From 62c80056830ccdf576f2b1ecb753ce576968fc67 Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Mar 23 2012 22:26:30 +0000
Subject: new upstream release fixing CVE-2012-0884 - Bleichenbacher attack against PKCS#7 and CMS (#802725) and CVE-2012-1165 mime_param_cmp NULL dereference (#802489)
Conflicts: openssl.spec
---
diff --git a/.gitignore b/.gitignore
index d0e8a97..12d27b8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,3 +5,4 @@ openssl-1.0.0a-usa.tar.bz2
 /openssl-1.0.0e-usa.tar.bz2
 /openssl-1.0.0f-usa.tar.bz2
 /openssl-1.0.0g-usa.tar.xz
+/openssl-1.0.0h-usa.tar.xz
diff --git a/openssl-0.9.8j-bad-mime.patch b/openssl-0.9.8j-bad-mime.patch
deleted file mode 100644
index a990911..0000000
--- a/openssl-0.9.8j-bad-mime.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-diff -up openssl-0.9.8j/crypto/asn1/asn_mime.c.bad-mime openssl-0.9.8j/crypto/asn1/asn_mime.c
---- openssl-0.9.8j/crypto/asn1/asn_mime.c.bad-mime 2008-08-05 17:56:11.000000000 +0200
-+++ openssl-0.9.8j/crypto/asn1/asn_mime.c 2009-01-14 22:08:34.000000000 +0100
-@@ -792,6 +792,10 @@ static int mime_hdr_addparam(MIME_HEADER
- static int mime_hdr_cmp(const MIME_HEADER * const *a,
- const MIME_HEADER * const *b)
- {
-+ if ((*a)->name == NULL || (*b)->name == NULL)
-+ return (*a)->name - (*b)->name < 0 ? -1 :
-+ (*a)->name - (*b)->name > 0 ? 1 : 0;
-+
- return(strcmp((*a)->name, (*b)->name));
- }
-
diff --git a/openssl-1.0.0a-load-certs.patch b/openssl-1.0.0a-load-certs.patch
deleted file mode 100644
index 4c03a44..0000000
--- a/openssl-1.0.0a-load-certs.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-diff -up openssl-1.0.0a/apps/apps.c.load-certs openssl-1.0.0a/apps/apps.c
---- openssl-1.0.0a/apps/apps.c.load-certs 2010-05-27 16:09:13.000000000 +0200
-+++ openssl-1.0.0a/apps/apps.c 2011-04-28 21:24:06.000000000 +0200
-@@ -1208,7 +1208,8 @@ STACK_OF(X509) *load_certs(BIO *err, con
- const char *pass, ENGINE *e, const char *desc)
- {
- STACK_OF(X509) *certs;
-- load_certs_crls(err, file, format, pass, e, desc, &certs, NULL);
-+ if (!load_certs_crls(err, file, format, pass, e, desc, &certs, NULL))
-+ return NULL;
- return certs;
- }
-
-@@ -1216,7 +1217,8 @@ STACK_OF(X509_CRL) *load_crls(BIO *err,
- const char *pass, ENGINE *e, const char *desc)
- {
- STACK_OF(X509_CRL) *crls;
-- load_certs_crls(err, file, format, pass, e, desc, NULL, &crls);
-+ if (!load_certs_crls(err, file, format, pass, e, desc, NULL, &crls))
-+ return NULL;
- return crls;
- }
-
diff --git a/openssl-1.0.0e-pkgconfig-private.patch b/openssl-1.0.0e-pkgconfig-private.patch
deleted file mode 100644
index a1f8878..0000000
--- a/openssl-1.0.0e-pkgconfig-private.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-diff -up openssl-1.0.0e/Makefile.org.private openssl-1.0.0e/Makefile.org
---- openssl-1.0.0e/Makefile.org.private 2011-11-03 10:01:53.000000000 +0100
-+++ openssl-1.0.0e/Makefile.org 2011-11-22 11:50:27.000000000 +0100
-@@ -326,7 +326,8 @@ libcrypto.pc: Makefile
- echo 'Description: OpenSSL cryptography library'; \
- echo 'Version: '$(VERSION); \
- echo 'Requires: '; \
-- echo 'Libs: -L$${libdir} -lcrypto $(EX_LIBS)'; \
-+ echo 'Libs: -L$${libdir} -lcrypto'; \
-+ echo 'Libs.private: $(EX_LIBS)'; \
- echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libcrypto.pc
-
- libssl.pc: Makefile
-@@ -339,7 +340,8 @@ libssl.pc: Makefile
- echo 'Description: Secure Sockets Layer and cryptography libraries'; \
- echo 'Version: '$(VERSION); \
- echo 'Requires: '; \
-- echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)'; \
-+ echo 'Libs: -L$${libdir} -lssl -lcrypto'; \
-+ echo 'Libs.private: $(EX_LIBS)'; \
- echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libssl.pc
-
- openssl.pc: Makefile
-@@ -352,7 +354,8 @@ openssl.pc: Makefile
- echo 'Description: Secure Sockets Layer and cryptography libraries and tools'; \
- echo 'Version: '$(VERSION); \
- echo 'Requires: '; \
-- echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)'; \
-+ echo 'Libs: -L$${libdir} -lssl -lcrypto'; \
-+ echo 'Libs.private: $(EX_LIBS)'; \
- echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc
-
- Makefile: Makefile.org Configure config
diff --git a/openssl-1.0.0g-version.patch b/openssl-1.0.0g-version.patch
deleted file mode 100644
index 55aa0c0..0000000
--- a/openssl-1.0.0g-version.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-diff -up openssl-1.0.0g/crypto/opensslv.h.version openssl-1.0.0g/crypto/opensslv.h
---- openssl-1.0.0g/crypto/opensslv.h.version 2012-01-19 14:50:50.094028047 +0100
-+++ openssl-1.0.0g/crypto/opensslv.h 2012-01-19 14:51:48.655529671 +0100
-@@ -25,7 +25,8 @@
- * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
- * major minor fix final patch/beta)
- */
--#define OPENSSL_VERSION_NUMBER 0x1000007fL
-+/* we have to keep the version number to not break the abi */
-+#define OPENSSL_VERSION_NUMBER 0x10000003
- #ifdef OPENSSL_FIPS
- #define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0g-fips 18 Jan 2012"
- #else
-@@ -83,7 +84,7 @@
- * should only keep the versions that are binary compatible with the current.
- */
- #define SHLIB_VERSION_HISTORY ""
--#define SHLIB_VERSION_NUMBER "1.0.0"
-+#define SHLIB_VERSION_NUMBER "1.0.0g"
-
-
- #endif /* HEADER_OPENSSLV_H */
diff --git a/openssl-1.0.0h-version.patch b/openssl-1.0.0h-version.patch
new file mode 100644
index 0000000..6dbfb1d
--- /dev/null
+++ b/openssl-1.0.0h-version.patch
@@ -0,0 +1,21 @@
+diff -up openssl-1.0.0h/crypto/opensslv.h.version openssl-1.0.0h/crypto/opensslv.h
+--- openssl-1.0.0h/crypto/opensslv.h.version 2012-03-23 18:28:55.204891622 +0100
++++ openssl-1.0.0h/crypto/opensslv.h 2012-03-23 18:29:24.233500886 +0100
+@@ -25,7 +25,7 @@
+ * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
+ * major minor fix final patch/beta)
+ */
+-#define OPENSSL_VERSION_NUMBER 0x1000008fL
++#define OPENSSL_VERSION_NUMBER 0x10000003
+ #ifdef OPENSSL_FIPS
+ #define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0h-fips 12 Mar 2012"
+ #else
+@@ -83,7 +83,7 @@
+ * should only keep the versions that are binary compatible with the current.
+ */
+ #define SHLIB_VERSION_HISTORY ""
+-#define SHLIB_VERSION_NUMBER "1.0.0"
++#define SHLIB_VERSION_NUMBER "1.0.0g"
+
+
+ #endif /* HEADER_OPENSSLV_H */
diff --git a/openssl.spec b/openssl.spec
index 95ee2b8..ef88166 100644
--- a/openssl.spec
+++ b/openssl.spec
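Review bot: The rebased openssl-1.0.0h-version.patch drops the `/* we have to keep the version number to not break the abi */` comment that the deleted 1.0.0g patch carried above the pinned `#define OPENSSL_VERSION_NUMBER 0x10000003`, so its first hunk `@@ -25,7 +25,7 @@` no longer says why the header is forced to report an older number than the `0x1000008fL` it replaces. Without that line the next rebase is likely to read the pin as a leftover and bump it, which is exactly the ABI-facing change the comment warned against. Restore it as an added line directly above the define, which turns the hunk header back into `@@ -25,7 +25,8 @@` as in the 1.0.0g version. The second hunk keeps `SHLIB_VERSION_NUMBER "1.0.0g"` on a 1.0.0h source; a one-line comment there stating that the soname string is deliberately held at 1.0.0g would spare the same question.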
@@ -20,7 +20,7 @@
 Summary: A general purpose cryptography library with TLS implementation
 Name: openssl
-Version: 1.0.0g
+Version: 1.0.0h
 Release: 1%{?dist}
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -43,9 +43,7 @@ Patch6: openssl-0.9.8b-test-use-localhost.patch
 Patch7: openssl-1.0.0-timezone.patch
 # Bug fixes
 Patch23: openssl-1.0.0-beta4-default-paths.patch
-Patch24: openssl-0.9.8j-bad-mime.patch
 Patch25: openssl-1.0.0a-manfix.patch
-Patch26: openssl-1.0.0a-load-certs.patch
 # Functionality changes
 Patch32: openssl-0.9.8g-ia64.patch
 Patch33: openssl-1.0.0-beta4-ca-dir.patch
@@ -61,7 +59,7 @@ Patch45: openssl-0.9.8j-env-nozlib.patch
 Patch47: openssl-1.0.0-beta5-readme-warning.patch
 Patch49: openssl-1.0.0-beta4-algo-doc.patch
 Patch50: openssl-1.0.0-beta4-dtls1-abi.patch
-Patch51: openssl-1.0.0g-version.patch
+Patch51: openssl-1.0.0h-version.patch
 Patch52: openssl-1.0.0b-aesni.patch
 Patch53: openssl-1.0.0-name-hash.patch
 Patch54: openssl-1.0.0c-speed-fips.patch
@@ -77,7 +75,6 @@ Patch63: openssl-1.0.0d-xmpp-starttls.patch
 Patch64: openssl-1.0.0d-intelopts.patch
 Patch65: openssl-1.0.0e-chil-fixes.patch
 Patch66: openssl-1.0.0-sha2test.patch
-Patch67: openssl-1.0.0e-pkgconfig-private.patch
 # Backported fixes including security fixes
 Patch81: openssl-1.0.0d-padlock64.patch
@@ -143,9 +140,7 @@ from other formats to the formats used by the OpenSSL toolkit.
 %patch7 -p1 -b .timezone
 %patch23 -p1 -b .default-paths
-%patch24 -p1 -b .bad-mime
 %patch25 -p1 -b .manfix
-%patch26 -p1 -b .load-certs
 %patch32 -p1 -b .ia64
 %patch33 -p1 -b .ca-dir
@@ -177,7 +172,6 @@ from other formats to the formats used by the OpenSSL toolkit.
 %patch64 -p1 -b .intelopts
 %patch65 -p1 -b .chil
 %patch66 -p1 -b .sha2test
-%patch67 -p1 -b .private
 %patch81 -p1 -b .padlock64
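Review bot: The hunk `@@ -43,9 +43,7 @@` drops `Patch24: openssl-0.9.8j-bad-mime.patch` (and `@@ -143,9 +140,7 @@` its `%patch24` application), but the deleted patch guarded `mime_hdr_cmp` against NULL names, while the subject describes the upstream CVE-2012-1165 fix as a `mime_param_cmp` NULL dereference; nothing in the commit records that the 1.0.0h release also covers the header comparator. If upstream fixes both comparators the removal is right, but that should be confirmed against the upstream change before the local guard goes, and the spec should say so, e.g. a comment on the Patch23 line such as `# bad-mime (Patch24) merged upstream in 1.0.0h (CVE-2012-1165)`. `Patch26` (load-certs NULL return) and `Patch67` (pkgconfig Libs.private) are removed in the `@@ -43,9` and `@@ -77,7 +75,6 @@` hunks with the same silence; a one-line note per dropped patch stating it is merged upstream keeps the rebase reviewable. The same applies to the matching `%patch26` and `%patch67` lines in the two `%prep` hunks.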
@@ -429,6 +423,11 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 %postun -p /sbin/ldconfig
 %changelog
+* Fri Mar 23 2012 Tomas Mraz 1.0.0h-1
+- new upstream release fixing CVE-2012-0884 - Bleichenbacher attack
+ against PKCS#7 and CMS (#802725) and CVE-2012-1165 mime_param_cmp
+ NULL dereference (#802489)
+
 * Thu Jan 19 2012 Tomas Mraz 1.0.0g-1
 - new upstream release fixing CVE-2012-0050 - DoS regression in DTLS support
 introduced by the previous release (#782795)
diff --git a/sources b/sources
index 45e0449..4da4ff2 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-9d7281bdc7ec0845c240eb6c0adc8dc3 openssl-1.0.0g-usa.tar.xz
+909886cae52acc459225ff056f0bec1f openssl-1.0.0h-usa.tar.xz