From c7c8818b7203c5ff58dd5f7d03f7e47cb681348d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
Date: Thu, 5 Jun 2014 15:40:22 +0300
Subject: main/openssl: security upgrade to 1.0.1h (multiple CVE)

Newly fixed CVEs:
CVE-2014-0224 SSL/TLS MITM vulnerability
CVE-2014-0221 DTLS recursion flaw
CVE-2014-0195 DTLS invalid fragment vulnerability

Previously fixed in Alpine by cherry picks:
CVE-2014-0198 SSL_MODE_RELEASE_BUFFERS NULL pointer dereference
---
 main/openssl/APKBUILD                              | 30 +++++--------
 main/openssl/CVE-2014-0198.patch                   | 37 ---------------
 main/openssl/fix-manpages.patch                    | 52 ----------------------
 .../fix-use-after-free-without-freelist.patch      | 13 ------
 4 files changed, 11 insertions(+), 121 deletions(-)
 delete mode 100644 main/openssl/CVE-2014-0198.patch
 delete mode 100644 main/openssl/fix-use-after-free-without-freelist.patch

diff --git a/main/openssl/APKBUILD b/main/openssl/APKBUILD
index 90eb0ce03f..a632e1179b 100644
--- a/main/openssl/APKBUILD
+++ b/main/openssl/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Timo Teras <timo.teras@iki.fi>
 pkgname=openssl
-pkgver=1.0.1g
-pkgrel=3
+pkgver=1.0.1h
+pkgrel=0
 pkgdesc="Toolkit for SSL v2/v3 and TLS v1"
 url="http://openssl.org"
 depends=
@@ -15,7 +15,6 @@ license="openssl"
 subpackages="$pkgname-dev $pkgname-doc libcrypto1.0:libcrypto libssl1.0:libssl"
 
 source="http://www.openssl.org/source/${pkgname}-${pkgver}.tar.gz
-	CVE-2014-0198.patch
 	fix-manpages.patch
 	openssl-bb-basename.patch
 	0001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
@@ -29,7 +28,6 @@ source="http://www.openssl.org/source/${pkgname}-${pkgver}.tar.gz
 	c_rehash.c
 	openssl-1.0.1-parallel-build.patch
 	abi-compat-no-freelists.patch
-	fix-use-after-free-without-freelist.patch
 	"
 
