[Pkg-openssl-changes] r643 - in openssl/branches/wheezy/debian: . patches

Kurt Roeckx kroeckx at moszumanska.debian.org
Mon Jan 6 17:46:16 UTC 2014 

Author: kroeckx
Date: 2014-01-06 17:46:16 +0000 (Mon, 06 Jan 2014)
New Revision: 643

Added:
   openssl/branches/wheezy/debian/patches/CVE-2013-4353.patch
Modified:
   openssl/branches/wheezy/debian/changelog
   openssl/branches/wheezy/debian/patches/series
Log:
Fix for TLS record tampering bug CVE-2013-4353


Modified: openssl/branches/wheezy/debian/changelog
===================================================================
--- openssl/branches/wheezy/debian/changelog	2014-01-06 17:19:41 UTC (rev 642)
+++ openssl/branches/wheezy/debian/changelog	2014-01-06 17:46:16 UTC (rev 643)
@@ -1,7 +1,9 @@
 openssl (1.0.1e-2+deb7u2) stable-security; urgency=medium
 
-  * The patch we applied for CVE-2013-6450 was missing a commit causing
-    crashes.
+  * The patch we applied for CVE-2013-6450 was causing segfaults,
+    also apply the previous commit checking for NULL in
+    EVP_MD_CTX_destroy()
+  * Fix for TLS record tampering bug CVE-2013-4353
 
  -- Kurt Roeckx <kurt at roeckx.be>  Mon, 06 Jan 2014 18:17:13 +0100
 

Added: openssl/branches/wheezy/debian/patches/CVE-2013-4353.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/CVE-2013-4353.patch	                        (rev 0)
+++ openssl/branches/wheezy/debian/patches/CVE-2013-4353.patch	2014-01-06 17:46:16 UTC (rev 643)
@@ -0,0 +1,25 @@
+From: "Dr. Stephen Henson" <steve at openssl.org>
+Date: Mon, 6 Jan 2014 14:35:04 +0000
+Subject: [PATCH] Fix for TLS record tampering bug CVE-2013-4353
+Origin: upstream, commit:197e0ea817ad64820789d86711d55ff50d71f631
+
+diff --git a/ssl/s3_both.c b/ssl/s3_both.c
+index 1e5dcab..53b9390 100644
+--- a/ssl/s3_both.c
++++ b/ssl/s3_both.c
+@@ -210,7 +210,11 @@ static void ssl3_take_mac(SSL *s)
+ 	{
+ 	const char *sender;
+ 	int slen;
+-
++	/* If no new cipher setup return immediately: other functions will
++	 * set the appropriate error.
++	 */
++	if (s->s3->tmp.new_cipher == NULL)
++		return;
+ 	if (s->state & SSL_ST_CONNECT)
+ 		{
+ 		sender=s->method->ssl3_enc->server_finished_label;
+-- 
+1.8.5.2
+

Modified: openssl/branches/wheezy/debian/patches/series
===================================================================
--- openssl/branches/wheezy/debian/patches/series	2014-01-06 17:19:41 UTC (rev 642)
+++ openssl/branches/wheezy/debian/patches/series	2014-01-06 17:46:16 UTC (rev 643)
@@ -40,3 +40,4 @@
 CVE-2013-6450.patch
 disable_rdrand.patch
 disable_dual_ec_drbg.patch
+CVE-2013-4353.patch

More information about the Pkg-openssl-changes mailing list