Accepting request 184582 from Base:System

- compression_methods_switch.patch: Disable compression by default to avoid the CRIME attack (CVE-2012-4929 bnc#793420) Can be override by setting environment variable OPENSSL_NO_DEFAULT_ZLIB=no OBS-URL: https://build.opensuse.org/request/show/184582 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=92
2013-07-30 16:42:57 +00:00 · 2013-07-30 16:42:57 +00:00 · 483bcc84c1
commit 483bcc84c1
parent bb5cf13064
3 changed files with 57 additions and 0 deletions
--- a/compression_methods_switch.patch
+++ b/compression_methods_switch.patch
@ -0,0 +1,46 @@
 Index: openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod
 ===================================================================
 --- openssl-1.0.1e.orig/doc/ssl/SSL_COMP_add_compression_method.pod
 +++ openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod
@@ -41,6 +41,24 @@ of compression methods supported on a pe
 The OpenSSL library has the compression methods B<COMP_rle()> and (when
 especially enabled during compilation) B<COMP_zlib()> available.
 +And, there is an environment variable to switch the compression
 +methods off and on. In default the compression is off to mitigate 
 +the so called CRIME attack ( CVE-2012-4929). If you want to enable 
 +compression again set OPENSSL_NO_DEFAULT_ZLIB to "no".
 +
 +The variable can be switched on and off at runtime; when this variable
 +is set "no" compression is enabled, otherwise no, for example:
 +
 +in shell 'export OPENSSL_NO_DEFAULT_ZLIB=no'
 +or in C to call
 +int setenv(const char *name, const char *value, int overwrite); and
 +int unsetenv(const char *name);
 +
 +Note: This reverts the behavior of the variable as it was before!
 +
 +And pay attention that this freaure is temporary, it maybe changed by
 +the following updates.
 +
 =head1 WARNINGS
 Once the identities of the compression methods for the TLS protocol have
 Index: openssl-1.0.1e/ssl/ssl_ciph.c
 ===================================================================
 --- openssl-1.0.1e.orig/ssl/ssl_ciph.c
 +++ openssl-1.0.1e/ssl/ssl_ciph.c
@@ -455,7 +455,11 @@ static void load_builtin_compressions(vo
 			MemCheck_off();
 			ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp);
 -			if (ssl_comp_methods != NULL)
 +
 +			if( getenv("OPENSSL_NO_DEFAULT_ZLIB") == NULL)
 +				setenv("OPENSSL_NO_DEFAULT_ZLIB", "yes", 1);
 +
 +			if (ssl_comp_methods != NULL && strncmp( getenv("OPENSSL_NO_DEFAULT_ZLIB"), "no", 2) == 0)
 				{
 				comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
 				if (comp != NULL)
--- a/openssl.changes
+++ b/openssl.changes
@ -1,3 +1,12 @@
 -------------------------------------------------------------------
 Mon Jul 29 08:06:48 UTC 2013 - meissner@suse.com
 - compression_methods_switch.patch: Disable compression by default to
  avoid the CRIME attack (CVE-2012-4929 bnc#793420)
  Can be override by setting environment variable
      OPENSSL_NO_DEFAULT_ZLIB=no
 -------------------------------------------------------------------
 Tue Jul  2 09:02:59 UTC 2013 - lnussel@suse.de
--- a/openssl.spec
+++ b/openssl.spec
@ -49,6 +49,7 @@ Patch4:         VIA_padlock_support_on_64systems.patch
 # PATCH-FIX-UPSTREAM http://rt.openssl.org/Ticket/Attachment/WithHeaders/20049
 Patch5:         openssl-fix-pod-syntax.diff
 Patch6:         openssl-1.0.1e-truststore.diff
 Patch7:         compression_methods_switch.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %description
@ -131,6 +132,7 @@ this package's base documentation.
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
 cp -p %{S:10} .
 echo "adding/overwriting some entries in the 'table' hash in Configure"
 # $dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags