OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=23

disable-optimization-for-ripemd.diff

@@ -1,11 +0,0 @@
---- crypto/ripemd/Makefile
-+++ crypto/ripemd/Makefile
-@@ -13,7 +13,7 @@
- 
- RIP_ASM_OBJ=
- 
--CFLAGS= $(INCLUDES) $(CFLAG)
-+CFLAGS= $(INCLUDES) $(CFLAG) -O0
- ASFLAGS= $(INCLUDES) $(ASFLAG)
- AFLAGS= $(ASFLAGS)
- 

disable-optimization-for-s390x.diff

@@ -1,3 +1,16 @@
+Index: crypto/ripemd/Makefile
+===================================================================
+--- crypto/ripemd/Makefile.orig
++++ crypto/ripemd/Makefile
+@@ -13,7 +13,7 @@ AR=             ar r
+ 
+ RIP_ASM_OBJ=
+ 
+-CFLAGS= $(INCLUDES) $(CFLAG)
++CFLAGS= $(INCLUDES) $(CFLAG) -O0
+ ASFLAGS= $(INCLUDES) $(ASFLAG)
+ AFLAGS= $(ASFLAGS)
+ 
 Index: crypto/md4/Makefile
 ===================================================================
 --- crypto/md4/Makefile.orig

openssl-CVE-2008-5077.patch

@@ -0,0 +1,163 @@
+
+Index: openssl-0.9.8h/apps/speed.c
+===================================================================
+--- openssl-0.9.8h.orig/apps/speed.c
++++ openssl-0.9.8h/apps/speed.c
+@@ -2132,7 +2132,7 @@ int MAIN(int argc, char **argv)
+ 				{
+ 				ret=RSA_verify(NID_md5_sha1, buf,36, buf2,
+ 					rsa_num, rsa_key[j]);
+-				if (ret == 0)
++				if (ret <= 0)
+ 					{
+ 					BIO_printf(bio_err,
+ 						"RSA verify failure\n");
+Index: openssl-0.9.8h/apps/spkac.c
+===================================================================
+--- openssl-0.9.8h.orig/apps/spkac.c
++++ openssl-0.9.8h/apps/spkac.c
+@@ -285,7 +285,7 @@ bad:
+ 	pkey = NETSCAPE_SPKI_get_pubkey(spki);
+ 	if(verify) {
+ 		i = NETSCAPE_SPKI_verify(spki, pkey);
+-		if(i) BIO_printf(bio_err, "Signature OK\n");
++		if (i > 0) BIO_printf(bio_err, "Signature OK\n");
+ 		else {
+ 			BIO_printf(bio_err, "Signature Failure\n");
+ 			ERR_print_errors(bio_err);
+Index: openssl-0.9.8h/apps/verify.c
+===================================================================
+--- openssl-0.9.8h.orig/apps/verify.c
++++ openssl-0.9.8h/apps/verify.c
+@@ -266,7 +266,7 @@ static int check(X509_STORE *ctx, char *
+ 
+ 	ret=0;
+ end:
+-	if (i)
++	if (i > 0)
+ 		{
+ 		fprintf(stdout,"OK\n");
+ 		ret=1;
+@@ -367,4 +367,3 @@ static int MS_CALLBACK cb(int ok, X509_S
+ 		ERR_clear_error();
+ 	return(ok);
+ 	}
+-
+Index: openssl-0.9.8h/apps/x509.c
+===================================================================
+--- openssl-0.9.8h.orig/apps/x509.c
++++ openssl-0.9.8h/apps/x509.c
+@@ -1151,7 +1151,7 @@ static int x509_certify(X509_STORE *ctx,
+ 	/* NOTE: this certificate can/should be self signed, unless it was
+ 	 * a certificate request in which case it is not. */
+ 	X509_STORE_CTX_set_cert(&xsc,x);
+-	if (!reqfile && !X509_verify_cert(&xsc))
++	if (!reqfile && X509_verify_cert(&xsc) <= 0)
+ 		goto end;
+ 
+ 	if (!X509_check_private_key(xca,pkey))
+Index: openssl-0.9.8h/crypto/cms/cms_sd.c
+===================================================================
+--- openssl-0.9.8h.orig/crypto/cms/cms_sd.c
++++ openssl-0.9.8h/crypto/cms/cms_sd.c
+@@ -830,7 +830,7 @@ int CMS_SignerInfo_verify(CMS_SignerInfo
+ 	cms_fixup_mctx(&mctx, si->pkey);
+ 	r = EVP_VerifyFinal(&mctx,
+ 			si->signature->data, si->signature->length, si->pkey);
+-	if (!r)
++	if (r <= 0)
+ 		CMSerr(CMS_F_CMS_SIGNERINFO_VERIFY, CMS_R_VERIFICATION_FAILURE);
+ 	err:
+ 	EVP_MD_CTX_cleanup(&mctx);
+Index: openssl-0.9.8h/ssl/s2_clnt.c
+===================================================================
+--- openssl-0.9.8h.orig/ssl/s2_clnt.c
++++ openssl-0.9.8h/ssl/s2_clnt.c
+@@ -1044,7 +1044,7 @@ int ssl2_set_certificate(SSL *s, int typ
+ 
+ 	i=ssl_verify_cert_chain(s,sk);
+ 		
+-	if ((s->verify_mode != SSL_VERIFY_NONE) && (!i))
++	if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0))
+ 		{
+ 		SSLerr(SSL_F_SSL2_SET_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED);
+ 		goto err;
+Index: openssl-0.9.8h/ssl/s2_srvr.c
+===================================================================
+--- openssl-0.9.8h.orig/ssl/s2_srvr.c
++++ openssl-0.9.8h/ssl/s2_srvr.c
+@@ -1054,7 +1054,7 @@ static int request_certificate(SSL *s)
+ 
+ 	i=ssl_verify_cert_chain(s,sk);
+ 
+-	if (i)	/* we like the packet, now check the chksum */
++	if (i > 0)	/* we like the packet, now check the chksum */
+ 		{
+ 		EVP_MD_CTX ctx;
+ 		EVP_PKEY *pkey=NULL;
+@@ -1083,7 +1083,7 @@ static int request_certificate(SSL *s)
+ 		EVP_PKEY_free(pkey);
+ 		EVP_MD_CTX_cleanup(&ctx);
+ 
+-		if (i) 
++		if (i > 0)
+ 			{
+ 			if (s->session->peer != NULL)
+ 				X509_free(s->session->peer);
+Index: openssl-0.9.8h/ssl/s3_clnt.c
+===================================================================
+--- openssl-0.9.8h.orig/ssl/s3_clnt.c
++++ openssl-0.9.8h/ssl/s3_clnt.c
+@@ -965,7 +965,7 @@ int ssl3_get_server_certificate(SSL *s)
+ 		}
+ 
+ 	i=ssl_verify_cert_chain(s,sk);
+-	if ((s->verify_mode != SSL_VERIFY_NONE) && (!i)
++	if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0)
+ #ifndef OPENSSL_NO_KRB5
+ 	        && (s->s3->tmp.new_cipher->algorithms & (SSL_MKEY_MASK|SSL_AUTH_MASK))
+ 	        != (SSL_aKRB5|SSL_kKRB5)
+@@ -1450,7 +1450,7 @@ int ssl3_get_key_exchange(SSL *s)
+ 			EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
+ 			EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
+ 			EVP_VerifyUpdate(&md_ctx,param,param_len);
+-			if (!EVP_VerifyFinal(&md_ctx,p,(int)n,pkey))
++			if (EVP_VerifyFinal(&md_ctx,p,(int)n,pkey) <= 0)
+ 				{
+ 				/* bad signature */
+ 				al=SSL_AD_DECRYPT_ERROR;
+@@ -1468,7 +1468,7 @@ int ssl3_get_key_exchange(SSL *s)
+ 			EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
+ 			EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
+ 			EVP_VerifyUpdate(&md_ctx,param,param_len);
+-			if (!EVP_VerifyFinal(&md_ctx,p,(int)n,pkey))
++			if (EVP_VerifyFinal(&md_ctx,p,(int)n,pkey) <= 0)
+ 				{
+ 				/* bad signature */
+ 				al=SSL_AD_DECRYPT_ERROR;
+Index: openssl-0.9.8h/ssl/s3_srvr.c
+===================================================================
+--- openssl-0.9.8h.orig/ssl/s3_srvr.c
++++ openssl-0.9.8h/ssl/s3_srvr.c
+@@ -2558,7 +2558,7 @@ int ssl3_get_client_certificate(SSL *s)
+ 	else
+ 		{
+ 		i=ssl_verify_cert_chain(s,sk);
+-		if (!i)
++		if (i <= 0)
+ 			{
+ 			al=ssl_verify_alarm_type(s->verify_result);
+ 			SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATE_RETURNED);
+Index: openssl-0.9.8h/ssl/ssltest.c
+===================================================================
+--- openssl-0.9.8h.orig/ssl/ssltest.c
++++ openssl-0.9.8h/ssl/ssltest.c
+@@ -2072,7 +2072,7 @@ static int MS_CALLBACK app_verify_callba
+ 
+ 	if (cb_arg->proxy_auth)
+ 		{
+-		if (ok)
++		if (ok > 0)
+ 			{
+ 			const char *cond_end = NULL;
+ 

