author | Bernard Spil <brnrd@FreeBSD.org> | 2021-03-17 16:15:19 +0000 |
---|---|---|
committer | Bernard Spil <brnrd@FreeBSD.org> | 2021-03-17 16:15:19 +0000 |
commit | d779838e2ca2ada4a736f7a7256bd4a7255fe34b (patch) | |
tree | 4fc6599ed96468ff765c8abed4078ce8167d0ecb | |
parent | 118e991967cca3e5505f02f84644ea92b12475f8 (diff) | |
download | ports-d779838e2ca2ada4a736f7a7256bd4a7255fe34b.tar.gz ports-d779838e2ca2ada4a736f7a7256bd4a7255fe34b.zip |
MFH: r565117 r568572
security/libressl: Bugfix update to 3.2.4
* See errata 013 from OpenBSD 6.8
* Various interoperability issues and memory leaks were discovered in
libcrypto and libssl
security/libressl: Security fix for potential use-after-free
Security: eeca52dc-866c-11eb-b8d6-d4c9ef517024
Approved by: ports-secteam (blanket)
Notes
Notes:
svn path=/branches/2021Q1/; revision=568669
-rw-r--r-- | security/libressl/Makefile | 3 | ||||
-rw-r--r-- | security/libressl/distinfo | 6 | ||||
-rw-r--r-- | security/libressl/files/patch-OpenBSD-Errata-6.8-17 | 74 |
3 files changed, 79 insertions, 4 deletions
diff --git a/security/libressl/Makefile b/security/libressl/Makefile
index ca63051dbee7..da6d7db18a34 100644
--- a/security/libressl/Makefile
+++ b/security/libressl/Makefile
@@ -2,7 +2,8 @@
 # $FreeBSD$
 PORTNAME= libressl
-PORTVERSION= 3.2.3
+PORTVERSION= 3.2.4
+PORTREVISION= 1
 CATEGORIES= security devel
 MASTER_SITES= OPENBSD/LibreSSL
diff --git a/security/libressl/distinfo b/security/libressl/distinfo
index 77644f852148..6c76bcf7b32d 100644
--- a/security/libressl/distinfo
+++ b/security/libressl/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1607682279
-SHA256 (libressl-3.2.3.tar.gz) = 412dc2baa739228c7779e93eb07cd645d5c964d2f2d837a9fd56db7498463d73
-SIZE (libressl-3.2.3.tar.gz) = 3839953
+TIMESTAMP = 1613210493
+SHA256 (libressl-3.2.4.tar.gz) = ac1dbb9e05a64910856599b1ac61118fdec1b3d0c700e42444d81c0d5f507a5a
+SIZE (libressl-3.2.4.tar.gz) = 3841822
diff --git a/security/libressl/files/patch-OpenBSD-Errata-6.8-17 b/security/libressl/files/patch-OpenBSD-Errata-6.8-17
new file mode 100644
index 000000000000..b22fbdcc3a6a
--- /dev/null
+++ b/security/libressl/files/patch-OpenBSD-Errata-6.8-17
@@ -0,0 +1,74 @@
+OpenBSD 6.8 errata 017, March 12, 2021:
+
+A TLS client using session resumption may cause a use-after-free.
+
+Apply by doing:
+ signify -Vep /etc/signify/openbsd-68-base.pub -x 017_libssl.patch.sig \
+ -m - | (cd /usr/src && patch -p0)
+
+And then rebuild and install libssl and unwind:
+ cd /usr/src/lib/libssl
+ make obj
+ make
+ make install
+ cd /usr/src/sbin/unwind
+ make obj
+ make
+ make install
+
+Index: lib/libssl/s3_lib.c
+===================================================================
+RCS file: /home/cvs/src/lib/libssl/s3_lib.c,v
+retrieving revision 1.198
+diff -u -p -r1.198 s3_lib.c
+--- ssl/s3_lib.c 17 Sep 2020 15:42:14 -0000 1.198
++++ ssl/s3_lib.c 9 Mar 2021 18:50:53 -0000
+@@ -1577,6 +1577,10 @@ ssl3_free(SSL *s)
+ 
+ free(S3I(s)->alpn_selected);
+ 
++ /* Clear reference to sequence numbers. */
++ tls12_record_layer_clear_read_state(s->internal->rl);
++ tls12_record_layer_clear_write_state(s->internal->rl);
++
+ freezero(S3I(s), sizeof(*S3I(s)));
+ freezero(s->s3, sizeof(*s->s3));
+ 
+@@ -1648,6 +1652,11 @@ ssl3_clear(SSL *s)
+ 
+ s->internal->packet_length = 0;
+ s->version = TLS1_VERSION;
++
++ tls12_record_layer_set_read_seq_num(s->internal->rl,
++ S3I(s)->read_sequence);
++ tls12_record_layer_set_write_seq_num(s->internal->rl,
++ S3I(s)->write_sequence);
+ 
+ S3I(s)->hs.state = SSL_ST_BEFORE|((s->server) ? SSL_ST_ACCEPT : SSL_ST_CONNECT);
+ }
+Index: lib/libssl/ssl_lib.c
+===================================================================
+RCS file: /home/cvs/src/lib/libssl/ssl_lib.c,v
+retrieving revision 1.234.4.1
+diff -u -p -r1.234.4.1 ssl_lib.c
+--- ssl/ssl_lib.c 3 Feb 2021 07:06:13 -0000 1.234.4.1
++++ ssl/ssl_lib.c 9 Mar 2021 18:50:53 -0000
+@@ -253,6 +253,8 @@ SSL_new(SSL_CTX *ctx)
+ goto err;
+ if ((s->internal = calloc(1, sizeof(*s->internal))) == NULL)
+ goto err;
++ if ((s->internal->rl = tls12_record_layer_new()) == NULL)
++ goto err;
+ 
+ s->internal->min_version = ctx->internal->min_version;
+ s->internal->max_version = ctx->internal->max_version;
+@@ -339,9 +341,6 @@ SSL_new(SSL_CTX *ctx)
+ s->method = ctx->method;
+ 
+ if (!s->method->internal->ssl_new(s))
+- goto err;
+-
+- if ((s->internal->rl = tls12_record_layer_new()) == NULL)
+ goto err;
+ 
+ s->references = 1;
|
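Review bot: The new `tls12_record_layer_set_read_seq_num(s->internal->rl, S3I(s)->read_sequence)` and `tls12_record_layer_set_write_seq_num(s->internal->rl, S3I(s)->write_sequence)` calls in ssl3_clear hand the record layer pointers into storage that ssl3_free later releases with `freezero(S3I(s), sizeof(*S3I(s)))`, and the only thing preventing a dangling reference is the clear_read_state/clear_write_state pair inserted just before that freezero; the patch does not state this ordering invariant anywhere. A comment on the new ssl3_clear lines such as `/* The record layer borrows these sequence-number buffers from S3I(s); ssl3_free() must clear the record-layer state before freezero(S3I(s)). */` would make the lifetime coupling explicit for anyone later editing either function. In SSL_new the `tls12_record_layer_new()` allocation is moved ahead of `s->method->internal->ssl_new(s)`, which ssl3_clear appears to rely on since it dereferences `s->internal->rl` unconditionally; because the allocation now happens earlier, every later `goto err` in SSL_new must release `s->internal->rl`, which should be confirmed in the `err:` cleanup that lies outside this hunk. Both ssl3_free and SSL_new begin and end outside the quoted hunks.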