openssl: fix CVE-2014-0195

http://www.openssl.org/news/secadv_20140605.txt DTLS invalid fragment vulnerability (CVE-2014-0195) A buffer overrun attack can be triggered by sending invalid DTLS fragments to an OpenSSL DTLS client or server. This is potentially exploitable to run arbitrary code on a vulnerable client or server. Only applications using OpenSSL as a DTLS client or server affected. (Patch borrowed from Fedora.) (From OE-Core rev: c707b3ea9e1fbff2c6a82670e4b1af2b4f53d5e2) Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Paul Eggleton <paul.eggleton@linux.intel.com> 2014-06-09 16:53:43 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2014-06-10 17:12:23 +0100
commit: c5d81c3386b945293580ed87fcecc0c80851ef0e (patch)
tree: e7af70521a8c03d0d9c2325defb6e2045aaad752 /meta
parent: ad2c79b0fd8c9cf5d68c158ebe83e5a0b09656c7 (diff)
download: poky-c5d81c3386b945293580ed87fcecc0c80851ef0e.tar.gz
2 files changed, 41 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-1.0.1e-cve-2014-0195.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-1.0.1e-cve-2014-0195.patch
new file mode 100644
index 0000000000..0c43919427
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-1.0.1e-cve-2014-0195.patch
@@ -0,0 +1,40 @@
+commit 208d54db20d58c9a5e45e856a0650caadd7d9612
+Author: Dr. Stephen Henson <steve@openssl.org>
+Date:   Tue May 13 18:48:31 2014 +0100
+    Fix for CVE-2014-0195
+    
+    A buffer overrun attack can be triggered by sending invalid DTLS fragments
+    to an OpenSSL DTLS client or server. This is potentially exploitable to
+    run arbitrary code on a vulnerable client or server.
+    
+    Fixed by adding consistency check for DTLS fragments.
+    
+    Thanks to Jüri Aedla for reporting this issue.
+Patch borrowed from Fedora
+Upstream-Status: Backport
+Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
+diff --git a/ssl/d1_both.c b/ssl/d1_both.c
+index 2e8cf68..07f67f8 100644
+--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
+@@ -627,7 +627,16 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
+                frag->msg_header.frag_off = 0;
+                }
+        else
+               {
+                frag = (hm_fragment*) item->data;
+               if (frag->msg_header.msg_len != msg_hdr->msg_len)
+                       {
+                       item = NULL;
+                       frag = NULL;
+                       goto err;
+                       }
+               }
+
+ 
+        /* If message is already reassembled, this must be a
+         * retransmit and can be dropped.
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb b/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb
index 842a903332..7783206a4b 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb
@@ -39,6 +39,7 @@ SRC_URI += "file://configure-targets.patch \
            file://0001-Use-version-in-SSL_METHOD-not-SSL-structure.patch \
            file://CVE-2014-0160.patch \
            file://openssl-CVE-2014-0198-fix.patch \
+            file://openssl-1.0.1e-cve-2014-0195.patch \
           "
 SRC_URI[md5sum] = "66bf6f10f060d561929de96f9dfe5b8c"
author	Paul Eggleton <paul.eggleton@linux.intel.com>	2014-06-09 16:53:43 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2014-06-10 17:12:23 +0100
commit	c5d81c3386b945293580ed87fcecc0c80851ef0e (patch)
tree	e7af70521a8c03d0d9c2325defb6e2045aaad752 /meta
parent	ad2c79b0fd8c9cf5d68c158ebe83e5a0b09656c7 (diff)
download	poky-c5d81c3386b945293580ed87fcecc0c80851ef0e.tar.gz

diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-1.0.1e-cve-2014-0195.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-1.0.1e-cve-2014-0195.patch new file mode 100644 index 0000000000..0c43919427 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-1.0.1e-cve-2014-0195.patch
@@ -0,0 +1,40 @@
		1	commit 208d54db20d58c9a5e45e856a0650caadd7d9612
		2	Author: Dr. Stephen Henson <steve@openssl.org>
		3	Date: Tue May 13 18:48:31 2014 +0100
		4
		5	Fix for CVE-2014-0195
		6
		7	A buffer overrun attack can be triggered by sending invalid DTLS fragments
		8	to an OpenSSL DTLS client or server. This is potentially exploitable to
		9	run arbitrary code on a vulnerable client or server.
		10
		11	Fixed by adding consistency check for DTLS fragments.
		12
		13	Thanks to Jüri Aedla for reporting this issue.
		14
		15	Patch borrowed from Fedora
		16	Upstream-Status: Backport
		17	Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
		18
		19	diff --git a/ssl/d1_both.c b/ssl/d1_both.c
		20	index 2e8cf68..07f67f8 100644
		21	--- a/ssl/d1_both.c
		22	+++ b/ssl/d1_both.c
		23	@@ -627,7 +627,16 @@ dtls1_reassemble_fragment(SSL s, struct hm_header_st msg_hdr, int *ok)
		24	frag->msg_header.frag_off = 0;
		25	}
		26	else
		27	+ {
		28	frag = (hm_fragment*) item->data;
		29	+ if (frag->msg_header.msg_len != msg_hdr->msg_len)
		30	+ {
		31	+ item = NULL;
		32	+ frag = NULL;
		33	+ goto err;
		34	+ }
		35	+ }
		36	+
		37
		38	/* If message is already reassembled, this must be a
		39	* retransmit and can be dropped.
		40


diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb b/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb index 842a903332..7783206a4b 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb
@@ -39,6 +39,7 @@ SRC_URI += "file://configure-targets.patch \
39	file://0001-Use-version-in-SSL_METHOD-not-SSL-structure.patch \	39	file://0001-Use-version-in-SSL_METHOD-not-SSL-structure.patch \
40	file://CVE-2014-0160.patch \	40	file://CVE-2014-0160.patch \
41	file://openssl-CVE-2014-0198-fix.patch \	41	file://openssl-CVE-2014-0198-fix.patch \
		42	file://openssl-1.0.1e-cve-2014-0195.patch \
42	"	43	"
43		44
44	SRC_URI[md5sum] = "66bf6f10f060d561929de96f9dfe5b8c"	45	SRC_URI[md5sum] = "66bf6f10f060d561929de96f9dfe5b8c"