diff options
author | Timo Teräs <timo.teras@iki.fi> | 2015-03-27 15:26:41 +0200 |
---|---|---|
committer | Timo Teräs <timo.teras@iki.fi> | 2015-03-27 16:30:45 +0200 |
commit | 5891af54e70fd91c02e6f8ab9b2059662b0ecfd4 (patch) | |
tree | 027a30ea07a77155c709904664cf91257546cb1a /main/openssl | |
parent | 1e6108c320c4099cc100e8970ca6d5b9ed3d5d74 (diff) | |
download | aports-5891af54e70fd91c02e6f8ab9b2059662b0ecfd4.tar.bz2 aports-5891af54e70fd91c02e6f8ab9b2059662b0ecfd4.tar.xz |
main/openssl: fix rpath and turn off ssl compression by default
System wide mitigation for CVE-2012-4929. While most affected
programs turn off compression themselves, this is safer default.
Diffstat (limited to 'main/openssl')
-rw-r--r-- | main/openssl/0009-no-rpath.patch | 11 | ||||
-rw-r--r-- | main/openssl/0010-ssl-env-zlib.patch | 38 | ||||
-rw-r--r-- | main/openssl/1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch (renamed from main/openssl/0009-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch) | 0 | ||||
-rw-r--r-- | main/openssl/1002-backport-changes-from-upstream-padlock-module.patch (renamed from main/openssl/0010-backport-changes-from-upstream-padlock-module.patch) | 0 | ||||
-rw-r--r-- | main/openssl/1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch (renamed from main/openssl/0011-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch) | 0 | ||||
-rw-r--r-- | main/openssl/1004-crypto-engine-autoload-padlock-dynamic-engine.patch (renamed from main/openssl/0012-crypto-engine-autoload-padlock-dynamic-engine.patch) | 0 | ||||
-rw-r--r-- | main/openssl/APKBUILD | 47 |
7 files changed, 76 insertions, 20 deletions
diff --git a/main/openssl/0009-no-rpath.patch b/main/openssl/0009-no-rpath.patch new file mode 100644 index 0000000000..56df75b791 --- /dev/null +++ b/main/openssl/0009-no-rpath.patch @@ -0,0 +1,11 @@ +--- a/Makefile.shared 2005-06-23 22:47:54.000000000 +0200 ++++ b/Makefile.shared 2005-11-16 22:35:37.000000000 +0100 +@@ -153,7 +153,7 @@ + NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \ + SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX" + +-DO_GNU_APP=LDFLAGS="$(CFLAGS) -Wl,-rpath,$(LIBRPATH)" ++DO_GNU_APP=LDFLAGS="$(CFLAGS)" + + #This is rather special. It's a special target with which one can link + #applications without bothering with any features that have anything to diff --git a/main/openssl/0010-ssl-env-zlib.patch b/main/openssl/0010-ssl-env-zlib.patch new file mode 100644 index 0000000000..9eae15d727 --- /dev/null +++ b/main/openssl/0010-ssl-env-zlib.patch @@ -0,0 +1,38 @@ +diff -ru openssl-1.0.2a.orig/doc/ssl/SSL_COMP_add_compression_method.pod openssl-1.0.2a/doc/ssl/SSL_COMP_add_compression_method.pod +--- openssl-1.0.2a.orig/doc/ssl/SSL_COMP_add_compression_method.pod 2015-01-15 16:43:14.000000000 -0200 ++++ openssl-1.0.2a/doc/ssl/SSL_COMP_add_compression_method.pod 2015-03-27 15:18:47.280054883 -0200 +@@ -47,6 +47,13 @@ + been standardized, the compression API will most likely be changed. Using + it in the current state is not recommended. + ++It is also not recommended to use compression if data transfered contain ++untrusted parts that can be manipulated by an attacker as he could then ++get information about the encrypted data. See the CRIME attack. For ++that reason the default loading of the zlib compression method