diff options
author | Michael Mason <ms13sp@gmail.com> | 2009-12-09 14:15:33 +0000 |
---|---|---|
committer | Michael Mason <ms13sp@gmail.com> | 2009-12-09 14:15:33 +0000 |
commit | c213145f8a2525de36931514ebc4663c59e4b797 (patch) | |
tree | 0f1a505cbf960f8deb44b76ace204532cae6520b /main | |
parent | f735b93e48d350c1372a68413d62805a4ad02f05 (diff) | |
parent | 58c4a2ed5b63919fd9a7d78a14bd2b93eca96b05 (diff) | |
download | aports-c213145f8a2525de36931514ebc4663c59e4b797.tar.bz2 aports-c213145f8a2525de36931514ebc4663c59e4b797.tar.xz |
Merge branch 'master' of git://git.alpinelinux.org/aports
Diffstat (limited to 'main')
-rw-r--r-- | main/openssl/APKBUILD | 14 | ||||
-rw-r--r-- | main/openssl/openssl-0.9.8l-CVE-2009-1377.patch | 53 | ||||
-rw-r--r-- | main/openssl/openssl-0.9.8l-CVE-2009-1378.patch | 24 | ||||
-rw-r--r-- | main/openssl/openssl-0.9.8l-CVE-2009-1379.patch | 22 | ||||
-rw-r--r-- | main/openssl/openssl-0.9.8l-CVE-2009-1387.patch | 59 | ||||
-rw-r--r-- | main/openssl/openssl-0.9.8l-CVE-2009-2409.patch | 71 |
6 files changed, 241 insertions, 2 deletions
diff --git a/main/openssl/APKBUILD b/main/openssl/APKBUILD index a4b22a9d3..fddbf2119 100644 --- a/main/openssl/APKBUILD +++ b/main/openssl/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=openssl pkgver=0.9.8l -pkgrel=0 +pkgrel=1 pkgdesc="Toolkit for SSL v2/v3 and TLS v1" url=http://openssl.org depends= @@ -15,6 +15,11 @@ source="http://www.openssl.org/source/${pkgname}-${pkgver}.tar.gz openssl-bb-basename.patch openssl-0.9.8k-quote-cc.patch openssl-0.9.8k-padlock-sha.patch + openssl-0.9.8l-CVE-2009-1377.patch + openssl-0.9.8l-CVE-2009-1378.patch + openssl-0.9.8l-CVE-2009-1379.patch + openssl-0.9.8l-CVE-2009-1387.patch + openssl-0.9.8l-CVE-2009-2409.patch " build() { @@ -45,4 +50,9 @@ md5sums="05a0ece1372392a2cf310ebb96333025 openssl-0.9.8l.tar.gz 04a6a88c2ee4badd4f8649792b73eaf3 openssl-0.9.8g-fix_manpages-1.patch c6a9857a5dbd30cead0404aa7dd73977 openssl-bb-basename.patch c838eb8488896cfeb7de957a0cbe04ae openssl-0.9.8k-quote-cc.patch -86b7f1bf50e1f3ba407ec62001a51a0d openssl-0.9.8k-padlock-sha.patch" +86b7f1bf50e1f3ba407ec62001a51a0d openssl-0.9.8k-padlock-sha.patch +36694a8dd1c7164f1021f6f24ef20ab9 openssl-0.9.8l-CVE-2009-1377.patch +80b8c77288a6fde633f8ac3a33e21d31 openssl-0.9.8l-CVE-2009-1378.patch +da60b14279e076a19e783f07d8a60d24 openssl-0.9.8l-CVE-2009-1379.patch +926b151cb1e32dc6e9b1c9a25f218a31 openssl-0.9.8l-CVE-2009-1387.patch +595f5bda14198b3aa83a854b1d4fcfb0 openssl-0.9.8l-CVE-2009-2409.patch" diff --git a/main/openssl/openssl-0.9.8l-CVE-2009-1377.patch b/main/openssl/openssl-0.9.8l-CVE-2009-1377.patch new file mode 100644 index 000000000..a3a51f0fd --- /dev/null +++ b/main/openssl/openssl-0.9.8l-CVE-2009-1377.patch @@ -0,0 +1,53 @@ +http://rt.openssl.org/Ticket/Display.html?id=1931&user=guest&pass=guest + +Index: openssl/crypto/pqueue/pqueue.c +RCS File: /v/openssl/cvs/openssl/crypto/pqueue/pqueue.c,v +rcsdiff -q -kk '-r1.2.2.4' '-r1.2.2.5' -u '/v/openssl/cvs/openssl/crypto/pqueue/pqueue.c,v' 2>/dev/null +--- a/crypto/pqueue/pqueue.c 2005/06/28 12:53:33 1.2.2.4 ++++ b/crypto/pqueue/pqueue.c 2009/05/16 16:18:44 1.2.2.5 +@@ -234,3 +234,17 @@ + + return ret; + } ++ ++int ++pqueue_size(pqueue_s *pq) ++{ ++ pitem *item = pq->items; ++ int count = 0; ++ ++ while(item != NULL) ++ { ++ count++; ++ item = item->next; ++ } ++ return count; ++} +Index: openssl/crypto/pqueue/pqueue.h +RCS File: /v/openssl/cvs/openssl/crypto/pqueue/pqueue.h,v +rcsdiff -q -kk '-r1.2.2.1' '-r1.2.2.2' -u '/v/openssl/cvs/openssl/crypto/pqueue/pqueue.h,v' 2>/dev/null +--- a/crypto/pqueue/pqueue.h 2005/05/30 22:34:27 1.2.2.1 ++++ b/crypto/pqueue/pqueue.h 2009/05/16 16:18:44 1.2.2.2 +@@ -91,5 +91,6 @@ + pitem *pqueue_next(piterator *iter); + + void pqueue_print(pqueue pq); ++int pqueue_size(pqueue pq); + + #endif /* ! HEADER_PQUEUE_H */ +Index: openssl/ssl/d1_pkt.c +RCS File: /v/openssl/cvs/openssl/ssl/d1_pkt.c,v +rcsdiff -q -kk '-r1.4.2.17' '-r1.4.2.18' -u '/v/openssl/cvs/openssl/ssl/d1_pkt.c,v' 2>/dev/null +--- a/ssl/d1_pkt.c 2009/05/16 15:51:59 1.4.2.17 ++++ b/ssl/d1_pkt.c 2009/05/16 16:18:45 1.4.2.18 +@@ -167,6 +167,10 @@ + DTLS1_RECORD_DATA *rdata; + pitem *item; + ++ /* Limit the size of the queue to prevent DOS attacks */ ++ if (pqueue_size(queue->q) >= 100) ++ return 0; ++ + rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA)); + item = pitem_new(priority, rdata); + if (rdata == NULL || item == NULL) diff --git a/main/openssl/openssl-0.9.8l-CVE-2009-1378.patch b/main/openssl/openssl-0.9.8l-CVE-2009-1378.patch new file mode 100644 index 000000000..9ec8a9f3a --- /dev/null +++ b/main/openssl/openssl-0.9.8l-CVE-2009-1378.patch @@ -0,0 +1,24 @@ +http://rt.openssl.org/Ticket/Display.html?id=1931&user=guest&pass=guest + +Index: ssl/d1_both.c +=================================================================== +--- a/ssl/d1_both.c.orig ++++ b/ssl/d1_both.c +@@ -561,7 +561,16 @@ dtls1_process_out_of_seq_message(SSL *s, + if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len) + goto err; + +- if (msg_hdr->seq <= s->d1->handshake_read_seq) ++ /* Try to find item in queue, to prevent duplicate entries */ ++ pq_64bit_init(&seq64); ++ pq_64bit_assign_word(&seq64, msg_hdr->seq); ++ item = pqueue_find(s->d1->buffered_messages, seq64); ++ pq_64bit_free(&seq64); ++ ++ /* Discard the message if sequence number was already there, is ++ * too far in the future or the fragment