From 483bcc84c183edb082fb532a903bad274ef82c458f6a31cd385265bb5d1f0c79 Mon Sep 17 00:00:00 2001
From: Stephan Kulow
Date: Tue, 30 Jul 2013 16:42:57 +0000
Subject: [PATCH] Accepting request 184582 from Base:System
- compression_methods_switch.patch: Disable compression by default to avoid the CRIME attack (CVE-2012-4929 bnc#793420) Can be override by setting environment variable OPENSSL_NO_DEFAULT_ZLIB=no
OBS-URL: https://build.opensuse.org/request/show/184582
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=92
---
 compression_methods_switch.patch | 46 ++++++++++++++++++++++++++++++++
 openssl.changes | 9 +++++++
 openssl.spec | 2 ++
 3 files changed, 57 insertions(+)
 create mode 100644 compression_methods_switch.patch
diff --git a/compression_methods_switch.patch b/compression_methods_switch.patch
new file mode 100644
index 0000000..0b0bb6e
--- /dev/null
+++ b/compression_methods_switch.patch
@@ -0,0 +1,46 @@
+Index: openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod
+===================================================================
+--- openssl-1.0.1e.orig/doc/ssl/SSL_COMP_add_compression_method.pod
++++ openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod
+@@ -41,6 +41,24 @@ of compression methods supported on a pe
+ The OpenSSL library has the compression methods B and (when
+ especially enabled during compilation) B available.
++And, there is an environment variable to switch the compression
++methods off and on. In default the compression is off to mitigate
++the so called CRIME attack ( CVE-2012-4929). If you want to enable
++compression again set OPENSSL_NO_DEFAULT_ZLIB to "no".
++
++The variable can be switched on and off at runtime; when this variable
++is set "no" compression is enabled, otherwise no, for example:
++
++in shell 'export OPENSSL_NO_DEFAULT_ZLIB=no'
++or in C to call
++int setenv(const char *name, const char *value, int overwrite); and
++int unsetenv(const char *name);
++
++Note: This reverts the behavior of the variable as it was before!
++
++And pay attention that this freaure is temporary, it maybe changed by
++the following updates.
++
+ =head1 WARNINGS
+
+ Once the identities of the compression methods for the TLS protocol have
+Index: openssl-1.0.1e/ssl/ssl_ciph.c
+===================================================================
+--- openssl-1.0.1e.orig/ssl/ssl_ciph.c
++++ openssl-1.0.1e/ssl/ssl_ciph.c
+@@ -455,7 +455,11 @@ static void load_builtin_compressions(vo
+
+ MemCheck_off();
+ ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp);
+- if (ssl_comp_methods != NULL)
++
++ if( getenv("OPENSSL_NO_DEFAULT_ZLIB") == NULL)
++ setenv("OPENSSL_NO_DEFAULT_ZLIB", "yes", 1);
++
++ if (ssl_comp_methods != NULL && strncmp( getenv("OPENSSL_NO_DEFAULT_ZLIB"), "no", 2) == 0)
+ {
+ comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
+ if (comp != NULL)
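Review bot: The new condition in load_builtin_compressions() feeds the result of getenv() straight into strncmp(), so if the preceding setenv() fails (e.g. ENOMEM) getenv() returns NULL and strncmp() dereferences it. The 2-byte strncmp() is also only a prefix match, so any value beginning with "no" ("none", "nothing") re-enables compression, and having a library call setenv() mutates the host process's environment, which is an unexpected side effect and is not safe against concurrent getenv() in other threads. Reading the variable once and comparing it exactly removes all three issues and makes the setenv() block unnecessary: `const char *zlib_env = getenv("OPENSSL_NO_DEFAULT_ZLIB");` followed by `if (ssl_comp_methods != NULL && zlib_env != NULL && strcmp(zlib_env, "no") == 0)`. Because the variable re-enables a feature that was disabled for CVE-2012-4929, it may also be worth ignoring it in set-user-ID processes (secure_getenv() where the libc provides it), though whether that matters depends on how this library is consumed. load_builtin_compressions() starts and ends outside the hunk; the pod hunk also has a typo ("freaure" for "feature"), and its "reverts the behavior of the variable" note would read better as a concrete statement of what the old meaning was.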
diff --git a/openssl.changes b/openssl.changes
index d62d933..f531d23 100644
--- a/openssl.changes
+++ b/openssl.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Mon Jul 29 08:06:48 UTC 2013 - meissner@suse.com
+
+- compression_methods_switch.patch: Disable compression by default to
+ avoid the CRIME attack (CVE-2012-4929 bnc#793420)
+
+ Can be override by setting environment variable
+ OPENSSL_NO_DEFAULT_ZLIB=no
+
 -------------------------------------------------------------------
 Tue Jul 2 09:02:59 UTC 2013 - lnussel@suse.de
diff --git a/openssl.spec b/openssl.spec
index ba57035..e473bef 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -49,6 +49,7 @@ Patch4: VIA_padlock_support_on_64systems.patch
 # PATCH-FIX-UPSTREAM http://rt.openssl.org/Ticket/Attachment/WithHeaders/20049
 Patch5: openssl-fix-pod-syntax.diff
 Patch6: openssl-1.0.1e-truststore.diff
+Patch7: compression_methods_switch.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 %description
@@ -131,6 +132,7 @@ this package's base documentation.
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1
 cp -p %{S:10} .
 echo "adding/overwriting some entries in the 'table' hash in Configure"
 # $dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags