Hi Kurt, I have prepared an update of openssl for wheezy based on 1.0.1t-1+deb8u6. I have done some smoke testing on it and it seems fine, but I haven't been able to verify the three fixes as I can't find exploits for them (there is mention of one for CVE-2016-8610 in [1] but I can't find the actual file).
Do you have any suggestion for how to verify / test the update? Do you want to upload this or should I take care of it? Test packages are available at https://people.debian.org/~pochu/lts/openssl/ in case someone can give them a try. Thanks, Emilio [1] http://www.openwall.com/lists/oss-security/2016/10/24/3
diff -Nru openssl-1.0.1t/debian/changelog openssl-1.0.1t/debian/changelog
--- openssl-1.0.1t/debian/changelog 2016-09-25 11:19:14.000000000 +0200
+++ openssl-1.0.1t/debian/changelog 2017-01-31 22:04:44.000000000 +0100
@@ -1,3 +1,13 @@
+openssl (1.0.1t-1+deb7u2) wheezy-security; urgency=medium
+
+ * Non-maintainer upload by the LTS team.
+ * Backport changes from 1.0.1t-1+deb8u6:
+ * Fix CVE-2016-8610
+ * Fix CVE-2017-3731
+ * Fix CVE-2016-7056
+
+ -- Emilio Pozuelo Monfort <po...@debian.org> Tue, 31 Jan 2017 22:04:44 +0100
+
 openssl (1.0.1t-1+deb7u1) wheezy-security; urgency=medium
 * New upstream version, based on the version in jessie.
diff -Nru openssl-1.0.1t/debian/patches/CVE-2016-7056.patch openssl-1.0.1t/debian/patches/CVE-2016-7056.patch
--- openssl-1.0.1t/debian/patches/CVE-2016-7056.patch 1970-01-01 01:00:00.000000000 +0100
+++ openssl-1.0.1t/debian/patches/CVE-2016-7056.patch 2017-01-31 22:03:37.000000000 +0100
@@ -0,0 +1,12 @@
+--- a/crypto/ecdsa/ecs_ossl.c
++++ b/crypto/ecdsa/ecs_ossl.c
+@@ -147,6 +147,8 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
+ if (!BN_add(k, k, order))
+ goto err;
+
++ BN_set_flags(k, BN_FLG_CONSTTIME);
++
+ /* compute r the x-coordinate of generator * k */
+ if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) {
+ ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
+
diff -Nru openssl-1.0.1t/debian/patches/CVE-2016-8610.patch openssl-1.0.1t/debian/patches/CVE-2016-8610.patch
--- openssl-1.0.1t/debian/patches/CVE-2016-8610.patch 1970-01-01 01:00:00.000000000 +0100
+++ openssl-1.0.1t/debian/patches/CVE-2016-8610.patch 2017-01-31 22:03:37.000000000 +0100
@@ -0,0 +1,128 @@
+Subject: CVE-2016-8610
+
+This is a combination of commit 22646a075e75991b4e8f5d67171e45a6aead5b48 and
+f1185392189641014dca94f3fe7834bccb5f4c16
+
+index 7e3a7b480e..cb74d467bb 100644
+Index: openssl-1.0.1t/ssl/s3_pkt.c
+===================================================================
+--- openssl-1.0.1t.orig/ssl/s3_pkt.c
++++ openssl-1.0.1t/ssl/s3_pkt.c
+@@ -1057,6 +1057,13 @@ int ssl3_read_bytes(SSL *s, int type, un
+ return (ret);
+ }
+
++ /*
++ * Reset the count of consecutive warning alerts if we've got a non-empty
++ * record that isn't an alert.
++ */
++ if (rr->type != SSL3_RT_ALERT && rr->length != 0)
++ s->cert->alert_count = 0;
++
+ /* we now have a packet which can be read and processed */
+
+ if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
+@@ -1271,6 +1278,14 @@ int ssl3_read_bytes(SSL *s, int type, un
+
+ if (alert_level == SSL3_AL_WARNING) {
+ s->s3->warn_alert = alert_descr;
++
++ s->cert->alert_count++;
++ if (s->cert->alert_count == MAX_WARN_ALERT_COUNT) {
++ al = SSL_AD_UNEXPECTED_MESSAGE;
++ SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS);
++ goto f_err;
++ }
++
+ if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
+ s->shutdown |= SSL_RECEIVED_SHUTDOWN;
+ return (0);
+@@ -1406,16 +1421,13 @@ int ssl3_read_bytes(SSL *s, int type, un
+
+ switch (rr->type) {
+ default:
+-#ifndef OPENSSL_NO_TLS
+ /*
+- * TLS up to v1.1 just ignores unknown message types: TLS v1.2 give
+- * an unexpected message alert.
++ * TLS 1.0 and 1.1 say you SHOULD ignore unrecognised record types, but
++ * TLS 1.2 says you MUST send an unexpected message alert. We use the
++ * TLS 1.2 behaviour for all protocol versions to prevent issues where
++ * no progress is being made and the peer continually sends unrecognised
++ * record types, using up resources processing them.
+ */
+- if (s->version >= TLS1_VERSION && s->version <= TLS1_1_VERSION) {
+- rr->length = 0;
+- goto start;
+- }
+-#endif
+ al = SSL_AD_UNEXPECTED_MESSAGE;
+ SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_UNEXPECTED_RECORD);
+ goto f_err;
+Index: openssl-1.0.1t/ssl/d1_pkt.c
+===================================================================
+--- openssl-1.0.1t.orig/ssl/d1_pkt.c
++++ openssl-1.0.1t/ssl/d1_pkt.c
+@@ -924,6 +924,13 @@ int dtls1_read_bytes(SSL *s, int type, u
+ goto start;
+ }
+
++ /*
++ * Reset the count of consecutive warning alerts if we've got a non-empty
++ * record that isn't an alert.
++ */
++ if (rr->type != SSL3_RT_ALERT && rr->length != 0)
++ s->cert->alert_count = 0;
++
+ /* we now have a packet which can be read and processed */
+
+ if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
+@@ -1190,6 +1197,14 @@ int dtls1_read_bytes(SSL *s, int type, u
+
+ if (alert_level == SSL3_AL_WARNING) {
+ s->s3->warn_alert = alert_descr;
++
++ s->cert->alert_count++;
++ if (s->cert->alert_count == MAX_WARN_ALERT_COUNT) {
++ al = SSL_AD_UNEXPECTED_MESSAGE;
++ SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS);
++ goto f_err;
++ }
++
+ if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
+ #ifndef OPENSSL_NO_SCTP
+ /*
+Index: openssl-1.0.1t/ssl/ssl.h
+===================================================================
+--- openssl-1.0.1t.orig/ssl/ssl.h
++++ openssl-1.0.1t/ssl/ssl.h
+@@ -2719,6 +2719,7 @@ void ERR_load_SSL_strings(void);
+ # define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST 157
+ # define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233
+ # define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 234
++# define SSL_R_TOO_MANY_WARN_ALERTS 409
+ # define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 235
+ # define SSL_R_UNABLE_TO_DECODE_DH_CERTS 236
+ # define SSL_R_UNABLE_TO_DECODE_ECDH_CERTS 313
+Index: openssl-1.0.1t/ssl/ssl_locl.h
+===================================================================
+--- openssl-1.0.1t.orig/ssl/ssl_locl.h
++++ openssl-1.0.1t/ssl/ssl_locl.h
+@@ -492,6 +492,8 @@
+ #define CERT_PRIVATE_KEY 2
+ */
+
++# define MAX_WARN_ALERT_COUNT 5
++
+ # ifndef OPENSSL_NO_EC
+ /*
+ * From ECC-TLS draft, used in encoding the curve type in ECParameters
+@@ -540,6 +542,8 @@ typedef struct cert_st {
+ # endif
+ CERT_PKEY pkeys[SSL_PKEY_NUM];
+ int references; /* >1 only if SSL_copy_session_id is used */
++ /* Count of the number of consecutive warning alerts received */
++ unsigned int alert_count;
+ } CERT;
+
+ typedef struct sess_cert_st {
diff -Nru openssl-1.0.1t/debian/patches/CVE-2017-3731.patch openssl-1.0.1t/debian/patches/CVE-2017-3731.patch
--- openssl-1.0.1t/debian/patches/CVE-2017-3731.patch 1970-01-01 01:00:00.000000000 +0100
+++ openssl-1.0.1t/debian/patches/CVE-2017-3731.patch 2017-01-31 22:03:37.000000000 +0100
@@ -0,0 +1,40 @@
+From 51d009043670a627d6abe66894126851cf3690e9 Mon Sep 17 00:00:00 2001
+From: Andy Polyakov <ap...@openssl.org>
+Date: Thu, 19 Jan 2017 00:17:30 +0100
+Subject: [PATCH] crypto/evp: harden RC4_MD5 cipher.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Originally a crash in 32-bit build was reported CHACHA20-POLY1305
+cipher. The crash is triggered by truncated packet and is result
+of excessive hashing to the edge of accessible memory (or bogus
+MAC value is produced if x86 MD5 assembly module is involved). Since
+hash operation is read-only it is not considered to be exploitable
+beyond a DoS condition.
+
+Thanks to Robert Święcki for report.
+
+CVE-2017-3731
+
+Reviewed-by: Rich Salz <rs...@openssl.org>
+---
+ crypto/evp/e_rc4_hmac_md5.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/crypto/evp/e_rc4_hmac_md5.c b/crypto/evp/e_rc4_hmac_md5.c
+index 5e92855dfd..93cfe3f107 100644
+--- a/crypto/evp/e_rc4_hmac_md5.c
++++ b/crypto/evp/e_rc4_hmac_md5.c
+@@ -269,6 +269,8 @@ static int rc4_hmac_md5_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
+ len = p[arg - 2] << 8 | p[arg - 1];
+
+ if (!ctx->encrypt) {
++ if (len < MD5_DIGEST_LENGTH)
++ return -1;
+ len -= MD5_DIGEST_LENGTH;
+ p[arg - 2] = len >> 8;
+ p[arg - 1] = len;
+--
+2.11.0
+
diff -Nru openssl-1.0.1t/debian/patches/series openssl-1.0.1t/debian/patches/series
--- openssl-1.0.1t/debian/patches/series 2016-09-25 11:47:03.000000000 +0200
+++ openssl-1.0.1t/debian/patches/series 2017-01-31 22:03:37.000000000 +0100
@@ -31,3 +31,6 @@
 CVE-2016-6303.patch
 CVE-2016-6304.patch
 CVE-2016-6306.patch
+CVE-2016-8610.patch
+CVE-2017-3731.patch
+CVE-2016-7056.patch
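Review bot: The new `BN_set_flags(k, BN_FLG_CONSTTIME);` line in CVE-2016-7056.patch carries no comment and the patch file has no header at all, so a reader of the packaged source cannot tell which side channel it closes or why the flag is set after the `BN_add(k, k, order)` fix-up rather than where k is generated; what the flag visibly does is mark the nonce as secret so that later BIGNUM operations on it inside ecdsa_sign_setup (presumably the modular inverse that produces kinv, which lies outside the hunk) select their constant-time paths. I would add `/* k is secret: flag it so the later inverse takes the constant-time path (CVE-2016-7056) */` above the call, and give the file a DEP-3 header such as `Subject: CVE-2016-7056` and `Origin: backport, <upstream commit id>`, as the other two patches do. ecdsa_sign_setup starts and ends outside the hunk.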
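Review bot: The ssl.h hunk adds the reason code `SSL_R_TOO_MANY_WARN_ALERTS 409` but the patch does not touch ssl/ssl_err.c, so unless that table is updated elsewhere ERR_error_string() will render the new failure as a bare `reason(409)` rather than readable text, which is what an operator grepping server logs for this condition will see. Adding `{ERR_REASON(SSL_R_TOO_MANY_WARN_ALERTS), "too many warn alerts"},` to the SSL_str_reasons[] table in ssl_err.c would close that gap and match the upstream change this backports. A smaller point on the s3_pkt.c and d1_pkt.c hunks: `if (s->cert->alert_count == MAX_WARN_ALERT_COUNT)` is correct only because the counter moves in steps of one between checks and is reset to zero on any non-empty non-alert record; `>=` would be the defensive form and costs nothing. The bodies of ssl3_read_bytes and dtls1_read_bytes both start and end outside their hunks.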
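Review bot: The new `if (len < MD5_DIGEST_LENGTH) return -1;` guard in the decrypt branch of rc4_hmac_md5_ctrl says nothing about what the caller makes of -1; in this tree the result of the EVP_CTRL_AEAD_TLS1_AAD ctrl is presumably consumed as a pad length with a non-positive value meaning failure, so a one-line comment such as `/* record too short to hold the MD5 MAC; a negative result makes the AAD ctrl fail */` would record that contract next to the check. Since the cover mail asks how to verify the three fixes, this one is the easiest to pin with a regression test: drive the ctrl on a decrypt-side context with a 13-byte AAD whose length field is below MD5_DIGEST_LENGTH and assert it returns -1, and with a length at or above it and assert the unpatched behaviour is unchanged. rc4_hmac_md5_ctrl starts and ends outside the hunk.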