[Pkg-openssl-changes] r524 - openssl/branches/squeeze/debian/patches
Kurt Roeckx
kroeckx at alioth.debian.org
Sat Jan 14 21:47:26 UTC 2012
Author: kroeckx
Date: 2012-01-14 21:47:26 +0000 (Sat, 14 Jan 2012)
New Revision: 524
Modified:
openssl/branches/squeeze/debian/patches/CVE-2011-4108.patch
openssl/branches/squeeze/debian/patches/CVE-2011-4577.patch
openssl/branches/squeeze/debian/patches/dtls-fragment-alert.patch
Log:
Make patches apply
Modified: openssl/branches/squeeze/debian/patches/CVE-2011-4108.patch
===================================================================
--- openssl/branches/squeeze/debian/patches/CVE-2011-4108.patch 2012-01-14 21:26:12 UTC (rev 523)
+++ openssl/branches/squeeze/debian/patches/CVE-2011-4108.patch 2012-01-14 21:47:26 UTC (rev 524)
@@ -1,8 +1,8 @@
-diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
-index e4f47e9..83702e5 100644
---- a/ssl/d1_pkt.c
-+++ b/ssl/d1_pkt.c
-@@ -335,6 +335,7 @@ dtls1_process_record(SSL *s)
+Index: openssl-0.9.8o/ssl/d1_pkt.c
+===================================================================
+--- openssl-0.9.8o.orig/ssl/d1_pkt.c 2010-04-14 00:09:39.000000000 +0000
++++ openssl-0.9.8o/ssl/d1_pkt.c 2012-01-14 21:36:36.000000000 +0000
+@@ -338,6 +338,7 @@
SSL3_RECORD *rr;
unsigned int mac_size;
unsigned char md[EVP_MAX_MD_SIZE];
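Review bot: The rebased patch file now starts directly with `Index: openssl-0.9.8o/ssl/d1_pkt.c` (L24), so the git header lines removed at L19–L20, which at least carried the upstream blob ids, were the only trace of where this change came from; the same applies to L84–L85 versus L89 and L205–L206 versus L210. A short DEP-3 style header above `Index:` — `Description: Fix CVE-2011-4108 (rebased onto openssl-0.9.8o)`, `Origin: upstream, <upstream commit id — placeholder, take from the original patch>`, `Bug-Debian: <placeholder>` — would keep provenance with the patch file rather than only in this commit log. The converted hunk header at L28 also drops the `dtls1_process_record(SSL *s)` function context that L23 carried; harmless for applying, but it makes later review of the patch harder to orient.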
@@ -10,16 +10,15 @@
rr= &(s->s3->rrec);
-@@ -369,13 +370,10 @@ dtls1_process_record(SSL *s)
+@@ -372,12 +373,10 @@
enc_err = s->method->ssl3_enc->enc(s,0);
if (enc_err <= 0)
{
-- /* decryption failed, silently discard message */
-- if (enc_err < 0)
-- {
-- rr->length = 0;
-- s->packet_length = 0;
-- }
+- if (enc_err == 0)
+- /* SSLerr() and ssl3_send_alert() have been called */
+- goto err;
+-
+- /* otherwise enc_err == -1 */
- goto err;
+ /* To minimize information leaked via timing, we will always
+ * perform all computations before discarding the message.
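Review bot: The new side at L45–L49 removes the 0.9.8o branch whose own comment (L46) says `SSLerr() and ssl3_send_alert() have been called` when `enc_err == 0`, so both that alert-already-sent case and the `enc_err == -1` case now fall through into the replacement path that, per L51–L52, performs all computations before discarding the message. Whether the 0.9.8o `enc()` still emits a distinguishable alert on the `enc_err == 0` path — which would leave the timing equalisation this backport introduces only partial — cannot be seen here, because the rest of the inner hunk lies outside this outer hunk. Worth confirming against the full rebased patch, and a one-line comment at the point the two branches merge, such as `/* 0.9.8o: enc() may already have sent an alert for enc_err == 0 — keep behaviour aligned with the upstream fix */`, would record the decision. The enclosing function dtls1_process_record starts and ends outside the hunk.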
@@ -28,7 +27,7 @@
}
#ifdef TLS_DEBUG
-@@ -401,7 +399,7 @@ if ( (sess == NULL) ||
+@@ -403,7 +402,7 @@
SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
goto f_err;
#else
@@ -37,7 +36,7 @@
#endif
}
/* check the MAC for rr->input (it's in mac_size bytes at the tail) */
-@@ -412,17 +410,25 @@ if ( (sess == NULL) ||
+@@ -414,17 +413,25 @@
SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT);
goto f_err;
#else
@@ -46,7 +45,7 @@
#endif
}
rr->length-=mac_size;
- s->method->ssl3_enc->mac(s,md,0);
+ i=s->method->ssl3_enc->mac(s,md,0);
if (memcmp(md,&(rr->data[rr->length]),mac_size) != 0)
{
- goto err;
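Review bot: L75 now stores the result of `ssl3_enc->mac(s,md,0)` in `i`, but the only test visible in this hunk is the `memcmp` at L76, and the line that consumes `i` is outside the outer hunk. The stored return value only matters if it is checked before the comparison result is trusted, e.g. `if (i < 0 || memcmp(md,&(rr->data[rr->length]),mac_size) != 0)`; confirm the rebased patch keeps that test and not just the assignment. Both the enclosing function and the remainder of the inner hunk continue past this outer hunk.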
Modified: openssl/branches/squeeze/debian/patches/CVE-2011-4577.patch
===================================================================
--- openssl/branches/squeeze/debian/patches/CVE-2011-4577.patch 2012-01-14 21:26:12 UTC (rev 523)
+++ openssl/branches/squeeze/debian/patches/CVE-2011-4577.patch 2012-01-14 21:47:26 UTC (rev 524)
@@ -1,8 +1,8 @@
-diff --git a/crypto/x509v3/v3_addr.c b/crypto/x509v3/v3_addr.c
-index d27a707..c0e1d2d 100644
---- a/crypto/x509v3/v3_addr.c
-+++ b/crypto/x509v3/v3_addr.c
-@@ -142,12 +142,13 @@ unsigned int v3_addr_get_afi(const IPAddressFamily *f)
+Index: openssl-0.9.8o/crypto/x509v3/v3_addr.c
+===================================================================
+--- openssl-0.9.8o.orig/crypto/x509v3/v3_addr.c 2012-01-14 21:41:17.000000000 +0000
++++ openssl-0.9.8o/crypto/x509v3/v3_addr.c 2012-01-14 21:42:33.000000000 +0000
+@@ -142,12 +142,13 @@
* Expand the bitstring form of an address into a raw byte array.
* At the moment this is coded for simplicity, not speed.
*/
@@ -18,7 +18,7 @@
if (bs->length > 0) {
memcpy(addr, bs->data, bs->length);
if ((bs->flags & 7) != 0) {
-@@ -159,6 +160,7 @@ static void addr_expand(unsigned char *addr,
+@@ -159,6 +160,7 @@
}
}
memset(addr + bs->length, fill, length - bs->length);
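Review bot: The context lines L98–L99 show `memcpy(addr, bs->data, bs->length)` guarded only by `bs->length > 0`, and L105's `memset(addr + bs->length, fill, length - bs->length)` would wrap if `bs->length` ever exceeded `length`; the return value that the rebased `addr_expand` hunk header at L102 introduces is only effective if a `bs->length > length` rejection precedes L99, and that line is not inside this outer hunk. The call-site hunk at L106–L137 depends on it entirely: L119–L120 and L128–L129 add `if (!addr_expand(addr, bs, N, fill)) return 0;` with no other length check on the bitstring. Confirm the rebased patch carries that rejection; `addr_expand` begins outside this hunk.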
@@ -26,25 +26,23 @@
}
/*
-@@ -181,15 +183,13 @@ static int i2r_address(BIO *out,
- return 0;
+@@ -179,11 +181,13 @@
+
switch (afi) {
case IANA_AFI_IPV4:
-- if (bs->length > 4)
-+ if (!addr_expand(addr, bs, 4, fill))
- return 0;
- addr_expand(addr, bs, 4, fill);
++ if (!addr_expand(addr, bs, 4, fill))
++ return 0;
BIO_printf(out, "%d.%d.%d.%d", addr[0], addr[1], addr[2], addr[3]);
break;
case IANA_AFI_IPV6:
-- if (bs->length > 16)
-+ if (!addr_expand(addr, bs, 16, fill))
- return 0;
- addr_expand(addr, bs, 16, fill);
++ if (!addr_expand(addr, bs, 16, fill))
++ return 0;
for (n = 16; n > 1 && addr[n-1] == 0x00 && addr[n-2] == 0x00; n -= 2)
;
for (i = 0; i < n; i += 2)
-@@ -315,6 +315,12 @@ static int i2r_IPAddrBlocks(X509V3_EXT_METHOD *method,
+@@ -309,6 +313,12 @@
/*
* Sort comparison function for a sequence of IPAddressOrRange
* elements.
@@ -57,7 +55,7 @@
*/
static int IPAddressOrRange_cmp(const IPAddressOrRange *a,
const IPAddressOrRange *b,
-@@ -327,22 +333,26 @@ static int IPAddressOrRange_cmp(const IPAddressOrRange *a,
+@@ -321,22 +331,26 @@
switch (a->type) {
case IPAddressOrRange_addressPrefix:
@@ -88,7 +86,7 @@
prefixlen_b = length * 8;
break;
}
-@@ -658,22 +668,22 @@ int v3_addr_add_range(IPAddrBlocks *addr,
+@@ -651,22 +665,22 @@
/*
* Extract min and max values from an IPAddressOrRange.
*/
@@ -119,7 +117,7 @@
}
/*
-@@ -689,9 +699,10 @@ int v3_addr_get_range(IPAddressOrRange *aor,
+@@ -682,9 +696,10 @@
if (aor == NULL || min == NULL || max == NULL ||
afi_length == 0 || length < afi_length ||
(aor->type != IPAddressOrRange_addressPrefix &&
@@ -132,7 +130,7 @@
return afi_length;
}
-@@ -773,8 +784,9 @@ int v3_addr_is_canonical(IPAddrBlocks *addr)
+@@ -766,8 +781,9 @@
IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, j + 1);
@@ -144,17 +142,17 @@
/*
* Punt misordered list, overlapping start, or inverted range.
-@@ -809,7 +821,8 @@ int v3_addr_is_canonical(IPAddrBlocks *addr)
+@@ -801,7 +817,8 @@
{
IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
- if (a != NULL && a->type == IPAddressOrRange_addressRange) {
+ if (a->type == IPAddressOrRange_addressRange) {
- extract_min_max(a, a_min, a_max, length);
+ if (!extract_min_max(a, a_min, a_max, length))
+ return 0;
- if (memcmp(a_min, a_max, length) > 0 ||
- range_should_be_prefix(a_min, a_max, length) >= 0)
+ if (range_should_be_prefix(a_min, a_max, length) >= 0)
return 0;
-@@ -845,8 +858,9 @@ static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors,
+ }
+@@ -836,8 +853,9 @@
unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];
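Review bot: The rebased context at L182–L184 shows that in 0.9.8o `v3_addr_is_canonical` tests only `range_should_be_prefix(a_min, a_max, length) >= 0`, whereas the 1.0.0 context the old patch carried also rejected an inverted range with `memcmp(a_min, a_max, length) > 0 ||`; L177–L178 likewise show the `a != NULL &&` guard absent from the 0.9.8o line, and in the L191–L199 hunk the `IPAddressOrRanges_canonize` comment context changes from `Punt inverted ranges.` to `Punt overlaps.`, suggesting the same gap there. These are base-code differences the commit merely reflects, but the backport's added `if (!extract_min_max(a, a_min, a_max, length)) return 0;` (L180–L181) does not cover a range whose min exceeds its max, so it is worth confirming whether 0.9.8o rejects inverted ranges elsewhere or whether that check should be backported alongside this patch. Both enclosing functions start and end outside these hunks.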
@@ -165,8 +163,8 @@
+ return 0;
/*
- * Punt inverted ranges.
-@@ -1132,13 +1146,15 @@ static int addr_contains(IPAddressOrRanges *parent,
+ * Punt overlaps.
+@@ -1097,13 +1115,15 @@
p = 0;
for (c = 0; c < sk_IPAddressOrRange_num(child); c++) {
Modified: openssl/branches/squeeze/debian/patches/dtls-fragment-alert.patch
===================================================================
--- openssl/branches/squeeze/debian/patches/dtls-fragment-alert.patch 2012-01-14 21:26:12 UTC (rev 523)
+++ openssl/branches/squeeze/debian/patches/dtls-fragment-alert.patch 2012-01-14 21:47:26 UTC (rev 524)
@@ -1,8 +1,8 @@
-diff --git a/ssl/d1_both.c b/ssl/d1_both.c
-index 1c4158d..85f4d83 100644
---- a/ssl/d1_both.c
-+++ b/ssl/d1_both.c
-@@ -793,7 +793,13 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
+Index: openssl-0.9.8o/ssl/d1_both.c
+===================================================================
+--- openssl-0.9.8o.orig/ssl/d1_both.c 2010-05-03 13:01:59.000000000 +0000
++++ openssl-0.9.8o/ssl/d1_both.c 2012-01-14 21:46:02.000000000 +0000
+@@ -806,7 +806,13 @@
*ok = 0;
return i;
}
@@ -17,7 +17,7 @@
/* parse the message fragment header */
dtls1_get_message_header(wire, &msg_hdr);
-@@ -865,7 +871,12 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
+@@ -876,7 +882,12 @@
/* XDTLS: an incorrectly formatted fragment should cause the
* handshake to fail */