rpms
/
openssl
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fix multiple security issues. 

- fix CVE-2016-0702 - side channel attack on modular exponentiation
- fix CVE-2016-0705 - double-free in DSA private key parsing
- fix CVE-2016-0797 - heap corruption in BN_hex2bn and BN_dec2bn
- fix CVE-2015-3197 - SSLv2 ciphersuite enforcement
- fix CVE-2015-7575 - disallow use of MD5 in TLS1.2
- fix CVE-2016-0799 - memory issues in BIO_*printf functions
This commit is contained in:
Tomas Mraz 2016-03-02 11:00:13 +01:00
parent 85a2d8a93c
commit 0fa091c0ff
6 changed files with 1806 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
openssl-1.0.1e-cve-2015-3197.patch Normal file
View File

@ -0,0 +1,42 @@
diff -up openssl-1.0.1e/ssl/s2_srvr.c.ssl2-ciphers openssl-1.0.1e/ssl/s2_srvr.c
--- openssl-1.0.1e/ssl/s2_srvr.c.ssl2-ciphers 2016-01-14 17:38:50.000000000 +0100
+++ openssl-1.0.1e/ssl/s2_srvr.c 2016-02-16 16:18:59.790225008 +0100
@@ -392,7 +392,7 @@ static int get_client_master_key(SSL *s)
}
cp=ssl2_get_cipher_by_char(p);
- if (cp == NULL)
+ if (cp == NULL || sk_SSL_CIPHER_find(s->session->ciphers, cp) < 0)
{
ssl2_return_error(s,SSL2_PE_NO_CIPHER);
SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_NO_CIPHER_MATCH);
@@ -692,9 +692,13 @@ static int get_client_hello(SSL *s)
prio = cs;
allow = cl;
}
+
+ /* Generate list of SSLv2 ciphers shared between client and server */
for (z=0; z<sk_SSL_CIPHER_num(prio); z++)
{
- if (sk_SSL_CIPHER_find(allow,sk_SSL_CIPHER_value(prio,z)) < 0)
+ const SSL_CIPHER *cp = sk_SSL_CIPHER_value(prio, z);
+ if ((cp->algorithm_ssl & SSL_SSLV2) == 0 ||
+ sk_SSL_CIPHER_find(allow,cp) < 0)
{
(void)sk_SSL_CIPHER_delete(prio,z);
z--;
@@ -705,6 +709,14 @@ static int get_client_hello(SSL *s)
sk_SSL_CIPHER_free(s->session->ciphers);
s->session->ciphers = prio;
}
+
+ /* Make sure we have at least one cipher in common */
+ if (sk_SSL_CIPHER_num(s->session->ciphers) == 0)
+ {
+ ssl2_return_error(s, SSL2_PE_NO_CIPHER);
+ SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_NO_CIPHER_MATCH);
+ return -1;
+ }
/* s->session->ciphers should now have a list of
* ciphers that are on both the client and server.
* This list is ordered by the order the client sent

