- new upstream patch release, fixes CVE-2010-0742 (#598738) and

CVE-2010-1633 (#598732)
2010-06-04 14:21:35 +00:00 · 2010-06-04 14:21:35 +00:00 · 1df3ab4d32
parent 354ff9f60c
commit 1df3ab4d32
9 changed files with 446 additions and 578 deletions
--- a/.cvsignore
+++ b/.cvsignore
@ -1 +1 @@
-openssl-1.0.0-usa.tar.bz2
+openssl-1.0.0a-usa.tar.bz2
--- a/openssl-1.0.0-dtls1-backports.patch
+++ b/openssl-1.0.0-dtls1-backports.patch
@ -1,53 +0,0 @@
-diff -up openssl-1.0.0/ssl/d1_lib.c.dtls1 openssl-1.0.0/ssl/d1_lib.c
--- openssl-1.0.0/ssl/d1_lib.c.dtls1	2009-12-08 12:38:17.000000000 +0100
-+++ openssl-1.0.0/ssl/d1_lib.c	2010-04-09 16:29:49.000000000 +0200
-@@ -283,6 +283,16 @@ struct timeval* dtls1_get_timeout(SSL *s
- 		timeleft->tv_usec += 1000000;
- 		}
- 
-+	/* If remaining time is less than 15 ms, set it to 0
-+	 * to prevent issues because of small devergences with
-+	 * socket timeouts.
-+	 */
-+	if (timeleft->tv_sec == 0 && timeleft->tv_usec < 15000)
-+		{
-+		memset(timeleft, 0, sizeof(struct timeval));
-+		}
-+	
-+
- 	return timeleft;
- 	}
- 
-diff -up openssl-1.0.0/ssl/d1_pkt.c.dtls1 openssl-1.0.0/ssl/d1_pkt.c
--- openssl-1.0.0/ssl/d1_pkt.c.dtls1	2009-10-04 18:52:35.000000000 +0200
-+++ openssl-1.0.0/ssl/d1_pkt.c	2010-04-09 16:30:49.000000000 +0200
-@@ -667,14 +667,14 @@ again:
- 	if (rr->length == 0) goto again;
- 
- 	/* If this record is from the next epoch (either HM or ALERT),
-	 * buffer it since it cannot be processed at this time. Records
-	 * from the next epoch are marked as received even though they
-	 * are not processed, so as to prevent any potential resource
-	 * DoS attack */
-+	 * and a handshake is currently in progress, buffer it since it
-+	 * cannot be processed at this time. */
- 	if (is_next_epoch)
- 		{
-		dtls1_record_bitmap_update(s, bitmap);
-		dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num);
-+		if (SSL_in_init(s) || s->in_handshake)
-+			{
-+			dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num);
-+			}
- 		rr->length = 0;
- 		s->packet_length = 0;
- 		goto again;
-@@ -809,7 +809,7 @@ start:
- 		 * buffer the application data for later processing rather
- 		 * than dropping the connection.
- 		 */
-		dtls1_buffer_record(s, &(s->d1->buffered_app_data), 0);
-+		dtls1_buffer_record(s, &(s->d1->buffered_app_data), rr->seq_num);
- 		rr->length = 0;
- 		goto start;
- 		}
--- a/openssl-1.0.0-init-sha256.patch
+++ b/openssl-1.0.0-init-sha256.patch
@ -1,79 +0,0 @@
-diff -up openssl-1.0.0/doc/ssl/SSL_library_init.pod.sha256 openssl-1.0.0/doc/ssl/SSL_library_init.pod
--- openssl-1.0.0/doc/ssl/SSL_library_init.pod.sha256	2006-03-12 01:37:55.000000000 +0100
-+++ openssl-1.0.0/doc/ssl/SSL_library_init.pod	2010-04-09 16:33:11.000000000 +0200
-@@ -15,7 +15,7 @@ SSL_library_init, OpenSSL_add_ssl_algori
- 
- =head1 DESCRIPTION
- 
-SSL_library_init() registers the available ciphers and digests.
-+SSL_library_init() registers the available SSL/TLS ciphers and digests.
- 
- OpenSSL_add_ssl_algorithms() and SSLeay_add_ssl_algorithms() are synonyms
- for SSL_library_init().
-@@ -27,24 +27,28 @@ SSL_library_init() is not reentrant. 
- 
- =head1 WARNING
- 
-SSL_library_init() only registers ciphers. Another important initialization
-is the seeding of the PRNG (Pseudo Random Number Generator), which has to
-be performed separately.
-+SSL_library_init() adds ciphers and digests used directly and indirectly by
-+SSL/TLS.
- 
- =head1 EXAMPLES
- 
- A typical TLS/SSL application will start with the library initialization,
