gnu: openssl: Fix CVE-2019-1559.
* gnu/packages/tls.scm (openssl)[replacement]: New field. (openssl/fixed): New variable. (openssl-next)[inherit]: Inherit from it instead. * gnu/packages/patches/openssl-CVE-2019-1559.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it.
This commit is contained in:
parent
8849109703
commit
a92c6b1a2b
@ -1098,6 +1098,7 @@ dist_patch_DATA = \
|
|||||||
%D%/packages/patches/openssl-runpath.patch \
|
%D%/packages/patches/openssl-runpath.patch \
|
||||||
%D%/packages/patches/openssl-1.1-c-rehash-in.patch \
|
%D%/packages/patches/openssl-1.1-c-rehash-in.patch \
|
||||||
%D%/packages/patches/openssl-c-rehash-in.patch \
|
%D%/packages/patches/openssl-c-rehash-in.patch \
|
||||||
|
%D%/packages/patches/openssl-CVE-2019-1559.patch \
|
||||||
%D%/packages/patches/orpheus-cast-errors-and-includes.patch \
|
%D%/packages/patches/orpheus-cast-errors-and-includes.patch \
|
||||||
%D%/packages/patches/osip-CVE-2017-7853.patch \
|
%D%/packages/patches/osip-CVE-2017-7853.patch \
|
||||||
%D%/packages/patches/ots-no-include-missing-file.patch \
|
%D%/packages/patches/ots-no-include-missing-file.patch \
|
||||||
|
60
gnu/packages/patches/openssl-CVE-2019-1559.patch
Normal file
60
gnu/packages/patches/openssl-CVE-2019-1559.patch
Normal file
@ -0,0 +1,60 @@
|
|||||||
|
From e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e Mon Sep 17 00:00:00 2001
|
||||||
|
From: Matt Caswell <matt@openssl.org>
|
||||||
|
Date: Fri, 14 Dec 2018 07:28:30 +0000
|
||||||
|
Subject: [PATCH] Go into the error state if a fatal alert is sent or received
|
||||||
|
|
||||||
|
If an application calls SSL_shutdown after a fatal alert has occured and
|
||||||
|
then behaves different based on error codes from that function then the
|
||||||
|
application may be vulnerable to a padding oracle.
|
||||||
|
|
||||||
|
CVE-2019-1559
|
||||||
|
|
||||||
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
||||||
|
---
|
||||||
|
ssl/d1_pkt.c | 1 +
|
||||||
|
ssl/s3_pkt.c | 10 +++++++---
|
||||||
|
2 files changed, 8 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
|
||||||
|
index 23aa9db..c7fe977 100644
|
||||||
|
--- a/ssl/d1_pkt.c
|
||||||
|
+++ b/ssl/d1_pkt.c
|
||||||
|
@@ -1309,6 +1309,7 @@ int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
|
||||||
|
ERR_add_error_data(2, "SSL alert number ", tmp);
|
||||||
|
s->shutdown |= SSL_RECEIVED_SHUTDOWN;
|
||||||
|
SSL_CTX_remove_session(s->session_ctx, s->session);
|
||||||
|
+ s->state = SSL_ST_ERR;
|
||||||
|
return (0);
|
||||||
|
} else {
|
||||||
|
al = SSL_AD_ILLEGAL_PARAMETER;
|
||||||
|
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
|
||||||
|
index 6527df8..830b723 100644
|
||||||
|
--- a/ssl/s3_pkt.c
|
||||||
|
+++ b/ssl/s3_pkt.c
|
||||||
|
@@ -1500,6 +1500,7 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
|
||||||
|
ERR_add_error_data(2, "SSL alert number ", tmp);
|
||||||
|
s->shutdown |= SSL_RECEIVED_SHUTDOWN;
|
||||||
|
SSL_CTX_remove_session(s->session_ctx, s->session);
|
||||||
|
+ s->state = SSL_ST_ERR;
|
||||||
|
return (0);
|
||||||
|
} else {
|
||||||
|
al = SSL_AD_ILLEGAL_PARAMETER;
|
||||||
|
@@ -1719,9 +1720,12 @@ int ssl3_send_alert(SSL *s, int level, int desc)
|
||||||
|
* protocol_version alerts */
|
||||||
|
if (desc < 0)
|
||||||
|
return -1;
|
||||||
|
- /* If a fatal one, remove from cache */
|
||||||
|
- if ((level == 2) && (s->session != NULL))
|
||||||
|
- SSL_CTX_remove_session(s->session_ctx, s->session);
|
||||||
|
+ /* If a fatal one, remove from cache and go into the error state */
|
||||||
|
+ if (level == SSL3_AL_FATAL) {
|
||||||
|
+ if (s->session != NULL)
|
||||||
|
+ SSL_CTX_remove_session(s->session_ctx, s->session);
|
||||||
|
+ s->state = SSL_ST_ERR;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
s->s3->alert_dispatch = 1;
|
||||||
|
s->s3->send_alert[0] = level;
|
||||||
|
--
|
||||||
|
2.7.4
|
||||||
|
|
@ -10,7 +10,7 @@
|
|||||||
;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
|
;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
|
||||||
;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
|
;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
|
||||||
;;; Copyright © 2017, 2018 Marius Bakke <mbakke@fastmail.com>
|
;;; Copyright © 2017, 2018 Marius Bakke <mbakke@fastmail.com>
|
||||||
;;; Copyright © 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>
|
;;; Copyright © 2017, 2018, 2019 Tobias Geerinckx-Rice <me@tobias.gr>
|
||||||
;;; Copyright © 2017 Rutger Helling <rhelling@mykolab.com>
|
;;; Copyright © 2017 Rutger Helling <rhelling@mykolab.com>
|
||||||
;;; Copyright © 2018 Clément Lassieur <clement@lassieur.org>
|
;;; Copyright © 2018 Clément Lassieur <clement@lassieur.org>
|
||||||
;;;
|
;;;
|
||||||
@ -271,6 +271,7 @@ required structures.")
|
|||||||
(define-public openssl
|
(define-public openssl
|
||||||
(package
|
(package
|
||||||
(name "openssl")
|
(name "openssl")
|
||||||
|
(replacement openssl/fixed)
|
||||||
(version "1.0.2p")
|
(version "1.0.2p")
|
||||||
(source (origin
|
(source (origin
|
||||||
(method url-fetch)
|
(method url-fetch)
|
||||||
@ -399,9 +400,18 @@ required structures.")
|
|||||||
(license license:openssl)
|
(license license:openssl)
|
||||||
(home-page "https://www.openssl.org/")))
|
(home-page "https://www.openssl.org/")))
|
||||||
|
|
||||||
(define-public openssl-next
|
(define-public openssl/fixed
|
||||||
|
(hidden-package
|
||||||
(package
|
(package
|
||||||
(inherit openssl)
|
(inherit openssl)
|
||||||
|
(source (origin
|
||||||
|
(inherit (package-source openssl))
|
||||||
|
(patches (append (origin-patches (package-source openssl))
|
||||||
|
(search-patches "openssl-CVE-2019-1559.patch"))))))))
|
||||||
|
|
||||||
|
(define-public openssl-next
|
||||||
|
(package
|
||||||
|
(inherit openssl/fixed)
|
||||||
(name "openssl")
|
(name "openssl")
|
||||||
(version "1.1.1a")
|
(version "1.1.1a")
|
||||||
(source (origin
|
(source (origin
|
||||||
|
Loading…
Reference in New Issue
Block a user