1 |
vapier 09/11/05 20:08:48 |
2 |
|
3 |
Added: openssl-0.9.8l-CVE-2009-1377.patch |
4 |
openssl-0.9.8l-CVE-2009-1378.patch |
5 |
openssl-0.9.8l-CVE-2009-1379.patch |
6 |
Log: |
7 |
Add some patches from upstream #270305. |
8 |
(Portage version: 2.2_rc46/cvs/Linux x86_64) |
9 |
|
10 |
Revision Changes Path |
11 |
1.1 dev-libs/openssl/files/openssl-0.9.8l-CVE-2009-1377.patch |
12 |
|
13 |
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/dev-libs/openssl/files/openssl-0.9.8l-CVE-2009-1377.patch?rev=1.1&view=markup |
14 |
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/dev-libs/openssl/files/openssl-0.9.8l-CVE-2009-1377.patch?rev=1.1&content-type=text/plain |
15 |
|
16 |
Index: openssl-0.9.8l-CVE-2009-1377.patch |
17 |
=================================================================== |
18 |
http://rt.openssl.org/Ticket/Display.html?id=1931&user=guest&pass=guest |
19 |
|
20 |
Index: openssl/crypto/pqueue/pqueue.c |
21 |
RCS File: /v/openssl/cvs/openssl/crypto/pqueue/pqueue.c,v |
22 |
rcsdiff -q -kk '-r1.2.2.4' '-r1.2.2.5' -u '/v/openssl/cvs/openssl/crypto/pqueue/pqueue.c,v' 2>/dev/null |
23 |
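--- a/crypto/pqueue/pqueue.c
+++ b/crypto/pqueue/pqueue.c
@@ -234,3 +234,17 @@
 
 return ret;
 }
+
+int
+pqueue_size(pqueue_s *pq)
+{
+ pitem *item = pq->items;
+ int count = 0;
+
+ while(item != NULL)
+ {
+ count++;
+ item = item->next;
+ }
+ return count;
+}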
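Review bot: `pqueue_size()` reads `pq->items` without checking `pq`, and nothing in the hunk says that the count is a linear walk of the list. A short header comment would make both explicit, e.g. `/* Count the items in pq by walking the list: O(n) in queue length, pq must be non-NULL. */`. The definition spells the parameter `pqueue_s *pq` while the prototype added to pqueue.h uses `pqueue pq`; these presumably name the same type through a typedef that is not visible here, but one spelling in both places would be easier to audit. The d1_pkt.c hunk calls this once per buffered record, so the walk stays cheap only while that caller keeps its cap.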
43 |
Index: openssl/crypto/pqueue/pqueue.h |
44 |
RCS File: /v/openssl/cvs/openssl/crypto/pqueue/pqueue.h,v |
45 |
rcsdiff -q -kk '-r1.2.2.1' '-r1.2.2.2' -u '/v/openssl/cvs/openssl/crypto/pqueue/pqueue.h,v' 2>/dev/null |
46 |
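--- a/crypto/pqueue/pqueue.h
+++ b/crypto/pqueue/pqueue.h
@@ -91,5 +91,6 @@
 pitem *pqueue_next(piterator *iter);
 
 void pqueue_print(pqueue pq);
+int pqueue_size(pqueue pq);
 
 #endif /* ! HEADER_PQUEUE_H */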
55 |
Index: openssl/ssl/d1_pkt.c |
56 |
RCS File: /v/openssl/cvs/openssl/ssl/d1_pkt.c,v |
57 |
rcsdiff -q -kk '-r1.4.2.17' '-r1.4.2.18' -u '/v/openssl/cvs/openssl/ssl/d1_pkt.c,v' 2>/dev/null |
58 |
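--- a/ssl/d1_pkt.c
+++ b/ssl/d1_pkt.c
@@ -167,6 +167,10 @@
 DTLS1_RECORD_DATA *rdata;
 pitem *item;
 
+ /* Limit the size of the queue to prevent DOS attacks */
+ if (pqueue_size(queue->q) >= 100)
+ return 0;
+
 rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
 item = pitem_new(priority, rdata);
 if (rdata == NULL || item == NULL)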
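Review bot: The cap in `if (pqueue_size(queue->q) >= 100)` is a bare literal, and as far as the hunk shows the `return 0` gives the caller no way to tell a refused record from one that was queued. Moving the limit into a named constant and extending the comment would make the bound auditable, e.g. `/* Cap buffered records per queue; a record refused here is treated like a lost datagram */`. The limit applies per queue, so the memory a peer can pin per connection is the cap times the number of queues times the per-record allocation, which is worth stating where the constant is defined. The enclosing function starts and ends outside the hunk, so what the caller does with a 0 return should be confirmed there.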
71 |
|
72 |
|
73 |
|
74 |
1.1 dev-libs/openssl/files/openssl-0.9.8l-CVE-2009-1378.patch |
75 |
|
76 |
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/dev-libs/openssl/files/openssl-0.9.8l-CVE-2009-1378.patch?rev=1.1&view=markup |
77 |
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/dev-libs/openssl/files/openssl-0.9.8l-CVE-2009-1378.patch?rev=1.1&content-type=text/plain |
78 |
|
79 |
Index: openssl-0.9.8l-CVE-2009-1378.patch |
80 |
=================================================================== |
81 |
http://rt.openssl.org/Ticket/Display.html?id=1931&user=guest&pass=guest |
82 |
|
83 |
Index: ssl/d1_both.c |
84 |
=================================================================== |
85 |
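--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -561,7 +561,16 @@ dtls1_process_out_of_seq_message(SSL *s,
 if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len)
 goto err;
 
- if (msg_hdr->seq <= s->d1->handshake_read_seq)
+ /* Try to find item in queue, to prevent duplicate entries */
+ pq_64bit_init(&seq64);
+ pq_64bit_assign_word(&seq64, msg_hdr->seq);
+ item = pqueue_find(s->d1->buffered_messages, seq64);
+ pq_64bit_free(&seq64);
+
+ /* Discard the message if sequence number was already there, is
+ * too far in the future or the fragment is already in the queue */
+ if (msg_hdr->seq <= s->d1->handshake_read_seq ||
+ msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL)
 {
 unsigned char devnull [256];
 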
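Review bot: The look-ahead window in `msg_hdr->seq > s->d1->handshake_read_seq + 10` is an unexplained literal, yet together with the duplicate check it is what bounds how many out-of-sequence handshake messages a peer can make the connection buffer. A named constant with the rationale beside it would help, for instance `/* accept at most N messages ahead of handshake_read_seq */` with N defined once. The types of `seq` and `handshake_read_seq` are not visible in the hunk; if they are narrower than int, the comparison relies on integer promotion to avoid wrapping, and a one-line comment should say so. `seq64` and `item` are declared outside the hunk, and the discard branch that starts at `unsigned char devnull [256];` continues past it.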
105 |
|
106 |
|
107 |
|
108 |
1.1 dev-libs/openssl/files/openssl-0.9.8l-CVE-2009-1379.patch |
109 |
|
110 |
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/dev-libs/openssl/files/openssl-0.9.8l-CVE-2009-1379.patch?rev=1.1&view=markup |
111 |
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/dev-libs/openssl/files/openssl-0.9.8l-CVE-2009-1379.patch?rev=1.1&content-type=text/plain |
112 |
|
113 |
Index: openssl-0.9.8l-CVE-2009-1379.patch |
114 |
=================================================================== |
115 |
Index: openssl/ssl/d1_both.c |
116 |
RCS File: /v/openssl/cvs/openssl/ssl/d1_both.c,v |
117 |
rcsdiff -q -kk '-r1.14.2.6' '-r1.14.2.7' -u '/v/openssl/cvs/openssl/ssl/d1_both.c,v' 2>/dev/null |
118 |
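--- a/d1_both.c
+++ b/d1_both.c
@@ -519,6 +519,7 @@
 
 if ( s->d1->handshake_read_seq == frag->msg_header.seq)
 {
+ unsigned long frag_len = frag->msg_header.frag_len;
 pqueue_pop(s->d1->buffered_messages);
 
 al=dtls1_preprocess_fragment(s,&frag->msg_header,max);
@@ -536,7 +537,7 @@
 if (al==0)
 {
 *ok = 1;
- return frag->msg_header.frag_len;
+ return frag_len;
 }
 
 ssl3_send_alert(s,SSL3_AL_FATAL,al);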
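Review bot: Nothing explains why `frag_len` is copied into a local before `pqueue_pop()`, so a later cleanup could fold `return frag_len;` back into `return frag->msg_header.frag_len;`. The lines between the two hunks are not shown, but the change only makes sense if `frag` is released there before the return, which would make the old expression a read of freed memory. A comment on the declaration would pin that down: `/* saved now: frag must not be dereferenced once it has been freed below */`. It is also worth confirming in the unseen part that no other path reads `frag` after the release, and that the function's return type holds an `unsigned long` without truncation.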