Accepting request 738529 from security:tls
OBS-URL: https://build.opensuse.org/request/show/738529 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-1_1?expand=0&rev=9
This commit is contained in:
Dominique Leuenberger
Git OBS Bridge
commit
9551f15083
@ -1,79 +0,0 @@
|
||||
From fac9200a881a83bef038ebed628ebd409786a1a6 Mon Sep 17 00:00:00 2001
|
||||
From: Vitezslav Cizek <vcizek@suse.com>
|
||||
Date: Tue, 4 Jun 2019 13:24:59 +0200
|
||||
Subject: [PATCH] build_SYS_str_reasons: Fix a crash caused by overlong locales
|
||||
|
||||
The 4 kB SPACE_SYS_STR_REASONS in crypto/err/err.c isn't enough for some locales.
|
||||
The Russian locales consume 6856 bytes, Ukrainian even 7000.
|
||||
|
||||
build_SYS_str_reasons() contains an overflow check:
|
||||
|
||||
if (cnt > sizeof(strerror_pool))
|
||||
cnt = sizeof(strerror_pool);
|
||||
|
||||
But since commit 9f15e5b911ba6053e09578f190354568e01c07d7 it no longer
|
||||
works as cnt is incremented once more after the condition.
|
||||
|
||||
cnt greater than sizeof(strerror_pool) results in an unbounded
|
||||
OPENSSL_strlcpy() in openssl_strerror_r(), eventually causing a crash.
|
||||
|
||||
When the first received error string was empty or contained only
|
||||
spaces, cur would move in front of the start of the strerror_pool.
|
||||
|
||||
Also don't call openssl_strerror_r when the pool is full.
|
||||
|
||||
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
|
||||
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
||||
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
|
||||
(Merged from https://github.com/openssl/openssl/pull/8966)
|
||||
---
|
||||
crypto/err/err.c | 16 +++++++++-------
|
||||
1 file changed, 9 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/crypto/err/err.c b/crypto/err/err.c
|
||||
index 57399f82ad..cf3ae4d3b3 100644
|
||||
--- a/crypto/err/err.c
|
||||
+++ b/crypto/err/err.c
|
||||
@@ -188,8 +188,8 @@ static ERR_STRING_DATA *int_err_get_item(const ERR_STRING_DATA *d)
|
||||
}
|
||||
|
||||
#ifndef OPENSSL_NO_ERR
|
||||
-/* A measurement on Linux 2018-11-21 showed about 3.5kib */
|
||||
-# define SPACE_SYS_STR_REASONS 4 * 1024
|
||||
+/* 2019-05-21: Russian and Ukrainian locales on Linux require more than 6,5 kB */
|
||||
+# define SPACE_SYS_STR_REASONS 8 * 1024
|
||||
# define NUM_SYS_STR_REASONS 127
|
||||
|
||||
static ERR_STRING_DATA SYS_str_reasons[NUM_SYS_STR_REASONS + 1];
|
||||
@@ -223,21 +223,23 @@ static void build_SYS_str_reasons(void)
|
||||
ERR_STRING_DATA *str = &SYS_str_reasons[i - 1];
|
||||
|
||||
str->error = ERR_PACK(ERR_LIB_SYS, 0, i);
|
||||
- if (str->string == NULL) {
|
||||
+ /*
|
||||
+ * If we have used up all the space in strerror_pool,
|
||||
+ * there's no point in calling openssl_strerror_r()
|
||||
+ */
|
||||
+ if (str->string == NULL && cnt < sizeof(strerror_pool)) {
|
||||
if (openssl_strerror_r(i, cur, sizeof(strerror_pool) - cnt)) {
|
||||
size_t l = strlen(cur);
|
||||
|
||||
str->string = cur;
|
||||
cnt += l;
|
||||
- if (cnt > sizeof(strerror_pool))
|
||||
- cnt = sizeof(strerror_pool);
|
||||
cur += l;
|
||||
|
||||
/*
|
||||
* VMS has an unusual quirk of adding spaces at the end of
|
||||
- * some (most? all?) messages. Lets trim them off.
