diff --git a/SOURCES/openssl-1.0.1e-cve-2014-3505.patch b/SOURCES/openssl-1.0.1e-cve-2014-3505.patch new file mode 100644 index 0000000..8716fae --- /dev/null +++ b/SOURCES/openssl-1.0.1e-cve-2014-3505.patch @@ -0,0 +1,52 @@ +From 2172d4f63c61922487008f42511cc6bdae9b47a0 Mon Sep 17 00:00:00 2001 +From: Adam Langley +Date: Fri, 6 Jun 2014 14:19:21 -0700 +Subject: [PATCH] Avoid double free when processing DTLS packets. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The |item| variable, in both of these cases, may contain a pointer to a +|pitem| structure within |s->d1->buffered_messages|. It was being freed +in the error case while still being in |buffered_messages|. When the +error later caused the |SSL*| to be destroyed, the item would be double +freed. + +Thanks to Wah-Teh Chang for spotting that the fix in 1632ef74 was +inconsistent with the other error paths (but correct). + +Fixes CVE-2014-3505 + +Reviewed-by: Matt Caswell +Reviewed-by: Emilia Käsper +--- + ssl/d1_both.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/ssl/d1_both.c b/ssl/d1_both.c +index c1eb970..cdb83b6 100644 +--- a/ssl/d1_both.c ++++ b/ssl/d1_both.c +@@ -693,8 +693,7 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok) + return DTLS1_HM_FRAGMENT_RETRY; + + err: +- if (frag != NULL) dtls1_hm_fragment_free(frag); +- if (item != NULL) OPENSSL_free(item); ++ if (frag != NULL && item == NULL) dtls1_hm_fragment_free(frag); + *ok = 0; + return i; + } +@@ -778,8 +777,7 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok) + return DTLS1_HM_FRAGMENT_RETRY; + + err: +- if ( frag != NULL) dtls1_hm_fragment_free(frag); +- if ( item != NULL) OPENSSL_free(item); ++ if (frag != NULL && item == NULL) dtls1_hm_fragment_free(frag); + *ok = 0; + return i; + } +-- +1.8.3.1 + diff --git a/SOURCES/openssl-1.0.1e-cve-2014-3506.patch b/SOURCES/openssl-1.0.1e-cve-2014-3506.patch new file mode 100644 index 0000000..05e364f --- /dev/null +++ b/SOURCES/openssl-1.0.1e-cve-2014-3506.patch @@ -0,0 +1,87 @@ +From fc7804ec392fcf8051abe6bc9da9108744d2ae35 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Fri, 6 Jun 2014 14:25:52 -0700 +Subject: [PATCH] Fix DTLS handshake message size checks. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +In |dtls1_reassemble_fragment|, the value of +|msg_hdr->frag_off+frag_len| was being checked against the maximum +handshake message size, but then |msg_len| bytes were allocated for the +fragment buffer. This means that so long as the fragment was within the +allowed size, the pending handshake message could consume 16MB + 2MB +(for the reassembly bitmap). Approx 10 outstanding handshake messages +are allowed, meaning that an attacker could consume ~180MB per DTLS +connection. + +In the non-fragmented path (in |dtls1_process_out_of_seq_message|), no +check was applied. + +Fixes CVE-2014-3506 + +Wholly based on patch by Adam Langley with one minor amendment. + +Reviewed-by: Emilia Käsper +--- + ssl/d1_both.c | 29 ++++++++++++++++------------- + 1 file changed, 16 insertions(+), 13 deletions(-) + +diff --git a/ssl/d1_both.c b/ssl/d1_both.c +index 6559dfc..b9e15df 100644 +--- a/ssl/d1_both.c ++++ b/ssl/d1_both.c +@@ -587,6 +587,16 @@ dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok) + return 0; + } + ++/* dtls1_max_handshake_message_len returns the maximum number of bytes ++ * permitted in a DTLS handshake