74
openssl-1.0.1e-cve-2016-0797.patch Normal file
View File

@ -0,0 +1,74 @@
diff -up openssl-1.0.1e/crypto/bn/bn.h.bn-hex openssl-1.0.1e/crypto/bn/bn.h
--- openssl-1.0.1e/crypto/bn/bn.h.bn-hex 2016-02-24 14:23:33.020233047 +0100
+++ openssl-1.0.1e/crypto/bn/bn.h 2016-02-24 14:23:06.078615397 +0100
@@ -129,6 +129,7 @@
#ifndef OPENSSL_NO_FP_API
#include <stdio.h> /* FILE */
#endif
+#include <limits.h>
#include <openssl/ossl_typ.h>
#include <openssl/crypto.h>
@@ -640,7 +641,8 @@ const BIGNUM *BN_get0_nist_prime_521(voi
/* library internal functions */
-#define bn_expand(a,bits) ((((((bits+BN_BITS2-1))/BN_BITS2)) <= (a)->dmax)?\
+#define bn_expand(a,bits) (bits > (INT_MAX - BN_BITS2 + 1)?\
+ NULL:(((((bits+BN_BITS2-1))/BN_BITS2)) <= (a)->dmax)?\
(a):bn_expand2((a),(bits+BN_BITS2-1)/BN_BITS2))
#define bn_wexpand(a,words) (((words) <= (a)->dmax)?(a):bn_expand2((a),(words)))
BIGNUM *bn_expand2(BIGNUM *a, int words);
diff -up openssl-1.0.1e/crypto/bn/bn_print.c.bn-hex openssl-1.0.1e/crypto/bn/bn_print.c
--- openssl-1.0.1e/crypto/bn/bn_print.c.bn-hex 2013-02-11 16:26:04.000000000 +0100
+++ openssl-1.0.1e/crypto/bn/bn_print.c 2016-02-24 14:15:21.215948376 +0100
@@ -58,6 +58,7 @@
#include <stdio.h>
#include <ctype.h>
+#include <limits.h>
#include "cryptlib.h"
#include <openssl/buffer.h>
#include "bn_lcl.h"
@@ -180,8 +181,10 @@ int BN_hex2bn(BIGNUM **bn, const char *a
if (*a == '-') { neg=1; a++; }
- for (i=0; isxdigit((unsigned char) a[i]); i++)
+ for (i=0; i <= (INT_MAX/4) && isxdigit((unsigned char) a[i]); i++)
;
+ if (i > INT_MAX/4)
+ goto err;
num=i+neg;
if (bn == NULL) return(num);
@@ -197,7 +200,7 @@ int BN_hex2bn(BIGNUM **bn, const char *a
BN_zero(ret);
}
- /* i is the number of hex digests; */
+ /* i is the number of hex digits */
if (bn_expand(ret,i*4) == NULL) goto err;
j=i; /* least significant 'hex' */
@@ -246,8 +249,10 @@ int BN_dec2bn(BIGNUM **bn, const char *a
if ((a == NULL) || (*a == '\0')) return(0);
if (*a == '-') { neg=1; a++; }
- for (i=0; isdigit((unsigned char) a[i]); i++)
+ for (i=0; i <= (INT_MAX/4) && isdigit((unsigned char) a[i]); i++)
;
+ if (i > INT_MAX/4)
+ goto err;
num=i+neg;
if (bn == NULL) return(num);
@@ -264,7 +269,7 @@ int BN_dec2bn(BIGNUM **bn, const char *a
BN_zero(ret);
}
- /* i is the number of digests, a bit of an over expand; */
+ /* i is the number of digits, a bit of an over expand */
if (bn_expand(ret,i*4) == NULL) goto err;
j=BN_DEC_NUM-(i%BN_DEC_NUM);

70
openssl-1.0.1h-disable-sslv2v3.patch
View File

@ -11,3 +11,73 @@ diff -up openssl-1.0.1h/ssl/ssl_lib.c.v2v3 openssl-1.0.1h/ssl/ssl_lib.c
return(ret);
err:
SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE);
diff -up openssl-1.0.1e/doc/apps/ciphers.pod.disable-sslv2 openssl-1.0.1e/doc/apps/ciphers.pod
--- openssl-1.0.1e/doc/apps/ciphers.pod.disable-sslv2 2016-01-14 17:38:50.000000000 +0100
+++ openssl-1.0.1e/doc/apps/ciphers.pod 2016-02-24 11:17:36.297955053 +0100
@@ -572,11 +572,11 @@ Note: these ciphers can also be used in
=head2 Deprecated SSL v2.0 cipher suites.
SSL_CK_RC4_128_WITH_MD5 RC4-MD5
- SSL_CK_RC4_128_EXPORT40_WITH_MD5 EXP-RC4-MD5
- SSL_CK_RC2_128_CBC_WITH_MD5 RC2-MD5
- SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 EXP-RC2-MD5
+ SSL_CK_RC4_128_EXPORT40_WITH_MD5 Not implemented.
+ SSL_CK_RC2_128_CBC_WITH_MD5 RC2-CBC-MD5
+ SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 Not implemented.
SSL_CK_IDEA_128_CBC_WITH_MD5 IDEA-CBC-MD5
- SSL_CK_DES_64_CBC_WITH_MD5 DES-CBC-MD5
+ SSL_CK_DES_64_CBC_WITH_MD5 Not implemented.
SSL_CK_DES_192_EDE3_CBC_WITH_MD5 DES-CBC3-MD5
=head1 NOTES
diff -up openssl-1.0.1e/ssl/s2_lib.c.disable-sslv2 openssl-1.0.1e/ssl/s2_lib.c
--- openssl-1.0.1e/ssl/s2_lib.c.disable-sslv2 2016-02-24 11:23:24.012237164 +0100
+++ openssl-1.0.1e/ssl/s2_lib.c 2016-02-24 11:19:34.623773423 +0100
@@ -156,6 +156,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
128,
},
+#if 0
/* RC4_128_EXPORT40_WITH_MD5 */
{
1,
@@ -171,6 +172,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
40,
128,
},
+#endif
/* RC2_128_CBC_WITH_MD5 */
{
@@ -188,6 +190,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
128,
},
+#if 0
/* RC2_128_CBC_EXPORT40_WITH_MD5 */
{
1,
@@ -203,6 +206,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
40,
128,
},
+#endif
#ifndef OPENSSL_NO_IDEA
/* IDEA_128_CBC_WITH_MD5 */
@@ -222,6 +226,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
},
#endif
+#if 0
/* DES_64_CBC_WITH_MD5 */
{
1,
@@ -237,6 +242,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
56,
56,
},
+#endif
/* DES_192_EDE3_CBC_WITH_MD5 */
{

