From bd58b954dcf5e849e5183a3a4e5c587ed71edc6e Mon Sep 17 00:00:00 2001 From: tez Date: Wed, 10 Jun 2009 13:57:08 +0000 Subject: Patches for CVE-2009-1377, CVE-2009-1378 & CVE-2009-1379 from http://cvs.openssl.org/filediff?f=openssl/ssl/d1_both.c&v1=1.4.2.9&v2=1.4.2.10 http://cvs.openssl.org/filediff?f=openssl/ssl/d1_both.c&v1=1.4.2.13&v2=1.4.2.15 http://cvs.openssl.org/filediff?f=openssl/crypto/pqueue/pqueue.c&v1=1.2.2.4&v2=1.2.2.5 http://cvs.openssl.org/filediff?f=openssl/crypto/pqueue/pqueue.h&v1=1.2.2.1&v2=1.2.2.2 http://cvs.openssl.org/filediff?f=openssl/ssl/d1_pkt.c&v1=1.4.2.17&v2=1.4.2.18 --- security/openssl/Makefile | 3 ++- security/openssl/distinfo | 6 +++++- security/openssl/patches/patch-ax | 24 ++++++++++++++++++++++ security/openssl/patches/patch-ay | 13 ++++++++++++ security/openssl/patches/patch-az | 42 +++++++++++++++++++++++++++++++++++++++ security/openssl/patches/patch-ba | 17 ++++++++++++++++ 6 files changed, 103 insertions(+), 2 deletions(-) create mode 100644 security/openssl/patches/patch-ax create mode 100644 security/openssl/patches/patch-ay create mode 100644 security/openssl/patches/patch-az create mode 100644 security/openssl/patches/patch-ba (limited to 'security') diff --git a/security/openssl/Makefile b/security/openssl/Makefile index 4d0e9db20eb..be6e6c5c41e 100644 --- a/security/openssl/Makefile +++ b/security/openssl/Makefile @@ -1,8 +1,9 @@ -# $NetBSD: Makefile,v 1.139 2009/05/21 21:37:28 zafer Exp $ +# $NetBSD: Makefile,v 1.140 2009/06/10 13:57:08 tez Exp $ OPENSSL_SNAPSHOT?= # empty OPENSSL_STABLE?= # empty OPENSSL_VERS?= 0.9.8k +PKGREVISION= 1 .if empty(OPENSSL_SNAPSHOT) DISTNAME= openssl-${OPENSSL_VERS} diff --git a/security/openssl/distinfo b/security/openssl/distinfo index 98e4c5f2757..286fd16eea3 100644 --- a/security/openssl/distinfo +++ b/security/openssl/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.67 2009/04/16 09:50:37 tnn Exp $ +$NetBSD: distinfo,v 1.68 2009/06/10 13:57:08 tez Exp $ SHA1 (openssl-0.9.8k.tar.gz) = 3ba079f91d3c1ec90a36dcd1d43857165035703f RMD160 (openssl-0.9.8k.tar.gz) = 496df7a5d33457b0d8e3b930a8e5cf068923182c @@ -11,3 +11,7 @@ SHA1 (patch-af) = 1eda5a96835b65d325c77ce5d39f1e524815a3c7 SHA1 (patch-ag) = 5f12c72b85e4b6c6a79dfcf87055e9e029fbd8c8 SHA1 (patch-ak) = 049250b9bd42e6f155145703135dab39a7ec17e0 SHA1 (patch-al) = 076a606352bdeaeea1cc64f16be2ac1325882302 +SHA1 (patch-ax) = ef0c657de2aa42baa365b9857583d1c55d0e7d1b +SHA1 (patch-ay) = 6d5de155e5508cd2237387626c8e1ff7ee603f8e +SHA1 (patch-az) = aa7ef7192d56979ba09aa1dab8a2cdf9868f9c4a +SHA1 (patch-ba) = b8ab55c0c6ab4b995cae18517609720f0803e11f diff --git a/security/openssl/patches/patch-ax b/security/openssl/patches/patch-ax new file mode 100644 index 00000000000..b710884ea85 --- /dev/null +++ b/security/openssl/patches/patch-ax @@ -0,0 +1,24 @@ +$NetBSD: patch-ax,v 1.1 2009/06/10 13:57:08 tez Exp $ + +Part of CVE-2009-1377 fix. + +--- crypto/pqueue/pqueue.c.orig 2009-06-08 18:55:59.826213100 -0500 ++++ crypto/pqueue/pqueue.c +@@ -234,3 +234,17 @@ pqueue_next(pitem **item) + + return