message for |s|. The minimum is 16KB, but may ++ * be greater if the maximum certificate list size requires it. */ ++static unsigned long dtls1_max_handshake_message_len(const SSL *s) ++ { ++ unsigned long max_len = DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH; ++ if (max_len < (unsigned long)s->max_cert_list) ++ return s->max_cert_list; ++ return max_len; ++ } + + static int + dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok) +@@ -595,20 +605,10 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok) + pitem *item = NULL; + int i = -1, is_complete; + unsigned char seq64be[8]; +- unsigned long frag_len = msg_hdr->frag_len, max_len; +- +- if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len) +- goto err; +- +- /* Determine maximum allowed message size. Depends on (user set) +- * maximum certificate length, but 16k is minimum. +- */ +- if (DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH < s->max_cert_list) +- max_len = s->max_cert_list; +- else +- max_len = DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH; ++ unsigned long frag_len = msg_hdr->frag_len; + +- if ((msg_hdr->frag_off+frag_len) > max_len) ++ if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len || ++ msg_hdr->msg_len > dtls1_max_handshake_message_len(s)) + goto err; + + /* Try to find item in queue */ +@@ -749,6 +749,9 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok) + if (frag_len && frag_len < msg_hdr->msg_len) + return dtls1_reassemble_fragment(s, msg_hdr, ok); + ++ if (frag_len > dtls1_max_handshake_message_len(s)) ++ goto err; ++ + frag = dtls1_hm_fragment_new(frag_len, 0); + if ( frag == NULL) + goto err; +-- +1.8.3.1 + diff --git a/SOURCES/openssl-1.0.1e-cve-2014-3507.patch b/SOURCES/openssl-1.0.1e-cve-2014-3507.patch new file mode 100644 index 0000000..0507315 --- /dev/null +++ b/SOURCES/openssl-1.0.1e-cve-2014-3507.patch @@ -0,0 +1,53 @@ +diff -up openssl-1.0.1e/ssl/d1_both.c.dtls-memleak openssl-1.0.1e/ssl/d1_both.c +--- openssl-1.0.1e/ssl/d1_both.c.dtls-memleak 2014-08-07 17:51:18.457493922 +0200 ++++ openssl-1.0.1e/ssl/d1_both.c 2014-08-07 17:58:28.478558785 +0200 +@@ -610,6 +610,9 @@ dtls1_reassemble_fragment(SSL *s, struct + msg_hdr->msg_len > dtls1_max_handshake_message_len(s)) + goto err; + ++ if (frag_len == 0) ++ return DTLS1_HM_FRAGMENT_RETRY; ++ + /* Try to find item in queue */ + memset(seq64be,0,sizeof(seq64be)); + seq64be[6] = (unsigned char) (msg_hdr->seq>>8); +@@ -686,7 +689,12 @@ dtls1_reassemble_fragment(SSL *s, struct + i = -1; + } + +- pqueue_insert(s->d1->buffered_messages, item); ++ item = pqueue_insert(s->d1->buffered_messages, item); ++ /* pqueue_insert fails iff a duplicate item is inserted. ++ * However, |item| cannot be a duplicate. If it were, ++ * |pqueue_find|, above, would have returned it and control ++ * would never have reached this branch. */ ++ OPENSSL_assert(item != NULL); + } + + return DTLS1_HM_FRAGMENT_RETRY; +@@ -744,7 +752,7 @@ dtls1_process_out_of_seq_message(SSL *s, + } + else + { +- if (frag_len && frag_len < msg_hdr->msg_len) ++ if (frag_len < msg_hdr->msg_len) + return dtls1_reassemble_fragment(s, msg_hdr, ok); + + if (frag_len > dtls1_max_handshake_message_len(s)) +@@ -773,7 +781,15 @@ dtls1_process_out_of_seq_message(SSL *s, + if ( item == NULL) + goto err; + +- pqueue_insert(s->d1->buffered_messages, item); ++ item = pqueue_insert(s->d1->buffered_messages, item); ++ /* pqueue_insert fails iff a duplicate item is inserted. ++ * However, |item| cannot be a duplicate. If it were, ++ * |pqueue_find|, above, would have returned it. Then, either ++ * |frag_len| != |msg_hdr->msg_len| in which case |item| is set ++ * to NULL and it will have been processed with ++ * |dtls1_reassemble_fragment|, above, or the record will have ++ * been discarded. */ ++ OPENSSL_assert(item != NULL); + } + + return DTLS1_HM_FRAGMENT_RETRY; diff --git a/SOURCES/openssl-1.0.1e-cve-2014-3508.patch b/SOURCES/openssl-1.0.1e-cve-2014-3508.patch new file mode 100644 index 0000000..31dd08d --- /dev/null +++ b/SOURCES/openssl-1.0.1e-cve-2014-3508.patch @@ -0,0 +1,138 @@ +From 03b04ddac162c7b7fa3c57eadccc5a583a00d291 Mon Sep 17 00:00:00 2001 +From: Emilia Kasper +Date: Wed, 2 Jul 2014 19:02:33 +0200 +Subject: [PATCH] Fix OID handling: + +- Upon parsing, reject OIDs with invalid base-128 encoding. +- Always NUL-terminate the destination buffer in OBJ_obj2txt printing function. + +CVE-2014-3508 + +Reviewed-by: Dr. Stephen Henson +Reviewed-by: Kurt Roeckx +Reviewed-by: Tim Hudson +--- + crypto/asn1/a_object.c | 30 +++++++++++++++++++++--------- + crypto/objects/obj_dat.c | 16 +++++++++------- + 2 files changed, 30 insertions(+), 16 deletions(-) + +diff --git a/crypto/asn1/a_object.c b/crypto/asn1/a_object.c +index 3978c91..77b2768 100644 +--- a/crypto/asn1/a_object.c ++++ b/crypto/asn1/a_object.c +@@ -283,17 +283,29 @@ err: + ASN1err(ASN1_F_D2I_ASN1_OBJECT,i); + return(NULL); + } ++ + ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp, + long len) + { + ASN1_OBJECT *ret=NULL; + const unsigned char *p; + unsigned char *data; +- int i; +- /* Sanity check OID encoding: can't have leading 0x80 in +- * subidentifiers, see: X.690 8.19.2 ++ int i, length; ++ ++ /* Sanity check OID encoding. ++ * Need at least one content octet. ++ * MSB must be clear in the last octet. ++ * can't have leading 0x80 in subidentifiers, see: X.690 8.19.2 + */ +- for (i = 0, p = *pp; i < len; i++, p++) ++ if (len <= 0 || len > INT_MAX || pp == NULL || (p = *pp) == NULL || ++ p[len - 1] & 0x80) ++ { ++ ASN1err(ASN1_F_C2I_ASN1_OBJECT,ASN1_R_INVALID_OBJECT_ENCODING); ++ return NULL; ++ } ++ /* Now 0 < len <= INT_MAX, so the cast is safe. */ ++ length = (int)len; ++ for (i = 0; i < length; i++, p++) + { + if (*p == 0x80 && (!i || !(p[-1] & 0x80))) + { +@@ -316,23 +328,23 @@ ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp, + data = (unsigned char *)ret->data; + ret->data = NULL; + /* once detached we can change it */ +- if ((data == NULL) || (ret->length < len)) ++ if ((data == NULL) || (ret->length < length)) + { + ret->length=0; + if (data != NULL) OPENSSL_free(data); +- data=(unsigned char *)OPENSSL_malloc(len ? (int)len : 1); ++ data=(unsigned char *)OPENSSL_malloc(length); + if (data == NULL) + { i=ERR_R_MALLOC_FAILURE; goto err; } + ret->flags|=ASN1_OBJECT_FLAG_DYNAMIC_DATA; + } +- memcpy(data,p,(int)len); ++ memcpy(data,p,length); + /* reattach data to object, after which it remains const */ + ret->data =data; +- ret->length=(int)len; ++ ret->length=length; + ret->sn=NULL; + ret->ln=NULL; + /* ret->flags=ASN1_OBJECT_FLAG_DYNAMIC; we know it is dynamic */ +- p+=len; ++ p+=length; + + if (a != NULL) (*a)=ret; + *pp=p; +diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c +index 8a342ba..0b2f442 100644 +--- a/crypto/objects/obj_dat.c ++++ b/crypto/objects/obj_dat.c +@@ -471,11 +471,12 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name) + const unsigned char *p; + char tbuf[DECIMAL_SIZE(i)+DECIMAL_SIZE(l)+2]; + +- if ((a == NULL) || (a->data == NULL)) { +- buf[0]='\0'; +- return(0); +- } ++ /* Ensure that, at every state, |buf| is NUL-terminated. */ ++ if (buf && buf_len > 0) ++ buf[0] = '\0'; + ++ if ((a == NULL) || (a->data == NULL)) ++ return(0); + + if (!no_name && (nid=OBJ_obj2nid(a)) != NID_undef) + { +@@ -554,9 +555,10 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name) + i=(int)(l/40); + l-=(long)(i*40); + } +- if (buf && (buf_len > 0)) ++ if (buf && (buf_len > 1)) + { + *buf++ = i + '0'; ++ *buf = '\0'; + buf_len--; + } + n++; +@@ -571,9 +573,10 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name) + i = strlen(bndec); + if (buf) + { +- if (buf_len > 0) ++ if (buf_len > 1) + { + *buf++ = '.'; ++ *buf = '\0'; + buf_len--; + } + BUF_strlcpy(buf,bndec,buf_len); +@@ -807,4 +810,3 @@ err: + OPENSSL_free(buf); + return(ok); + } +- +-- +1.8.3.1 + diff --git a/SOURCES/openssl-1.0.1e-cve-2014-3509.patch b/SOURCES/openssl-1.0.1e-cve-2014-3509.patch new file mode 100644 index 0000000..cee4aad --- /dev/null +++ b/SOURCES/openssl-1.0.1e-cve-2014-3509.patch @@ -0,0 +1,45 @@ +From 86788e1ee6908a5b3a4c95fa80caa4b724a8a434 Mon Sep 17 00:00:00 2001 +From: Gabor Tyukasz +Date: Wed, 23 Jul 2014 23:42:06 +0200 +Subject: [PATCH] Fix race condition in ssl_parse_serverhello_tlsext + +CVE-2014-3509 +Reviewed-by: Tim Hudson +Reviewed-by: Dr. Stephen Henson +--- + ssl/t1_lib.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c +index 8167a51..022a4fb 100644 +--- a/ssl/t1_lib.c ++++ b/ssl/t1_lib.c +@@ -1555,15 +1555,18 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in + *al = TLS1_AD_DECODE_ERROR; + return 0; + } +- s->session->tlsext_ecpointformatlist_length = 0; +- if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist); +- if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) ++ if (!s->hit) + { +- *al = TLS1_AD_INTERNAL_ERROR; +- return 0; ++ s->session->tlsext_ecpointformatlist_length = 0; ++ if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist); ++ if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) ++ { ++ *al = TLS1_AD_INTERNAL_ERROR; ++ return 0; ++ } ++ s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; ++ memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); + } +- s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; +- memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); + #if 0 + fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist "); + sdata = s->session->tlsext_ecpointformatlist; +-- +1.8.3.1 + diff --git a/SOURCES/openssl-1.0.1e-cve-2014-3510.patch b/SOURCES/openssl-1.0.1e-cve-2014-3510.patch new file mode 100644 index 0000000..4196536 --- /dev/null +++ b/SOURCES/openssl-1.0.1e-cve-2014-3510.patch @@ -0,0 +1,86 @@ +From 88ae012c8092852f03c50f6461175271104b4c8a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Emilia=20K=C3=A4sper?