[Frugalware-git] frugalware-current: openssl-1.0.1-5-x86_64 * fix fblint errors

2014-03-22 Thread James Buren
Git-Url: 
http://git.frugalware.org/gitweb/gitweb.cgi?p=frugalware-current.git;a=commitdiff;h=f8af957b1a52c3ad8eaeb87bdcbe2bbe21412660

commit f8af957b1a52c3ad8eaeb87bdcbe2bbe21412660
Author: James Buren r...@frugalware.org
Date:   Sat Mar 22 05:34:36 2014 -0500

openssl-1.0.1-5-x86_64
* fix fblint errors

diff --git a/source/base/openssl/FrugalBuild b/source/base/openssl/FrugalBuild
index b70d848..3579ac3 100644
--- a/source/base/openssl/FrugalBuild
+++ b/source/base/openssl/FrugalBuild
@@ -18,8 +18,8 @@ source=($url$pkgname-$pkgver$pkgextraver.tar.gz \
signatures=($source.asc '' '')

# FSA fix ***
-source=(${source[@]} CVE-2013-4353.patch CVE-2013-6449.patch 
CVE-2013-6450.patch)
-signatures=(${signatures[@]} '' '' '')
+source=(${source[@]} CVE-2013-4353.patch CVE-2013-6449.patch 
CVE-2013-6450.patch)
+signatures=(${signatures[@]} '' '' '')
# ***

build()


[Frugalware-git] frugalware-current: openssl-1.0.1-5-x86_64

2014-01-12 Thread kikadf
Git-Url: 
http://git.frugalware.org/gitweb/gitweb.cgi?p=frugalware-current.git;a=commitdiff;h=383aabd1ca28d9e080eaf41589da83fd9c801249

commit 383aabd1ca28d9e080eaf41589da83fd9c801249
Author: kikadf kikadf...@gmail.com
Date:   Sun Jan 12 10:17:44 2014 +0100

openssl-1.0.1-5-x86_64

* Fix CVE-2013-4353
* Fix CVE-2013-6449
* Fix CVE-2013-6450

diff --git a/source/base/openssl/CVE-2013-4353.patch 
b/source/base/openssl/CVE-2013-4353.patch
new file mode 100644
index 000..139b68f
--- /dev/null
+++ b/source/base/openssl/CVE-2013-4353.patch
@@ -0,0 +1,25 @@
+From: Dr. Stephen Henson st...@openssl.org
+Date: Mon, 6 Jan 2014 14:35:04 +
+Subject: [PATCH] Fix for TLS record tampering bug CVE-2013-4353
+Origin: upstream, commit:197e0ea817ad64820789d86711d55ff50d71f631
+
+diff --git a/ssl/s3_both.c b/ssl/s3_both.c
+index 1e5dcab..53b9390 100644
+--- a/ssl/s3_both.c
 b/ssl/s3_both.c
+@@ -210,7 +210,11 @@ static void ssl3_take_mac(SSL *s)
+   {
+   const char *sender;
+   int slen;
+-
++  /* If no new cipher setup return immediately: other functions will
++   * set the appropriate error.
++   */
++  if (s-s3-tmp.new_cipher == NULL)
++  return;
+   if (s-state  SSL_ST_CONNECT)
+   {
+   sender=s-method-ssl3_enc-server_finished_label;
+--
+1.8.5.2
+
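Review bot: This patch was generated on top of the CVE-2013-6449 fix, but the FrugalBuild lists it before that fix. Its `index 1e5dcab..53b9390` pre-image for ssl/s3_both.c is the post-image of CVE-2013-6449.patch (`ead01c8..1e5dcab`), while the `source=` line visible in the 2014-03-22 commit on this page names CVE-2013-4353.patch first. If the build applies patches in listed order (not shown here), the hunk at `@@ -210,7 +210,11 @@` can only land with a line offset, because the two lines the 6449 patch adds earlier in the file are not there yet. That probably works since the two hunks touch different functions, but it relies on patch tolerance for a security fix. Listing them in generation order would make the series apply exactly: `source=(${source[@]} CVE-2013-6449.patch CVE-2013-4353.patch CVE-2013-6450.patch)`. The body of ssl3_take_mac continues outside the quoted context.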
diff --git a/source/base/openssl/CVE-2013-6449.patch 
b/source/base/openssl/CVE-2013-6449.patch
new file mode 100644
index 000..eba717a
--- /dev/null
+++ b/source/base/openssl/CVE-2013-6449.patch
@@ -0,0 +1,83 @@
+Author: Dr. Stephen Henson st...@openssl.org
+Date:   Thu Dec 19 14:37:39 2013 +
+Subject: Fix CVE-2013-6449
+
+This is a combination of upstream commits:
+0294b2be5f4c11e60620c0018674ff0e17b14238
+ca989269a2876bae79393bd54c3e72d49975fc75
+
+diff --git a/ssl/s3_both.c b/ssl/s3_both.c
+index ead01c8..1e5dcab 100644
+--- a/ssl/s3_both.c
 b/ssl/s3_both.c
+@@ -161,6 +161,8 @@ int ssl3_send_finished(SSL *s, int a, int b, const char 
*sender, int slen)
+
+   i=s-method-ssl3_enc-final_finish_mac(s,
+   sender,slen,s-s3-tmp.finish_md);
++  if (i == 0)
++  return 0;
+   s-s3-tmp.finish_md_len = i;
+   memcpy(p, s-s3-tmp.finish_md, i);
+   p+=i;
+diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
+index 804291e..c4bc4e7 100644
+--- a/ssl/s3_pkt.c
 b/ssl/s3_pkt.c
+@@ -1459,8 +1459,14 @@ int ssl3_do_change_cipher_spec(SSL *s)
+   slen=s-method-ssl3_enc-client_finished_label_len;
+   }
+
+-  s-s3-tmp.peer_finish_md_len = s-method-ssl3_enc-final_finish_mac(s,
++  i = s-method-ssl3_enc-final_finish_mac(s,
+   sender,slen,s-s3-tmp.peer_finish_md);
++  if (i == 0)
++  {
++  SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR);
++  return 0;
++  }
++  s-s3-tmp.peer_finish_md_len = i;
+
+   return(1);
+   }
+diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
+index 809ad2e..72015f5 100644
+--- a/ssl/t1_enc.c
 b/ssl/t1_enc.c
+@@ -915,18 +915,19 @@ int tls1_final_finish_mac(SSL *s,
+   if (mask  ssl_get_algorithm2(s))
+   {
+   int hashsize = EVP_MD_size(md);
+-  if (hashsize  0 || hashsize  (int)(sizeof buf - 
(size_t)(q-buf)))
++  EVP_MD_CTX *hdgst = s-s3-handshake_dgst[idx];
++  if (!hdgst || hashsize  0 || hashsize  (int)(sizeof 
buf - (size_t)(q-buf)))
+   {
+   /* internal error: 'buf' is too small for this 
cipersuite! */
+   err = 1;
+   }
+   else
+   {
+-  
EVP_MD_CTX_copy_ex(ctx,s-s3-handshake_dgst[idx]);
+-  EVP_DigestFinal_ex(ctx,q,i);
+-  if (i != (unsigned int)hashsize) /* can't 
really happen */
++  if (!EVP_MD_CTX_copy_ex(ctx, hdgst) ||
++  !EVP_DigestFinal_ex(ctx,q,i) ||
++  (i != (unsigned int)hashsize))
+   err = 1;
+-  q+=i;
++  q+=hashsize;
+   }
+   }
+   }
+diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
+index bf832bb..c4ef273 100644
+--- a/ssl/s3_lib.c
 b/ssl/s3_lib.c
+@@ -4286,7 +4286,7 @@ need to go to SSL_ST_ACCEPT.
+ long ssl_get_algorithm2(SSL *s)
+   {
+   long alg2 = s-s3-tmp.new_cipher-algorithm2;
+-  if (TLS1_get_version(s) = TLS1_2_VERSION 
++  if (s-method-version == TLS1_2_VERSION 
+   alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF))
+   return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256;
+   return alg2;
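Review bot: The last hunk of this embedded patch leaves ssl_get_algorithm2 reading `new_cipher` on its first line with no NULL check. tls1_final_finish_mac calls that function before the new `hdgst` and return-value checks run, so the hardening added here only takes effect once a cipher has been set up. On this page the guard for the not-yet-negotiated case comes from CVE-2013-4353.patch, through its early return in ssl3_take_mac, so the two patches work as a pair rather than as independent fixes. I would record that in this patch's header, for example `Companion: CVE-2013-4353.patch guards the NULL new_cipher case in ssl3_take_mac`, so a later rebase or version bump does not drop one without the other. The function bodies continue outside the quoted context, so other callers of ssl_get_algorithm2 cannot be checked from here.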
diff --git