[Pkg-openssl-changes] r524 - openssl/branches/squeeze/debian/patches

Kurt Roeckx kroeckx at alioth.debian.org
Sat Jan 14 21:47:26 UTC 2012


Author: kroeckx
Date: 2012-01-14 21:47:26 +0000 (Sat, 14 Jan 2012)
New Revision: 524

Modified:
   openssl/branches/squeeze/debian/patches/CVE-2011-4108.patch
   openssl/branches/squeeze/debian/patches/CVE-2011-4577.patch
   openssl/branches/squeeze/debian/patches/dtls-fragment-alert.patch
Log:
Make patches apply


Modified: openssl/branches/squeeze/debian/patches/CVE-2011-4108.patch
===================================================================
--- openssl/branches/squeeze/debian/patches/CVE-2011-4108.patch	2012-01-14 21:26:12 UTC (rev 523)
+++ openssl/branches/squeeze/debian/patches/CVE-2011-4108.patch	2012-01-14 21:47:26 UTC (rev 524)
@@ -1,8 +1,8 @@
-diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
-index e4f47e9..83702e5 100644
---- a/ssl/d1_pkt.c
-+++ b/ssl/d1_pkt.c
-@@ -335,6 +335,7 @@ dtls1_process_record(SSL *s)
+Index: openssl-0.9.8o/ssl/d1_pkt.c
+===================================================================
+--- openssl-0.9.8o.orig/ssl/d1_pkt.c	2010-04-14 00:09:39.000000000 +0000
++++ openssl-0.9.8o/ssl/d1_pkt.c	2012-01-14 21:36:36.000000000 +0000
+@@ -338,6 +338,7 @@
      SSL3_RECORD *rr;
  	unsigned int mac_size;
  	unsigned char md[EVP_MAX_MD_SIZE];
@@ -10,16 +10,15 @@
  
  
  	rr= &(s->s3->rrec);
-@@ -369,13 +370,10 @@ dtls1_process_record(SSL *s)
+@@ -372,12 +373,10 @@
  	enc_err = s->method->ssl3_enc->enc(s,0);
  	if (enc_err <= 0)
  		{
--		/* decryption failed, silently discard message */
--		if (enc_err < 0)
--			{
--			rr->length = 0;
--			s->packet_length = 0;
--			}
+-		if (enc_err == 0)
+-			/* SSLerr() and ssl3_send_alert() have been called */
+-			goto err;
+-
+-		/* otherwise enc_err == -1 */
 -		goto err;
 +		/* To minimize information leaked via timing, we will always
 +		 * perform all computations before discarding the message.
@@ -28,7 +27,7 @@
  		}
  
  #ifdef TLS_DEBUG
-@@ -401,7 +399,7 @@ if (	(sess == NULL) ||
+@@ -403,7 +402,7 @@
  			SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
  			goto f_err;
  #else
@@ -37,7 +36,7 @@
  #endif			
  			}
  		/* check the MAC for rr->input (it's in mac_size bytes at the tail) */
-@@ -412,17 +410,25 @@ if (	(sess == NULL) ||
+@@ -414,17 +413,25 @@
  			SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT);
  			goto f_err;
  #else
@@ -46,7 +45,7 @@
  #endif
  			}
  		rr->length-=mac_size;
- 		s->method->ssl3_enc->mac(s,md,0);
+ 		i=s->method->ssl3_enc->mac(s,md,0);
  		if (memcmp(md,&(rr->data[rr->length]),mac_size) != 0)
  			{
 -			goto err;

Modified: openssl/branches/squeeze/debian/patches/CVE-2011-4577.patch
===================================================================
--- openssl/branches/squeeze/debian/patches/CVE-2011-4577.patch	2012-01-14 21:26:12 UTC (rev 523)
+++ openssl/branches/squeeze/debian/patches/CVE-2011-4577.patch	2012-01-14 21:47:26 UTC (rev 524)
@@ -1,8 +1,8 @@
-diff --git a/crypto/x509v3/v3_addr.c b/crypto/x509v3/v3_addr.c
-index d27a707..c0e1d2d 100644
---- a/crypto/x509v3/v3_addr.c
-+++ b/crypto/x509v3/v3_addr.c
-@@ -142,12 +142,13 @@ unsigned int v3_addr_get_afi(const IPAddressFamily *f)
+Index: openssl-0.9.8o/crypto/x509v3/v3_addr.c
+===================================================================
+--- openssl-0.9.8o.orig/crypto/x509v3/v3_addr.c	2012-01-14 21:41:17.000000000 +0000
++++ openssl-0.9.8o/crypto/x509v3/v3_addr.c	2012-01-14 21:42:33.000000000 +0000
+@@ -142,12 +142,13 @@
   * Expand the bitstring form of an address into a raw byte array.
   * At the moment this is coded for simplicity, not speed.
   */
@@ -18,7 +18,7 @@
    if (bs->length > 0) {
      memcpy(addr, bs->data, bs->length);
      if ((bs->flags & 7) != 0) {
-@@ -159,6 +160,7 @@ static void addr_expand(unsigned char *addr,
+@@ -159,6 +160,7 @@
      }
    }
    memset(addr + bs->length, fill, length - bs->length);
@@ -26,25 +26,23 @@
  }
  
  /*
-@@ -181,15 +183,13 @@ static int i2r_address(BIO *out,
-     return 0;
+@@ -179,11 +181,13 @@
+ 
    switch (afi) {
    case IANA_AFI_IPV4:
--    if (bs->length > 4)
-+    if (!addr_expand(addr, bs, 4, fill))
-       return 0;
 -    addr_expand(addr, bs, 4, fill);
++    if (!addr_expand(addr, bs, 4, fill))
++      return 0;
      BIO_printf(out, "%d.%d.%d.%d", addr[0], addr[1], addr[2], addr[3]);
      break;
    case IANA_AFI_IPV6:
--    if (bs->length > 16)
-+    if (!addr_expand(addr, bs, 16, fill))
-       return 0;
 -    addr_expand(addr, bs, 16, fill);
++    if (!addr_expand(addr, bs, 16, fill))
++      return 0;
      for (n = 16; n > 1 && addr[n-1] == 0x00 && addr[n-2] == 0x00; n -= 2)
        ;
      for (i = 0; i < n; i += 2)
-@@ -315,6 +315,12 @@ static int i2r_IPAddrBlocks(X509V3_EXT_METHOD *method,
+@@ -309,6 +313,12 @@
  /*
   * Sort comparison function for a sequence of IPAddressOrRange
   * elements.
@@ -57,7 +55,7 @@
   */
  static int IPAddressOrRange_cmp(const IPAddressOrRange *a,
  				const IPAddressOrRange *b,
-@@ -327,22 +333,26 @@ static int IPAddressOrRange_cmp(const IPAddressOrRange *a,
+@@ -321,22 +331,26 @@
  
    switch (a->type) {
    case IPAddressOrRange_addressPrefix:
@@ -88,7 +86,7 @@
      prefixlen_b = length * 8;
      break;
    }
-@@ -658,22 +668,22 @@ int v3_addr_add_range(IPAddrBlocks *addr,
+@@ -651,22 +665,22 @@
  /*
   * Extract min and max values from an IPAddressOrRange.
   */
@@ -119,7 +117,7 @@
  }
  
  /*
-@@ -689,9 +699,10 @@ int v3_addr_get_range(IPAddressOrRange *aor,
+@@ -682,9 +696,10 @@
    if (aor == NULL || min == NULL || max == NULL ||
        afi_length == 0 || length < afi_length ||
        (aor->type != IPAddressOrRange_addressPrefix &&
@@ -132,7 +130,7 @@
    return afi_length;
  }
  
-@@ -773,8 +784,9 @@ int v3_addr_is_canonical(IPAddrBlocks *addr)
+@@ -766,8 +781,9 @@
        IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
        IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, j + 1);
  
@@ -144,17 +142,17 @@
  
        /*
         * Punt misordered list, overlapping start, or inverted range.
-@@ -809,7 +821,8 @@ int v3_addr_is_canonical(IPAddrBlocks *addr)
+@@ -801,7 +817,8 @@
      {
        IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
-       if (a != NULL && a->type == IPAddressOrRange_addressRange) {
+       if (a->type == IPAddressOrRange_addressRange) {
 -	extract_min_max(a, a_min, a_max, length);
 +	if (!extract_min_max(a, a_min, a_max, length))
 +	  return 0;
- 	if (memcmp(a_min, a_max, length) > 0 ||
- 	    range_should_be_prefix(a_min, a_max, length) >= 0)
+ 	if (range_should_be_prefix(a_min, a_max, length) >= 0)
  	  return 0;
-@@ -845,8 +858,9 @@ static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors,
+       }
+@@ -836,8 +853,9 @@
      unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
      unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];
  
@@ -165,8 +163,8 @@
 +      return 0;
  
      /*
-      * Punt inverted ranges.
-@@ -1132,13 +1146,15 @@ static int addr_contains(IPAddressOrRanges *parent,
+      * Punt overlaps.
+@@ -1097,13 +1115,15 @@
  
    p = 0;
    for (c = 0; c < sk_IPAddressOrRange_num(child); c++) {

Modified: openssl/branches/squeeze/debian/patches/dtls-fragment-alert.patch
===================================================================
--- openssl/branches/squeeze/debian/patches/dtls-fragment-alert.patch	2012-01-14 21:26:12 UTC (rev 523)
+++ openssl/branches/squeeze/debian/patches/dtls-fragment-alert.patch	2012-01-14 21:47:26 UTC (rev 524)
@@ -1,8 +1,8 @@
-diff --git a/ssl/d1_both.c b/ssl/d1_both.c
-index 1c4158d..85f4d83 100644
---- a/ssl/d1_both.c
-+++ b/ssl/d1_both.c
-@@ -793,7 +793,13 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
+Index: openssl-0.9.8o/ssl/d1_both.c
+===================================================================
+--- openssl-0.9.8o.orig/ssl/d1_both.c	2010-05-03 13:01:59.000000000 +0000
++++ openssl-0.9.8o/ssl/d1_both.c	2012-01-14 21:46:02.000000000 +0000
+@@ -806,7 +806,13 @@
  		*ok = 0;
  		return i;
  		}
@@ -17,7 +17,7 @@
  
  	/* parse the message fragment header */
  	dtls1_get_message_header(wire, &msg_hdr);
-@@ -865,7 +871,12 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
+@@ -876,7 +882,12 @@
  
  	/* XDTLS:  an incorrectly formatted fragment should cause the 
  	 * handshake to fail */




More information about the Pkg-openssl-changes mailing list