rpms/openssl/F-10 openssl-0.9.8k-dtls-dos.patch, NONE, 1.1 openssl.spec, 1.115, 1.116
Tomáš Mráz
tmraz at fedoraproject.org
Thu May 21 16:56:09 UTC 2009
- Previous message: rpms/openssl/F-11 openssl-0.9.8k-dtls-dos.patch, NONE, 1.1 openssl.spec, 1.129, 1.130
- Next message: rpms/openssl/F-9 openssl-0.9.8g-bad-mime.patch, NONE, 1.1 openssl-0.9.8g-dtls-compat.patch, NONE, 1.1 openssl-0.9.8k-dtls-dos.patch, NONE, 1.1 openssl.spec, 1.107, 1.108
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: tmraz
Update of /cvs/pkgs/rpms/openssl/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv5041
Modified Files:
openssl.spec
Added Files:
openssl-0.9.8k-dtls-dos.patch
Log Message:
* Thu May 21 2009 Tomas Mraz <tmraz at redhat.com> 0.9.8g-14
- fix CVE-2009-1377 CVE-2009-1378 CVE-2009-1379
(DTLS DoS problems) (#501253, #501254, #501572)
openssl-0.9.8k-dtls-dos.patch:
--- NEW FILE openssl-0.9.8k-dtls-dos.patch ---
diff -up openssl-0.9.8k/crypto/pqueue/pqueue.c.dtls-dos openssl-0.9.8k/crypto/pqueue/pqueue.c
--- openssl-0.9.8k/crypto/pqueue/pqueue.c.dtls-dos 2005-06-28 14:53:33.000000000 +0200
+++ openssl-0.9.8k/crypto/pqueue/pqueue.c 2009-05-21 18:26:29.000000000 +0200
@@ -234,3 +234,17 @@ pqueue_next(pitem **item)
return ret;
}
+
+int
+pqueue_size(pqueue_s *pq)
+{
+ pitem *item = pq->items;
+ int count = 0;
+
+ while(item != NULL)
+ {
+ count++;
+ item = item->next;
+ }
+ return count;
+}
diff -up openssl-0.9.8k/crypto/pqueue/pqueue.h.dtls-dos openssl-0.9.8k/crypto/pqueue/pqueue.h
--- openssl-0.9.8k/crypto/pqueue/pqueue.h.dtls-dos 2009-04-21 11:43:58.000000000 +0200
+++ openssl-0.9.8k/crypto/pqueue/pqueue.h 2009-05-21 18:26:29.000000000 +0200
@@ -91,5 +91,6 @@ pitem *pqueue_iterator(pqueue pq);
pitem *pqueue_next(piterator *iter);
void pqueue_print(pqueue pq);
+int pqueue_size(pqueue pq);
#endif /* ! HEADER_PQUEUE_H */
diff -up openssl-0.9.8k/ssl/d1_both.c.dtls-dos openssl-0.9.8k/ssl/d1_both.c
--- openssl-0.9.8k/ssl/d1_both.c.dtls-dos 2007-10-17 23:17:49.000000000 +0200
+++ openssl-0.9.8k/ssl/d1_both.c 2009-05-21 18:26:29.000000000 +0200
@@ -519,6 +519,7 @@ dtls1_retrieve_buffered_fragment(SSL *s,
if ( s->d1->handshake_read_seq == frag->msg_header.seq)
{
+ unsigned long frag_len = frag->msg_header.frag_len;
pqueue_pop(s->d1->buffered_messages);
al=dtls1_preprocess_fragment(s,&frag->msg_header,max);
@@ -536,7 +537,7 @@ dtls1_retrieve_buffered_fragment(SSL *s,
if (al==0)
{
*ok = 1;
- return frag->msg_header.frag_len;
+ return frag_len;
}
ssl3_send_alert(s,SSL3_AL_FATAL,al);
@@ -561,7 +562,16 @@ dtls1_process_out_of_seq_message(SSL *s,
if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len)
goto err;
- if (msg_hdr->seq <= s->d1->handshake_read_seq)
+ /* Try to find item in queue, to prevent duplicate entries */
+ pq_64bit_init(&seq64);
+ pq_64bit_assign_word(&seq64, msg_hdr->seq);
+ item = pqueue_find(s->d1->buffered_messages, seq64);
