summary refs log tree commit diff
path: root/gnu/packages/patches
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r--gnu/packages/patches/openssl-CVE-2010-5298.patch27
-rw-r--r--gnu/packages/patches/openssl-extension-checking-fixes.patch40
2 files changed, 67 insertions, 0 deletions
diff --git a/gnu/packages/patches/openssl-CVE-2010-5298.patch b/gnu/packages/patches/openssl-CVE-2010-5298.patch
new file mode 100644
index 0000000000..707a24dff0
--- /dev/null
+++ b/gnu/packages/patches/openssl-CVE-2010-5298.patch
@@ -0,0 +1,27 @@
+From db978be7388852059cf54e42539a363d549c5bfd Mon Sep 17 00:00:00 2001
+From: Kurt Roeckx <kurt@roeckx.be>
+Date: Sun, 13 Apr 2014 15:05:30 +0200
+Subject: [PATCH] Don't release the buffer when there still is data in it
+
+RT: 2167, 3265
+---
+ ssl/s3_pkt.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
+index b9e45c7..32e9207 100644
+--- a/ssl/s3_pkt.c
++++ b/ssl/s3_pkt.c
+@@ -1055,7 +1055,8 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
+ 				{
+ 				s->rstate=SSL_ST_READ_HEADER;
+ 				rr->off=0;
+-				if (s->mode & SSL_MODE_RELEASE_BUFFERS)
++				if (s->mode & SSL_MODE_RELEASE_BUFFERS &&
++					s->s3->rbuf.left == 0)
+ 					ssl3_release_read_buffer(s);
+ 				}
+ 			}
+-- 
+1.9.1
+
diff --git a/gnu/packages/patches/openssl-extension-checking-fixes.patch b/gnu/packages/patches/openssl-extension-checking-fixes.patch
new file mode 100644
index 0000000000..3fdd893563
--- /dev/null
+++ b/gnu/packages/patches/openssl-extension-checking-fixes.patch
@@ -0,0 +1,40 @@
+From 300b9f0b704048f60776881f1d378c74d9c32fbd Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve@openssl.org>
+Date: Tue, 15 Apr 2014 18:48:54 +0100
+Subject: [PATCH] Extension checking fixes.
+
+When looking for an extension we need to set the last found
+position to -1 to properly search all extensions.
+
+PR#3309.
+---
+ crypto/x509v3/v3_purp.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
+index 6c40c7d..5f931db 100644
+--- a/crypto/x509v3/v3_purp.c
++++ b/crypto/x509v3/v3_purp.c
+@@ -389,8 +389,8 @@ static void x509v3_cache_extensions(X509 *x)
+ 	/* Handle proxy certificates */
+ 	if((pci=X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) {
+ 		if (x->ex_flags & EXFLAG_CA
+-		    || X509_get_ext_by_NID(x, NID_subject_alt_name, 0) >= 0
+-		    || X509_get_ext_by_NID(x, NID_issuer_alt_name, 0) >= 0) {
++		    || X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >= 0
++		    || X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >= 0) {
+ 			x->ex_flags |= EXFLAG_INVALID;
+ 		}
+ 		if (pci->pcPathLengthConstraint) {
+@@ -670,7 +670,7 @@ static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x,
+ 		return 0;
+ 
+ 	/* Extended Key Usage MUST be critical */
+-	i_ext = X509_get_ext_by_NID((X509 *) x, NID_ext_key_usage, 0);
++	i_ext = X509_get_ext_by_NID((X509 *) x, NID_ext_key_usage, -1);
+ 	if (i_ext >= 0)
+ 		{
+ 		X509_EXTENSION *ext = X509_get_ext((X509 *) x, i_ext);
+-- 
+1.9.1
+