|
||||
+ * some (most? all?) messages. Lets trim them off.
|
||||
*/
|
||||
- while (ossl_isspace(cur[-1])) {
|
||||
+ while (cur > strerror_pool && ossl_isspace(cur[-1])) {
|
||||
cur--;
|
||||
cnt--;
|
||||
}
|
||||
--
|
||||
2.21.0
|
||||
|
||||
@ -1,7 +1,8 @@
|
||||
diff -up openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl.nohtml openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl
|
||||
--- openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl.no-html 2016-04-19 16:57:52.000000000 +0200
|
||||
+++ openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl 2016-07-18 13:58:55.060106243 +0200
|
||||
@@ -288,7 +288,7 @@ install_sw: all install_dev install_engi
|
||||
Index: openssl-1.1.1d/Configurations/unix-Makefile.tmpl
|
||||
===================================================================
|
||||
--- openssl-1.1.1d.orig/Configurations/unix-Makefile.tmpl 2019-09-11 15:38:17.788265421 +0200
|
||||
+++ openssl-1.1.1d/Configurations/unix-Makefile.tmpl 2019-09-11 15:38:35.640368636 +0200
|
||||
@@ -544,7 +544,7 @@ install_sw: install_dev install_engines
|
||||
|
||||
uninstall_sw: uninstall_runtime uninstall_engines uninstall_dev
|
||||
|
||||
@ -9,4 +10,4 @@ diff -up openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl.nohtml openssl-1.1
|
||||
+install_docs: install_man_docs
|
||||
|
||||
uninstall_docs: uninstall_man_docs uninstall_html_docs
|
||||
$(RM) -r -v $(DESTDIR)$(DOCDIR)
|
||||
$(RM) -r $(DESTDIR)$(DOCDIR)
|
||||
|
||||
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:f6fb3079ad15076154eda9413fed42877d668e7069d9b87396d0804fdb3f4c90
|
||||
size 8864262
|
||||
@ -1,16 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCgAdFiEEeVOsH7w9yLOykjk+1enkP3357owFAlztM8IACgkQ1enkP335
|
||||
7oxQwQ/9G4kkoJC0pat5P4uNBgVyxmXso63Eea91QYGC39BABSL+KpEzfyJtFwqR
|
||||
36EAI8f5L5iGRKuBKerWtP8YUZ9Jc0Yf/a1R7sPGKh/0hor6dWhU1fh5x3HCatBC
|
||||
TanYbgXgAQhNHQcwVG6qdvHIwtb9so5NtDB0cKNcegoH6D0IOUtQmYrqXiovsc3K
|
||||
DwqgUL2ctUvDmroJVE4lQ6zpz239D3UoeSiTWAVGy/GudpQgx/9v6fqwO91/tyWk
|
||||
Grlpf2v320dLCbCXrbbW4lPq7IeoIkTgPwnVlyLMrm4Ht+Ck6KPgbUyRaVpSuJum
|
||||
6geA9Miczekv3PhPkF2/ltKwRLUt1TmujBdNTAxYXX6VWw32oh5YSQ2wTVZgvCN/
|
||||
HJvSW5N2fuEsO8jYX/0RxZjGrbsGyCXtXqElwmETO8JX+wuc6Rd1IFdDKDszUbLh
|
||||
HEtMBdb/Dhv//gNkEwrPHw9tLH8nd+B4dCJNC/4+Au54t6SpRT2sV6FVNA4Ytkpu
|
||||
O1OCs2cmIuGFBylDDZCSCWG+1U/dUVoqRh0ufg9PcFDdeicp6Q6cqyBNEVNXG7HU
|
||||
g7c5zf0XOT7m3+G+d+pPvvzOsZrTKVlOcsAlI7aiqTFFtUUGpHtjm03OP2SKrakb
|
||||
bPjVbZWzjvRe3st8+GXdv2/i0SuVZW0mTE+6+pPd1/6VlRGOqmI=
|
||||
=+39w
|
||||
-----END PGP SIGNATURE-----
|
||||
3
openssl-1.1.1d.tar.gz
Normal file
3
openssl-1.1.1d.tar.gz
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:1e3a91bc1f9dfce01af26026f856e064eab4c8ee0a8f457b5ae30b40b8b711f2
