[openssl/f16] new upstream release fixing CVE-2012-2110 - memory corruption
Tomáš Mráz
tmraz at fedoraproject.org
Fri Apr 20 14:40:23 UTC 2012
commit 60bbb8a79a7af940e480a5f8a7800c189ace4c02
Author: Tomas Mraz <tmraz at fedoraproject.org>
Date: Fri Apr 20 16:34:25 2012 +0200
new upstream release fixing CVE-2012-2110 - memory corruption
when loading asn1 from BIO
.gitignore | 1 +
openssl-1.0.0-beta4-algo-doc.patch | 113 --------------------
...h-version.patch => openssl-1.0.0i-version.patch | 6 +-
openssl-1.0.1a-algo-doc.patch | 77 +++++++++++++
openssl.spec | 10 ++-
sources | 2 +-
6 files changed, 89 insertions(+), 120 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 12d27b8..3f846cb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,3 +6,4 @@ openssl-1.0.0a-usa.tar.bz2
/openssl-1.0.0f-usa.tar.bz2
/openssl-1.0.0g-usa.tar.xz
/openssl-1.0.0h-usa.tar.xz
+/openssl-1.0.0i-usa.tar.xz
diff --git a/openssl-1.0.0h-version.patch b/openssl-1.0.0i-version.patch
similarity index 81%
rename from openssl-1.0.0h-version.patch
rename to openssl-1.0.0i-version.patch
index 6dbfb1d..84c4185 100644
--- a/openssl-1.0.0h-version.patch
+++ b/openssl-1.0.0i-version.patch
@@ -5,17 +5,17 @@ diff -up openssl-1.0.0h/crypto/opensslv.h.version openssl-1.0.0h/crypto/opensslv
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
--#define OPENSSL_VERSION_NUMBER 0x1000008fL
+-#define OPENSSL_VERSION_NUMBER 0x1000009fL
+#define OPENSSL_VERSION_NUMBER 0x10000003
#ifdef OPENSSL_FIPS
- #define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0h-fips 12 Mar 2012"
+ #define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0i-fips 19 Apr 2012"
#else
@@ -83,7 +83,7 @@
* should only keep the versions that are binary compatible with the current.
*/
#define SHLIB_VERSION_HISTORY ""
-#define SHLIB_VERSION_NUMBER "1.0.0"
-+#define SHLIB_VERSION_NUMBER "1.0.0g"
++#define SHLIB_VERSION_NUMBER "1.0.0i"
#endif /* HEADER_OPENSSLV_H */
diff --git a/openssl-1.0.1a-algo-doc.patch b/openssl-1.0.1a-algo-doc.patch
new file mode 100644
index 0000000..c4aaa89
--- /dev/null
+++ b/openssl-1.0.1a-algo-doc.patch
@@ -0,0 +1,77 @@
+diff -up openssl-1.0.1a/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-1.0.1a/doc/crypto/EVP_DigestInit.pod
+--- openssl-1.0.1a/doc/crypto/EVP_DigestInit.pod.algo-doc 2012-04-11 00:28:22.000000000 +0200
++++ openssl-1.0.1a/doc/crypto/EVP_DigestInit.pod 2012-04-20 09:14:01.865167011 +0200
+@@ -75,7 +75,7 @@ EVP_MD_CTX_create() allocates, initializ
+
+ EVP_DigestInit_ex() sets up digest context B<ctx> to use a digest
+ B<type> from ENGINE B<impl>. B<ctx> must be initialized before calling this
+-function. B<type> will typically be supplied by a functionsuch as EVP_sha1().
++function. B<type> will typically be supplied by a function such as EVP_sha1().
+ If B<impl> is NULL then the default implementation of digest B<type> is used.
+
+ EVP_DigestUpdate() hashes B<cnt> bytes of data at B<d> into the
+@@ -165,7 +165,8 @@ EVP_MD_size(), EVP_MD_block_size(), EVP_
+ EVP_MD_CTX_block_size() and EVP_MD_block_size() return the digest or block
+ size in bytes.
+
+-EVP_md_null(), EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_dss(),
++EVP_md_null(), EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(),
++EVP_sha224(), EVP_sha256(), EVP_sha384(), EVP_sha512(), EVP_dss(),
+ EVP_dss1(), EVP_mdc2() and EVP_ripemd160() return pointers to the
+ corresponding EVP_MD structures.
+
+diff -up openssl-1.0.1a/doc/crypto/EVP_EncryptInit.pod.algo-doc openssl-1.0.1a/doc/crypto/EVP_EncryptInit.pod
+--- openssl-1.0.1a/doc/crypto/EVP_EncryptInit.pod.algo-doc 2005-04-15 18:01:35.000000000 +0200
++++ openssl-1.0.1a/doc/crypto/EVP_EncryptInit.pod 2012-04-20 09:10:59.114736465 +0200
+@@ -91,6 +91,32 @@ EVP_CIPHER_CTX_set_padding - EVP cipher
+ int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
+ int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
+
++ const EVP_CIPHER *EVP_des_ede3(void);
++ const EVP_CIPHER *EVP_des_ede3_ecb(void);
++ const EVP_CIPHER *EVP_des_ede3_cfb64(void);
++ const EVP_CIPHER *EVP_des_ede3_cfb1(void);
++ const EVP_CIPHER *EVP_des_ede3_cfb8(void);
++ const EVP_CIPHER *EVP_des_ede3_ofb(void);
++ const EVP_CIPHER *EVP_des_ede3_cbc(void);
++ const EVP_CIPHER *EVP_aes_128_ecb(void);
++ const EVP_CIPHER *EVP_aes_128_cbc(void);
++ const EVP_CIPHER *EVP_aes_128_cfb1(void);
++ const EVP_CIPHER *EVP_aes_128_cfb8(void);
++ const EVP_CIPHER *EVP_aes_128_cfb128(void);
++ const EVP_CIPHER *EVP_aes_128_ofb(void);
++ const EVP_CIPHER *EVP_aes_192_ecb(void);
++ const EVP_CIPHER *EVP_aes_192_cbc(void);
++ const EVP_CIPHER *EVP_aes_192_cfb1(void);
++ const EVP_CIPHER *EVP_aes_192_cfb8(void);
++ const EVP_CIPHER *EVP_aes_192_cfb128(void);
++ const EVP_CIPHER *EVP_aes_192_ofb(void);
++ const EVP_CIPHER *EVP_aes_256_ecb(void);
++ const EVP_CIPHER *EVP_aes_256_cbc(void);
++ const EVP_CIPHER *EVP_aes_256_cfb1(void);
++ const EVP_CIPHER *EVP_aes_256_cfb8(void);
++ const EVP_CIPHER *EVP_aes_256_cfb128(void);
++ const EVP_CIPHER *EVP_aes_256_ofb(void);
++
+ =head1 DESCRIPTION
+
+ The EVP cipher routines are a high level interface to certain
+@@ -297,6 +323,18 @@ Three key triple DES in CBC, ECB, CFB an
+
+ DESX algorithm in CBC mode.
+
++=item EVP_aes_128_cbc(void), EVP_aes_128_ecb(), EVP_aes_128_ofb(void), EVP_aes_128_cfb1(void), EVP_aes_128_cfb8(void), EVP_aes_128_cfb128(void)
++
++AES with 128 bit key length in CBC, ECB, OFB and CFB modes respectively.
++
++=item EVP_aes_192_cbc(void), EVP_aes_192_ecb(), EVP_aes_192_ofb(void), EVP_aes_192_cfb1(void), EVP_aes_192_cfb8(void), EVP_aes_192_cfb128(void)
++
++AES with 192 bit key length in CBC, ECB, OFB and CFB modes respectively.
++
++=item EVP_aes_256_cbc(void), EVP_aes_256_ecb(), EVP_aes_256_ofb(void), EVP_aes_256_cfb1(void), EVP_aes_256_cfb8(void), EVP_aes_256_cfb128(void)
++
++AES with 256 bit key length in CBC, ECB, OFB and CFB modes respectively.
++
+ =item EVP_rc4(void)
+
+ RC4 stream cipher. This is a variable key length cipher with default key length 128 bits.
diff --git a/openssl.spec b/openssl.spec
index ef88166..67a9d0e 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -20,7 +20,7 @@
Summary: A general purpose cryptography library with TLS implementation
Name: openssl
-Version: 1.0.0h
+Version: 1.0.0i
Release: 1%{?dist}
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@@ -57,9 +57,9 @@ Patch43: openssl-1.0.0a-fipsmode.patch
Patch44: openssl-1.0.0-beta3-fipsrng.patch
Patch45: openssl-0.9.8j-env-nozlib.patch
Patch47: openssl-1.0.0-beta5-readme-warning.patch
-Patch49: openssl-1.0.0-beta4-algo-doc.patch
+Patch49: openssl-1.0.1a-algo-doc.patch
Patch50: openssl-1.0.0-beta4-dtls1-abi.patch
-Patch51: openssl-1.0.0h-version.patch
+Patch51: openssl-1.0.0i-version.patch
Patch52: openssl-1.0.0b-aesni.patch
Patch53: openssl-1.0.0-name-hash.patch
Patch54: openssl-1.0.0c-speed-fips.patch
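Review bot: Patch49 now points at openssl-1.0.1a-algo-doc.patch, whose own headers show it was generated against the openssl-1.0.1a tree, while this package builds Version 1.0.0i. The directory prefix is normally stripped when the patch is applied, but the hunk context comes from the 1.0.1a pod files, so it may apply here only with offsets or fuzz; that cannot be confirmed from the diff alone. The patch touches only documentation, so the built libraries are unaffected, but a fuzzy apply can go unnoticed at the next rebase. A comment above the line would record the mismatch, for example `# Patch49 was generated against 1.0.1a (doc-only); re-check that it applies cleanly to 1.0.0 on each rebase`.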
@@ -423,6 +423,10 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
%postun -p /sbin/ldconfig
%changelog
+* Fri Apr 20 2012 Tomas Mraz <tmraz at redhat.com> 1.0.0i-1
+- new upstream release fixing CVE-2012-2110 - memory corruption
+ when loading asn1 from BIO
+
* Fri Mar 23 2012 Tomas Mraz <tmraz at redhat.com> 1.0.0h-1
- new upstream release fixing CVE-2012-0884 - Bleichenbacher attack
against PKCS#7 and CMS (#802725) and CVE-2012-1165 mime_param_cmp
diff --git a/sources b/sources
index 4da4ff2..49b904a 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-909886cae52acc459225ff056f0bec1f openssl-1.0.0h-usa.tar.xz
+e6281b9c8afea0b55ae73b92238f1d22 openssl-1.0.0i-usa.tar.xz