mirror of
git://slackware.nl/current.git
synced 2024-12-27 09:59:16 +01:00
5df6155d42
a/openssl11-solibs-1.1.1za-x86_64-1.txz: Upgraded. ap/vim-9.1.0595-x86_64-1.txz: Upgraded. l/python-sphinx-7.4.5-x86_64-1.txz: Upgraded. n/iproute2-6.10.0-x86_64-1.txz: Upgraded. n/nftables-1.1.0-x86_64-1.txz: Upgraded. n/openssl11-1.1.1za-x86_64-1.txz: Upgraded. Apply patches to fix CVEs that were fixed by the 1.1.1{x,y,za} releases that were only available to subscribers to OpenSSL's premium extended support. These patches were prepared by backporting commits from the OpenSSL-3.0 repo. The reported version number has been updated so that vulnerability scanners calm down. All of these issues were considered to be of low severity. We probably won't keep 1.1.1 in -current for long anyway, but might as well patch it first. :-) Thanks to Ken Zalewski for the patches! For more information, see: https://www.cve.org/CVERecord?id=CVE-2023-5678 https://www.cve.org/CVERecord?id=CVE-2024-0727 https://www.cve.org/CVERecord?id=CVE-2024-2511 https://www.cve.org/CVERecord?id=CVE-2024-4741 https://www.cve.org/CVERecord?id=CVE-2024-5535 (* Security fix *) x/mesa-24.1.4-x86_64-1.txz: Upgraded. xap/vim-gvim-9.1.0595-x86_64-1.txz: Upgraded.
108 lines
4 KiB
Diff
108 lines
4 KiB
Diff
From 72f5c8e48a09ab09dae91c869e53e3d0c75ef921 Mon Sep 17 00:00:00 2001
|
|
From: Ken Zalewski <ken.zalewski@gmail.com>
|
|
Date: Sat, 13 Jul 2024 12:19:50 -0400
|
|
Subject: [PATCH] Patch to openssl-1.1.1za. This version addresses one
|
|
vulnerability: CVE-2024-5535
|
|
|
|
---
|
|
include/openssl/opensslv.h | 4 +--
|
|
ssl/ssl_lib.c | 63 ++++++++++++++++++++++++--------------
|
|
2 files changed, 42 insertions(+), 25 deletions(-)
|
|
|
|
diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h
|
|
index 585109a..a1a5d07 100644
|
|
--- a/include/openssl/opensslv.h
|
|
+++ b/include/openssl/opensslv.h
|
|
@@ -39,8 +39,8 @@ extern "C" {
|
|
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
|
|
* major minor fix final patch/beta)
|
|
*/
|
|
-# define OPENSSL_VERSION_NUMBER 0x1010119fL
|
|
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1y 27 May 2024"
|
|
+# define OPENSSL_VERSION_NUMBER 0x101011afL
|
|
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1za 26 Jun 2024"
|
|
|
|
/*-
|
|
* The macros below are to be used for shared library (.so, .dll, ...)
|
|
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
|
|
index 356d65c..ccb1d4a 100644
|
|
--- a/ssl/ssl_lib.c
|
|
+++ b/ssl/ssl_lib.c
|
|
@@ -2761,37 +2761,54 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
|
|
unsigned int server_len,
|
|
const unsigned char *client, unsigned int client_len)
|
|
{
|
|
- unsigned int i, j;
|
|
- const unsigned char *result;
|
|
- int status = OPENSSL_NPN_UNSUPPORTED;
|
|
+ PACKET cpkt, csubpkt, spkt, ssubpkt;
|
|
+
|
|
+ if (!PACKET_buf_init(&cpkt, client, client_len)
|
|
+ || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt)
|
|
+ || PACKET_remaining(&csubpkt) == 0) {
|
|
+ *out = NULL;
|
|
+ *outlen = 0;
|
|
+ return OPENSSL_NPN_NO_OVERLAP;
|
|
+ }
|
|
+
|
|
+ /*
|
|
+ * Set the default opportunistic protocol. Will be overwritten if we find
|
|
+ * a match.
|
|
+ */
|
|
+ *out = (unsigned char *)PACKET_data(&csubpkt);
|
|
+ *outlen = (unsigned char)PACKET_remaining(&csubpkt);
|
|
|
|
/*
|
|
* For each protocol in server preference order, see if we support it.
|
|
*/
|
|
- for (i = 0; i < server_len;) {
|
|
- for (j = 0; j < client_len;) {
|
|
- if (server[i] == client[j] &&
|
|
- memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) {
|
|
- /* We found a match */
|
|
- result = &server[i];
|
|
- status = OPENSSL_NPN_NEGOTIATED;
|
|
- goto found;
|
|
+ if (PACKET_buf_init(&spkt, server, server_len)) {
|
|
+ while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) {
|
|
+ if (PACKET_remaining(&ssubpkt) == 0)
|
|
+ continue; /* Invalid - ignore it */
|
|
+ if (PACKET_buf_init(&cpkt, client, client_len)) {
|
|
+ while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) {
|
|
+ if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt),
|
|
+ PACKET_remaining(&ssubpkt))) {
|
|
+ /* We found a match */
|
|
+ *out = (unsigned char *)PACKET_data(&ssubpkt);
|
|
+ *outlen = (unsigned char)PACKET_remaining(&ssubpkt);
|
|
+ return OPENSSL_NPN_NEGOTIATED;
|
|
+ }
|
|
+ }
|
|
+ /* Ignore spurious trailing bytes in the client list */
|
|
+ } else {
|
|
+ /* This should never happen */
|
|
+ return OPENSSL_NPN_NO_OVERLAP;
|
|
}
|
|
- j += client[j];
|
|
- j++;
|
|
}
|
|
- i += server[i];
|
|
- i++;
|
|
+ /* Ignore spurious trailing bytes in the server list */
|
|
}
|
|
|
|
- /* There's no overlap between our protocols and the server's list. */
|
|
- result = client;
|
|
- status = OPENSSL_NPN_NO_OVERLAP;
|
|
-
|
|
- found:
|
|
- *out = (unsigned char *)result + 1;
|
|
- *outlen = result[0];
|
|
- return status;
|
|
+ /*
|
|
+ * There's no overlap between our protocols and the server's list. We use
|
|
+ * the default opportunistic protocol selected earlier
|
|
+ */
|
|
+ return OPENSSL_NPN_NO_OVERLAP;
|
|
}
|
|
|
|
#ifndef OPENSSL_NO_NEXTPROTONEG
|