Author: simon
Date: Mon Nov 29 20:43:06 2010
New Revision: 216063
URL: http://svn.freebsd.org/changeset/base/216063
Log:
Fix a race condition exists in the OpenSSL TLS server extension code and
a double free in the SSL client ECDH handling code.
Approved by: so (simon)
Security: CVE-2010-2939, CVE-2010-3864
Security: FreeBSD-SA-10:10.openssl
Modified:
releng/7.1/UPDATING
releng/7.1/crypto/openssl/ssl/s3_clnt.c
releng/7.1/sys/conf/newvers.sh
releng/7.3/UPDATING
releng/7.3/crypto/openssl/ssl/s3_clnt.c
releng/7.3/sys/conf/newvers.sh
releng/8.0/UPDATING
releng/8.0/crypto/openssl/ssl/s3_clnt.c
releng/8.0/crypto/openssl/ssl/t1_lib.c
releng/8.0/sys/conf/newvers.sh
releng/8.1/UPDATING
releng/8.1/crypto/openssl/ssl/s3_clnt.c
releng/8.1/crypto/openssl/ssl/t1_lib.c
releng/8.1/sys/conf/newvers.sh
Modified: releng/7.1/UPDATING
==============================================================================
--- releng/7.1/UPDATING Mon Nov 29 18:33:20 2010 (r216062)
+++ releng/7.1/UPDATING Mon Nov 29 20:43:06 2010 (r216063)
@@ -8,6 +8,9 @@ Items affecting the ports and packages s
/usr/ports/UPDATING. Please read that file before running
portupgrade.
+20101129: p16 FreeBSD-SA-10:10.openssl
+ Fix OpenSSL multiple vulnerabilities.
+
20101110: p15 FreeBSD-SA-10:09.pseudofs
Don't unlock a mutex which wasn't locked.
Modified: releng/7.1/crypto/openssl/ssl/s3_clnt.c
==============================================================================
--- releng/7.1/crypto/openssl/ssl/s3_clnt.c Mon Nov 29 18:33:20 2010
(r216062)
+++ releng/7.1/crypto/openssl/ssl/s3_clnt.c Mon Nov 29 20:43:06 2010
(r216063)
@@ -1289,6 +1289,7 @@ int ssl3_get_key_exchange(SSL *s)
s->session->sess_cert->peer_ecdh_tmp=ecdh;
ecdh=NULL;
BN_CTX_free(bn_ctx);
+ bn_ctx = NULL;
EC_POINT_free(srvr_ecpoint);
srvr_ecpoint = NULL;
}
Modified: releng/7.1/sys/conf/newvers.sh
==============================================================================
--- releng/7.1/sys/conf/newvers.sh Mon Nov 29 18:33:20 2010
(r216062)
+++ releng/7.1/sys/conf/newvers.sh Mon Nov 29 20:43:06 2010
(r216063)
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="7.1"
-BRANCH="RELEASE-p15"
+BRANCH="RELEASE-p16"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
Modified: releng/7.3/UPDATING
==============================================================================
--- releng/7.3/UPDATING Mon Nov 29 18:33:20 2010 (r216062)
+++ releng/7.3/UPDATING Mon Nov 29 20:43:06 2010 (r216063)
@@ -8,6 +8,9 @@ Items affecting the ports and packages s
/usr/ports/UPDATING. Please read that file before running
portupgrade.
+20101129: p4 FreeBSD-SA-10:10.openssl
+ Fix OpenSSL multiple vulnerabilities.
+
20100920: p3 FreeBSD-SA-10:08.bzip2
Fix an integer overflow in RLE length parsing when decompressing
corrupt bzip2 data.
