Accepting request 854071 from home:vitezslav_cizek:branches:security:tls

- Update to 1.1.1i (bsc#1179491)
  * Fixed NULL pointer deref in GENERAL_NAME_cmp (CVE-2020-1971)

OBS-URL: https://build.opensuse.org/request/show/854071
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=76

openssl-1.1.1-fips-post-rand.patch

@@ -1,7 +1,7 @@
-Index: openssl-1.1.1e/crypto/fips/fips.c
+Index: openssl-1.1.1i/crypto/fips/fips.c
 ===================================================================
---- openssl-1.1.1e.orig/crypto/fips/fips.c	2020-03-20 14:08:12.235758574 +0100
-+++ openssl-1.1.1e/crypto/fips/fips.c	2020-03-20 14:08:13.787766679 +0100
+--- openssl-1.1.1i.orig/crypto/fips/fips.c	2020-12-08 16:46:23.666760618 +0100
++++ openssl-1.1.1i/crypto/fips/fips.c	2020-12-08 16:46:25.626772700 +0100
 @@ -68,6 +68,7 @@
  
  # include <openssl/fips.h>
@@ -52,10 +52,10 @@ Index: openssl-1.1.1e/crypto/fips/fips.c
          ret = 1;
          goto end;
      }
-Index: openssl-1.1.1e/include/crypto/fips_int.h
+Index: openssl-1.1.1i/include/crypto/fips_int.h
 ===================================================================
---- openssl-1.1.1e.orig/include/crypto/fips_int.h	2020-03-20 14:08:12.239758595 +0100
-+++ openssl-1.1.1e/include/crypto/fips_int.h	2020-03-20 14:08:13.787766679 +0100
+--- openssl-1.1.1i.orig/include/crypto/fips_int.h	2020-12-08 16:46:23.666760618 +0100
++++ openssl-1.1.1i/include/crypto/fips_int.h	2020-12-08 16:46:25.626772700 +0100
 @@ -77,6 +77,8 @@ int FIPS_selftest_hmac(void);
  int FIPS_selftest_drbg(void);
  int FIPS_selftest_cmac(void);
@@ -65,10 +65,10 @@ Index: openssl-1.1.1e/include/crypto/fips_int.h
  int fips_pkey_signature_test(EVP_PKEY *pkey,
                                   const unsigned char *tbs, int tbslen,
                                   const unsigned char *kat,
-Index: openssl-1.1.1e/include/crypto/rand.h
+Index: openssl-1.1.1i/include/crypto/rand.h
 ===================================================================
---- openssl-1.1.1e.orig/include/crypto/rand.h	2020-03-20 14:08:12.239758595 +0100
-+++ openssl-1.1.1e/include/crypto/rand.h	2020-03-20 14:08:13.791766699 +0100
+--- openssl-1.1.1i.orig/include/crypto/rand.h	2020-12-08 16:46:23.670760642 +0100
++++ openssl-1.1.1i/include/crypto/rand.h	2020-12-08 16:46:25.626772700 +0100
 @@ -24,6 +24,7 @@
  typedef struct rand_pool_st RAND_POOL;
  
@@ -77,11 +77,11 @@ Index: openssl-1.1.1e/include/crypto/rand.h
  void rand_drbg_cleanup_int(void);
  void drbg_delete_thread_state(void);
  
-Index: openssl-1.1.1e/crypto/rand/drbg_lib.c
+Index: openssl-1.1.1i/crypto/rand/drbg_lib.c
 ===================================================================
---- openssl-1.1.1e.orig/crypto/rand/drbg_lib.c	2020-03-20 14:08:12.239758595 +0100
-+++ openssl-1.1.1e/crypto/rand/drbg_lib.c	2020-03-20 14:08:13.791766699 +0100
-@@ -1009,6 +1009,20 @@ size_t rand_drbg_seedlen(RAND_DRBG *drbg
+--- openssl-1.1.1i.orig/crypto/rand/drbg_lib.c	2020-12-08 16:46:23.670760642 +0100
++++ openssl-1.1.1i/crypto/rand/drbg_lib.c	2020-12-08 16:46:25.626772700 +0100
+@@ -1005,6 +1005,20 @@ size_t rand_drbg_seedlen(RAND_DRBG *drbg
      return min_entropy > min_entropylen ? min_entropy : min_entropylen;
  }
  
