~ubuntu-branches/ubuntu/lucid/openssl/lucid-security

Viewing changes to debian/patches/CVE-2009-3245.patch

Committer: Bazaar Package Importer
Author(s): Marc Deslauriers
Date: 2010-03-30 08:57:51 UTC
Revision ID: james.westby@ubuntu.com-20100330085751-psie5ihdbr6ywffg

Tags: 0.9.8k-7ubuntu8

* SECURITY UPDATE: denial of service and possible arbitrary code
  execution via unchecked return values
  - debian/patches/CVE-2009-3245.patch: check bn_wexpand return value in
    crypto/bn/{bn_div.c,bn_gf2m.c,bn_mul.c}, crypto/ec/ec2_smpl.c,
    engines/e_ubsec.c.
  - CVE-2009-3245
* SECURITY UPDATE: denial of service via "record of death"
  - debian/patches/CVE-2010-0740.patch: only send back minor version
    number in ssl/s3_pkt.c.
  - CVE-2010-0740

files added:
debian/patches/CVE-2009-3245.patch

debian/patches/CVE-2010-0740.patch

files modified:
debian/changelog

debian/patches/series

Show diffs side-by-side

added added

removed removed

debian/patches/CVE-2009-3245.patch

Description: fix denial of service and possible arbitrary code

execution via unchecked return values

Bug: http://rt.openssl.org/Ticket/Display.html?id=2111&user=guest&pass=guest

Origin: upstream, http://cvs.openssl.org/chngview?cn=18936

Origin: upstream, http://cvs.openssl.org/chngview?cn=19309

diff -Nur openssl-0.9.8k/crypto/bn/bn_div.c openssl-0.9.8k.new/crypto/bn/bn_div.c

--- openssl-0.9.8k/crypto/bn/bn_div.c 2008-09-14 09:42:40.000000000 -0400

+++ openssl-0.9.8k.new/crypto/bn/bn_div.c 2010-03-30 08:56:10.000000000 -0400

@@ -102,7 +102,7 @@

/* The next 2 are needed so we can do a dv->d[0]|=1 later

* since BN_lshift1 will only work once there is a value :-) */

BN_zero(dv);

- bn_wexpand(dv,1);

+ if(bn_wexpand(dv,1) == NULL) goto end;

dv->top=1;

if (!BN_lshift(D,D,nm-nd)) goto end;

diff -Nur openssl-0.9.8k/crypto/bn/bn_gf2m.c openssl-0.9.8k.new/crypto/bn/bn_gf2m.c

--- openssl-0.9.8k/crypto/bn/bn_gf2m.c 2008-06-23 16:46:28.000000000 -0400

+++ openssl-0.9.8k.new/crypto/bn/bn_gf2m.c 2010-03-30 08:56:10.000000000 -0400

@@ -294,7 +294,8 @@

if (a->top < b->top) { at = b; bt = a; }

else { at = a; bt = b; }

- bn_wexpand(r, at->top);

+ if(bn_wexpand(r, at->top) == NULL)

+ return 0;

for (i = 0; i < bt->top; i++)

{

diff -Nur openssl-0.9.8k/crypto/bn/bn_mul.c openssl-0.9.8k.new/crypto/bn/bn_mul.c

--- openssl-0.9.8k/crypto/bn/bn_mul.c 2007-11-03 16:09:29.000000000 -0400

+++ openssl-0.9.8k.new/crypto/bn/bn_mul.c 2010-03-30 08:56:06.000000000 -0400

@@ -1030,15 +1030,15 @@

t = BN_CTX_get(ctx);

if (al > j || bl > j)

{

- bn_wexpand(t,k*4);

- bn_wexpand(rr,k*4);

+ if (bn_wexpand(t,k*4) == NULL) goto err;

+ if (bn_wexpand(rr,k*4) == NULL) goto err;

bn_mul_part_recursive(rr->d,a->d,b->d,

j,al-j,bl-j,t->d);

}

else /* al <= j || bl <= j */

{

- bn_wexpand(t,k*2);

- bn_wexpand(rr,k*2);

+ if (bn_wexpand(t,k*2) == NULL) goto err;

+ if (bn_wexpand(rr,k*2) == NULL) goto err;

bn_mul_recursive(rr->d,a->d,b->d,

j,al-j,bl-j,t->d);

}

diff -Nur openssl-0.9.8k/crypto/ec/ec2_smpl.c openssl-0.9.8k.new/crypto/ec/ec2_smpl.c

--- openssl-0.9.8k/crypto/ec/ec2_smpl.c 2006-03-13 18:12:07.000000000 -0500

+++ openssl-0.9.8k.new/crypto/ec/ec2_smpl.c 2010-03-30 08:56:10.000000000 -0400

@@ -174,8 +174,10 @@

dest->poly[2] = src->poly[2];

dest->poly[3] = src->poly[3];

dest->poly[4] = src->poly[4];

- bn_wexpand(&dest->a, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2);

- bn_wexpand(&dest->b, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2);

+ if(bn_wexpand(&dest->a, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2) == NULL)

+ return 0;

+ if(bn_wexpand(&dest->b, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2) == NULL)

+ return 0;

for (i = dest->a.top; i < dest->a.dmax; i++) dest->a.d[i] = 0;

for (i = dest->b.top; i < dest->b.dmax; i++) dest->b.d[i] = 0;

return 1;

@@ -199,12 +201,12 @@

/* group->a */

if (!BN_GF2m_mod_arr(&group->a, a, group->poly)) goto err;

- bn_wexpand(&group->a, (int)(group->poly[0] + BN_BITS2 - 1) / BN_BITS2);

+ if(bn_wexpand(&group->a, (int)(group->poly[0] + BN_BITS2 - 1) / BN_BITS2) == NULL) goto err;

for (i = group->a.top; i < group->a.dmax; i++) group->a.d[i] = 0;

/* group->b */

if (!BN_GF2m_mod_arr(&group->b, b, group->poly)) goto err;

- bn_wexpand(&group->b, (int)(group->poly[0] + BN_BITS2 - 1) / BN_BITS2);

+ if(bn_wexpand(&group->b, (int)(group->poly[0] + BN_BITS2 - 1) / BN_BITS2) == NULL) goto err;

for (i = group->b.top; i < group->b.dmax; i++) group->b.d[i] = 0;

ret = 1;

diff -Nur openssl-0.9.8k/engines/e_ubsec.c openssl-0.9.8k.new/engines/e_ubsec.c

--- openssl-0.9.8k/engines/e_ubsec.c 2007-09-06 08:43:53.000000000 -0400

+++ openssl-0.9.8k.new/engines/e_ubsec.c 2010-03-30 08:56:10.000000000 -0400

@@ -934,7 +934,7 @@

priv_key = BN_new();

if (priv_key == NULL) goto err;

priv_key_len = BN_num_bits(dh->p);

- bn_wexpand(priv_key, dh->p->top);

+ if(bn_wexpand(priv_key, dh->p->top) == NULL) goto err;

if (!BN_rand_range(priv_key, dh->p)) goto err;

while (BN_is_zero(priv_key));

@@ -949,7 +949,7 @@

{

100

pub_key = BN_new();

101

pub_key_len = BN_num_bits(dh->p);

102

- bn_wexpand(pub_key, dh->p->top);

103

+ if(bn_wexpand(pub_key, dh->p->top) == NULL) goto err;

104

if(pub_key == NULL) goto err;

105

}

106

else

Older »