diff options
author | Tobias Geerinckx-Rice <me@tobias.gr> | 2019-02-28 23:53:26 +0100 |
---|---|---|
committer | Tobias Geerinckx-Rice <me@tobias.gr> | 2019-03-01 00:00:16 +0100 |
commit | a92c6b1a2b5b8b69f248c732db4a11ddf130f0f1 (patch) | |
tree | 0e0c390d4eb7c7013d333ca1a98971d43f999c2e /gnu/packages | |
parent | 884910970332c92f77bd9e079b413e5683870f27 (diff) | |
download | guix-a92c6b1a2b5b8b69f248c732db4a11ddf130f0f1.tar.gz guix-a92c6b1a2b5b8b69f248c732db4a11ddf130f0f1.zip |
gnu: openssl: Fix CVE-2019-1559.
* gnu/packages/tls.scm (openssl)[replacement]: New field.
(openssl/fixed): New variable.
(openssl-next)[inherit]: Inherit from it instead.
* gnu/packages/patches/openssl-CVE-2019-1559.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
Diffstat (limited to 'gnu/packages')
-rw-r--r-- | gnu/packages/patches/openssl-CVE-2019-1559.patch | 60 | ||||
-rw-r--r-- | gnu/packages/tls.scm | 14 |
2 files changed, 72 insertions, 2 deletions
diff --git a/gnu/packages/patches/openssl-CVE-2019-1559.patch b/gnu/packages/patches/openssl-CVE-2019-1559.patch new file mode 100644 index 0000000000..3e630037b5 --- /dev/null +++ b/gnu/packages/patches/openssl-CVE-2019-1559.patch @@ -0,0 +1,60 @@ +From e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e Mon Sep 17 00:00:00 2001 +From: Matt Caswell <matt@openssl.org> +Date: Fri, 14 Dec 2018 07:28:30 +0000 +Subject: [PATCH] Go into the error state if a fatal alert is sent or received + +If an application calls SSL_shutdown after a fatal alert has occured and +then behaves different based on error codes from that function then the +application may be vulnerable to a padding oracle. + +CVE-2019-1559 + +Reviewed-by: Richard Levitte <levitte@openssl.org> +--- + ssl/d1_pkt.c | 1 + + ssl/s3_pkt.c | 10 +++++++--- + 2 files changed, 8 insertions(+), 3 deletions(-) + +diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c +index 23aa9db..c7fe977 100644 +--- a/ssl/d1_pkt.c ++++ b/ssl/d1_pkt.c +@@ -1309,6 +1309,7 @@ int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) + ERR_add_error_data(2, "SSL alert number ", tmp); + s->shutdown |= SSL_RECEIVED_SHUTDOWN; + SSL_CTX_remove_session(s->session_ctx, s->session); ++ s->state = SSL_ST_ERR; + return (0); + } else { + al = SSL_AD_ILLEGAL_PARAMETER; +diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c +index 6527df8..830b723 100644 +--- a/ssl/s3_pkt.c ++++ b/ssl/s3_pkt.c +@@ -1500,6 +1500,7 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) + ERR_add_error_data(2, "SSL alert number ", tmp); + s->shutdown |= SSL_RECEIVED_SHUTDOWN; + SSL_CTX_remove_session(s->session_ctx, s->session); ++ s->state = SSL_ST_ERR; + return (0); + } else { + al = SSL_AD_ILLEGAL_PARAMETER; +@@ -1719,9 +1720,12 @@ int ssl3_send_alert(SSL *s, int level, int desc) + * protocol_version alerts */ + if (desc < 0) + return -1; +- /* If a fatal one, remove from cache */ +- if ((level == 2) && (s->session != NULL)) +- SSL_CTX_remove_session(s->session_ctx, s->session); ++ /* If a fatal one, remove from cache and go into the error state */ ++ if (level == SSL3_AL_FATAL) { ++ if (s->session != NULL) ++ SSL_CTX_remove_session(s->session_ctx, s->session); ++ s->state = SSL_ST_ERR; ++ } + + s->s3->alert_dispatch = 1; + s->s3->send_alert[0] = level; +-- +2.7.4 + diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm index c10b1a5320..6e91a46608 100644 --- a/gnu/packages/tls.scm +++ b/gnu/packages/tls.scm @@ -10,7 +10,7 @@ ;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com> ;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net> ;;; Copyright © 2017, 2018 Marius Bakke <mbakke@fastmail.com> -;;; Copyright © 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr> +;;; Copyright © 2017, 2018, 2019 Tobias Geerinckx-Rice <me@tobias.gr> ;;; Copyright © 2017 Rutger Helling <rhelling@mykolab.com> ;;; Copyright © 2018 Clément Lassieur <clement@lassieur.org> ;;; @@ -271,6 +271,7 @@ required structures.") (define-public openssl (package (name "openssl") + (replacement openssl/fixed) (version "1.0.2p") (source (origin (method url-fetch) @@ -399,9 +400,18 @@ required structures.") (license license:openssl) (home-page "https://www.openssl.org/"))) +(define-public openssl/fixed + (hidden-package + (package + (inherit openssl) + (source (origin + (inherit (package-source openssl)) + (patches (append (origin-patches (package-source openssl)) + (search-patches "openssl-CVE-2019-1559.patch")))))))) + (define-public openssl-next (package - (inherit openssl) + (inherit openssl/fixed) (name "openssl") (version "1.1.1a") (source (origin |