diff --git a/bswap.diff b/bswap.diff deleted file mode 100644 index fd2e945..0000000 --- a/bswap.diff +++ /dev/null @@ -1,13 +0,0 @@ -Index: crypto/camellia/cmll_locl.h -=================================================================== ---- crypto/camellia/cmll_locl.h.orig -+++ crypto/camellia/cmll_locl.h -@@ -97,7 +97,7 @@ extern "C" { - (ct)[2] = (u8)((st) >> 8); \ - (ct)[3] = (u8)(st); } - --#if (defined (__GNUC__) && (defined(__x86_64__) || defined(__x86_64))) -+#if (defined (__GNUC__) && (defined(__x86_64__) || defined(__x86_64) || defined(i386))) - #define CAMELLIA_SWAP4(x) \ - do{\ - asm("bswap %1" : "+r" (x));\ diff --git a/bug-526319_openssl-0.9.8k-no-extssl.patch b/bug-526319_openssl-0.9.8k-no-extssl.patch deleted file mode 100644 index a60f4c8..0000000 --- a/bug-526319_openssl-0.9.8k-no-extssl.patch +++ /dev/null @@ -1,27 +0,0 @@ -diff -up openssl-0.9.8g/ssl/t1_lib.c.no-extssl openssl-0.9.8g/ssl/t1_lib.c ---- openssl-0.9.8g/ssl/t1_lib.c.no-extssl 2007-10-19 09:44:10.000000000 +0200 -+++ openssl-0.9.8g/ssl/t1_lib.c 2008-08-10 21:42:11.000000000 +0200 -@@ -132,6 +132,11 @@ unsigned char *ssl_add_clienthello_tlsex - int extdatalen=0; - unsigned char *ret = p; - -+ if (s->client_version != TLS1_VERSION && s->client_version != DTLS1_VERSION) -+ { -+ return ret; -+ } -+ - ret+=2; - - if (ret>=limit) return NULL; /* this really never occurs, but ... */ -@@ -202,6 +207,11 @@ unsigned char *ssl_add_serverhello_tlsex - int extdatalen=0; - unsigned char *ret = p; - -+ if (s->version != TLS1_VERSION && s->version != DTLS1_VERSION) -+ { -+ return ret; -+ } -+ - ret+=2; - if (ret>=limit) return NULL; /* this really never occurs, but ... */ - diff --git a/disable-optimization-for-s390x.diff b/disable-optimization-for-s390x.diff deleted file mode 100644 index 0a06f8f..0000000 --- a/disable-optimization-for-s390x.diff +++ /dev/null 
@@ -1,31 +0,0 @@ -Index: crypto/ripemd/Makefile -=================================================================== ---- crypto/ripemd/Makefile.orig -+++ crypto/ripemd/Makefile -@@ -13,7 +13,7 @@ AR= ar r - - RIP_ASM_OBJ= - --CFLAGS= $(INCLUDES) $(CFLAG) -+CFLAGS= $(INCLUDES) $(CFLAG) -O0 - ASFLAGS= $(INCLUDES) $(ASFLAG) - AFLAGS= $(ASFLAGS) - -Index: crypto/md4/Makefile -=================================================================== ---- crypto/md4/Makefile.orig -+++ crypto/md4/Makefile -@@ -7,11 +7,11 @@ TOP= ../.. - CC= cc - CPP= $(CC) -E - INCLUDES= --CFLAG=-g -+CFLAG=-g - MAKEFILE= Makefile - AR= ar r - --CFLAGS= $(INCLUDES) $(CFLAG) -+CFLAGS= $(INCLUDES) $(CFLAG) -O0 - - GENERAL=Makefile - TEST=md4test.c diff --git a/func-parm-err.patch b/func-parm-err.patch deleted file mode 100644 index 3ce9d25..0000000 --- a/func-parm-err.patch +++ /dev/null @@ -1,13 +0,0 @@ -Index: openssl-0.9.8k/crypto/x509/x509_att.c -=================================================================== ---- openssl-0.9.8k.orig/crypto/x509/x509_att.c -+++ openssl-0.9.8k/crypto/x509/x509_att.c -@@ -312,7 +312,7 @@ int X509_ATTRIBUTE_set1_data(X509_ATTRIB - if(!(ttmp = ASN1_TYPE_new())) goto err; - if ((len == -1) && !(attrtype & MBSTRING_FLAG)) - { -- if (!ASN1_TYPE_set1(ttmp, attrtype, data)) -+ if (!ASN1_TYPE_set1(ttmp, attrtype, stmp)) - goto err; - } - else diff --git a/merge_from_0_9_8k.patch b/merge_from_0_9_8k.patch new file mode 100644 index 0000000..8ac481a --- /dev/null +++ b/merge_from_0_9_8k.patch 
@@ -0,0 +1,99 @@ +Index: openssl-0.9.8m/Configure +=================================================================== +--- openssl-0.9.8m.orig/Configure ++++ openssl-0.9.8m/Configure +@@ -874,7 +874,7 @@ PROCESS_ARGS: + } + else + { +- die "target already defined - $target (offending arg: $_)\n" if ($target ne ""); ++ warn "target already defined - $target (offending arg: $_)\n" if ($target ne ""); + $target=$_; + } + +@@ -1123,7 +1123,7 @@ else { $lflags=$prelflags; undef $pre + my $no_shared_warn=0; + my $no_user_cflags=0; + +-if ($flags ne "") { $cflags="$flags$cflags"; } ++if ($flags ne "") { $cflags="$cflags $flags"; } + else { $no_user_cflags=1; } + + # Kerberos settings. The flavor must be provided from outside, either through +Index: openssl-0.9.8m/config +=================================================================== +--- openssl-0.9.8m.orig/config ++++ openssl-0.9.8m/config +@@ -526,7 +526,8 @@ case "$GUESSOS" in + ppc-apple-darwin*) OUT="darwin-ppc-cc" ;; + i386-apple-darwin*) OUT="darwin-i386-cc" ;; + alpha-*-linux2) +- ISA=`awk '/cpu model/{print$4;exit(0);}' /proc/cpuinfo` ++ #ISA=`awk '/cpu model/{print$4;exit(0);}' /proc/cpuinfo` ++ ISA=EV56 + case ${ISA:-generic} in + *[678]) OUT="linux-alpha+bwx-$CC" ;; + *) OUT="linux-alpha-$CC" ;; +@@ -546,7 +547,8 @@ case "$GUESSOS" in + echo " You have about 5 seconds to press Ctrl-C to abort." + (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1 + fi +- OUT="linux-ppc" ++ # we have the target and force it here ++ OUT="linux-ppc64" + ;; + ppc-*-linux2) OUT="linux-ppc" ;; + ia64-*-linux?) 
OUT="linux-ia64" ;; +@@ -562,10 +564,10 @@ case "$GUESSOS" in + sparc-*-linux2) + KARCH=`awk '/^type/{print$3;exit(0);}' /proc/cpuinfo` + case ${KARCH:-sun4} in +- sun4u*) OUT="linux-sparcv9" ;; +- sun4m) OUT="linux-sparcv8" ;; +- sun4d) OUT="linux-sparcv8" ;; +- *) OUT="linux-generic32"; options="$options -DB_ENDIAN" ;; ++# sun4u*) OUT="linux-sparcv9" ;; ++# sun4m) OUT="linux-sparcv8" ;; ++# sun4d) OUT="linux-sparcv8" ;; ++ *) OUT="linux-sparcv8" ;; + esac ;; + parisc*-*-linux2) + # 64-bit builds under parisc64 linux are not supported and +@@ -584,7 +586,11 @@ case "$GUESSOS" in + # PA8500 -> 8000 (2.0) + # PA8600 -> 8000 (2.0) + +- CPUSCHEDULE=`echo $CPUSCHEDULE|sed -e 's/7300LC/7100LC/' -e 's/8.00/8000/'` ++ # CPUSCHEDULE=`echo $CPUSCHEDULE|sed -e 's/7300LC/7100LC/' -e 's/8?00/8000/'` ++ # lets have CPUSCHEDULE for 1.1: ++ CPUSCHEDULE=7100LC ++ # we want to support 1.1 CPUs as well: ++ CPUARCH=1.1 + # Finish Model transformations + + options="$options -DB_ENDIAN -mschedule=$CPUSCHEDULE -march=$CPUARCH" +Index: openssl-0.9.8m/crypto/camellia/cmll_locl.h +=================================================================== +--- openssl-0.9.8m.orig/crypto/camellia/cmll_locl.h ++++ openssl-0.9.8m/crypto/camellia/cmll_locl.h +@@ -97,7 +97,7 @@ extern "C" { + (ct)[2] = (u8)((st) >> 8); \ + (ct)[3] = (u8)(st); } + +-#if (defined (__GNUC__) && (defined(__x86_64__) || defined(__x86_64))) ++#if (defined (__GNUC__) && (defined(__x86_64__) || defined(__x86_64) || defined(i386))) + #define CAMELLIA_SWAP4(x) \ + do{\ + asm("bswap %1" : "+r" (x));\ +Index: openssl-0.9.8m/crypto/perlasm/x86unix.pl +=================================================================== +--- openssl-0.9.8m.orig/crypto/perlasm/x86unix.pl ++++ openssl-0.9.8m/crypto/perlasm/x86unix.pl +@@ -557,6 +557,7 @@ sub main'file_end + push(@out,$const); + $const=""; + } ++ push(@out, ".section .note.GNU-stack,\"\",\@progbits"); + } + + sub main'data_byte 
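Review bot: In the crypto/perlasm/x86unix.pl section of merge_from_0_9_8k.patch, the `.note.GNU-stack` line added to `main'file_end` is pushed without a trailing newline, so the marker that keeps the stack non-executable ends up as an unterminated last line and relies on the assembler tolerating that; `main'file_end` itself starts above the quoted context. I would terminate it: `push(@out, ".section .note.GNU-stack,\"\",\@progbits\n");`. The directive covers only assembly generated through this script, so the package build should confirm the result, for example by checking that `readelf -lW` on the shipped libcrypto and libssl reports `GNU_STACK` as `RW` and not `RWE`. Separately, the cmll_locl.h section tests `defined(i386)`, which GCC does not predefine in strict ISO modes such as `-std=c99`; `defined(__i386__)` is the spelling that always holds.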
diff --git a/non-exec-stack.diff b/non-exec-stack.diff deleted file mode 100644 index 9dd9f97..0000000 --- a/non-exec-stack.diff +++ /dev/null @@ -1,12 +0,0 @@ -Index: crypto/perlasm/x86unix.pl -=================================================================== ---- crypto/perlasm/x86unix.pl.orig -+++ crypto/perlasm/x86unix.pl -@@ -557,6 +557,7 @@ sub main'file_end - push(@out,$const); - $const=""; - } -+ push(@out, ".section .note.GNU-stack,\"\",\@progbits"); - } - - sub main'data_byte diff --git a/openssl-0.9.6g-alpha.diff b/openssl-0.9.6g-alpha.diff deleted file mode 100644 index 4fc98ca..0000000 --- a/openssl-0.9.6g-alpha.diff +++ /dev/null @@ -1,12 +0,0 @@ ---- openssl-0.9.8a/config -+++ openssl-0.9.8a/config -@@ -520,7 +520,8 @@ - ppc-apple-darwin*) OUT="darwin-ppc-cc" ;; - i386-apple-darwin*) OUT="darwin-i386-cc" ;; - alpha-*-linux2) -- ISA=`awk '/cpu model/{print$4;exit(0);}' /proc/cpuinfo` -+ #ISA=`awk '/cpu model/{print$4;exit(0);}' /proc/cpuinfo` -+ ISA=EV56 - case ${ISA:-generic} in - *[678]) OUT="linux-alpha+bwx-$CC" ;; - *) OUT="linux-alpha-$CC" ;; diff --git a/openssl-0.9.7f-ppc64.diff b/openssl-0.9.7f-ppc64.diff deleted file mode 100644 index c17117e..0000000 --- a/openssl-0.9.7f-ppc64.diff +++ /dev/null @@ -1,12 +0,0 @@ ---- openssl-0.9.8a/config -+++ openssl-0.9.8a/config -@@ -540,7 +540,8 @@ - echo " You have about 5 seconds to press Ctrl-C to abort." - (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1 - fi -- OUT="linux-ppc" -+ # we have the target and force it here -+ OUT="linux-ppc64" - ;; - ppc-*-linux2) OUT="linux-ppc" ;; - ia64-*-linux?) OUT="linux-ia64" ;; diff --git a/openssl-0.9.8-flags-priority.dif b/openssl-0.9.8-flags-priority.dif deleted file mode 100644 index c16aeef..0000000 --- a/openssl-0.9.8-flags-priority.dif +++ /dev/null 
@@ -1,11 +0,0 @@ ---- openssl-0.9.8/Configure.orig 2005-07-05 01:24:11.000000000 +0200 -+++ openssl-0.9.8/Configure 2005-07-06 15:16:50.481056819 +0200 -@@ -957,7 +957,7 @@ - my $no_shared_warn=0; - my $no_user_cflags=0; - --if ($flags ne "") { $cflags="$flags$cflags"; } -+if ($flags ne "") { $cflags="$cflags $flags"; } - else { $no_user_cflags=1; } - - # Kerberos settings. The flavor must be provided from outside, either through diff --git a/openssl-0.9.8-sparc.dif b/openssl-0.9.8-sparc.dif deleted file mode 100644 index 46f5c47..0000000 --- a/openssl-0.9.8-sparc.dif +++ /dev/null @@ -1,17 +0,0 @@ ---- openssl-0.9.8/config.orig 2005-06-26 20:10:20.000000000 +0200 -+++ openssl-0.9.8/config 2005-07-06 15:03:56.144875647 +0200 -@@ -558,10 +558,10 @@ - sparc-*-linux2) - KARCH=`awk '/^type/{print$3;exit(0);}' /proc/cpuinfo` - case ${KARCH:-sun4} in -- sun4u*) OUT="linux-sparcv9" ;; -- sun4m) OUT="linux-sparcv8" ;; -- sun4d) OUT="linux-sparcv8" ;; -- *) OUT="linux-generic32"; options="$options -DB_ENDIAN" ;; -+# sun4u*) OUT="linux-sparcv9" ;; -+# sun4m) OUT="linux-sparcv8" ;; -+# sun4d) OUT="linux-sparcv8" ;; -+ *) OUT="linux-sparcv8" ;; - esac ;; - parisc*-*-linux2) - # 64-bit builds under parisc64 linux are not supported and diff --git a/openssl-0.9.8a.ca-app-segfault.bug128655.dif b/openssl-0.9.8a.ca-app-segfault.bug128655.dif deleted file mode 100644 index 4c1f46b..0000000 --- a/openssl-0.9.8a.ca-app-segfault.bug128655.dif +++ /dev/null @@ -1,12 +0,0 @@ ---- openssl-0.9.8a/apps/ca.c -+++ openssl-0.9.8a/apps/ca.c -@@ -1515,7 +1515,8 @@ - if (free_key && key) - OPENSSL_free(key); - BN_free(serial); -- free_index(db); -+ if (db) -+ free_index(db); - EVP_PKEY_free(pkey); - if (x509) X509_free(x509); - X509_CRL_free(crl); diff --git a/openssl-0.9.8k.tar.bz2 b/openssl-0.9.8k.tar.bz2 deleted file mode 100644 index 9f90e39..0000000 --- a/openssl-0.9.8k.tar.bz2 +++ /dev/null 
@@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:b51b8d0974be7936545020c096fe6e3bf454fdcc7bf798f7c01c46d492c7438c -size 3092074 diff --git a/openssl-0.9.8m.tar.bz2 b/openssl-0.9.8m.tar.bz2 new file mode 100644 index 0000000..a427209 --- /dev/null +++ b/openssl-0.9.8m.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4752c8fb0de6225d0a714183f23e23fd57752bcb908cba93f0adf15d4319cd80 +size 2968475 diff --git a/openssl-CVE-2010-0740.patch b/openssl-CVE-2010-0740.patch new file mode 100644 index 0000000..9815b8d --- /dev/null +++ b/openssl-CVE-2010-0740.patch @@ -0,0 +1,17 @@ +Index: openssl-0.9.8m/ssl/s3_pkt.c +=================================================================== +--- openssl-0.9.8m.orig/ssl/s3_pkt.c ++++ openssl-0.9.8m/ssl/s3_pkt.c +@@ -291,9 +291,9 @@ again: + if (version != s->version) + { + SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER); +- /* Send back error using their +- * version number :-) */ +- s->version=version; ++ if ((s->version & 0xFF00) == (version & 0xFF00)) ++ /* Send back error using their minor version number :-) */ ++ s->version = (unsigned short)version; + al=SSL_AD_PROTOCOL_VERSION; + goto f_err; + } diff --git a/openssl-allow-arch.diff b/openssl-allow-arch.diff deleted file mode 100644 index 20533c9..0000000 --- a/openssl-allow-arch.diff +++ /dev/null @@ -1,17 +0,0 @@ ---- - Configure | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -Index: openssl-0.9.8k/Configure -=================================================================== ---- openssl-0.9.8k.orig/Configure -+++ openssl-0.9.8k/Configure -@@ -857,7 +857,7 @@ PROCESS_ARGS: - } - else - { -- die "target already defined - $target (offending arg: $_)\n" if ($target ne ""); -+ warn "target already defined - $target (offending arg: $_)\n" if ($target ne ""); - $target=$_; - } - diff --git a/openssl-hppa-config.diff b/openssl-hppa-config.diff deleted file mode 100644 index 7490646..0000000 
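Review bot: In openssl-CVE-2010-0740.patch the new guard in ssl/s3_pkt.c is an unbraced `if` whose single statement sits below a comment, so a line added under it later would run regardless of the major-version comparison the fix depends on. I would brace it, `if ((s->version & 0xFF00) == (version & 0xFF00)) { s->version = (unsigned short)version; }`, keeping the comment inside the braces. The patch file also has no header saying where the change comes from; one description line naming CVE-2010-0740 and bnc#590833, as the changelog does, would tell a later maintainer when it can be dropped. The enclosing function starts and ends outside the hunk.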
--- a/openssl-hppa-config.diff +++ /dev/null @@ -1,15 +0,0 @@ ---- config -+++ config -@@ -579,7 +579,11 @@ - # PA8500 -> 8000 (2.0) - # PA8600 -> 8000 (2.0) - -- CPUSCHEDULE=`echo $CPUSCHEDULE|sed -e 's/7300LC/7100LC/' -e 's/8.00/8000/'` -+ # CPUSCHEDULE=`echo $CPUSCHEDULE|sed -e 's/7300LC/7100LC/' -e 's/8?00/8000/'` -+ # lets have CPUSCHEDULE for 1.1: -+ CPUSCHEDULE=7100LC -+ # we want to support 1.1 CPUs as well: -+ CPUARCH=1.1 - # Finish Model transformations - - options="$options -DB_ENDIAN -mschedule=$CPUSCHEDULE -march=$CPUARCH" diff --git a/openssl.changes b/openssl.changes index 3ddf680..cf51f2b 100644 --- a/openssl.changes +++ b/openssl.changes @@ -1,3 +1,23 @@ +------------------------------------------------------------------- +Thu Mar 25 02:18:22 UTC 2010 - gjhe@novell.com + +- fix security bug [bnc#590833] + CVE-2010-0740 + +------------------------------------------------------------------- +Mon Mar 22 06:29:14 UTC 2010 - gjhe@novell.com + +- update to version 0.9.8m + Merge the following patches from 0.9.8k: + bswap.diff + non-exec-stack.diff + openssl-0.9.6g-alpha.diff + openssl-0.9.7f-ppc64.diff + openssl-0.9.8-flags-priority.dif + openssl-0.9.8-sparc.dif + openssl-allow-arch.diff + openssl-hppa-config.diff + ------------------------------------------------------------------- Fri Feb 5 01:24:55 UTC 2010 - jengelh@medozas.de diff --git a/openssl.spec b/openssl.spec index 48b18ff..19eb77f 100644 --- a/openssl.spec +++ b/openssl.spec @@ -1,5 +1,5 @@ # -# spec file for package openssl (Version 0.9.8k) +# spec file for package openssl (Version 0.9.8m) # # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # 
@@ -31,29 +31,15 @@ AutoReqProv: on Obsoletes: openssl-64bit %endif # -Version: 0.9.8k -Release: 5 +Version: 0.9.8m +Release: 1 Summary: Secure Sockets and Transport Layer Security Url: http://www.openssl.org/ Source: http://www.%{name}.org/source/%{name}-%{version}.tar.bz2 Source2: baselibs.conf Source10: README.SuSE -Patch0: openssl-0.9.8-sparc.dif -Patch1: openssl-0.9.8-flags-priority.dif -Patch2: non-exec-stack.diff -Patch3: openssl-0.9.7f-ppc64.diff -Patch4: openssl-hppa-config.diff -Patch5: openssl-0.9.6g-alpha.diff -# http://www-124.ibm.com/developerworks/projects/libica/ -#Patch10: openssl-0.9.7d-ICA_engine-jun142004.patch.bz2 -Patch6: openssl-0.9.8a.ca-app-segfault.bug128655.dif -Patch7: bswap.diff -Patch8: func-parm-err.patch -%ifarch s390x -Patch9: disable-optimization-for-s390x.diff -%endif -Patch10: bug-526319_openssl-0.9.8k-no-extssl.patch -Patch11: openssl-allow-arch.diff +Patch0: merge_from_0_9_8k.patch +Patch1: openssl-CVE-2010-0740.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -181,21 +167,8 @@ Authors: %prep %setup -q -%patch0 -p1 -%patch1 -p1 -%patch2 -%patch3 -p1 -%patch4 -%patch5 -p1 -#%patch10 -p1 -%patch6 -p1 -%patch7 -%patch8 -p1 -%ifarch s390x -%patch9 -%endif -%patch10 -p1 -%patch -P 11 -p1 +%patch0 -p1 +%patch1 -p1 cp -p %{S:10} . # lib64 installation fixes for i in Makefile.org engines/Makefile; do
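Review bot: Four patches leave the Patch list and %prep without being folded into merge_from_0_9_8k.patch or mentioned in openssl.changes: openssl-0.9.8a.ca-app-segfault.bug128655.dif, func-parm-err.patch, disable-optimization-for-s390x.diff and bug-526319_openssl-0.9.8k-no-extssl.patch. The merged patch only touches Configure, config, cmll_locl.h and x86unix.pl, so the `if (db)` guard before `free_index(db)`, the `stmp` argument fix in X509_ATTRIBUTE_set1_data, the TLS-extension version gate in ssl/t1_lib.c and the s390x `-O0` workaround now depend on 0.9.8m already carrying them, which nothing in this commit shows. I would add one changelog line per dropped patch saying whether it is upstream in 0.9.8m or removed on purpose, so that a crash fix or a handshake behaviour change is not lost silently in the version update.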