[openssl.org #2199] patch: mark assembler as non-exec-stack

Hi, Type: patch We use the following patch on openSUSE to make sure that openssl uses non-executable stack by marking the assembler code as not requiring x-stack. Ciao, Marcus --- crypto/perlasm/x86unix.pl +++ crypto/perlasm/x86unix.pl @@ -586,6 +586,7 @@ push(@out,$const); $const=; }

[openssl.org #2200] patch: fixed a crash with openssl req

Our QA found a scenario where openssl req is crashing, this is tracked in https://bugzilla.novell.com/show_bug.cgi?id=430141 It seems a non-asn1 converted string is passed into ASN1_TYPE_set1. We applied the patch attached. Ciao, Marcus Index: openssl-0.9.8h/crypto/x509/x509_att.c

[openssl.org #2526] bad sequence in OCSP_parse_url

OCSP_parse_url has a bad sequence of initializing the parameter returns and buf strdupping + error handling. If the first error handling triggers, it will access the 3 argument pointers uninitialized memory. (the goto mem_err; patch will free **pport et.al.) found by Coverity scanner. Ciao,

[openssl.org #2527] doublefree in apps/asn1parse.c

Hi, NCONF_free(cnf) is again called later when errors are handled, which would lead to double free of cnf. Spotted by Coverity checker. Ciao, Marcus --- apps/asn1pars.c.xx 2011-05-18 14:40:29.0 +0200 +++ apps/asn1pars.c 2011-05-18 14:40:43.0 +0200 @@ -408,6 +408,7 @@

[openssl.org #2528] setup_engine curious return value

HI, apps/engine.c, function setup_engine() It has return e; on success, but the code has: /* Free our structural reference. */ ENGINE_free(e); } return e; ENGINE_free(e) makes e invalid, so returning it is very dangerous. The return

[openssl.org #2529] potential bug in ssl/bio_ssl.c::ssl_ctrl BIO_C_SET_SSL

Hi, Coverity thinks that in this sequence b-ptr is used after free and I have to agree: case BIO_C_SET_SSL: if (ssl != NULL) ssl_free(b);// MARCUS: frees also b-ptr b-shutdown=(int)num; ssl=(SSL *)ptr;

[openssl.org #2530] crypto/dsa/dsa_gen.c::dsa_builtin_paramgen has potential uninitialized seed

Hi, (I am not fully sure I understand it right.) Coverity thinks dsa_builtin_paramgen() can use portions of seed uninitialized and I can agree. If seed_len is 0 but qsize, the memcpy(seed,seed_in,seed_len) does not trigger, but seed is used, being a uninitialized stack variable. This would

[openssl.org #2531] small memory leak in t1_lib

Hi, probably not triggers in real life conditions. also spotted by Coverity, untested. --- ssl/t1_lib.c.xx 2011-05-18 15:50:08.0 + +++ ssl/t1_lib.c2011-05-18 15:50:22.0 + @@ -1714,8 +1714,10 @@ return -1; }

[openssl.org #3336] 1.0.1g breaks IronPORT SMTP appliance (padding extension)

Hi, SUSE has received a bugreport from a user, that the padding extension change breaks IronPort SMTP appliances. There might a RT on this already, not sure. https://bugzilla.novell.com/show_bug.cgi?id=875639

Re: [openssl.org #3402] spurios change in perl NET_SSLeay module

On Thu, Jun 12, 2014 at 07:11:24PM +0200, Stephen Henson via RT wrote: On Thu Jun 12 18:16:55 2014, meiss...@suse.de wrote: Hi, The Net-SSLeay perl module failed its testsuite after 1.0.1g - 1.0.1h update. The code looks like this: ... create more X509 certificate stuff ...

[openssl-dev] [openssl.org #3927] regression in 1.0.2c spotted by Net-SSLeay

Hi, I am debugging a testsuite error in the perl Net-SSLeay module, which got introduced between 1.0.2a and 1.0.2c. The test code looks like this: ... private key in $pk ... ok(my $alg2 = Net::SSLeay::EVP_get_cipherbyname(DES-EDE3-OFB), EVP_get_cipherbyname); like(my $key_pem4 =

[openssl-dev] [openssl.org #4132] test/dsatest.c wrong argument to BIO_printf

Hi, apply this patch ... commit c01f7e9e233e5e5dabd1ec01eb17198b0798e092 Author: Marcus Meissner Date: Tue Nov 10 16:24:51 2015 +0100 fixed wrong argument to BIO_printf diff --git a/test/dsatest.c b/test/dsatest.c index 1f4b837..fe25352 100644 --- a/test/dsatest.c

[openssl-dev] [openssl.org #4140] GITHUB PULL REQUEST: do not load engines twice

Hi, https://github.com/openssl/openssl/pull/466 If you try to run OPENSSL_config twice, it will fail on loading engines. (We encountered this case with ruby and libzypp both running OPENSSL_config in the same process.) Ciao, Marcus -- Marcus Meissner,SUSE LINUX GmbH; Maxfeldstrasse 5; D-90409

[openssl-dev] [openssl.org #4121] avoid configuring openssl twice

Hi, In a mix of various libraries using openssl it can happen that OPENSSL_config is called multiple times. Usually this works, but e.g. if you have engines configured, the second load of engines will not work. OPENSSL_config checks openssl_configured on begin, but does not set it when done.