From 26d03f47ca5257fbbd25fa38476016b7c6b286a5cb33091ca16b13f58fce17fd Mon Sep 17 00:00:00 2001
From: Marcus Rueckert
Date: Fri, 10 Dec 2010 14:41:07 +0000
Subject: [PATCH] Accepting request 55363 from Base:System

Accepted submit request 55363 from user a_jaeger
OBS-URL: https://build.opensuse.org/request/show/55363
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=43
---
 CVE-2010-1633_and_CVE-2010-0742.patch | 28 ----
 CVE-2010-2939.patch | 12 --
 openssl-1.0.0.tar.bz2 | 3 -
 openssl-1.0.0c.tar.bz2 | 3 +
 openssl.changes | 16 +++
 openssl.spec | 37 ++---
 patchset-19727.diff | 189 --------------------------
 7 files changed, 39 insertions(+), 249 deletions(-)
 delete mode 100644 CVE-2010-1633_and_CVE-2010-0742.patch
 delete mode 100644 CVE-2010-2939.patch
 delete mode 100644 openssl-1.0.0.tar.bz2
 create mode 100644 openssl-1.0.0c.tar.bz2
 delete mode 100644 patchset-19727.diff
diff --git a/CVE-2010-1633_and_CVE-2010-0742.patch b/CVE-2010-1633_and_CVE-2010-0742.patch
deleted file mode 100644
index 7a03c6d..0000000
--- a/CVE-2010-1633_and_CVE-2010-0742.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-Index: openssl-1.0.0/crypto/cms/cms_asn1.c
-===================================================================
---- openssl-1.0.0.orig/crypto/cms/cms_asn1.c
-+++ openssl-1.0.0/crypto/cms/cms_asn1.c
-@@ -131,8 +131,8 @@ ASN1_NDEF_SEQUENCE(CMS_SignedData) = {
- } ASN1_NDEF_SEQUENCE_END(CMS_SignedData)
- 
- ASN1_SEQUENCE(CMS_OriginatorInfo) = {
-- ASN1_IMP_SET_OF_OPT(CMS_SignedData, certificates, CMS_CertificateChoices, 0),
-- ASN1_IMP_SET_OF_OPT(CMS_SignedData, crls, CMS_RevocationInfoChoice, 1)
-+ ASN1_IMP_SET_OF_OPT(CMS_OriginatorInfo, certificates, CMS_CertificateChoices, 0),
-+ ASN1_IMP_SET_OF_OPT(CMS_OriginatorInfo, crls, CMS_RevocationInfoChoice, 1)
- } ASN1_SEQUENCE_END(CMS_OriginatorInfo)
- 
- ASN1_NDEF_SEQUENCE(CMS_EncryptedContentInfo) = {
-Index: openssl-1.0.0/crypto/rsa/rsa_pmeth.c
-===================================================================
---- openssl-1.0.0.orig/crypto/rsa/rsa_pmeth.c
-+++ openssl-1.0.0/crypto/rsa/rsa_pmeth.c
-@@ -246,6 +246,8 @@ static int pkey_rsa_verifyrecover(EVP_PK
- ret = int_rsa_verify(EVP_MD_type(rctx->md),
- NULL, 0, rout, &sltmp,
- sig, siglen, ctx->pkey->pkey.rsa);
-+ if (ret <= 0)
-+ return 0;
- ret = sltmp;
- }
- else
diff --git a/CVE-2010-2939.patch b/CVE-2010-2939.patch
deleted file mode 100644
index bfa79f5..0000000
--- a/CVE-2010-2939.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-Index: openssl-1.0.0/ssl/s3_clnt.c
-===================================================================
---- openssl-1.0.0.orig/ssl/s3_clnt.c
-+++ openssl-1.0.0/ssl/s3_clnt.c
-@@ -1508,6 +1508,7 @@ int ssl3_get_key_exchange(SSL *s)
- s->session->sess_cert->peer_ecdh_tmp=ecdh;
- ecdh=NULL;
- BN_CTX_free(bn_ctx);
-+ bn_ctx=NULL;
- EC_POINT_free(srvr_ecpoint);
- srvr_ecpoint = NULL;
- }
diff --git a/openssl-1.0.0.tar.bz2 b/openssl-1.0.0.tar.bz2
deleted file mode 100644
index 51743f4..0000000
--- a/openssl-1.0.0.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:164d74696522f4758c383ba16e544ecd16c94c93df87cadc940b2fc3e0a8ce5a
-size 3195261
diff --git a/openssl-1.0.0c.tar.bz2 b/openssl-1.0.0c.tar.bz2
new file mode 100644
index 0000000..dca4042
--- /dev/null
+++ b/openssl-1.0.0c.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fabc7750eb05c2b15916b1abdff7287064dd4bc120b0b77e233bc390352bae5d
+size 3207024
diff --git a/openssl.changes b/openssl.changes
index 1416250..8f71ba5 100644
--- a/openssl.changes
+++ b/openssl.changes
@@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Thu Dec 9 07:04:32 UTC 2010 - gjhe@novell.com
+
+- update to stable version 1.0.0c.
+ patch included:
+ CVE-2010-1633_and_CVE-2010-0742.patch
+ patchset-19727.diff
+ CVE-2010-2939.patch
+ CVE-2010-3864.patch
+
+-------------------------------------------------------------------
+Thu Nov 18 07:53:12 UTC 2010 - gjhe@novell.com
+
+- fix bug [bnc#651003]
+ CVE-2010-3864
+
 -------------------------------------------------------------------
 Sat Sep 25 08:55:02 UTC 2010 - gjhe@novell.com
diff --git a/openssl.spec b/openssl.spec
index 64755f2..cbeef51 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -21,7 +21,7 @@
 Name: openssl
 BuildRequires: bc ed pkg-config zlib-devel
 %define ssletcdir %{_sysconfdir}/ssl
-#%define num_version %(echo "%{version}" | sed -e "s+[a-zA-Z]++g; s+_.*++g")
+%define num_version %(echo "%{version}" | sed -e "s+[a-zA-Z]++g; s+_.*++g")
 License: BSD3c(or similar)
 Group: Productivity/Networking/Security
 Provides: ssl
@@ -31,8 +31,9 @@ AutoReqProv: on
 Obsoletes: openssl-64bit
 %endif
 #
-Version: 1.0.0
-Release: 10
+#Version: 1.0.0
+Version: 1.0.0c
+Release: 11
 Summary: Secure Sockets and Transport Layer Security
 Url: http://www.openssl.org/
 Source: http://www.%{name}.org/source/%{name}-%{version}.tar.bz2
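Review bot: The `%define num_version` line in the first openssl.spec hunk is switched on without a comment explaining its purpose, and from here on the shared-library file names are derived from the release string instead of being stated. Its sed expression removes every letter from the version, which gives 1.0.0 for 1.0.0c; the later hunks then use `libssl.so.%{num_version}` and `libcrypto.so.%{num_version}` in the install checks, the move and symlink steps, and the file list. Nothing visible here ties the package version to the library version, so a future update could make the spec expect a file name the build does not produce; the `test -f` lines would stop the build in that case, which is the right guard to keep. I would add a comment above the define such as `# shared library suffix: package version with the letter release stripped (1.0.0c -> 1.0.0)`. The commented-out `#Version: 1.0.0` in the following hunk can simply be dropped.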
@@ -43,9 +44,10 @@ Source10: README.SuSE
 Patch0: merge_from_0.9.8k.patch
 Patch1: openssl-1.0.0-c_rehash-compat.diff
 Patch2: bug610223.patch
-Patch3: CVE-2010-1633_and_CVE-2010-0742.patch
-Patch4: patchset-19727.diff
-Patch5: CVE-2010-2939.patch
+#Patch3: CVE-2010-1633_and_CVE-2010-0742.patch
+#Patch4: patchset-19727.diff
+#Patch5: CVE-2010-2939.patch
+#Patch6: CVE-2010-3864.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 %description
@@ -175,9 +177,10 @@ Authors:
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
-%patch3 -p1
-%patch4 -p1
-%patch5 -p1
+#%patch3 -p1
+#%patch4 -p1
+#%patch5 -p1
+#%patch6 -p1
 cp -p %{S:10} .
 echo "adding/overwriting some entries in the 'table' hash in Configure"
 # $dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags
@@ -314,8 +317,8 @@ popd
 # check wether some shared library has been installed
 #
 ls -l $RPM_BUILD_ROOT%{_libdir}
-test -f $RPM_BUILD_ROOT%{_libdir}/libssl.so.%{version}
-test -f $RPM_BUILD_ROOT%{_libdir}/libcrypto.so.%{version}
+test -f $RPM_BUILD_ROOT%{_libdir}/libssl.so.%{num_version}
+test -f $RPM_BUILD_ROOT%{_libdir}/libcrypto.so.%{num_version}
 test -L $RPM_BUILD_ROOT%{_libdir}/libssl.so
 test -L $RPM_BUILD_ROOT%{_libdir}/libcrypto.so
 #
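Review bot: The security patches are switched off by commenting out `Patch3`–`Patch5` in the header hunk and `%patch3`–`%patch5` in the %prep hunk instead of being removed, and a `#Patch6: CVE-2010-3864.patch` / `#%patch6 -p1` pair is added already commented out although the diffstat of this commit lists no file of that name. The three patch files are deleted in the same commit, so these lines name sources that no longer exist and make it harder to audit which fixes the build really applies; the only evidence on the page that 1.0.0c carries them is the openssl.changes entry. I would delete the eight commented lines and let the changelog carry the history. If they stay, rpm expands macros inside comment lines, so the %prep entries are safer written as `#%%patch3 -p1`.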
@@ -355,12 +358,12 @@ find demos -type f -perm /111 -exec chmod 644 {} \;
 #process openssllib
 mkdir $RPM_BUILD_ROOT/%{_lib}
-mv $RPM_BUILD_ROOT%{_libdir}/libssl.so.%{version} $RPM_BUILD_ROOT/%{_lib}/
-mv $RPM_BUILD_ROOT%{_libdir}/libcrypto.so.%{version} $RPM_BUILD_ROOT/%{_lib}/
+mv $RPM_BUILD_ROOT%{_libdir}/libssl.so.%{num_version} $RPM_BUILD_ROOT/%{_lib}/
+mv $RPM_BUILD_ROOT%{_libdir}/libcrypto.so.%{num_version} $RPM_BUILD_ROOT/%{_lib}/
 mv $RPM_BUILD_ROOT%{_libdir}/engines $RPM_BUILD_ROOT/%{_lib}/
 cd $RPM_BUILD_ROOT%{_libdir}/
-ln -sf /%{_lib}/libssl.so.%{version} ./libssl.so
-ln -sf /%{_lib}/libcrypto.so.%{version} ./libcrypto.so
+ln -sf /%{_lib}/libssl.so.%{num_version} ./libssl.so
+ln -sf /%{_lib}/libcrypto.so.%{num_version} ./libcrypto.so
 %clean
 if ! test -f /.buildenv; then rm -rf $RPM_BUILD_ROOT; fi
@@ -373,8 +376,8 @@ if ! test -f /.buildenv; then rm -rf $RPM_BUILD_ROOT; fi
 %files -n libopenssl1_0_0
 %defattr(-, root, root)
-/%{_lib}/libssl.so.%{version}
-/%{_lib}/libcrypto.so.%{version}
+/%{_lib}/libssl.so.%{num_version}
+/%{_lib}/libcrypto.so.%{num_version}
 /%{_lib}/engines
 %files -n libopenssl-devel
diff --git a/patchset-19727.diff b/patchset-19727.diff
deleted file mode 100644
index c35578f..0000000
--- a/patchset-19727.diff
+++ /dev/null
@@ -1,189 +0,0 @@ -Index: openssl/crypto/sha/asm/sha1-sparcv9.pl -RCS File: /v/openssl/cvs/openssl/crypto/sha/asm/sha1-sparcv9.pl,v -rcsdiff -q -kk '-r1.2' '-r1.2.2.1' -u '/v/openssl/cvs/openssl/crypto/sha/asm/sha1-sparcv9.pl,v' 2>/dev/null ---- sha1-sparcv9.pl 2007/05/10 06:48:28 1.2 -+++ sha1-sparcv9.pl 2010/07/01 07:57:20 1.2.2.1 -@@ -276,6 +276,7 @@ - .type sha1_block_data_order,#function - .size sha1_block_data_order,(.-sha1_block_data_order) - .asciz "SHA1 block transform for SPARCv9, CRYPTOGAMS by " -+.align 4 - ___ - - $code =~ s/\`([^\`]*)\`/eval $1/gem; -Index: openssl/crypto/sha/asm/sha1-sparcv9a.pl -RCS File: /v/openssl/cvs/openssl/crypto/sha/asm/sha1-sparcv9a.pl,v -rcsdiff -q -kk '-r1.4' '-r1.4.2.1' -u '/v/openssl/cvs/openssl/crypto/sha/asm/sha1-sparcv9a.pl,v' 2>/dev/null ---- sha1-sparcv9a.pl 2009/03/17 18:31:08 1.4 -+++ sha1-sparcv9a.pl 2010/07/01 07:57:20 1.4.2.1 -@@ -539,6 +539,7 @@ - .type sha1_block_data_order,#function - .size sha1_block_data_order,(.-sha1_block_data_order) - .asciz "SHA1 block transform for SPARCv9a, CRYPTOGAMS by " -+.align 4 - ___ - - # Purpose of these subroutines is to explicitly encode VIS instructions, -Index: openssl/crypto/sha/asm/sha512-sparcv9.pl -RCS File: /v/openssl/cvs/openssl/crypto/sha/asm/sha512-sparcv9.pl,v -rcsdiff -q -kk '-r1.4' '-r1.4.2.1' -u '/v/openssl/cvs/openssl/crypto/sha/asm/sha512-sparcv9.pl,v' 2>/dev/null ---- sha512-sparcv9.pl 2009/03/17 18:31:08 1.4 -+++ sha512-sparcv9.pl 2010/07/01 07:57:20 1.4.2.1 -@@ -586,6 +586,7 @@ - .type sha${label}_block_data_order,#function - .size sha${label}_block_data_order,(.-sha${label}_block_data_order) - .asciz "SHA${label} block transform for SPARCv9, CRYPTOGAMS by " -+.align 4 - ___ - - $code =~ s/\`([^\`]*)\`/eval $1/gem; -Index: openssl/crypto/sparccpuid.S -RCS File: /v/openssl/cvs/openssl/crypto/sparccpuid.S,v -rcsdiff -q -kk '-r1.5.2.2' '-r1.5.2.3' -u '/v/openssl/cvs/openssl/crypto/sparccpuid.S,v' 2>/dev/null ---- sparccpuid.S 2010/04/10 13:37:06 1.5.2.2 -+++ 
sparccpuid.S 2010/07/01 07:57:19 1.5.2.3 -@@ -225,13 +225,33 @@ - xor %o0,%o0,%o0 - .word 0x91410000 !rd %tick,%o0 - retl -- .word 0x93323020 !srlx %o2,32,%o1 -+ .word 0x93323020 !srlx %o0,32,%o1 - .notick: - retl - xor %o1,%o1,%o1 - .type _sparcv9_rdtick,#function - .size _sparcv9_rdtick,.-_sparcv9_rdtick - -+.global _sparcv9_rdwrasi -+.align 8 -+_sparcv9_rdwrasi: -+ .word 0x9340c000 !rd %asi,%o1 -+ .word 0x87820000 !wr %o0,%g0,%asi -+ retl -+ mov %o1,%o0 -+.type _sparcv9_rdwrasi,#function -+.size _sparcv9_rdwrasi,.-_sparcv9_rdwrasi -+ -+.global _sparcv9_vis1_probe -+.align 8 -+_sparcv9_vis1_probe: -+ .word 0x81b00c20 !fzeros %f0 -+ .word 0xc19ba002+BIAS !ldda [%sp+BIAS+2]%asi,%f0 -+ retl -+ nop -+.type _sparcv9_vis1_probe,#function -+.size _sparcv9_vis1_probe,.-_sparcv9_vis1_probe -+ - .global OPENSSL_cleanse - .align 32 - OPENSSL_cleanse: -Index: openssl/crypto/sparcv9cap.c -RCS File: /v/openssl/cvs/openssl/crypto/sparcv9cap.c,v -rcsdiff -q -kk '-r1.6' '-r1.6.2.1' -u '/v/openssl/cvs/openssl/crypto/sparcv9cap.c,v' 2>/dev/null ---- sparcv9cap.c 2007/06/20 13:02:34 1.6 -+++ sparcv9cap.c 2010/07/01 07:57:19 1.6.2.1 -@@ -1,6 +1,8 @@ - #include - #include - #include -+#include -+#include - #include - #include - -@@ -9,6 +11,7 @@ - #define SPARCV9_VIS1 (1<<2) - #define SPARCV9_VIS2 (1<<3) /* reserved */ - #define SPARCV9_FMADD (1<<4) /* reserved for SPARC64 V */ -+ - static int OPENSSL_sparcv9cap_P=SPARCV9_TICK_PRIVILEGED; - - int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, const BN_ULONG *np,const BN_ULONG *n0, int num) -@@ -23,10 +26,12 @@ - return bn_mul_mont_int(rp,ap,bp,np,n0,num); - } - -+unsigned long _sparcv9_rdtick(void); -+unsigned long _sparcv9_rdwrasi(unsigned long); -+void _sparcv9_vis1_probe(void); -+ - unsigned long OPENSSL_rdtsc(void) - { -- unsigned long _sparcv9_rdtick(void); -- - if (OPENSSL_sparcv9cap_P&SPARCV9_TICK_PRIVILEGED) - #if defined(__sun) && defined(__SVR4) - return gethrtime(); -@@ -137,9 +142,16 @@ - - #else - 
-+static sigjmp_buf common_jmp; -+static void common_handler(int sig) { siglongjmp(common_jmp,sig); } -+ - void OPENSSL_cpuid_setup(void) - { - char *e; -+ struct sigaction common_act,ill_oact,bus_oact; -+ sigset_t all_masked,oset; -+ unsigned long oasi; -+ int sig; - - if ((e=getenv("OPENSSL_sparcv9cap"))) - { -@@ -149,6 +161,55 @@ - - /* For now we assume that the rest supports UltraSPARC-I* only */ - OPENSSL_sparcv9cap_P |= SPARCV9_PREFER_FPU|SPARCV9_VIS1; -+ -+ sigfillset(&all_masked); -+ sigdelset(&all_masked,SIGILL); -+ sigdelset(&all_masked,SIGTRAP); -+#ifdef SIGEMT -+ sigdelset(&all_masked,SIGEMT); -+#endif -+ sigdelset(&all_masked,SIGFPE); -+ sigdelset(&all_masked,SIGBUS); -+ sigdelset(&all_masked,SIGSEGV); -+ sigprocmask(SIG_SETMASK,&all_masked,&oset); -+ -+ memset(&common_act,0,sizeof(common_act)); -+ common_act.sa_handler = common_handler; -+ common_act.sa_mask = all_masked; -+ -+ sigaction(SIGILL,&common_act,&ill_oact); -+ sigaction(SIGBUS,&common_act,&bus_oact);/* T1 fails 16-bit ldda */ -+ oasi = _sparcv9_rdwrasi(0xD2); /* ASI_FL16_P */ -+ if ((sig=sigsetjmp(common_jmp,0)) == 0) -+ { -+ _sparcv9_vis1_probe(); -+ OPENSSL_sparcv9cap_P |= SPARCV9_VIS1; -+ } -+ else if (sig == SIGBUS) /* T1 fails 16-bit ldda */ -+ { -+ OPENSSL_sparcv9cap_P &= ~SPARCV9_PREFER_FPU; -+ } -+ else -+ { -+ OPENSSL_sparcv9cap_P &= ~SPARCV9_VIS1; -+ } -+ _sparcv9_rdwrasi(oasi); -+ sigaction(SIGBUS,&bus_oact,NULL); -+ sigaction(SIGILL,&ill_oact,NULL); -+ -+ sigaction(SIGILL,&common_act,&ill_oact); -+ if (sigsetjmp(common_jmp,0) == 0) -+ { -+ _sparcv9_rdtick(); -+ OPENSSL_sparcv9cap_P &= ~SPARCV9_TICK_PRIVILEGED; -+ } -+ else -+ { -+ OPENSSL_sparcv9cap_P |= SPARCV9_TICK_PRIVILEGED; -+ } -+ sigaction(SIGILL,&ill_oact,NULL); -+ -+ sigprocmask(SIG_SETMASK,&oset,NULL); - } - - #endif