aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSimon L. B. Nielsen <simon@FreeBSD.org>2010-11-29 20:43:06 +0000
committerSimon L. B. Nielsen <simon@FreeBSD.org>2010-11-29 20:43:06 +0000
commit5381b89e043e6a4c0316344f7fe8272596d3011c (patch)
tree01d2123772ebd99f648157d45807babe7b80be84
parent3a68eb81a01613c9a6552bea8ddf211b474be68f (diff)
downloadsrc-releng/8.0.tar.gz
src-releng/8.0.zip
Fix a race condition exists in the OpenSSL TLS server extension code andreleng/8.0
a double free in the SSL client ECDH handling code. Approved by: so (simon) Security: CVE-2010-2939, CVE-2010-3864 Security: FreeBSD-SA-10:10.openssl
Notes
Notes: svn path=/releng/8.0/; revision=216063
-rw-r--r--UPDATING3
-rw-r--r--crypto/openssl/ssl/s3_clnt.c1
-rw-r--r--crypto/openssl/ssl/t1_lib.c18
-rw-r--r--sys/conf/newvers.sh2
4 files changed, 19 insertions, 5 deletions
diff --git a/UPDATING b/UPDATING
index 8f1ff6f85e57..f39770b3fb8f 100644
--- a/UPDATING
+++ b/UPDATING
@@ -15,6 +15,9 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8.x IS SLOW ON IA64 OR SUN4V:
debugging tools present in HEAD were left in place because
sun4v support still needs work to become production ready.
+20101129: p6 FreeBSD-SA-10:10.openssl
+ Fix OpenSSL multiple vulnerabilities.
+
20100920: p5 FreeBSD-SA-10:08.bzip2
Fix an integer overflow in RLE length parsing when decompressing
corrupt bzip2 data.
diff --git a/crypto/openssl/ssl/s3_clnt.c b/crypto/openssl/ssl/s3_clnt.c
index 50308487aa57..48b3bbb6eeb9 100644
--- a/crypto/openssl/ssl/s3_clnt.c
+++ b/crypto/openssl/ssl/s3_clnt.c
@@ -1378,6 +1378,7 @@ int ssl3_get_key_exchange(SSL *s)
s->session->sess_cert->peer_ecdh_tmp=ecdh;
ecdh=NULL;
BN_CTX_free(bn_ctx);
+ bn_ctx = NULL;
EC_POINT_free(srvr_ecpoint);
srvr_ecpoint = NULL;
}
diff --git a/crypto/openssl/ssl/t1_lib.c b/crypto/openssl/ssl/t1_lib.c
index 9ce726996d9d..5d401c357240 100644
--- a/crypto/openssl/ssl/t1_lib.c
+++ b/crypto/openssl/ssl/t1_lib.c
@@ -369,14 +369,23 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
switch (servname_type)
{
case TLSEXT_NAMETYPE_host_name:
- if (s->session->tlsext_hostname == NULL)
+ if (!s->hit)
{
- if (len > TLSEXT_MAXLEN_host_name ||
- ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL))
+ if(s->session->tlsext_hostname)
+ {
+ *al = SSL_AD_DECODE_ERROR;
+ return 0;
+ }
+ if (len > TLSEXT_MAXLEN_host_name)
{
*al = TLS1_AD_UNRECOGNIZED_NAME;
return 0;
}
+ if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
+ {
+ *al = TLS1_AD_INTERNAL_ERROR;
+ return 0;
+ }
memcpy(s->session->tlsext_hostname, sdata, len);
s->session->tlsext_hostname[len]='\0';
if (strlen(s->session->tlsext_hostname) != len) {
@@ -389,7 +398,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
}
else
- s->servername_done = strlen(s->session->tlsext_hostname) == len
+ s->servername_done = s->session->tlsext_hostname
+ && strlen(s->session->tlsext_hostname) == len
&& strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
break;
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index ec0cc9fa8188..d1433f659867 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="8.0"
-BRANCH="RELEASE-p5"
+BRANCH="RELEASE-p6"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi