Ticket #6136: openssl_v2.patch

File openssl_v2.patch, 8.0 KB (added by puchu, 7 years ago)

The md5sum was malformed; here is an updated patch :)

  • package/openssl

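--- a/package/openssl/Makefile
+++ b/package/openssl/Makefile
@@ -8,15 +8,15 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openssl
-PKG_VERSION:=0.9.8k
-PKG_RELEASE:=2
+PKG_VERSION:=0.9.8l
+PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://www.openssl.org/source/ \
         ftp://ftp.funet.fi/pub/crypt/cryptography/libs/openssl/source/ \
         ftp://ftp.webmonster.de/pub/openssl/source/ \
         ftp://ftp.sunet.se/pub/security/tools/net/openssl/source/
-PKG_MD5SUM:=e555c6d58d276aec7fdc53363e338ab3
+PKG_MD5SUM:=05a0ece1372392a2cf310ebb96333025
 
 PKG_BUILD_DEPENDS:=ocf-crypto-headers
 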
  • patches/900-CVE-2009-1377.patch

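--- a/package/openssl/patches/900-CVE-2009-1377.patch
+++ b/package/openssl/patches/900-CVE-2009-1377.patch
@@ -0,0 +1,53 @@
+http://rt.openssl.org/Ticket/Display.html?id=1931&user=guest&pass=guest
+
+Index: openssl/crypto/pqueue/pqueue.c
+RCS File: /v/openssl/cvs/openssl/crypto/pqueue/pqueue.c,v
+rcsdiff -q -kk '-r1.2.2.4' '-r1.2.2.5' -u '/v/openssl/cvs/openssl/crypto/pqueue/pqueue.c,v' 2>/dev/null
+--- pqueue.c    2005/06/28 12:53:33     1.2.2.4
++++ pqueue.c    2009/05/16 16:18:44     1.2.2.5
+@@ -234,3 +234,17 @@
+ 
+        return ret;
+        }
++
++int
++pqueue_size(pqueue_s *pq)
++{
++       pitem *item = pq->items;
++       int count = 0;
++       
++       while(item != NULL)
++       {
++               count++;
++               item = item->next;
++       }
++       return count;
++}
+Index: openssl/crypto/pqueue/pqueue.h
+RCS File: /v/openssl/cvs/openssl/crypto/pqueue/pqueue.h,v
+rcsdiff -q -kk '-r1.2.2.1' '-r1.2.2.2' -u '/v/openssl/cvs/openssl/crypto/pqueue/pqueue.h,v' 2>/dev/null
+--- pqueue.h    2005/05/30 22:34:27     1.2.2.1
++++ pqueue.h    2009/05/16 16:18:44     1.2.2.2
+@@ -91,5 +91,6 @@
+ pitem *pqueue_next(piterator *iter);
+ 
+ void   pqueue_print(pqueue pq);
++int    pqueue_size(pqueue pq);
+ 
+ #endif /* ! HEADER_PQUEUE_H */
+Index: openssl/ssl/d1_pkt.c
+RCS File: /v/openssl/cvs/openssl/ssl/d1_pkt.c,v
+rcsdiff -q -kk '-r1.4.2.17' '-r1.4.2.18' -u '/v/openssl/cvs/openssl/ssl/d1_pkt.c,v' 2>/dev/null
+--- d1_pkt.c    2009/05/16 15:51:59     1.4.2.17
++++ d1_pkt.c    2009/05/16 16:18:45     1.4.2.18
+@@ -167,6 +167,10 @@
+     DTLS1_RECORD_DATA *rdata;
+        pitem *item;
+ 
++       /* Limit the size of the queue to prevent DOS attacks */
++       if (pqueue_size(queue->q) >= 100)
++               return 0;
++               
+        rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
+        item = pitem_new(priority, rdata);
+        if (rdata == NULL || item == NULL)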
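Review bot: In the d1_pkt.c hunk the queue cap is a bare `100`, and every buffered record now costs a full list walk in `pqueue_size()`, which dereferences `pq` without a NULL check. I would name the bound, for example `#define DTLS1_MAX_BUFFERED_RECORDS 100` (the name is only a suggestion), test `if (pqueue_size(queue->q) >= DTLS1_MAX_BUFFERED_RECORDS)`, and extend the comment to say the limit caps the memory a peer can make the receiver hold. The early `return 0` drops the record silently; how the caller interprets 0 is outside the hunk, so confirm it is not read as "buffered successfully". The enclosing function in d1_pkt.c starts and ends outside the hunk.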
  • patches/900-CVE-2009-1378.patch

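--- a/package/openssl/patches/900-CVE-2009-1378.patch
+++ b/package/openssl/patches/900-CVE-2009-1378.patch
@@ -0,0 +1,24 @@
+http://rt.openssl.org/Ticket/Display.html?id=1931&user=guest&pass=guest
+
+Index: openssl/ssl/d1_both.c
+===================================================================
+--- d1_both.c.orig
++++ d1_both.c
+@@ -561,7 +561,16 @@ dtls1_process_out_of_seq_message(SSL *s,
+        if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len)
+                goto err;
+ 
+-       if (msg_hdr->seq <= s->d1->handshake_read_seq)
++       /* Try to find item in queue, to prevent duplicate entries */
++       pq_64bit_init(&seq64);
++       pq_64bit_assign_word(&seq64, msg_hdr->seq);
++       item = pqueue_find(s->d1->buffered_messages, seq64);
++       pq_64bit_free(&seq64);
++       
++       /* Discard the message if sequence number was already there, is
++        * too far in the future or the fragment is already in the queue */
++       if (msg_hdr->seq <= s->d1->handshake_read_seq ||
++               msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL)
+                {
+                unsigned char devnull [256];
+ 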
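Review bot: The look-ahead window in the new condition is a bare `+ 10` with no stated rationale, yet it is what bounds how far ahead of `handshake_read_seq` a peer can make the receiver buffer handshake messages. I would give it a name and say why that value was chosen, for example with `/* accept at most 10 future handshake messages; larger gaps are discarded */` directly above the `if`. The added lines also use `seq64` and `item`, whose declarations are not in the hunk; they presumably sit at the top of `dtls1_process_out_of_seq_message`, which starts and ends outside this hunk, so confirm they exist in the 0.9.8l source this is applied to.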
  • patches/900-CVE-2009-1379.patch

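--- a/package/openssl/patches/900-CVE-2009-1379.patch
+++ b/package/openssl/patches/900-CVE-2009-1379.patch
@@ -0,0 +1,22 @@
+Index: openssl/ssl/d1_both.c
+RCS File: /v/openssl/cvs/openssl/ssl/d1_both.c,v
+rcsdiff -q -kk '-r1.14.2.6' '-r1.14.2.7' -u '/v/openssl/cvs/openssl/ssl/d1_both.c,v' 2>/dev/null
+--- d1_both.c   2009/04/22 12:17:02     1.14.2.6
++++ d1_both.c   2009/05/13 11:51:30     1.14.2.7
+@@ -519,6 +519,7 @@
+ 
+        if ( s->d1->handshake_read_seq == frag->msg_header.seq)
+                {
++               unsigned long frag_len = frag->msg_header.frag_len;
+                pqueue_pop(s->d1->buffered_messages);
+ 
+                al=dtls1_preprocess_fragment(s,&frag->msg_header,max);
+@@ -536,7 +537,7 @@
+                if (al==0)
+                        {
+                        *ok = 1;
+-                       return frag->msg_header.frag_len;
++                       return frag_len;
+                        }
+ 
+                ssl3_send_alert(s,SSL3_AL_FATAL,al);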
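Review bot: The new local `frag_len` has no comment saying why the length is copied before `pqueue_pop()`, so the copy looks redundant and is easy to "simplify" back into a read through `frag` at the return. I would add `/* copy now: frag is released before the return below */` on the declaration. The release itself presumably happens between the two hunks and is not visible here, so check the wording against the full function. The function's return type is also outside the hunk; if it is `int`, returning an `unsigned long` narrows implicitly, as the old expression may already have done.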
  • patches/901-remove_rej.patch

    diff -burN package/openssl/patches/901-remove_rej.patch package/openssl.patched/patches/901-remove_rej.patch
    old new  
     1diff -burN openssl-0.9.8l/Configure.rej openssl-0.9.8l.patched/Configure.rej 
     2--- openssl-0.9.8l/Configure.rej        2009-11-05 13:07:06.000000000 +0100 
     3+++ openssl-0.9.8l.patched/Configure.rej        1970-01-01 01:00:00.000000000 +0100 
     4@@ -1,16 +0,0 @@ 
     5-*************** 
     6-*** 162,167 **** 
     7-  "debug-ben-openbsd","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::", 
     8-  "debug-ben-openbsd-debug","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::", 
     9-  "debug-ben-debug",   "gcc:$gcc_devteam_warn -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG  -DDEBUG_SAFESTACK -g3 -O2 -pipe::(unknown)::::::", 
     10-  "debug-ben-strict",  "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe::(unknown)::::::", 
     11-  "debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", 
     12-  "debug-bodo",        "gcc:-DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBIO_PAIR_DEBUG -DPEDANTIC -g -march=i486 -pedantic -Wshadow -Wall -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", 
     13---- 162,168 ---- 
     14-  "debug-ben-openbsd","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::", 
     15-  "debug-ben-openbsd-debug","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::", 
     16-  "debug-ben-debug",   "gcc:$gcc_devteam_warn -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG  -DDEBUG_SAFESTACK -g3 -O2 -pipe::(unknown)::::::", 
     17-+ "debug-ben-no-renegotiation",        "gcc:$gcc_devteam_warn -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG  -DDEBUG_SAFESTACK -DNO_RENEGOTIATION -g3 -O2 -pipe::(unknown)::::::", 
     18-  "debug-ben-strict",  "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe::(unknown)::::::", 
     19-  "debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", 
     20-  "debug-bodo",        "gcc:-DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBIO_PAIR_DEBUG -DPEDANTIC -g -march=i486 -pedantic -Wshadow -Wall -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",