packages: openssl/openssl.spec, openssl/openssl-CVE-2009-1377-1378-1379.pat...

arekm arekm at pld-linux.org
Tue Jul 28 17:45:00 CEST 2009


Author: arekm                        Date: Tue Jul 28 15:45:00 2009 GMT
Module: packages                      Tag: HEAD
---- Log message:
- rel 2; fixes CVE-2009-1377 CVE-2009-1378 CVE-2009-1379; enable tlsext and rfc3779

---- Files affected:
packages/openssl:
   openssl.spec (1.204 -> 1.205) , openssl-CVE-2009-1377-1378-1379.patch (NONE -> 1.1)  (NEW)

---- Diffs:

================================================================
Index: packages/openssl/openssl.spec
diff -u packages/openssl/openssl.spec:1.204 packages/openssl/openssl.spec:1.205
--- packages/openssl/openssl.spec:1.204	Tue Jul 28 16:08:06 2009
+++ packages/openssl/openssl.spec	Tue Jul 28 17:44:54 2009
@@ -16,7 +16,7 @@
 Summary(uk.UTF-8):	Бібліотеки та утиліти для з'єднань через Secure Sockets Layer
 Name:		openssl
 Version:	0.9.8k
-Release:	1
+Release:	2
 License:	Apache-like
 Group:		Libraries
 Source0:	ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz
@@ -33,13 +33,8 @@
 Patch6:		%{name}-asflag.patch
 Patch7:		%{name}-ca-certificates.patch
 Patch8:		%{name}-fips_install.patch
+Patch9:		%{name}-CVE-2009-1377-1378-1379.patch
 URL:		http://www.openssl.org/
-# problem with =< 1.0.0beta2
-# Fixes should be in sourcecode
-BuildRequires:	security(CVE-2009-1377)
-BuildRequires:	security(CVE-2009-1378)
-BuildRequires:	security(CVE-2009-1379)
-##
 BuildRequires:	bc
 BuildRequires:	perl-devel >= 1:5.6.1
 BuildRequires:	rpm-perlprov >= 4.1-13
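Review bot: `Patch9` is added with no comment on where the patch comes from, although it replaces the three `BuildRequires: security(CVE-...)` guards that blocked the build until the fixes were in the source. A one-line comment above it, for example `# DTLS DoS fixes (CVE-2009-1377/1378/1379); origin: <upstream commit or vendor patch URL>`, would let a later maintainer compare the patch with upstream and drop it on the next version bump. The `.dtls-dos` suffix inside the patch suggests it was taken from another source, but the page does not say which.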
@@ -208,6 +203,7 @@
 %patch6 -p1
 %patch7 -p1
 %patch8 -p0
+%patch9 -p1
 
 %{__perl} -pi -e 's#%{_prefix}/local/bin/perl#%{__perl}#g' \
 	`grep -l -r "%{_prefix}/local/bin/perl" *`
@@ -228,7 +224,13 @@
 %endif
 	--lib=%{_lib} \
 	shared threads \
-	enable-mdc2 enable-rc5 enable-tlsext \
+	enable-tlsext \
+	enable-seed \
+	enable-rfc3779 \
+	enable-cms \
+	enable-idea \
+	enable-mdc2 \
+	enable-rc5 \
 %ifarch %{ix86}
 %ifarch i386
 	386 linux-elf
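Review bot: The configure line now also turns on `enable-seed`, `enable-cms` and `enable-idea`, which the log message ("enable tlsext and rfc3779") does not mention, and `enable-tlsext` was already on the old line. Bundling newly enabled algorithms and features into the release that carries the CVE fixes makes the security update harder to audit and to back out on its own, and each option adds code paths to the shared library. I would split the feature enablement into its own revision, or at least list every added option in the changelog entry, e.g. `- rel 2; fixes CVE-2009-1377 CVE-2009-1378 CVE-2009-1379; enable seed, rfc3779, cms, idea`.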
@@ -453,6 +455,9 @@
 All persons listed below can be reached at <cvs_login>@pld-linux.org
 
 $Log$
+Revision 1.205  2009/07/28 15:44:54  arekm
+- rel 2; fixes CVE-2009-1377 CVE-2009-1378 CVE-2009-1379; enable tlsext and rfc3779
+
 Revision 1.204  2009/07/28 14:08:06  arekm
 - enable tlsext
 

================================================================
Index: packages/openssl/openssl-CVE-2009-1377-1378-1379.patch
diff -u /dev/null packages/openssl/openssl-CVE-2009-1377-1378-1379.patch:1.1
--- /dev/null	Tue Jul 28 17:45:00 2009
+++ packages/openssl/openssl-CVE-2009-1377-1378-1379.patch	Tue Jul 28 17:44:54 2009
@@ -0,0 +1,83 @@
+diff -up openssl-0.9.8k/crypto/pqueue/pqueue.c.dtls-dos openssl-0.9.8k/crypto/pqueue/pqueue.c
+--- openssl-0.9.8k/crypto/pqueue/pqueue.c.dtls-dos	2005-06-28 14:53:33.000000000 +0200
++++ openssl-0.9.8k/crypto/pqueue/pqueue.c	2009-05-21 18:26:29.000000000 +0200
+@@ -234,3 +234,17 @@ pqueue_next(pitem **item)
+ 
+ 	return ret;
+ 	}
++
++int
++pqueue_size(pqueue_s *pq)
++{
++	pitem *item = pq->items;
++	int count = 0;
++	
++	while(item != NULL)
++	{
++		count++;
++		item = item->next;
++	}
++	return count;
++}
+diff -up openssl-0.9.8k/crypto/pqueue/pqueue.h.dtls-dos openssl-0.9.8k/crypto/pqueue/pqueue.h
+--- openssl-0.9.8k/crypto/pqueue/pqueue.h.dtls-dos	2009-04-21 11:43:58.000000000 +0200
++++ openssl-0.9.8k/crypto/pqueue/pqueue.h	2009-05-21 18:26:29.000000000 +0200
+@@ -91,5 +91,6 @@ pitem *pqueue_iterator(pqueue pq);
+ pitem *pqueue_next(piterator *iter);
+ 
+ void   pqueue_print(pqueue pq);
++int    pqueue_size(pqueue pq);
+ 
+ #endif /* ! HEADER_PQUEUE_H */
+diff -up openssl-0.9.8k/ssl/d1_both.c.dtls-dos openssl-0.9.8k/ssl/d1_both.c
+--- openssl-0.9.8k/ssl/d1_both.c.dtls-dos	2007-10-17 23:17:49.000000000 +0200
++++ openssl-0.9.8k/ssl/d1_both.c	2009-05-21 18:26:29.000000000 +0200
+@@ -519,6 +519,7 @@ dtls1_retrieve_buffered_fragment(SSL *s,
+ 
+ 	if ( s->d1->handshake_read_seq == frag->msg_header.seq)
+ 		{
++		unsigned long frag_len = frag->msg_header.frag_len;
+ 		pqueue_pop(s->d1->buffered_messages);
+ 
+ 		al=dtls1_preprocess_fragment(s,&frag->msg_header,max);
+@@ -536,7 +537,7 @@ dtls1_retrieve_buffered_fragment(SSL *s,
+ 		if (al==0)
+ 			{
+ 			*ok = 1;
+-			return frag->msg_header.frag_len;
++			return frag_len;
+ 			}
+ 
+ 		ssl3_send_alert(s,SSL3_AL_FATAL,al);
+@@ -561,7 +562,16 @@ dtls1_process_out_of_seq_message(SSL *s,
+ 	if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len)
+ 		goto err;
+ 
+-	if (msg_hdr->seq <= s->d1->handshake_read_seq)
++	/* Try to find item in queue, to prevent duplicate entries */
++	pq_64bit_init(&seq64);
++	pq_64bit_assign_word(&seq64, msg_hdr->seq);
++	item = pqueue_find(s->d1->buffered_messages, seq64);
++	pq_64bit_free(&seq64);
++	
++	/* Discard the message if sequence number was already there, is
++	 * too far in the future or the fragment is already in the queue */
++	if (msg_hdr->seq <= s->d1->handshake_read_seq ||
++		msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL)
+ 		{
+ 		unsigned char devnull [256];
+ 
+diff -up openssl-0.9.8k/ssl/d1_pkt.c.dtls-dos openssl-0.9.8k/ssl/d1_pkt.c
+--- openssl-0.9.8k/ssl/d1_pkt.c.dtls-dos	2009-04-21 11:44:02.000000000 +0200
++++ openssl-0.9.8k/ssl/d1_pkt.c	2009-05-21 18:26:29.000000000 +0200
+@@ -167,6 +167,10 @@ dtls1_buffer_record(SSL *s, record_pqueu
+     DTLS1_RECORD_DATA *rdata;
+ 	pitem *item;
+ 
++	/* Limit the size of the queue to prevent DOS attacks */
++	if (pqueue_size(queue->q) >= 100)
++		return 0;
++		
+ 	rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
+ 	item = pitem_new(priority, rdata);
+ 	if (rdata == NULL || item == NULL)
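Review bot: The two limits that carry the DoS fix are bare literals, `handshake_read_seq + 10` in dtls1_process_out_of_seq_message and `pqueue_size(queue->q) >= 100` in dtls1_buffer_record, with nothing saying how they were chosen. Named constants would make them reviewable, e.g. `#define DTLS1_MAX_BUFFERED_RECORDS 100` and `#define DTLS1_MAX_FUTURE_HS_SEQ 10` (names constructed here); the cap also bounds the cost of pqueue_size(), which walks the whole list on every buffered record. In dtls1_retrieve_buffered_fragment a short comment such as `/* frag may be freed below; keep the length for the return value */` would explain why `frag_len` is copied, and in dtls1_buffer_record the full-queue `return 0` looks the same to a caller as the allocation failure below it. All three functions start and end outside their hunks, so the declarations of `seq64` and `item` and the callers' handling of the return value cannot be checked here.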
================================================================

---- CVS-web:
    http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/openssl/openssl.spec?r1=1.204&r2=1.205&f=u