1164
openssl-1.0.1k-cve-2016-0702.patch Normal file
View File

File diff suppressed because it is too large Load Diff

437
openssl-1.0.1k-cve-2016-0799.patch Normal file
View File

@ -0,0 +1,437 @@
diff -up openssl-1.0.1k/crypto/bio/b_print.c.bio-printf openssl-1.0.1k/crypto/bio/b_print.c
--- openssl-1.0.1k/crypto/bio/b_print.c.bio-printf 2015-01-08 15:00:36.000000000 +0100
+++ openssl-1.0.1k/crypto/bio/b_print.c 2016-03-02 10:56:35.376167813 +0100
@@ -125,14 +125,14 @@
#define LLONG long
#endif
-static void fmtstr (char **, char **, size_t *, size_t *,
+static int fmtstr(char **, char **, size_t *, size_t *,
const char *, int, int, int);
-static void fmtint (char **, char **, size_t *, size_t *,
+static int fmtint(char **, char **, size_t *, size_t *,
LLONG, int, int, int, int);
-static void fmtfp (char **, char **, size_t *, size_t *,
+static int fmtfp(char **, char **, size_t *, size_t *,
LDOUBLE, int, int, int);
-static void doapr_outch (char **, char **, size_t *, size_t *, int);
-static void _dopr(char **sbuffer, char **buffer,
+static int doapr_outch(char **, char **, size_t *, size_t *, int);
+static int _dopr(char **sbuffer, char **buffer,
size_t *maxlen, size_t *retlen, int *truncated,
const char *format, va_list args);
@@ -165,7 +165,7 @@ static void _dopr(char **sbuffer, char *
#define char_to_int(p) (p - '0')
#define OSSL_MAX(p,q) ((p >= q) ? p : q)
-static void
+static int
_dopr(
char **sbuffer,
char **buffer,
@@ -200,7 +200,8 @@ _dopr(
if (ch == '%')
state = DP_S_FLAGS;
else
- doapr_outch(sbuffer,buffer, &currlen, maxlen, ch);
+ if (!doapr_outch(sbuffer, buffer, &currlen, maxlen, ch))
+ return 0;
ch = *format++;
break;
case DP_S_FLAGS:
@@ -306,8 +307,9 @@ _dopr(
value = va_arg(args, int);
break;
}
- fmtint(sbuffer, buffer, &currlen, maxlen,
- value, 10, min, max, flags);
+ if (!fmtint(sbuffer, buffer, &currlen, maxlen, value, 10, min,
+ max, flags))
+ return 0;
break;
case 'X':
flags |= DP_F_UP;
@@ -332,17 +334,19 @@ _dopr(
unsigned int);
break;
}
- fmtint(sbuffer, buffer, &currlen, maxlen, value,
+ if (!fmtint(sbuffer, buffer, &currlen, maxlen, value,
ch == 'o' ? 8 : (ch == 'u' ? 10 : 16),
- min, max, flags);
+ min, max, flags))
+ return 0;
break;
case 'f':
if (cflags == DP_C_LDOUBLE)
fvalue = va_arg(args, LDOUBLE);
else
fvalue = va_arg(args, double);
- fmtfp(sbuffer, buffer, &currlen, maxlen,
- fvalue, min, max, flags);
+ if (!fmtfp(sbuffer, buffer, &currlen, maxlen, fvalue, min, max,
+ flags))
+ return 0;
break;
case 'E':
flags |= DP_F_UP;
@@ -361,8 +365,9 @@ _dopr(
fvalue = va_arg(args, double);
break;
case 'c':
- doapr_outch(sbuffer, buffer, &currlen, maxlen,
- va_arg(args, int));
+ if(!doapr_outch(sbuffer, buffer, &currlen, maxlen,
+ va_arg(args, int)))
+ return 0;
break;
case 's':
strvalue = va_arg(args, char *);
@@ -372,13 +377,15 @@ _dopr(
else
max = *maxlen;
}
- fmtstr(sbuffer, buffer, &currlen, maxlen, strvalue,
- flags, min, max);
+ if (!fmtstr(sbuffer, buffer, &currlen, maxlen, strvalue,
+ flags, min, max))
+ return 0;
break;
case 'p':
value = (long)va_arg(args, void *);
- fmtint(sbuffer, buffer, &currlen, maxlen,
- value, 16, min, max, flags|DP_F_NUM);
+ if (!fmtint(sbuffer, buffer, &currlen, maxlen,
+ value, 16, min, max, flags | DP_F_NUM))
+ return 0;
break;
case 'n': /* XXX */
if (cflags == DP_C_SHORT) {
@@ -400,7 +407,8 @@ _dopr(
}
break;
case '%':
- doapr_outch(sbuffer, buffer, &currlen, maxlen, ch);
+ if(!doapr_outch(sbuffer, buffer, &currlen, maxlen, ch))
+ return 0;
break;
case 'w':
/* not supported yet, treat as next char */
@@ -424,12 +432,13 @@ _dopr(
