Wed Jun 10 13:57:08 2009 UTC ()
Patches for CVE-2009-1377, CVE-2009-1378 & CVE-2009-1379 from
http://cvs.openssl.org/filediff?f=openssl/ssl/d1_both.c&v1=1.4.2.9&v2=1.4.2.10
http://cvs.openssl.org/filediff?f=openssl/ssl/d1_both.c&v1=1.4.2.13&v2=1.4.2.15
http://cvs.openssl.org/filediff?f=openssl/crypto/pqueue/pqueue.c&v1=1.2.2.4&v2=1.2.2.5
http://cvs.openssl.org/filediff?f=openssl/crypto/pqueue/pqueue.h&v1=1.2.2.1&v2=1.2.2.2
http://cvs.openssl.org/filediff?f=openssl/ssl/d1_pkt.c&v1=1.4.2.17&v2=1.4.2.18
(tez)
diff -r1.139 -r1.140 pkgsrc/security/openssl/Makefile
diff -r1.67 -r1.68 pkgsrc/security/openssl/distinfo
diff -r0 -r1.1 pkgsrc/security/openssl/patches/patch-ax
diff -r0 -r1.1 pkgsrc/security/openssl/patches/patch-ay
diff -r0 -r1.1 pkgsrc/security/openssl/patches/patch-az
diff -r0 -r1.1 pkgsrc/security/openssl/patches/patch-ba
--- pkgsrc/security/openssl/Makefile 2009/05/21 21:37:28 1.139
+++ pkgsrc/security/openssl/Makefile 2009/06/10 13:57:08 1.140
| @@ -1,18 +1,19 @@ | | | @@ -1,18 +1,19 @@ |
| 1 | # $NetBSD: Makefile,v 1.139 2009/05/21 21:37:28 zafer Exp $ | | 1 | # $NetBSD: Makefile,v 1.140 2009/06/10 13:57:08 tez Exp $ |
| 2 | | | 2 | |
| 3 | OPENSSL_SNAPSHOT?= # empty | | 3 | OPENSSL_SNAPSHOT?= # empty |
| 4 | OPENSSL_STABLE?= # empty | | 4 | OPENSSL_STABLE?= # empty |
| 5 | OPENSSL_VERS?= 0.9.8k | | 5 | OPENSSL_VERS?= 0.9.8k |
| | | 6 | PKGREVISION= 1 |
| 6 | | | 7 | |
| 7 | .if empty(OPENSSL_SNAPSHOT) | | 8 | .if empty(OPENSSL_SNAPSHOT) |
| 8 | DISTNAME= openssl-${OPENSSL_VERS} | | 9 | DISTNAME= openssl-${OPENSSL_VERS} |
| 9 | MASTER_SITES= ftp://ftp.openssl.org/source/ \ | | 10 | MASTER_SITES= ftp://ftp.openssl.org/source/ \ |
| 10 | ftp://sunsite.cnlab-switch.ch/mirror/openssl/source/ \ | | 11 | ftp://sunsite.cnlab-switch.ch/mirror/openssl/source/ \ |
| 11 | ftp://sunsite.uio.no/pub/security/openssl/source/ | | 12 | ftp://sunsite.uio.no/pub/security/openssl/source/ |
| 12 | .else | | 13 | .else |
| 13 | . if !empty(OPENSSL_STABLE:M[yY][eE][sS]) | | 14 | . if !empty(OPENSSL_STABLE:M[yY][eE][sS]) |
| 14 | DISTNAME= openssl-${OPENSSL_VERS:C/[a-z]$//}-stable-SNAP-${OPENSSL_SNAPSHOT} | | 15 | DISTNAME= openssl-${OPENSSL_VERS:C/[a-z]$//}-stable-SNAP-${OPENSSL_SNAPSHOT} |
| 15 | PKGNAME= openssl-${OPENSSL_VERS}beta${OPENSSL_SNAPSHOT} | | 16 | PKGNAME= openssl-${OPENSSL_VERS}beta${OPENSSL_SNAPSHOT} |
