mirror of
git://slackware.nl/current.git
synced 2024-12-27 09:59:16 +01:00
5df6155d42
a/openssl11-solibs-1.1.1za-x86_64-1.txz: Upgraded. ap/vim-9.1.0595-x86_64-1.txz: Upgraded. l/python-sphinx-7.4.5-x86_64-1.txz: Upgraded. n/iproute2-6.10.0-x86_64-1.txz: Upgraded. n/nftables-1.1.0-x86_64-1.txz: Upgraded. n/openssl11-1.1.1za-x86_64-1.txz: Upgraded. Apply patches to fix CVEs that were fixed by the 1.1.1{x,y,za} releases that were only available to subscribers to OpenSSL's premium extended support. These patches were prepared by backporting commits from the OpenSSL-3.0 repo. The reported version number has been updated so that vulnerability scanners calm down. All of these issues were considered to be of low severity. We probably won't keep 1.1.1 in -current for long anyway, but might as well patch it first. :-) Thanks to Ken Zalewski for the patches! For more information, see: https://www.cve.org/CVERecord?id=CVE-2023-5678 https://www.cve.org/CVERecord?id=CVE-2024-0727 https://www.cve.org/CVERecord?id=CVE-2024-2511 https://www.cve.org/CVERecord?id=CVE-2024-4741 https://www.cve.org/CVERecord?id=CVE-2024-5535 (* Security fix *) x/mesa-24.1.4-x86_64-1.txz: Upgraded. xap/vim-gvim-9.1.0595-x86_64-1.txz: Upgraded.
183 lines
6.7 KiB
Diff
183 lines
6.7 KiB
Diff
From 4e975e3aec06165e760953f6c51a795f3dcfd1a0 Mon Sep 17 00:00:00 2001
|
|
From: Ken Zalewski <ken.zalewski@gmail.com>
|
|
Date: Sat, 13 Jul 2024 12:02:52 -0400
|
|
Subject: [PATCH] Patch to openssl-1.1.1y. This version addresses two
|
|
vulnerabilities: CVE-2024-2511 and CVE-2024-4741
|
|
|
|
---
|
|
include/openssl/opensslv.h | 4 ++--
|
|
include/openssl/ssl.h | 2 +-
|
|
ssl/record/rec_layer_s3.c | 9 +++++++++
|
|
ssl/record/record.h | 1 +
|
|
ssl/ssl_lib.c | 8 ++++++--
|
|
ssl/ssl_local.h | 2 +-
|
|
ssl/ssl_sess.c | 28 ++++++++++++++++++++++------
|
|
ssl/statem/statem_srvr.c | 5 ++---
|
|
8 files changed, 44 insertions(+), 15 deletions(-)
|
|
|
|
diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h
|
|
index c16eafd..585109a 100644
|
|
--- a/include/openssl/opensslv.h
|
|
+++ b/include/openssl/opensslv.h
|
|
@@ -39,8 +39,8 @@ extern "C" {
|
|
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
|
|
* major minor fix final patch/beta)
|
|
*/
|
|
-# define OPENSSL_VERSION_NUMBER 0x1010118fL
|
|
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1x 25 Jan 2024"
|
|
+# define OPENSSL_VERSION_NUMBER 0x1010119fL
|
|
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1y 27 May 2024"
|
|
|
|
/*-
|
|
* The macros below are to be used for shared library (.so, .dll, ...)
|
|
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
|
|
index 9af0c89..64eaca3 100644
|
|
--- a/include/openssl/ssl.h
|
|
+++ b/include/openssl/ssl.h
|
|
@@ -1659,7 +1659,7 @@ __owur int SSL_SESSION_set1_id(SSL_SESSION *s, const unsigned char *sid,
|
|
__owur int SSL_SESSION_is_resumable(const SSL_SESSION *s);
|
|
|
|
__owur SSL_SESSION *SSL_SESSION_new(void);
|
|
-__owur SSL_SESSION *SSL_SESSION_dup(SSL_SESSION *src);
|
|
+__owur SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src);
|
|
const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s,
|
|
unsigned int *len);
|
|
const unsigned char *SSL_SESSION_get0_id_context(const SSL_SESSION *s,
|
|
diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
|
|
index 1db1712..525c3ab 100644
|
|
--- a/ssl/record/rec_layer_s3.c
|
|
+++ b/ssl/record/rec_layer_s3.c
|
|
@@ -81,6 +81,15 @@ int RECORD_LAYER_read_pending(const RECORD_LAYER *rl)
|
|
return SSL3_BUFFER_get_left(&rl->rbuf) != 0;
|
|
}
|
|
|
|
+int RECORD_LAYER_data_present(const RECORD_LAYER *rl)
|
|
+{
|
|
+ if (rl->rstate == SSL_ST_READ_BODY)
|
|
+ return 1;
|
|
+ if (RECORD_LAYER_processed_read_pending(rl))
|
|
+ return 1;
|
|
+ return 0;
|
|
+}
|
|
+
|
|
/* Checks if we have decrypted unread record data pending */
|
|
int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl)
|
|
{
|
|
diff --git a/ssl/record/record.h b/ssl/record/record.h
|
|
index af56206..513ab39 100644
|
|
--- a/ssl/record/record.h
|
|
+++ b/ssl/record/record.h
|
|
@@ -197,6 +197,7 @@ void RECORD_LAYER_release(RECORD_LAYER *rl);
|
|
int RECORD_LAYER_read_pending(const RECORD_LAYER *rl);
|
|
int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl);
|
|
int RECORD_LAYER_write_pending(const RECORD_LAYER *rl);
|
|
+int RECORD_LAYER_data_present(const RECORD_LAYER *rl);
|
|
void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl);
|
|
void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl);
|
|
int RECORD_LAYER_is_sslv2_record(RECORD_LAYER *rl);
|
|
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
|
|
index 47adc32..356d65c 100644
|
|
--- a/ssl/ssl_lib.c
|
|
+++ b/ssl/ssl_lib.c
|
|
@@ -3515,9 +3515,10 @@ void ssl_update_cache(SSL *s, int mode)
|
|
|
|
/*
|
|
* If the session_id_length is 0, we are not supposed to cache it, and it
|
|
- * would be rather hard to do anyway :-)
|
|
+ * would be rather hard to do anyway :-). Also if the session has already
|
|
+ * been marked as not_resumable we should not cache it for later reuse.