 _builddir="$srcdir"/$pkgname-$pkgver
@@ -122,9 +120,8 @@ libssl() {
 	done
 }
 
-md5sums="de62b43dfcd858e66a74bee1c834e959  openssl-1.0.1g.tar.gz
-bede51cf4d58b63baee73191ac292f6d  CVE-2014-0198.patch
-115c481cd59b3dba631364e8fb1778f5  fix-manpages.patch
+md5sums="8d6d684a9430d5cc98a62a5d8fbda8cf  openssl-1.0.1h.tar.gz
+c804de28dcf4cc64275e7df8828750c8  fix-manpages.patch
 c6a9857a5dbd30cead0404aa7dd73977  openssl-bb-basename.patch
 ddb5fc155145d5b852425adaec32234d  0001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
 4a7b9e20beb33a5e262ab64c2b8e5b48  0002-engines-e_padlock-backport-cvs-head-changes.patch
@@ -136,11 +133,9 @@ d1f3aaad7c36590f21355682983cd14e  openssl-1.0.1-version-eglibc.patch
 efec1bce615256961b1756e575ee1d0a  fix-default-apps-capath.patch
 05ad806219cef6fa5692ac727af7fab6  c_rehash.c
 60ca340e32944e4825747e3681ccd553  openssl-1.0.1-parallel-build.patch
-b7f2421187ae2b4c7e424cda2022d41d  abi-compat-no-freelists.patch
-148545f22ee15fc737b35768be4aa0cf  fix-use-after-free-without-freelist.patch"
-sha256sums="53cb818c3b90e507a8348f4f5eaedb05d8bfe5358aabb508b7263cc670c3e028  openssl-1.0.1g.tar.gz
-845973d589d087b720f7a328b2298e87307fd9218830c9b1b3e31ad7a1278d73  CVE-2014-0198.patch
-fe844e21b2c42da2d8e9c89350211d70c0829f45532b89b7e492bfde589ee7ed  fix-manpages.patch
+b7f2421187ae2b4c7e424cda2022d41d  abi-compat-no-freelists.patch"
+sha256sums="9d1c8a9836aa63e2c6adb684186cbd4371c9e9dcc01d6e3bb447abf2d4d3d093  openssl-1.0.1h.tar.gz
+e3a33c676f8fbe113a780c6b33b28dbf79eb410aac4b989af2dd7a4f64cddea8  fix-manpages.patch
 82863c2fed659a7186c7f3905a1853b8bd8060350ad101ce159fa7e7d2ba27e8  openssl-bb-basename.patch
 18dd81fefb39b3328a444774ed10871ed50348ca171d2da9f826f916127b2dae  0001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
 39c31c2e33cded09543a2d1fd2e3238e9d11c672ba71a14d13095baad3ec9696  0002-engines-e_padlock-backport-cvs-head-changes.patch
@@ -152,11 +147,9 @@ cbb2493ec9157e78035e9cc02be17655996ee9cd0a71b79507fc19f3862f452b  0003-engines-e
 1e11d6b8cdcdd6957c69d33ab670c5918fc96c12fdb9b76b4287cb8f69c3545d  fix-default-apps-capath.patch
 7b0947fd09ad1e8d9cea360b883090025b40193d0fc8a631f2e3bb42db28d76b  c_rehash.c
 bd56e5fe1b6fe594ab93f34d25fef0b7372633bad8532f81da998f3e6655d221  openssl-1.0.1-parallel-build.patch
-41c7c1e5bea7f7e0ccc59203a48f097948627d72fcf87f943fcfe8c14b4069a2  abi-compat-no-freelists.patch
-5dd2b8c2d86b6859e8dd34f27924bb251ba0f64856c49edff351c18941483a52  fix-use-after-free-without-freelist.patch"
-sha512sums="66ebbad3c8ad98a07b486d39d0c3ae62b00133f8f2877cf8b97c461e7c7f40b29cf9c3cae82cf73a92dcf1daa63d33aa76c910fbcbe60158589fc7cb48f41e6d  openssl-1.0.1g.tar.gz
-fbd399f406fd6decdfa14a9457e969a939f49c71fc9b9b33d8ff40705a49732a10fa6aa0a5a015106ee9b3ee95aee9db1bf06839f1487961200f7f95fa954d93  CVE-2014-0198.patch
-880411d56da49946d24328445728367e0bf13b0fd47954971514bee8cd5613a038ad8aeaf68da2c92f4634deb022febd7b3e37f9bbfc5d2c9c8b3b5ffd971407  fix-manpages.patch
+41c7c1e5bea7f7e0ccc59203a48f097948627d72fcf87f943fcfe8c14b4069a2  abi-compat-no-freelists.patch"
+sha512sums="687d12ae13e364b15622f68933894050d577a4f8647bd68c7e9e86eb9d9f49cd2ebb0da3c5d3ded0a8746cf7b87e23b167b536116aa9a0402d7e7cc2ee401a92  openssl-1.0.1h.tar.gz
+b8f18d0bddb943346e383904bfe8463f3b5bd3e10d53f5210ae26ad285893f17ebd7a84cf55bb4219a85dc15e61afc08dfbd91a4e6ed9a14f3168618775c1a0d  fix-manpages.patch
 6c4f4b0c1b606b3e5a8175618c4398923392f9c25ad8d3f5b65b0424fe51e104c4f456d2da590d9f572382225ab320278e88db1585790092450cad60a02819a5  openssl-bb-basename.patch
 ea282b09d4692a29e5a554e19b0798fa921717d4892decc68cba92cad11e85e4064d8ac78d98f6fa8bb45c65fdd1a5d1a6f6755e53102d520e9d8b807c3a7822  0001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
 96cdd28d1ad5efd3f5836b4c57c9c6ea8e790fbf919e32a8c4acd3883a3531b8d295053a4aa20e6165600153b141ce7b0a3d1d736fdfc325d59862b845aa4d98  0002-engines-e_padlock-backport-cvs-head-changes.patch
@@ -168,5 +161,4 @@ b019320869d215014ad46e0b29aa239e31243571c4d45256b3ce6449a67fdc106a381c1cf3abd55d
 f2e737146a473d55b99f27457718ca299a02a0c74009026a30c3d1347c575bc264962b5708995e02ef7d68521b8366ccea7320523efb87b1ab2632d73fec5658  fix-default-apps-capath.patch
 17b5ecda9c51a4a6b7a2b5fea65abc90091ae9c8d43527546148769d8fcfd87450075830b874fcff21b9ad0c31366213b4bfb8665e09cbd2559a8f3688b9aebd  c_rehash.c
 7255b3315133e415631b2ecadc8f5c50a705b9db507c46efded0190363ce9eb31ffbfe01c500669c060878e5202f858b1d2475c64948426fbf70820b4c798ba1  openssl-1.0.1-parallel-build.patch
-38156d183ebf80de0a39c046b1dddaf99ae64286214f3ee9de51d28212933b5f16c23908aef0aa3d71188306b064969b99da2a0a75693b6bba1bc32884c78b31  abi-compat-no-freelists.patch
-515197784d7423f4875f9a0b3102fa4a2d63fcec52d52dbc9a36eba9f40b19f2814dc90a2c021b4a573bdf789e691f8f90dc95706d7bc1136d0f4c3b2cb91b09  fix-use-after-free-without-freelist.patch"
+38156d183ebf80de0a39c046b1dddaf99ae64286214f3ee9de51d28212933b5f16c23908aef0aa3d71188306b064969b99da2a0a75693b6bba1bc32884c78b31  abi-compat-no-freelists.patch"
diff --git a/main/openssl/CVE-2014-0198.patch b/main/openssl/CVE-2014-0198.patch
deleted file mode 100644
index c473719551..0000000000
--- a/main/openssl/CVE-2014-0198.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From b107586c0c3447ea22dba8698ebbcd81bb29d48c Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Mon, 12 May 2014 00:38:37 +0100
-Subject: [PATCH] Fixed NULL pointer dereference. See PR#3321
-
----
- ssl/s3_pkt.c |    7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
-index 40eb0dd..d961d12 100644
---- a/ssl/s3_pkt.c
-+++ b/ssl/s3_pkt.c
-@@ -657,9 +657,6 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
- 	SSL3_BUFFER *wb=&(s->s3->wbuf);
- 	SSL_SESSION *sess;
- 
-- 	if (wb->buf == NULL)
--		if (!ssl3_setup_write_buffer(s))
--			return -1;
- 
- 	/* first check if there is a SSL3_BUFFER still being written
- 	 * out.  This will happen with non blocking IO */
-@@ -675,6 +672,10 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
- 		/* if it went, fall through and send more stuff */
- 		}
- 
-+ 	if (wb->buf == NULL)
-+		if (!ssl3_setup_write_buffer(s))
-+			return -1;
-+
- 	if (len == 0 && !create_empty_fragment)
- 		return 0;
- 
--- 
-1.7.9.5
-
diff --git a/main/openssl/fix-manpages.patch b/main/openssl/fix-manpages.patch
index 7c6ac9902f..92b092fff2 100644
--- a/main/openssl/fix-manpages.patch
+++ b/main/openssl/fix-manpages.patch
@@ -169,32 +169,6 @@ index 81f93c2..690aa85 100644
  L<RAND_add(3)|RAND_add(3)>, L<RAND_bytes(3)|RAND_bytes(3)>
  