| 16 | MASTER_SITES= ftp://ftp.openssl.org/snapshot/ | | 17 | MASTER_SITES= ftp://ftp.openssl.org/snapshot/ |
| 17 | . else | | 18 | . else |
| 18 | DISTNAME= openssl-SNAP-${OPENSSL_SNAPSHOT} | | 19 | DISTNAME= openssl-SNAP-${OPENSSL_SNAPSHOT} |
--- pkgsrc/security/openssl/distinfo 2009/04/16 09:50:37 1.67
+++ pkgsrc/security/openssl/distinfo 2009/06/10 13:57:08 1.68
| @@ -1,13 +1,17 @@ | | | @@ -1,13 +1,17 @@ |
| 1 | $NetBSD: distinfo,v 1.67 2009/04/16 09:50:37 tnn Exp $ | | 1 | $NetBSD: distinfo,v 1.68 2009/06/10 13:57:08 tez Exp $ |
| 2 | | | 2 | |
| 3 | SHA1 (openssl-0.9.8k.tar.gz) = 3ba079f91d3c1ec90a36dcd1d43857165035703f | | 3 | SHA1 (openssl-0.9.8k.tar.gz) = 3ba079f91d3c1ec90a36dcd1d43857165035703f |
| 4 | RMD160 (openssl-0.9.8k.tar.gz) = 496df7a5d33457b0d8e3b930a8e5cf068923182c | | 4 | RMD160 (openssl-0.9.8k.tar.gz) = 496df7a5d33457b0d8e3b930a8e5cf068923182c |
| 5 | Size (openssl-0.9.8k.tar.gz) = 3852259 bytes | | 5 | Size (openssl-0.9.8k.tar.gz) = 3852259 bytes |
| 6 | SHA1 (patch-aa) = b28ec662bf0586e31d59cab45e3a28b91b10dac1 | | 6 | SHA1 (patch-aa) = b28ec662bf0586e31d59cab45e3a28b91b10dac1 |
| 7 | SHA1 (patch-ac) = 7d03d0effcde4237216e9da4f38a318b0d1ae67d | | 7 | SHA1 (patch-ac) = 7d03d0effcde4237216e9da4f38a318b0d1ae67d |
| 8 | SHA1 (patch-ad) = bb86ac463fc4ab8b485df5f1a4fb9c13c1fc41c3 | | 8 | SHA1 (patch-ad) = bb86ac463fc4ab8b485df5f1a4fb9c13c1fc41c3 |
| 9 | SHA1 (patch-ae) = 7a58f1765a3761321dcc8dafc5fe2e33207be480 | | 9 | SHA1 (patch-ae) = 7a58f1765a3761321dcc8dafc5fe2e33207be480 |
| 10 | SHA1 (patch-af) = 1eda5a96835b65d325c77ce5d39f1e524815a3c7 | | 10 | SHA1 (patch-af) = 1eda5a96835b65d325c77ce5d39f1e524815a3c7 |
| 11 | SHA1 (patch-ag) = 5f12c72b85e4b6c6a79dfcf87055e9e029fbd8c8 | | 11 | SHA1 (patch-ag) = 5f12c72b85e4b6c6a79dfcf87055e9e029fbd8c8 |
| 12 | SHA1 (patch-ak) = 049250b9bd42e6f155145703135dab39a7ec17e0 | | 12 | SHA1 (patch-ak) = 049250b9bd42e6f155145703135dab39a7ec17e0 |
| 13 | SHA1 (patch-al) = 076a606352bdeaeea1cc64f16be2ac1325882302 | | 13 | SHA1 (patch-al) = 076a606352bdeaeea1cc64f16be2ac1325882302 |
| | | 14 | SHA1 (patch-ax) = ef0c657de2aa42baa365b9857583d1c55d0e7d1b |
| | | 15 | SHA1 (patch-ay) = 6d5de155e5508cd2237387626c8e1ff7ee603f8e |
| | | 16 | SHA1 (patch-az) = aa7ef7192d56979ba09aa1dab8a2cdf9868f9c4a |
| | | 17 | SHA1 (patch-ba) = b8ab55c0c6ab4b995cae18517609720f0803e11f |
$NetBSD: patch-ax,v 1.1 2009/06/10 13:57:08 tez Exp $
Part of CVE-2009-1377 fix.
