Miroirs/slackware-current
1
0
Fork 0
mirror of git://slackware.nl/current.git synced 2024-12-26 09:58:59 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
slackware-current/source/n/openssl11/0003-openssl-1.1.1za_CVE-2024-5535.patch
Patrick J Volkerding 5df6155d42 Wed Jul 17 19:29:24 UTC 2024 
a/openssl11-solibs-1.1.1za-x86_64-1.txz:  Upgraded.
ap/vim-9.1.0595-x86_64-1.txz:  Upgraded.
l/python-sphinx-7.4.5-x86_64-1.txz:  Upgraded.
n/iproute2-6.10.0-x86_64-1.txz:  Upgraded.
n/nftables-1.1.0-x86_64-1.txz:  Upgraded.
n/openssl11-1.1.1za-x86_64-1.txz:  Upgraded.
  Apply patches to fix CVEs that were fixed by the 1.1.1{x,y,za} releases that
  were only available to subscribers to OpenSSL's premium extended support.
  These patches were prepared by backporting commits from the OpenSSL-3.0 repo.
  The reported version number has been updated so that vulnerability scanners
  calm down. All of these issues were considered to be of low severity.
  We probably won't keep 1.1.1 in -current for long anyway, but might as well
  patch it first. :-)
  Thanks to Ken Zalewski for the patches!
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-5678
    https://www.cve.org/CVERecord?id=CVE-2024-0727
    https://www.cve.org/CVERecord?id=CVE-2024-2511
    https://www.cve.org/CVERecord?id=CVE-2024-4741
    https://www.cve.org/CVERecord?id=CVE-2024-5535
  (* Security fix *)
x/mesa-24.1.4-x86_64-1.txz:  Upgraded.
xap/vim-gvim-9.1.0595-x86_64-1.txz:  Upgraded.
2024-07-17 22:04:22 +02:00

108 lines
4 KiB
Diff
Raw Permalink Blame History

From 72f5c8e48a09ab09dae91c869e53e3d0c75ef921 Mon Sep 17 00:00:00 2001
From: Ken Zalewski <ken.zalewski@gmail.com>
Date: Sat, 13 Jul 2024 12:19:50 -0400
Subject: [PATCH] Patch to openssl-1.1.1za. This version addresses one
vulnerability: CVE-2024-5535
---
include/openssl/opensslv.h | 4 +--
ssl/ssl_lib.c | 63 ++++++++++++++++++++++++--------------
2 files changed, 42 insertions(+), 25 deletions(-)
diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h
index 585109a..a1a5d07 100644
--- a/include/openssl/opensslv.h
+++ b/include/openssl/opensslv.h
@@ -39,8 +39,8 @@ extern "C" {
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
-# define OPENSSL_VERSION_NUMBER 0x1010119fL
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1y 27 May 2024"
+# define OPENSSL_VERSION_NUMBER 0x101011afL
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1za 26 Jun 2024"
/*-
* The macros below are to be used for shared library (.so, .dll, ...)
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 356d65c..ccb1d4a 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2761,37 +2761,54 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
unsigned int server_len,
const unsigned char *client, unsigned int client_len)
{
- unsigned int i, j;
- const unsigned char *result;
- int status = OPENSSL_NPN_UNSUPPORTED;
+ PACKET cpkt, csubpkt, spkt, ssubpkt;
+
+ if (!PACKET_buf_init(&cpkt, client, client_len)
+ || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt)
+ || PACKET_remaining(&csubpkt) == 0) {
+ *out = NULL;
+ *outlen = 0;
+ return OPENSSL_NPN_NO_OVERLAP;
+ }
+
+ /*
+ * Set the default opportunistic protocol. Will be overwritten if we find
+ * a match.
+ */
+ *out = (unsigned char *)PACKET_data(&csubpkt);
+ *outlen = (unsigned char)PACKET_remaining(&csubpkt);
/*
* For each protocol in server preference order, see if we support it.
*/
- for (i = 0; i < server_len;) {
- for (j = 0; j < client_len;) {
- if (server[i] == client[j] &&
- memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) {
- /* We found a match */
- result = &server[i];
- status = OPENSSL_NPN_NEGOTIATED;
- goto found;
+ if (PACKET_buf_init(&spkt, server, server_len)) {
+ while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) {
+ if (PACKET_remaining(&ssubpkt) == 0)
+ continue; /* Invalid - ignore it */
+ if (PACKET_buf_init(&cpkt, client, client_len)) {
+ while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) {
+ if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt),
+ PACKET_remaining(&ssubpkt))) {
+ /* We found a match */
+ *out = (unsigned char *)PACKET_data(&ssubpkt);
+ *outlen = (unsigned char)PACKET_remaining(&ssubpkt);
+ return OPENSSL_NPN_NEGOTIATED;
+ }
+ }
+ /* Ignore spurious trailing bytes in the client list */
+ } else {
+ /* This should never happen */
+ return OPENSSL_NPN_NO_OVERLAP;
}
- j += client[j];
- j++;
}
- i += server[i];
- i++;
+ /* Ignore spurious trailing bytes in the server list */
}
- /* There's no overlap between our protocols and the server's list. */
- result = client;
- status = OPENSSL_NPN_NO_OVERLAP;
-
- found:
- *out = (unsigned char *)result + 1;
- *outlen = result[0];
- return status;
+ /*
+ * There's no overlap between our protocols and the server's list. We use
+ * the default opportunistic protocol selected earlier
+ */
+ return OPENSSL_NPN_NO_OVERLAP;
}
#ifndef OPENSSL_NO_NEXTPROTONEG
Reference in a new issue View git blame Copy permalink