Modified: releng/7.3/crypto/openssl/ssl/s3_clnt.c
==============================================================================
--- releng/7.3/crypto/openssl/ssl/s3_clnt.c Mon Nov 29 18:33:20 2010
(r216062)
+++ releng/7.3/crypto/openssl/ssl/s3_clnt.c Mon Nov 29 20:43:06 2010
(r216063)
@@ -1289,6 +1289,7 @@ int ssl3_get_key_exchange(SSL *s)
s->session->sess_cert->peer_ecdh_tmp=ecdh;
ecdh=NULL;
BN_CTX_free(bn_ctx);
+ bn_ctx = NULL;
EC_POINT_free(srvr_ecpoint);
srvr_ecpoint = NULL;
}
Modified: releng/7.3/sys/conf/newvers.sh
==============================================================================
--- releng/7.3/sys/conf/newvers.sh Mon Nov 29 18:33:20 2010
(r216062)
+++ releng/7.3/sys/conf/newvers.sh Mon Nov 29 20:43:06 2010
(r216063)
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="7.3"
-BRANCH="RELEASE-p3"
+BRANCH="RELEASE-p4"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
Modified: releng/8.0/UPDATING
==============================================================================
--- releng/8.0/UPDATING Mon Nov 29 18:33:20 2010 (r216062)
+++ releng/8.0/UPDATING Mon Nov 29 20:43:06 2010 (r216063)
@@ -15,6 +15,9 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8.
debugging tools present in HEAD were left in place because
sun4v support still needs work to become production ready.
+20101129: p6 FreeBSD-SA-10:10.openssl
+ Fix OpenSSL multiple vulnerabilities.
+
20100920: p5 FreeBSD-SA-10:08.bzip2
Fix an integer overflow in RLE length parsing when decompressing
corrupt bzip2 data.
Modified: releng/8.0/crypto/openssl/ssl/s3_clnt.c
==============================================================================
--- releng/8.0/crypto/openssl/ssl/s3_clnt.c Mon Nov 29 18:33:20 2010
(r216062)
+++ releng/8.0/crypto/openssl/ssl/s3_clnt.c Mon Nov 29 20:43:06 2010
(r216063)
@@ -1378,6 +1378,7 @@ int ssl3_get_key_exchange(SSL *s)
s->session->sess_cert->peer_ecdh_tmp=ecdh;
ecdh=NULL;
BN_CTX_free(bn_ctx);
+ bn_ctx = NULL;
EC_POINT_free(srvr_ecpoint);
srvr_ecpoint = NULL;
}
Modified: releng/8.0/crypto/openssl/ssl/t1_lib.c
==============================================================================
--- releng/8.0/crypto/openssl/ssl/t1_lib.c Mon Nov 29 18:33:20 2010
(r216062)
+++ releng/8.0/crypto/openssl/ssl/t1_lib.c Mon Nov 29 20:43:06 2010
(r216063)
@@ -369,14 +369,23 @@ int ssl_parse_clienthello_tlsext(SSL *s,
switch (servname_type)
{
case TLSEXT_NAMETYPE_host_name:
- if (s->session->tlsext_hostname == NULL)
+ if (!s->hit)
{
- if (len >
TLSEXT_MAXLEN_host_name ||
-
((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL))
+ if(s->session->tlsext_hostname)
+ {
+ *al =
SSL_AD_DECODE_ERROR;
+ return 0;
+ }
+ if (len >
TLSEXT_MAXLEN_host_name)
{
*al =
TLS1_AD_UNRECOGNIZED_NAME;
return 0;
}
+ if
((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
+ {
+ *al =
TLS1_AD_INTERNAL_ERROR;
+ return 0;
+ }
memcpy(s->session->tlsext_hostname, sdata, len);
s->session->tlsext_hostname[len]='\0';
if
(strlen(s->session->tlsext_hostname) != len) {
@@ -389,7 +398,8 @@ int ssl_parse_clienthello_tlsext(SSL *s,
}
else
- s->servername_done =
strlen(s->session->tlsext_hostname) == len
+ s->servername_done =
s->session->tlsext_hostname
+ &&
strlen(s->session->tlsext_hostname) == len
&&
strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
break;
Modified: releng/8.0/sys/conf/newvers.sh
==============================================================================
--- releng/8.0/sys/conf/newvers.sh Mon Nov 29 18:33:20 2010
(r216062)
+++ releng/8.0/sys/conf/newvers.sh Mon Nov 29 20:43:06 2010
(r216063)
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="8.0"
-BRANCH="RELEASE-p5"
+BRANCH="RELEASE-p6"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
Modified: releng/8.1/UPDATING
==============================================================================
--- releng/8.1/UPDATING Mon Nov 29 18:33:20 2010 (r216062)
+++ releng/8.1/UPDATING Mon Nov 29 20:43:06 2010 (r216063)
@@ -15,6 +15,9 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8.