@@ -102,10 +102,10 @@ Index: openssl-1.1.1e/crypto/rand/drbg_lib.c
  /* Implements the default OpenSSL RAND_add() method */
  static int drbg_add(const void *buf, int num, double randomness)
  {
-Index: openssl-1.1.1e/crypto/rand/rand_unix.c
+Index: openssl-1.1.1i/crypto/rand/rand_unix.c
 ===================================================================
---- openssl-1.1.1e.orig/crypto/rand/rand_unix.c	2020-03-20 14:08:12.239758595 +0100
-+++ openssl-1.1.1e/crypto/rand/rand_unix.c	2020-03-20 14:08:41.763912735 +0100
+--- openssl-1.1.1i.orig/crypto/rand/rand_unix.c	2020-12-08 16:46:23.670760642 +0100
++++ openssl-1.1.1i/crypto/rand/rand_unix.c	2020-12-08 16:47:33.695192297 +0100
 @@ -17,10 +17,12 @@
  #include <openssl/crypto.h>
  #include "rand_local.h"
@@ -119,7 +119,7 @@ Index: openssl-1.1.1e/crypto/rand/rand_unix.c
  # ifdef DEVRANDOM_WAIT
  #  include <sys/shm.h>
  #  include <sys/utsname.h>
-@@ -342,7 +344,7 @@ static ssize_t sysctl_random(char *buf,
+@@ -344,7 +346,7 @@ static ssize_t sysctl_random(char *buf,
   * syscall_random(): Try to get random data using a system call
   * returns the number of bytes returned in buf, or < 0 on error.
   */
@@ -128,15 +128,15 @@ Index: openssl-1.1.1e/crypto/rand/rand_unix.c
  {
      /*
       * Note: 'buflen' equals the size of the buffer which is used by the
-@@ -364,6 +366,7 @@ static ssize_t syscall_random(void *buf,
-      * - Linux since 3.17 with glibc 2.25
-      * - FreeBSD since 12.0 (1200061)
+@@ -369,6 +371,7 @@ static ssize_t syscall_random(void *buf,
+      * Note: Sometimes getentropy() can be provided but not implemented
+      * internally. So we need to check errno for ENOSYS
       */
 +#  if 0
  #  if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux)
      extern int getentropy(void *buffer, size_t length) __attribute__((weak));
  
-@@ -385,10 +388,10 @@ static ssize_t syscall_random(void *buf,
+@@ -394,10 +397,10 @@ static ssize_t syscall_random(void *buf,
      if (p_getentropy.p != NULL)
          return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1;
  #  endif
@@ -150,7 +150,7 @@ Index: openssl-1.1.1e/crypto/rand/rand_unix.c
  #  elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND)
      return sysctl_random(buf, buflen);
  #  else
-@@ -623,6 +626,9 @@ size_t rand_pool_acquire_entropy(RAND_PO
+@@ -633,6 +636,9 @@ size_t rand_pool_acquire_entropy(RAND_PO
      size_t entropy_available;
  
  #   if defined(OPENSSL_RAND_SEED_GETRANDOM)
@@ -160,7 +160,7 @@ Index: openssl-1.1.1e/crypto/rand/rand_unix.c
      {
          size_t bytes_needed;
          unsigned char *buffer;
-@@ -633,7 +639,7 @@ size_t rand_pool_acquire_entropy(RAND_PO
+@@ -643,7 +649,7 @@ size_t rand_pool_acquire_entropy(RAND_PO
          bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
          while (bytes_needed != 0 && attempts-- > 0) {
              buffer = rand_pool_add_begin(pool, bytes_needed);
@@ -169,7 +169,7 @@ Index: openssl-1.1.1e/crypto/rand/rand_unix.c
              if (bytes > 0) {
                  rand_pool_add_end(pool, bytes, 8 * bytes);
                  bytes_needed -= bytes;
-@@ -668,8 +674,10 @@ size_t rand_pool_acquire_entropy(RAND_PO
+@@ -678,8 +684,10 @@ size_t rand_pool_acquire_entropy(RAND_PO
              int attempts = 3;
              const int fd = get_random_device(i);
  
