openssl: fix CVE-2014-0195

From the OpenSSL Security Advisory [05 Jun 2014] http://www.openssl.org/news/secadv_20140605.txt DTLS invalid fragment vulnerability (CVE-2014-0195) A buffer overrun attack can be triggered by sending invalid DTLS fragments to an OpenSSL DTLS client or server. This is potentially exploitable to run arbitrary code on a vulnerable client or server. Only applications using OpenSSL as a DTLS client or server affected. (Patch borrowed from Fedora.) (From OE-Core rev: aac6d15448e9a471a8d4ce086538b39f0b928518) Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Paul Eggleton <paul.eggleton@linux.intel.com> 2014-06-09 11:21:20 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2014-06-10 17:36:43 +0100
commit: f3df1c7e77b04af41c5f9c0ad5868d67c0644467 (patch)
tree: c1d68c1e3a1d612e8c99c085e7b54568d54a53f8
parent: 32ed21cc099f3afb498cb0dcb7552348869564ea (diff)
download: poky-f3df1c7e77b04af41c5f9c0ad5868d67c0644467.tar.gz
2 files changed, 41 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-1.0.1e-cve-2014-0195.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-1.0.1e-cve-2014-0195.patch
new file mode 100644
index 0000000000..0c43919427
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-1.0.1e-cve-2014-0195.patch
@@ -0,0 +1,40 @@
+commit 208d54db20d58c9a5e45e856a0650caadd7d9612
+Author: Dr. Stephen Henson <steve@openssl.org>
+Date:   Tue May 13 18:48:31 2014 +0100
+    Fix for CVE-2014-0195
+    
+    A buffer overrun attack can be triggered by sending invalid DTLS fragments
+    to an OpenSSL DTLS client or server. This is potentially exploitable to
+    run arbitrary code on a vulnerable client or server.
+    
+    Fixed by adding consistency check for DTLS fragments.
+    
+    Thanks to Jüri Aedla for reporting this issue.
+Patch borrowed from Fedora
+Upstream-Status: Backport
+Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
+diff --git a/ssl/d1_both.c b/ssl/d1_both.c
+index 2e8cf68..07f67f8 100644
+--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
+@@ -627,7 +627,16 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
+                frag->msg_header.frag_off = 0;
+                }
+        else
+               {
+                frag = (hm_fragment*) item->data;
+               if (frag->msg_header.msg_len != msg_hdr->msg_len)
+                       {
+                       item = NULL;
+                       frag = NULL;
+                       goto err;
+                       }
+               }
+
+ 
+        /* If message is already reassembled, this must be a
+         * retransmit and can be dropped.
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb b/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb
index bc1b944839..7b1dad1f22 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb
@@ -37,6 +37,7 @@ SRC_URI += "file://configure-targets.patch \
            file://0001-Use-version-in-SSL_METHOD-not-SSL-structure.patch \
            file://CVE-2014-0160.patch \
            file://openssl-CVE-2014-0198-fix.patch \
+            file://openssl-1.0.1e-cve-2014-0195.patch \
           "
 SRC_URI[md5sum] = "66bf6f10f060d561929de96f9dfe5b8c"
author	Paul Eggleton <paul.eggleton@linux.intel.com>	2014-06-09 11:21:20 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2014-06-10 17:36:43 +0100
commit	f3df1c7e77b04af41c5f9c0ad5868d67c0644467 (patch)
tree	c1d68c1e3a1d612e8c99c085e7b54568d54a53f8
parent	32ed21cc099f3afb498cb0dcb7552348869564ea (diff)
download	poky-f3df1c7e77b04af41c5f9c0ad5868d67c0644467.tar.gz

diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-1.0.1e-cve-2014-0195.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-1.0.1e-cve-2014-0195.patch new file mode 100644 index 0000000000..0c43919427 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-1.0.1e-cve-2014-0195.patch
@@ -0,0 +1,40 @@
		1	commit 208d54db20d58c9a5e45e856a0650caadd7d9612
		2	Author: Dr. Stephen Henson <steve@openssl.org>
		3	Date: Tue May 13 18:48:31 2014 +0100
		4
		5	Fix for CVE-2014-0195
		6
		7	A buffer overrun attack can be triggered by sending invalid DTLS fragments
		8	to an OpenSSL DTLS client or server. This is potentially exploitable to
		9	run arbitrary code on a vulnerable client or server.
		10
		11	Fixed by adding consistency check for DTLS fragments.
		12
		13	Thanks to Jüri Aedla for reporting this issue.
		14
		15	Patch borrowed from Fedora
		16	Upstream-Status: Backport
		17	Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
		18
		19	diff --git a/ssl/d1_both.c b/ssl/d1_both.c
		20	index 2e8cf68..07f67f8 100644
		21	--- a/ssl/d1_both.c
		22	+++ b/ssl/d1_both.c
		23	@@ -627,7 +627,16 @@ dtls1_reassemble_fragment(SSL s, struct hm_header_st msg_hdr, int *ok)
		24	frag->msg_header.frag_off = 0;
		25	}
		26	else
		27	+ {
		28	frag = (hm_fragment*) item->data;
		29	+ if (frag->msg_header.msg_len != msg_hdr->msg_len)
		30	+ {
		31	+ item = NULL;
		32	+ frag = NULL;
		33	+ goto err;
		34	+ }
		35	+ }
		36	+
		37
		38	/* If message is already reassembled, this must be a
		39	* retransmit and can be dropped.
		40


diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb b/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb index bc1b944839..7b1dad1f22 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb
@@ -37,6 +37,7 @@ SRC_URI += "file://configure-targets.patch \
37	file://0001-Use-version-in-SSL_METHOD-not-SSL-structure.patch \	37	file://0001-Use-version-in-SSL_METHOD-not-SSL-structure.patch \
38	file://CVE-2014-0160.patch \	38	file://CVE-2014-0160.patch \
39	file://openssl-CVE-2014-0198-fix.patch \	39	file://openssl-CVE-2014-0198-fix.patch \
		40	file://openssl-1.0.1e-cve-2014-0195.patch \
40	"	41	"
41		42
42	SRC_URI[md5sum] = "66bf6f10f060d561929de96f9dfe5b8c"	43	SRC_URI[md5sum] = "66bf6f10f060d561929de96f9dfe5b8c"