ret; + } ++ ++int ++pqueue_size(pqueue_s *pq) ++{ ++ pitem *item = pq->items; ++ int count = 0; ++ ++ while(item != NULL) ++ { ++ count++; ++ item = item->next; ++ } ++ return count; ++} diff --git a/security/openssl/patches/patch-ay b/security/openssl/patches/patch-ay new file mode 100644 index 00000000000..166214c5209 --- /dev/null +++ b/security/openssl/patches/patch-ay @@ -0,0 +1,13 @@ +$NetBSD: patch-ay,v 1.1 2009/06/10 13:57:08 tez Exp $ + +Part of CVE-2009-1377 fix. + +--- crypto/pqueue/pqueue.h.orig 2009-06-08 18:57:00.672546600 -0500 ++++ crypto/pqueue/pqueue.h +@@ -91,5 +91,6 @@ pitem *pqueue_iterator(pqueue pq); + pitem *pqueue_next(piterator *iter); + + void pqueue_print(pqueue pq); ++int pqueue_size(pqueue pq); + + #endif /* ! HEADER_PQUEUE_H */ diff --git a/security/openssl/patches/patch-az b/security/openssl/patches/patch-az new file mode 100644 index 00000000000..9106990b117 --- /dev/null +++ b/security/openssl/patches/patch-az @@ -0,0 +1,42 @@ +$NetBSD: patch-az,v 1.1 2009/06/10 13:57:08 tez Exp $ + +CVE-2009-1378 and CVE-2009-1379 fixes. + +--- ssl/d1_both.c.orig 2009-06-08 18:59:50.629293200 -0500 ++++ ssl/d1_both.c +@@ -519,6 +519,8 @@ dtls1_retrieve_buffered_fragment(SSL *s, + + if ( s->d1->handshake_read_seq == frag->msg_header.seq) + { ++ unsigned long frag_len = frag->msg_header.frag_len; ++ + pqueue_pop(s->d1->buffered_messages); + + al=dtls1_preprocess_fragment(s,&frag->msg_header,max); +@@ -536,7 +538,7 @@ dtls1_retrieve_buffered_fragment(SSL *s, + if (al==0) + { + *ok = 1; +- return frag->msg_header.frag_len; ++ return frag_len; + } + + ssl3_send_alert(s,SSL3_AL_FATAL,al); +@@ -561,7 +563,16 @@ dtls1_process_out_of_seq_message(SSL *s, + if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len) + goto err; + +- if (msg_hdr->seq <= s->d1->handshake_read_seq) ++ /* Try to find item in queue, to prevent duplicate entries */ ++ pq_64bit_init(&seq64); ++ pq_64bit_assign_word(&seq64, msg_hdr->seq); ++ item = pqueue_find(s->d1->buffered_messages, seq64); ++ pq_64bit_free(&seq64); ++ ++ /* Discard the message if sequence number was already there, is ++ * too far in the future or the fragment is already in the queue */ ++ if (msg_hdr->seq <= s->d1->handshake_read_seq || ++ msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL) + { + unsigned char devnull [256]; + diff --git a/security/openssl/patches/patch-ba b/security/openssl/patches/patch-ba new file mode 100644 index 00000000000..557e03224ed --- /dev/null +++ b/security/openssl/patches/patch-ba @@ -0,0 +1,17 @@ +$NetBSD: patch-ba,v 1.1 2009/06/10 13:57:08 tez Exp $ + +Part of CVE-2009-1377 fix. + +--- ssl/d1_pkt.c.orig 2009-06-08 18:58:13.784215600 -0500 ++++ ssl/d1_pkt.c +@@ -167,6 +167,10 @@ dtls1_buffer_record(SSL *s, record_pqueu + DTLS1_RECORD_DATA *rdata; + pitem *item; + ++ /* Limit the size of the queue to prevent DOS attacks */ ++ if (pqueue_size(queue->q) >= 100) ++ return 0; ++ + rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA)); + item = pitem_new(priority, rdata); + if (rdata == NULL || item == NULL) -- cgit v1.2.3