ports/core (2.3): [notify] openssl: added patch for CVE-2007-3108
commit 71ea01fd4b43e4eb89c048427ed2ef8b0e75066f Author: Juergen Daubert <jue@jue.li> Date: Wed Aug 15 15:30:53 2007 +0200 [notify] openssl: added patch for CVE-2007-3108 References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3108 http://www.securityfocus.com/bid/25163 diff --git a/openssl/.md5sum b/openssl/.md5sum index 1e9a478..a9a40d3 100644 --- a/openssl/.md5sum +++ b/openssl/.md5sum @@ -1,3 +1,4 @@ +30ad2995a2668db16ae3083c11a42307 CVE-2007-3108.patch 9d0df57845af8acd1027a7df5c18d017 mksslcert.sh 58daa890c3bc19bd6ce3451b2e5e335c openssl-0.9.8b-parallel-build.patch 3a7ff24f6ea5cd711984722ad654b927 openssl-0.9.8e.tar.gz diff --git a/openssl/CVE-2007-3108.patch b/openssl/CVE-2007-3108.patch new file mode 100644 index 0000000..abf0196 --- /dev/null +++ b/openssl/CVE-2007-3108.patch @@ -0,0 +1,126 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + +- --- openssl-0.9.8e/crypto/bn/bn_mont.c 2006-06-16 03:01:14.000000000 +0200 ++++ openssl-0.9.8-cvs/crypto/bn/bn_mont.c 2007-06-29 10:13:25.000000000 +0200 +@@ -176,7 +176,6 @@ + + max=(nl+al+1); /* allow for overflow (no?) XXX */ + if (bn_wexpand(r,max) == NULL) goto err; +- - if (bn_wexpand(ret,max) == NULL) goto err; + + r->neg=a->neg^n->neg; + np=n->d; +@@ -228,19 +227,70 @@ + } + bn_correct_top(r); + +- - /* mont->ri will be a multiple of the word size */ +- -#if 0 +- - BN_rshift(ret,r,mont->ri); +- -#else +- - ret->neg = r->neg; +- - x=ri; ++ /* mont->ri will be a multiple of the word size and below code ++ * is kind of BN_rshift(ret,r,mont->ri) equivalent */ ++ if (r->top <= ri) ++ { ++ ret->top=0; ++ retn=1; ++ goto err; ++ } ++ al=r->top-ri; ++ ++# define BRANCH_FREE 1 ++# if BRANCH_FREE ++ if (bn_wexpand(ret,ri) == NULL) goto err; ++ x=0-(((al-ri)>>(sizeof(al)*8-1))&1); ++ ret->top=x=(ri&~x)|(al&x); /* min(ri,al) */ ++ ret->neg=r->neg; ++ + rp=ret->d; +- - ap= &(r->d[x]); +- - if (r->top < x) +- - al=0; +- - else +- - al=r->top-x; ++ ap=&(r->d[ri]); ++ ++ { ++ size_t m1,m2; ++ ++ v=bn_sub_words(rp,ap,np,ri); ++ /* this ----------------^^ works even in al<ri case ++ * thanks to zealous zeroing of top of the vector in the ++ * beginning. */ ++ ++ /* if (al==ri && !v) || al>ri) nrp=rp; else nrp=ap; */ ++ /* in other words if subtraction result is real, then ++ * trick unconditional memcpy below to perform in-place ++ * "refresh" instead of actual copy. */ ++ m1=0-(size_t)(((al-ri)>>(sizeof(al)*8-1))&1); /* al<ri */ ++ m2=0-(size_t)(((ri-al)>>(sizeof(al)*8-1))&1); /* al>ri */ ++ m1|=m2; /* (al!=ri) */ ++ m1|=(0-(size_t)v); /* (al!=ri || v) */ ++ m1&=~m2; /* (al!=ri || v) && !al>ri */ ++ nrp=(BN_ULONG *)(((size_t)rp&~m1)|((size_t)ap&m1)); ++ } ++ ++ /* 'i<ri' is chosen to eliminate dependency on input data, even ++ * though it results in redundant copy in al<ri case. */ ++ for (i=0,ri-=4; i<ri; i+=4) ++ { ++ BN_ULONG t1,t2,t3,t4; ++ ++ t1=nrp[i+0]; ++ t2=nrp[i+1]; ++ t3=nrp[i+2]; ap[i+0]=0; ++ t4=nrp[i+3]; ap[i+1]=0; ++ rp[i+0]=t1; ap[i+2]=0; ++ rp[i+1]=t2; ap[i+3]=0; ++ rp[i+2]=t3; ++ rp[i+3]=t4; ++ } ++ for (ri+=4; i<ri; i++) ++ rp[i]=nrp[i], ap[i]=0; ++# else ++ if (bn_wexpand(ret,al) == NULL) goto err; + ret->top=al; ++ ret->neg=r->neg; ++ ++ rp=ret->d; ++ ap=&(r->d[ri]); + al-=4; + for (i=0; i<al; i+=4) + { +@@ -258,7 +308,7 @@ + al+=4; + for (; i<al; i++) + rp[i]=ap[i]; +- -#endif ++# endif + #else /* !MONT_WORD */ + BIGNUM *t1,*t2; + +@@ -278,10 +328,12 @@ + if (!BN_rshift(ret,t2,mont->ri)) goto err; + #endif /* MONT_WORD */ + ++#if !defined(BRANCH_FREE) || BRANCH_FREE==0 + if (BN_ucmp(ret, &(mont->N)) >= 0) + { + if (!BN_usub(ret,ret,&(mont->N))) goto err; + } ++#endif + retn=1; + bn_check_top(ret); + err: +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.5 (GNU/Linux) + +iQCVAwUBRrGk++6tTP1JpWPZAQJbjwP/W/6mROtxOVU1gvvq/uFHCytNWHVaJfKA +7zh+v4OPQEIYekIBkEpNFgTJbHcyIZoyDNnwOetkRXvI4LDqvV1V5/pA5bzrKqDj +zv7Hj8R7DGqG8ad0Esf3l7SqqirI3curkIzm5/cALJBJxz/Pp7qyXNzzQgp55UPz +iBDdynBpa+s= +=aquq +-----END PGP SIGNATURE----- diff --git a/openssl/Pkgfile b/openssl/Pkgfile index 752362f..10c23da 100644 --- a/openssl/Pkgfile +++ b/openssl/Pkgfile @@ -4,13 +4,15 @@ name=openssl version=0.9.8e -release=1 +release=2 source=(http://www.openssl.org/source/$name-$version.tar.gz \ - mksslcert.sh openssl-0.9.8b-parallel-build.patch) + mksslcert.sh openssl-0.9.8b-parallel-build.patch \ + CVE-2007-3108.patch) build() { cd $name-$version - patch -p1 < $SRC/openssl-0.9.8b-parallel-build.patch + patch -p1 -i $SRC/CVE-2007-3108.patch + patch -p1 -i $SRC/openssl-0.9.8b-parallel-build.patch ./config --prefix=/usr --openssldir=/etc/ssl shared make make INSTALL_PREFIX=$PKG MANDIR=/usr/man MANSUFFIX=ssl install
participants (1)
-
crux@crux.nu