mirror of
https://git.in.rschanz.org/ryan77627/guix.git
synced 2024-12-24 21:38:07 -05:00
gnu: openssl: Fixes for CVE-2010-5298 and extension checking.
* gnu/packages/patches/openssl-CVE-2010-5298.patch: New file. * gnu/packages/patches/openssl-extension-checking-fixes.patch: New file. * gnu/packages/openssl.scm (openssl): Add them. * gnu-system.am (dist_patch_DATA): Add them.
This commit is contained in:
parent
6ef3644e34
commit
0815f8f9a2
4 changed files with 74 additions and 1 deletions
|
@ -315,6 +315,8 @@ dist_patch_DATA = \
|
|||
gnu/packages/patches/mcron-install.patch \
|
||||
gnu/packages/patches/mit-krb5-init-fix.patch \
|
||||
gnu/packages/patches/mpc123-initialize-ao.patch \
|
||||
gnu/packages/patches/openssl-CVE-2010-5298.patch \
|
||||
gnu/packages/patches/openssl-extension-checking-fixes.patch \
|
||||
gnu/packages/patches/patchelf-page-size.patch \
|
||||
gnu/packages/patches/patchutils-xfail-gendiff-tests.patch \
|
||||
gnu/packages/patches/perl-no-sys-dirs.patch \
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
;;; GNU Guix --- Functional package management for GNU
|
||||
;;; Copyright © 2013 Andreas Enge <andreas@enge.fr>
|
||||
;;; Copyright © 2014 Mark H Weaver <mhw@netris.org>
|
||||
;;;
|
||||
;;; This file is part of GNU Guix.
|
||||
;;;
|
||||
|
@ -34,7 +35,10 @@ (define-public openssl
|
|||
".tar.gz"))
|
||||
(sha256
|
||||
(base32
|
||||
"0a70qdqccg16nw4bbawa6pjvzn05vfp5wkwg6jl0grch7f683jsk"))))
|
||||
"0a70qdqccg16nw4bbawa6pjvzn05vfp5wkwg6jl0grch7f683jsk"))
|
||||
(patches
|
||||
(list (search-patch "openssl-CVE-2010-5298.patch")
|
||||
(search-patch "openssl-extension-checking-fixes.patch")))))
|
||||
(build-system gnu-build-system)
|
||||
(native-inputs `(("perl" ,perl)))
|
||||
(arguments
|
||||
|
|
27
gnu/packages/patches/openssl-CVE-2010-5298.patch
Normal file
27
gnu/packages/patches/openssl-CVE-2010-5298.patch
Normal file
|
@ -0,0 +1,27 @@
|
|||
From db978be7388852059cf54e42539a363d549c5bfd Mon Sep 17 00:00:00 2001
|
||||
From: Kurt Roeckx <kurt@roeckx.be>
|
||||
Date: Sun, 13 Apr 2014 15:05:30 +0200
|
||||
Subject: [PATCH] Don't release the buffer when there still is data in it
|
||||
|
||||
RT: 2167, 3265
|
||||
---
|
||||
ssl/s3_pkt.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
|
||||
index b9e45c7..32e9207 100644
|
||||
--- a/ssl/s3_pkt.c
|
||||
+++ b/ssl/s3_pkt.c
|
||||
@@ -1055,7 +1055,8 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
|
||||
{
|
||||
s->rstate=SSL_ST_READ_HEADER;
|
||||
rr->off=0;
|
||||
- if (s->mode & SSL_MODE_RELEASE_BUFFERS)
|
||||
+ if (s->mode & SSL_MODE_RELEASE_BUFFERS &&
|
||||
+ s->s3->rbuf.left == 0)
|
||||
ssl3_release_read_buffer(s);
|
||||
}
|
||||
}
|
||||
--
|
||||
1.9.1
|
||||
|
40
gnu/packages/patches/openssl-extension-checking-fixes.patch
Normal file
40
gnu/packages/patches/openssl-extension-checking-fixes.patch
Normal file
|
@ -0,0 +1,40 @@
|
|||
From 300b9f0b704048f60776881f1d378c74d9c32fbd Mon Sep 17 00:00:00 2001
|
||||
From: "Dr. Stephen Henson" <steve@openssl.org>
|
||||
Date: Tue, 15 Apr 2014 18:48:54 +0100
|
||||
Subject: [PATCH] Extension checking fixes.
|
||||
|
||||
When looking for an extension we need to set the last found
|
||||
position to -1 to properly search all extensions.
|
||||
|
||||
PR#3309.
|
||||
---
|
||||
crypto/x509v3/v3_purp.c | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
|
||||
index 6c40c7d..5f931db 100644
|
||||
--- a/crypto/x509v3/v3_purp.c
|
||||
+++ b/crypto/x509v3/v3_purp.c
|
||||
@@ -389,8 +389,8 @@ static void x509v3_cache_extensions(X509 *x)
|
||||
/* Handle proxy certificates */
|
||||
if((pci=X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) {
|
||||
if (x->ex_flags & EXFLAG_CA
|
||||
- || X509_get_ext_by_NID(x, NID_subject_alt_name, 0) >= 0
|
||||
- || X509_get_ext_by_NID(x, NID_issuer_alt_name, 0) >= 0) {
|
||||
+ || X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >= 0
|
||||
+ || X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >= 0) {
|
||||
x->ex_flags |= EXFLAG_INVALID;
|
||||
}
|
||||
if (pci->pcPathLengthConstraint) {
|
||||
@@ -670,7 +670,7 @@ static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x,
|
||||
return 0;
|
||||
|
||||
/* Extended Key Usage MUST be critical */
|
||||
- i_ext = X509_get_ext_by_NID((X509 *) x, NID_ext_key_usage, 0);
|
||||
+ i_ext = X509_get_ext_by_NID((X509 *) x, NID_ext_key_usage, -1);
|
||||
if (i_ext >= 0)
|
||||
{
|
||||
X509_EXTENSION *ext = X509_get_ext((X509 *) x, i_ext);
|
||||
--
|
||||
1.9.1
|
||||
|
Loading…
Reference in a new issue