*truncated = (currlen > *maxlen - 1);
if (*truncated)
currlen = *maxlen - 1;
- doapr_outch(sbuffer, buffer, &currlen, maxlen, '\0');
+ if(!doapr_outch(sbuffer, buffer, &currlen, maxlen, '\0'))
+ return 0;
*retlen = currlen - 1;
- return;
+ return 1;
}
-static void
+static int
fmtstr(
char **sbuffer,
char **buffer,
@@ -440,36 +449,44 @@ fmtstr(
int min,
int max)
{
- int padlen, strln;
+ int padlen;
+ size_t strln;
int cnt = 0;
if (value == 0)
value = "<NULL>";
- for (strln = 0; value[strln]; ++strln)
- ;
+
+ strln = strlen(value);
+ if (strln > INT_MAX)
+ strln = INT_MAX;
+
padlen = min - strln;
- if (padlen < 0)
+ if (min < 0 || padlen < 0)
padlen = 0;
if (flags & DP_F_MINUS)
padlen = -padlen;
while ((padlen > 0) && (cnt < max)) {
- doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
+ if(!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
+ return 0;
--padlen;
++cnt;
}
while (*value && (cnt < max)) {
- doapr_outch(sbuffer, buffer, currlen, maxlen, *value++);
+ if(!doapr_outch(sbuffer, buffer, currlen, maxlen, *value++))
+ return 0;
++cnt;
}
while ((padlen < 0) && (cnt < max)) {
- doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
+ if(!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
+ return 0;
++padlen;
++cnt;
}
+ return 1;
}
-static void
+static int
fmtint(
char **sbuffer,
char **buffer,
@@ -533,37 +550,44 @@ fmtint(
/* spaces */
while (spadlen > 0) {
- doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
+ if(!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
+ return 0;
--spadlen;
}
/* sign */
if (signvalue)
- doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue);
+ if(!doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue))
+ return 0;
/* prefix */
while (*prefix) {
- doapr_outch(sbuffer, buffer, currlen, maxlen, *prefix);
+ if(!doapr_outch(sbuffer, buffer, currlen, maxlen, *prefix))
+ return 0;
prefix++;
}
/* zeros */
if (zpadlen > 0) {
while (zpadlen > 0) {
- doapr_outch(sbuffer, buffer, currlen, maxlen, '0');
+ if(!doapr_outch(sbuffer, buffer, currlen, maxlen, '0'))
+ return 0;
--zpadlen;
}
}
/* digits */
- while (place > 0)
- doapr_outch(sbuffer, buffer, currlen, maxlen, convert[--place]);
+ while (place > 0) {
+ if (!doapr_outch(sbuffer, buffer, currlen, maxlen, convert[--place]))
+ return 0;
+ }
/* left justified spaces */
while (spadlen < 0) {
- doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
+ if (!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
+ return 0;
++spadlen;
}
- return;
+ return 1;
}
static LDOUBLE
@@ -597,7 +621,7 @@ roundv(LDOUBLE value)
return intpart;
}
-static void
+static int
fmtfp(
char **sbuffer,
char **buffer,
@@ -616,7 +640,6 @@ fmtfp(
int fplace = 0;
int padlen = 0;
int zpadlen = 0;
- int caps = 0;
long intpart;
long fracpart;
long max10;
@@ -650,9 +673,7 @@ fmtfp(
/* convert integer part */
do {
- iconvert[iplace++] =
- (caps ? "0123456789ABCDEF"
- : "0123456789abcdef")[intpart % 10];
+ iconvert[iplace++] = "0123456789"[intpart % 10];
intpart = (intpart / 10);
} while (intpart && (iplace < (int)sizeof(iconvert)));
if (iplace == sizeof iconvert)
@@ -661,9 +682,7 @@ fmtfp(
/* convert fractional part */
do {
- fconvert[fplace++] =
- (caps ? "0123456789ABCDEF"
- : "0123456789abcdef")[fracpart % 10];
+ fconvert[fplace++] = "0123456789"[fracpart % 10];
fracpart = (fracpart / 10);
} while (fplace < max);
if (fplace == sizeof fconvert)
@@ -682,47 +701,61 @@ fmtfp(
if ((flags & DP_F_ZERO) && (padlen > 0)) {
if (signvalue) {
- doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue);
+ if (!doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue))
