- fix CVE-2007-5135 - off-by-one in SSL_get_shared_ciphers (#309801)

- fix CVE-2007-4995 - out of order DTLS fragments buffer overflow (#321191) - add alpha sub-archs (#296031)
2007-10-12 12:17:08 +00:00 · 2007-10-12 12:17:08 +00:00 · 873b8d554b
commit 873b8d554b
parent 65e6d90529
4 changed files with 1479 additions and 3 deletions
--- a/openssl-0.9.8b-cve-2007-3108.patch
+++ b/openssl-0.9.8b-cve-2007-3108.patch
@ -336,7 +336,7 @@ diff -up openssl-0.9.8b/crypto/bn/bn_mont.c.no-branch openssl-0.9.8b/crypto/bn/b
 
 	r->neg=a->neg^n->neg;
 	np=n->d;
-@@ -228,37 +228,56 @@ int BN_from_montgomery(BIGNUM *ret, cons
+@@ -228,37 +228,58 @@ int BN_from_montgomery(BIGNUM *ret, cons
 		}
 	bn_correct_top(r);
 	
@ -413,10 +413,12 @@ diff -up openssl-0.9.8b/crypto/bn/bn_mont.c.no-branch openssl-0.9.8b/crypto/bn/b
 -#endif
 +	for (ri+=4; i<ri; i++)
 +		rp[i]=nrp[i], ap[i]=0;
+	bn_correct_top(r);
+	bn_correct_top(ret);
 #else /* !MONT_WORD */ 
 	BIGNUM *t1,*t2;
 
-@@ -276,12 +295,12 @@ int BN_from_montgomery(BIGNUM *ret, cons
+@@ -276,12 +297,12 @@ int BN_from_montgomery(BIGNUM *ret, cons
 	if (!BN_mul(t1,t2,&mont->N,ctx)) goto err;
 	if (!BN_add(t2,a,t1)) goto err;
 	if (!BN_rshift(ret,t2,mont->ri)) goto err;
--- a/openssl-0.9.8b-cve-2007-4995.patch
+++ b/openssl-0.9.8b-cve-2007-4995.patch
--- a/openssl-0.9.8b-cve-2007-5135.patch
+++ b/openssl-0.9.8b-cve-2007-5135.patch
@ -0,0 +1,45 @@
+Possible one byte buffer overflow in SSL_get_shared_ciphers.
+CVE-2007-5135
+diff -up openssl-0.9.8b/ssl/ssl_lib.c.orig openssl-0.9.8b/ssl/ssl_lib.c
+--- openssl-0.9.8b/ssl/ssl_lib.c.orig	2007-10-08 10:20:42.000000000 +0200
+++ openssl-0.9.8b/ssl/ssl_lib.c	2007-10-08 17:32:29.000000000 +0200
+@@ -1201,7 +1201,6 @@ int SSL_set_cipher_list(SSL *s,const cha
+ char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len)
+ 	{
+ 	char *p;
+-	const char *cp;
+ 	STACK_OF(SSL_CIPHER) *sk;
+ 	SSL_CIPHER *c;
+ 	int i;
+@@ -1214,20 +1213,21 @@ char *SSL_get_shared_ciphers(const SSL *
+ 	sk=s->session->ciphers;
+ 	for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
+ 		{
+-		/* Decrement for either the ':' or a '\0' */
+-		len--;
+		int n;
+
+ 		c=sk_SSL_CIPHER_value(sk,i);
+-		for (cp=c->name; *cp; )
+		n=strlen(c->name);
+		if (n+1 > len)
+ 			{
+-			if (len-- <= 0)
+-				{
+-				*p='\0';
+-				return(buf);
+-				}
+-			else
+-				*(p++)= *(cp++);
+			if (p != buf)
+				--p;
+			*p='\0';
+			return buf;
+ 			}
+		strcpy(p,c->name);
+		p+=n;
+ 		*(p++)=':';
+		len-=n+1;
+ 		}
+ 	p[-1]='\0';
+ 	return(buf);
--- a/openssl.spec
+++ b/openssl.spec
@ -21,7 +21,7 @@
 Summary: The OpenSSL toolkit
 Name: openssl
 Version: 0.9.8b
-Release: 15%{?dist}
+Release: 16%{?dist}
 Source: openssl-%{version}-usa.tar.bz2
 Source1: hobble-openssl
 Source2: Makefile.certificate