  =head1 HISTORY
-diff --git a/doc/crypto/CONF_modules_free.pod b/doc/crypto/CONF_modules_free.pod
-index 87bc7b7..347020c 100644
---- a/doc/crypto/CONF_modules_free.pod
-+++ b/doc/crypto/CONF_modules_free.pod
-@@ -37,7 +37,7 @@ None of the functions return a value.
- =head1 SEE ALSO
- 
- L<conf(5)|conf(5)>, L<OPENSSL_config(3)|OPENSSL_config(3)>,
--L<CONF_modules_load_file(3), CONF_modules_load_file(3)>
-+L<CONF_modules_load_file(3)|CONF_modules_load_file(3)>
- 
- =head1 HISTORY
- 
-diff --git a/doc/crypto/CONF_modules_load_file.pod b/doc/crypto/CONF_modules_load_file.pod
-index 9965d69..6dd9b1d 100644
---- a/doc/crypto/CONF_modules_load_file.pod
-+++ b/doc/crypto/CONF_modules_load_file.pod
-@@ -51,7 +51,7 @@ return value of the failing module (this will always be zero or negative).
- =head1 SEE ALSO
- 
- L<conf(5)|conf(5)>, L<OPENSSL_config(3)|OPENSSL_config(3)>,
--L<CONF_free(3), CONF_free(3)>, L<err(3),err(3)>
-+L<CONF_free(3)|CONF_free(3)>, L<openssl_err(3)|openssl_err(3)>
- 
- =head1 HISTORY
- 
 diff --git a/doc/crypto/DH_generate_key.pod b/doc/crypto/DH_generate_key.pod
 index 81f09fd..0d9f1e5 100644
 --- a/doc/crypto/DH_generate_key.pod
@@ -455,19 +429,6 @@ index 9097f09..2a8d225 100644
  L<evp(3)|evp(3)>, L<hmac(3)|hmac(3)>, L<md2(3)|md2(3)>,
  L<md5(3)|md5(3)>, L<mdc2(3)|mdc2(3)>, L<ripemd(3)|ripemd(3)>,
  L<sha(3)|sha(3)>, L<dgst(1)|dgst(1)>
-diff --git a/doc/crypto/OPENSSL_config.pod b/doc/crypto/OPENSSL_config.pod
-index e7bba2a..888de88 100644
---- a/doc/crypto/OPENSSL_config.pod
-+++ b/doc/crypto/OPENSSL_config.pod
-@@ -73,7 +73,7 @@ Neither OPENSSL_config() nor OPENSSL_no_config() return a value.
- =head1 SEE ALSO
- 
- L<conf(5)|conf(5)>, L<CONF_load_modules_file(3)|CONF_load_modules_file(3)>,
--L<CONF_modules_free(3),CONF_modules_free(3)>
-+L<CONF_modules_free(3)|CONF_modules_free(3)>
- 
- =head1 HISTORY
- 
 diff --git a/doc/crypto/RAND_add.pod b/doc/crypto/RAND_add.pod
 index 67c66f3..a6fc28a 100644
 --- a/doc/crypto/RAND_add.pod
@@ -598,19 +559,6 @@ index e70380b..121f3df 100644
  L<RSA_verify(3)|RSA_verify(3)>
  