+ return 0;
--padlen;
signvalue = 0;
}
while (padlen > 0) {
- doapr_outch(sbuffer, buffer, currlen, maxlen, '0');
+ if (!doapr_outch(sbuffer, buffer, currlen, maxlen, '0'))
+ return 0;
--padlen;
}
}
while (padlen > 0) {
- doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
+ if (!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
+ return 0;
--padlen;
}
- if (signvalue)
- doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue);
+ if (signvalue && !doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue))
+ return 0;
- while (iplace > 0)
- doapr_outch(sbuffer, buffer, currlen, maxlen, iconvert[--iplace]);
+ while (iplace > 0) {
+ if (!doapr_outch(sbuffer, buffer, currlen, maxlen, iconvert[--iplace]))
+ return 0;
+ }
/*
* Decimal point. This should probably use locale to find the correct
* char to print out.
*/
if (max > 0 || (flags & DP_F_NUM)) {
- doapr_outch(sbuffer, buffer, currlen, maxlen, '.');
+ if (!doapr_outch(sbuffer, buffer, currlen, maxlen, '.'))
+ return 0;
- while (fplace > 0)
- doapr_outch(sbuffer, buffer, currlen, maxlen, fconvert[--fplace]);
+ while (fplace > 0) {
+ if(!doapr_outch(sbuffer, buffer, currlen, maxlen,
+ fconvert[--fplace]))
+ return 0;
+ }
}
while (zpadlen > 0) {
- doapr_outch(sbuffer, buffer, currlen, maxlen, '0');
+ if (!doapr_outch(sbuffer, buffer, currlen, maxlen, '0'))
+ return 0;
--zpadlen;
}
while (padlen < 0) {
- doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
+ if (!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
+ return 0;
++padlen;
}
+ return 1;
}
-static void
+#define BUFFER_INC 1024
+
+static int
doapr_outch(
char **sbuffer,
char **buffer,
@@ -733,24 +766,30 @@ doapr_outch(
/* If we haven't at least one buffer, someone has doe a big booboo */
assert(*sbuffer != NULL || buffer != NULL);
- if (buffer) {
- while (*currlen >= *maxlen) {
- if (*buffer == NULL) {
- if (*maxlen == 0)
- *maxlen = 1024;
+ /* |currlen| must always be <= |*maxlen| */
+ assert(*currlen <= *maxlen);
+
+ if (buffer && *currlen == *maxlen) {
+ if (*maxlen > INT_MAX - BUFFER_INC)
+ return 0;
+
+ *maxlen += BUFFER_INC;
+ if (*buffer == NULL) {
*buffer = OPENSSL_malloc(*maxlen);
+ if (*buffer == NULL)
+ return 0;
if (*currlen > 0) {
assert(*sbuffer != NULL);
memcpy(*buffer, *sbuffer, *currlen);
}
*sbuffer = NULL;
- } else {
- *maxlen += 1024;
- *buffer = OPENSSL_realloc(*buffer, *maxlen);
- }
+ } else {
+ char *tmpbuf;
+ tmpbuf = OPENSSL_realloc(*buffer, *maxlen);
+ if (tmpbuf == NULL)
+ return 0;
+ *buffer = tmpbuf;
}
- /* What to do if *buffer is NULL? */
- assert(*sbuffer != NULL || *buffer != NULL);
}
if (*currlen < *maxlen) {
@@ -760,7 +799,7 @@ doapr_outch(
(*buffer)[(*currlen)++] = (char)c;
}
- return;
+ return 1;
}
/***************************************************************************/
@@ -792,11 +831,15 @@ int BIO_vprintf (BIO *bio, const char *f
dynbuf = NULL;
CRYPTO_push_info("doapr()");
- _dopr(&hugebufp, &dynbuf, &hugebufsize,
- &retlen, &ignored, format, args);
+ if (!_dopr(&hugebufp, &dynbuf, &hugebufsize, &retlen, &ignored, format,
+ args))
+ {
+ OPENSSL_free(dynbuf);
+ return -1;
+ }
if (dynbuf)
{
- ret=BIO_write(bio, dynbuf, (int)retlen);
+ ret = BIO_write(bio, dynbuf, (int)retlen);
OPENSSL_free(dynbuf);
}
else
@@ -829,7 +872,8 @@ int BIO_vsnprintf(char *buf, size_t n, c
size_t retlen;
int truncated;
- _dopr(&buf, NULL, &n, &retlen, &truncated, format, args);
+ if(!_dopr(&buf, NULL, &n, &retlen, &truncated, format, args))
+ return -1;
if (truncated)
/* In case of truncation, return -1 like traditional snprintf.