-will provide readable error messages and will seed the PRNG.
-+and provide readable error messages.
- 
-  SSL_load_error_strings();                /* readable error messages */
-  SSL_library_init();                      /* initialize library */
- actions_to_seed_PRNG(); 
- 
- =head1 RETURN VALUES
- 
- SSL_library_init() always returns "1", so it is safe to discard the return
- value.
- 
-+=head1 NOTES
-+
-+OpenSSL 0.9.8o and 1.0.0a and later added SHA2 algorithms to SSL_library_init().
-+Applications which need to use SHA2 in earlier versions of OpenSSL should call
-+OpenSSL_add_all_algorithms() as well.
-+
- =head1 SEE ALSO
- 
- L<ssl(3)|ssl(3)>, L<SSL_load_error_strings(3)|SSL_load_error_strings(3)>,
-diff -up openssl-1.0.0/ssl/ssl_algs.c.sha256 openssl-1.0.0/ssl/ssl_algs.c
--- openssl-1.0.0/ssl/ssl_algs.c.sha256	2010-04-06 12:52:38.000000000 +0200
-+++ openssl-1.0.0/ssl/ssl_algs.c	2010-04-09 16:34:41.000000000 +0200
-@@ -111,6 +111,14 @@ int SSL_library_init(void)
- 	EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
- 	EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
- #endif
-+#ifndef OPENSSL_NO_SHA256
-+	EVP_add_digest(EVP_sha224());
-+	EVP_add_digest(EVP_sha256());
-+#endif
-+#ifndef OPENSSL_NO_SHA512
-+	EVP_add_digest(EVP_sha384());
-+	EVP_add_digest(EVP_sha512());
-+#endif
- #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA)
- 	EVP_add_digest(EVP_dss1()); /* DSA with sha1 */
- 	EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
-@@ -148,6 +156,14 @@ int SSL_library_init(void)
- 	EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
- 	EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
- #endif
-+#ifndef OPENSSL_NO_SHA256
-+	EVP_add_digest(EVP_sha224());
-+	EVP_add_digest(EVP_sha256());
-+#endif
-+#ifndef OPENSSL_NO_SHA512
-+	EVP_add_digest(EVP_sha384());
-+	EVP_add_digest(EVP_sha512());
-+#endif
- #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA)
- 	EVP_add_digest(EVP_dss1()); /* DSA with sha1 */
- 	EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
--- a/openssl-1.0.0-version.patch
+++ b/openssl-1.0.0-version.patch
@ -1,13 +0,0 @@
-diff -up openssl-1.0.0/crypto/opensslv.h.version openssl-1.0.0/crypto/opensslv.h
--- openssl-1.0.0/crypto/opensslv.h.version	2010-03-30 10:59:26.000000000 +0200
-+++ openssl-1.0.0/crypto/opensslv.h	2010-03-30 11:00:52.000000000 +0200
-@@ -25,7 +25,8 @@
-  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
-  *  major minor fix final patch/beta)
-  */
-#define OPENSSL_VERSION_NUMBER	0x1000000fL
-+/* we have to keep the version number to not break the abi */
-+#define OPENSSL_VERSION_NUMBER	0x10000003L
- #ifdef OPENSSL_FIPS
- #define OPENSSL_VERSION_TEXT	"OpenSSL 1.0.0-fips 29 Mar 2010"
- #else
--- a/openssl-1.0.0a-fips.patch
+++ b/openssl-1.0.0a-fips.patch
--- a/openssl-1.0.0-beta3-fipsmode.patch
+++ b/openssl-1.0.0-beta3-fipsmode.patch
@ -1,6 +1,6 @@
-diff -up openssl-1.0.0-beta3/crypto/engine/eng_all.c.fipsmode openssl-1.0.0-beta3/crypto/engine/eng_all.c
--- openssl-1.0.0-beta3/crypto/engine/eng_all.c.fipsmode	2009-07-01 16:55:58.000000000 +0200
-+++ openssl-1.0.0-beta3/crypto/engine/eng_all.c	2009-08-11 17:37:16.000000000 +0200
+diff -up openssl-1.0.0a/crypto/engine/eng_all.c.fipsmode openssl-1.0.0a/crypto/engine/eng_all.c
+--- openssl-1.0.0a/crypto/engine/eng_all.c.fipsmode	2009-07-01 16:55:58.000000000 +0200
+++ openssl-1.0.0a/crypto/engine/eng_all.c	2010-06-04 13:32:13.000000000 +0200
@@ -58,9 +58,23 @@
 
