rpms/openssl/devel openssl-1.0.0-beta4-cve-2009-4355.patch, NONE, 1.1 openssl.spec, 1.154, 1.155
Tomáš Mráz
tmraz at fedoraproject.org
Thu Jan 14 08:52:42 UTC 2010
Author: tmraz
Update of /cvs/pkgs/rpms/openssl/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv16541
Modified Files:
openssl.spec
Added Files:
openssl-1.0.0-beta4-cve-2009-4355.patch
Log Message:
* Thu Jan 14 2010 Tomas Mraz <tmraz at redhat.com> 1.0.0-0.19.beta4
- fix CVE-2009-4355 - leak in applications incorrectly calling
CRYPTO_free_all_ex_data() before application exit (#546707)
- upstream fix for future TLS protocol version handling
openssl-1.0.0-beta4-cve-2009-4355.patch:
c_zlib.c | 17 +++++++----------
1 file changed, 7 insertions(+), 10 deletions(-)
--- NEW FILE openssl-1.0.0-beta4-cve-2009-4355.patch ---
Modify compression code so it frees up structures without using the
ex_data callbacks. This works around a problem where some applications
call CRYPTO_free_all_ex_data() before application exit (e.g. when
restarting) then use compression (e.g. SSL with compression) later.
This results in significant per-connection memory leaks and
has caused some security issues including CVE-2008-1678 and
CVE-2009-4355.
[Steve Henson]
diff -up openssl-1.0.0-beta4/crypto/comp/c_zlib.c.compleak openssl-1.0.0-beta4/crypto/comp/c_zlib.c
--- openssl-1.0.0-beta4/crypto/comp/c_zlib.c.compleak 2008-12-13 18:19:40.000000000 +0100
+++ openssl-1.0.0-beta4/crypto/comp/c_zlib.c 2010-01-13 22:06:20.000000000 +0100
@@ -136,15 +136,6 @@ struct zlib_state
static int zlib_stateful_ex_idx = -1;
-static void zlib_stateful_free_ex_data(void *obj, void *item,
- CRYPTO_EX_DATA *ad, int ind,long argl, void *argp)
- {
- struct zlib_state *state = (struct zlib_state *)item;
- inflateEnd(&state->istream);
- deflateEnd(&state->ostream);
- OPENSSL_free(state);
- }
-
static int zlib_stateful_init(COMP_CTX *ctx)
{
int err;
@@ -188,6 +179,12 @@ static int zlib_stateful_init(COMP_CTX *
static void zlib_stateful_finish(COMP_CTX *ctx)
{
+ struct zlib_state *state =
+ (struct zlib_state *)CRYPTO_get_ex_data(&ctx->ex_data,
+ zlib_stateful_ex_idx);
+ inflateEnd(&state->istream);
+ deflateEnd(&state->ostream);
+ OPENSSL_free(state);
CRYPTO_free_ex_data(CRYPTO_EX_INDEX_COMP,ctx,&ctx->ex_data);
}
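Review bot: the new code in zlib_stateful_finish() uses `state` without a NULL check. CRYPTO_get_ex_data() returns NULL when nothing is stored at the index, so `inflateEnd(&state->istream)` would dereference NULL if finish is ever reached for a ctx whose init did not store a state. Suggest guarding the three cleanup calls with `if (state != NULL)`. It would also be safer to clear the slot afterwards, e.g. `CRYPTO_set_ex_data(&ctx->ex_data, zlib_stateful_ex_idx, NULL);`, so the ex_data entry does not keep a dangling pointer between OPENSSL_free(state) and CRYPTO_free_ex_data().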
@@ -402,7 +399,7 @@ COMP_METHOD *COMP_zlib(void)
if (zlib_stateful_ex_idx == -1)
zlib_stateful_ex_idx =
CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_COMP,
- 0,NULL,NULL,NULL,zlib_stateful_free_ex_data);
+ 0,NULL,NULL,NULL,NULL);
CRYPTO_w_unlock(CRYPTO_LOCK_COMP);
if (zlib_stateful_ex_idx == -1)
goto err;
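Review bot: the NULL free callback passed to CRYPTO_get_ex_new_index() in COMP_zlib() is intentional but nothing at the call site says so. Suggest a short comment there stating that the zlib state is released in zlib_stateful_finish() and must not depend on an ex_data free callback, since applications may have called CRYPTO_free_all_ex_data() earlier. Without it a later cleanup could restore a callback and reintroduce the leak or add a double free alongside the explicit OPENSSL_free(state).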
Index: openssl.spec
===================================================================
RCS file: /cvs/pkgs/rpms/openssl/devel/openssl.spec,v
retrieving revision 1.154
retrieving revision 1.155
diff -u -p -r1.154 -r1.155
--- openssl.spec 13 Jan 2010 09:21:02 -0000 1.154
+++ openssl.spec 14 Jan 2010 08:52:42 -0000 1.155
@@ -23,7 +23,7 @@
Summary: A general purpose cryptography library with TLS implementation
Name: openssl
Version: 1.0.0
-Release: 0.18.%{beta}%{?dist}
+Release: 0.19.%{beta}%{?dist}
# We remove certain patented algorithms from the openssl source tarball
# with the hobble-openssl script which is included below.
Source: openssl-%{version}-%{beta}-usa.tar.bz2
@@ -73,6 +73,8 @@ Patch66: openssl-1.0.0-beta4-backports2.
Patch67: openssl-1.0.0-beta4-reneg-scsv.patch
Patch68: openssl-1.0.0-beta4-tls-comp.patch
Patch69: openssl-1.0.0-beta4-aesni.patch
+Patch70: openssl-1.0.0-beta4-tlsver.patch
+Patch71: openssl-1.0.0-beta4-cve-2009-4355.patch
License: OpenSSL
Group: System Environment/Libraries
@@ -162,6 +164,8 @@ from other formats to the formats used b
%patch67 -p1 -b .scsv
%patch68 -p1 -b .tls-comp
%patch69 -p1 -b .aesni
+%patch70 -p1 -b .tlsver
+%patch71 -p1 -b .compleak
# Modify the various perl scripts to reference perl in the right location.
perl util/perlpath.pl `dirname %{__perl}`
@@ -410,6 +414,11 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipsca
%postun -p /sbin/ldconfig
%changelog
+* Thu Jan 14 2010 Tomas Mraz <tmraz at redhat.com> 1.0.0-0.19.beta4
+- fix CVE-2009-4355 - leak in applications incorrectly calling
+ CRYPTO_free_all_ex_data() before application exit (#546707)
+- upstream fix for future TLS protocol version handling
+
* Wed Jan 13 2010 Tomas Mraz <tmraz at redhat.com> 1.0.0-0.18.beta4
- add support for Intel AES-NI
@@ -543,7 +552,7 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipsca
- temporarily provide symlink to old soname to make it possible to rebuild
the dependent packages in rawhide
- add eap-fast support (#428181)
-- add possibility to disable zlib by setting
+- add possibility to disable zlib by setting
- add fips mode support for testing purposes
- do not null dereference on some invalid smime files
- add buildrequires pkgconfig (#479493)
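Review bot: the removed and added lines in this old changelog entry ("add possibility to disable zlib by setting") read identically, so this looks like a whitespace-only change unrelated to the CVE fix. Suggest dropping it from this commit or committing the whitespace cleanup separately, so the security change stays minimal and easy to backport. The same applies to the "added support for changing serial number to" line in the following hunk.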
@@ -750,7 +759,7 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipsca
- upgrade to new upstream version (no soname bump needed)
- disable thread test - it was testing the backport of the
RSA blinding - no longer needed
-- added support for changing serial number to
+- added support for changing serial number to
Makefile.certificate (#151188)
- make ca-bundle.crt a config file (#118903)
More information about the scm-commits
mailing list