authorWilliam Pitcock <nenolod@dereferenced.org>2014-04-09 11:46:48 +0000
committerWilliam Pitcock <nenolod@dereferenced.org>2014-04-09 12:22:52 +0000
commitffb07fe039a3036b257ef49628bdc26bdbcc2615 (patch)
treef6282cc4ad113f95c94197d307dedc439ec40231
parenta5331f1a7940d6c59c117ae82b23eb69f2792a75 (diff)
downloadaports-ffb07fe039a3036b257ef49628bdc26bdbcc2615.tar.bz2
aports-ffb07fe039a3036b257ef49628bdc26bdbcc2615.tar.xz
main/openssl: disable free(2) caching in ssl code
This code is dubious at best and also responsible for the heartbleed vulnerability being exposed in the first place. With the heartbleed test on a broken version, this results in a daemon crash instead of private key exposure. We add dummy padding to preserve ABI compatibility with older packages.
-rw-r--r--main/openssl/APKBUILD13
-rw-r--r--main/openssl/abi-compat-no-freelists.patch13
2 files changed, 22 insertions, 4 deletions
diff --git a/main/openssl/APKBUILD b/main/openssl/APKBUILD
index 0c586673a9..b9199fa04e 100644
--- a/main/openssl/APKBUILD
+++ b/main/openssl/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Timo Teras <timo.teras@iki.fi>
pkgname=openssl
pkgver=1.0.1g
-pkgrel=0
+pkgrel=1
pkgdesc="Toolkit for SSL v2/v3 and TLS v1"
url="http://openssl.org"
depends=
@@ -27,6 +27,7 @@ source="http://www.openssl.org/source/${pkgname}-${pkgver}.tar.gz
fix-default-apps-capath.patch
c_rehash.c
openssl-1.0.1-parallel-build.patch
+ abi-compat-no-freelists.patch
"
_builddir="$srcdir"/$pkgname-$pkgver
@@ -83,6 +84,7 @@ build() {
--libdir=lib \
--openssldir=/etc/ssl \
shared zlib enable-montasm enable-md2 \
+ -DOPENSSL_NO_BUF_FREELISTS \
-Wa,--noexecstack \
|| return 1
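Review bot: The added `-DOPENSSL_NO_BUF_FREELISTS` has no comment tying it to `abi-compat-no-freelists.patch`, yet the two only work as a pair. The define is passed on the configure line here, so it presumably reaches the library build but not programs that later include the installed `ssl.h`. Without the padding patch those programs would then assume a different struct layout than the library uses. Since a comment cannot sit inside the backslash-continued command, put one above the configure call, e.g. `# OPENSSL_NO_BUF_FREELISTS is hardening only; keep it paired with abi-compat-no-freelists.patch or the ssl.h struct layout changes`. build() starts and ends outside this hunk, and whether an over-read actually crashes rather than leaks depends on the allocator in use, so the comment should not promise more than that.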
@@ -130,7 +132,8 @@ d1f3aaad7c36590f21355682983cd14e openssl-1.0.1-version-eglibc.patch
2681796363085d01db8a81c249cd2d7b openssl-use-termios.patch
efec1bce615256961b1756e575ee1d0a fix-default-apps-capath.patch
05ad806219cef6fa5692ac727af7fab6 c_rehash.c
-60ca340e32944e4825747e3681ccd553 openssl-1.0.1-parallel-build.patch"
+60ca340e32944e4825747e3681ccd553 openssl-1.0.1-parallel-build.patch
+b7f2421187ae2b4c7e424cda2022d41d abi-compat-no-freelists.patch"
sha256sums="53cb818c3b90e507a8348f4f5eaedb05d8bfe5358aabb508b7263cc670c3e028 openssl-1.0.1g.tar.gz
fe844e21b2c42da2d8e9c89350211d70c0829f45532b89b7e492bfde589ee7ed fix-manpages.patch
82863c2fed659a7186c7f3905a1853b8bd8060350ad101ce159fa7e7d2ba27e8 openssl-bb-basename.patch
@@ -143,7 +146,8 @@ cbb2493ec9157e78035e9cc02be17655996ee9cd0a71b79507fc19f3862f452b 0003-engines-e
05266a671143cf17367dee8d409ad6d0857201392c99731d7ebb8f8cdcdc32f7 openssl-use-termios.patch
1e11d6b8cdcdd6957c69d33ab670c5918fc96c12fdb9b76b4287cb8f69c3545d fix-default-apps-capath.patch
7b0947fd09ad1e8d9cea360b883090025b40193d0fc8a631f2e3bb42db28d76b c_rehash.c
-bd56e5fe1b6fe594ab93f34d25fef0b7372633bad8532f81da998f3e6655d221 openssl-1.0.1-parallel-build.patch"
+bd56e5fe1b6fe594ab93f34d25fef0b7372633bad8532f81da998f3e6655d221 openssl-1.0.1-parallel-build.patch
+41c7c1e5bea7f7e0ccc59203a48f097948627d72fcf87f943fcfe8c14b4069a2 abi-compat-no-freelists.patch"
sha512sums="66ebbad3c8ad98a07b486d39d0c3ae62b00133f8f2877cf8b97c461e7c7f40b29cf9c3cae82cf73a92dcf1daa63d33aa76c910fbcbe60158589fc7cb48f41e6d openssl-1.0.1g.tar.gz
880411d56da49946d24328445728367e0bf13b0fd47954971514bee8cd5613a038ad8aeaf68da2c92f4634deb022febd7b3e37f9bbfc5d2c9c8b3b5ffd971407 fix-manpages.patch
6c4f4b0c1b606b3e5a8175618c4398923392f9c25ad8d3f5b65b0424fe51e104c4f456d2da590d9f572382225ab320278e88db1585790092450cad60a02819a5 openssl-bb-basename.patch
@@ -156,4 +160,5 @@ b019320869d215014ad46e0b29aa239e31243571c4d45256b3ce6449a67fdc106a381c1cf3abd55d
22261ad902ad4826db889fa0e6196b57d6cb389c1707f5827ba48a4630097e590979257f16f4a36fe611199fa33ba32d5f412c8b93beb84001865c2501b288da openssl-use-termios.patch
f2e737146a473d55b99f27457718ca299a02a0c74009026a30c3d1347c575bc264962b5708995e02ef7d68521b8366ccea7320523efb87b1ab2632d73fec5658 fix-default-apps-capath.patch
17b5ecda9c51a4a6b7a2b5fea65abc90091ae9c8d43527546148769d8fcfd87450075830b874fcff21b9ad0c31366213b4bfb8665e09cbd2559a8f3688b9aebd c_rehash.c
-7255b3315133e415631b2ecadc8f5c50a705b9db507c46efded0190363ce9eb31ffbfe01c500669c060878e5202f858b1d2475c64948426fbf70820b4c798ba1 openssl-1.0.1-parallel-build.patch"
+7255b3315133e415631b2ecadc8f5c50a705b9db507c46efded0190363ce9eb31ffbfe01c500669c060878e5202f858b1d2475c64948426fbf70820b4c798ba1 openssl-1.0.1-parallel-build.patch
+38156d183ebf80de0a39c046b1dddaf99ae64286214f3ee9de51d28212933b5f16c23908aef0aa3d71188306b064969b99da2a0a75693b6bba1bc32884c78b31 abi-compat-no-freelists.patch"
diff --git a/main/openssl/abi-compat-no-freelists.patch b/main/openssl/abi-compat-no-freelists.patch
new file mode 100644
index 0000000000..0ead14c0e7
--- /dev/null
+++ b/main/openssl/abi-compat-no-freelists.patch
@@ -0,0 +1,13 @@
+--- openssl-1.0.1g.orig/ssl/ssl.h
++++ openssl-1.0.1g/ssl/ssl.h
+@@ -959,6 +959,10 @@
+ unsigned int freelist_max_len;
+ struct ssl3_buf_freelist_st *wbuf_freelist;
+ struct ssl3_buf_freelist_st *rbuf_freelist;
++#else
++ unsigned int freelist_dummy0;
++ void *freelist_dummy1;
++ void *freelist_dummy2;
+ #endif
+ #ifndef OPENSSL_NO_SRP
+ SRP_CTX srp_ctx; /* ctx for SRP authentication */
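Review bot: The three `freelist_dummy*` members added in the `#else` branch carry no comment, so a later cleanup could delete them as unused and silently shift `srp_ctx` and every member after it. A comment above them would record the intent, e.g. `/* ABI padding: mirrors freelist_max_len / wbuf_freelist / rbuf_freelist so the layout does not depend on OPENSSL_NO_BUF_FREELISTS; do not remove or reorder */`. The padding matches only where `void *` has the same size and alignment as `struct ssl3_buf_freelist_st *`, which holds on the usual targets but is an assumption worth stating in that comment. The opening `#if`/`#ifndef` and the enclosing struct both start outside this hunk, so the condition the `#else` pairs with should be checked against the full header.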