is ++disabled and enabled only if the environment variable B<OPENSSL_DEFAULT_ZLIB> ++is present during the library initialization. ++ + =head1 RETURN VALUES + + SSL_COMP_add_compression_method() may return the following values: +diff -ru openssl-1.0.2a.orig/ssl/ssl_ciph.c openssl-1.0.2a/ssl/ssl_ciph.c +--- openssl-1.0.2a.orig/ssl/ssl_ciph.c 2015-03-19 15:30:36.000000000 -0200 ++++ openssl-1.0.2a/ssl/ssl_ciph.c 2015-03-27 15:23:05.960057092 -0200 +@@ -141,6 +141,8 @@ + */ + + #include <stdio.h> ++#include <stdlib.h> ++#include <sys/auxv.h> + #include <openssl/objects.h> + #ifndef OPENSSL_NO_COMP + # include <openssl/comp.h> +@@ -481,7 +483,7 @@ + + MemCheck_off(); + ssl_comp_methods = sk_SSL_COMP_new(sk_comp_cmp); +- if (ssl_comp_methods != NULL) { ++ if (ssl_comp_methods != NULL && getauxval(AT_SECURE) == 0 && getenv("OPENSSL_DEFAULT_ZLIB") != NULL) { + comp = (SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP)); + if (comp != NULL) { + comp->method = COMP_zlib(); diff --git a/main/openssl/0009-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch b/main/openssl/1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch index ef46faa848..ef46faa848 100644 --- a/main/openssl/0009-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch +++ b/main/openssl/1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch diff --git a/main/openssl/0010-backport-changes-from-upstream-padlock-module.patch b/main/openssl/1002-backport-changes-from-upstream-padlock-module.patch index f63bbcd1ce..f63bbcd1ce 100644 --- a/main/openssl/0010-backport-changes-from-upstream-padlock-module.patch +++ b/main/openssl/1002-backport-changes-from-upstream-padlock-module.patch diff --git a/main/openssl/0011-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch b/main/openssl/1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch index 5a2cdd633a..5a2cdd633a 100644 --- a/main/openssl/0011-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch +++ b/main/openssl/1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch diff --git a/main/openssl/0012-crypto-engine-autoload-padlock-dynamic-engine.patch b/main/openssl/1004-crypto-engine-autoload-padlock-dynamic-engine.patch index d0cdfb3b3a..d0cdfb3b3a 100644 --- a/main/openssl/0012-crypto-engine-autoload-padlock-dynamic-engine.patch +++ b/main/openssl/1004-crypto-engine-autoload-padlock-dynamic-engine.patch diff --git a/main/openssl/APKBUILD b/main/openssl/APKBUILD index 788a6bda7a..e71a1aead2 100644 --- a/main/openssl/APKBUILD +++ b/main/openssl/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Timo Teras <timo.teras@iki.fi> pkgname=openssl pkgver=1.0.2a -pkgrel=0 +pkgrel=1 pkgdesc="Toolkit for SSL v2/v3 and TLS v1" url="http://openssl.org" depends= @@ -23,10 +23,12 @@ source="http://www.openssl.org/source/${pkgname}-${pkgver}.tar.gz 0006-add-ircv3-tls-3.1-extension-support-to-s_client.patch 0007-reimplement-c_rehash-in-C.patch 0008-maintain-abi-compat-with-no-freelist-and-regular-bui.patch - 0009-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch - 0010-backport-changes-from-upstream-padlock-module.patch - 0011-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch - 0012-crypto-engine-autoload-padlock-dynamic-engine.patch + 0009-no-rpath.patch + 0010-ssl-env-zlib.patch + 1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch + 1002-backport-changes-from-upstream-padlock-module.patch + 1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch + 1004-crypto-engine-autoload-padlock-dynamic-engine.patch " _builddir="$srcdir"/$pkgname-$pkgver @@ -70,10 +72,9 @@ build() { perl ./Configure $_target --prefix=/usr \ --libdir=lib \ --openssldir=/etc/ssl \ - shared zlib enable-montasm enable-md2 \ + shared zlib enable-montasm enable-md2 $_optflags \ -DOPENSSL_NO_BUF_FREELISTS \ - -Wa,--noexecstack \ - $_optflags \ + $CPPFLAGS $CFLAGS $LDFLAGS -Wa,--noexecstack \ || return 1 make && make build-shared || return 1 @@ -125,10 +126,12 @@ md5sums="a06c547dac9044161a477211049f60ef openssl-1.0.2a.tar.gz 5a5753f52b9f54f769f1ad915d0119bd 0006-add-ircv3-tls-3.1-extension-support-to-s_client.patch 106b2c7590d49a28c782cf3f5d623543 0007-reimplement-c_rehash-in-C.patch 7a2f9c883ecdfca3087062df4a68150a 0008-maintain-abi-compat-with-no-freelist-and-regular-bui.patch -25091afb907de2b504f8bad6bf70002c 0009-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch -aa16c89b283faf0fe546e3f897279c44 0010-backport-changes-from-upstream-padlock-module.patch -57cca845e22c178c3b317010be56edf0 0011-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch -2ac874d1249f5f68d8c7cd58d157d29a 0012-crypto-engine-autoload-padlock-dynamic-engine.patch" +28e89dd715fc4ed85e747bd7306f2970 0009-no-rpath.patch +742ee13d88b13414248f329a09f9a92d 0010-ssl-env-zlib.patch +25091afb907de2b504f8bad6bf70002c 1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch +aa16c89b283faf0fe546e3f897279c44 1002-backport-changes-from-upstream-padlock-module.patch +57cca845e22c178c3b317010be56edf0 1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch +2ac874d1249f5f68d8c7cd58d157d29a 1004-crypto-engine-autoload-padlock-dynamic-engine.patch" sha256sums="15b6393c20030aab02c8e2fe0243cb1d1d18062f6c095d67bca91871dc7f324a openssl-1.0.2a.tar.gz 4383de0433cb11696346660ae736f120511a7cd0d6ff14543080e0bb93e45ebb 0001-fix-manpages.patch b449fb998b5f60a3a1779ac2f432b2c7f08ae52fc6dfa98bca37d735f863d400 0002-busybox-basename.patch @@ -138,10 +141,12 @@ d438a36b2b0adf342ebef4b5e9793bcdae3b3027061100f660749c322acbe93d 0004-fix-defau 9baecc8024bd5004ef045c6c53537f7453029c1e273874ce639834145564ca6d 0006-add-ircv3-tls-3.1-extension-support-to-s_client.patch c934b5d1a2cb58b5235da2dfee423f0f66bb83e1d479f511b444751899637c37 0007-reimplement-c_rehash-in-C.patch 1030f885dc76f352854a7a95d73e68cfd1479c5f9ee198d6afef6b0755ee1c81 0008-maintain-abi-compat-with-no-freelist-and-regular-bui.patch -2eddcb7ab342285cb637ce6b6be143cca835f449f35dd9bb8c7b9167ba2117a7 0009-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch -aee88a24622ce9d71e38deeb874e58435dcf8ff5690f56194f0e4a00fb09b260 0010-backport-changes-from-upstream-padlock-module.patch -c10b8aaf56a4f4f79ca195fc587e0bb533f643e777d7a3e6fb0350399a6060ea 0011-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch -2f7c850af078a3ae71b2dd38d5d0b3964ea4262e52673e36ff33498cc6223e6c 0012-crypto-engine-autoload-padlock-dynamic-engine.patch" +6b7ac5c9db430d9d3e8aaf87e0e95aa8a0ef460517d6563cca24014d4d890fbc 0009-no-rpath.patch +fa2e3101ca7c6daed7ea063860d586424be7590b1cec4302bc2beee1a3c6039f 0010-ssl-env-zlib.patch +2eddcb7ab342285cb637ce6b6be143cca835f449f35dd9bb8c7b9167ba2117a7 1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch +aee88a24622ce9d71e38deeb874e58435dcf8ff5690f56194f0e4a00fb09b260 1002-backport-changes-from-upstream-padlock-module.patch +c10b8aaf56a4f4f79ca195fc587e0bb533f643e777d7a3e6fb0350399a6060ea 1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch +2f7c850af078a3ae71b2dd38d5d0b3964ea4262e52673e36ff33498cc6223e6c 1004-crypto-engine-autoload-padlock-dynamic-engine.patch" sha512sums="02d228578824add52b73433d64697706e6503c2334933fe8dd6b477f59c430977012c3c34da207096229a425e1dcb6f3ae806043894b5ac98c27bbcddb794dd4 openssl-1.0.2a.tar.gz b7142256c25f208a42078e2cbdd5165aac833f0453fea0915c63d34d8177e4bb01aeb6676d8cadb988539c181a0d21991bb05a5443580053e75bc8c047b7db17 0001-fix-manpages.patch 2244f46cb18e6b98f075051dd2446c47f7590abccd108fbab707f168a20cad8d32220d704635973f09e3b2879f523be5160f1ffbc12ab3900f8a8891dc855c5c 0002-busybox-basename.patch @@ -151,7 +156,9 @@ b7142256c25f208a42078e2cbdd5165aac833f0453fea0915c63d34d8177e4bb01aeb6676d8cadb9 820d4ce1c222696fe3f1dd0d11815c06262ec230fdb174532fd507286667a0aefbf858ea5edac4245a54b950cd0556545ecd0c5cf494692a2ba131c667e7bcd5 0006-add-ircv3-tls-3.1-extension-support-to-s_client.patch fc4e383ec85c6543e4e82520904122a5a5601c68042ece1e95a0cae95e02d89174f06f78ba2f8aacae8df16052df6ec628b568519a41706428a3fa07984cc8e3 0007-reimplement-c_rehash-in-C.patch 17ad683bb91a3a3c5bcc456c8aed7f0b42414c6de06ebafa4753af93c42d9827c9978a43d4d53d741a45df7f7895c6f6163172af57cc7b391cfd15f45ce6c351 0008-maintain-abi-compat-with-no-freelist-and-regular-bui.patch -8c181760d7a149aa18d246d50f1c0438ffb63c98677b05306dfc00400ad0429b47d31e7c8d85126005c67f743d23e7a8a81174ffe98556f4caf9cf6b04d9ff17 0009-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch -a3555440b5f544bfd6b9ad97557d8f4c1d673f6a35219f65056a72035d186be5f354717ddf9784899b602464d48657b090ade24379552d43af97609c0f48c389 0010-backport-changes-from-upstream-padlock-module.patch -6353c7a94016c20db5d683dde37775f6780952ecdb1a5f39f878d04ba37f6ad79ae10fb6d65d181d912505a5d1e22463004cd855d548b364c00b120da2b0fdbc 0011-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch -b72436eb8d4dac42d8da76a51d46cfc03e92e162f692a7a1761201221b9c6d66b738c08270b2260f02ce47b42043538474df73a7185dd4a809dd3b14cc8af7c3 0012-crypto-engine-autoload-padlock-dynamic-engine.patch" +5dbbc01985190ae1254350fb12565beb6abb916b6a7bb1f0f22d9762b1e575d124aaf9aa4cfe5f908e420978f691072d48c61a72660f09dfd6d9a2f83f862bc1 0009-no-rpath.patch +5febe20948e3f12d981e378e1f4ea538711657aacb6865a1aa91339d4a04277e250f490a1f2abc2c6f290bdc2b1bffdba1d00983b4c09f7ea983eef8163f9420 0010-ssl-env-zlib.patch +8c181760d7a149aa18d246d50f1c0438ffb63c98677b05306dfc00400ad0429b47d31e7c8d85126005c67f743d23e7a8a81174ffe98556f4caf9cf6b04d9ff17 1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch +a3555440b5f544bfd6b9ad97557d8f4c1d673f6a35219f65056a72035d186be5f354717ddf9784899b602464d48657b090ade24379552d43af97609c0f48c389 1002-backport-changes-from-upstream-padlock-module.patch +6353c7a94016c20db5d683dde37775f6780952ecdb1a5f39f878d04ba37f6ad79ae10fb6d65d181d912505a5d1e22463004cd855d548b364c00b120da2b0fdbc 1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch +b72436eb8d4dac42d8da76a51d46cfc03e92e162f692a7a1761201221b9c6d66b738c08270b2260f02ce47b42043538474df73a7185dd4a809dd3b14cc8af7c3 1004-crypto-engine-autoload-padlock-dynamic-engine.patch" |