Hi Guido, thanks for the debdiff. It looks OK, so feel free to upload it. Once that's done, I'll release the DSA.
Cheers, --Seb On Jan/23, Guido Günther wrote: > Hi, > I've forward ported Thorsten's fix fow squeeze to wheezy and added some > autopkgtest (debdiff attached). Please find the debdiff attached. I'd be > happy to upload ths to security master. > Cheers, > -- Guido > diff --git a/debian/changelog b/debian/changelog > index b52643b..b6c42f0 100644 > --- a/debian/changelog > +++ b/debian/changelog > @@ -1,3 +1,10 @@ > +polarssl (1.2.9-1~deb7u6) wheezy-security; urgency=high > + > + * Non-maintainer upload by the LTS Security Team. > + * CVE-2015-5291: Remote attack on clients using session tickets or SNI > + > + -- Guido Günther <a...@sigxcpu.org> Sat, 23 Jan 2016 15:47:29 +0100 > + > polarssl (1.2.9-1~deb7u5) wheezy-security; urgency=high > > * Non-maintainer upload by the Security Team. > diff --git a/debian/patches/CVE-2015-5291-1.patch > b/debian/patches/CVE-2015-5291-1.patch > new file mode 100644 > index 0000000..f1dc35c > --- /dev/null > +++ b/debian/patches/CVE-2015-5291-1.patch > @@ -0,0 +1,27 @@ > +Index: polarssl-1.2.9/include/polarssl/ssl.h > +=================================================================== > +--- polarssl-1.2.9.orig/include/polarssl/ssl.h 2015-10-22 > 15:42:52.000000000 +0200 > ++++ polarssl-1.2.9/include/polarssl/ssl.h 2015-10-22 15:44:14.000000000 > +0200 > +@@ -123,6 +123,8 @@ > + #define SSL_LEGACY_ALLOW_RENEGOTIATION 1 > + #define SSL_LEGACY_BREAK_HANDSHAKE 2 > + > ++#define SSL_MAX_HOST_NAME_LEN 255 /*!< Maximum host name defined > in RFC 1035 */ > ++ > + /* > + * Size of the input / output buffer. > + * Note: the RFC defines the default size of SSL / TLS messages. If you > +Index: polarssl-1.2.9/library/ssl_tls.c > +=================================================================== > +--- polarssl-1.2.9.orig/library/ssl_tls.c 2015-10-22 15:42:52.000000000 > +0200 > ++++ polarssl-1.2.9/library/ssl_tls.c 2015-10-22 15:45:02.000000000 +0200 > +@@ -3260,6 +3260,9 @@ > + if( ssl->hostname_len + 1 == 0 ) > + return( POLARSSL_ERR_SSL_BAD_INPUT_DATA ); > + > ++ if( ssl->hostname_len > SSL_MAX_HOST_NAME_LEN ) > ++ return( POLARSSL_ERR_SSL_BAD_INPUT_DATA ); > ++ > + ssl->hostname = (unsigned char *) malloc( ssl->hostname_len + 1 ); > + > + if( ssl->hostname == NULL ) > diff --git a/debian/patches/series b/debian/patches/series > index 929750e..06dd432 100644 > --- a/debian/patches/series > +++ b/debian/patches/series > @@ -5,3 +5,11 @@ > CVE-2014-4911.patch > CVE-2014-8628.patch > CVE-2015-1182.patch > + > +# fix for CVE-2015-5291 > +# -> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5291 > +CVE-2015-5291-1.patch > +# vulnerable code not present > +#CVE-2015-5291-2.patch > +#CVE-2015-5291-3.patch > +#CVE-2015-5291-4.patch > diff --git a/debian/patches/vulernable-code-not-present/CVE-2015-5291-2.patch > b/debian/patches/vulernable-code-not-present/CVE-2015-5291-2.patch > new file mode 100644 > index 0000000..f4d43ee > --- /dev/null > +++ b/debian/patches/vulernable-code-not-present/CVE-2015-5291-2.patch > @@ -0,0 +1,323 @@ > +diff --git a/library/ssl_cli.c b/library/ssl_cli.c > +index f603cff..deeee33 100644 > +--- a/library/ssl_cli.c > ++++ b/library/ssl_cli.c > +@@ -65,6 +65,7 @@ static void ssl_write_hostname_ext( ssl_context *ssl, > + size_t *olen ) > + { > + unsigned char *p = buf; > ++ const unsigned char *end = ssl->out_msg + SSL_MAX_CONTENT_LEN; > + > + *olen = 0; > + > +@@ -74,6 +75,12 @@ static void ssl_write_hostname_ext( ssl_context *ssl, > + SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s", > + ssl->hostname ) ); > + > ++ if( (size_t)(end - p) < ssl->hostname_len + 9 ) > ++ { > ++ SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); > ++ return; > ++ } > ++ > + /* > + * struct { > + * NameType name_type; > +@@ -117,6 +124,7 @@ static void ssl_write_renegotiation_ext( ssl_context > *ssl, > + size_t *olen ) > + { > + unsigned char *p = buf; > ++ const unsigned char *end = ssl->out_msg + SSL_MAX_CONTENT_LEN; > + > + *olen = 0; > + > +@@ -125,6 +133,12 @@ static void ssl_write_renegotiation_ext( ssl_context > *ssl, > + > + SSL_DEBUG_MSG( 3, ( "client hello, adding renegotiation extension" ) ); > + > ++ if( (size_t)(end - p) < 5 + ssl->verify_data_len ) > ++ { > ++ SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); > ++ return; > ++ } > ++ > + /* > + * Secure renegotiation > + */ > +@@ -151,6 +165,7 @@ static void ssl_write_signature_algorithms_ext( > ssl_context *ssl, > + size_t *olen ) > + { > + unsigned char *p = buf; > ++ const unsigned char *end = ssl->out_msg + SSL_MAX_CONTENT_LEN; > + size_t sig_alg_len = 0; > + #if defined(POLARSSL_RSA_C) || defined(POLARSSL_ECDSA_C) > + unsigned char *sig_alg_list = buf + 6; > +@@ -163,9 +178,54 @@ static void ssl_write_signature_algorithms_ext( > ssl_context *ssl, > + > + SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms > extension" ) ); > + > ++#if defined(POLARSSL_RSA_C) > ++#if defined(POLARSSL_SHA512_C) > ++ /* SHA512 + RSA signature, SHA384 + RSA signature */ > ++ sig_alg_len += 4; > ++#endif > ++#if defined(POLARSSL_SHA256_C) > ++ /* SHA256 + RSA signature, SHA224 + RSA signature */ > ++ sig_alg_len += 4; > ++#endif > ++#if defined(POLARSSL_SHA1_C) > ++ /* SHA1 + RSA signature */ > ++ sig_alg_len += 2; > ++#endif > ++#if defined(POLARSSL_MD5_C) > ++ /* MD5 + RSA signature */ > ++ sig_alg_len += 2; > ++#endif > ++#endif /* POLARSSL_RSA_C */ > ++#if defined(POLARSSL_ECDSA_C) > ++#if defined(POLARSSL_SHA512_C) > ++ /* SHA512 + ECDSA signature, SHA384 + ECDSA signature */ > ++ sig_alg_len += 4; > ++#endif > ++#if defined(POLARSSL_SHA256_C) > ++ /* SHA256 + ECDSA signature, SHA224 + ECDSA signature */ > ++ sig_alg_len += 4; > ++#endif > ++#if defined(POLARSSL_SHA1_C) > ++ /* SHA1 + ECDSA signature */ > ++ sig_alg_len += 2; > ++#endif > ++#if defined(POLARSSL_MD5_C) > ++ /* MD5 + ECDSA signature */ > ++ sig_alg_len += 2; > ++#endif > ++#endif /* POLARSSL_ECDSA_C */ > ++ > ++ if( end < p || (size_t)( end - p ) < sig_alg_len + 6 ) > ++ { > ++ SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); > ++ return; > ++ } > ++ > + /* > + * Prepare signature_algorithms extension (TLS 1.2) > + */ > ++ sig_alg_len = 0; > ++ > + #if defined(POLARSSL_RSA_C) > + #if defined(POLARSSL_SHA512_C) > + sig_alg_list[sig_alg_len++] = SSL_HASH_SHA512; > +@@ -248,6 +308,7 @@ static void ssl_write_supported_elliptic_curves_ext( > ssl_context *ssl, > + size_t *olen ) > + { > + unsigned char *p = buf; > ++ const unsigned char *end = ssl->out_msg + SSL_MAX_CONTENT_LEN; > + unsigned char *elliptic_curve_list = p + 6; > + size_t elliptic_curve_len = 0; > + const ecp_curve_info *info; > +@@ -269,6 +330,25 @@ static void ssl_write_supported_elliptic_curves_ext( > ssl_context *ssl, > + for( info = ecp_curve_list(); info->grp_id != POLARSSL_ECP_DP_NONE; > info++ ) > + { > + #endif > ++ elliptic_curve_len += 2; > ++ } > ++ > ++ if( end < p || (size_t)( end - p ) < 6 + elliptic_curve_len ) > ++ { > ++ SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); > ++ return; > ++ } > ++ > ++ elliptic_curve_len = 0; > ++ > ++#if defined(POLARSSL_SSL_SET_CURVES) > ++ for( grp_id = ssl->curve_list; *grp_id != POLARSSL_ECP_DP_NONE; > grp_id++ ) > ++ { > ++ info = ecp_curve_info_from_grp_id( *grp_id ); > ++#else > ++ for( info = ecp_curve_list(); info->grp_id != POLARSSL_ECP_DP_NONE; > info++ ) > ++ { > ++#endif > + > + elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8; > + elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF; > +@@ -294,12 +374,18 @@ static void ssl_write_supported_point_formats_ext( > ssl_context *ssl, > + size_t *olen ) > + { > + unsigned char *p = buf; > +- ((void) ssl); > ++ const unsigned char *end = ssl->out_msg + SSL_MAX_CONTENT_LEN; > + > + *olen = 0; > + > + SSL_DEBUG_MSG( 3, ( "client hello, adding supported_point_formats > extension" ) ); > + > ++ if( end < p || (size_t)( end - p ) < 6 ) > ++ { > ++ SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); > ++ return; > ++ } > ++ > + *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF > ); > + *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF > ); > + > +@@ -319,14 +405,21 @@ static void ssl_write_max_fragment_length_ext( > ssl_context *ssl, > + size_t *olen ) > + { > + unsigned char *p = buf; > ++ const unsigned char *end = ssl->out_msg + SSL_MAX_CONTENT_LEN; > + > +- if( ssl->mfl_code == SSL_MAX_FRAG_LEN_NONE ) { > +- *olen = 0; > ++ *olen = 0; > ++ > ++ if( ssl->mfl_code == SSL_MAX_FRAG_LEN_NONE ) > + return; > +- } > + > + SSL_DEBUG_MSG( 3, ( "client hello, adding max_fragment_length > extension" ) ); > + > ++ if( end < p || (size_t)( end - p ) < 5 ) > ++ { > ++ SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); > ++ return; > ++ } > ++ > + *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF ); > + *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF ); > + > +@@ -344,15 +437,21 @@ static void ssl_write_truncated_hmac_ext( ssl_context > *ssl, > + unsigned char *buf, size_t *olen ) > + { > + unsigned char *p = buf; > ++ const unsigned char *end = ssl->out_msg + SSL_MAX_CONTENT_LEN; > ++ > ++ *olen = 0; > + > + if( ssl->trunc_hmac == SSL_TRUNC_HMAC_DISABLED ) > +- { > +- *olen = 0; > + return; > +- } > + > + SSL_DEBUG_MSG( 3, ( "client hello, adding truncated_hmac extension" ) ); > + > ++ if( end < p || (size_t)( end - p ) < 4 ) > ++ { > ++ SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); > ++ return; > ++ } > ++ > + *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF ); > + *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC ) & 0xFF ); > + > +@@ -368,17 +467,25 @@ static void ssl_write_encrypt_then_mac_ext( > ssl_context *ssl, > + unsigned char *buf, size_t *olen ) > + { > + unsigned char *p = buf; > ++ const unsigned char *end = ssl->out_msg + SSL_MAX_CONTENT_LEN; > ++ > ++ *olen = 0; > + > + if( ssl->encrypt_then_mac == SSL_ETM_DISABLED || > + ssl->max_minor_ver == SSL_MINOR_VERSION_0 ) > + { > +- *olen = 0; > + return; > + } > + > + SSL_DEBUG_MSG( 3, ( "client hello, adding encrypt_then_mac " > + "extension" ) ); > + > ++ if( end < p || (size_t)( end - p ) < 4 ) > ++ { > ++ SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); > ++ return; > ++ } > ++ > + *p++ = (unsigned char)( ( TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF ); > + *p++ = (unsigned char)( ( TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF ); > + > +@@ -394,17 +501,25 @@ static void ssl_write_extended_ms_ext( ssl_context > *ssl, > + unsigned char *buf, size_t *olen ) > + { > + unsigned char *p = buf; > ++ const unsigned char *end = ssl->out_msg + SSL_MAX_CONTENT_LEN; > ++ > ++ *olen = 0; > + > + if( ssl->extended_ms == SSL_EXTENDED_MS_DISABLED || > + ssl->max_minor_ver == SSL_MINOR_VERSION_0 ) > + { > +- *olen = 0; > + return; > + } > + > + SSL_DEBUG_MSG( 3, ( "client hello, adding extended_master_secret " > + "extension" ) ); > + > ++ if( end < p || (size_t)( end - p ) < 4 ) > ++ { > ++ SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); > ++ return; > ++ } > ++ > + *p++ = (unsigned char)( ( TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF > ); > + *p++ = (unsigned char)( ( TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF > ); > + > +@@ -420,16 +535,22 @@ static void ssl_write_session_ticket_ext( ssl_context > *ssl, > + unsigned char *buf, size_t *olen ) > + { > + unsigned char *p = buf; > ++ const unsigned char *end = ssl->out_msg + SSL_MAX_CONTENT_LEN; > + size_t tlen = ssl->session_negotiate->ticket_len; > + > ++ *olen = 0; > ++ > + if( ssl->session_tickets == SSL_SESSION_TICKETS_DISABLED ) > +- { > +- *olen = 0; > + return; > +- } > + > + SSL_DEBUG_MSG( 3, ( "client hello, adding session ticket extension" ) ); > + > ++ if( end < p || (size_t)( end - p ) < 4 + tlen ) > ++ { > ++ SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); > ++ return; > ++ } > ++ > + *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF ); > + *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET ) & 0xFF ); > + > +@@ -457,16 +578,26 @@ static void ssl_write_alpn_ext( ssl_context *ssl, > + unsigned char *buf, size_t *olen ) > + { > + unsigned char *p = buf; > ++ const unsigned char *end = ssl->out_msg + SSL_MAX_CONTENT_LEN; > ++ size_t alpnlen = 0; > + const char **cur; > + > ++ *olen = 0; > ++ > + if( ssl->alpn_list == NULL ) > +- { > +- *olen = 0; > + return; > +- } > + > + SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) ); > + > ++ for( cur = ssl->alpn_list; *cur != NULL; cur++ ) > ++ alpnlen += (unsigned char)( strlen( *cur ) & 0xFF ) + 1; > ++ > ++ if( end < p || (size_t)( end - p ) < 6 + alpnlen ) > ++ { > ++ SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); > ++ return; > ++ } > ++ > + *p++ = (unsigned char)( ( TLS_EXT_ALPN >> 8 ) & 0xFF ); > + *p++ = (unsigned char)( ( TLS_EXT_ALPN ) & 0xFF ); > + > diff --git a/debian/patches/vulernable-code-not-present/CVE-2015-5291-3.patch > b/debian/patches/vulernable-code-not-present/CVE-2015-5291-3.patch > new file mode 100644 > index 0000000..52a0f4a > --- /dev/null > +++ b/debian/patches/vulernable-code-not-present/CVE-2015-5291-3.patch > @@ -0,0 +1,51 @@ > +diff --git a/ChangeLog b/ChangeLog > +index 44f4408..ddba5c0 100644 > +--- a/ChangeLog > ++++ b/ChangeLog > +@@ -1,5 +1,15 @@ > + mbed TLS ChangeLog (Sorted per branch, date) > + > ++= mbed TLS 1.3.14 released 2015-10-xx > ++ > ++Security > ++ * Added fix for CVE-2015-xxxxx to prevent heap corruption due to buffer > ++ overflow of the hostname or session ticket. (Found by Guido