[packages/openssl] Up to 3.0.2; SECURITY (remote DOS - infinite loop in client/server - CVE-2022-0778).

Tue Mar 15 20:35:30 CET 2022

commit 45597d6827270ce319c03865b3c867f11a665648
Author: Arkadiusz Miśkiewicz <arekm at maven.pl>
Date:   Tue Mar 15 20:32:25 2022 +0100

    Up to 3.0.2; SECURITY (remote DOS - infinite loop in client/server - CVE-2022-0778).

 bug-15465.patch | 47 -----------------------------------------------
 openssl.spec    |  8 +++-----
 2 files changed, 3 insertions(+), 52 deletions(-)
---

diff --git a/openssl.spec b/openssl.spec
index d2efa16..8183060 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -13,12 +13,12 @@ Summary(pt_BR.UTF-8):	Uma biblioteca C que fornece vários algoritmos e protocol
 Summary(ru.UTF-8):	Библиотеки и утилиты для соединений через Secure Sockets Layer
 Summary(uk.UTF-8):	Бібліотеки та утиліти для з'єднань через Secure Sockets Layer
 Name:		openssl
-Version:	3.0.1
-Release:	2
+Version:	3.0.2
+Release:	1
 License:	Apache v2.0
 Group:		Libraries
 Source0:	https://www.openssl.org/source/%{name}-%{version}.tar.gz
-# Source0-md5:	7d07e849d77d276891edd579a8832bb3
+# Source0-md5:	7f9d43bb7a1e742722cf6d6f40531462
 Source2:	%{name}.1.pl
 Source3:	%{name}-ssl-certificate.sh
 Source4:	%{name}-c_rehash.sh
@@ -27,7 +27,6 @@ Patch1:		%{name}-ca-certificates.patch
 Patch2:		%{name}-find.patch
 Patch3:		pic.patch
 Patch4:		engines-dir.patch
-Patch5:		bug-15465.patch
 URL:		http://www.openssl.org/
 %ifarch %{arm} ppc mips sparc sparcv9
 BuildRequires:	libatomic-devel
@@ -212,7 +211,6 @@ RC4, RSA и SSL. Включает статические библиотеки д
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
-%patch5 -p1
 
 # fails with enable-sctp as of 1.1.1
 %{__rm} test/recipes/80-test_ssl_new.t
diff --git a/bug-15465.patch b/bug-15465.patch
deleted file mode 100644
index de318e6..0000000
--- a/bug-15465.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 517a7737dccb9837b4d9d751e64ae7b60948ef2e Mon Sep 17 00:00:00 2001
-From: Tomas Mraz <tomas at openssl.org>
-Date: Wed, 2 Feb 2022 17:47:26 +0100
-Subject: [PATCH] Replace size check with more meaningful pubkey check
-
-It does not make sense to check the size because this
-function can be used in other contexts than in TLS-1.3 and
-the value might not be padded to the size of p.
-
-However it makes sense to do the partial pubkey check because
-there is no valid reason having the pubkey value outside the
-1 < pubkey < p-1 bounds.
-
-Fixes #15465
----
- crypto/dh/dh_key.c | 11 ++++-------
- 1 file changed, 4 insertions(+), 7 deletions(-)
-
-diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
-index 6b8cd550f25f..c78ed618bf83 100644
---- a/crypto/dh/dh_key.c
-+++ b/crypto/dh/dh_key.c
-@@ -375,20 +375,17 @@ int ossl_dh_buf2key(DH *dh, const unsigned char *buf, size_t len)
-     int err_reason = DH_R_BN_ERROR;
-     BIGNUM *pubkey = NULL;
-     const BIGNUM *p;
--    size_t p_size;
-+    int ret;
- 
-     if ((pubkey = BN_bin2bn(buf, len, NULL)) == NULL)
-         goto err;
-     DH_get0_pqg(dh, &p, NULL, NULL);
--    if (p == NULL || (p_size = BN_num_bytes(p)) == 0) {
-+    if (p == NULL || BN_num_bytes(p) == 0) {
-         err_reason = DH_R_NO_PARAMETERS_SET;
-         goto err;
-     }
--    /*
--     * As per Section 4.2.8.1 of RFC 8446 fail if DHE's
--     * public key is of size not equal to size of p
--     */
--    if (BN_is_zero(pubkey) || p_size != len) {
-+    /* Prevent small subgroup attacks per RFC 8446 Section 4.2.8.1 */
-+    if (!ossl_dh_check_pub_key_partial(dh, pubkey, &ret)) {
-         err_reason = DH_R_INVALID_PUBKEY;
-         goto err;
-     }
================================================================

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/packages/openssl.git/commitdiff/45597d6827270ce319c03865b3c867f11a665648

