~ubuntu-branches/ubuntu/lucid/openssl/lucid-security


Viewing changes to debian/patches/CVE-2014-3511.patch

  • Committer: Package Import Robot
  • Author(s): Marc Deslauriers
  • Date: 2014-08-07 08:48:43 UTC
  • Revision ID: package-import@ubuntu.com-20140807084843-tdiyho5w4ps784yx
Tags: 0.9.8k-7ubuntu8.20
* SECURITY UPDATE: double free when processing DTLS packets
  - debian/patches/CVE-2014-3505.patch: fix double free in ssl/d1_both.c.
  - CVE-2014-3505
* SECURITY UPDATE: DTLS memory exhaustion
  - debian/patches/CVE-2014-3506.patch: fix DTLS handshake message size
    checks in ssl/d1_both.c.
  - CVE-2014-3506
* SECURITY UPDATE: information leak in pretty printing functions
  - debian/patches/CVE-2014-3508.patch: fix OID handling in
    crypto/asn1/a_object.c, crypto/objects/obj_dat.c, crypto/asn1/asn1.h,
    crypto/asn1/asn1_err.c.
  - CVE-2014-3508
* SECURITY UPDATE: DTLS anonymous EC(DH) denial of service
  - debian/patches/CVE-2014-3510.patch: check for server certs in
    ssl/d1_clnt.c, ssl/s3_clnt.c.
  - CVE-2014-3510
* SECURITY UPDATE: TLS protocol downgrade attack
  - debian/patches/CVE-2014-3511.patch: properly handle fragments in
    ssl/s23_srvr.c.
  - CVE-2014-3511

 
1
From fc4bd2f287582c5f51f9549727fd5a49e9fc3012 Mon Sep 17 00:00:00 2001
 
2
From: David Benjamin <davidben@google.com>
 
3
Date: Wed, 23 Jul 2014 22:32:21 +0200
 
4
Subject: [PATCH] Fix protocol downgrade bug in case of fragmented packets
 
5
MIME-Version: 1.0
 
6
Content-Type: text/plain; charset=utf8
 
7
Content-Transfer-Encoding: 8bit
 
8
 
 
9
CVE-2014-3511
 
10
 
 
11
Reviewed-by: Emilia Käsper <emilia@openssl.org>
 
12
Reviewed-by: Bodo Möller <bodo@openssl.org>
 
13
---
 
14
 ssl/s23_srvr.c |   30 +++++++++++++++++++++++-------
 
15
 1 file changed, 23 insertions(+), 7 deletions(-)
 
16
 
 
17
diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
 
18
index be05911..e544853 100644
 
19
--- a/ssl/s23_srvr.c
 
20
+++ b/ssl/s23_srvr.c
 
21
@@ -328,23 +328,19 @@ int ssl23_get_client_hello(SSL *s)
 
22
                         * Client Hello message, this would be difficult, and we'd have
 
23
                         * to read more records to find out.
 
24
                         * No known SSL 3.0 client fragments ClientHello like this,
 
25
-                        * so we simply assume TLS 1.0 to avoid protocol version downgrade
 
26
-                        * attacks. */
 
27
+                        * so we simply reject such connections to avoid
 
28
+                        * protocol version downgrade attacks. */
 
29
                        if (p[3] == 0 && p[4] < 6)
 
30
                                {
 
31
-#if 0
 
32
                                SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_SMALL);
 
33
                                goto err;
 
34
-#else
 
35
-                               v[1] = TLS1_VERSION_MINOR;
 
36
-#endif
 
37
                                }
 
38
                        /* if major version number > 3 set minor to a value
 
39
                         * which will use the highest version 3 we support.
 
40
                         * If TLS 2.0 ever appears we will need to revise
 
41
                         * this....
 
42
                         */
 
43
-                       else if (p[9] > SSL3_VERSION_MAJOR)
 
44
+                       if (p[9] > SSL3_VERSION_MAJOR)
 
45
                                v[1]=0xff;
 
46
                        else
 
47
                                v[1]=p[10]; /* minor version according to client_version */
 
48
@@ -412,14 +408,34 @@ int ssl23_get_client_hello(SSL *s)
 
49
                v[0] = p[3]; /* == SSL3_VERSION_MAJOR */
 
50
                v[1] = p[4];
 
51
 
 
52
+               /* An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2
 
53
+                * header is sent directly on the wire, not wrapped as a TLS
 
54
+                * record. It's format is:
 
55
+                * Byte  Content
 
56
+                * 0-1   msg_length
 
57
+                * 2     msg_type
 
58
+                * 3-4   version
 
59
+                * 5-6   cipher_spec_length
 
60
+                * 7-8   session_id_length
 
61
+                * 9-10  challenge_length
 
62
+                * ...   ...
 
63
+                */
 
64
                n=((p[0]&0x7f)<<8)|p[1];
 
65
                if (n > (1024*4))
 
66
                        {
 
67
                        SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_LARGE);
 
68
                        goto err;
 
69
                        }
 
70
+               if (n < 9)
 
71
+                       {
 
72
+                       SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_LENGTH_MISMATCH);
 
73
+                       goto err;
 
74
+                       }
 
75
 
 
76
                j=ssl23_read_bytes(s,n+2);
 
77
+               /* We previously read 11 bytes, so if j > 0, we must have
 
78
+                * j == n+2 == s->packet_length. We have at least 11 valid
 
79
+                * packet bytes. */
 
80
                if (j <= 0) return(j);
 
81
 
 
82
                ssl3_finish_mac(s, s->packet+2, s->packet_length-2);
 
83
-- 
 
84
1.7.9.5
 
85
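Review bot: The new `if (n < 9)` guard in the second hunk gives no derivation for 9 at the point of use; a reader has to combine the byte table above it with the comment placed after `ssl23_read_bytes(s,n+2)` to see that it keeps the 11 bytes already read inside the declared message. I would put the reason on the check itself, e.g. `/* 2-byte header + 9 bytes (msg_type, version, three 2-byte lengths) = the 11 bytes already read */`, and correct the added comment's "It's format is" to "Its format is". The first hunk's `p[4] < 6` has the same bare constant, which appears to be the record payload needed to reach the version bytes at `p[9]`/`p[10]`; a short comment there would help too. Because the first hunk now rejects such fragmented ClientHellos instead of assuming TLS 1.0, the changelog entry should tell operators that these handshakes fail with `SSL_R_RECORD_TOO_SMALL`. `ssl23_get_client_hello` starts and ends outside both hunks, so the later length parsing is not visible here.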