Diffstat (limited to 'recipes-connectivity')
-rw-r--r-- | recipes-connectivity/openssl/openssl/CVE-2017-3735.patch | 43 | ||||
-rw-r--r-- | recipes-connectivity/openssl/openssl/CVE-2017-3737.patch | 49 | ||||
-rw-r--r-- | recipes-connectivity/openssl/openssl_%.bbappend | 5 |
3 files changed, 0 insertions, 97 deletions
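--- a/recipes-connectivity/openssl/openssl/CVE-2017-3735.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 31c8b265591a0aaa462a1f3eb5770661aaac67db Mon Sep 17 00:00:00 2001
-From: Rich Salz <rsalz@openssl.org>
-Date: Tue, 22 Aug 2017 11:44:41 -0400
-Subject: [PATCH] Avoid out-of-bounds read
-
-Fixes CVE-2017-3735
-
-CVE: CVE-2017-3735
-Upstream-Status: Backport
-
-Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
-(Merged from https://github.com/openssl/openssl/pull/4276)
-
-(cherry picked from commit b23171744b01e473ebbfd6edad70c1c3825ffbcd)
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
----
-crypto/x509v3/v3_addr.c | 10 ++++++----
-1 file changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/crypto/x509v3/v3_addr.c b/crypto/x509v3/v3_addr.c
-index 1290dec..af080a0 100644
---- a/crypto/x509v3/v3_addr.c
-+++ b/crypto/x509v3/v3_addr.c
-@@ -130,10 +130,12 @@ static int length_from_afi(const unsigned afi)
-*/
-unsigned int v3_addr_get_afi(const IPAddressFamily *f)
-{
-- return ((f != NULL &&
-- f->addressFamily != NULL && f->addressFamily->data != NULL)
-- ? ((f->addressFamily->data[0] << 8) | (f->addressFamily->data[1]))
-- : 0);
-+ if (f == NULL
-+ || f->addressFamily == NULL
-+ || f->addressFamily->data == NULL
-+ || f->addressFamily->length < 2)
-+ return 0;
-+ return (f->addressFamily->data[0] << 8) | f->addressFamily->data[1];
-}
-
-/*
---
-1.9.1
-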
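--- a/recipes-connectivity/openssl/openssl/CVE-2017-3737.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 898fb884b706aaeb283de4812340bb0bde8476dc Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Wed, 29 Nov 2017 14:04:01 +0000
-Subject: [PATCH] Don't allow read/write after fatal error
-
-OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state"
-mechanism. The intent was that if a fatal error occurred during a handshake
-then OpenSSL would move into the error state and would immediately fail if
-you attempted to continue the handshake. This works as designed for the
-explicit handshake functions (SSL_do_handshake(), SSL_accept() and
-SSL_connect()), however due to a bug it does not work correctly if
-SSL_read() or SSL_write() is called directly. In that scenario, if the
-handshake fails then a fatal error will be returned in the initial function
-call. If SSL_read()/SSL_write() is subsequently called by the application
-for the same SSL object then it will succeed and the data is passed without
-being decrypted/encrypted directly from the SSL/TLS record layer.
-
-In order to exploit this issue an attacker would have to trick an
-application into behaving incorrectly by issuing an SSL_read()/SSL_write()
-after having already received a fatal error.
-
-Thanks to David Benjamin (Google) for reporting this issue and suggesting
-this fix.
-
-CVE: CVE-2017-3737
-Upstream-Status: Backport
-
-Reviewed-by: Rich Salz <rsalz@openssl.org>
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
----
-ssl/ssl.h | 2 +-
-1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ssl/ssl.h b/ssl/ssl.h
-index 90aeb0c..3cf96a2 100644
---- a/ssl/ssl.h
-+++ b/ssl/ssl.h
-@@ -1727,7 +1727,7 @@ extern "C" {
-# define SSL_ST_BEFORE 0x4000
-# define SSL_ST_OK 0x03
-# define SSL_ST_RENEGOTIATE (0x04|SSL_ST_INIT)
--# define SSL_ST_ERR 0x05
-+# define SSL_ST_ERR (0x05|SSL_ST_INIT)
-
-# define SSL_CB_LOOP 0x01
-# define SSL_CB_EXIT 0x02
---
-1.9.1
-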
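--- a/recipes-connectivity/openssl/openssl_%.bbappend
+++ /dev/null
@@ -1,5 +0,0 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
-
-SRC_URI += "file://CVE-2017-3735.patch \
-file://CVE-2017-3737.patch \
-"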