From c4c7d739afa3eecc684320fea7a943487c914daa2f1a6c8d59343a16b06bddfe Mon Sep 17 00:00:00 2001
From: Marcus Rueckert
Date: Thu, 9 Oct 2014 10:33:42 +0000
Subject: [PATCH] - added 0001-Fix-for-openssl-1.0.1i.patch From http://sourceforge.net/p/xca/patches/14/
OBS-URL: https://build.opensuse.org/package/show/security/xca?expand=0&rev=3
---
0001-Fix-for-openssl-1.0.1i.patch | 57 +++++++++++++++++++++++++++++++
xca.changes | 6 ++++
xca.spec | 2 ++
3 files changed, 65 insertions(+)
create mode 100644 0001-Fix-for-openssl-1.0.1i.patch
diff --git a/0001-Fix-for-openssl-1.0.1i.patch b/0001-Fix-for-openssl-1.0.1i.patch
new file mode 100644
index 0000000..5d7cff1
--- /dev/null
+++ b/0001-Fix-for-openssl-1.0.1i.patch
@@ -0,0 +1,57 @@
+From abd9d530776e8bb6d8f05312fc3ae3044796139c Mon Sep 17 00:00:00 2001
+From: Oliver Winker
+Date: Tue, 12 Aug 2014 19:08:05 +0200
+Subject: [PATCH] Fix for openssl 1.0.1i
+
+Fixes following application error
+---
+Errors
+error:0D0C40D8:asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error error:0D0C40D8:asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error error:0D0C40D8:asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error error:0D0C40D8:asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error error:0D0C40D8:asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
+---
+
+Due to openssl 1.0.1i change:
+---
+commit 03b04ddac162c7b7fa3c57eadccc5a583a00d291
+Author: Emilia Kasper
+Date: Wed Jul 2 19:02:33 2014 +0200
+
+ Fix OID handling:
+
+ - Upon parsing, reject OIDs with invalid base-128 encoding.
+ - Always NUL-terminate the destination buffer in OBJ_obj2txt printing function.
+
+ CVE-2014-3508
+
+ Reviewed-by: Dr. Stephen Henson
+ Reviewed-by: Kurt Roeckx
+ Reviewed-by: Tim Hudson
+---
+---
+ lib/x509v3ext.cpp | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/lib/x509v3ext.cpp b/lib/x509v3ext.cpp
+index cf74c32..d94cbda 100644
+--- a/lib/x509v3ext.cpp
++++ b/lib/x509v3ext.cpp
+@@ -27,6 +27,8 @@ x509v3ext::x509v3ext(const X509_EXTENSION *n)
+ x509v3ext::x509v3ext(const x509v3ext &n)
+ {
+ ext = NULL;
++ if (!n.isValid())
++ return;
+ set(n.ext);
+ }
+
+@@ -743,7 +745,7 @@ X509_EXTENSION *x509v3ext::get() const
+
+ bool x509v3ext::isValid() const
+ {
+- return ext->value->length > 0 &&
++ return ext && ext->value && ext->value->length > 0 &&
+ OBJ_obj2nid(ext->object) != NID_undef;
+ }
+
+--
+2.0.1
+
diff --git a/xca.changes b/xca.changes
index 30895c0..f22400e 100644
--- a/xca.changes
+++ b/xca.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Oct 9 10:29:12 UTC 2014 - mrueckert@suse.de
+
+- added 0001-Fix-for-openssl-1.0.1i.patch
+ From http://sourceforge.net/p/xca/patches/14/
+
 -------------------------------------------------------------------
 Wed Jun 6 20:37:43 UTC 2012 - chris@computersalat.de
 
diff --git a/xca.spec b/xca.spec
index 968a5b6..94ea007 100644
--- a/xca.spec
+++ b/xca.spec
@@ -28,6 +28,7 @@ Autoreqprov: on
 Source: %{name}-%{version}.tar.gz
 Patch0: %{name}-configure.patch
 Patch1: %{name}-desktop.patch
+Patch2: 0001-Fix-for-openssl-1.0.1i.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 BuildRequires: gcc-c++ >= 3.1.0
 %if 0%{?sles_version} == 10
@@ -61,6 +62,7 @@ Graphical certification authority is an interface for managing RSA keys and cert %setup -n %{name}-%{version} %patch0 %patch1 +%patch2 -p1 CFLAGS="$RPM_OPT_FLAGS" \ prefix=%{_prefix} lib=%{_lib} libdir=%{_libdir} mandir=%{_mandir} ./configure
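Review bot: The guard added to the copy constructor in the embedded lib/x509v3ext.cpp patch, `if (!n.isValid()) return;`, leaves the copy with `ext == NULL` and reports nothing, and isValid() is false not only for an empty extension but also whenever `OBJ_obj2nid(ext->object)` yields `NID_undef`, that is, for any OID OpenSSL has no NID for. If such an extension can reach this constructor (not visible in the hunk), it is dropped on copy, which in a certification-authority tool can mean an issued or exported object lacks an extension its source carried. Only isValid() gains NULL checks here; the other members that dereference `ext` are outside the hunk and would need to tolerate the NULL left behind. At minimum the behaviour should be stated above the guard, e.g. `/* invalid source (NULL, empty value, or OID unknown to OpenSSL): not duplicated, copy keeps ext == NULL */`, and a test narrower than isValid() is worth considering for the copy path.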