is already in the queue */ ++ if (msg_hdr->seq <= s->d1->handshake_read_seq || ++ msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL) + { + unsigned char devnull [256]; + diff --git a/main/openssl/openssl-0.9.8l-CVE-2009-1379.patch b/main/openssl/openssl-0.9.8l-CVE-2009-1379.patch new file mode 100644 index 000000000..b70772c97 --- /dev/null +++ b/main/openssl/openssl-0.9.8l-CVE-2009-1379.patch @@ -0,0 +1,22 @@ +Index: openssl/ssl/d1_both.c +RCS File: /v/openssl/cvs/openssl/ssl/d1_both.c,v +rcsdiff -q -kk '-r1.14.2.6' '-r1.14.2.7' -u '/v/openssl/cvs/openssl/ssl/d1_both.c,v' 2>/dev/null +--- a/ssl/d1_both.c 2009/04/22 12:17:02 1.14.2.6 ++++ b/ssl/d1_both.c 2009/05/13 11:51:30 1.14.2.7 +@@ -519,6 +519,7 @@ + + if ( s->d1->handshake_read_seq == frag->msg_header.seq) + { ++ unsigned long frag_len = frag->msg_header.frag_len; + pqueue_pop(s->d1->buffered_messages); + + al=dtls1_preprocess_fragment(s,&frag->msg_header,max); +@@ -536,7 +537,7 @@ + if (al==0) + { + *ok = 1; +- return frag->msg_header.frag_len; ++ return frag_len; + } + + ssl3_send_alert(s,SSL3_AL_FATAL,al); diff --git a/main/openssl/openssl-0.9.8l-CVE-2009-1387.patch b/main/openssl/openssl-0.9.8l-CVE-2009-1387.patch new file mode 100644 index 000000000..c8ff15e50 --- /dev/null +++ b/main/openssl/openssl-0.9.8l-CVE-2009-1387.patch @@ -0,0 +1,59 @@ +http://bugs.gentoo.org/270305 + +fix from upstream + +Index: ssl/d1_both.c +=================================================================== +RCS file: /usr/local/src/openssl/CVSROOT/openssl/ssl/d1_both.c,v +retrieving revision 1.4.2.7 +retrieving revision 1.4.2.8 +diff -u -p -r1.4.2.7 -r1.4.2.8 +--- a/ssl/d1_both.c 17 Oct 2007 21:17:49 -0000 1.4.2.7 ++++ b/ssl/d1_both.c 2 Apr 2009 22:12:13 -0000 1.4.2.8 +@@ -575,30 +575,31 @@ dtls1_process_out_of_seq_message(SSL *s, + } + } + +- frag = dtls1_hm_fragment_new(frag_len); +- if ( frag == NULL) +- goto err; ++ if (frag_len) ++ { ++ frag = dtls1_hm_fragment_new(frag_len); ++ if ( frag == NULL) ++ goto err; + +- memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr)); ++ memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr)); + +- if (frag_len) +- { +- /* read the body of the fragment (header has already been read */ ++ /* read the body of the fragment (header has already been read) */ + i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE, + frag->fragment,frag_len,0); + if (i<=0 || (unsigned long)i!