 #include "cryptlib.h"
@ -25,9 +25,9 @@ diff -up openssl-1.0.0-beta3/crypto/engine/eng_all.c.fipsmode openssl-1.0.0-beta
 #if 0
 	/* There's no longer any need for an "openssl" ENGINE unless, one day,
 	 * it is the *only* way for standard builtin implementations to be be
-diff -up openssl-1.0.0-beta3/crypto/evp/c_allc.c.fipsmode openssl-1.0.0-beta3/crypto/evp/c_allc.c
--- openssl-1.0.0-beta3/crypto/evp/c_allc.c.fipsmode	2007-04-24 01:48:28.000000000 +0200
-+++ openssl-1.0.0-beta3/crypto/evp/c_allc.c	2009-08-11 17:42:34.000000000 +0200
+diff -up openssl-1.0.0a/crypto/evp/c_allc.c.fipsmode openssl-1.0.0a/crypto/evp/c_allc.c
+--- openssl-1.0.0a/crypto/evp/c_allc.c.fipsmode	2009-12-25 15:12:24.000000000 +0100
+++ openssl-1.0.0a/crypto/evp/c_allc.c	2010-06-04 13:32:13.000000000 +0200
@@ -65,6 +65,11 @@
 void OpenSSL_add_all_ciphers(void)
 	{
@ -40,7 +40,7 @@ diff -up openssl-1.0.0-beta3/crypto/evp/c_allc.c.fipsmode openssl-1.0.0-beta3/cr
 #ifndef OPENSSL_NO_DES
 	EVP_add_cipher(EVP_des_cfb());
 	EVP_add_cipher(EVP_des_cfb1());
-@@ -219,4 +224,61 @@ void OpenSSL_add_all_ciphers(void)
+@@ -221,4 +226,61 @@ void OpenSSL_add_all_ciphers(void)
 	EVP_add_cipher_alias(SN_camellia_256_cbc,"CAMELLIA256");
 	EVP_add_cipher_alias(SN_camellia_256_cbc,"camellia256");
 #endif
@ -102,9 +102,9 @@ diff -up openssl-1.0.0-beta3/crypto/evp/c_allc.c.fipsmode openssl-1.0.0-beta3/cr
 +		}
 +#endif
 	}
-diff -up openssl-1.0.0-beta3/crypto/evp/c_alld.c.fipsmode openssl-1.0.0-beta3/crypto/evp/c_alld.c
--- openssl-1.0.0-beta3/crypto/evp/c_alld.c.fipsmode	2009-07-08 10:50:53.000000000 +0200
-+++ openssl-1.0.0-beta3/crypto/evp/c_alld.c	2009-08-11 17:54:08.000000000 +0200
+diff -up openssl-1.0.0a/crypto/evp/c_alld.c.fipsmode openssl-1.0.0a/crypto/evp/c_alld.c
+--- openssl-1.0.0a/crypto/evp/c_alld.c.fipsmode	2009-07-08 10:50:53.000000000 +0200
+++ openssl-1.0.0a/crypto/evp/c_alld.c	2010-06-04 13:32:13.000000000 +0200
@@ -64,6 +64,11 @@
 
