openssl: fix CVE-2014-0195

From the OpenSSL Security Advisory [05 Jun 2014] http://www.openssl.org/news/secadv_20140605.txt DTLS invalid fragment vulnerability (CVE-2014-0195) A buffer overrun attack can be triggered by sending invalid DTLS fragments to an OpenSSL DTLS client or server. This is potentially exploitable to run arbitrary code on a vulnerable client or server. Only applications using OpenSSL as a DTLS client or server affected. (Patch borrowed from Fedora.) (From OE-Core rev: 5bcb997663a6bd7a4d7395dcdb5e027d7f2bab81) Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Paul Eggleton <paul.eggleton@linux.intel.com> 2014-06-09 16:51:16 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2014-06-10 17:12:20 +0100
commit: 6101dd2b4c9cdd7b3805e3c9d899e934263561ed (patch)
tree: 037eb3e914568ccbc43ef2c5f3543032da484f55 /meta
parent: ebf62ba85d6ecd44e8b602bb514b7eed20169501 (diff)
download: poky-6101dd2b4c9cdd7b3805e3c9d899e934263561ed.tar.gz
2 files changed, 41 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-0195.patch b/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-0195.patch
new file mode 100644
index 0000000000..0c43919427
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-0195.patch
@@ -0,0 +1,40 @@
+commit 208d54db20d58c9a5e45e856a0650caadd7d9612
+Author: Dr. Stephen Henson <steve@openssl.org>
+Date:   Tue May 13 18:48:31 2014 +0100
+    Fix for CVE-2014-0195
+    
+    A buffer overrun attack can be triggered by sending invalid DTLS fragments
+    to an OpenSSL DTLS client or server. This is potentially exploitable to
+    run arbitrary code on a vulnerable client or server.
+    
+    Fixed by adding consistency check for DTLS fragments.
+    
+    Thanks to Jüri Aedla for reporting this issue.
+Patch borrowed from Fedora
+Upstream-Status: Backport
+Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
+diff --git a/ssl/d1_both.c b/ssl/d1_both.c
+index 2e8cf68..07f67f8 100644
+--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
+@@ -627,7 +627,16 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
+                frag->msg_header.frag_off = 0;
+                }
+        else
+               {
+                frag = (hm_fragment*) item->data;
+               if (frag->msg_header.msg_len != msg_hdr->msg_len)
+                       {
+                       item = NULL;
+                       frag = NULL;
+                       goto err;
+                       }
+               }
+
+ 
+        /* If message is already reassembled, this must be a
+         * retransmit and can be dropped.
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.1g.bb b/meta/recipes-connectivity/openssl/openssl_1.0.1g.bb
index 579cf0376e..d4fc91d851 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.0.1g.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.0.1g.bb
@@ -35,6 +35,7 @@ SRC_URI += "file://configure-targets.patch \
            file://find.pl \
            file://openssl-fix-des.pod-error.patch \
            file://openssl-CVE-2014-0198-fix.patch \
+            file://openssl-1.0.1e-cve-2014-0195.patch \
            file://openssl-CVE-2010-5298.patch \
           "
author	Paul Eggleton <paul.eggleton@linux.intel.com>	2014-06-09 16:51:16 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2014-06-10 17:12:20 +0100
commit	6101dd2b4c9cdd7b3805e3c9d899e934263561ed (patch)
tree	037eb3e914568ccbc43ef2c5f3543032da484f55 /meta
parent	ebf62ba85d6ecd44e8b602bb514b7eed20169501 (diff)
download	poky-6101dd2b4c9cdd7b3805e3c9d899e934263561ed.tar.gz

diff --git a/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-0195.patch b/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-0195.patch new file mode 100644 index 0000000000..0c43919427 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-0195.patch
@@ -0,0 +1,40 @@
		1	commit 208d54db20d58c9a5e45e856a0650caadd7d9612
		2	Author: Dr. Stephen Henson <steve@openssl.org>
		3	Date: Tue May 13 18:48:31 2014 +0100
		4
		5	Fix for CVE-2014-0195
		6
		7	A buffer overrun attack can be triggered by sending invalid DTLS fragments
		8	to an OpenSSL DTLS client or server. This is potentially exploitable to
		9	run arbitrary code on a vulnerable client or server.
		10
		11	Fixed by adding consistency check for DTLS fragments.
		12
		13	Thanks to Jüri Aedla for reporting this issue.
		14
		15	Patch borrowed from Fedora
		16	Upstream-Status: Backport
		17	Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
		18
		19	diff --git a/ssl/d1_both.c b/ssl/d1_both.c
		20	index 2e8cf68..07f67f8 100644
		21	--- a/ssl/d1_both.c
		22	+++ b/ssl/d1_both.c
		23	@@ -627,7 +627,16 @@ dtls1_reassemble_fragment(SSL s, struct hm_header_st msg_hdr, int *ok)
		24	frag->msg_header.frag_off = 0;
		25	}
		26	else
		27	+ {
		28	frag = (hm_fragment*) item->data;
		29	+ if (frag->msg_header.msg_len != msg_hdr->msg_len)
		30	+ {
		31	+ item = NULL;
		32	+ frag = NULL;
		33	+ goto err;
		34	+ }
		35	+ }
		36	+
		37
		38	/* If message is already reassembled, this must be a
		39	* retransmit and can be dropped.
		40


diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.1g.bb b/meta/recipes-connectivity/openssl/openssl_1.0.1g.bb index 579cf0376e..d4fc91d851 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.0.1g.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.0.1g.bb
@@ -35,6 +35,7 @@ SRC_URI += "file://configure-targets.patch \
35	file://find.pl \	35	file://find.pl \
36	file://openssl-fix-des.pod-error.patch \	36	file://openssl-fix-des.pod-error.patch \
37	file://openssl-CVE-2014-0198-fix.patch \	37	file://openssl-CVE-2014-0198-fix.patch \
		38	file://openssl-1.0.1e-cve-2014-0195.patch \
38	file://openssl-CVE-2010-5298.patch \	39	file://openssl-CVE-2010-5298.patch \
39	"	40	"
40		41