diff --git a/CVE-2013-6450.patch b/CVE-2013-6450.patch new file mode 100644 index 0000000..fde93f1 --- /dev/null +++ b/CVE-2013-6450.patch @@ -0,0 +1,60 @@ +Index: openssl-1.0.1e/ssl/d1_both.c +=================================================================== +--- openssl-1.0.1e.orig/ssl/d1_both.c ++++ openssl-1.0.1e/ssl/d1_both.c +@@ -214,6 +214,11 @@ dtls1_hm_fragment_new(unsigned long frag + static void + dtls1_hm_fragment_free(hm_fragment *frag) + { ++ if (frag->msg_header.is_ccs) ++ { ++ EVP_CIPHER_CTX_free(frag->msg_header.saved_retransmit_state.enc_write_ctx); ++ EVP_MD_CTX_destroy(frag->msg_header.saved_retransmit_state.write_hash); ++ } + if (frag->fragment) OPENSSL_free(frag->fragment); + if (frag->reassembly) OPENSSL_free(frag->reassembly); + OPENSSL_free(frag); +Index: openssl-1.0.1e/ssl/ssl_locl.h +=================================================================== +--- openssl-1.0.1e.orig/ssl/ssl_locl.h ++++ openssl-1.0.1e/ssl/ssl_locl.h +@@ -625,6 +625,8 @@ extern SSL3_ENC_METHOD TLSv1_enc_data; + extern SSL3_ENC_METHOD SSLv3_enc_data; + extern SSL3_ENC_METHOD DTLSv1_enc_data; + ++#define SSL_IS_DTLS(s) (s->method->version == DTLS1_VERSION) ++ + #define IMPLEMENT_tls_meth_func(version, func_name, s_accept, s_connect, \ + s_get_meth) \ + const SSL_METHOD *func_name(void) \ +Index: openssl-1.0.1e/ssl/t1_enc.c +=================================================================== +--- openssl-1.0.1e.orig/ssl/t1_enc.c ++++ openssl-1.0.1e/ssl/t1_enc.c +@@ -414,15 +414,20 @@ int tls1_change_cipher_state(SSL *s, int + s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM; + else + s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM; +- if (s->enc_write_ctx != NULL) ++ if (s->enc_write_ctx != NULL && !SSL_IS_DTLS(s)) + reuse_dd = 1; +- else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) ++ else if ((s->enc_write_ctx=EVP_CIPHER_CTX_new()) == NULL) + goto err; +- else +- /* make sure it's intialized in case we exit later with an error */ +- EVP_CIPHER_CTX_init(s->enc_write_ctx); + dd= s->enc_write_ctx; +- mac_ctx = ssl_replace_hash(&s->write_hash,NULL); ++ if (SSL_IS_DTLS(s)) ++ { ++ mac_ctx = EVP_MD_CTX_create(); ++ if (!mac_ctx) ++ goto err; ++ s->write_hash = mac_ctx; ++ } ++ else ++ mac_ctx = ssl_replace_hash(&s->write_hash,NULL); + #ifndef OPENSSL_NO_COMP + if (s->compress != NULL) + { diff --git a/openssl.changes b/openssl.changes index 2ff0e33..aa85401 100644 --- a/openssl.changes +++ b/openssl.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Thu Jan 2 17:28:41 UTC 2014 - shchang@suse.com + +- Fixed bnc#857203, openssl: crash in DTLS renegotiation after packet loss + Add file: CVE-2013-6450.patch + ------------------------------------------------------------------- Sun Dec 22 08:10:55 UTC 2013 - shchang@suse.com diff --git a/openssl.spec b/openssl.spec index c464b19..8d9ce1d 100644 --- a/openssl.spec +++ b/openssl.spec @@ -1,7 +1,7 @@ # # spec file for package openssl # -# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -64,6 +64,7 @@ Patch15: openssl-1.0.1e-fips.patch Patch16: openssl-1.0.1e-fips-ec.patch Patch17: openssl-1.0.1e-fips-ctor.patch Patch18: CVE-2013-6449.patch +Patch19: CVE-2013-6450.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -171,6 +172,7 @@ this package's base documentation. %patch16 -p1 %patch17 -p1 %patch18 -p1 +%patch19 -p1 cp -p %{S:10} . cp -p %{S:11} .