= +Date: Thu, 24 Jul 2014 22:15:29 +0200 +Subject: [PATCH] Fix DTLS anonymous EC(DH) denial of service + +CVE-2014-3510 + +Reviewed-by: Dr. Stephen Henson +--- + ssl/d1_clnt.c | 23 +++++++++++++++++++++-- + ssl/s3_clnt.c | 7 +++++++ + 2 files changed, 28 insertions(+), 2 deletions(-) + +diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c +index 65dbb4a..fd6562c 100644 +--- a/ssl/d1_clnt.c ++++ b/ssl/d1_clnt.c +@@ -996,6 +996,13 @@ int dtls1_send_client_key_exchange(SSL *s) + RSA *rsa; + unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; + ++ if (s->session->sess_cert == NULL) ++ { ++ /* We should always have a server certificate with SSL_kRSA. */ ++ SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ + if (s->session->sess_cert->peer_rsa_tmp != NULL) + rsa=s->session->sess_cert->peer_rsa_tmp; + else +@@ -1186,6 +1193,13 @@ int dtls1_send_client_key_exchange(SSL *s) + { + DH *dh_srvr,*dh_clnt; + ++ if (s->session->sess_cert == NULL) ++ { ++ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); ++ SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); ++ goto err; ++ } ++ + if (s->session->sess_cert->peer_dh_tmp != NULL) + dh_srvr=s->session->sess_cert->peer_dh_tmp; + else +@@ -1245,6 +1259,13 @@ int dtls1_send_client_key_exchange(SSL *s) + int ecdh_clnt_cert = 0; + int field_size = 0; + ++ if (s->session->sess_cert == NULL) ++ { ++ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); ++ SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); ++ goto err; ++ } ++ + /* Did we send out the client's + * ECDH share for use in premaster + * computation as part of client certificate? +@@ -1720,5 +1741,3 @@ int dtls1_send_client_certificate(SSL *s) + /* SSL3_ST_CW_CERT_D */ + return(dtls1_do_write(s,SSL3_RT_HANDSHAKE)); + } +- +- +diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c +index 2afb892..df05f78 100644 +--- a/ssl/s3_clnt.c ++++ b/ssl/s3_clnt.c +@@ -2253,6 +2253,13 @@ int ssl3_send_client_key_exchange(SSL *s) + RSA *rsa; + unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; + ++ if (s->session->sess_cert == NULL) ++ { ++ /* We should always have a server certificate with SSL_kRSA. */ ++ SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ + if (s->session->sess_cert->peer_rsa_tmp != NULL) + rsa=s->session->sess_cert->peer_rsa_tmp; + else +-- +1.8.3.1 + diff --git a/SOURCES/openssl-1.0.1e-cve-2014-3511.patch b/SOURCES/openssl-1.0.1e-cve-2014-3511.patch new file mode 100644 index 0000000..f9cb4ea --- /dev/null +++ b/SOURCES/openssl-1.0.1e-cve-2014-3511.patch @@ -0,0 +1,85 @@ +From fc4f4cdb8bf9981904e652abf69b892a45bddacf Mon Sep 17 00:00:00 2001 +From: David Benjamin +Date: Wed, 23 Jul 2014 22:32:21 +0200 +Subject: [PATCH] Fix protocol downgrade bug in case of fragmented packets +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +CVE-2014-3511 + +Reviewed-by: Emilia Käsper +Reviewed-by: Bodo Möller +--- + ssl/s23_srvr.c | 30 +++++++++++++++++++++++------- + 1 file changed, 23 insertions(+), 7 deletions(-) + +diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c +index 4877849..2901a6b 100644 +--- a/ssl/s23_srvr.c ++++ b/ssl/s23_srvr.c +@@ -348,23 +348,19 @@ int ssl23_get_client_hello(SSL *s) + * Client Hello message, this would be difficult, and we'd have + * to read more records to find out. + * No known SSL 3.0 client fragments ClientHello like this, +- * so we simply assume TLS 1.0 to avoid protocol version downgrade +- * attacks. */ ++ * so we simply reject such connections to avoid ++ * protocol version downgrade attacks. */ + if (p[3] == 0 && p[4] < 6) + { +-#if 0 + SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_SMALL); + goto err; +-#else +- v[1] = TLS1_VERSION_MINOR; +-#endif + } + /* if major version number > 3 set minor to a value + * which will use the highest version 3 we support. + * If TLS 2.0 ever appears we will need to revise + * this.... + */ +- else if (p[9] > SSL3_VERSION_MAJOR) ++ if (p[9] > SSL3_VERSION_MAJOR) + v[1]=0xff; + else + v[1]=p[10]; /* minor version according to client_version */ +@@ -444,14 +440,34 @@ int ssl23_get_client_hello(SSL *s) + v[0] = p[3]; /* == SSL3_VERSION_MAJOR */ + v[1] = p[4]; + ++ /* An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2 ++ * header is sent directly on the wire, not wrapped as a TLS ++ * record. It's format is: ++ * Byte Content ++ * 0-1 msg_length ++ * 2 msg_type ++ * 3-4 version ++ * 5-6 cipher_spec_length ++ * 7-8 session_id_length ++ * 9-10 challenge_length ++ * ... ... ++ */ + n=((p[0]&0x7f)<<8)|p[1]; + if (n > (1024*4)) + { + SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_LARGE); + goto err; + } ++ if (n < 9) ++ { ++ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_LENGTH_MISMATCH); ++ goto err; ++ } + + j=ssl23_read_bytes(s,n+2); ++ /* We previously read 11 bytes, so if j > 0, we must have ++ * j == n+2 == s->packet_length. We have at least 11 valid ++ * packet bytes. */ + if (j <= 0) return(j); + + ssl3_finish_mac(s, s->packet+2, s->packet_length-2); +-- +1.8.3.1 + diff --git a/SPECS/openssl.spec b/SPECS/openssl.spec index 886fbf2..d55dbcb 100644 --- a/SPECS/openssl.spec +++ b/SPECS/openssl.spec @@ -23,7 +23,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 1.0.1e -Release: 34%{?dist}.3 +Release: 34%{?dist}.4 Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -99,6 +99,13 @@ Patch93: openssl-1.0.1e-cve-2014-0198.patch Patch94: openssl-1.0.1e-cve-2014-0221.patch Patch95: openssl-1.0.1e-cve-2014-0224.patch Patch96: openssl-1.0.1e-cve-2014-3470.patch +Patch100: openssl-1.0.1e-cve-2014-3505.patch +Patch101: openssl-1.0.1e-cve-2014-3506.patch +Patch102: openssl-1.0.1e-cve-2014-3507.patch +Patch103: openssl-1.0.1e-cve-2014-3508.patch +Patch104: openssl-1.0.1e-cve-2014-3509.patch +Patch105: openssl-1.0.1e-cve-2014-3510.patch +Patch106: openssl-1.0.1e-cve-2014-3511.patch License: OpenSSL Group: System Environment/Libraries @@ -229,6 +236,13 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/ %patch94 -p1 -b .dtls1-dos %patch95 -p1 -b .keying-mitm %patch96 -p1 -b .anon-ecdh-dos +%patch100 -p1 -b .dtls-doublefree +%patch101 -p1 -b .dtls-sizechecks +%patch102 -p1 -b .dtls-memleak +%patch103 -p1 -b .oid-handling +%patch104 -p1 -b .tlsext-race +%patch105 -p1 -b .adh-dos +%patch106 -p1 -b .frag-downgrade sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h @@ -492,6 +506,15 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.* %postun libs -p /sbin/ldconfig %changelog +* Fri Aug 8 2014 Tomáš Mráz 1.0.1e-34.4 +- fix CVE-2014-3505 - doublefree in DTLS packet processing +- fix CVE-2014-3506 - avoid memory exhaustion in DTLS +- fix CVE-2014-3507 - avoid memory leak in DTLS +- fix CVE-2014-3508 - fix OID handling to avoid information leak +- fix CVE-2014-3509 - fix race condition when parsing server hello +- fix CVE-2014-3510 - fix DoS in anonymous (EC)DH handling in DTLS +- fix CVE-2014-3511 - disallow protocol downgrade via fragmentation + * Tue Jun 3 2014 Tomáš Mráz 1.0.1e-34.3 - fix CVE-2010-5298 - possible use of memory after free - fix CVE-2014-0195 - buffer overflow via invalid DTLS fragment