Miroirs/slackware-current
1
0
Fork 0
mirror of git://slackware.nl/current.git synced 2024-12-31 10:28:29 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
slackware-current/patches/source/openssl/0002-openssl-1.1.1y_CVE-2024-2511_CVE-2024-4741.patch
Patrick J Volkerding 0e307de269 Wed Jul 17 19:29:24 UTC 2024 
patches/packages/openssl-1.1.1za-x86_64-1_slack15.0.txz:  Upgraded.
  Apply patches to fix CVEs that were fixed by the 1.1.1{x,y,za} releases that
  were only available to subscribers to OpenSSL's premium extended support.
  These patches were prepared by backporting commits from the OpenSSL-3.0 repo.
  The reported version number has been updated so that vulnerability scanners
  calm down. All of these issues were considered to be of low severity.
  Thanks to Ken Zalewski for the patches!
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-5678
    https://www.cve.org/CVERecord?id=CVE-2024-0727
    https://www.cve.org/CVERecord?id=CVE-2024-2511
    https://www.cve.org/CVERecord?id=CVE-2024-4741
    https://www.cve.org/CVERecord?id=CVE-2024-5535
  (* Security fix *)
patches/packages/openssl-solibs-1.1.1za-x86_64-1_slack15.0.txz:  Upgraded.
2024-07-18 13:31:00 +02:00

183 lines
6.7 KiB
Diff
Raw Blame History

From 4e975e3aec06165e760953f6c51a795f3dcfd1a0 Mon Sep 17 00:00:00 2001
From: Ken Zalewski <ken.zalewski@gmail.com>
Date: Sat, 13 Jul 2024 12:02:52 -0400
Subject: [PATCH] Patch to openssl-1.1.1y. This version addresses two
vulnerabilities: CVE-2024-2511 and CVE-2024-4741
---
include/openssl/opensslv.h | 4 ++--
include/openssl/ssl.h | 2 +-
ssl/record/rec_layer_s3.c | 9 +++++++++
ssl/record/record.h | 1 +
ssl/ssl_lib.c | 8 ++++++--
ssl/ssl_local.h | 2 +-
ssl/ssl_sess.c | 28 ++++++++++++++++++++++------
ssl/statem/statem_srvr.c | 5 ++---
8 files changed, 44 insertions(+), 15 deletions(-)
diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h
index c16eafd..585109a 100644
--- a/include/openssl/opensslv.h
+++ b/include/openssl/opensslv.h
@@ -39,8 +39,8 @@ extern "C" {
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
-# define OPENSSL_VERSION_NUMBER 0x1010118fL
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1x 25 Jan 2024"
+# define OPENSSL_VERSION_NUMBER 0x1010119fL
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1y 27 May 2024"
/*-
* The macros below are to be used for shared library (.so, .dll, ...)
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 9af0c89..64eaca3 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1659,7 +1659,7 @@ __owur int SSL_SESSION_set1_id(SSL_SESSION *s, const unsigned char *sid,
__owur int SSL_SESSION_is_resumable(const SSL_SESSION *s);
__owur SSL_SESSION *SSL_SESSION_new(void);
-__owur SSL_SESSION *SSL_SESSION_dup(SSL_SESSION *src);
+__owur SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src);
const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s,
unsigned int *len);
const unsigned char *SSL_SESSION_get0_id_context(const SSL_SESSION *s,
diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
index 1db1712..525c3ab 100644
--- a/ssl/record/rec_layer_s3.c
+++ b/ssl/record/rec_layer_s3.c
@@ -81,6 +81,15 @@ int RECORD_LAYER_read_pending(const RECORD_LAYER *rl)
return SSL3_BUFFER_get_left(&rl->rbuf) != 0;
}
+int RECORD_LAYER_data_present(const RECORD_LAYER *rl)
+{
+ if (rl->rstate == SSL_ST_READ_BODY)
+ return 1;
+ if (RECORD_LAYER_processed_read_pending(rl))
+ return 1;
+ return 0;
+}
+
/* Checks if we have decrypted unread record data pending */
int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl)
{
diff --git a/ssl/record/record.h b/ssl/record/record.h
index af56206..513ab39 100644
--- a/ssl/record/record.h
+++ b/ssl/record/record.h
@@ -197,6 +197,7 @@ void RECORD_LAYER_release(RECORD_LAYER *rl);
int RECORD_LAYER_read_pending(const RECORD_LAYER *rl);
int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl);
int RECORD_LAYER_write_pending(const RECORD_LAYER *rl);
+int RECORD_LAYER_data_present(const RECORD_LAYER *rl);
void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl);
void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl);
int RECORD_LAYER_is_sslv2_record(RECORD_LAYER *rl);
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 47adc32..356d65c 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -3515,9 +3515,10 @@ void ssl_update_cache(SSL *s, int mode)
/*
* If the session_id_length is 0, we are not supposed to cache it, and it
- * would be rather hard to do anyway :-)
+ * would be rather hard to do anyway :-). Also if the session has already
+ * been marked as not_resumable we should not cache it for later reuse.
*/
- if (s->session->session_id_length == 0)
+ if (s->session->session_id_length == 0 || s->session->not_resumable)
return;
/*
@@ -5247,6 +5248,9 @@ int SSL_free_buffers(SSL *ssl)
if (RECORD_LAYER_read_pending(rl) || RECORD_LAYER_write_pending(rl))
return 0;
+ if (RECORD_LAYER_data_present(rl))
+ return 0;
+
RECORD_LAYER_release(rl);
return 1;
}
diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
index 5c79215..5e73fa4 100644
--- a/ssl/ssl_local.h
+++ b/ssl/ssl_local.h
@@ -2261,7 +2261,7 @@ __owur int ssl_get_new_session(SSL *s, int session);
__owur SSL_SESSION *lookup_sess_in_cache(SSL *s, const unsigned char *sess_id,
size_t sess_id_len);
__owur int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello);
-__owur SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket);
+__owur SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket);
__owur int ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b);
DECLARE_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER, ssl_cipher_id);
__owur int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap,
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index 68d1737..2b27a47 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -94,16 +94,11 @@ SSL_SESSION *SSL_SESSION_new(void)
return ss;
}
-SSL_SESSION *SSL_SESSION_dup(SSL_SESSION *src)
-{
- return ssl_session_dup(src, 1);
-}
-
/*
* Create a new SSL_SESSION and duplicate the contents of |src| into it. If
* ticket == 0 then no ticket information is duplicated, otherwise it is.
*/
-SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
+static SSL_SESSION *ssl_session_dup_intern(const SSL_SESSION *src, int ticket)
{
SSL_SESSION *dest;
@@ -226,6 +221,27 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
return NULL;
}
+SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src)
+{
+ return ssl_session_dup_intern(src, 1);
+}
+
+/*
+ * Used internally when duplicating a session which might be already shared.
+ * We will have resumed the original session. Subsequently we might have marked
+ * it as non-resumable (e.g. in another thread) - but this copy should be ok to
+ * resume from.
+ */
+SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
+{
+ SSL_SESSION *sess = ssl_session_dup_intern(src, ticket);
+
+ if (sess != NULL)
+ sess->not_resumable = 0;
+
+ return sess;
+}
+
const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len)
{
if (len)
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 43f77a5..2f6ce8f 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -2403,9 +2403,8 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt)
* so the following won't overwrite an ID that we're supposed
* to send back.
*/
- if (s->session->not_resumable ||
- (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
- && !s->hit))
+ if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
+ && !s->hit)
s->session->session_id_length = 0;
if (usetls13) {
Reference in a new issue View git blame Copy permalink