=frag_len) + goto err; +- } + +- pq_64bit_init(&seq64); +- pq_64bit_assign_word(&seq64, msg_hdr->seq); ++ pq_64bit_init(&seq64); ++ pq_64bit_assign_word(&seq64, msg_hdr->seq); + +- item = pitem_new(seq64, frag); +- pq_64bit_free(&seq64); +- if ( item == NULL) +- goto err; ++ item = pitem_new(seq64, frag); ++ pq_64bit_free(&seq64); ++ if ( item == NULL) ++ goto err; ++ ++ pqueue_insert(s->d1->buffered_messages, item); ++ } + +- pqueue_insert(s->d1->buffered_messages, item); + return DTLS1_HM_FRAGMENT_RETRY; + + err: diff --git a/main/openssl/openssl-0.9.8l-CVE-2009-2409.patch b/main/openssl/openssl-0.9.8l-CVE-2009-2409.patch new file mode 100644 index 000000000..6e485c3b7 --- /dev/null +++ b/main/openssl/openssl-0.9.8l-CVE-2009-2409.patch @@ -0,0 +1,71 @@ +http://bugs.gentoo.org/280591 + +fix from upstream + +http://cvs.openssl.org/chngview?cn=18260 + +Index: openssl/crypto/x509/x509_vfy.c +RCS File: /v/openssl/cvs/openssl/crypto/x509/x509_vfy.c,v +rcsdiff -q -kk '-r1.77.2.8' '-r1.77.2.9' -u '/v/openssl/cvs/openssl/crypto/x509/x509_vfy.c,v' 2>/dev/null +--- a/crypto/x509/x509_vfy.c 2008/07/13 14:33:15 1.77.2.8 ++++ b/crypto/x509/x509_vfy.c 2009/06/15 14:52:38 1.77.2.9 +@@ -986,7 +986,11 @@ + while (n >= 0) + { + ctx->error_depth=n; +- if (!xs->valid) ++ ++ /* Skip signature check for self signed certificates. It ++ * doesn't add any security and just wastes time. ++ */ ++ if (!xs->valid && xs != xi) + { + if ((pkey=X509_get_pubkey(xi)) == NULL) + { +@@ -996,13 +1000,6 @@ + if (!ok) goto end; + } + else if (X509_verify(xs,pkey) <= 0) +- /* XXX For the final trusted self-signed cert, +- * this is a waste of time. That check should +- * optional so that e.g. 'openssl x509' can be +- * used to detect invalid self-signatures, but +- * we don't verify again and again in SSL +- * handshakes and the like once the cert has +- * been declared trusted. */ + { + ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE; + ctx->current_cert=xs; + +http://cvs.openssl.org/chngview?cn=18317 + +Index: openssl/crypto/evp/c_alld.c +RCS File: /v/openssl/cvs/openssl/crypto/evp/c_alld.c,v +rcsdiff -q -kk '-r1.7' '-r1.7.2.1' -u '/v/openssl/cvs/openssl/crypto/evp/c_alld.c,v' 2>/dev/null +--- a/crypto/evp/c_alld.c 2005/04/30 21:51:40 1.7 ++++ b/crypto/evp/c_alld.c 2009/07/08 08:33:26 1.7.2.1 +@@ -64,9 +64,6 @@ + + void OpenSSL_add_all_digests(void) + { +-#ifndef OPENSSL_NO_MD2 +- EVP_add_digest(EVP_md2()); +-#endif + #ifndef OPENSSL_NO_MD4 + EVP_add_digest(EVP_md4()); + #endif +Index: openssl/ssl/ssl_algs.c +RCS File: /v/openssl/cvs/openssl/ssl/ssl_algs.c,v +rcsdiff -q -kk '-r1.12.2.3' '-r1.12.2.4' -u '/v/openssl/cvs/openssl/ssl/ssl_algs.c,v' 2>/dev/null +--- a/ssl/ssl_algs.c 2007/04/23 23:50:21 1.12.2.3 ++++ b/ssl/ssl_algs.c 2009/07/08 08:33:27 1.12.2.4 +@@ -92,9 +92,6 @@ + EVP_add_cipher(EVP_seed_cbc()); + #endif + +-#ifndef OPENSSL_NO_MD2 +- EVP_add_digest(EVP_md2()); +-#endif + #ifndef OPENSSL_NO_MD5 + EVP_add_digest(EVP_md5()); + EVP_add_digest_alias(SN_md5,"ssl2-md5"); |