Vranken) > ++ > ++Changes > ++ * Added checking of hostname length in ssl_set_hostname() to ensure > domain > ++ names are compliant with RFC 1035. > ++ > + = mbed TLS 1.3.13 reladsed 2015-09-17 > + > + Security > +diff --git a/library/ssl_cli.c b/library/ssl_cli.c > +index deeee33..ef86cd2 100644 > +--- a/library/ssl_cli.c > ++++ b/library/ssl_cli.c > +@@ -75,7 +75,7 @@ static void ssl_write_hostname_ext( ssl_context *ssl, > + SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s", > + ssl->hostname ) ); > + > +- if( (size_t)(end - p) < ssl->hostname_len + 9 ) > ++ if( end < p || (size_t)( end - p ) < ssl->hostname_len + 9 ) > + { > + SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); > + return; > +@@ -877,13 +877,13 @@ static int ssl_write_client_hello( ssl_context *ssl ) > + ext_len += olen; > + #endif > + > +-#if defined(POLARSSL_SSL_SESSION_TICKETS) > +- ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen ); > ++#if defined(POLARSSL_SSL_ALPN) > ++ ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen ); > + ext_len += olen; > + #endif > + > +-#if defined(POLARSSL_SSL_ALPN) > +- ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen ); > ++#if defined(POLARSSL_SSL_SESSION_TICKETS) > ++ ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen ); > + ext_len += olen; > + #endif > + > diff --git a/debian/patches/vulernable-code-not-present/CVE-2015-5291-4.patch > b/debian/patches/vulernable-code-not-present/CVE-2015-5291-4.patch > new file mode 100644 > index 0000000..2019491 > --- /dev/null > +++ b/debian/patches/vulernable-code-not-present/CVE-2015-5291-4.patch > @@ -0,0 +1,13 @@ > +diff --git a/library/ssl_cli.c b/library/ssl_cli.c > +index 39dc02e..ef86cd2 100644 > +--- a/library/ssl_cli.c > ++++ b/library/ssl_cli.c > +@@ -133,7 +133,7 @@ static void ssl_write_renegotiation_ext( ssl_context > *ssl, > + > + SSL_DEBUG_MSG( 3, ( "client hello, adding renegotiation extension" ) ); > + > +- if( end < p || (size_t)(end - p) < 5 + ssl->verify_data_len ) > ++ if( (size_t)(end - p) < 5 + ssl->verify_data_len ) > + { > + SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); > + return; > diff --git a/debian/tests/build-test b/debian/tests/build-test > new file mode 100755 > index 0000000..42b7127 > --- /dev/null > +++ b/debian/tests/build-test > @@ -0,0 +1,10 @@ > +#!/usr/bin/make -f > + > +CFLAGS = -O2 -D_FILE_OFFSET_BITS=64 -Wall > +LDFLAGS += -lpolarssl > + > +a.out: programs/hash/hello.c > + $(CC) $(CFLAGS) $(OFLAGS) $< $(LDFLAGS) > + @echo "Build test of $< succeeded" > + ./a.out > + @rm -f a.out > diff --git a/debian/tests/control b/debian/tests/control > new file mode 100644 > index 0000000..9b777fd > --- /dev/null > +++ b/debian/tests/control > @@ -0,0 +1,5 @@ > +Tests: smoke > +Depends: libpolarssl-runtime > + > +Tests: build-test > +Depends: libpolarssl-dev > diff --git a/debian/tests/smoke b/debian/tests/smoke > new file mode 100755 > index 0000000..03df087 > --- /dev/null > +++ b/debian/tests/smoke > @@ -0,0 +1,17 @@ > +#!/bin/sh > + > +set -e > + > +# Excercise some of the demos > +polarssl_hello > +polarssl_mpi_demo > + > +# Make sure output is identical to coreutil versions > +[ "$(polarssl_sha1sum /etc/passwd)" = "$(sha1sum /etc/passwd)" ] > +[ "$(polarssl_md5sum /etc/passwd)" = "$(md5sum /etc/passwd)" ] > + > +# Run the selftest > +polarssl_selftest > + > +echo 'Smoke test of polarssl succesful' > +exit 0
