Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2014-05-09 06:57:35 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "openssl" Changes: --------
--- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2014-05-06 13:39:37.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2014-05-09 06:57:36.000000000 +0200
@@ -1,0 +2,30 @@
+Mon May 5 16:25:17 UTC 2014 - crrodriguez@opensuse.org
+
+- 0005-libssl-Hide-library-private-symbols.patch
+ Update to hide more symbols that are not part of
+ the public API
+
+- openssl-gcc-attributes.patch BUF_memdup also
+ needs attribute alloc_size as it returns memory
+ of size of the second parameter.
+
+- openssl-ocloexec.patch Update, accept()
+ also needs O_CLOEXEC.
+
+- 0009-Fix-double-frees.patch, 0017-Double-free-in-i2o_ECPublicKey.patch
+ fix various double frees (from upstream)
+
+- 012-Fix-eckey_priv_encode.patch eckey_priv_encode should
+ return an error inmediately on failure of i2d_ECPrivateKey (from upstream)
+
+- 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch
+ From libressl, modified to work on linux systems that do not have
+ funopen() but fopencookie() instead.
+ Once upon a time, OS didn't have snprintf, which caused openssl to
+ bundle a *printf implementation. We know better nowadays, the glibc
+ implementation has buffer overflow checking, has sane failure modes
+ deal properly with threads, signals..etc..
+
+- build with -fno-common as well.
+
+-------------------------------------------------------------------
New:
----
0001-Axe-builtin-printf-implementation-use-glibc-instead.patch
0009-Fix-double-frees.patch
0012-Fix-eckey_priv_encode.patch
0017-Double-free-in-i2o_ECPublicKey.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ openssl.spec ++++++
--- /var/tmp/diff_new_pack.KcyBJP/_old 2014-05-09 06:57:37.000000000 +0200
+++ /var/tmp/diff_new_pack.KcyBJP/_new 2014-05-09 06:57:37.000000000 +0200
@@ -68,6 +68,10 @@
 Patch20: openssl-buffreelistbug-aka-CVE-2010-5298.patch
 Patch21: openssl-libssl-noweakciphers.patch
 Patch22: CVE-2014-0198.patch
+Patch23: 0009-Fix-double-frees.patch
+Patch24: 0012-Fix-eckey_priv_encode.patch
+Patch25: 0017-Double-free-in-i2o_ECPublicKey.patch
+Patch26: 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 %description
@@ -177,6 +181,10 @@
 %patch20 -p1
 %patch21 -p1
 %patch22 -p1
+%patch23 -p1
+%patch24 -p1
+%patch25 -p1
+%patch26 -p1
 cp -p %{S:10} .
 cp -p %{S:11} .
 echo "adding/overwriting some entries in the 'table' hash in Configure"
@@ -240,7 +248,7 @@
 $RPM_OPT_FLAGS -O3 -std=gnu99 \
 -Wa,--noexecstack \
 -Wl,-z,relro,-z,now \
--fomit-frame-pointer \
+-fno-common \
 -DTERMIO \
 -DPURIFY \
 -DSSL_FORBID_ENULL \
++++++ 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch ++++++
++++ 835 lines (skipped)
++++++ 0005-libssl-Hide-library-private-symbols.patch ++++++
--- /var/tmp/diff_new_pack.KcyBJP/_old 2014-05-09 06:57:37.000000000 +0200
+++ /var/tmp/diff_new_pack.KcyBJP/_new 2014-05-09 06:57:37.000000000 +0200
@@ -1,20 +1,42 @@
-From 89d5aecbc62842651cf22e48c405eb435feb0df3 Mon Sep 17 00:00:00 2001
+From f33b5a4cb7da3947d06b74e6f6cd2f264faca170 Mon Sep 17 00:00:00 2001
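Review bot: The compiler-flag hunk of openssl.spec (`@@ -240,7 +248,7 @@`) does not add `-fno-common` next to the existing flags, it replaces the `-fomit-frame-pointer \` line with it, while the changelog entry says only "build with -fno-common as well". If dropping `-fomit-frame-pointer` is intended, the changelog should record it, for example `- build with -fno-common, drop -fomit-frame-pointer`; if it is not, both lines belong in the list. The flag list starts and ends outside the hunk, so the full set of options in effect cannot be checked from here.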
From: =?UTF-8?q?Cristian=20Rodr=C3=ADguez?= <crrodriguez@opensuse.org> -Date: Wed, 24 Jul 2013 23:29:05 -0400 -Subject: [PATCH 5/5] libssl: Hide library private symbols - -This patch only contains the libssl part (the easy one) -patch to libcrypto will follow after it is complete and good enough. +Date: Sun, 20 Apr 2014 19:39:37 -0300 +Subject: [PATCH] libssl: Hide library private symbols It hides all the library symbols that are not part of the public API/ABI when GCC 4 or later is used. --- + ssl/d1_lib.c | 5 ++--- ssl/kssl_lcl.h | 9 +++++++++ + ssl/s23_srvr.c | 4 ++-- + ssl/s2_lib.c | 1 - + ssl/s3_lib.c | 1 - + ssl/ssl_lib.c | 1 - ssl/ssl_locl.h | 8 ++++++++ - 2 files changed, 17 insertions(+) + ssl/t1_lib.c | 6 ++---- + 8 files changed, 23 insertions(+), 12 deletions(-) -Index: openssl-1.0.1g/ssl/kssl_lcl.h -=================================================================== +--- openssl-1.0.1g.orig/ssl/d1_lib.c ++++ openssl-1.0.1g/ssl/d1_lib.c +@@ -67,8 +67,7 @@ + #endif + + static void get_current_time(struct timeval *t); +-const char dtls1_version_str[]="DTLSv1" OPENSSL_VERSION_PTEXT; +-int dtls1_listen(SSL *s, struct sockaddr *client); ++static int dtls1_listen(SSL *s, struct sockaddr *client); + + SSL3_ENC_METHOD DTLSv1_enc_data={ + dtls1_enc, +@@ -468,7 +467,7 @@ static void get_current_time(struct time + #endif + } + +-int dtls1_listen(SSL *s, struct sockaddr *client) ++static int dtls1_listen(SSL *s, struct sockaddr *client) + { + int ret; + --- openssl-1.0.1g.orig/ssl/kssl_lcl.h +++ openssl-1.0.1g/ssl/kssl_lcl.h @@ -61,6 +61,10 @@ 
@@ -38,8 +60,56 @@ +#endif + #endif /* KSSL_LCL_H */ -Index: openssl-1.0.1g/ssl/ssl_locl.h -=================================================================== +--- openssl-1.0.1g.orig/ssl/s23_srvr.c ++++ openssl-1.0.1g/ssl/s23_srvr.c +@@ -120,7 +120,7 @@ + #endif + + static const SSL_METHOD *ssl23_get_server_method(int ver); +-int ssl23_get_client_hello(SSL *s); ++static int ssl23_get_client_hello(SSL *s); + static const SSL_METHOD *ssl23_get_server_method(int ver) + { + #ifndef OPENSSL_NO_SSL2 +@@ -235,7 +235,7 @@ end: + } + + +-int ssl23_get_client_hello(SSL *s) ++static int ssl23_get_client_hello(SSL *s) + { + char buf_space[11]; /* Request this many bytes in initial read. + * We can detect SSL 3.0/TLS 1.0 Client Hellos +--- openssl-1.0.1g.orig/ssl/s2_lib.c ++++ openssl-1.0.1g/ssl/s2_lib.c +@@ -116,7 +116,6 @@ + #include <openssl/evp.h> + #include <openssl/md5.h> + +-const char ssl2_version_str[]="SSLv2" OPENSSL_VERSION_PTEXT; + + #define SSL2_NUM_CIPHERS (sizeof(ssl2_ciphers)/sizeof(SSL_CIPHER)) + +--- openssl-1.0.1g.orig/ssl/s3_lib.c ++++ openssl-1.0.1g/ssl/s3_lib.c +@@ -162,7 +162,6 @@ + #include <openssl/dh.h> + #endif + +-const char ssl3_version_str[]="SSLv3" OPENSSL_VERSION_PTEXT; + + #define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers)/sizeof(SSL_CIPHER)) + +--- openssl-1.0.1g.orig/ssl/ssl_lib.c ++++ openssl-1.0.1g/ssl/ssl_lib.c +@@ -160,7 +160,6 @@ + #include <openssl/engine.h> + #endif + +-const char *SSL_version_str=OPENSSL_VERSION_TEXT; + + SSL3_ENC_METHOD ssl3_undef_enc_method={ + /* evil casts, but these functions are only called if there's a library bug */ --- openssl-1.0.1g.orig/ssl/ssl_locl.h +++ openssl-1.0.1g/ssl/ssl_locl.h @@ -165,6 +165,10 @@ 
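Review bot: The s2_lib.c, s3_lib.c and ssl_lib.c sections added to the patch delete the definitions of `ssl2_version_str`, `ssl3_version_str` and `SSL_version_str` outright instead of hiding them, and the patch description ("It hides all the library symbols that are not part of the public API/ABI") does not mention a removal; the d1_lib.c and t1_lib.c sections do the same for their version strings. These objects had external linkage, so any remaining reference inside libssl or in a consumer would now fail to link, and libssl would presumably no longer embed these version banners, which inventory and scanning tools that identify a library by its strings may rely on. Whether the symbols were exported or referenced is not visible here, so the symbol table of the built library should be compared before and after. I would also add a line to the patch description such as `Also drops the unused *_version_str objects from libssl.`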
@@ -53,12 +123,26 @@ #ifdef OPENSSL_BUILD_SHLIBSSL # undef OPENSSL_EXTERN # define OPENSSL_EXTERN OPENSSL_EXPORT -@@ -1174,4 +1178,8 @@ void tls_fips_digest_extra( +@@ -1174,4 +1178,12 @@ void tls_fips_digest_extra( const EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *mac_ctx, const unsigned char *data, size_t data_len, size_t orig_len); ++int private_tls1_PRF(long digest_mask, const void *seed1, int seed1_len, const void *seed2, int seed2_len, ++ const void *seed3, int seed3_len, const void *seed4, int seed4_len, const void *seed5, int seed5_len, ++ const unsigned char *sec, int slen, unsigned char *out1, unsigned char *out2, int olen); ++ +#if defined(__GNUC__) && __GNUC__ >= 4 +#pragma GCC visibility pop +#endif + #endif +--- openssl-1.0.1g.orig/ssl/t1_lib.c ++++ openssl-1.0.1g/ssl/t1_lib.c +@@ -117,7 +117,6 @@ + #include <openssl/rand.h> + #include "ssl_locl.h" + +-const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT; + + #ifndef OPENSSL_NO_TLSEXT + static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen, ++++++ 0009-Fix-double-frees.patch ++++++
From 9c8dc84ac16a2f21063ae36809d202d0284ecf82 Mon Sep 17 00:00:00 2001 From: Ben Laurie <ben@links.org> Date: Tue, 22 Apr 2014 13:11:56 +0100 Subject: [PATCH 09/17] Fix double frees.
---
 CHANGES | 3 ++-
 crypto/pkcs7/pk7_doit.c | 1 +
 crypto/ts/ts_rsp_verify.c | 1 +
 ssl/d1_srvr.c | 1 +
 4 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
index 77fda3b..4c12a9d 100644
--- a/crypto/pkcs7/pk7_doit.c
+++ b/crypto/pkcs7/pk7_doit.c
@@ -928,6 +928,7 @@ int PKCS7_SIGNER_INFO_sign(PKCS7_SIGNER_INFO *si)
 if (EVP_DigestSignUpdate(&mctx,abuf,alen) <= 0)
 goto err;
 OPENSSL_free(abuf);
+ abuf = NULL;
 if (EVP_DigestSignFinal(&mctx, NULL, &siglen) <= 0)
 goto err;
 abuf = OPENSSL_malloc(siglen);
diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c
index afe16af..b7d170a 100644
--- a/crypto/ts/ts_rsp_verify.c
+++ b/crypto/ts/ts_rsp_verify.c
@@ -629,6 +629,7 @@ static int TS_compute_imprint(BIO *data, TS_TST_INFO *tst_info,
 X509_ALGOR_free(*md_alg);
 OPENSSL_free(*imprint);
 *imprint_len = 0;
+ *imprint = NULL;
 return 0;
 }
diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c
index 9975e20..1384ab0 100644
--- a/ssl/d1_srvr.c
+++ b/ssl/d1_srvr.c
@@ -1356,6 +1356,7 @@ int dtls1_send_server_key_exchange(SSL *s)
 (unsigned char *)encodedPoint, encodedlen);
 OPENSSL_free(encodedPoint);
+ encodedPoint = NULL;
 p += encodedlen;
 }
 #endif
-- 
1.8.4.5
++++++ 0012-Fix-eckey_priv_encode.patch ++++++
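Review bot: In the ts_rsp_verify.c hunk the error path still leaves `*md_alg` pointing at freed memory: `X509_ALGOR_free(*md_alg);` is followed by resetting `*imprint_len` and, with this change, `*imprint`, but `*md_alg` is never cleared. A caller that releases its algorithm pointer after TS_compute_imprint() fails would hit the same double-free pattern this patch removes for the imprint buffer; whether any caller does so is not visible here. Add `*md_alg = NULL;` directly after the `X509_ALGOR_free(*md_alg);` line. The function body starts outside the hunk, so other exits that may need the same reset cannot be checked here.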
From f0816174d264b11f6f4ccb41c75883640a2416bb Mon Sep 17 00:00:00 2001 From: mancha <mancha1@zoho.com> Date: Thu, 24 Apr 2014 19:06:20 +0000 Subject: [PATCH 12/17] Fix eckey_priv_encode()
Fix eckey_priv_encode to return an error on failure of i2d_ECPrivateKey.
---
 CHANGES | 4 ++++
 crypto/ec/ec_ameth.c | 1 +
 2 files changed, 5 insertions(+)
diff --git a/crypto/ec/ec_ameth.c b/crypto/ec/ec_ameth.c
index 0ce4524..f715a23 100644
--- a/crypto/ec/ec_ameth.c
+++ b/crypto/ec/ec_ameth.c
@@ -352,6 +352,7 @@ static int eckey_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
 EC_KEY_set_enc_flags(ec_key, old_flags);
 OPENSSL_free(ep);
 ECerr(EC_F_ECKEY_PRIV_ENCODE, ERR_R_EC_LIB);
+ return 0;
 }
 /* restore old encoding flags */
 EC_KEY_set_enc_flags(ec_key, old_flags);
-- 
1.8.4.5
++++++ 0017-Double-free-in-i2o_ECPublicKey.patch ++++++
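Review bot: The failure branch releases `ep` with a plain `OPENSSL_free(ep);` although, going by the function name and the commit message, this buffer is the destination of the private-key encoding, so a partially written key can remain in freed heap memory. Scrub it before the free, e.g. `OPENSSL_cleanse(ep, eplen);`, assuming the length variable in scope carries that name; the allocation is outside the hunk. Because the added `return 0;` now leaves the function early, it is also worth confirming that nothing allocated earlier in eckey_priv_encode() besides `ep` is left unreleased on this path, which cannot be seen from the hunk.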
From 8eb094b9460575a328ba04708147c91fc267b394 Mon Sep 17 00:00:00 2001 From: David Ramos <daramos@stanford.edu> Date: Sat, 3 May 2014 12:00:27 +0200 Subject: [PATCH 17/17] Double free in i2o_ECPublicKey
PR: 3338
---
 crypto/ec/ec_asn1.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c
index 145807b..e94f34e 100644
--- a/crypto/ec/ec_asn1.c
+++ b/crypto/ec/ec_asn1.c
@@ -1435,8 +1435,11 @@ int i2o_ECPublicKey(EC_KEY *a, unsigned char **out)
 *out, buf_len, NULL))
 {
 ECerr(EC_F_I2O_ECPUBLICKEY, ERR_R_EC_LIB);
- OPENSSL_free(*out);
- *out = NULL;
+ if (new_buffer)
+ {
+ OPENSSL_free(*out);
+ *out = NULL;
+ }
 return 0;
 }
 if (!new_buffer)
-- 
1.8.4.5
++++++ openssl-gcc-attributes.patch ++++++
--- /var/tmp/diff_new_pack.KcyBJP/_old 2014-05-09 06:57:38.000000000 +0200
+++ /var/tmp/diff_new_pack.KcyBJP/_new 2014-05-09 06:57:38.000000000 +0200
@@ -32,3 +32,14 @@
 void OPENSSL_cleanse(void *ptr, size_t len);
+--- openssl-1.0.1g.orig/crypto/buffer/buffer.h
++++ openssl-1.0.1g/crypto/buffer/buffer.h
+@@ -87,7 +87,7 @@ int BUF_MEM_grow(BUF_MEM *str, size_t le
+ int BUF_MEM_grow_clean(BUF_MEM *str, size_t len);
+ char * BUF_strdup(const char *str);
+ char * BUF_strndup(const char *str, size_t siz);
+-void * BUF_memdup(const void *data, size_t siz);
++void * BUF_memdup(const void *data, size_t siz) __attribute__((alloc_size(2)));
+ void BUF_reverse(unsigned char *out, const unsigned char *in, size_t siz);
+
+ /* safe string functions */
++++++ openssl-ocloexec.patch ++++++
--- /var/tmp/diff_new_pack.KcyBJP/_old 2014-05-09 06:57:38.000000000 +0200
+++ /var/tmp/diff_new_pack.KcyBJP/_new 2014-05-09 06:57:38.000000000 +0200
@@ -1,5 +1,3 @@
-Index: crypto/bio/b_sock.c
-===================================================================
 --- crypto/bio/b_sock.c.orig
 +++ crypto/bio/b_sock.c
 @@ -735,7 +735,7 @@ int BIO_get_accept_socket(char *host, in
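Review bot: The new `if (new_buffer)` guard in the ec_asn1.c hunk encodes an ownership rule that is stated nowhere near it: on failure the function may release only a buffer it allocated itself, and a buffer passed in through `*out` stays with the caller. Without a comment the guard looks like an optional optimisation and is easy to remove again in a later cleanup, which would bring the double free back. I would put `/* free only what this call allocated; a caller-supplied *out remains owned by the caller */` above the `if (new_buffer)` line. The body of i2o_ECPublicKey() starts and ends outside the hunk.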
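Review bot: The declaration added to crypto/buffer/buffer.h in openssl-gcc-attributes.patch uses `__attribute__((alloc_size(2)))` with no compiler guard on the visible line, and buffer.h appears to be a header that applications include. A consumer built with a compiler that does not accept this attribute would then fail on the prototype of `BUF_memdup`. The attribute should sit behind a macro that expands to nothing when it is unsupported; whether the rest of the patch already defines such a macro is not visible in this hunk.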
@@ -20,8 +18,15 @@
 if (cs != INVALID_SOCKET)
 {
 int ii;
-Index: crypto/bio/bss_conn.c
-===================================================================
+@@ -866,7 +866,7 @@ int BIO_accept(int sock, char **addr)
+ sa.len.s=0;
+ sa.len.i=sizeof(sa.from);
+ memset(&sa.from,0,sizeof(sa.from));
+- ret=accept(sock,&sa.from.sa,(void *)&sa.len);
++ ret=accept4(sock, &sa.from.sa, (void *)&sa.len, SOCK_CLOEXEC);
+ if (sizeof(sa.len.i)!=sizeof(sa.len.s) && sa.len.i==0)
+ {
+ OPENSSL_assert(sa.len.s<=sizeof(sa.from));
 --- crypto/bio/bss_conn.c.orig
 +++ crypto/bio/bss_conn.c
 @@ -209,7 +209,7 @@ static int conn_state(BIO *b, BIO_CONNEC
@@ -33,8 +38,6 @@
 if (ret == INVALID_SOCKET)
 {
 SYSerr(SYS_F_SOCKET,get_last_socket_error());
-Index: crypto/bio/bss_dgram.c
-===================================================================
 --- crypto/bio/bss_dgram.c.orig
 +++ crypto/bio/bss_dgram.c
 @@ -1032,7 +1032,7 @@ static int dgram_sctp_read(BIO *b, char
@@ -91,8 +94,6 @@
 if (data->handle_notifications != NULL) data->handle_notifications(b, data->notification_context, (void*) &snp);
-Index: crypto/bio/bss_file.c
-===================================================================
 --- crypto/bio/bss_file.c.orig
 +++ crypto/bio/bss_file.c
 @@ -120,6 +120,10 @@ BIO *BIO_new_file(const char *filename,
@@ -133,8 +134,6 @@
 fp=fopen(ptr,p);
 if (fp == NULL)
 {
-Index: crypto/rand/rand_unix.c
-===================================================================
 --- crypto/rand/rand_unix.c.orig
 +++ crypto/rand/rand_unix.c
 @@ -262,7 +262,7 @@ int RAND_poll(void)
@@ -146,8 +145,6 @@
 #ifdef O_NONBLOCK
 |O_NONBLOCK
 #endif
-Index: crypto/rand/randfile.c
-===================================================================
 --- crypto/rand/randfile.c.orig
 +++ crypto/rand/randfile.c
 @@ -136,7 +136,7 @@ int RAND_load_file(const char *file, lon
-- 
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org
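Review bot: The BIO_accept section added to openssl-ocloexec.patch replaces `accept()` with `accept4(..., SOCK_CLOEXEC)` unconditionally, so on a kernel or C library without accept4 every incoming connection would fail rather than merely lack close-on-exec. A fallback to plain accept() followed by setting FD_CLOEXEC when the call reports ENOSYS keeps the hardening without making the listener depend on it. On glibc accept4 is also only declared with _GNU_SOURCE, and whether b_sock.c defines it is outside the hunk. The body of BIO_accept() starts and ends outside the hunk.

```c
ret=accept4(sock, &sa.from.sa, (void *)&sa.len, SOCK_CLOEXEC);
if (ret == INVALID_SOCKET && get_last_socket_error() == ENOSYS)
	{
	/* accept4 unavailable at run time: plain accept, then set close-on-exec */
	ret=accept(sock,&sa.from.sa,(void *)&sa.len);
	if (ret != INVALID_SOCKET)
		(void)fcntl(ret, F_SETFD, FD_CLOEXEC);
	}
/* … unchanged: sa.len consistency check … */
```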