gnu: openssl: Fixes for CVE-2010-5298 and extension checking.

* gnu/packages/patches/openssl-CVE-2010-5298.patch: New file.
* gnu/packages/patches/openssl-extension-checking-fixes.patch: New file.
* gnu/packages/openssl.scm (openssl): Add them.
* gnu-system.am (dist_patch_DATA): Add them.
This commit is contained in:
Mark H Weaver 2014-04-21 10:04:17 -04:00
parent 6ef3644e34
commit 0815f8f9a2
4 changed files with 74 additions and 1 deletions

View File

@ -315,6 +315,8 @@ dist_patch_DATA = \
gnu/packages/patches/mcron-install.patch \
gnu/packages/patches/mit-krb5-init-fix.patch \
gnu/packages/patches/mpc123-initialize-ao.patch \
gnu/packages/patches/openssl-CVE-2010-5298.patch \
gnu/packages/patches/openssl-extension-checking-fixes.patch \
gnu/packages/patches/patchelf-page-size.patch \
gnu/packages/patches/patchutils-xfail-gendiff-tests.patch \
gnu/packages/patches/perl-no-sys-dirs.patch \

View File

@ -1,5 +1,6 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2013 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2014 Mark H Weaver <mhw@netris.org>
;;;
;;; This file is part of GNU Guix.
;;;
@ -34,7 +35,10 @@
".tar.gz"))
(sha256
(base32
"0a70qdqccg16nw4bbawa6pjvzn05vfp5wkwg6jl0grch7f683jsk"))))
"0a70qdqccg16nw4bbawa6pjvzn05vfp5wkwg6jl0grch7f683jsk"))
(patches
(list (search-patch "openssl-CVE-2010-5298.patch")
(search-patch "openssl-extension-checking-fixes.patch")))))
(build-system gnu-build-system)
(native-inputs `(("perl" ,perl)))
(arguments

View File

@ -0,0 +1,27 @@
From db978be7388852059cf54e42539a363d549c5bfd Mon Sep 17 00:00:00 2001
From: Kurt Roeckx <kurt@roeckx.be>
Date: Sun, 13 Apr 2014 15:05:30 +0200
Subject: [PATCH] Don't release the buffer when there still is data in it
RT: 2167, 3265
---
ssl/s3_pkt.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index b9e45c7..32e9207 100644
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -1055,7 +1055,8 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
{
s->rstate=SSL_ST_READ_HEADER;
rr->off=0;
- if (s->mode & SSL_MODE_RELEASE_BUFFERS)
+ if (s->mode & SSL_MODE_RELEASE_BUFFERS &&
+ s->s3->rbuf.left == 0)
ssl3_release_read_buffer(s);
}
}
--
1.9.1

View File

@ -0,0 +1,40 @@
From 300b9f0b704048f60776881f1d378c74d9c32fbd Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Tue, 15 Apr 2014 18:48:54 +0100
Subject: [PATCH] Extension checking fixes.
When looking for an extension we need to set the last found
position to -1 to properly search all extensions.
PR#3309.
---
crypto/x509v3/v3_purp.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index 6c40c7d..5f931db 100644
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -389,8 +389,8 @@ static void x509v3_cache_extensions(X509 *x)
/* Handle proxy certificates */
if((pci=X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) {
if (x->ex_flags & EXFLAG_CA
- || X509_get_ext_by_NID(x, NID_subject_alt_name, 0) >= 0
- || X509_get_ext_by_NID(x, NID_issuer_alt_name, 0) >= 0) {
+ || X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >= 0
+ || X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >= 0) {
x->ex_flags |= EXFLAG_INVALID;
}
if (pci->pcPathLengthConstraint) {
@@ -670,7 +670,7 @@ static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x,
return 0;
/* Extended Key Usage MUST be critical */
- i_ext = X509_get_ext_by_NID((X509 *) x, NID_ext_key_usage, 0);
+ i_ext = X509_get_ext_by_NID((X509 *) x, NID_ext_key_usage, -1);
if (i_ext >= 0)
{
X509_EXTENSION *ext = X509_get_ext((X509 *) x, i_ext);
--
1.9.1