From 2c01b19843ae21bfcb7fe006f252b6c241bdb107 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Mr=C3=A1z?=
Date: Wed, 28 May 2008 15:52:21 +0000
Subject: [PATCH] - fix CVE-2008-0891 - server name extension crash (#448492) - fix CVE-2008-1672 - server key exchange message omit crash (#448495)
---
openssl-0.9.8g-cve-2008-0891.patch | 17 +++++++++++++++++
openssl-0.9.8g-cve-2008-1671.patch | 24 ++++++++++++++++++++++++
openssl.spec | 10 +++++++++-
3 files changed, 50 insertions(+), 1 deletion(-)
create mode 100644 openssl-0.9.8g-cve-2008-0891.patch
create mode 100644 openssl-0.9.8g-cve-2008-1671.patch
diff --git a/openssl-0.9.8g-cve-2008-0891.patch b/openssl-0.9.8g-cve-2008-0891.patch
new file mode 100644
index 0000000..eb9d1fd
--- /dev/null
+++ b/openssl-0.9.8g-cve-2008-0891.patch
@@ -0,0 +1,17 @@
+*) Fix double free in TLS server name extensions which could lead to a remote
+crash found by Codenomicon TLS test suite (CVE-2008-0891) [Joe Orton]
+Index: ssl/t1_lib.c
+===================================================================
+RCS file: /e/openssl/cvs/openssl/ssl/t1_lib.c,v
+retrieving revision 1.13.2.8
+diff -u -r1.13.2.8 ssl/t1_lib.c
+--- ssl/t1_lib.c 18 Oct 2007 11:39:11 -0000
++++ ssl/t1_lib.c 18 Mar 2008 12:06:58 -0000
+@@ -381,6 +381,7 @@
+ s->session->tlsext_hostname[len]='\0';
+ if (strlen(s->session->tlsext_hostname) != len) {
+ OPENSSL_free(s->session->tlsext_hostname);
++ s->session->tlsext_hostname = NULL;
+ *al = TLS1_AD_UNRECOGNIZED_NAME;
+ return 0;
+ }
diff --git a/openssl-0.9.8g-cve-2008-1671.patch b/openssl-0.9.8g-cve-2008-1671.patch
new file mode 100644
index 0000000..616271b
--- /dev/null
+++ b/openssl-0.9.8g-cve-2008-1671.patch
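Review bot: The added `s->session->tlsext_hostname = NULL;` in ssl/t1_lib.c carries no comment saying why the pointer has to be cleared. The field stays reachable through `s->session` after `OPENSSL_free`, so a later release of the session would presumably free it a second time, which is the double free the patch header describes. A short comment such as `/* session still owns this field; clear it so session cleanup does not free it again */` would keep that intent visible to whoever next touches this error path. The enclosing function starts and ends outside the hunk, so other paths that free session-owned fields cannot be checked from here.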
@@ -0,0 +1,24 @@
+*) Fix flaw if 'Server Key exchange message' is omitted from a TLS
+Handshake which could lead to a cilent crash as found using the
+Codenomicon TLS test suite (CVE-2008-1672) [Steve Henson, Mark Cox]
+Index: ssl/s3_clnt.c
+===================================================================
+RCS file: /e/openssl/cvs/openssl/ssl/s3_clnt.c,v
+retrieving revision 1.88.2.12
+diff -u -r1.88.2.12 ssl/s3_clnt.c
+--- ssl/s3_clnt.c 3 Nov 2007 13:07:39 -0000
++++ ssl/s3_clnt.c 22 May 2008 09:19:30 -0000
+@@ -2061,6 +2061,13 @@
+ {
+ DH *dh_srvr,*dh_clnt;
+
++ if (s->session->sess_cert == NULL)
++ {
++ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
++ SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
++ goto err;
++ }
++
+ if (s->session->sess_cert->peer_dh_tmp != NULL)
+ dh_srvr=s->session->sess_cert->peer_dh_tmp;
+ else
diff --git a/openssl.spec b/openssl.spec
index 5157aa7..2b783f8 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -22,7 +22,7 @@ Summary: The OpenSSL toolkit Name: openssl Version: 0.9.8g -Release: 8%{?dist} +Release: 9%{?dist} # We remove certain patented algorithms from the openssl source tarball # with the hobble-openssl script which is included below. Source: openssl-%{version}-usa.tar.bz2
@@ -59,6 +59,8 @@ Patch39: openssl-0.9.8g-ipv6-apps.patch # Backported fixes including security fixes Patch50: openssl-0.9.8g-speed-bug.patch Patch51: openssl-0.9.8g-bn-mul-bug.patch +Patch52: openssl-0.9.8g-cve-2008-0891.patch +Patch53: openssl-0.9.8g-cve-2008-1671.patch License: OpenSSL Group: System Environment/Libraries
@@ -124,6 +126,8 @@ from other formats to the formats used by the OpenSSL toolkit. %patch39 -p1 -b .ipv6-apps %patch50 -p1 -b .speed-bug %patch51 -p1 -b .bn-mul-bug +%patch52 -p0 -b .srvname-crash +%patch53 -p0 -b .srv-kex-crash # Modify the various perl scripts to reference perl in the right location. perl util/perlpath.pl `dirname %{__perl}`
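Review bot: The new `if (s->session->sess_cert == NULL)` guard in ssl/s3_clnt.c sits only inside the block that declares `DH *dh_srvr,*dh_clnt;`, so it protects the DH path alone. Any other key-exchange branch of the same function that reads `s->session->sess_cert` would still dereference a NULL pointer when the server omits the message. The rest of the function (the one named by `SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE`) lies outside the hunk, so this cannot be confirmed from here. Each branch that reads `sess_cert` should be checked and given the same guard before its first dereference.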
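Review bot: `Patch53: openssl-0.9.8g-cve-2008-1671.patch` names CVE-2008-1671, while the patch header, the commit subject and the changelog entry all say CVE-2008-1672. Anyone auditing the package for CVE coverage by file name will either miss this fix or attribute it to the wrong identifier. Renaming the file and using `Patch53: openssl-0.9.8g-cve-2008-1672.patch` would keep the file name in step with the advisory.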
@@ -378,6 +382,10 @@ rm -rf $RPM_BUILD_ROOT/%{_bindir}/openssl_fips_fingerprint %postun -p /sbin/ldconfig %changelog +* Wed May 28 2008 Tomas Mraz 0.9.8g-9 +- fix CVE-2008-0891 - server name extension crash (#448492) +- fix CVE-2008-1672 - server key exchange message omit crash (#448495) + * Tue May 27 2008 Tomas Mraz 0.9.8g-8 - super-H arch support - drop workaround for bug 199604 as it should be fixed in gcc-4.3