Multiple security issues fixed
- fix CVE-2015-3194 - certificate verify crash with missing PSS parameter - fix CVE-2015-3195 - X509_ATTRIBUTE memory leak - fix CVE-2015-3196 - race condition when handling PSK identity hint - filter out unwanted link options from the .pc files (#1257836)
This commit is contained in:
Tomas Mraz
parent
1c2ab61fa1
commit
85a2d8a93c
|
|
@ -0,0 +1,12 @@
|
|||
diff -up openssl-1.0.1e/crypto/rsa/rsa_ameth.c.pss-check openssl-1.0.1e/crypto/rsa/rsa_ameth.c
|
||||
--- openssl-1.0.1e/crypto/rsa/rsa_ameth.c.pss-check 2013-02-11 16:26:04.000000000 +0100
|
||||
+++ openssl-1.0.1e/crypto/rsa/rsa_ameth.c 2015-12-04 09:03:18.300660817 +0100
|
||||
@@ -287,7 +287,7 @@ static RSA_PSS_PARAMS *rsa_pss_decode(co
|
||||
{
|
||||
ASN1_TYPE *param = pss->maskGenAlgorithm->parameter;
|
||||
if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) == NID_mgf1
|
||||
- && param->type == V_ASN1_SEQUENCE)
|
||||
+ && param && param->type == V_ASN1_SEQUENCE)
|
||||
{
|
||||
p = param->value.sequence->data;
|
||||
plen = param->value.sequence->length;
|
||||
|
|
@ -0,0 +1,31 @@
|
|||
diff -up openssl-1.0.1e/crypto/asn1/tasn_dec.c.combine-leak openssl-1.0.1e/crypto/asn1/tasn_dec.c
|
||||
--- openssl-1.0.1e/crypto/asn1/tasn_dec.c.combine-leak 2015-12-04 09:01:53.000000000 +0100
|
||||
+++ openssl-1.0.1e/crypto/asn1/tasn_dec.c 2015-12-04 09:09:30.629793475 +0100
|
||||
@@ -169,6 +169,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval,
|
||||
int otag;
|
||||
int ret = 0;
|
||||
ASN1_VALUE **pchptr, *ptmpval;
|
||||
+ int combine = aclass & ASN1_TFLG_COMBINE;
|
||||
+ aclass &= ~ASN1_TFLG_COMBINE;
|
||||
if (!pval)
|
||||
return 0;
|
||||
if (aux && aux->asn1_cb)
|
||||
@@ -539,7 +541,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval,
|
||||
auxerr:
|
||||
ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR);
|
||||
err:
|
||||
- ASN1_item_ex_free(pval, it);
|
||||
+ if (combine == 0)
|
||||
+ ASN1_item_ex_free(pval, it);
|
||||
if (errtt)
|
||||
ERR_add_error_data(4, "Field=", errtt->field_name,
|
||||
", Type=", it->sname);
|
||||
@@ -767,7 +770,7 @@ static int asn1_template_noexp_d2i(ASN1_
|
||||
{
|
||||
/* Nothing special */
|
||||
ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
|
||||
- -1, 0, opt, ctx);
|
||||
+ -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx);
|
||||
if (!ret)
|
||||
{
|
||||
ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I,
|
||||
|
|
@ -0,0 +1,52 @@
|
|||
diff -up openssl-1.0.1k/ssl/s3_clnt.c.psk-identity openssl-1.0.1k/ssl/s3_clnt.c
|
||||
--- openssl-1.0.1k/ssl/s3_clnt.c.psk-identity 2015-12-04 16:25:45.606213013 +0100
|
||||
+++ openssl-1.0.1k/ssl/s3_clnt.c 2015-12-04 16:29:58.083945750 +0100
|
||||
@@ -1360,8 +1360,6 @@ int ssl3_get_key_exchange(SSL *s)
|
||||
#ifndef OPENSSL_NO_PSK
|
||||
if (alg_k & SSL_kPSK)
|
||||
{
|
||||
- char tmp_id_hint[PSK_MAX_IDENTITY_LEN+1];
|
||||
-
|
||||
param_len = 2;
|
||||
if (param_len > n)
|
||||
{
|
||||
@@ -1390,16 +1388,8 @@ int ssl3_get_key_exchange(SSL *s)
|
||||
}
|
||||
param_len += i;
|
||||
|
||||
- /* If received PSK identity hint contains NULL
|
||||
- * characters, the hint is truncated from the first
|
||||
- * NULL. p may not be ending with NULL, so create a
|
||||
- * NULL-terminated string. */
|
||||
- memcpy(tmp_id_hint, p, i);
|
||||
- memset(tmp_id_hint+i, 0, PSK_MAX_IDENTITY_LEN+1-i);
|
||||
- if (s->ctx->psk_identity_hint != NULL)
|
||||
- OPENSSL_free(s->ctx->psk_identity_hint);
|
||||
- s->ctx->psk_identity_hint = BUF_strdup(tmp_id_hint);
|
||||
- if (s->ctx->psk_identity_hint == NULL)