|
||||
size 8845861
|
||||
11
openssl-1.1.1d.tar.gz.asc
Normal file
11
openssl-1.1.1d.tar.gz.asc
Normal file
@ -0,0 +1,11 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQEzBAABCgAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl13oWoACgkQ2cTSbQ5g
|
||||
RJH0Agf+IekQXtSPsrn/5RMgXFGSyK+S1BpFhyoJRvDocVZAxwgvd4F1fcYkFVXH
|
||||
5+Q6o6s6tIDb+VkuIajcDxTQvrFoXKWMbsFsu3NBAan5R0OlYINRYtXULg0ZqQv4
|
||||
zxclCSLQTpuMyptuGGbg0/8+9IAhGFk2XSA5EEI+SC6lswRQiT7p6dbULj4CvH3m
|
||||
7mqovojAAaEJpgfG8b+L+QBJ4XId99uC6tiLM1tTMCsn1ErLsTd366fzEpC1w12a
|
||||
V/gWQ1mVs+bmSRySPx8mO4CpHfhAI+sZrSsWG+UXP9Guf9YKHFLJDiSrX7EmvszR
|
||||
B+/LvZqce4iCnwCUoIuYhxM6EybDdQ==
|
||||
=v5CI
|
||||
-----END PGP SIGNATURE-----
|
||||
@ -1,3 +1,64 @@
|
||||
-------------------------------------------------------------------
|
||||
Mon Oct 14 18:36:37 UTC 2019 - Jason Sikes <jsikes@suse.com>
|
||||
|
||||
- Merged upstream changes to allow NULL salt values in EVP_PBE_scrypt().
|
||||
* Revealed by nodejs12 during bsc#1149572.
|
||||
* Modified openssl-jsc-SLE-8789-backport_KDF.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Oct 14 08:45:39 UTC 2019 - Adam Majer <adam.majer@suse.de>
|
||||
|
||||
- openssl-jsc-SLE-8789-backport_KDF.patch: retain old behaviour
|
||||
of EVP_PBE_scrypt. When key output buffer is not provided,
|
||||
only check if the input parameters are in valid range and
|
||||
ignore passphrase/salt fields as they are only used in
|
||||
the actual calculation.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Sep 11 09:32:16 UTC 2019 - Vítězslav Čížek <vcizek@suse.com>
|
||||
|
||||
- Update to 1.1.1d (bsc#1133925, jsc#SLE-6430)
|
||||
* Fixed a fork protection issue. OpenSSL 1.1.1 introduced a rewritten random
|
||||
number generator (RNG). This was intended to include protection in the
|
||||
event of a fork() system call in order to ensure that the parent and child
|
||||
processes did not share the same RNG state. However this protection was not
|
||||
being used in the default case.
|
||||
(bsc#1150247, CVE-2019-1549)
|
||||
* Compute ECC cofactors if not provided during EC_GROUP construction. Before
|
||||
this change, EC_GROUP_set_generator would accept order and/or cofactor as
|
||||
NULL. After this change, only the cofactor parameter can be NULL.
|
||||
(bsc#1150003, CVE-2019-1547)
|
||||
* Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
|
||||
(bsc#1150250, CVE-2019-1563)
|
||||
* For built-in EC curves, ensure an EC_GROUP built from the curve name is
|
||||
used even when parsing explicit parameters, when loading a serialized key
|
||||
or calling EC_GROUP_new_from_ecpkparameters()/EC_GROUP_new_from_ecparameters().
