ports/core (2.3): [notify] openssl: added patch for CVE-2007-3108

crux at crux.nu crux at crux.nu
Wed Aug 15 13:31:23 UTC 2007


commit 71ea01fd4b43e4eb89c048427ed2ef8b0e75066f
Author: Juergen Daubert <jue at jue.li>
Date:   Wed Aug 15 15:30:53 2007 +0200

    [notify] openssl: added patch for CVE-2007-3108
    
    References:
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3108
      http://www.securityfocus.com/bid/25163

diff --git a/openssl/.md5sum b/openssl/.md5sum
index 1e9a478..a9a40d3 100644
--- a/openssl/.md5sum
+++ b/openssl/.md5sum
@@ -1,3 +1,4 @@
+30ad2995a2668db16ae3083c11a42307  CVE-2007-3108.patch
 9d0df57845af8acd1027a7df5c18d017  mksslcert.sh
 58daa890c3bc19bd6ce3451b2e5e335c  openssl-0.9.8b-parallel-build.patch
 3a7ff24f6ea5cd711984722ad654b927  openssl-0.9.8e.tar.gz
diff --git a/openssl/CVE-2007-3108.patch b/openssl/CVE-2007-3108.patch
new file mode 100644
index 0000000..abf0196
--- /dev/null
+++ b/openssl/CVE-2007-3108.patch
@@ -0,0 +1,126 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+- --- openssl-0.9.8e/crypto/bn/bn_mont.c	2006-06-16 03:01:14.000000000 +0200
++++ openssl-0.9.8-cvs/crypto/bn/bn_mont.c	2007-06-29 10:13:25.000000000 +0200
+@@ -176,7 +176,6 @@
+ 
+ 	max=(nl+al+1); /* allow for overflow (no?) XXX */
+ 	if (bn_wexpand(r,max) == NULL) goto err;
+- -	if (bn_wexpand(ret,max) == NULL) goto err;
+ 
+ 	r->neg=a->neg^n->neg;
+ 	np=n->d;
+@@ -228,19 +227,70 @@
+ 		}
+ 	bn_correct_top(r);
+ 	
+- -	/* mont->ri will be a multiple of the word size */
+- -#if 0
+- -	BN_rshift(ret,r,mont->ri);
+- -#else
+- -	ret->neg = r->neg;
+- -	x=ri;
++	/* mont->ri will be a multiple of the word size and below code
++	 * is kind of BN_rshift(ret,r,mont->ri) equivalent */
++	if (r->top <= ri)
++		{
++		ret->top=0;
++		retn=1;
++		goto err;
++		}
++	al=r->top-ri;
++
++# define BRANCH_FREE 1
++# if BRANCH_FREE
++	if (bn_wexpand(ret,ri) == NULL) goto err;
++	x=0-(((al-ri)>>(sizeof(al)*8-1))&1);
++	ret->top=x=(ri&~x)|(al&x);	/* min(ri,al) */
++	ret->neg=r->neg;
++
+ 	rp=ret->d;
+- -	ap= &(r->d[x]);
+- -	if (r->top < x)
+- -		al=0;
+- -	else
+- -		al=r->top-x;
++	ap=&(r->d[ri]);
++
++	{
++	size_t m1,m2;
++
++	v=bn_sub_words(rp,ap,np,ri);
++	/* this ----------------^^ works even in al<ri case
++	 * thanks to zealous zeroing of top of the vector in the
++	 * beginning. */
++
++	/* if (al==ri && !v) || al>ri) nrp=rp; else nrp=ap; */
++	/* in other words if subtraction result is real, then
++	 * trick unconditional memcpy below to perform in-place