|
||||
+ s->session->psk_identity_hint = BUF_strndup((char *)p, i);
|
||||
+ if (s->session->psk_identity_hint == NULL)
|
||||
{
|
||||
al=SSL_AD_HANDSHAKE_FAILURE;
|
||||
SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
|
||||
@@ -3008,7 +2998,7 @@ int ssl3_send_client_key_exchange(SSL *s
|
||||
}
|
||||
|
||||
memset(identity, 0, sizeof(identity));
|
||||
- psk_len = s->psk_client_callback(s, s->ctx->psk_identity_hint,
|
||||
+ psk_len = s->psk_client_callback(s, s->session->psk_identity_hint,
|
||||
identity, sizeof(identity) - 1,
|
||||
psk_or_pre_ms, sizeof(psk_or_pre_ms));
|
||||
if (psk_len > PSK_MAX_PSK_LEN)
|
||||
diff -up openssl-1.0.1k/ssl/s3_srvr.c.psk-identity openssl-1.0.1k/ssl/s3_srvr.c
|
||||
--- openssl-1.0.1k/ssl/s3_srvr.c.psk-identity 2015-01-08 15:02:09.000000000 +0100
|
||||
+++ openssl-1.0.1k/ssl/s3_srvr.c 2015-12-04 16:25:45.606213013 +0100
|
||||
@@ -2816,7 +2816,7 @@ int ssl3_get_client_key_exchange(SSL *s)
|
||||
|
||||
if (s->session->psk_identity != NULL)
|
||||
OPENSSL_free(s->session->psk_identity);
|
||||
- s->session->psk_identity = BUF_strdup((char *)p);
|
||||
+ s->session->psk_identity = BUF_strndup((char *)p, i);
|
||||
if (s->session->psk_identity == NULL)
|
||||
{
|
||||
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
|
||||
19
openssl.spec
19
openssl.spec
|
|
@ -23,7 +23,7 @@
|
|||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||
Name: openssl
|
||||
Version: 1.0.1k
|
||||
Release: 12%{?dist}
|
||||
Release: 13%{?dist}
|
||||
Epoch: 1
|
||||
# We have to remove certain patented algorithms from the openssl source
|
||||
# tarball with the hobble-openssl script which is included below.
|
||||
|
|
@ -103,6 +103,9 @@ Patch109: openssl-1.0.1e-cve-2015-1789.patch
|
|||
Patch110: openssl-1.0.1e-cve-2015-1790.patch
|
||||
Patch111: openssl-1.0.1k-cve-2015-1791.patch
|
||||
Patch112: openssl-1.0.1e-cve-2015-1792.patch
|
||||
Patch113: openssl-1.0.1e-cve-2015-3194.patch
|
||||
Patch114: openssl-1.0.1e-cve-2015-3195.patch
|
||||
Patch115: openssl-1.0.1k-cve-2015-3196.patch
|
||||
|
||||
License: OpenSSL
|
||||
Group: System Environment/Libraries
|
||||
|
|
@ -239,6 +242,9 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
|
|||
%patch110 -p1 -b .missing-content
|
||||
%patch111 -p1 -b .ticket-race
|
||||
%patch112 -p1 -b .unknown-hash
|
||||
%patch113 -p1 -b .pss-check
|
||||
%patch114 -p1 -b .combine-leak
|
||||
%patch115 -p1 -b .psk-identity
|
||||
|
||||
sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h
|
||||
|
||||
|
|
@ -315,6 +321,11 @@ make rehash
|
|||
# Overwrite FIPS README
|
||||
cp -f %{SOURCE11} .
|
||||
|
||||
# Clean up the .pc files
|
||||
for i in libcrypto.pc libssl.pc openssl.pc ; do
|
||||
sed -i '/^Libs.private:/{s/-L[^ ]* //;s/-Wl[^ ]* //}' $i
|
||||
done
|
||||
|
||||
%check
|
||||
# Verify that what was compiled actually works.
|
||||
|
||||
|
|
@ -506,6 +517,12 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
|
|||
%postun libs -p /sbin/ldconfig
|
||||
|
||||
%changelog
|
||||
* Fri Dec 4 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1k-13
|
||||
- fix CVE-2015-3194 - certificate verify crash with missing PSS parameter
|
||||
- fix CVE-2015-3195 - X509_ATTRIBUTE memory leak
|
||||
- fix CVE-2015-3196 - race condition when handling PSK identity hint
|
||||
- filter out unwanted link options from the .pc files (#1257836)
|
||||
|
||||
* Thu Aug 13 2015 Tom Callaway <spot@fedoraproject.org> 1.0.1k-12
|
||||
- enable secp256k1 (bz1021898)
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue