[Pkg-openssl-changes] r440 - in openssl/trunk/debian: . patches

Kurt Roeckx kroeckx at alioth.debian.org
Wed Jan 13 20:31:02 UTC 2010


Author: kroeckx
Date: 2010-01-13 20:31:01 +0000 (Wed, 13 Jan 2010)
New Revision: 440

Added:
   openssl/trunk/debian/patches/CVE-2009-4355.patch
Modified:
   openssl/trunk/debian/changelog
   openssl/trunk/debian/patches/series
Log:
Clean up zlib state so that it will be reinitialized on next use and
not cause a memory leak.  (CVE-2009-4355)


Modified: openssl/trunk/debian/changelog
===================================================================
--- openssl/trunk/debian/changelog	2009-11-28 14:18:22 UTC (rev 439)
+++ openssl/trunk/debian/changelog	2010-01-13 20:31:01 UTC (rev 440)
@@ -1,3 +1,10 @@
+openssl (0.9.8k-8) unstable; urgency=high
+
+  * Clean up zlib state so that it will be reinitialized on next use and
+    not cause a memory leak.  (CVE-2009-4355)
+
+ -- Kurt Roeckx <kurt at roeckx.be>  Wed, 13 Jan 2010 21:26:49 +0100
+
 openssl (0.9.8k-7) unstable; urgency=low
 
   * Bump the shlibs to require 0.9.8k-1.  The following symbols
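
Review bot: the new 0.9.8k-8 entry is uploaded with urgency=high but describes the issue only as a memory leak, while the patch it refers to is titled "memory consumption (DoS) vulnerability". Suggest stating the denial-of-service impact and naming debian/patches/CVE-2009-4355.patch in the entry, so the reason for the urgency is clear from the changelog alone.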

Added: openssl/trunk/debian/patches/CVE-2009-4355.patch
===================================================================
--- openssl/trunk/debian/patches/CVE-2009-4355.patch	                        (rev 0)
+++ openssl/trunk/debian/patches/CVE-2009-4355.patch	2010-01-13 20:31:01 UTC (rev 440)
@@ -0,0 +1,54 @@
+From: "Dr. Stephen Henson" <steve at openssl.org>
+Subject: memory consumption (DoS) vulnerability
+
+I've attached a patch which uses an alternative technique. The main problem is
+that the ex_data free function pointer is removed when
+CRYPTO_cleanup_all_ex_data() is called. If the compression structure is
+cleaned up directly this problem is avoided:
+
+Index: crypto/comp/c_zlib.c
+===================================================================
+RCS file: /v/openssl/cvs/openssl/crypto/comp/c_zlib.c,v
+retrieving revision 1.22
+diff -u -r1.22 c_zlib.c
+--- crypto/comp/c_zlib.c	13 Dec 2008 17:19:40 -0000	1.22
++++ crypto/comp/c_zlib.c	8 Jan 2010 23:56:13 -0000
+@@ -136,15 +136,6 @@
+ 
+ static int zlib_stateful_ex_idx = -1;
+ 
+-static void zlib_stateful_free_ex_data(void *obj, void *item,
+-	CRYPTO_EX_DATA *ad, int ind,long argl, void *argp)
+-	{
+-	struct zlib_state *state = (struct zlib_state *)item;
+-	inflateEnd(&state->istream);
+-	deflateEnd(&state->ostream);
+-	OPENSSL_free(state);
+-	}
+-
+ static int zlib_stateful_init(COMP_CTX *ctx)
+ 	{
+ 	int err;
+@@ -188,6 +179,12 @@
+ 
+ static void zlib_stateful_finish(COMP_CTX *ctx)
+ 	{
++	struct zlib_state *state =
++		(struct zlib_state *)CRYPTO_get_ex_data(&ctx->ex_data,
++			zlib_stateful_ex_idx);
++	inflateEnd(&state->istream);
++	deflateEnd(&state->ostream);
++	OPENSSL_free(state);
+ 	CRYPTO_free_ex_data(CRYPTO_EX_INDEX_COMP,ctx,&ctx->ex_data);
+ 	}
+ 
+@@ -402,7 +399,7 @@
+ 			if (zlib_stateful_ex_idx == -1)
+ 				zlib_stateful_ex_idx =
+ 					CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_COMP,
+-						0,NULL,NULL,NULL,zlib_stateful_free_ex_data);
++						0,NULL,NULL,NULL,NULL);
+ 			CRYPTO_w_unlock(CRYPTO_LOCK_COMP);
+ 			if (zlib_stateful_ex_idx == -1)
+ 				goto err;
+
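
Review bot: in zlib_stateful_finish() the pointer returned by CRYPTO_get_ex_data() goes straight into inflateEnd(&state->istream) and deflateEnd(&state->ostream) with no NULL check, so a COMP_CTX whose ex_data slot was never populated would dereference NULL here. Suggest wrapping the three cleanup calls in an `if (state != NULL)` guard, still followed by CRYPTO_free_ex_data(). A comment at the CRYPTO_get_ex_new_index() call would also help: with zlib_stateful_free_ex_data removed and the free callback now NULL, zlib_stateful_finish() is the only place the zlib_state is released, so any path that frees the ex_data without going through it would leak the state.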

Modified: openssl/trunk/debian/patches/series
===================================================================
--- openssl/trunk/debian/patches/series	2009-11-28 14:18:22 UTC (rev 439)
+++ openssl/trunk/debian/patches/series	2010-01-13 20:31:01 UTC (rev 440)
@@ -26,3 +26,4 @@
 CVE-2009-2409.patch
 no_check_self_signed.patch
 CVE-2009-3555.patch
+CVE-2009-4355.patch