+ pq_64bit_free(&seq64);
+
+ /* Discard the message if sequence number was already there, is
+ * too far in the future or the fragment is already in the queue */
+ if (msg_hdr->seq <= s->d1->handshake_read_seq ||
+ msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL)
{
unsigned char devnull [256];
diff -up openssl-0.9.8k/ssl/d1_pkt.c.dtls-dos openssl-0.9.8k/ssl/d1_pkt.c
--- openssl-0.9.8k/ssl/d1_pkt.c.dtls-dos 2009-04-21 11:44:02.000000000 +0200
+++ openssl-0.9.8k/ssl/d1_pkt.c 2009-05-21 18:26:29.000000000 +0200
@@ -167,6 +167,10 @@ dtls1_buffer_record(SSL *s, record_pqueu
DTLS1_RECORD_DATA *rdata;
pitem *item;
+ /* Limit the size of the queue to prevent DOS attacks */
+ if (pqueue_size(queue->q) >= 100)
+ return 0;
+
rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
item = pitem_new(priority, rdata);
if (rdata == NULL || item == NULL)
Index: openssl.spec
===================================================================
RCS file: /cvs/pkgs/rpms/openssl/F-10/openssl.spec,v
retrieving revision 1.115
retrieving revision 1.116
diff -u -p -r1.115 -r1.116
--- openssl.spec 21 Apr 2009 13:19:10 -0000 1.115
+++ openssl.spec 21 May 2009 16:55:39 -0000 1.116
@@ -22,7 +22,7 @@
Summary: The OpenSSL toolkit
Name: openssl
Version: 0.9.8g
-Release: 13%{?dist}
+Release: 14%{?dist}
# We remove certain patented algorithms from the openssl source tarball
# with the hobble-openssl script which is included below.
Source: openssl-%{version}-usa.tar.bz2
@@ -62,6 +62,7 @@ Patch54: openssl-0.9.8g-cve-2008-5077.pa
Patch55: openssl-0.9.8g-no-ign-eof.patch
Patch56: openssl-0.9.8g-bad-mime.patch
Patch57: openssl-0.9.8g-dtls-compat.patch
+Patch58: openssl-0.9.8k-dtls-dos.patch
License: OpenSSL
Group: System Environment/Libraries
@@ -134,6 +135,7 @@ from other formats to the formats used b
%patch55 -p1 -b .no-ign-eof
%patch56 -p1 -b .bad-mime
%patch57 -p1 -b .dtls-compat
+%patch58 -p1 -b .dtls-dos
# Modify the various perl scripts to reference perl in the right location.
perl util/perlpath.pl `dirname %{__perl}`
@@ -377,6 +379,10 @@ rm -rf $RPM_BUILD_ROOT/%{_bindir}/openss
%postun -p /sbin/ldconfig
%changelog
+* Thu May 21 2009 Tomas Mraz <tmraz at redhat.com> 0.9.8g-14
+- fix CVE-2009-1377 CVE-2009-1378 CVE-2009-1379
+ (DTLS DoS problems) (#501253, #501254, #501572)
+
* Tue Apr 21 2009 Tomas Mraz <tmraz at redhat.com> 0.9.8g-13
- support compatibility DTLS mode for CISCO AnyConnect (#464629)
- fix crash when parsing malformed mime headers in the smime app
- Previous message: rpms/openssl/F-11 openssl-0.9.8k-dtls-dos.patch, NONE, 1.1 openssl.spec, 1.129, 1.130
- Next message: rpms/openssl/F-9 openssl-0.9.8g-bad-mime.patch, NONE, 1.1 openssl-0.9.8g-dtls-compat.patch, NONE, 1.1 openssl-0.9.8k-dtls-dos.patch, NONE, 1.1 openssl.spec, 1.107, 1.108
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the scm-commits
mailing list