debugging tools present in HEAD were left in place because
sun4v support still needs work to become production ready.
+20101129: p2 FreeBSD-SA-10:10.openssl
+ Fix OpenSSL multiple vulnerabilities.
+
20100920: p1 FreeBSD-SA-10:08.bzip2
Fix an integer overflow in RLE length parsing when decompressing
corrupt bzip2 data.
Modified: releng/8.1/crypto/openssl/ssl/s3_clnt.c
==============================================================================
--- releng/8.1/crypto/openssl/ssl/s3_clnt.c Mon Nov 29 18:33:20 2010
(r216062)
+++ releng/8.1/crypto/openssl/ssl/s3_clnt.c Mon Nov 29 20:43:06 2010
(r216063)
@@ -1377,6 +1377,7 @@ int ssl3_get_key_exchange(SSL *s)
s->session->sess_cert->peer_ecdh_tmp=ecdh;
ecdh=NULL;
BN_CTX_free(bn_ctx);
+ bn_ctx = NULL;
EC_POINT_free(srvr_ecpoint);
srvr_ecpoint = NULL;
}
Modified: releng/8.1/crypto/openssl/ssl/t1_lib.c
==============================================================================
--- releng/8.1/crypto/openssl/ssl/t1_lib.c Mon Nov 29 18:33:20 2010
(r216062)
+++ releng/8.1/crypto/openssl/ssl/t1_lib.c Mon Nov 29 20:43:06 2010
(r216063)
@@ -432,14 +432,23 @@ int ssl_parse_clienthello_tlsext(SSL *s,
switch (servname_type)
{
case TLSEXT_NAMETYPE_host_name:
- if (s->session->tlsext_hostname == NULL)
+ if (!s->hit)
{
- if (len >
TLSEXT_MAXLEN_host_name ||
-
((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL))
+ if(s->session->tlsext_hostname)
+ {
+ *al =
SSL_AD_DECODE_ERROR;
+ return 0;
+ }
+ if (len >
TLSEXT_MAXLEN_host_name)
{
*al =
TLS1_AD_UNRECOGNIZED_NAME;
return 0;
}
+ if
((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
+ {
+ *al =
TLS1_AD_INTERNAL_ERROR;
+ return 0;
+ }
memcpy(s->session->tlsext_hostname, sdata, len);
s->session->tlsext_hostname[len]='\0';
if
(strlen(s->session->tlsext_hostname) != len) {
@@ -452,7 +461,8 @@ int ssl_parse_clienthello_tlsext(SSL *s,
}
else
- s->servername_done =
strlen(s->session->tlsext_hostname) == len
+ s->servername_done =
s->session->tlsext_hostname
+ &&
strlen(s->session->tlsext_hostname) == len
&&
strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
break;
Modified: releng/8.1/sys/conf/newvers.sh
==============================================================================
--- releng/8.1/sys/conf/newvers.sh Mon Nov 29 18:33:20 2010
(r216062)
+++ releng/8.1/sys/conf/newvers.sh Mon Nov 29 20:43:06 2010
(r216063)
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="8.1"
-BRANCH="RELEASE-p1"
+BRANCH="RELEASE-p2"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