|
||||
* Early start up entropy quality from the DEVRANDOM seed source has been
|
||||
improved for older Linux systems.
|
||||
* Changed DH_check to accept parameters with order q and 2q subgroups.
|
||||
With order 2q subgroups the bit 0 of the private key is not secret
|
||||
but DH_generate_key works around that by clearing bit 0 of the
|
||||
private key for those. This avoids leaking bit 0 of the private key.
|
||||
* Significantly reduce secure memory usage by the randomness pools.
|
||||
* Revert the DEVRANDOM_WAIT feature for Linux systems
|
||||
- drop 0001-build_SYS_str_reasons-Fix-a-crash-caused-by-overlong.patch (upstream)
|
||||
- refresh patches
|
||||
* openssl-1.1.0-no-html.patch
|
||||
* openssl-jsc-SLE-8789-backport_KDF.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Sep 10 19:26:34 UTC 2019 - Jason Sikes <jsikes@suse.com>
|
||||
|
||||
- To avoid seperate certification of openssh server / client
|
||||
move the SSH KDF (Key Derivation Function) into openssl.
|
||||
* jsc#SLE-8789
|
||||
* Sourced from commit
|
||||
8d76481b189b7195ef932e0fb8f0e23ab0120771#diff-a9562bc75317360a2e6b8b0748956e34
|
||||
in openssl master (introduce the SSH KDF)
|
||||
and commit 5a285addbf39f91d567f95f04b2b41764127950d
|
||||
in openssl master (backport EVP/KDF API framework)
|
||||
* added openssl-jsc-SLE-8789-backport_KDF.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Jun 6 10:06:45 UTC 2019 - Vítězslav Čížek <vcizek@suse.com>
|
||||
|
||||
|
||||
@ -21,7 +21,7 @@
|
||||
%define _rname openssl
|
||||
Name: openssl-1_1
|
||||
# Don't forget to update the version in the "openssl" package!
|
||||
Version: 1.1.1c
|
||||
Version: 1.1.1d
|
||||
Release: 0
|
||||
Summary: Secure Sockets and Transport Layer Security
|
||||
License: OpenSSL
|
||||
@ -43,8 +43,6 @@ Patch3: openssl-pkgconfig.patch
|
||||
Patch4: openssl-DEFAULT_SUSE_cipher.patch
|
||||
Patch5: openssl-ppc64-config.patch
|
||||
Patch6: openssl-no-date.patch
|
||||
# PATCH-FIX-UPSTREAM https://github.com/openssl/openssl/pull/8966
|
||||
Patch7: 0001-build_SYS_str_reasons-Fix-a-crash-caused-by-overlong.patch
|
||||
# PATCH-FIX-UPSTREAM jsc#SLE-6126 and jsc#SLE-6129
|
||||
Patch8: 0001-s390x-assembly-pack-perlasm-support.patch
|
||||
Patch9: 0002-crypto-chacha-asm-chacha-s390x.pl-add-vx-code-path.patch
|
||||
@ -52,6 +50,7 @@ Patch10: 0003-crypto-poly1305-asm-poly1305-s390x.pl-add-vx-code-pa.patch
|
||||
Patch11: 0004-s390x-assembly-pack-fix-formal-interface-bug-in-chac.patch
|
||||
Patch12: 0005-s390x-assembly-pack-import-chacha-from-cryptogams-re.patch
|
||||
Patch13: 0006-s390x-assembly-pack-import-poly-from-cryptogams-repo.patch
|
||||
Patch14: openssl-jsc-SLE-8789-backport_KDF.patch
|
||||
BuildRequires: pkgconfig
|
||||
Conflicts: ssl
|
||||
Provides: ssl
|
||||
|
||||
10719
openssl-jsc-SLE-8789-backport_KDF.patch
Normal file
10719
openssl-jsc-SLE-8789-backport_KDF.patch
Normal file
File diff suppressed because it is too large
Load Diff
Loading…
Reference in New Issue
Block a user