20
openssl.spec
View File

@ -23,7 +23,7 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 1.0.1k
Release: 13%{?dist}
Release: 14%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@ -106,6 +106,11 @@ Patch112: openssl-1.0.1e-cve-2015-1792.patch
Patch113: openssl-1.0.1e-cve-2015-3194.patch
Patch114: openssl-1.0.1e-cve-2015-3195.patch
Patch115: openssl-1.0.1k-cve-2015-3196.patch
Patch116: openssl-1.0.1e-cve-2015-3197.patch
Patch117: openssl-1.0.1k-cve-2016-0702.patch
Patch118: openssl-1.0.1e-cve-2016-0705.patch
Patch119: openssl-1.0.1e-cve-2016-0797.patch
Patch120: openssl-1.0.1k-cve-2016-0799.patch
License: OpenSSL
Group: System Environment/Libraries
@ -245,6 +250,11 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
%patch113 -p1 -b .pss-check
%patch114 -p1 -b .combine-leak
%patch115 -p1 -b .psk-identity
%patch116 -p1 -b .ssl2-ciphers
%patch117 -p1 -b .rsa-const
%patch118 -p1 -b .dsa-doublefree
%patch119 -p1 -b .bn-hex
%patch120 -p1 -b .bio-printf
sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h
@ -517,6 +527,14 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
%postun libs -p /sbin/ldconfig
%changelog
* Wed Mar 2 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-14
- fix CVE-2016-0702 - side channel attack on modular exponentiation
- fix CVE-2016-0705 - double-free in DSA private key parsing
- fix CVE-2016-0797 - heap corruption in BN_hex2bn and BN_dec2bn
- fix CVE-2015-3197 - SSLv2 ciphersuite enforcement
- fix CVE-2015-7575 - disallow use of MD5 in TLS1.2
- fix CVE-2016-0799 - memory issues in BIO_*printf functions
* Fri Dec 4 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1k-13
- fix CVE-2015-3194 - certificate verify crash with missing PSS parameter
- fix CVE-2015-3195 - X509_ATTRIBUTE memory leak