2 files changed, 41 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-0195.patch b/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-0195.patch
new file mode 100644
index 0000000000..0c43919427
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-0195.patch
@@ -0,0 +1,40 @@
+commit 208d54db20d58c9a5e45e856a0650caadd7d9612
+Author: Dr. Stephen Henson <steve@openssl.org>
+Date:   Tue May 13 18:48:31 2014 +0100
+    Fix for CVE-2014-0195
+    
+    A buffer overrun attack can be triggered by sending invalid DTLS fragments
+    to an OpenSSL DTLS client or server. This is potentially exploitable to
+    run arbitrary code on a vulnerable client or server.
+    
+    Fixed by adding consistency check for DTLS fragments.
+    
+    Thanks to Jüri Aedla for reporting this issue.
+Patch borrowed from Fedora
+Upstream-Status: Backport
+Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
+diff --git a/ssl/d1_both.c b/ssl/d1_both.c
+index 2e8cf68..07f67f8 100644
+--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
+@@ -627,7 +627,16 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
+                frag->msg_header.frag_off = 0;
+                }
+        else
+               {
+                frag = (hm_fragment*) item->data;
+               if (frag->msg_header.msg_len != msg_hdr->msg_len)
+                       {
+                       item = NULL;
+                       frag = NULL;
+                       goto err;
+                       }
+               }
+
+ 
+        /* If message is already reassembled, this must be a
+         * retransmit and can be dropped.
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.1g.bb b/meta/recipes-connectivity/openssl/openssl_1.0.1g.bb
index 579cf0376e..d4fc91d851 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.0.1g.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.0.1g.bb
@@ -35,6 +35,7 @@ SRC_URI += "file://configure-targets.patch \
            file://find.pl \
            file://openssl-fix-des.pod-error.patch \
            file://openssl-CVE-2014-0198-fix.patch \
+            file://openssl-1.0.1e-cve-2014-0195.patch \
            file://openssl-CVE-2010-5298.patch \
           "

diff --git a/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-0195.patch b/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-0195.patch new file mode 100644 index 0000000000..0c43919427 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/openssl-1.0.1e-cve-2014-0195.patch
@@ -0,0 +1,40 @@
		1	commit 208d54db20d58c9a5e45e856a0650caadd7d9612
		2	Author: Dr. Stephen Henson <steve@openssl.org>
		3	Date: Tue May 13 18:48:31 2014 +0100
		4
		5	Fix for CVE-2014-0195
		6
		7	A buffer overrun attack can be triggered by sending invalid DTLS fragments
		8	to an OpenSSL DTLS client or server. This is potentially exploitable to
		9	run arbitrary code on a vulnerable client or server.
		10
		11	Fixed by adding consistency check for DTLS fragments.
		12
		13	Thanks to Jüri Aedla for reporting this issue.
		14
		15	Patch borrowed from Fedora
		16	Upstream-Status: Backport
		17	Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
		18
		19	diff --git a/ssl/d1_both.c b/ssl/d1_both.c
		20	index 2e8cf68..07f67f8 100644
		21	--- a/ssl/d1_both.c
		22	+++ b/ssl/d1_both.c
		23	@@ -627,7 +627,16 @@ dtls1_reassemble_fragment(SSL s, struct hm_header_st msg_hdr, int *ok)
		24	frag->msg_header.frag_off = 0;
		25	}
		26	else
		27	+ {
		28	frag = (hm_fragment*) item->data;
		29	+ if (frag->msg_header.msg_len != msg_hdr->msg_len)
		30	+ {
		31	+ item = NULL;
		32	+ frag = NULL;
		33	+ goto err;
		34	+ }
		35	+ }
		36	+
		37
		38	/* If message is already reassembled, this must be a
		39	* retransmit and can be dropped.
		40


diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.1g.bb b/meta/recipes-connectivity/openssl/openssl_1.0.1g.bb index 579cf0376e..d4fc91d851 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.0.1g.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.0.1g.bb
@@ -35,6 +35,7 @@ SRC_URI += "file://configure-targets.patch \
35	file://find.pl \	35	file://find.pl \
36	file://openssl-fix-des.pod-error.patch \	36	file://openssl-fix-des.pod-error.patch \
37	file://openssl-CVE-2014-0198-fix.patch \	37	file://openssl-CVE-2014-0198-fix.patch \
		38	file://openssl-1.0.1e-cve-2014-0195.patch \
38	file://openssl-CVE-2010-5298.patch \	39	file://openssl-CVE-2010-5298.patch \
39	"	40	"
40		41