[OE-core] [PATCH 1/2] openssl: Security fix CVE-2015-3197
Armin Kuster
akuster808 at gmail.com
Fri Jan 29 22:57:07 UTC 2016
CVE-2015-3197 OpenSSL: SSLv2 doesn't block disabled ciphers
Signed-off-by: Armin Kuster <akuster808 at gmail.com>
---
.../openssl/openssl/CVE-2015-3197.patch | 63 ++++++++++++++++++++++
.../recipes-connectivity/openssl/openssl_1.0.2d.bb | 1 +
2 files changed, 64 insertions(+)
create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2015-3197.patch
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2015-3197.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3197.patch
new file mode 100644
index 0000000..dd288c9
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3197.patch
@@ -0,0 +1,63 @@
+From d81a1600588b726c2bdccda7efad3cc7a87d6245 Mon Sep 17 00:00:00 2001
+From: Viktor Dukhovni <openssl-users at dukhovni.org>
+Date: Wed, 30 Dec 2015 22:44:51 -0500
+Subject: [PATCH] Better SSLv2 cipher-suite enforcement
+
+Based on patch by: Nimrod Aviram <nimrod.aviram at gmail.com>
+
+CVE-2015-3197
+
+Reviewed-by: Tim Hudson <tjh at openssl.org>
+Reviewed-by: Richard Levitte <levitte at openssl.org>
+
+Upstream-Status: Backport
+https://github.com/openssl/openssl/commit/d81a1600588b726c2bdccda7efad3cc7a87d6245
+
+CVE: CVE-2015-3197
+Signed-off-by: Armin Kuster <akuster at mvista.com>
+
+---
+ ssl/s2_srvr.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+Index: openssl-1.0.2d/ssl/s2_srvr.c
+===================================================================
+--- openssl-1.0.2d.orig/ssl/s2_srvr.c
++++ openssl-1.0.2d/ssl/s2_srvr.c
+@@ -402,7 +402,7 @@ static int get_client_master_key(SSL *s)
+ }
+
+ cp = ssl2_get_cipher_by_char(p);
+- if (cp == NULL) {
++ if (cp == NULL || sk_SSL_CIPHER_find(s->session->ciphers, cp) < 0) {
+ ssl2_return_error(s, SSL2_PE_NO_CIPHER);
+ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_NO_CIPHER_MATCH);
+ return (-1);
+@@ -687,8 +687,12 @@ static int get_client_hello(SSL *s)
+ prio = cs;
+ allow = cl;
+ }
++
++ /* Generate list of SSLv2 ciphers shared between client and server */
+ for (z = 0; z < sk_SSL_CIPHER_num(prio); z++) {
+- if (sk_SSL_CIPHER_find(allow, sk_SSL_CIPHER_value(prio, z)) < 0) {
++ const SSL_CIPHER *cp = sk_SSL_CIPHER_value(prio, z);
++ if ((cp->algorithm_ssl & SSL_SSLV2) == 0 ||
++ sk_SSL_CIPHER_find(allow, cp) < 0) {
+ (void)sk_SSL_CIPHER_delete(prio, z);
+ z--;
+ }
+@@ -697,6 +701,13 @@ static int get_client_hello(SSL *s)
+ sk_SSL_CIPHER_free(s->session->ciphers);
+ s->session->ciphers = prio;
+ }
++
++ /* Make sure we have at least one cipher in common */
++ if (sk_SSL_CIPHER_num(s->session->ciphers) == 0) {
++ ssl2_return_error(s, SSL2_PE_NO_CIPHER);
++ SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_NO_CIPHER_MATCH);
++ return -1;
++ }
+ /*
+ * s->session->ciphers should now have a list of ciphers that are on
+ * both the client and server. This list is ordered by the order the
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb
index 60d5676..07bdf4b 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb
@@ -41,6 +41,7 @@ SRC_URI += "file://configure-targets.patch \
file://CVE-2015-3194-1-Add-PSS-parameter-check.patch \
file://0001-Add-test-for-CVE-2015-3194.patch \
file://CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch \
+ file://CVE-2015-3197.patch \
"
SRC_URI[md5sum] = "38dd619b2e77cbac69b99f52a053d25a"
--
2.3.5
More information about the Openembedded-core
mailing list