 void OpenSSL_add_all_digests(void)
@ -117,11 +117,10 @@ diff -up openssl-1.0.0-beta3/crypto/evp/c_alld.c.fipsmode openssl-1.0.0-beta3/cr
 #ifndef OPENSSL_NO_MD4
 	EVP_add_digest(EVP_md4());
 #endif
-@@ -110,5 +115,33 @@ void OpenSSL_add_all_digests(void)
- #endif
+@@ -111,4 +116,32 @@ void OpenSSL_add_all_digests(void)
 #ifndef OPENSSL_NO_WHIRLPOOL
 	EVP_add_digest(EVP_whirlpool());
-+#endif
+ #endif
 +#ifdef OPENSSL_FIPS
 +		}
 +	else
@ -149,11 +148,11 @@ diff -up openssl-1.0.0-beta3/crypto/evp/c_alld.c.fipsmode openssl-1.0.0-beta3/cr
 +	EVP_add_digest(EVP_sha512());
 +#endif
 +		}
- #endif
+#endif
 	}
-diff -up openssl-1.0.0-beta3/crypto/o_init.c.fipsmode openssl-1.0.0-beta3/crypto/o_init.c
--- openssl-1.0.0-beta3/crypto/o_init.c.fipsmode	2009-08-11 17:28:25.000000000 +0200
-+++ openssl-1.0.0-beta3/crypto/o_init.c	2009-08-11 17:39:06.000000000 +0200
+diff -up openssl-1.0.0a/crypto/o_init.c.fipsmode openssl-1.0.0a/crypto/o_init.c
+--- openssl-1.0.0a/crypto/o_init.c.fipsmode	2010-06-04 13:32:13.000000000 +0200
+++ openssl-1.0.0a/crypto/o_init.c	2010-06-04 13:32:13.000000000 +0200
@@ -59,6 +59,43 @@
 #include <e_os.h>
 #include <openssl/err.h>
@ -206,9 +205,9 @@ diff -up openssl-1.0.0-beta3/crypto/o_init.c.fipsmode openssl-1.0.0-beta3/crypto
 		done = 1;
 		}
 #endif
-diff -up openssl-1.0.0-beta3/ssl/ssl_algs.c.fipsmode openssl-1.0.0-beta3/ssl/ssl_algs.c
--- openssl-1.0.0-beta3/ssl/ssl_algs.c.fipsmode	2009-07-08 10:50:53.000000000 +0200
-+++ openssl-1.0.0-beta3/ssl/ssl_algs.c	2009-08-11 18:01:13.000000000 +0200
+diff -up openssl-1.0.0a/ssl/ssl_algs.c.fipsmode openssl-1.0.0a/ssl/ssl_algs.c
+--- openssl-1.0.0a/ssl/ssl_algs.c.fipsmode	2010-04-07 15:18:30.000000000 +0200
+++ openssl-1.0.0a/ssl/ssl_algs.c	2010-06-04 13:32:48.000000000 +0200
@@ -64,6 +64,12 @@
 int SSL_library_init(void)
 	{
@ -222,7 +221,7 @@ diff -up openssl-1.0.0-beta3/ssl/ssl_algs.c.fipsmode openssl-1.0.0-beta3/ssl/ssl
 #ifndef OPENSSL_NO_DES
 	EVP_add_cipher(EVP_des_cbc());
 	EVP_add_cipher(EVP_des_ede3_cbc());
-@@ -115,6 +121,40 @@ int SSL_library_init(void)
+@@ -127,6 +133,48 @@ int SSL_library_init(void)
 	EVP_add_digest(EVP_sha());
 	EVP_add_digest(EVP_dss());
 #endif
@ -249,6 +248,14 @@ diff -up openssl-1.0.0-beta3/ssl/ssl_algs.c.fipsmode openssl-1.0.0-beta3/ssl/ssl
 +	EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
 +	EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
 +#endif
+#ifndef OPENSSL_NO_SHA256
+	EVP_add_digest(EVP_sha224());
+	EVP_add_digest(EVP_sha256());
+#endif
+#ifndef OPENSSL_NO_SHA512
+	EVP_add_digest(EVP_sha384());
+	EVP_add_digest(EVP_sha512());
+#endif
 +#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA)
 +	EVP_add_digest(EVP_dss1()); /* DSA with sha1 */
 +	EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
--- a/openssl-1.0.0a-version.patch
+++ b/openssl-1.0.0a-version.patch
@ -0,0 +1,13 @@
+diff -up openssl-1.0.0a/crypto/opensslv.h.version openssl-1.0.0a/crypto/opensslv.h
+--- openssl-1.0.0a/crypto/opensslv.h.version	2010-06-04 13:28:52.000000000 +0200
+++ openssl-1.0.0a/crypto/opensslv.h	2010-06-04 13:29:42.000000000 +0200
+@@ -25,7 +25,8 @@
+  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
+  *  major minor fix final patch/beta)
+  */
+-#define OPENSSL_VERSION_NUMBER	0x1000001fL
+/* we have to keep the version number to not break the abi */
+#define OPENSSL_VERSION_NUMBER	0x10000003L
+ #ifdef OPENSSL_FIPS
+ #define OPENSSL_VERSION_TEXT	"OpenSSL 1.0.0a-fips 1 Jun 2010"
+ #else
--- a/openssl.spec
+++ b/openssl.spec
@ -20,8 +20,8 @@