@@ -181,7 +181,7 @@ Index: openssl-1.1.1e/crypto/rand/rand_unix.c
  
              while (bytes_needed != 0 && attempts-- > 0) {
                  buffer = rand_pool_add_begin(pool, bytes_needed);
-@@ -732,7 +740,9 @@ size_t rand_pool_acquire_entropy(RAND_PO
+@@ -742,7 +750,9 @@ size_t rand_pool_acquire_entropy(RAND_PO
              return entropy_available;
      }
  #   endif

openssl-1.1.1h.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:5c9ca8774bd7b03e5784f26ae9e9e6d749c9da2438545077e6b3d755a06595d9
-size 9810045

openssl-1.1.1h.tar.gz.asc

@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl9p9DIACgkQ2cTSbQ5g
-RJFkgAf/cEJVx8pptVMXRtbh9aBl73I12y+xURVt0WJ7Z6Uwotisq9otypUQH1kb
-H7IULXo7SnCjpouJQzAKCh8muv7jz7yquL19q0s4uh46Qdz57tIdfJap/F/eGwR8
-wPnciGtl9P+8uSsPTro9VlEjQRCTvGKXna35V3CilXx2zpP3X9izcUed8Irfcp0o
-eWi9W0NhG4HJZOA7RNbfp8fGLCpfp364z1fcXeQFaZFdtiqdl5qKQ0/rt52ji+fs
-M71jFvhPU3jyb921cFWO6CQN9O9+MUu02AWCYIm2VPkcqrhOQ5JoCyPsnv3ClE1v
-X0TYTMIwnqNZ9UZsgsnIzAg2VxZDDw==
-=kMzM
------END PGP SIGNATURE-----

openssl-1.1.1i.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e8be6a35fe41d10603c3cc635e93289ed00bf34b79671a3a4de64fcee00d5242
+size 9808346

openssl-1.1.1i.tar.gz.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl/PfcIACgkQ2cTSbQ5g
+RJHxYQf8DFul2uhHXbiCxshH7PiOh/TgjEMrdjUMTerYv6dssTcOF08UY7kjXdwV
+7WJ61XcDo6m6vpzqZDuz/rbMqTmNP1z8ShQ80T4DQus+QHp9zMkNDWcUFTpv2vSc
+PYTHtlBk49zDXJiRNBtWx0UjiVvcUtrDoTf/X0n/2ucqebniHxOSIFG9i/nhE5iP
+a+0ccguS9eoq4cphWmSWRQrzweNWjfJUm6kcFBUYek5cVM6JVYMDJRjwwe14lWVP
+vVMADBMc6eQFkBD/f/cI0QrFKfB6/ObTgRLqT2aNFgaSHHKvqtjLaB+haldz8oHm
+F9orllkrd9bTCxit2kEGHBKg4EjKLw==
+=K/1H
+-----END PGP SIGNATURE-----

openssl-1_1.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Dec  8 15:43:32 UTC 2020 - Vítězslav Čížek <vcizek@suse.com>
+
+- Update to 1.1.1i (bsc#1179491)
+  * Fixed NULL pointer deref in GENERAL_NAME_cmp (CVE-2020-1971)
+
 -------------------------------------------------------------------
 Thu Nov 19 10:54:53 UTC 2020 - Vítězslav Čížek <vcizek@suse.com>
 

openssl-1_1.spec

@@ -21,7 +21,7 @@
 %define _rname  openssl
 Name:           openssl-1_1
 # Don't forget to update the version in the "openssl" package!
-Version:        1.1.1h
+Version:        1.1.1i
 Release:        0
 Summary:        Secure Sockets and Transport Layer Security
 License:        OpenSSL