From fd14d1dfb2e2b11e9787d4e901fff5698d67d781d86bd24c1d4c3924e5a09515 Mon Sep 17 00:00:00 2001 From: OBS User unknown Date: Fri, 9 Jan 2009 13:45:25 +0000 Subject: [PATCH] OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=23 --- disable-optimization-for-ripemd.diff | 11 -- ...iff => disable-optimization-for-s390x.diff | 13 ++ openssl-CVE-2008-5077.patch | 163 ++++++++++++++++++ openssl.changes | 16 ++ openssl.spec | 36 +++- 5 files changed, 223 insertions(+), 16 deletions(-) delete mode 100644 disable-optimization-for-ripemd.diff rename disable-optimization-for-md4.diff => disable-optimization-for-s390x.diff (51%) create mode 100644 openssl-CVE-2008-5077.patch diff --git a/disable-optimization-for-ripemd.diff b/disable-optimization-for-ripemd.diff deleted file mode 100644 index 2c304c1..0000000 --- a/disable-optimization-for-ripemd.diff +++ /dev/null @@ -1,11 +0,0 @@ ---- crypto/ripemd/Makefile -+++ crypto/ripemd/Makefile -@@ -13,7 +13,7 @@ - - RIP_ASM_OBJ= - --CFLAGS= $(INCLUDES) $(CFLAG) -+CFLAGS= $(INCLUDES) $(CFLAG) -O0 - ASFLAGS= $(INCLUDES) $(ASFLAG) - AFLAGS= $(ASFLAGS) - diff --git a/disable-optimization-for-md4.diff b/disable-optimization-for-s390x.diff similarity index 51% rename from disable-optimization-for-md4.diff rename to disable-optimization-for-s390x.diff index e85b9ce..0a06f8f 100644 --- a/disable-optimization-for-md4.diff +++ b/disable-optimization-for-s390x.diff @@ -1,3 +1,16 @@ +Index: crypto/ripemd/Makefile +=================================================================== +--- crypto/ripemd/Makefile.orig ++++ crypto/ripemd/Makefile +@@ -13,7 +13,7 @@ AR= ar r + + RIP_ASM_OBJ= + +-CFLAGS= $(INCLUDES) $(CFLAG) ++CFLAGS= $(INCLUDES) $(CFLAG) -O0 + ASFLAGS= $(INCLUDES) $(ASFLAG) + AFLAGS= $(ASFLAGS) + Index: crypto/md4/Makefile =================================================================== --- crypto/md4/Makefile.orig diff --git a/openssl-CVE-2008-5077.patch b/openssl-CVE-2008-5077.patch new file mode 100644 index 0000000..8b53545 --- /dev/null +++ b/openssl-CVE-2008-5077.patch @@ -0,0 +1,163 @@ + +Index: openssl-0.9.8h/apps/speed.c +=================================================================== +--- openssl-0.9.8h.orig/apps/speed.c ++++ openssl-0.9.8h/apps/speed.c +@@ -2132,7 +2132,7 @@ int MAIN(int argc, char **argv) + { + ret=RSA_verify(NID_md5_sha1, buf,36, buf2, + rsa_num, rsa_key[j]); +- if (ret == 0) ++ if (ret <= 0) + { + BIO_printf(bio_err, + "RSA verify failure\n"); +Index: openssl-0.9.8h/apps/spkac.c +=================================================================== +--- openssl-0.9.8h.orig/apps/spkac.c ++++ openssl-0.9.8h/apps/spkac.c +@@ -285,7 +285,7 @@ bad: + pkey = NETSCAPE_SPKI_get_pubkey(spki); + if(verify) { + i = NETSCAPE_SPKI_verify(spki, pkey); +- if(i) BIO_printf(bio_err, "Signature OK\n"); ++ if (i > 0) BIO_printf(bio_err, "Signature OK\n"); + else { + BIO_printf(bio_err, "Signature Failure\n"); + ERR_print_errors(bio_err); +Index: openssl-0.9.8h/apps/verify.c +=================================================================== +--- openssl-0.9.8h.orig/apps/verify.c ++++ openssl-0.9.8h/apps/verify.c +@@ -266,7 +266,7 @@ static int check(X509_STORE *ctx, char * + + ret=0; + end: +- if (i) ++ if (i > 0) + { + fprintf(stdout,"OK\n"); + ret=1; +@@ -367,4 +367,3 @@ static int MS_CALLBACK cb(int ok, X509_S + ERR_clear_error(); + return(ok); + } +- +Index: openssl-0.9.8h/apps/x509.c +=================================================================== +--- openssl-0.9.8h.orig/apps/x509.c ++++ openssl-0.9.8h/apps/x509.c +@@ -1151,7 +1151,7 @@ static int x509_certify(X509_STORE *ctx, + /* NOTE: this certificate can/should be self signed, unless it was + * a certificate request in which case it is not. */ + X509_STORE_CTX_set_cert(&xsc,x); +- if (!reqfile && !X509_verify_cert(&xsc)) ++ if (!reqfile && X509_verify_cert(&xsc) <= 0) + goto end; + + if (!X509_check_private_key(xca,pkey)) +Index: openssl-0.9.8h/crypto/cms/cms_sd.c +=================================================================== +--- openssl-0.9.8h.orig/crypto/cms/cms_sd.c ++++ openssl-0.9.8h/crypto/cms/cms_sd.c +@@ -830,7 +830,7 @@ int CMS_SignerInfo_verify(CMS_SignerInfo + cms_fixup_mctx(&mctx, si->pkey); + r = EVP_VerifyFinal(&mctx, + si->signature->data, si->signature->length, si->pkey); +- if (!r) ++ if (r <= 0) + CMSerr(CMS_F_CMS_SIGNERINFO_VERIFY, CMS_R_VERIFICATION_FAILURE); + err: + EVP_MD_CTX_cleanup(&mctx); +Index: openssl-0.9.8h/ssl/s2_clnt.c +=================================================================== +--- openssl-0.9.8h.orig/ssl/s2_clnt.c ++++ openssl-0.9.8h/ssl/s2_clnt.c +@@ -1044,7 +1044,7 @@ int ssl2_set_certificate(SSL *s, int typ + + i=ssl_verify_cert_chain(s,sk); + +- if ((s->verify_mode != SSL_VERIFY_NONE) && (!i)) ++ if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0)) + { + SSLerr(SSL_F_SSL2_SET_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED); + goto err; +Index: openssl-0.9.8h/ssl/s2_srvr.c +=================================================================== +--- openssl-0.9.8h.orig/ssl/s2_srvr.c ++++ openssl-0.9.8h/ssl/s2_srvr.c +@@ -1054,7 +1054,7 @@ static int request_certificate(SSL *s) + + i=ssl_verify_cert_chain(s,sk); + +- if (i) /* we like the packet, now check the chksum */ ++ if (i > 0) /* we like the packet, now check the chksum */ + { + EVP_MD_CTX ctx; + EVP_PKEY *pkey=NULL; +@@ -1083,7 +1083,7 @@ static int request_certificate(SSL *s) + EVP_PKEY_free(pkey); + EVP_MD_CTX_cleanup(&ctx); + +- if (i) ++ if (i > 0) + { + if (s->session->peer != NULL) + X509_free(s->session->peer); +Index: openssl-0.9.8h/ssl/s3_clnt.c +=================================================================== +--- openssl-0.9.8h.orig/ssl/s3_clnt.c ++++ openssl-0.9.8h/ssl/s3_clnt.c +@@ -965,7 +965,7 @@ int ssl3_get_server_certificate(SSL *s) + } + + i=ssl_verify_cert_chain(s,sk); +- if ((s->verify_mode != SSL_VERIFY_NONE) && (!i) ++ if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0) + #ifndef OPENSSL_NO_KRB5 + && (s->s3->tmp.new_cipher->algorithms & (SSL_MKEY_MASK|SSL_AUTH_MASK)) + != (SSL_aKRB5|SSL_kKRB5) +@@ -1450,7 +1450,7 @@ int ssl3_get_key_exchange(SSL *s) + EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); + EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); + EVP_VerifyUpdate(&md_ctx,param,param_len); +- if (!EVP_VerifyFinal(&md_ctx,p,(int)n,pkey)) ++ if (EVP_VerifyFinal(&md_ctx,p,(int)n,pkey) <= 0) + { + /* bad signature */ + al=SSL_AD_DECRYPT_ERROR; +@@ -1468,7 +1468,7 @@ int ssl3_get_key_exchange(SSL *s) + EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); + EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); + EVP_VerifyUpdate(&md_ctx,param,param_len); +- if (!EVP_VerifyFinal(&md_ctx,p,(int)n,pkey)) ++ if (EVP_VerifyFinal(&md_ctx,p,(int)n,pkey) <= 0) + { + /* bad signature */ + al=SSL_AD_DECRYPT_ERROR; +Index: openssl-0.9.8h/ssl/s3_srvr.c +=================================================================== +--- openssl-0.9.8h.orig/ssl/s3_srvr.c ++++ openssl-0.9.8h/ssl/s3_srvr.c +@@ -2558,7 +2558,7 @@ int ssl3_get_client_certificate(SSL *s) + else + { + i=ssl_verify_cert_chain(s,sk); +- if (!i) ++ if (i <= 0) + { + al=ssl_verify_alarm_type(s->verify_result); + SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATE_RETURNED); +Index: openssl-0.9.8h/ssl/ssltest.c +=================================================================== +--- openssl-0.9.8h.orig/ssl/ssltest.c ++++ openssl-0.9.8h/ssl/ssltest.c +@@ -2072,7 +2072,7 @@ static int MS_CALLBACK app_verify_callba + + if (cb_arg->proxy_auth) + { +- if (ok) ++ if (ok > 0) + { + const char *cond_end = NULL; + diff --git a/openssl.changes b/openssl.changes index aa17f8b..3fe1468 100644 --- a/openssl.changes +++ b/openssl.changes @@ -1,3 +1,19 @@ +------------------------------------------------------------------- +Wed Jan 7 12:34:56 CET 2009 - olh@suse.de + +- obsolete old -XXbit packages (bnc#437293) + +------------------------------------------------------------------- +Thu Dec 18 08:15:12 CET 2008 - jshi@suse.de + +- fix security bug [bnc#459468] + CVE-2008-5077 + +------------------------------------------------------------------- +Tue Dec 9 11:32:50 CET 2008 - xwhu@suse.de + +- Disable optimization for s390x + ------------------------------------------------------------------- Mon Dec 8 12:12:14 CET 2008 - xwhu@suse.de diff --git a/openssl.spec b/openssl.spec index 645b969..0835f07 100644 --- a/openssl.spec +++ b/openssl.spec @@ -1,7 +1,7 @@ # # spec file for package openssl (Version 0.9.8h) # -# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -26,8 +26,13 @@ License: BSD 3-Clause Group: Productivity/Networking/Security Provides: ssl AutoReqProv: on +# bug437293 +%ifarch ppc64 +Obsoletes: openssl-64bit +%endif +# Version: 0.9.8h -Release: 29 +Release: 30 Summary: Secure Sockets and Transport Layer Security Url: http://www.openssl.org/ Source: http://www.%{name}.org/source/%{name}-%{version}.tar.bz2 @@ -43,8 +48,10 @@ Patch5: openssl-0.9.6g-alpha.diff Patch6: openssl-0.9.8a.ca-app-segfault.bug128655.dif Patch7: bswap.diff Patch8: func-parm-err.patch -Patch9: disable-optimization-for-ripemd.diff -Patch10: disable-optimization-for-md4.diff +%ifarch s390x +Patch9: disable-optimization-for-s390x.diff +%endif +Patch10: openssl-CVE-2008-5077.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -81,6 +88,11 @@ License: BSD 3-Clause Summary: Secure Sockets and Transport Layer Security Group: Productivity/Networking/Security Recommends: openssl-certs +# bug437293 +%ifarch ppc64 +Obsoletes: openssl-64bit +%endif +# %description -n libopenssl0_9_8 The OpenSSL Project is a collaborative effort to develop a robust, @@ -119,6 +131,11 @@ Group: Development/Libraries/C and C++ Obsoletes: openssl-devel <= 0.9.8e-8 Requires: libopenssl0_9_8 = %{version} zlib-devel Provides: openssl-devel = 0.9.8e-8 +# bug437293 +%ifarch ppc64 +Obsoletes: openssl-devel-64bit +%endif +# %description -n libopenssl-devel This package contains all necessary include files and libraries needed @@ -171,8 +188,10 @@ Authors: %patch6 -p1 %patch7 %patch8 -p1 +%ifarch s390x %patch9 -%patch10 +%endif +%patch10 -p1 cp -p %{S:10} . # lib64 installation fixes for i in Makefile.org engines/Makefile; do @@ -384,6 +403,13 @@ if ! test -f /.buildenv; then rm -rf $RPM_BUILD_ROOT; fi %{_bindir}/%{name} %changelog +* Wed Jan 07 2009 olh@suse.de +- obsolete old -XXbit packages (bnc#437293) +* Thu Dec 18 2008 jshi@suse.de +- fix security bug [bnc#459468] + CVE-2008-5077 +* Tue Dec 09 2008 xwhu@suse.de +- Disable optimization for s390x * Mon Dec 08 2008 xwhu@suse.de - Disable optimization of md4 * Mon Nov 10 2008 xwhu@suse.de