- Security Fix

Security: CVE-2009-1377 Security: CVE-2009-1378 Security: http://article.gmane.org/gmane.comp.security.oss.general/1769 PR: 134653
svn path=/head/; revision=234274
2024-10-19 19:59:43 +00:00 · 2009-05-20 12:56:26 +00:00 · 2009-05-20 12:56:26 +00:00 · 315e28571a · 2021-03-31 03:12:20 +00:00
commit 315e28571a
parent cbb06659f8
3 changed files with 69 additions and 0 deletions
--- a/security/openssl/Makefile
+++ b/security/openssl/Makefile
@ -7,6 +7,7 @@

 PORTNAME=	openssl
 PORTVERSION=	0.9.8k
+PORTREVISION=	1
 CATEGORIES=	security devel
 MASTER_SITES=	http://www.openssl.org/%SUBDIR%/ \
 		ftp://ftp.openssl.org/%SUBDIR%/ \
--- a/security/openssl/files/patch-CVE-2009-1377
+++ b/security/openssl/files/patch-CVE-2009-1377
@ -0,0 +1,46 @@
+Obtained-from: http://rt.openssl.org/Ticket/Attachment/22260/10159/dtls-record-buffer-bug-1.0.0.patch
+
+--- crypto/pqueue/pqueue.c	2005-12-20 08:03:10.000000000 +0100
+++ crypto/pqueue/pqueue.c	2009-05-15 16:07:33.000000000 +0200
+@@ -237,3 +237,17 @@
+ 
+ 	return ret;
+ 	}
+
+int
+pqueue_size(pqueue_s *pq)
+{
+	pitem *item = pq->items;
+	int count = 0;
+	
+	while(item != NULL)
+	{
+		count++;
+		item = item->next;
+	}
+	return count;
+}
+
+--- crypto/pqueue/pqueue.h	2005-06-08 00:21:14.000000000 +0200
+++ crypto/pqueue/pqueue.h	2009-05-15 16:07:03.000000000 +0200
+@@ -89,5 +89,6 @@
+ pitem *pqueue_next(piterator *iter);
+ 
+ void   pqueue_print(pqueue pq);
+int	   pqueue_size(pqueue pq);
+ 
+ #endif /* ! HEADER_PQUEUE_H */
+
+--- ssl/d1_pkt.c	2009-04-23 18:32:40.000000000 +0200
+++ ssl/d1_pkt.c	2009-05-15 16:06:23.000000000 +0200
+@@ -207,6 +207,10 @@
+ 	DTLS1_RECORD_DATA *rdata;
+ 	pitem *item;
+ 
+	/* Limit the size of the queue to prevent DOS attacks */
+	if (pqueue_size(queue->q) >= 100)
+		return 0;
+		
+ 	rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
+ 	item = pitem_new(priority, rdata);
+ 	if (rdata == NULL || item == NULL)
--- a/security/openssl/files/patch-CVE-2009-1378
+++ b/security/openssl/files/patch-CVE-2009-1378
@ -0,0 +1,22 @@
+Obtained-from: http://rt.openssl.org/Ticket/Attachment/22314/10203/dtls-fragment-memleak-bug.patch
+
+--- ssl/d1_both.c	2009-05-18 09:57:08.000000000 +0200
+++ ssl/d1_both.c	2009-05-18 10:08:51.000000000 +0200
+@@ -561,7 +561,16 @@
+ 	if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len)
+ 		goto err;
+ 
+-	if (msg_hdr->seq <= s->d1->handshake_read_seq)
+	/* Try to find item in queue, to prevent duplicate entries */
+	pq_64bit_init(&seq64);
+	pq_64bit_assign_word(&seq64, msg_hdr->seq);
+	item = pqueue_find(s->d1->buffered_messages, seq64);
+	pq_64bit_free(&seq64);
+	
+	/* Discard the message if sequence number was already there, is
+	 * too far in the future or the fragment is already in the queue */
+	if (msg_hdr->seq <= s->d1->handshake_read_seq ||
+		msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL)
+ 		{
+ 		unsigned char devnull [256];
+