rpms/openssl096b/FC-3 openssl-0.9.6b-cve-2004-0079.patch, NONE, 1.1 openssl-0.9.6b-recursion.patch, NONE, 1.1 openssl.spec, 1.8, 1.9

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Mon Oct 31 18:14:16 UTC 2005


Author: tmraz

Update of /cvs/dist/rpms/openssl096b/FC-3
In directory cvs.devel.redhat.com:/tmp/cvs-serv30698

Modified Files:
	openssl.spec 
Added Files:
	openssl-0.9.6b-cve-2004-0079.patch 
	openssl-0.9.6b-recursion.patch 
Log Message:
* Mon Oct 31 2005 Tomas Mraz <tmraz at redhat.com> 0.9.6b-21.42
- fix CVE-2004-0079 - prevent a null pointer assignment in
  do_change_cipher_spec()
- add security fix for CVE-2003-0851 to sync with 2.1AS


openssl-0.9.6b-cve-2004-0079.patch:
 s3_pkt.c |    7 +++++++
 1 files changed, 7 insertions(+)

--- NEW FILE openssl-0.9.6b-cve-2004-0079.patch ---
Prevents a null-pointer assignment in the
do_change_cipher_spec() function (CVE-2004-0079).
--- openssl-engine-0.9.6b/ssl/s3_pkt.c	Mon Sep 26 17:08:06 2005
+++ openssl-engine-0.9.6b/ssl/s3_pkt.c.dccs	Mon Sep 26 17:12:12 2005
@@ -1035,6 +1035,13 @@
 			goto err;
 			}
 
+		/* Check we have a cipher to change to */
+		if (s->s3->tmp.new_cipher == NULL) {
+			al=SSL_AD_UNEXPECTED_MESSAGE;
+			SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_CCS_RECEIVED_EARLY);
+			goto f_err;
+		}
+
 		rr->length=0;
 		s->s3->change_cipher_spec=1;
 		if (!do_change_cipher_spec(s))
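Review bot: The new error is recorded under `SSL_F_SSL3_GET_CERT_VERIFY`, but the patched file is ssl/s3_pkt.c, so the error queue would attribute an early ChangeCipherSpec to the certificate-verify handler and mislead anyone triaging handshake failures from logs. The enclosing function starts outside the hunk; if it is the record-reading routine, `SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_CCS_RECEIVED_EARLY);` would be the accurate function code. As a style point, the added `if (...) {` puts the brace on the condition line, while the context line just above closes its block with the brace indented to body level.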

openssl-0.9.6b-recursion.patch:
 a_bytes.c |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

--- NEW FILE openssl-0.9.6b-recursion.patch ---
CAN-2003-0851

Patch from Dr Stephen N Henson to fix deep recursion in OpenSSL 0.9.6
and an issue there where OpenSSL doesn't work out the remaining length
for indefinite length constructed headers.

diff -ur -x CVS openssl6/crypto/asn1/a_bytes.c ossl6/crypto/asn1/a_bytes.c
--- openssl6/crypto/asn1/a_bytes.c	2000-06-01 23:16:27.000000000 +0100
+++ ossl6/crypto/asn1/a_bytes.c	2003-10-09 12:33:28.000000000 +0100
@@ -201,7 +201,10 @@
 		c.pp=pp;
 		c.p=p;
 		c.inf=inf;
-		c.slen=len;
+		if (inf & 1)
+			c.slen = p - *pp;
+		else
+			c.slen=len;
 		c.tag=Ptag;
 		c.xclass=Pclass;
 		c.max=(length == 0)?0:(p+length);
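Review bot: `c.slen = p - *pp` looks like the count of header bytes already consumed rather than the bytes still available, which is what the patch description says this should compute. The start of the function is outside the hunk, but `c.pp=pp; c.p=p;` suggest that `p` began at `*pp` and was advanced past the tag and length; in that case the remaining length would be `c.slen = length - (p - *pp);`. The second hunk passes `c->slen` as the bound of the recursive `d2i_ASN1_bytes` call, so please confirm which value is intended and say so in a short comment, for example `/* indefinite length: bound by what is left of the caller's buffer */`. The `c.max` line treats `length == 0` specially, so any subtraction from `length` needs the same care.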
@@ -289,7 +292,7 @@
 			}
 
 		c->q=c->p;
-		if (d2i_ASN1_bytes(&os,&c->p,c->max-c->p,c->tag,c->xclass)
+		if (d2i_ASN1_bytes(&os,&c->p,c->slen,c->tag,c->xclass)
 			== NULL)
 			{
 			c->error=ERR_R_ASN1_LIB;
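Review bot: The bound now passed to the recursive call, `c->slen`, is only correct if it shrinks as `c->p` advances, and the hunk does not show that update for the indefinite-length case. `c->q=c->p` just above records the start position, so `c->slen -= (c->p - c->q);` after each successful call would keep the bound in step with the cursor. The loop continues outside this hunk; please confirm it does this for both length forms, otherwise later iterations receive a bound larger than the bytes actually left in the buffer.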


Index: openssl.spec
===================================================================
RCS file: /cvs/dist/rpms/openssl096b/FC-3/openssl.spec,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- openssl.spec	11 Oct 2005 19:26:41 -0000	1.8
+++ openssl.spec	31 Oct 2005 18:14:12 -0000	1.9
@@ -4,7 +4,7 @@
 Summary: The OpenSSL toolkit.
 Name: openssl096b
 Version: 0.9.6b
-Release: 21.2
+Release: 21.42
 Source: openssl-engine-%{version}-usa.tar.bz2
 Source1: hobble-openssl
 Source2: Makefile.certificate
@@ -52,6 +52,8 @@
 Patch33: openssl-0.9.6b-can-2005-0109.patch
 Patch34: openssl-engine-0.9.6b-dsa-consttime.patch
 Patch35: openssl-0.9.6b-can-2005-2969.patch
+Patch36: openssl-0.9.6b-recursion.patch
+Patch38: openssl-0.9.6b-cve-2004-0079.patch
 License: BSDish
 Group: System Environment/Libraries
 URL: http://www.openssl.org/
@@ -135,6 +137,8 @@
 %patch33 -p1 -b .modexp-consttime
 %patch34 -p1 -b .dsa-consttime
 %patch35 -p0 -b .ssl2-rollback
+%patch36 -p1 -b .recursion
+%patch38 -p1 -b .dccs
 
 chmod 644 FAQ LICENSE CHANGES NEWS INSTALL README
 chmod 644 doc/README doc/c-indentation.el doc/openssl.txt
@@ -306,6 +310,11 @@
 %postun -p /sbin/ldconfig
 
 %changelog
+* Mon Oct 31 2005 Tomas Mraz <tmraz at redhat.com> 0.9.6b-21.42
+- fix CVE-2004-0079 - prevent a null pointer assignment in
+  do_change_cipher_spec()
+- add security fix for CVE-2003-0851 to sync with 2.1AS
+
 * Thu Oct  6 2005 Tomas Mraz <tmraz at redhat.com> 0.9.6b-21.2
 - fix CAN-2005-2969 - remove SSL_OP_MSIE_SSLV2_RSA_PADDING which
   disables the countermeasure against man in the middle attack in SSLv2



