Accepting request 184582 from Base:System

- compression_methods_switch.patch: Disable compression by default to avoid the CRIME attack (CVE-2012-4929 bnc#793420) Can be override by setting environment variable OPENSSL_NO_DEFAULT_ZLIB=no OBS-URL: https://build.opensuse.org/request/show/184582 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=92
2013-07-30 16:42:57 +00:00 · 2013-07-30 16:42:57 +00:00 · 483bcc84c1
commit 483bcc84c1
parent bb5cf13064
3 changed files with 57 additions and 0 deletions
--- a/compression_methods_switch.patch
+++ b/compression_methods_switch.patch
@ -0,0 +1,46 @@
+Index: openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod
+===================================================================
+--- openssl-1.0.1e.orig/doc/ssl/SSL_COMP_add_compression_method.pod
+++ openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod
+@@ -41,6 +41,24 @@ of compression methods supported on a pe
+ The OpenSSL library has the compression methods B<COMP_rle()> and (when
+ especially enabled during compilation) B<COMP_zlib()> available.
+ 
+And, there is an environment variable to switch the compression
+methods off and on. In default the compression is off to mitigate 
+the so called CRIME attack ( CVE-2012-4929). If you want to enable 
+compression again set OPENSSL_NO_DEFAULT_ZLIB to "no".
+
+The variable can be switched on and off at runtime; when this variable
+is set "no" compression is enabled, otherwise no, for example:
+
+in shell 'export OPENSSL_NO_DEFAULT_ZLIB=no'
+or in C to call
+int setenv(const char *name, const char *value, int overwrite); and
+int unsetenv(const char *name);
+
+Note: This reverts the behavior of the variable as it was before!
+
+And pay attention that this freaure is temporary, it maybe changed by
+the following updates.
+
+ =head1 WARNINGS
+ 
+ Once the identities of the compression methods for the TLS protocol have
+Index: openssl-1.0.1e/ssl/ssl_ciph.c
+===================================================================
+--- openssl-1.0.1e.orig/ssl/ssl_ciph.c
+++ openssl-1.0.1e/ssl/ssl_ciph.c
+@@ -455,7 +455,11 @@ static void load_builtin_compressions(vo
+ 
+ 			MemCheck_off();
+ 			ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp);
+-			if (ssl_comp_methods != NULL)
+
+			if( getenv("OPENSSL_NO_DEFAULT_ZLIB") == NULL)
+				setenv("OPENSSL_NO_DEFAULT_ZLIB", "yes", 1);
+
+			if (ssl_comp_methods != NULL && strncmp( getenv("OPENSSL_NO_DEFAULT_ZLIB"), "no", 2) == 0)
+ 				{
+ 				comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
+ 				if (comp != NULL)
--- a/openssl.changes
+++ b/openssl.changes
@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Mon Jul 29 08:06:48 UTC 2013 - meissner@suse.com
+
+- compression_methods_switch.patch: Disable compression by default to
+  avoid the CRIME attack (CVE-2012-4929 bnc#793420)
+
+  Can be override by setting environment variable
+      OPENSSL_NO_DEFAULT_ZLIB=no
+
 -------------------------------------------------------------------
 Tue Jul  2 09:02:59 UTC 2013 - lnussel@suse.de

--- a/openssl.spec
+++ b/openssl.spec
@ -49,6 +49,7 @@ Patch4:         VIA_padlock_support_on_64systems.patch
 # PATCH-FIX-UPSTREAM http://rt.openssl.org/Ticket/Attachment/WithHeaders/20049
 Patch5:         openssl-fix-pod-syntax.diff
 Patch6:         openssl-1.0.1e-truststore.diff
+Patch7:         compression_methods_switch.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build

 %description
@ -131,6 +132,7 @@ this package's base documentation.
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1
 cp -p %{S:10} .
 echo "adding/overwriting some entries in the 'table' hash in Configure"
 # $dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags