Bug#827054: jessie-pu: package openssl/1.0.1t-1+deb8u3
Control: tags -1 + pending

On Sun, 2016-09-04 at 18:01 +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Tue, 2016-08-23 at 21:47 +0200, Kurt Roeckx wrote:
> > The current debdiff we'd like to upload is:
> > diff -Nru openssl-1.0.1t/debian/changelog openssl-1.0.1t/debian/changelog
> > --- openssl-1.0.1t/debian/changelog 2016-05-15 21:16:55.0 +0200
> > +++ openssl-1.0.1t/debian/changelog 2016-06-11 19:18:11.0 +0200
> > @@ -1,3 +1,14 @@
> > +openssl (1.0.1t-1+deb8u3) jessie; urgency=medium
> > +
> > + [ Kurt Roeckx ]
> > + * Fix length check for CRLs. (Closes: #826552)
> > +
> > + [ Sebastian Andrzej Siewior ]
> > + * Enable asm optimisation for s390x. Patch by Dimitri John Ledkov.
> > +(Closes: #833156).
> 
> Please go ahead.

Uploaded and flagged for acceptance.

Regards,

Adam
Processed: Re: Bug#827054: jessie-pu: package openssl/1.0.1t-1+deb8u3
Processing control commands:

> tags -1 + pending
Bug #827054 [release.debian.org] jessie-pu: package openssl/1.0.1t-1+deb8u3
Added tag(s) pending.

--
827054: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=827054
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#827054: jessie-pu: package openssl/1.0.1t-1+deb8u3
Control: tags -1 + confirmed

On Tue, 2016-08-23 at 21:47 +0200, Kurt Roeckx wrote:
> The current debdiff we'd like to upload is:
> diff -Nru openssl-1.0.1t/debian/changelog openssl-1.0.1t/debian/changelog
> --- openssl-1.0.1t/debian/changelog 2016-05-15 21:16:55.0 +0200
> +++ openssl-1.0.1t/debian/changelog 2016-06-11 19:18:11.0 +0200
> @@ -1,3 +1,14 @@
> +openssl (1.0.1t-1+deb8u3) jessie; urgency=medium
> +
> + [ Kurt Roeckx ]
> + * Fix length check for CRLs. (Closes: #826552)
> +
> + [ Sebastian Andrzej Siewior ]
> + * Enable asm optimisation for s390x. Patch by Dimitri John Ledkov.
> +(Closes: #833156).

Please go ahead.

Regards,

Adam
Processed: Re: Bug#827054: jessie-pu: package openssl/1.0.1t-1+deb8u3
Processing control commands:

> tags -1 + confirmed
Bug #827054 [release.debian.org] jessie-pu: package openssl/1.0.1t-1+deb8u3
Added tag(s) confirmed.

--
827054: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=827054
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#827054: jessie-pu: package openssl/1.0.1t-1+deb8u3
On Tue, Aug 23, 2016 at 09:47:22PM +0200, Kurt Roeckx wrote:
> The current debdiff we'd like to upload is:
> diff -Nru openssl-1.0.1t/debian/changelog openssl-1.0.1t/debian/changelog
> --- openssl-1.0.1t/debian/changelog 2016-05-15 21:16:55.0 +0200
> +++ openssl-1.0.1t/debian/changelog 2016-06-11 19:18:11.0 +0200
> @@ -1,3 +1,14 @@
> +openssl (1.0.1t-1+deb8u3) jessie; urgency=medium
> +
> + [ Kurt Roeckx ]
> + * Fix length check for CRLs. (Closes: #826552)
> +
> + [ Sebastian Andrzej Siewior ]
> + * Enable asm optimisation for s390x. Patch by Dimitri John Ledkov.
> +(Closes: #833156).
> +
> + -- Kurt RoeckxSat, 11 Jun 2016 19:18:11 +0200
> +
> openssl (1.0.1t-1+deb8u2) jessie; urgency=medium

Ping?

Kurt
Bug#827054: jessie-pu: package openssl/1.0.1t-1+deb8u3
The current debdiff we'd like to upload is: diff -Nru openssl-1.0.1t/debian/changelog openssl-1.0.1t/debian/changelog --- openssl-1.0.1t/debian/changelog 2016-05-15 21:16:55.0 +0200 +++ openssl-1.0.1t/debian/changelog 2016-06-11 19:18:11.0 +0200 @@ -1,3 +1,14 @@ +openssl (1.0.1t-1+deb8u3) jessie; urgency=medium + + [ Kurt Roeckx ] + * Fix length check for CRLs. (Closes: #826552) + + [ Sebastian Andrzej Siewior ] + * Enable asm optimisation for s390x. Patch by Dimitri John Ledkov. +(Closes: #833156). + + -- Kurt RoeckxSat, 11 Jun 2016 19:18:11 +0200 + openssl (1.0.1t-1+deb8u2) jessie; urgency=medium * add Update-S-MIME-certificates.patch to update expired certificates to diff -Nru openssl-1.0.1t/debian/patches/debian-targets.patch openssl-1.0.1t/debian/patches/debian-targets.patch --- openssl-1.0.1t/debian/patches/debian-targets.patch 2016-05-01 23:53:42.0 +0200 +++ openssl-1.0.1t/debian/patches/debian-targets.patch 2016-06-11 19:18:11.0 +0200 
@@ -56,7 +56,7 @@ +"debian-ppc64","gcc:-m64 -DB_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-ppc64el","gcc:-m64 -DL_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64le:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-s390","gcc:-DB_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -+"debian-s390x","gcc:-DB_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"debian-s390x","gcc:-DB_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-sh3", "gcc:-DL_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-sh4", "gcc:-DL_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-sh3eb", "gcc:-DB_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", diff -Nru openssl-1.0.1t/debian/patches/Fix-name-length-limit-check.patch openssl-1.0.1t/debian/patches/Fix-name-length-limit-check.patch --- openssl-1.0.1t/debian/patches/Fix-name-length-limit-check.patch 1970-01-01 01:00:00.0 +0100 +++ openssl-1.0.1t/debian/patches/Fix-name-length-limit-check.patch 2016-06-11 19:16:05.0 +0200 
@@ -0,0 +1,40 @@ +From b583c1bd069f6928c3973dc6d6864930f6c4bb3e Mon Sep 17 00:00:00 2001 +From: "Dr. Stephen Henson" +Date: Wed, 4 May 2016 16:09:06 +0100 +Subject: [PATCH] Fix name length limit check. + +The name length limit check in x509_name_ex_d2i() includes +the containing structure as well as the actual X509_NAME. This will +cause large CRLs to be rejected. + +Fix by limiting the length passed to ASN1_item_ex_d2i() which will +then return an error if the passed X509_NAME exceeds the length. + +RT#4531 + +Reviewed-by: Rich Salz +(cherry picked from commit 4e0d184ac1dde845ba9574872e2ae5c903c81dff) +--- + crypto/asn1/x_name.c | 6 ++ + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/crypto/asn1/x_name.c b/crypto/asn1/x_name.c +index a858c29..26378fd 100644 +--- a/crypto/asn1/x_name.c b/crypto/asn1/x_name.c +@@ -199,10 +199,8 @@ static int x509_name_ex_d2i(ASN1_VALUE **val, + int i, j, ret; + STACK_OF(X509_NAME_ENTRY) *entries; + X509_NAME_ENTRY *entry; +-if (len > X509_NAME_MAX) { +-ASN1err(ASN1_F_X509_NAME_EX_D2I, ASN1_R_TOO_LONG); +-return 0; +-} ++if (len > X509_NAME_MAX) ++len = X509_NAME_MAX; + q = p; + + /* Get internal representation of Name */ +-- +2.8.1 + diff -Nru openssl-1.0.1t/debian/patches/series openssl-1.0.1t/debian/patches/series --- openssl-1.0.1t/debian/patches/series2016-05-15 21:16:55.0 +0200 +++ openssl-1.0.1t/debian/patches/series2016-06-11 19:18:11.0 +0200 @@ -20,3 +20,4 @@ openssl_fix_for_x32.patch ppc64el.patch Update-S-MIME-certificates.patch +Fix-name-length-limit-check.patch
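Review bot: The changelog entry "Fix length check for CRLs. (Closes: #826552)" does not say this is a regression fix, although the opening request describes it as one, and it omits the upstream reference that the patch header carries (RT#4531, cherry-pick of 4e0d184ac1dde845ba9574872e2ae5c903c81dff); a short pointer in the changelog line, for example "Fix name length limit check that rejected large CRLs (upstream RT#4531)", lets someone auditing the stable update find the upstream rationale without opening the patch.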
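Review bot: In the debian-targets.patch hunk the debian-s390x line switches from ${no_asm} to ${s390x_asm} and gains a ":64" field, but nothing in the visible context shows ${s390x_asm} being defined in the patched Configure, and the hunk header "@@ -56,7 +56,7 @@" is unchanged, so the reviewer has to trust that the surrounding patch still applies without fuzz. Since this turns on hand-written assembly that the stable build previously did not use, a note that the package built and passed its test suite on s390x would be the evidence to attach to the request.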
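Review bot: In the Fix-name-length-limit-check.patch hunk the explicit ASN1_R_TOO_LONG error is replaced by "if (len > X509_NAME_MAX) len = X509_NAME_MAX;", so an over-long Name is now detected only if the ASN1_item_ex_d2i() call that the commit message refers to actually receives the clamped len; that call is outside the shown context, so confirm that nothing between this point and the call (or the length handed back to the caller) still relies on the original len. The failure also now surfaces as whatever the inner decoder reports rather than ASN1_R_TOO_LONG, which is worth a sentence in the changelog for anyone matching on that error code.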
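The Fix-name-length-limit-check.patch above changes what the cap in x509_name_ex_d2i() is compared against. The program below is an added example written for this thread, not OpenSSL or Debian code: a toy DER SEQUENCE decoder with the pre-patch check (cap compared against the length of the whole remaining structure) beside the post-patch clamp (inner decoder fails only when the Name itself exceeds the cap). NAME_MAX_BYTES, der_seq_header, decode_name_item, name_d2i_old, name_d2i_new and the sample buffers are constructed for the example; OpenSSL's X509_NAME_MAX and ASN1_item_ex_d2i() are mirrored, not called.

```c
#include <stdio.h>

/* Toy model of the x509_name_ex_d2i() length check (added example, not
 * OpenSSL code). NAME_MAX_BYTES stands in for X509_NAME_MAX and is kept
 * small so the constructed inputs stay short. */
#define NAME_MAX_BYTES 16

/* Parse a DER SEQUENCE header at p (short form, or long form with up to two
 * length bytes). Stores the content length and returns the header size, or
 * -1 if the bytes are not a SEQUENCE header that fits in len. */
static long der_seq_header(const unsigned char *p, long len, long *content_len)
{
    if (len < 2 || p[0] != 0x30)
        return -1;
    if (p[1] < 0x80) {                 /* short form: one length byte */
        *content_len = p[1];
        return 2;
    }
    int n = p[1] & 0x7f;               /* long form: n length bytes follow */
    if (n == 0 || n > 2 || len < 2 + n)
        return -1;
    long l = 0;
    for (int i = 0; i < n; i++)
        l = (l << 8) | p[2 + i];
    *content_len = l;
    return 2 + n;
}

/* Inner decoder, standing in for ASN1_item_ex_d2i(): succeeds only when the
 * whole SEQUENCE (header plus content) fits in the limit it was given. */
static int decode_name_item(const unsigned char *p, long limit)
{
    long content;
    long hdr = der_seq_header(p, limit, &content);
    if (hdr < 0)
        return 0;
    return hdr + content <= limit;
}

/* Pre-patch behaviour: len is the remaining length of the *containing*
 * structure, so a small Name inside a large CRL trips the cap. */
static int name_d2i_old(const unsigned char *p, long len)
{
    if (len > NAME_MAX_BYTES)
        return 0;                      /* ASN1_R_TOO_LONG in the real code */
    return decode_name_item(p, len);
}

/* Post-patch behaviour: clamp what the inner decoder may consume, so only a
 * Name that itself exceeds the cap fails. */
static int name_d2i_new(const unsigned char *p, long len)
{
    if (len > NAME_MAX_BYTES)
        len = NAME_MAX_BYTES;
    return decode_name_item(p, len);
}

/* Constructed inputs (the bytes inside the Name are not inspected):
 *  - a 6-byte Name followed by 60 bytes belonging to the rest of a CRL,
 *  - a 16-byte Name (exactly at the cap) followed by 24 bytes of CRL,
 *  - a 17-byte Name (one over the cap) followed by 23 bytes of CRL,
 *  - a 32-byte Name on its own. */
static const unsigned char small_name_in_big_crl[66] = { 0x30, 0x04, 0x31, 0x02, 0x05, 0x00 };
static const unsigned char cap_name_in_crl[40]       = { 0x30, 0x0e };
static const unsigned char over_cap_name_in_crl[40]  = { 0x30, 0x0f };
static const unsigned char oversized_name[32]        = { 0x30, 0x1e };

/* Returns 1 when the two versions behave as the upstream commit message
 * describes: old rejects the big CRL, new accepts it, both reject a Name
 * that is itself over the cap. */
int matches_commit_message(void)
{
    long big = sizeof small_name_in_big_crl, over = sizeof oversized_name;
    return !name_d2i_old(small_name_in_big_crl, big)
        && name_d2i_new(small_name_in_big_crl, big)
        && !name_d2i_old(oversized_name, over)
        && !name_d2i_new(oversized_name, over);
}

int main(void)
{
    printf("old/new on 6-byte Name in 66-byte CRL: %d/%d\n",
           name_d2i_old(small_name_in_big_crl, sizeof small_name_in_big_crl),
           name_d2i_new(small_name_in_big_crl, sizeof small_name_in_big_crl));
    printf("new on 16-byte / 17-byte Name in 40-byte CRL: %d/%d\n",
           name_d2i_new(cap_name_in_crl, sizeof cap_name_in_crl),
           name_d2i_new(over_cap_name_in_crl, sizeof over_cap_name_in_crl));
    printf("old/new on 32-byte Name alone: %d/%d\n",
           name_d2i_old(oversized_name, sizeof oversized_name),
           name_d2i_new(oversized_name, sizeof oversized_name));
    return matches_commit_message() ? 0 : 1;
}
```

The pattern to take away is which length a bounds check is applied to: a cap meant for one element must be compared against that element's own encoded length (or enforced by the element's decoder), not against the number of bytes left in the enclosing buffer, otherwise valid inputs that merely sit inside a large container are rejected.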
Bug#827054: jessie-pu: package openssl/1.0.1t-1+deb8u3
I guess I should just keep the SSLv2 symbols.

I assume you don't have a problem with the other change?

Kurt
Bug#827054: jessie-pu: package openssl/1.0.1t-1+deb8u3
On Mon, Jun 13, 2016 at 10:19:29AM +0200, Julien Cristau wrote:
> On Mon, Jun 13, 2016 at 00:50:05 +0200, Kurt Roeckx wrote:
> 
> > I should probably add that I don't intend to fix this in
> > testing/unstable. There are probably reverse dependencies that
> > saw those symbols are available and then started using them again,
> > and so it would break things. But I'm going to change to the 1.1
> 
> Doesn't the same reasoning apply to stable?

There currently shouldn't be reverse dependencies that saw the defines so it could pick up the symbols, but the longer it stays like this the more likely some upload will see it and use it.

> Why was this not caught when updating the libssl1.0.2.symbols file for
> the new release?

The .symbols file just looks like:

libcrypto.so.1.0.2 libssl1.0.2 #MINVER#
 *@OPENSSL_1.0.2d 1.0.2d
 *@OPENSSL_1.0.2g 1.0.2g
libssl.so.1.0.2 libssl1.0.2 #MINVER#
 *@OPENSSL_1.0.2d 1.0.2d
 *@OPENSSL_1.0.2g 1.0.2g

And the symbols already "existed", they were just not exported.

> > soname soon anyway, and it'll get fixed at that point. Also, the
> > symbols are available but if you try to use them it's not going to
> > do anything useful.
> > 
> > But I'd like to remove them in stable again, since nothing there
> > should use it now, and it broke something.
> > 
> Can you be more specific than "broke something"?

https://github.com/openssl/openssl/issues/1190

But I guess that will solve itself.

Kurt
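The wildcard entries shown above (`*@OPENSSL_1.0.2d 1.0.2d`) accept every symbol in that version node, so dpkg-gensymbols has nothing to compare against when a build starts exporting functions it did not export before. A check that does notice it is a plain diff of the exported-symbol lists of the old and new builds. The script below is an added example for this thread, not Debian or OpenSSL tooling; OLD_SYMS and NEW_SYMS are constructed stand-ins for `nm -D` output, and symbol_names, new_exports and gate are names chosen for the example.

```shell
#!/bin/sh
# Added example for this thread (not Debian or OpenSSL tooling): compare the
# dynamic symbol tables of two builds and list what the new one exports that
# the old one did not. A wildcard symbols-file entry such as
# "*@OPENSSL_1.0.2d 1.0.2d" cannot flag this; a list diff can.
LC_ALL=C; export LC_ALL

# Constructed stand-ins for "nm -D libssl.so" output, trimmed to the
# relevant names. Real listings are far longer.
OLD_SYMS='0000000000041230 T SSLv23_method@@OPENSSL_1.0.0
0000000000041240 T SSLv3_method@@OPENSSL_1.0.0
0000000000041250 T TLSv1_method@@OPENSSL_1.0.0
                 U memcpy@@GLIBC_2.14'
NEW_SYMS='0000000000041230 T SSLv23_method@@OPENSSL_1.0.0
0000000000041240 T SSLv3_method@@OPENSSL_1.0.0
0000000000041250 T TLSv1_method@@OPENSSL_1.0.0
0000000000041260 T SSLv2_method@@OPENSSL_1.0.0
0000000000041270 T SSLv2_client_method@@OPENSSL_1.0.0
0000000000041280 T SSLv2_server_method@@OPENSSL_1.0.0
                 U memcpy@@GLIBC_2.14'

# symbol_names LISTING: print "name@version" for each defined code symbol
# (T = global text, W = weak), one per line, sorted so comm(1) can use it.
# Undefined (U) references are skipped: they are imports, not exports.
symbol_names() {
    printf '%s\n' "$1" | awk '$2 ~ /^[TW]$/ { sub(/@@/, "@", $3); print $3 }' | sort
}

# new_exports OLD_LISTING NEW_LISTING: symbols defined in NEW but not in OLD.
new_exports() {
    old_f=$(mktemp); new_f=$(mktemp)
    symbol_names "$1" > "$old_f"
    symbol_names "$2" > "$new_f"
    comm -13 "$old_f" "$new_f"
    rm -f "$old_f" "$new_f"
}

# gate OLD_LISTING NEW_LISTING: succeed only when nothing new is exported;
# otherwise print the additions on stderr and fail, as a build check would.
gate() {
    added=$(new_exports "$1" "$2")
    if [ -n "$added" ]; then
        printf 'new exported symbols:\n%s\n' "$added" >&2
        return 1
    fi
    return 0
}

# Stand-alone run: the three SSLv2_* methods show up as new exports.
gate "$OLD_SYMS" "$NEW_SYMS" || echo "a wildcard symbols file would not have caught this"
```

On a real package the two listings would come from `nm -D` on the previous and the candidate `libssl.so`; running `gate` in the build gives the signal the wildcard symbols file cannot, and the same diff in reverse (new as first argument) shows symbols that disappeared, which is the ABI-reduction case a stable update also has to watch for.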
Bug#827054: jessie-pu: package openssl/1.0.1t-1+deb8u3
On Mon, Jun 13, 2016 at 00:50:05 +0200, Kurt Roeckx wrote:
> I should probably add that I don't intend to fix this in
> testing/unstable. There are probably reverse dependencies that
> saw those symbols are available and then started using them again,
> and so it would break things. But I'm going to change to the 1.1

Doesn't the same reasoning apply to stable?

Why was this not caught when updating the libssl1.0.2.symbols file for the new release?

> soname soon anyway, and it'll get fixed at that point. Also, the
> symbols are available but if you try to use them it's not going to
> do anything useful.
> 
> But I'd like to remove them in stable again, since nothing there
> should use it now, and it broke something.
> 
Can you be more specific than "broke something"?

Cheers,
Julien
Bug#827054: jessie-pu: package openssl/1.0.1t-1+deb8u3
On Sat, Jun 11, 2016 at 11:35:24PM +0200, Kurt Roeckx wrote:
> On Sat, Jun 11, 2016 at 09:57:29PM +0100, Adam D. Barratt wrote:
> > Control: tags -1 + moreinfo
> > 
> > On Sat, 2016-06-11 at 19:38 +0200, Kurt Roeckx wrote:
> > > The SSLv2 methods actually didn't exist in jessie, but some
> > > defaults were changed and the SSLv2 methods now in jessie just
> > > return NULL. This removes the symbols again. Exposing the
> > > symbols in the headers actually seems to have broken something,
> > > so this removes them again. It was actually never the intention
> > > to introduce those symbols again.
> > [...]
> > > -CONFARGS = --prefix=/usr --openssldir=/usr/lib/ssl
> > > --libdir=lib/$(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 no-zlib
> > > enable-tlsext no-ssl2 no-ssl3
> > > +CONFARGS = --prefix=/usr --openssldir=/usr/lib/ssl
> > > --libdir=lib/$(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 no-zlib
> > > enable-tlsext no-ssl2 no-ssl2-method no-ssl3
> > 
> > Does this also affect the 1.0.2 tree? The 1.0.2h package in unstable has
> > no-ssl2, no-ssl3, no-ssl3-method but not no-ssl2-method.
> 
> You're right, it has the same problem. I completely forgot that, and
> I even committed that myself.
> 
> The reason for splitting no-ssl2 into no-ssl2 and no-ssl2-method
> is that we turned no-ssl2 on by default and people were surprised
> that SSLv2_* methods actually got removed and it of course broke
> various distributions that didn't build with no-ssl2. So we
> changed the default to make those functions return NULL instead by
> default, and then remove them with no-ssl2-method.

I should probably add that I don't intend to fix this in testing/unstable. There are probably reverse dependencies that saw those symbols are available and then started using them again, and so it would break things. But I'm going to change to the 1.1 soname soon anyway, and it'll get fixed at that point. Also, the symbols are available but if you try to use them it's not going to do anything useful.

But I'd like to remove them in stable again, since nothing there should use it now, and it broke something.

Kurt
Bug#827054: jessie-pu: package openssl/1.0.1t-1+deb8u3
On Sat, Jun 11, 2016 at 09:57:29PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
> 
> On Sat, 2016-06-11 at 19:38 +0200, Kurt Roeckx wrote:
> > The SSLv2 methods actually didn't exist in jessie, but some
> > defaults were changed and the SSLv2 methods now in jessie just
> > return NULL. This removes the symbols again. Exposing the
> > symbols in the headers actually seems to have broken something,
> > so this removes them again. It was actually never the intention
> > to introduce those symbols again.
> [...]
> > -CONFARGS = --prefix=/usr --openssldir=/usr/lib/ssl
> > --libdir=lib/$(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 no-zlib
> > enable-tlsext no-ssl2 no-ssl3
> > +CONFARGS = --prefix=/usr --openssldir=/usr/lib/ssl
> > --libdir=lib/$(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 no-zlib
> > enable-tlsext no-ssl2 no-ssl2-method no-ssl3
> 
> Does this also affect the 1.0.2 tree? The 1.0.2h package in unstable has
> no-ssl2, no-ssl3, no-ssl3-method but not no-ssl2-method.

You're right, it has the same problem. I completely forgot that, and I even committed that myself.

The reason for splitting no-ssl2 into no-ssl2 and no-ssl2-method is that we turned no-ssl2 on by default and people were surprised that SSLv2_* methods actually got removed and it of course broke various distributions that didn't build with no-ssl2. So we changed the default to make those functions return NULL instead by default, and then remove them with no-ssl2-method.

Kurt
Bug#827054: jessie-pu: package openssl/1.0.1t-1+deb8u3
Control: tags -1 + moreinfo

On Sat, 2016-06-11 at 19:38 +0200, Kurt Roeckx wrote:
> The SSLv2 methods actually didn't exist in jessie, but some
> defaults were changed and the SSLv2 methods now in jessie just
> return NULL. This removes the symbols again. Exposing the
> symbols in the headers actually seems to have broken something,
> so this removes them again. It was actually never the intention
> to introduce those symbols again.
[...]
> -CONFARGS = --prefix=/usr --openssldir=/usr/lib/ssl
> --libdir=lib/$(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 no-zlib
> enable-tlsext no-ssl2 no-ssl3
> +CONFARGS = --prefix=/usr --openssldir=/usr/lib/ssl
> --libdir=lib/$(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 no-zlib
> enable-tlsext no-ssl2 no-ssl2-method no-ssl3

Does this also affect the 1.0.2 tree? The 1.0.2h package in unstable has no-ssl2, no-ssl3, no-ssl3-method but not no-ssl2-method.

Regards,

Adam
Processed: Re: Bug#827054: jessie-pu: package openssl/1.0.1t-1+deb8u3
Processing control commands:

> tags -1 + moreinfo
Bug #827054 [release.debian.org] jessie-pu: package openssl/1.0.1t-1+deb8u3
Added tag(s) moreinfo.

--
827054: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=827054
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#827054: jessie-pu: package openssl/1.0.1t-1+deb8u3
Package: release.debian.org
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I'd like to update the version in stable for openssl. See the debdiff below.

The SSLv2 methods actually didn't exist in jessie, but some defaults were changed and the SSLv2 methods now in jessie just return NULL. This removes the symbols again. Exposing the symbols in the headers actually seems to have broken something, so this removes them again. It was actually never the intention to introduce those symbols again.

The other fix is a regression.

There are also some open CVEs in upstream git, but I'll wait with those until there is actually a new release.

Kurt

diff -Nru openssl-1.0.1t/debian/changelog openssl-1.0.1t/debian/changelog --- openssl-1.0.1t/debian/changelog 2016-05-15 21:16:55.0 +0200 +++ openssl-1.0.1t/debian/changelog 2016-06-11 19:20:02.0 +0200 @@ -1,3 +1,11 @@ +openssl (1.0.1t-1+deb8u3) jessie; urgency=medium + + * Disable SSLv2 methods again, changes upstream has split no-ssl2 into +no-ssl2 and no-ssl2-method + * Fix length check for CRLs. (Closes: #826552) + + -- Kurt RoeckxSat, 11 Jun 2016 19:18:11 +0200 + openssl (1.0.1t-1+deb8u2) jessie; urgency=medium * add Update-S-MIME-certificates.patch to update expired certificates to diff -Nru openssl-1.0.1t/debian/patches/Fix-name-length-limit-check.patch openssl-1.0.1t/debian/patches/Fix-name-length-limit-check.patch --- openssl-1.0.1t/debian/patches/Fix-name-length-limit-check.patch 1970-01-01 01:00:00.0 +0100 +++ openssl-1.0.1t/debian/patches/Fix-name-length-limit-check.patch 2016-06-11 19:16:05.0 +0200 
@@ -0,0 +1,40 @@ +From b583c1bd069f6928c3973dc6d6864930f6c4bb3e Mon Sep 17 00:00:00 2001 +From: "Dr. Stephen Henson" +Date: Wed, 4 May 2016 16:09:06 +0100 +Subject: [PATCH] Fix name length limit check. + +The name length limit check in x509_name_ex_d2i() includes +the containing structure as well as the actual X509_NAME. This will +cause large CRLs to be rejected. + +Fix by limiting the length passed to ASN1_item_ex_d2i() which will +then return an error if the passed X509_NAME exceeds the length. + +RT#4531 + +Reviewed-by: Rich Salz +(cherry picked from commit 4e0d184ac1dde845ba9574872e2ae5c903c81dff) +--- + crypto/asn1/x_name.c | 6 ++ + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/crypto/asn1/x_name.c b/crypto/asn1/x_name.c +index a858c29..26378fd 100644 +--- a/crypto/asn1/x_name.c b/crypto/asn1/x_name.c +@@ -199,10 +199,8 @@ static int x509_name_ex_d2i(ASN1_VALUE **val, + int i, j, ret; + STACK_OF(X509_NAME_ENTRY) *entries; + X509_NAME_ENTRY *entry; +-if (len > X509_NAME_MAX) { +-ASN1err(ASN1_F_X509_NAME_EX_D2I, ASN1_R_TOO_LONG); +-return 0; +-} ++if (len > X509_NAME_MAX) ++len = X509_NAME_MAX; + q = p; + + /* Get internal representation of Name */ +-- +2.8.1 + diff -Nru openssl-1.0.1t/debian/patches/series openssl-1.0.1t/debian/patches/series --- openssl-1.0.1t/debian/patches/series2016-05-15 21:16:55.0 +0200 +++ openssl-1.0.1t/debian/patches/series2016-06-11 19:19:06.0 +0200 @@ -20,3 +20,4 @@ openssl_fix_for_x32.patch ppc64el.patch Update-S-MIME-certificates.patch +Fix-name-length-limit-check.patch diff -Nru openssl-1.0.1t/debian/rules openssl-1.0.1t/debian/rules --- openssl-1.0.1t/debian/rules 2016-05-06 14:16:42.0 +0200 +++ openssl-1.0.1t/debian/rules 2016-06-11 19:18:36.0 +0200 
@@ -26,7 +26,7 @@ export CROSS_COMPILE ?= $(DEB_HOST_GNU_TYPE)- endif -CONFARGS = --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib/$(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 no-zlib enable-tlsext no-ssl2 no-ssl3 +CONFARGS = --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib/$(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 no-zlib enable-tlsext no-ssl2 no-ssl2-method no-ssl3 OPT_alpha = ev4 ev5 OPT_i386 = i586 i686/cmov ARCHOPTS = OPT_$(DEB_HOST_ARCH)
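Review bot: The changelog line "Disable SSLv2 methods again, changes upstream has split no-ssl2 into no-ssl2 and no-ssl2-method" does not parse; "Disable SSLv2 methods again, since upstream has split no-ssl2 into no-ssl2 and no-ssl2-method" says what is meant, and stating that the SSLv2_* symbols stop being exported would tell readers of the changelog that this is an ABI change rather than a configuration tweak.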
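Review bot: Adding no-ssl2-method to CONFARGS in the debian/rules hunk drops the SSLv2_* method symbols that the previous jessie build (deb8u2) exported, which is an ABI reduction inside a stable point release, and the debdiff touches no symbols file; either the package has none for libssl, or it needs updating in the same upload, and as the thread itself notes any reverse dependency that picked those symbols up since deb8u2 would break. The later decision in this thread to keep the symbols and drop this hunk avoids the problem.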