openssl: fix CVE-2014-3569

author Steven Barth <cyrus@openwrt.org>

Tue, 6 Jan 2015 09:59:55 +0000 (09:59 +0000)

committer Steven Barth <cyrus@openwrt.org>

Tue, 6 Jan 2015 09:59:55 +0000 (09:59 +0000)
author Steven Barth <cyrus@openwrt.org>
Tue, 6 Jan 2015 09:59:55 +0000 (09:59 +0000)
committer Steven Barth <cyrus@openwrt.org>
Tue, 6 Jan 2015 09:59:55 +0000 (09:59 +0000)
diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile

index bb91e47dccdfd6b2ce00b073251a284938cc3fe8..36f0adb15a18b68c2a1128bdad664a87628d4036 100644 (file)
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -1,5 +1,5 @@
  #
  #
-# Copyright (C) 2006-2014 OpenWrt.org
+# Copyright (C) 2006-2015 OpenWrt.org
  #
  # This is free software, licensed under the GNU General Public License v2.
  # See /LICENSE for more information.
  #
  # This is free software, licensed under the GNU General Public License v2.
  # See /LICENSE for more information.
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
  
  PKG_NAME:=openssl
  PKG_VERSION:=1.0.1j
  
  PKG_NAME:=openssl
  PKG_VERSION:=1.0.1j
-PKG_RELEASE:=3
+PKG_RELEASE:=4
  PKG_USE_MIPS16:=0
  
  PKG_BUILD_PARALLEL:=1
  PKG_USE_MIPS16:=0
  
  PKG_BUILD_PARALLEL:=1
diff --git a/package/libs/openssl/patches/001-fix-CVE-2014-3569.patch b/package/libs/openssl/patches/001-fix-CVE-2014-3569.patch

new file mode 100644 (file)

index 0000000..26dfb29
--- /dev/null
+++ b/package/libs/openssl/patches/001-fix-CVE-2014-3569.patch
@@ -0,0 +1,38 @@
+From: Kurt Roeckx <kurt@roeckx.be>
+Date: Tue, 21 Oct 2014 18:45:15 +0000 (+0200)
+Subject: Keep old method in case of an unsupported protocol
+X-Git-Url: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=392fa7a952e97d82eac6958c81ed1e256e6b8ca5
+
+Keep old method in case of an unsupported protocol
+
+When we're configured with no-ssl3 and we receive an SSL v3 Client Hello, we set
+the method to NULL.  We didn't used to do that, and it breaks things.  This is a
+regression introduced in 62f45cc27d07187b59551e4fad3db4e52ea73f2c.  Keep the old
+method since the code is not able to deal with a NULL method at this time.
+
+CVE-2014-3569, PR#3571
+
+Reviewed-by: Emilia Käsper <emilia@openssl.org>
+---
+
+diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
+index 38960ba..858420d 100644
+--- a/ssl/s23_srvr.c
++++ b/ssl/s23_srvr.c
+@@ -615,12 +615,14 @@ int ssl23_get_client_hello(SSL *s)
+       if ((type == 2) || (type == 3))
+               {
+               /* we have SSLv3/TLSv1 (type 2: SSL2 style, type 3: SSL3/TLS style) */
+-                s->method = ssl23_get_server_method(s->version);
+-              if (s->method == NULL)
++              const SSL_METHOD *new_method;
++              new_method = ssl23_get_server_method(s->version);
++              if (new_method == NULL)
+                       {
+                       SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
+                       goto err;
+                       }
++              s->method = new_method;
+ 
+               if (!ssl_init_wbio_buffer(s,1)) goto err;
+
author	Steven Barth <cyrus@openwrt.org>
	Tue, 6 Jan 2015 09:59:55 +0000 (09:59 +0000)
committer	Steven Barth <cyrus@openwrt.org>
	Tue, 6 Jan 2015 09:59:55 +0000 (09:59 +0000)
package/libs/openssl/Makefile		patch \| blob \| history
package/libs/openssl/patches/001-fix-CVE-2014-3569.patch	[new file with mode: 0644]	patch \| blob