  =head1 HISTORY
-diff --git a/doc/crypto/X509_NAME_ENTRY_get_object.pod b/doc/crypto/X509_NAME_ENTRY_get_object.pod
-index 41902c0..4716e7e 100644
---- a/doc/crypto/X509_NAME_ENTRY_get_object.pod
-+++ b/doc/crypto/X509_NAME_ENTRY_get_object.pod
-@@ -65,7 +65,7 @@ set first so the relevant field information can be looked up internally.
- =head1 SEE ALSO
- 
- L<ERR_get_error(3)|ERR_get_error(3)>, L<d2i_X509_NAME(3)|d2i_X509_NAME(3)>,
--L<OBJ_nid2obj(3),OBJ_nid2obj(3)>
-+L<OBJ_nid2obj(3)|OBJ_nid2obj(3)>
- 
- =head1 HISTORY
- 
 diff --git a/doc/crypto/bn.pod b/doc/crypto/bn.pod
 index cd2f8e5..a6f8c58 100644
 --- a/doc/crypto/bn.pod
diff --git a/main/openssl/fix-use-after-free-without-freelist.patch b/main/openssl/fix-use-after-free-without-freelist.patch
deleted file mode 100644
index 4734c75092..0000000000
--- a/main/openssl/fix-use-after-free-without-freelist.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-http://rt.openssl.org/Ticket/Attachment/37748/20587/
-
---- openssl-1.0.1g/ssl/s3_pkt.c.orig	2014-04-11 08:10:03.115295077 -0300
-+++ openssl-1.0.1g/ssl/s3_pkt.c	2014-04-11 08:10:38.788435152 -0300
-@@ -1055,7 +1055,7 @@
- 				{
- 				s->rstate=SSL_ST_READ_HEADER;
- 				rr->off=0;
--				if (s->mode & SSL_MODE_RELEASE_BUFFERS)
-+				if (s->mode & SSL_MODE_RELEASE_BUFFERS && s->s3->rbuf.left == 0)
- 					ssl3_release_read_buffer(s);
- 				}
- 			}
-- 
cgit v1.2.3