 Summary: A general purpose cryptography library with TLS implementation
 Name: openssl
-Version: 1.0.0
-Release: 4%{?dist}
+Version: 1.0.0a
+Release: 1%{?dist}
 # We remove certain patented algorithms from the openssl source tarball
 # with the hobble-openssl script which is included below.
 Source: openssl-%{version}-usa.tar.bz2
@ -50,20 +50,18 @@ Patch34: openssl-0.9.6-x509.patch
 Patch35: openssl-0.9.8j-version-add-engines.patch
 Patch38: openssl-1.0.0-beta5-cipher-change.patch
 Patch39: openssl-1.0.0-beta5-ipv6-apps.patch
-Patch40: openssl-1.0.0-fips.patch
+Patch40: openssl-1.0.0a-fips.patch
 Patch41: openssl-1.0.0-beta3-fipscheck.patch
-Patch43: openssl-1.0.0-beta3-fipsmode.patch
+Patch43: openssl-1.0.0a-fipsmode.patch
 Patch44: openssl-1.0.0-beta3-fipsrng.patch
 Patch45: openssl-0.9.8j-env-nozlib.patch
 Patch47: openssl-1.0.0-beta5-readme-warning.patch
 Patch49: openssl-1.0.0-beta4-algo-doc.patch
 Patch50: openssl-1.0.0-beta4-dtls1-abi.patch
-Patch51: openssl-1.0.0-version.patch
+Patch51: openssl-1.0.0a-version.patch
 Patch52: openssl-1.0.0-beta4-aesni.patch
 Patch53: openssl-1.0.0-name-hash.patch
 # Backported fixes including security fixes
-Patch60: openssl-1.0.0-dtls1-backports.patch
-Patch61: openssl-1.0.0-init-sha256.patch

 License: OpenSSL
 Group: System Environment/Libraries
@ -145,8 +143,6 @@ from other formats to the formats used by the OpenSSL toolkit.
 %patch52 -p1 -b .aesni
 %patch53 -p1 -b .name-hash

-%patch60 -p1 -b .dtls1
-%patch61 -p1 -b .sha256
 # Modify the various perl scripts to reference perl in the right location.
 perl util/perlpath.pl `dirname %{__perl}`

@ -299,16 +295,6 @@ mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/newcerts
 # mulitlib conflicts and unnecessary renames on upgrade
 touch -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf

-# Fix libdir.
-pushd $RPM_BUILD_ROOT/%{_libdir}/pkgconfig
-for i in *.pc ; do
-	sed 's,^libdir=${exec_prefix}/lib,libdir=${exec_prefix}/%{_lib},g' \
-		$i >$i.tmp && \
-	cat $i.tmp >$i && \
-	rm -f $i.tmp
-done
-popd
-
 # Determine which arch opensslconf.h is going to try to #include.
 basearch=%{_arch}
 %ifarch %{ix86}
@ -397,6 +383,13 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 %postun -p /sbin/ldconfig

 %changelog
+* Fri Jun  4 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0a-1
+- new upstream patch release, fixes CVE-2010-0742 (#598738)
+  and CVE-2010-1633 (#598732)
+
+* Wed May 19 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0-5
+- pkgconfig files now contain the correct libdir (#593723)
+
 * Tue May 18 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0-4
 - make CA dir readable - the private keys are in private subdir (#584810)
 - do not move the libcrypto to /lib in the F12 package
--- a/2
+++ b/2
@ -1 +1 @@
-f1d0d73327d74b302f503763bddf1cf8  openssl-1.0.0-usa.tar.bz2
+36a9936e1791566b205daa7cb4bea074  openssl-1.0.0a-usa.tar.bz2