diff --git a/openssl-0.9.8b-cve-2006-4339.patch b/openssl-0.9.8b-cve-2006-4339.patch new file mode 100644 index 0000000..82cfbbc --- /dev/null +++ b/openssl-0.9.8b-cve-2006-4339.patch @@ -0,0 +1,77 @@ +*) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher +(CVE-2006-4339) [Ben Laurie; Google Security Team] +openssl/crypto/rsa/rsa.h 1.55.2.4 -> 1.55.2.5 + +--- openssl/crypto/rsa/rsa.h 2006/01/09 16:05:18 1.55.2.4 ++++ openssl/crypto/rsa/rsa.h 2006/09/05 08:25:42 1.55.2.5 +@@ -412,6 +412,7 @@ + #define RSA_R_N_DOES_NOT_EQUAL_P_Q 127 + #define RSA_R_OAEP_DECODING_ERROR 121 + #define RSA_R_PADDING_CHECK_FAILED 114 ++#define RSA_R_PKCS1_PADDING_TOO_SHORT 105 + #define RSA_R_P_NOT_PRIME 128 + #define RSA_R_Q_NOT_PRIME 129 + #define RSA_R_RSA_OPERATIONS_NOT_SUPPORTED 130 + +openssl/crypto/rsa/rsa_eay.c 1.46.2.4 -> 1.46.2.5 + +--- openssl/crypto/rsa/rsa_eay.c 2006/06/14 08:51:40 1.46.2.4 ++++ openssl/crypto/rsa/rsa_eay.c 2006/09/05 08:25:42 1.46.2.5 +@@ -640,6 +640,15 @@ + { + case RSA_PKCS1_PADDING: + r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num); ++ /* Generally signatures should be at least 2/3 padding, though ++ this isn't possible for really short keys and some standard ++ signature schemes, so don't check if the unpadded data is ++ small. */ ++ if(r > 42 && 3*8*r >= BN_num_bits(rsa->n)) ++ { ++ RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_PKCS1_PADDING_TOO_SHORT); ++ goto err; ++ } + break; + case RSA_X931_PADDING: + r=RSA_padding_check_X931(to,num,buf,i,num); + +openssl/crypto/rsa/rsa_err.c 1.17.2.3 -> 1.17.2.4 + +--- openssl/crypto/rsa/rsa_err.c 2006/01/09 16:05:18 1.17.2.3 ++++ openssl/crypto/rsa/rsa_err.c 2006/09/05 08:25:42 1.17.2.4 +@@ -142,6 +142,7 @@ + {ERR_REASON(RSA_R_N_DOES_NOT_EQUAL_P_Q) ,"n does not equal p q"}, + {ERR_REASON(RSA_R_OAEP_DECODING_ERROR) ,"oaep decoding error"}, + {ERR_REASON(RSA_R_PADDING_CHECK_FAILED) ,"padding check failed"}, ++{ERR_REASON(RSA_R_PKCS1_PADDING_TOO_SHORT),"pkcs1 padding too short"}, + {ERR_REASON(RSA_R_P_NOT_PRIME) ,"p not prime"}, + {ERR_REASON(RSA_R_Q_NOT_PRIME) ,"q not prime"}, + {ERR_REASON(RSA_R_RSA_OPERATIONS_NOT_SUPPORTED),"rsa operations not supported"}, + +openssl/crypto/rsa/rsa_sign.c 1.21 -> 1.21.2.1 + +--- openssl/crypto/rsa/rsa_sign.c 2005/04/26 22:07:17 1.21 ++++ openssl/crypto/rsa/rsa_sign.c 2006/09/05 08:25:42 1.21.2.1 +@@ -185,6 +185,23 @@ + sig=d2i_X509_SIG(NULL,&p,(long)i); + + if (sig == NULL) goto err; ++ ++ /* Excess data can be used to create forgeries */ ++ if(p != s+i) ++ { ++ RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE); ++ goto err; ++ } ++ ++ /* Parameters to the signature algorithm can also be used to ++ create forgeries */ ++ if(sig->algor->parameter ++ && ASN1_TYPE_get(sig->algor->parameter) != V_ASN1_NULL) ++ { ++ RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE); ++ goto err; ++ } ++ + sigtype=OBJ_obj2nid(sig->algor->algorithm); + + diff --git a/openssl.spec b/openssl.spec index 7f18c8e..dc38e28 100644 --- a/openssl.spec +++ b/openssl.spec @@ -21,7 +21,7 @@ Summary: The OpenSSL toolkit Name: openssl Version: 0.9.8b -Release: 5 +Release: 6 Source: openssl-%{version}-usa.tar.bz2 Source1: hobble-openssl Source2: Makefile.certificate @@ -55,6 +55,7 @@ Patch52: openssl-0.9.8b-pkcs12-fix.patch Patch53: openssl-0.9.8b-bn-threadsafety.patch Patch54: openssl-0.9.8b-aes-cachecol.patch Patch55: openssl-0.9.8b-pkcs7-leak.patch +Patch56: openssl-0.9.8b-cve-2006-4339.patch License: BSDish Group: System Environment/Libraries @@ -119,6 +120,7 @@ from other formats to the formats used by the OpenSSL toolkit. %patch53 -p1 -b .bn-threadsafety %patch54 -p1 -b .cachecol %patch55 -p1 -b .pkcs7-leak +%patch56 -p1 -b .short-padding # Modify the various perl scripts to reference perl in the right location. perl util/perlpath.pl `dirname %{__perl}` @@ -353,6 +355,9 @@ rm -rf $RPM_BUILD_ROOT/%{_bindir}/openssl_fips_fingerprint %postun -p /sbin/ldconfig %changelog +* Tue Sep 9 2006 Tomas Mraz 0.9.8b-6 +- fix CVE-2006-4339 - prevent attack on PKCS#1 v1.5 signatures (#205180) + * Wed Aug 2 2006 Tomas Mraz - 0.9.8b-5 - set buffering to none on stdio/stdout FILE when bufsize is set (#200580) patch by IBM