|
|
*/
|
|
- if (s->session->session_id_length == 0)
|
|
+ if (s->session->session_id_length == 0 || s->session->not_resumable)
|
|
return;
|
|
|
|
/*
|
|
@@ -5247,6 +5248,9 @@ int SSL_free_buffers(SSL *ssl)
|
|
if (RECORD_LAYER_read_pending(rl) || RECORD_LAYER_write_pending(rl))
|
|
return 0;
|
|
|
|
+ if (RECORD_LAYER_data_present(rl))
|
|
+ return 0;
|
|
+
|
|
RECORD_LAYER_release(rl);
|
|
return 1;
|
|
}
|
|
diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
|
|
index 5c79215..5e73fa4 100644
|
|
--- a/ssl/ssl_local.h
|
|
+++ b/ssl/ssl_local.h
|
|
@@ -2261,7 +2261,7 @@ __owur int ssl_get_new_session(SSL *s, int session);
|
|
__owur SSL_SESSION *lookup_sess_in_cache(SSL *s, const unsigned char *sess_id,
|
|
size_t sess_id_len);
|
|
__owur int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello);
|
|
-__owur SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket);
|
|
+__owur SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket);
|
|
__owur int ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b);
|
|
DECLARE_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER, ssl_cipher_id);
|
|
__owur int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap,
|
|
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
|
|
index 68d1737..2b27a47 100644
|
|
--- a/ssl/ssl_sess.c
|
|
+++ b/ssl/ssl_sess.c
|
|
@@ -94,16 +94,11 @@ SSL_SESSION *SSL_SESSION_new(void)
|
|
return ss;
|
|
}
|
|
|
|
-SSL_SESSION *SSL_SESSION_dup(SSL_SESSION *src)
|
|
-{
|
|
- return ssl_session_dup(src, 1);
|
|
-}
|
|
-
|
|
/*
|
|
* Create a new SSL_SESSION and duplicate the contents of |src| into it. If
|
|
* ticket == 0 then no ticket information is duplicated, otherwise it is.
|
|
*/
|
|
-SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
|
|
+static SSL_SESSION *ssl_session_dup_intern(const SSL_SESSION *src, int ticket)
|
|
{
|
|
SSL_SESSION *dest;
|
|
|
|
@@ -226,6 +221,27 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
|
|
return NULL;
|
|
}
|
|
|
|
+SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src)
|
|
+{
|
|
+ return ssl_session_dup_intern(src, 1);
|
|
+}
|
|
+
|
|
+/*
|
|
+ * Used internally when duplicating a session which might be already shared.
|
|
+ * We will have resumed the original session. Subsequently we might have marked
|
|
+ * it as non-resumable (e.g. in another thread) - but this copy should be ok to
|
|
+ * resume from.
|
|
+ */
|
|
+SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
|
|
+{
|
|
+ SSL_SESSION *sess = ssl_session_dup_intern(src, ticket);
|
|
+
|
|
+ if (sess != NULL)
|
|
+ sess->not_resumable = 0;
|
|
+
|
|
+ return sess;
|
|
+}
|
|
+
|
|
const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len)
|
|
{
|
|
if (len)
|
|
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
|
|
index 43f77a5..2f6ce8f 100644
|
|
--- a/ssl/statem/statem_srvr.c
|
|
+++ b/ssl/statem/statem_srvr.c
|
|
@@ -2403,9 +2403,8 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt)
|
|
* so the following won't overwrite an ID that we're supposed
|
|
* to send back.
|
|
*/
|
|
- if (s->session->not_resumable ||
|
|
- (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
|
|
- && !s->hit))
|
|
+ if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
|
|
+ && !s->hit)
|
|
s->session->session_id_length = 0;
|
|
|
|
if (usetls13) {
|