- fix CVE-2008-0891 - server name extension crash (#448492)

- fix CVE-2008-1672 - server key exchange message omit crash (#448495)

openssl-0.9.8g-cve-2008-0891.patch

@@ -0,0 +1,17 @@
+*) Fix double free in TLS server name extensions which could lead to a remote
+crash found by Codenomicon TLS test suite (CVE-2008-0891) [Joe Orton]
+Index: ssl/t1_lib.c
+===================================================================
+RCS file: /e/openssl/cvs/openssl/ssl/t1_lib.c,v
+retrieving revision 1.13.2.8
+diff -u -r1.13.2.8 ssl/t1_lib.c
+--- ssl/t1_lib.c 18 Oct 2007 11:39:11 -0000
++++ ssl/t1_lib.c 18 Mar 2008 12:06:58 -0000
+@@ -381,6 +381,7 @@
+ 						s->session->tlsext_hostname[len]='\0';
+ 						if (strlen(s->session->tlsext_hostname) != len) {
+ 							OPENSSL_free(s->session->tlsext_hostname);
++							s->session->tlsext_hostname = NULL;
+ 							*al = TLS1_AD_UNRECOGNIZED_NAME;
+ 							return 0;
+ 						}

openssl-0.9.8g-cve-2008-1671.patch

@@ -0,0 +1,24 @@
+*) Fix flaw if 'Server Key exchange message' is omitted from a TLS
+Handshake which could lead to a cilent crash as found using the
+Codenomicon TLS test suite (CVE-2008-1672) [Steve Henson, Mark Cox]
+Index: ssl/s3_clnt.c
+===================================================================
+RCS file: /e/openssl/cvs/openssl/ssl/s3_clnt.c,v
+retrieving revision 1.88.2.12
+diff -u -r1.88.2.12 ssl/s3_clnt.c
+--- ssl/s3_clnt.c 3 Nov 2007 13:07:39 -0000
++++ ssl/s3_clnt.c 22 May 2008 09:19:30 -0000
+@@ -2061,6 +2061,13 @@
+ 			{
+ 			DH *dh_srvr,*dh_clnt;
+ 
++                        if (s->session->sess_cert == NULL) 
++                                {
++                                ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
++                                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
++                                goto err;
++                                }
++
+ 			if (s->session->sess_cert->peer_dh_tmp != NULL)
+ 				dh_srvr=s->session->sess_cert->peer_dh_tmp;
+ 			else

openssl.spec

@@ -22,7 +22,7 @@
 Summary: The OpenSSL toolkit
 Name: openssl
 Version: 0.9.8g
-Release: 8%{?dist}
+Release: 9%{?dist}
 # We remove certain patented algorithms from the openssl source tarball
 # with the hobble-openssl script which is included below.
 Source: openssl-%{version}-usa.tar.bz2
@@ -59,6 +59,8 @@ Patch39: openssl-0.9.8g-ipv6-apps.patch
 # Backported fixes including security fixes
 Patch50: openssl-0.9.8g-speed-bug.patch
 Patch51: openssl-0.9.8g-bn-mul-bug.patch
+Patch52: openssl-0.9.8g-cve-2008-0891.patch
+Patch53: openssl-0.9.8g-cve-2008-1671.patch
 
 License: OpenSSL
 Group: System Environment/Libraries
@@ -124,6 +126,8 @@ from other formats to the formats used by the OpenSSL toolkit.
 %patch39 -p1 -b .ipv6-apps
 %patch50 -p1 -b .speed-bug
 %patch51 -p1 -b .bn-mul-bug
+%patch52 -p0 -b .srvname-crash
+%patch53 -p0 -b .srv-kex-crash
 
 # Modify the various perl scripts to reference perl in the right location.
 perl util/perlpath.pl `dirname %{__perl}`
@@ -378,6 +382,10 @@ rm -rf $RPM_BUILD_ROOT/%{_bindir}/openssl_fips_fingerprint
 %postun -p /sbin/ldconfig
 
 %changelog
+* Wed May 28 2008 Tomas Mraz <tmraz@redhat.com> 0.9.8g-9
+- fix CVE-2008-0891 - server name extension crash (#448492)
+- fix CVE-2008-1672 - server key exchange message omit crash (#448495)
+
 * Tue May 27 2008 Tomas Mraz <tmraz@redhat.com> 0.9.8g-8
 - super-H arch support
 - drop workaround for bug 199604 as it should be fixed in gcc-4.3