openssl.changes

@@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Wed Jan  7 12:34:56 CET 2009 - olh@suse.de
+
+- obsolete old -XXbit packages (bnc#437293)
+
+-------------------------------------------------------------------
+Thu Dec 18 08:15:12 CET 2008 - jshi@suse.de
+
+- fix security bug [bnc#459468]
+  CVE-2008-5077
+
+-------------------------------------------------------------------
+Tue Dec  9 11:32:50 CET 2008 - xwhu@suse.de
+
+- Disable optimization for s390x
+
 -------------------------------------------------------------------
 Mon Dec  8 12:12:14 CET 2008 - xwhu@suse.de
 

openssl.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package openssl (Version 0.9.8h)
 #
-# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -26,8 +26,13 @@ License:        BSD 3-Clause
 Group:          Productivity/Networking/Security
 Provides:       ssl
 AutoReqProv:    on
+# bug437293
+%ifarch ppc64
+Obsoletes:      openssl-64bit
+%endif
+#
 Version:        0.9.8h
-Release:        29
+Release:        30
 Summary:        Secure Sockets and Transport Layer Security
 Url:            http://www.openssl.org/
 Source:         http://www.%{name}.org/source/%{name}-%{version}.tar.bz2
@@ -43,8 +48,10 @@ Patch5:         openssl-0.9.6g-alpha.diff
 Patch6:         openssl-0.9.8a.ca-app-segfault.bug128655.dif
 Patch7:         bswap.diff
 Patch8:         func-parm-err.patch
-Patch9:         disable-optimization-for-ripemd.diff
+%ifarch s390x
-Patch10:        disable-optimization-for-md4.diff
+Patch9:         disable-optimization-for-s390x.diff
+%endif
+Patch10:        openssl-CVE-2008-5077.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -81,6 +88,11 @@ License:        BSD 3-Clause
 Summary:        Secure Sockets and Transport Layer Security
 Group:          Productivity/Networking/Security
 Recommends:     openssl-certs
+# bug437293
+%ifarch ppc64
+Obsoletes:      openssl-64bit
+%endif
+#
 
 %description -n libopenssl0_9_8
 The OpenSSL Project is a collaborative effort to develop a robust,
@@ -119,6 +131,11 @@ Group:          Development/Libraries/C and C++
 Obsoletes:      openssl-devel <= 0.9.8e-8
 Requires:       libopenssl0_9_8 = %{version} zlib-devel
 Provides:       openssl-devel = 0.9.8e-8
+# bug437293
+%ifarch ppc64
+Obsoletes:      openssl-devel-64bit
+%endif
+#
 
 %description -n libopenssl-devel
 This package contains all necessary include files and libraries needed
@@ -171,8 +188,10 @@ Authors:
 %patch6 -p1
 %patch7
 %patch8 -p1
+%ifarch s390x
 %patch9 
-%patch10
+%endif
+%patch10 -p1
 cp -p %{S:10} .
 # lib64 installation fixes
 for i in Makefile.org engines/Makefile; do
@@ -384,6 +403,13 @@ if ! test -f /.buildenv; then rm -rf $RPM_BUILD_ROOT; fi
 %{_bindir}/%{name}
 
 %changelog
+* Wed Jan 07 2009 olh@suse.de
+- obsolete old -XXbit packages (bnc#437293)
+* Thu Dec 18 2008 jshi@suse.de
+- fix security bug [bnc#459468]
+  CVE-2008-5077
+* Tue Dec 09 2008 xwhu@suse.de
+- Disable optimization for s390x
 * Mon Dec 08 2008 xwhu@suse.de
 - Disable optimization of md4
 * Mon Nov 10 2008 xwhu@suse.de