[gnome-continuous-yocto/gnomeostree-3.22-krogoth: 195/246] openssl: Security fix CVE-2016-8610
- From: Emmanuele Bassi <ebassi src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [gnome-continuous-yocto/gnomeostree-3.22-krogoth: 195/246] openssl: Security fix CVE-2016-8610
- Date: Thu, 14 Dec 2017 12:04:34 +0000 (UTC)
commit 5dd02c6db1f4a5210ee4564ab04ac0ac9ed7ab46
Author: Armin Kuster <akuster mvista com>
Date: Sun Nov 6 07:33:27 2016 -0800
openssl: Security fix CVE-2016-8610
affects openssl < 1.0.2i
(From OE-Core rev: 0256b61cdafe540edb3cec2a34429e24b037cfae)
(From OE-Core rev: edb2fe2202a7e725aa6abd731bdef830ee2dbd97)
Signed-off-by: Armin Kuster <akuster mvista com>
Signed-off-by: Richard Purdie <richard purdie linuxfoundation org>
Signed-off-by: Armin Kuster <akuster808 gmail com>
Signed-off-by: Richard Purdie <richard purdie linuxfoundation org>
.../openssl/openssl/CVE-2016-8610.patch | 124 ++++++++++++++++++++
.../recipes-connectivity/openssl/openssl_1.0.2h.bb | 1 +
2 files changed, 125 insertions(+), 0 deletions(-)
---
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2016-8610.patch
b/meta/recipes-connectivity/openssl/openssl/CVE-2016-8610.patch
new file mode 100644
index 0000000..c2af589
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2016-8610.patch
@@ -0,0 +1,124 @@
+From 22646a075e75991b4e8f5d67171e45a6aead5b48 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt openssl org>
+Date: Wed, 21 Sep 2016 14:48:16 +0100
+Subject: [PATCH] Don't allow too many consecutive warning alerts
+
+Certain warning alerts are ignored if they are received. This can mean that
+no progress will be made if one peer continually sends those warning alerts.
+Implement a count so that we abort the connection if we receive too many.
+
+Issue reported by Shi Lei.
+
+Reviewed-by: Rich Salz <rsalz openssl org>
+
+Upstream-Status: Backport
+CVE: CVE-2016-8610
+Signed-off-by: Armin Kuster <akuster mvista com>
+
+---
+ ssl/d1_pkt.c | 15 +++++++++++++++
+ ssl/s3_pkt.c | 15 +++++++++++++++
+ ssl/ssl.h | 1 +
+ ssl/ssl_locl.h | 4 ++++
+ 4 files changed, 35 insertions(+)
+
+Index: openssl-1.0.2h/ssl/d1_pkt.c
+===================================================================
+--- openssl-1.0.2h.orig/ssl/d1_pkt.c
++++ openssl-1.0.2h/ssl/d1_pkt.c
+@@ -928,6 +928,13 @@ int dtls1_read_bytes(SSL *s, int type, u
+ goto start;
+ }
+
++ /*
++ * Reset the count of consecutive warning alerts if we've got a non-empty
++ * record that isn't an alert.
++ */
++ if (rr->type != SSL3_RT_ALERT && rr->length != 0)
++ s->cert->alert_count = 0;
++
+ /* we now have a packet which can be read and processed */
+
+ if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
+@@ -1194,6 +1201,14 @@ int dtls1_read_bytes(SSL *s, int type, u
+
+ if (alert_level == SSL3_AL_WARNING) {
+ s->s3->warn_alert = alert_descr;
++
++ s->cert->alert_count++;
++ if (s->cert->alert_count == MAX_WARN_ALERT_COUNT) {
++ al = SSL_AD_UNEXPECTED_MESSAGE;
++ SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS);
++ goto f_err;
++ }
++
+ if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
+ #ifndef OPENSSL_NO_SCTP
+ /*
+Index: openssl-1.0.2h/ssl/s3_pkt.c
+===================================================================
+--- openssl-1.0.2h.orig/ssl/s3_pkt.c
++++ openssl-1.0.2h/ssl/s3_pkt.c
+@@ -1229,6 +1229,13 @@ int ssl3_read_bytes(SSL *s, int type, un
+ return (ret);
+ }
+
++ /*
++ * Reset the count of consecutive warning alerts if we've got a non-empty
++ * record that isn't an alert.
++ */
++ if (rr->type != SSL3_RT_ALERT && rr->length != 0)
++ s->cert->alert_count = 0;
++
+ /* we now have a packet which can be read and processed */
+
+ if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
+@@ -1443,6 +1450,14 @@ int ssl3_read_bytes(SSL *s, int type, un
+
+ if (alert_level == SSL3_AL_WARNING) {
+ s->s3->warn_alert = alert_descr;
++
++ s->cert->alert_count++;
++ if (s->cert->alert_count == MAX_WARN_ALERT_COUNT) {
++ al = SSL_AD_UNEXPECTED_MESSAGE;
++ SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS);
++ goto f_err;
++ }
++
+ if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
+ s->shutdown |= SSL_RECEIVED_SHUTDOWN;
+ return (0);
+Index: openssl-1.0.2h/ssl/ssl.h
+===================================================================
+--- openssl-1.0.2h.orig/ssl/ssl.h
++++ openssl-1.0.2h/ssl/ssl.h
+@@ -3115,6 +3115,7 @@ void ERR_load_SSL_strings(void);
+ # define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST 157
+ # define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233
+ # define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 234
++# define SSL_R_TOO_MANY_WARN_ALERTS 409
+ # define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 235
+ # define SSL_R_UNABLE_TO_DECODE_DH_CERTS 236
+ # define SSL_R_UNABLE_TO_DECODE_ECDH_CERTS 313
+Index: openssl-1.0.2h/ssl/ssl_locl.h
+===================================================================
+--- openssl-1.0.2h.orig/ssl/ssl_locl.h
++++ openssl-1.0.2h/ssl/ssl_locl.h
+@@ -585,6 +585,8 @@ typedef struct {
+ */
+ # define SSL_EXT_FLAG_SENT 0x2
+
++# define MAX_WARN_ALERT_COUNT 5
++
+ typedef struct {
+ custom_ext_method *meths;
+ size_t meths_count;
+@@ -692,6 +694,8 @@ typedef struct cert_st {
+ unsigned char *alpn_proposed; /* server */
+ unsigned int alpn_proposed_len;
+ int alpn_sent; /* client */
++ /* Count of the number of consecutive warning alerts received */
++ unsigned int alert_count;
+ } CERT;
+
+ typedef struct sess_cert_st {
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb
b/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb
index 5a4e52a..a9146bb 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb
@@ -49,6 +49,7 @@ SRC_URI += "file://find.pl;subdir=${BP}/util/ \
file://CVE-2016-6303.patch \
file://CVE-2016-6304.patch \
file://CVE-2016-6306.patch \
+ file://CVE-2016-8610.patch \
"
SRC_URI[md5sum] = "9392e65072ce4b614c1392eefc1f23d0"
SRC_URI[sha256sum] = "1d4007e53aad94a5b2002fe045ee7bb0b3d98f1a47f8b2bc851dcd1c74332919"
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]
