[Pkg-openssl-changes] r461 - in openssl/trunk/debian: . patches
Kurt Roeckx
kroeckx at alioth.debian.org
Tue Nov 16 18:02:39 UTC 2010
Author: kroeckx
Date: 2010-11-16 18:02:30 +0000 (Tue, 16 Nov 2010)
New Revision: 461
Added:
openssl/trunk/debian/patches/CVE-2010-3864.patch
Modified:
openssl/trunk/debian/changelog
openssl/trunk/debian/patches/series
Log:
Fix TLS extension parsing race condition (CVE-2010-3864) (Closes: #603709)
Modified: openssl/trunk/debian/changelog
===================================================================
--- openssl/trunk/debian/changelog 2010-08-26 16:46:16 UTC (rev 460)
+++ openssl/trunk/debian/changelog 2010-11-16 18:02:30 UTC (rev 461)
@@ -1,3 +1,9 @@
+openssl (0.9.8o-3) unstable; urgency=low
+
+ * Fix TLS extension parsing race condition (CVE-2010-3864) (Closes: #603709)
+
+ -- Kurt Roeckx <kurt at roeckx.be> Tue, 16 Nov 2010 19:01:06 +0100
+
openssl (0.9.8o-2) unstable; urgency=high
* Fix CVE-2010-2939: Double free using ECDH. (Closes: #594415)
Added: openssl/trunk/debian/patches/CVE-2010-3864.patch
===================================================================
--- openssl/trunk/debian/patches/CVE-2010-3864.patch (rev 0)
+++ openssl/trunk/debian/patches/CVE-2010-3864.patch 2010-11-16 18:02:30 UTC (rev 461)
@@ -0,0 +1,45 @@
+Index: ssl/t1_lib.c
+===================================================================
+RCS file: /v/openssl/cvs/openssl/ssl/t1_lib.c,v
+retrieving revision 1.13.2.27
+diff -u -r1.13.2.27 t1_lib.c
+--- ssl/t1_lib.c 12 Jun 2010 13:18:58 -0000 1.13.2.27
++++ ssl/t1_lib.c 3 Nov 2010 23:44:54 -0000
+@@ -432,14 +432,23 @@
+ switch (servname_type)
+ {
+ case TLSEXT_NAMETYPE_host_name:
+- if (s->session->tlsext_hostname == NULL)
++ if (!s->hit)
+ {
+- if (len > TLSEXT_MAXLEN_host_name ||
+- ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL))
++ if(s->session->tlsext_hostname)
++ {
++ *al = SSL_AD_DECODE_ERROR;
++ return 0;
++ }
++ if (len > TLSEXT_MAXLEN_host_name)
+ {
+ *al = TLS1_AD_UNRECOGNIZED_NAME;
+ return 0;
+ }
++ if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
++ {
++ *al = TLS1_AD_INTERNAL_ERROR;
++ return 0;
++ }
+ memcpy(s->session->tlsext_hostname, sdata, len);
+ s->session->tlsext_hostname[len]='\0';
+ if (strlen(s->session->tlsext_hostname) != len) {
+@@ -452,7 +461,8 @@
+
+ }
+ else
+- s->servername_done = strlen(s->session->tlsext_hostname) == len
++ s->servername_done = s->session->tlsext_hostname
++ && strlen(s->session->tlsext_hostname) == len
+ && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
+
+ break;
+
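Review bot: The new `if (!s->hit)` guard in the first t1_lib.c hunk has no comment saying why a resumed handshake must not write `s->session->tlsext_hostname`, and that reason is the whole fix. Going by the commit log (a race in TLS extension parsing), the session object on a resumed handshake is presumably shared with other connections, so a comment above the guard such as `/* resumed session: s->session may be shared; compare only, never allocate or overwrite */` would help keep a later edit from reintroducing the write. The patch file also starts directly at `Index: ssl/t1_lib.c` with no header naming its origin; a short description and origin line would let a reviewer check it against the upstream change. The enclosing switch and function begin and end outside both inner hunks, so the free path after the `strlen` check cannot be reviewed from here.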
Modified: openssl/trunk/debian/patches/series
===================================================================
--- openssl/trunk/debian/patches/series 2010-08-26 16:46:16 UTC (rev 460)
+++ openssl/trunk/debian/patches/series 2010-11-16 18:02:30 UTC (rev 461)
@@ -19,3 +19,4 @@
version-script.patch
perl-path.diff
CVE-2010-2939.patch
+CVE-2010-3864.patch