--- crypto/pqueue/pqueue.c.orig 2009-06-08 18:55:59.826213100 -0500
+++ crypto/pqueue/pqueue.c
@@ -234,3 +234,17 @@ pqueue_next(pitem **item)
return ret;
}
+
+int
+pqueue_size(pqueue_s *pq)
+{
+ pitem *item = pq->items;
+ int count = 0;
+
+ while(item != NULL)
+ {
+ count++;
+ item = item->next;
+ }
+ return count;
+}
$NetBSD: patch-ay,v 1.1 2009/06/10 13:57:08 tez Exp $
Part of CVE-2009-1377 fix.
--- crypto/pqueue/pqueue.h.orig 2009-06-08 18:57:00.672546600 -0500
+++ crypto/pqueue/pqueue.h
@@ -91,5 +91,6 @@ pitem *pqueue_iterator(pqueue pq);
pitem *pqueue_next(piterator *iter);
void pqueue_print(pqueue pq);
+int pqueue_size(pqueue pq);
#endif /* ! HEADER_PQUEUE_H */
$NetBSD: patch-az,v 1.1 2009/06/10 13:57:08 tez Exp $
CVE-2009-1378 and CVE-2009-1379 fixes.
--- ssl/d1_both.c.orig 2009-06-08 18:59:50.629293200 -0500
+++ ssl/d1_both.c
@@ -519,6 +519,8 @@ dtls1_retrieve_buffered_fragment(SSL *s,
if ( s->d1->handshake_read_seq == frag->msg_header.seq)
{
+ unsigned long frag_len = frag->msg_header.frag_len;
+
pqueue_pop(s->d1->buffered_messages);
al=dtls1_preprocess_fragment(s,&frag->msg_header,max);
@@ -536,7 +538,7 @@ dtls1_retrieve_buffered_fragment(SSL *s,
if (al==0)
{
*ok = 1;
- return frag->msg_header.frag_len;
+ return frag_len;
}
ssl3_send_alert(s,SSL3_AL_FATAL,al);
@@ -561,7 +563,16 @@ dtls1_process_out_of_seq_message(SSL *s,
if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len)
goto err;
- if (msg_hdr->seq <= s->d1->handshake_read_seq)
+ /* Try to find item in queue, to prevent duplicate entries */
+ pq_64bit_init(&seq64);
+ pq_64bit_assign_word(&seq64, msg_hdr->seq);
+ item = pqueue_find(s->d1->buffered_messages, seq64);
+ pq_64bit_free(&seq64);
+
+ /* Discard the message if sequence number was already there, is
+ * too far in the future or the fragment is already in the queue */
+ if (msg_hdr->seq <= s->d1->handshake_read_seq ||
+ msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL)
{
unsigned char devnull [256];
$NetBSD: patch-ba,v 1.1 2009/06/10 13:57:08 tez Exp $
Part of CVE-2009-1377 fix.
--- ssl/d1_pkt.c.orig 2009-06-08 18:58:13.784215600 -0500
+++ ssl/d1_pkt.c
@@ -167,6 +167,10 @@ dtls1_buffer_record(SSL *s, record_pqueu
DTLS1_RECORD_DATA *rdata;
pitem *item;
+ /* Limit the size of the queue to prevent DOS attacks */
+ if (pqueue_size(queue->q) >= 100)
+ return 0;
+
rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
item = pitem_new(priority, rdata);
if (rdata == NULL || item == NULL)