++	 * "refresh" instead of actual copy. */
++	m1=0-(size_t)(((al-ri)>>(sizeof(al)*8-1))&1);	/* al<ri */
++	m2=0-(size_t)(((ri-al)>>(sizeof(al)*8-1))&1);	/* al>ri */
++	m1|=m2;			/* (al!=ri) */
++	m1|=(0-(size_t)v);	/* (al!=ri || v) */
++	m1&=~m2;		/* (al!=ri || v) && !al>ri */
++	nrp=(BN_ULONG *)(((size_t)rp&~m1)|((size_t)ap&m1));
++	}
++
++	/* 'i<ri' is chosen to eliminate dependency on input data, even
++	 * though it results in redundant copy in al<ri case. */
++	for (i=0,ri-=4; i<ri; i+=4)
++		{
++		BN_ULONG t1,t2,t3,t4;
++		
++		t1=nrp[i+0];
++		t2=nrp[i+1];
++		t3=nrp[i+2];	ap[i+0]=0;
++		t4=nrp[i+3];	ap[i+1]=0;
++		rp[i+0]=t1;	ap[i+2]=0;
++		rp[i+1]=t2;	ap[i+3]=0;
++		rp[i+2]=t3;
++		rp[i+3]=t4;
++		}
++	for (ri+=4; i<ri; i++)
++		rp[i]=nrp[i], ap[i]=0;
++# else
++	if (bn_wexpand(ret,al) == NULL) goto err;
+ 	ret->top=al;
++	ret->neg=r->neg;
++
++	rp=ret->d;
++	ap=&(r->d[ri]);
+ 	al-=4;
+ 	for (i=0; i<al; i+=4)
+ 		{
+@@ -258,7 +308,7 @@
+ 	al+=4;
+ 	for (; i<al; i++)
+ 		rp[i]=ap[i];
+- -#endif
++# endif
+ #else /* !MONT_WORD */ 
+ 	BIGNUM *t1,*t2;
+ 
+@@ -278,10 +328,12 @@
+ 	if (!BN_rshift(ret,t2,mont->ri)) goto err;
+ #endif /* MONT_WORD */
+ 
++#if !defined(BRANCH_FREE) || BRANCH_FREE==0
+ 	if (BN_ucmp(ret, &(mont->N)) >= 0)
+ 		{
+ 		if (!BN_usub(ret,ret,&(mont->N))) goto err;
+ 		}
++#endif
+ 	retn=1;
+ 	bn_check_top(ret);
+  err:
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.5 (GNU/Linux)
+
+iQCVAwUBRrGk++6tTP1JpWPZAQJbjwP/W/6mROtxOVU1gvvq/uFHCytNWHVaJfKA
+7zh+v4OPQEIYekIBkEpNFgTJbHcyIZoyDNnwOetkRXvI4LDqvV1V5/pA5bzrKqDj
+zv7Hj8R7DGqG8ad0Esf3l7SqqirI3curkIzm5/cALJBJxz/Pp7qyXNzzQgp55UPz
+iBDdynBpa+s=
+=aquq
+-----END PGP SIGNATURE-----
diff --git a/openssl/Pkgfile b/openssl/Pkgfile
index 752362f..10c23da 100644
--- a/openssl/Pkgfile
+++ b/openssl/Pkgfile
@@ -4,13 +4,15 @@
 
 name=openssl
 version=0.9.8e
-release=1
+release=2
 source=(http://www.openssl.org/source/$name-$version.tar.gz \
-	mksslcert.sh openssl-0.9.8b-parallel-build.patch)
+	mksslcert.sh openssl-0.9.8b-parallel-build.patch \
+	CVE-2007-3108.patch)
 
 build() {
     cd $name-$version
-    patch -p1 < $SRC/openssl-0.9.8b-parallel-build.patch
+    patch -p1 -i $SRC/CVE-2007-3108.patch
+    patch -p1 -i $SRC/openssl-0.9.8b-parallel-build.patch
     ./config --prefix=/usr --openssldir=/etc/ssl shared
     make
     make INSTALL_PREFIX=$PKG MANDIR=/usr/man MANSUFFIX=ssl install



More information about the CRUX mailing list