[Pkg-erlang-commits] r2000 - in erlang/branches/backport-wheezy: . debian debian/patches

sgolovan at alioth.debian.org sgolovan at alioth.debian.org
Fri Dec 15 12:30:07 UTC 2017


Author: sgolovan
Date: 2017-12-15 12:30:07 +0000 (Fri, 15 Dec 2017)
New Revision: 2000

Added:
   erlang/branches/backport-wheezy/debian/patches/cve-2016-10253.patch
   erlang/branches/backport-wheezy/debian/patches/cve-2017-1000385.patch
Modified:
   erlang/branches/backport-wheezy/
   erlang/branches/backport-wheezy/debian/changelog
   erlang/branches/backport-wheezy/debian/patches/series
Log:
[erlang-wheezy-backports]
  * Merged jessie security changes to backport to wheezy.



Property changes on: erlang/branches/backport-wheezy
___________________________________________________________________
Modified: svn:mergeinfo
   - /erlang/branches/experimental:1283-1305,1468-1497,1591-1615
/erlang/tags/1:17.1-dfsg-4:1655-1656
/erlang/tags/1:17.3-dfsg-4:1701-1901
/erlang/trunk:1539-1696
   + /erlang/branches/experimental:1283-1305,1468-1497,1591-1615
/erlang/branches/jessie:1983-1999
/erlang/tags/1:17.1-dfsg-4:1655-1656
/erlang/tags/1:17.3-dfsg-4:1701-1982
/erlang/trunk:1539-1696

Modified: erlang/branches/backport-wheezy/debian/changelog
===================================================================
--- erlang/branches/backport-wheezy/debian/changelog	2017-12-15 12:20:44 UTC (rev 1999)
+++ erlang/branches/backport-wheezy/debian/changelog	2017-12-15 12:30:07 UTC (rev 2000)
@@ -1,9 +1,29 @@
-erlang (1:17.3-dfsg-4~bpo70+2) UNRELEASED; urgency=medium
+erlang (1:17.3-dfsg-4+deb8u2~bpo70+1) wheezy-backports; urgency=medium
 
-  * NOT RELEASED YET
+  * Backport to wheezy.
+  * Switched back to wxWidgets 2.8 for wheezy.
+  * Disabled patch which fixes wx constants for wxWidgets 3.0.
+  * Disabled systemd support for epmd.
 
- -- Sergei Golovan <sgolovan at debian.org>  Sat, 04 Mar 2017 08:23:03 +0300
+ -- Sergei Golovan <sgolovan at debian.org>  Fri, 15 Dec 2017 15:28:09 +0300
 
+erlang (1:17.3-dfsg-4+deb8u2) jessie-security; urgency=high
+
+  * Applied a patch from the upstream which fixes CVE-2017-1000385
+    vulnerability (TLS server vunlerable to Adaptive Chosen Ciphertext attack
+    allowing plaintext recovery ot MITM attack).
+
+ -- Sergei Golovan <sgolovan at debian.org>  Wed, 06 Dec 2017 09:50:47 +0300
+
+erlang (1:17.3-dfsg-4+deb8u1) stable-proposed-updates; urgency=medium
+
+  * Applied a patch from the PCRE upstream which fixes CVE-2016-10253
+    vulnerability (heap overflow while compiling certain regular expressions).
+    The patch is taken from https://github.com/erlang/otp/pull/1108 and
+    modified to match the original patch by PCRE developers (closes: #858313).
+
+ -- Sergei Golovan <sgolovan at debian.org>  Mon, 24 Apr 2017 09:13:29 +0300
+
 erlang (1:17.3-dfsg-4~bpo70+1) wheezy-backports; urgency=low
 
   * Backport to wheezy.

Copied: erlang/branches/backport-wheezy/debian/patches/cve-2016-10253.patch (from rev 1982, erlang/tags/1:17.3-dfsg-4/debian/patches/cve-2016-10253.patch)
===================================================================
--- erlang/branches/backport-wheezy/debian/patches/cve-2016-10253.patch	                        (rev 0)
+++ erlang/branches/backport-wheezy/debian/patches/cve-2016-10253.patch	2017-12-15 12:30:07 UTC (rev 2000)
@@ -0,0 +1,116 @@
+Author: PCRE upstream
+Description: A fix for CVE-2016-10253 which is the heap overflow during
+ a regular expression compile phase. The offending regexp could be
+ "(?<=((?2))((?1)))".
+ The patch was found at https://github.com/erlang/otp/pull/1108 and
+ the original version from https://vcs.pcre.org/pcre?view=revision&revision=1542
+ and https://vcs.pcre.org/pcre?view=revision&revision=1560 and
+ https://vcs.pcre.org/pcre?view=revision&revision=1571
+ has been adapted.
+Last-Modified: Wed, 22 Mar 2017 15:35:07 +0300
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858313
+Bug-Upstream: https://bugs.erlang.org/browse/ERL-208
+
+--- a/erts/emulator/pcre/pcre_compile.c
++++ b/erts/emulator/pcre/pcre_compile.c
+@@ -649,6 +649,14 @@
+ #endif
+ 
+ 
++/* Structure for mutual recursion detection. */
++
++typedef struct recurse_check {
++  struct recurse_check *prev;
++  const pcre_uchar *group;
++} recurse_check;
++
++
+ 
+ /*************************************************
+ *            Find an error text                  *
+@@ -1734,6 +1742,7 @@
+   utf      TRUE in UTF-8 / UTF-16 / UTF-32 mode
+   atend    TRUE if called when the pattern is complete
+   cd       the "compile data" structure
++  recurses    chain of recurse_check to catch mutual recursion
+ 
+ Returns:   the fixed length,
+              or -1 if there is no fixed length,
+@@ -1743,10 +1752,11 @@
+ */
+ 
+ static int
+-find_fixedlength(pcre_uchar *code, BOOL utf, BOOL atend, compile_data *cd)
++find_fixedlength(pcre_uchar *code, BOOL utf, BOOL atend, compile_data *cd,
++  recurse_check *recurses)
+ {
+ int length = -1;
+-
++recurse_check this_recurse;
+ register int branchlength = 0;
+ register pcre_uchar *cc = code + 1 + LINK_SIZE;
+ 
+@@ -1771,7 +1781,8 @@
+     case OP_ONCE:
+     case OP_ONCE_NC:
+     case OP_COND:
+-    d = find_fixedlength(cc + ((op == OP_CBRA)? IMM2_SIZE : 0), utf, atend, cd);
++    d = find_fixedlength(cc + ((op == OP_CBRA)? IMM2_SIZE : 0), utf, atend, cd,
++      recurses);
+     if (d < 0) return d;
+     branchlength += d;
+     do cc += GET(cc, 1); while (*cc == OP_ALT);
+@@ -1805,7 +1816,16 @@
+     cs = ce = (pcre_uchar *)cd->start_code + GET(cc, 1);  /* Start subpattern */
+     do ce += GET(ce, 1); while (*ce == OP_ALT);           /* End subpattern */
+     if (cc > cs && cc < ce) return -1;                    /* Recursion */
+-    d = find_fixedlength(cs + IMM2_SIZE, utf, atend, cd);
++    else   /* Check for mutual recursion */
++      {
++      recurse_check *r = recurses;
++      for (r = recurses; r != NULL; r = r->prev) if (r->group == cs) break;
++      if (r != NULL) return -1;   /* Mutual recursion */
++      }
++    this_recurse.prev = recurses;
++    this_recurse.group = cs;
++    d = find_fixedlength(cs + IMM2_SIZE, utf, atend, cd, &this_recurse);
++
+     if (d < 0) return d;
+     branchlength += d;
+     cc += 1 + LINK_SIZE;
+@@ -1818,7 +1838,7 @@
+     case OP_ASSERTBACK:
+     case OP_ASSERTBACK_NOT:
+     do cc += GET(cc, 1); while (*cc == OP_ALT);
+-    cc += PRIV(OP_lengths)[*cc];
++    cc += 1 + LINK_SIZE;
+     break;
+ 
+     /* Skip over things that don't match chars */
+@@ -7255,7 +7275,7 @@
+       int fixed_length;
+       *code = OP_END;
+       fixed_length = find_fixedlength(last_branch,  (options & PCRE_UTF8) != 0,
+-        FALSE, cd);
++        FALSE, cd, NULL);
+       DPRINTF(("fixed length = %d\n", fixed_length));
+       if (fixed_length == -3)
+         {
+@@ -8249,7 +8269,7 @@
+ exceptional ones forgo this. We scan the pattern to check that they are fixed
+ length, and set their lengths. */
+ 
+-if (cd->check_lookbehind)
++if (errorcode == 0 && cd->check_lookbehind)
+   {
+   pcre_uchar *cc = (pcre_uchar *)codestart;
+ 
+@@ -8269,7 +8289,7 @@
+       int end_op = *be;
+       *be = OP_END;
+       fixed_length = find_fixedlength(cc, (re->options & PCRE_UTF8) != 0, TRUE,
+-        cd);
++        cd, NULL);
+       *be = end_op;
+       DPRINTF(("fixed length = %d\n", fixed_length));
+       if (fixed_length < 0)
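Review bot: The Description header explains only the heap-overflow symptom, while the diff carries three separate fixes: the recurse_check chain that detects mutual recursion in find_fixedlength, the replacement of `cc += PRIV(OP_lengths)[*cc]` with `cc += 1 + LINK_SIZE` in the assertion cases, and the `errorcode == 0 &&` guard on the lookbehind length check; a backport reader has to reconstruct this from the three upstream revision links. I would extend the Description with one sentence per change, e.g. ` Three upstream changes are folded in: mutual-recursion detection via a recurse_check chain, a fixed skip length for assertions (the terminating opcode may have been overwritten with OP_END by the caller), and skipping the lookbehind length check when compilation already failed.` The reason given for the fixed skip is inferred from the callers' `*code = OP_END` and `*be = OP_END` writes in this same patch and should be confirmed against the upstream revisions. A minor style point: `recurse_check *r = recurses;` is immediately re-assigned by the `for` initializer, so `recurse_check *r;` would do, though keeping the upstream text verbatim is reasonable for a security backport.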

Copied: erlang/branches/backport-wheezy/debian/patches/cve-2017-1000385.patch (from rev 1999, erlang/branches/jessie/debian/patches/cve-2017-1000385.patch)
===================================================================
--- erlang/branches/backport-wheezy/debian/patches/cve-2017-1000385.patch	                        (rev 0)
+++ erlang/branches/backport-wheezy/debian/patches/cve-2017-1000385.patch	2017-12-15 12:30:07 UTC (rev 2000)
@@ -0,0 +1,67 @@
+From de3b9cdb8521d7edd524b4e17d1e3f883f832ec0 Mon Sep 17 00:00:00 2001
+From: Ingela Anderton Andin <ingela at erlang.org>
+Date: Tue, 7 Nov 2017 18:34:34 +0100
+Subject: [PATCH] ssl: Countermeasurements for Bleichenbacher attack
+
+--- a/lib/ssl/src/dtls_connection.erl
++++ b/lib/ssl/src/dtls_connection.erl
+@@ -213,6 +213,7 @@
+             ssl_connection:hello({common_client_hello, Type, ServerHelloExt, HashSign},
+ 				 State#state{connection_states  = ConnectionStates,
+ 					     negotiated_version = Version,
++                                             client_hello_version = ClientVersion,
+ 					     session = Session,
+ 					     client_ecc = {EllipticCurves, EcPointFormats}}, ?MODULE);
+         #alert{} = Alert ->
+--- a/lib/ssl/src/ssl_connection.erl
++++ b/lib/ssl/src/ssl_connection.erl
+@@ -1135,8 +1135,25 @@
+     request_client_cert(State2, Connection).
+ 
+ certify_client_key_exchange(#encrypted_premaster_secret{premaster_secret= EncPMS},
+-			    #state{private_key = Key} = State, Connection) ->
+-    PremasterSecret = ssl_handshake:premaster_secret(EncPMS, Key),
++			    #state{private_key = Key, client_hello_version = {Major, Minor} = Version} = State, Connection) ->
++
++    %% Countermeasure for Bleichenbacher attack always provide some kind of premaster secret
++    %% and fail handshake later.RFC 5246 section 7.4.7.1.
++    PremasterSecret =
++        try ssl_handshake:premaster_secret(EncPMS, Key) of
++            Secret when erlang:byte_size(Secret) == ?NUM_OF_PREMASTERSECRET_BYTES ->
++                case Secret of
++                    <<?BYTE(Major), ?BYTE(Minor), _/binary>> -> %% Correct
++                        Secret;
++                    <<?BYTE(_), ?BYTE(_), Rest/binary>> -> %% Version mismatch
++                        <<?BYTE(Major), ?BYTE(Minor), Rest/binary>>
++                end;
++            _ -> %% erlang:byte_size(Secret) =/= ?NUM_OF_PREMASTERSECRET_BYTES
++                make_premaster_secret(Version, rsa)
++        catch 
++            #alert{description = ?DECRYPT_ERROR} ->
++                make_premaster_secret(Version, rsa)     
++        end,        
+     calculate_master_secret(PremasterSecret, State, Connection, certify, cipher);
+ 
+ certify_client_key_exchange(#client_diffie_hellman_public{dh_public = ClientPublicDhKey},
+--- a/lib/ssl/src/ssl_connection.hrl
++++ b/lib/ssl/src/ssl_connection.hrl
+@@ -53,7 +53,8 @@
+           session               :: #session{},
+ 	  session_cache         :: db_handle(),
+ 	  session_cache_cb      :: atom(),
+-          negotiated_version    :: ssl_record:ssl_version(),
++          negotiated_version    :: ssl_record:ssl_version() | 'undefined',
++          client_hello_version  :: ssl_record:ssl_version() | 'undefined',
+           client_certificate_requested = false :: boolean(),
+ 	  key_algorithm         :: ssl_cipher:key_algo(),
+ 	  hashsign_algorithm = {undefined, undefined},
+--- a/lib/ssl/src/tls_connection.erl
++++ b/lib/ssl/src/tls_connection.erl
+@@ -197,6 +197,7 @@
+             ssl_connection:hello({common_client_hello, Type, ServerHelloExt, HashSign},
+ 				 State#state{connection_states  = ConnectionStates,
+ 					     negotiated_version = Version,
++                                             client_hello_version = ClientVersion,
+ 					     session = Session,
+ 					     client_ecc = {EllipticCurves, EcPointFormats}}, ?MODULE);
+         #alert{} = Alert ->
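Review bot: In certify_client_key_exchange the substitute premaster secret is produced by `make_premaster_secret(Version, rsa)` only on the two failure paths (the size-mismatch branch and the `?DECRYPT_ERROR` catch), whereas RFC 5246 section 7.4.7.1, which the added comment cites, asks for the random bytes to be generated before the decryption so that the accepted and rejected paths do the same work; how much timing difference remains depends on make_premaster_secret, which is outside the hunk. I would hoist it: `Fallback = make_premaster_secret(Version, rsa),` before the `try`, and return `Fallback` from both of those branches. The `catch` clause matches only a thrown `#alert{description = ?DECRYPT_ERROR}`; if ssl_handshake:premaster_secret can fail with any other exception class, that failure would still abort the handshake early and remain distinguishable, which is worth confirming in ssl_handshake. The function head binds `client_hello_version = {Major, Minor}`, while the record field in ssl_connection.hrl now admits 'undefined', so a state reaching this clause without a client hello version would fail with function_clause instead of a TLS alert; the remaining clauses of certify_client_key_exchange lie outside the hunk.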

Modified: erlang/branches/backport-wheezy/debian/patches/series
===================================================================
--- erlang/branches/backport-wheezy/debian/patches/series	2017-12-15 12:20:44 UTC (rev 1999)
+++ erlang/branches/backport-wheezy/debian/patches/series	2017-12-15 12:30:07 UTC (rev 2000)
@@ -12,3 +12,5 @@
 sslv3disable.patch
 ssltlspoodle.patch
 beamload.patch
+cve-2016-10253.patch
+cve-2017-1000385.patch



