- fix CVE-2007-5135 - off-by-one in SSL_get_shared_ciphers (#309801)
- fix CVE-2007-4995 - out of order DTLS fragments buffer overflow (#321191) - add alpha sub-archs (#296031)
This commit is contained in:
parent
65e6d90529
commit
873b8d554b
@ -336,7 +336,7 @@ diff -up openssl-0.9.8b/crypto/bn/bn_mont.c.no-branch openssl-0.9.8b/crypto/bn/b
|
||||
|
||||
r->neg=a->neg^n->neg;
|
||||
np=n->d;
|
||||
@@ -228,37 +228,56 @@ int BN_from_montgomery(BIGNUM *ret, cons
|
||||
@@ -228,37 +228,58 @@ int BN_from_montgomery(BIGNUM *ret, cons
|
||||
}
|
||||
bn_correct_top(r);
|
||||
|
||||
@ -413,10 +413,12 @@ diff -up openssl-0.9.8b/crypto/bn/bn_mont.c.no-branch openssl-0.9.8b/crypto/bn/b
|
||||
-#endif
|
||||
+ for (ri+=4; i<ri; i++)
|
||||
+ rp[i]=nrp[i], ap[i]=0;
|
||||
+ bn_correct_top(r);
|
||||
+ bn_correct_top(ret);
|
||||
#else /* !MONT_WORD */
|
||||
BIGNUM *t1,*t2;
|
||||
|
||||
@@ -276,12 +295,12 @@ int BN_from_montgomery(BIGNUM *ret, cons
|
||||
@@ -276,12 +297,12 @@ int BN_from_montgomery(BIGNUM *ret, cons
|
||||
if (!BN_mul(t1,t2,&mont->N,ctx)) goto err;
|
||||
if (!BN_add(t2,a,t1)) goto err;
|
||||
if (!BN_rshift(ret,t2,mont->ri)) goto err;
|
||||
|
1429
openssl-0.9.8b-cve-2007-4995.patch
Normal file
1429
openssl-0.9.8b-cve-2007-4995.patch
Normal file
File diff suppressed because it is too large
Load Diff
45
openssl-0.9.8b-cve-2007-5135.patch
Normal file
45
openssl-0.9.8b-cve-2007-5135.patch
Normal file
@ -0,0 +1,45 @@
|
||||
Possible one byte buffer overflow in SSL_get_shared_ciphers.
|
||||
CVE-2007-5135
|
||||
diff -up openssl-0.9.8b/ssl/ssl_lib.c.orig openssl-0.9.8b/ssl/ssl_lib.c
|
||||
--- openssl-0.9.8b/ssl/ssl_lib.c.orig 2007-10-08 10:20:42.000000000 +0200
|
||||
+++ openssl-0.9.8b/ssl/ssl_lib.c 2007-10-08 17:32:29.000000000 +0200
|
||||
@@ -1201,7 +1201,6 @@ int SSL_set_cipher_list(SSL *s,const cha
|
||||
char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len)
|
||||
{
|
||||
char *p;
|
||||
- const char *cp;
|
||||
STACK_OF(SSL_CIPHER) *sk;
|
||||
SSL_CIPHER *c;
|
||||
int i;
|
||||
@@ -1214,20 +1213,21 @@ char *SSL_get_shared_ciphers(const SSL *
|
||||
sk=s->session->ciphers;
|
||||
for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
|
||||
{
|
||||
- /* Decrement for either the ':' or a '\0' */
|
||||
- len--;
|
||||
+ int n;
|
||||
+
|
||||
c=sk_SSL_CIPHER_value(sk,i);
|
||||
- for (cp=c->name; *cp; )
|
||||
+ n=strlen(c->name);
|
||||
+ if (n+1 > len)
|
||||
{
|
||||
- if (len-- <= 0)
|
||||
- {
|
||||
- *p='\0';
|
||||
- return(buf);
|
||||
- }
|
||||
- else
|
||||
- *(p++)= *(cp++);
|
||||
+ if (p != buf)
|
||||
+ --p;
|
||||
+ *p='\0';
|
||||
+ return buf;
|
||||
}
|
||||
+ strcpy(p,c->name);
|
||||
+ p+=n;
|
||||
*(p++)=':';
|
||||
+ len-=n+1;
|
||||
}
|
||||
p[-1]='\0';
|
||||
return(buf);
|
@ -21,7 +21,7 @@
|
||||
Summary: The OpenSSL toolkit
|
||||
Name: openssl
|
||||
Version: 0.9.8b
|
||||
Release: 15%{?dist}
|
||||
Release: 16%{?dist}
|
||||
Source: openssl-%{version}-usa.tar.bz2
|
||||
Source1: hobble-openssl
|
||||
Source2: Makefile.certificate
|
||||
|
Loading…
Reference in New Issue
Block a user