From 21fa437a37dad14145b6c8c8c16c95f1b074e09c Mon Sep 17 00:00:00 2001 From: Paul Eggleton Date: Mon, 9 Jun 2014 16:53:44 +0100 Subject: openssl: use upstream fix for CVE-2014-0198 This replaces the fix for CVE-2014-0198 with one borrowed from Fedora, which is the same as the patch which was actually applied upstream for the issue, i.e.: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=b107586c0c3447ea22dba8698ebbcd81bb29d48c Signed-off-by: Paul Eggleton Signed-off-by: Richard Purdie --- .../openssl-1.0.1e-cve-2014-0198.patch | 38 ++++++++++++++++++++++ .../openssl-1.0.1e/openssl-CVE-2014-0198-fix.patch | 23 ------------- .../recipes-connectivity/openssl/openssl_1.0.1e.bb | 2 +- 3 files changed, 39 insertions(+), 24 deletions(-) create mode 100644 meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-1.0.1e-cve-2014-0198.patch delete mode 100644 meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-CVE-2014-0198-fix.patch diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-1.0.1e-cve-2014-0198.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-1.0.1e-cve-2014-0198.patch new file mode 100644 index 0000000000..12dcfb7f3a --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-1.0.1e-cve-2014-0198.patch @@ -0,0 +1,38 @@ +From: Matt Caswell +Date: Sun, 11 May 2014 23:38:37 +0000 (+0100) +Subject: Fixed NULL pointer dereference. See PR#3321 +X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=b107586 + +Fixed NULL pointer dereference. See PR#3321 + +Patch borrowed from Fedora +Upstream-Status: Backport +Signed-off-by: Paul Eggleton + +--- + +diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c +index 40eb0dd..d961d12 100644 +--- a/ssl/s3_pkt.c ++++ b/ssl/s3_pkt.c +@@ -657,9 +657,6 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf, + SSL3_BUFFER *wb=&(s->s3->wbuf); + SSL_SESSION *sess; + +- if (wb->buf == NULL) +- if (!ssl3_setup_write_buffer(s)) +- return -1; + + /* first check if there is a SSL3_BUFFER still being written + * out. This will happen with non blocking IO */ +@@ -675,6 +672,10 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf, + /* if it went, fall through and send more stuff */ + } + ++ if (wb->buf == NULL) ++ if (!ssl3_setup_write_buffer(s)) ++ return -1; ++ + if (len == 0 && !create_empty_fragment) + return 0; + diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-CVE-2014-0198-fix.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-CVE-2014-0198-fix.patch deleted file mode 100644 index 4c51d746ff..0000000000 --- a/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-CVE-2014-0198-fix.patch +++ /dev/null @@ -1,23 +0,0 @@ -Upstream-Status: Backport - -Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1093837 - -CVE-2014-0198: An attacker can trigger generation of an SSL -alert which could cause a null pointer dereference. - -Signed-off-by: Maxin B. John ---- -diff -Naur openssl-1.0.1g-orig/ssl/s3_pkt.c openssl-1.0.1g/ssl/s3_pkt.c ---- openssl-1.0.1g-orig/ssl/s3_pkt.c 2014-03-17 17:14:20.000000000 +0100 -+++ openssl-1.0.1g/ssl/s3_pkt.c 2014-05-06 02:32:43.862587660 +0200 -@@ -657,6 +657,10 @@ - if (i <= 0) - return(i); - /* if it went, fall through and send more stuff */ -+ /* we may have released our buffer, so get it again */ -+ if (wb->buf == NULL) -+ if (!ssl3_setup_write_buffer(s)) -+ return -1; - } - - if (len == 0 && !create_empty_fragment) diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb b/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb index 7783206a4b..38cdb3f740 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb @@ -38,8 +38,8 @@ SRC_URI += "file://configure-targets.patch \ file://0001-Fix-DTLS-retransmission-from-previous-session.patch \ file://0001-Use-version-in-SSL_METHOD-not-SSL-structure.patch \ file://CVE-2014-0160.patch \ - file://openssl-CVE-2014-0198-fix.patch \ file://openssl-1.0.1e-cve-2014-0195.patch \ + file://openssl-1.0.1e-cve-2014-0198.patch \ " SRC_URI[md5sum] = "66bf6f10f060d561929de96f9dfe5b8c" -- cgit 1.2.3-korg