From fc7e76a88f47d87f0472a9624e1b58c4e184862131a5df0fcdb17fc391424ecf Mon Sep 17 00:00:00 2001
From: OBS User unknown
Date: Thu, 23 Apr 2009 17:17:27 +0000
Subject: [PATCH] OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=24
---
openssl-CVE-2009-0590.patch | 64 +++++++++++++++++++++++++++++++++++++
openssl-CVE-2009-0591.patch | 13 ++++++++
openssl-CVE-2009-0789.patch | 20 ++++++++++++
openssl.changes | 8 +++++
openssl.spec | 15 +++++++--
5 files changed, 118 insertions(+), 2 deletions(-)
create mode 100644 openssl-CVE-2009-0590.patch
create mode 100644 openssl-CVE-2009-0591.patch
create mode 100644 openssl-CVE-2009-0789.patch
diff --git a/openssl-CVE-2009-0590.patch b/openssl-CVE-2009-0590.patch
new file mode 100644
index 0000000..0e028e8
--- /dev/null
+++ b/openssl-CVE-2009-0590.patch
@@ -0,0 +1,64 @@
+
+Index: openssl-0.9.8h/crypto/asn1/asn1.h
+===================================================================
+--- openssl-0.9.8h.orig/crypto/asn1/asn1.h
++++ openssl-0.9.8h/crypto/asn1/asn1.h
+@@ -1218,6 +1218,7 @@
+ #define ASN1_R_BAD_OBJECT_HEADER 102
+ #define ASN1_R_BAD_PASSWORD_READ 103
+ #define ASN1_R_BAD_TAG 104
++#define ASN1_R_BMPSTRING_IS_WRONG_LENGTH 210
+ #define ASN1_R_BN_LIB 105
+ #define ASN1_R_BOOLEAN_IS_WRONG_LENGTH 106
+ #define ASN1_R_BUFFER_TOO_SMALL 107
+@@ -1307,6 +1308,7 @@
+ #define ASN1_R_UNABLE_TO_DECODE_RSA_KEY 157
+ #define ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY 158
+ #define ASN1_R_UNEXPECTED_EOC 159
++#define ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH 211
+ #define ASN1_R_UNKNOWN_FORMAT 160
+ #define ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM 161
+ #define ASN1_R_UNKNOWN_OBJECT_TYPE 162
+Index: openssl-0.9.8h/crypto/asn1/asn1_err.c
+===================================================================
+--- openssl-0.9.8h.orig/crypto/asn1/asn1_err.c
++++ openssl-0.9.8h/crypto/asn1/asn1_err.c
+@@ -195,6 +195,7 @@
+ {ERR_REASON(ASN1_R_BAD_OBJECT_HEADER) ,"bad object header"},
+ {ERR_REASON(ASN1_R_BAD_PASSWORD_READ) ,"bad password read"},
+ {ERR_REASON(ASN1_R_BAD_TAG) ,"bad tag"},
++{ERR_REASON(ASN1_R_BMPSTRING_IS_WRONG_LENGTH),"bmpstring is wrong length"},
+ {ERR_REASON(ASN1_R_BN_LIB) ,"bn lib"},
+ {ERR_REASON(ASN1_R_BOOLEAN_IS_WRONG_LENGTH),"boolean is wrong length"},
+ {ERR_REASON(ASN1_R_BUFFER_TOO_SMALL) ,"buffer too small"},
+@@ -284,6 +285,7 @@
+ {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_KEY),"unable to decode rsa key"},
+ {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY),"unable to decode rsa private key"},
+ {ERR_REASON(ASN1_R_UNEXPECTED_EOC) ,"unexpected eoc"},
++{ERR_REASON(ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH),"universalstring is wrong length"},
+ {ERR_REASON(ASN1_R_UNKNOWN_FORMAT) ,"unknown format"},
+ {ERR_REASON(ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM),"unknown message digest algorithm"},
+ {ERR_REASON(ASN1_R_UNKNOWN_OBJECT_TYPE) ,"unknown object type"},
+Index: openssl-0.9.8h/crypto/asn1/tasn_dec.c
+===================================================================
+--- openssl-0.9.8h.orig/crypto/asn1/tasn_dec.c
++++ openssl-0.9.8h/crypto/asn1/tasn_dec.c
+@@ -1012,6 +1012,18 @@
+ case V_ASN1_SET:
+ case V_ASN1_SEQUENCE:
+ default:
++ if (utype == V_ASN1_BMPSTRING && (len & 1))
++ {
++ ASN1err(ASN1_F_ASN1_EX_C2I,
++ ASN1_R_BMPSTRING_IS_WRONG_LENGTH);
++ goto err;
++ }
++ if (utype == V_ASN1_UNIVERSALSTRING && (len & 3))
++ {
++ ASN1err(ASN1_F_ASN1_EX_C2I,
++ ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH);
++ goto err;
++ }
+ /* All based on ASN1_STRING and handled the same */
+ if (!*pval)
+ {
diff --git a/openssl-CVE-2009-0591.patch b/openssl-CVE-2009-0591.patch
new file mode 100644
index 0000000..39974e1
--- /dev/null
+++ b/openssl-CVE-2009-0591.patch
@@ -0,0 +1,13 @@
+Index: openssl-0.9.8h/crypto/cms/cms_smime.c
+===================================================================
+--- openssl-0.9.8h.orig/crypto/cms/cms_smime.c
++++ openssl-0.9.8h/crypto/cms/cms_smime.c
+@@ -425,7 +425,7 @@
+ for (i = 0; i < sk_CMS_SignerInfo_num(sinfos); i++)
+ {
+ si = sk_CMS_SignerInfo_value(sinfos, i);
+- if (!CMS_SignerInfo_verify_content(si, cmsbio))
++ if (CMS_SignerInfo_verify_content(si, cmsbio) <= 0)
+ {
+ CMSerr(CMS_F_CMS_VERIFY,
+ CMS_R_CONTENT_VERIFY_ERROR);
diff --git a/openssl-CVE-2009-0789.patch b/openssl-CVE-2009-0789.patch
new file mode 100644
index 0000000..18b8ace
--- /dev/null
+++ b/openssl-CVE-2009-0789.patch
@@ -0,0 +1,20 @@
+
+Index: openssl-0.9.8h/crypto/asn1/tasn_dec.c
+===================================================================
+--- openssl-0.9.8h.orig/crypto/asn1/tasn_dec.c
++++ openssl-0.9.8h/crypto/asn1/tasn_dec.c
+@@ -611,7 +611,6 @@
+
+ err:
+ ASN1_template_free(val, tt);
+- *val = NULL;
+ return 0;
+ }
+
+@@ -758,7 +757,6 @@
+
+ err:
+ ASN1_template_free(val, tt);
+- *val = NULL;
+ return 0;
+ }
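Review bot: In openssl-CVE-2009-0590.patch, the two length checks added under `default:` in tasn_dec.c reject malformed strings only on the decode path (`ASN1_F_ASN1_EX_C2I`), so they cover only values that arrive through this decoder. As far as I recall, CVE-2009-0590 is an out-of-bounds read when such a string is printed; whether the printing side also validates the length is not visible here, so an ASN1_STRING built by other means presumably still depends on its creator supplying a sane length. The checks also carry no comment; I would add `/* BMPString is 2 bytes per character and UniversalString 4: reject lengths that are not a whole number of characters */` above the first `if`. The enclosing function starts and ends outside the hunk.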
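Review bot: In openssl-CVE-2009-0591.patch, the corrected test `if (CMS_SignerInfo_verify_content(si, cmsbio) <= 0)` has no comment saying why zero and negative results are both failures, while the old `!` form let a negative return pass as a successful verification. I would add `/* <= 0: a negative return is an error and must fail verification, not only 0 */` above it so that a later cleanup does not restore `!`. The other verification calls in the same function lie outside the hunk, and it is worth confirming that they use the same `<= 0` comparison.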
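Review bot: In openssl-CVE-2009-0789.patch, both `err:` paths (the hunks at -611 and -758) now end with `ASN1_template_free(val, tt); return 0;` and nothing records why the `*val = NULL;` store was removed, which makes it easy to reintroduce as an apparent dangling-pointer fix. As I understand the advisory, the store was unsafe where the field behind `val` is narrower than a pointer (sizeof(long) < sizeof(void *)); that is not visible in the hunk, so treat it as context to confirm. I would add `/* do not store NULL through val here; ASN1_template_free() is expected to reset the field */` before `return 0;`, and confirm that ASN1_template_free() does clear pointer fields so callers never see a freed pointer. Both functions start outside the hunks.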
diff --git a/openssl.changes b/openssl.changes index 3fe1468..6546a2f 100644 --- a/openssl.changes +++ b/openssl.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Wed Apr 15 12:28:29 CEST 2009 - gjhe@suse.de + +- fix security bug [bnc#489641] + CVE-2009-0590 + CVE-2009-0591 + CVE-2009-0789 + ------------------------------------------------------------------- Wed Jan 7 12:34:56 CET 2009 - olh@suse.de diff --git a/openssl.spec b/openssl.spec index 0835f07..116dfad 100644 --- a/openssl.spec +++ b/openssl.spec @@ -32,7 +32,7 @@ Obsoletes: openssl-64bit %endif # Version: 0.9.8h -Release: 30 +Release: 32 Summary: Secure Sockets and Transport Layer Security Url: http://www.openssl.org/ Source: http://www.%{name}.org/source/%{name}-%{version}.tar.bz2 @@ -52,6 +52,9 @@ Patch8: func-parm-err.patch Patch9: disable-optimization-for-s390x.diff %endif Patch10: openssl-CVE-2008-5077.patch +Patch11: openssl-CVE-2009-0590.patch +Patch12: openssl-CVE-2009-0591.patch +Patch13: openssl-CVE-2009-0789.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -192,6 +195,9 @@ Authors: %patch9 %endif %patch10 -p1 +%patch11 -p1 +%patch12 -p1 +%patch13 -p1 cp -p %{S:10} . # lib64 installation fixes for i in Makefile.org engines/Makefile; do @@ -403,6 +409,11 @@ if ! test -f /.buildenv; then rm -rf $RPM_BUILD_ROOT; fi %{_bindir}/%{name} %changelog +* Wed Apr 15 2009 gjhe@suse.de +- fix security bug [bnc#489641] + CVE-2009-0590 + CVE-2009-0591 + CVE-2009-0789 * Wed Jan 07 2009 olh@suse.de - obsolete old -XXbit packages (bnc#437293) * Thu Dec 18 2008 jshi@suse.de 
@@ -907,7 +918,7 @@ if ! test -f /.buildenv; then rm -rf $RPM_BUILD_ROOT; fi * Tue Aug 06 2002 draht@suse.de - Correction for changes in the ASN1 code, assembled in openssl-0.9.6e-cvs-20020802-asn1_lib.diff -* Wed Jul 31 2002 poeml@suse.de +* Thu Aug 01 2002 poeml@suse.de - update to 0.9.6e. Major changes: o Various security fixes (sanity checks to asn1_get_length(), various remote buffer overflows)