqueue.c 2009-05-21 18:26:29.000000000 +0200 +@@ -234,3 +234,17 @@ pqueue_next(pitem **item) + + return ret; + } ++ ++int ++pqueue_size(pqueue_s *pq) ++{ ++ pitem *item = pq->items; ++ int count = 0; ++ ++ while(item != NULL) ++ { ++ count++; ++ item = item->next; ++ } ++ return count; ++} +diff -up openssl-0.9.8k/crypto/pqueue/pqueue.h.dtls-dos openssl-0.9.8k/crypto/pqueue/pqueue.h +--- openssl-0.9.8k/crypto/pqueue/pqueue.h.dtls-dos 2009-04-21 11:43:58.000000000 +0200 ++++ openssl-0.9.8k/crypto/pqueue/pqueue.h 2009-05-21 18:26:29.000000000 +0200 +@@ -91,5 +91,6 @@ pitem *pqueue_iterator(pqueue pq); + pitem *pqueue_next(piterator *iter); + + void pqueue_print(pqueue pq); ++int pqueue_size(pqueue pq); + + #endif /* ! HEADER_PQUEUE_H */ +diff -up openssl-0.9.8k/ssl/d1_both.c.dtls-dos openssl-0.9.8k/ssl/d1_both.c +--- openssl-0.9.8k/ssl/d1_both.c.dtls-dos 2007-10-17 23:17:49.000000000 +0200 ++++ openssl-0.9.8k/ssl/d1_both.c 2009-05-21 18:26:29.000000000 +0200 +@@ -519,6 +519,7 @@ dtls1_retrieve_buffered_fragment(SSL *s, + + if ( s->d1->handshake_read_seq == frag->msg_header.seq) + { ++ unsigned long frag_len = frag->msg_header.frag_len; + pqueue_pop(s->d1->buffered_messages); + + al=dtls1_preprocess_fragment(s,&frag->msg_header,max); +@@ -536,7 +537,7 @@ dtls1_retrieve_buffered_fragment(SSL *s, + if (al==0) + { + *ok = 1; +- return frag->msg_header.frag_len; ++ return frag_len; + } + + ssl3_send_alert(s,SSL3_AL_FATAL,al); +@@ -561,7 +562,16 @@ dtls1_process_out_of_seq_message(SSL *s, + if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len) + goto err; + +- if (msg_hdr->seq <= s->d1->handshake_read_seq) ++ /* Try to find item in queue, to prevent duplicate entries */ ++ pq_64bit_init(&seq64); ++ pq_64bit_assign_word(&seq64, msg_hdr->seq); ++ item = pqueue_find(s->d1->buffered_messages, seq64); ++ pq_64bit_free(&seq64); ++ ++ /* Discard the message if sequence number was already there, is ++ * too far in the future or the fragment is already in the queue */ ++ if (msg_hdr->seq <= s->d1->handshake_read_seq || ++ msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL) + { + unsigned char devnull [256]; + +diff -up openssl-0.9.8k/ssl/d1_pkt.c.dtls-dos openssl-0.9.8k/ssl/d1_pkt.c +--- openssl-0.9.8k/ssl/d1_pkt.c.dtls-dos 2009-04-21 11:44:02.000000000 +0200 ++++ openssl-0.9.8k/ssl/d1_pkt.c 2009-05-21 18:26:29.000000000 +0200 +@@ -167,6 +167,10 @@ dtls1_buffer_record(SSL *s, record_pqueu + DTLS1_RECORD_DATA *rdata; + pitem *item; + ++ /* Limit the size of the queue to prevent DOS attacks */ ++ if (pqueue_size(queue->q) >= 100) ++ return 0; ++ + rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA)); + item = pitem_new(priority, rdata); + if (rdata == NULL || item == NULL) ================================================================ ---- CVS-web: http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/openssl/openssl.spec?r1=1.204&r2=1.205&f=u _______________________________________________ pld-cvs-commit mailing list [email protected] http://lists.pld-linux.org/mailman/listinfo/pld-cvs-commit
