Security fix for CVE-2008-0891 & CVE-2008-1672. bug #223429

(Portage version: 2.1.5.2)

4 files changed, 232 insertions, 2 deletions

diff --git a/dev-libs/openssl/ChangeLog b/dev-libs/openssl/ChangeLog
index 86c201d940cf..d122cd722d9a 100644
--- a/dev-libs/openssl/ChangeLog
+++ b/dev-libs/openssl/ChangeLog
@@ -1,6 +1,13 @@
 # ChangeLog for dev-libs/openssl
 # Copyright 1999-2008 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/dev-libs/openssl/ChangeLog,v 1.260 2008/05/28 16:30:40 vapier Exp $
+# $Header: /var/cvsroot/gentoo-x86/dev-libs/openssl/ChangeLog,v 1.261 2008/05/30 21:30:29 cardoe Exp $
+
+*openssl-0.9.8g-r2 (30 May 2008)
+
+  30 May 2008; Doug Goldstein <cardoe@gentoo.org>
+  +files/openssl-0.9.8g-CVE-2008-0891.patch,
+  +files/openssl-0.9.8g-CVE-2008-1672.patch, +openssl-0.9.8g-r2.ebuild:
+  Security fix for CVE-2008-0891 & CVE-2008-1672. bug #223429
 
 *openssl-0.9.8h (28 May 2008)
 
@@ -29,7 +36,7 @@
   19 Nov 2007; Joshua Kinard <kumba@gentoo.org> openssl-0.9.8g.ebuild:
   Stable on mips, per #198370.
 
-  16 Nov 2007; Doug Klima <cardoe@gentoo.org> openssl-0.9.8g.ebuild:
+  16 Nov 2007; Doug Goldstein <cardoe@gentoo.org> openssl-0.9.8g.ebuild:
   change depend to mit-krb5 since openssl's Configure script specifically
   states they don't support building against heimdal and it will break. Which
   results in a die during the ebuild
diff --git a/dev-libs/openssl/files/openssl-0.9.8g-CVE-2008-0891.patch b/dev-libs/openssl/files/openssl-0.9.8g-CVE-2008-0891.patch
new file mode 100644
index 000000000000..840bfb02ebd5
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-0.9.8g-CVE-2008-0891.patch
@@ -0,0 +1,15 @@
+Index: ssl/t1_lib.c
+===================================================================
+RCS file: /e/openssl/cvs/openssl/ssl/t1_lib.c,v
+retrieving revision 1.13.2.8
+diff -u -r1.13.2.8 t1_lib.c
+--- ssl/t1_lib.c	18 Oct 2007 11:39:11 -0000	1.13.2.8
++++ ssl/t1_lib.c	18 Mar 2008 12:06:58 -0000
+@@ -381,6 +381,7 @@
+ 						s->session->tlsext_hostname[len]='\0';
+ 						if (strlen(s->session->tlsext_hostname) != len) {
+ 							OPENSSL_free(s->session->tlsext_hostname);
++							s->session->tlsext_hostname = NULL;
+ 							*al = TLS1_AD_UNRECOGNIZED_NAME;
+ 							return 0;
+ 						}
diff --git a/dev-libs/openssl/files/openssl-0.9.8g-CVE-2008-1672.patch b/dev-libs/openssl/files/openssl-0.9.8g-CVE-2008-1672.patch
new file mode 100644
index 000000000000..9aa07e97e631
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-0.9.8g-CVE-2008-1672.patch
@@ -0,0 +1,21 @@
+Index: ssl/s3_clnt.c
+===================================================================
+RCS file: /e/openssl/cvs/openssl/ssl/s3_clnt.c,v
+retrieving revision 1.88.2.12
+diff -u -r1.88.2.12 s3_clnt.c
+--- ssl/s3_clnt.c	3 Nov 2007 13:07:39 -0000	1.88.2.12
++++ ssl/s3_clnt.c	22 May 2008 09:19:30 -0000
+@@ -2061,6 +2061,13 @@
+ 			{
+ 			DH *dh_srvr,*dh_clnt;
+ 
++                        if (s->session->sess_cert == NULL) 
++                                {
++                                ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
++                                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
++                                goto err;
++                                }
++
+ 			if (s->session->sess_cert->peer_dh_tmp != NULL)
+ 				dh_srvr=s->session->sess_cert->peer_dh_tmp;
+ 			else
diff --git a/dev-libs/openssl/openssl-0.9.8g-r2.ebuild b/dev-libs/openssl/openssl-0.9.8g-r2.ebuild
new file mode 100644
index 000000000000..34b06d728d69
--- /dev/null
+++ b/dev-libs/openssl/openssl-0.9.8g-r2.ebuild
@@ -0,0 +1,187 @@
+# Copyright 1999-2008 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/dev-libs/openssl/openssl-0.9.8g-r2.ebuild,v 1.1 2008/05/30 21:30:29 cardoe Exp $
+
+inherit eutils flag-o-matic toolchain-funcs
+
+DESCRIPTION="Toolkit for SSL v2/v3 and TLS v1"
+HOMEPAGE="http://www.openssl.org/"
+SRC_URI="mirror://openssl/source/${P}.tar.gz"
+
+LICENSE="openssl"
+SLOT="0"
+KEYWORDS="-* ~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~sparc-fbsd ~x86 ~x86-fbsd"
+IUSE="bindist gmp kerberos sse2 test zlib"
+
+RDEPEND="gmp? ( dev-libs/gmp )
+	zlib? ( sys-libs/zlib )
+	kerberos? ( app-crypt/mit-krb5 )"
+DEPEND="${RDEPEND}
+	sys-apps/diffutils
+	>=dev-lang/perl-5
+	test? ( sys-devel/bc )"
+PDEPEND="app-misc/ca-certificates"
+
+src_unpack() {
+	unpack ${A}
+	cd "${S}"
+
+	epatch "${FILESDIR}"/${PN}-0.9.7e-gentoo.patch
+	epatch "${FILESDIR}"/${PN}-0.9.7-alpha-default-gcc.patch
+	epatch "${FILESDIR}"/${PN}-0.9.8b-parallel-build.patch
+	epatch "${FILESDIR}"/${PN}-0.9.8-make-engines-dir.patch
+	epatch "${FILESDIR}"/${PN}-0.9.8-toolchain.patch
+	epatch "${FILESDIR}"/${PN}-0.9.8b-doc-updates.patch
+	epatch "${FILESDIR}"/${PN}-0.9.8-makedepend.patch #149583
+	epatch "${FILESDIR}"/${PN}-0.9.8e-make.patch #146316
+	epatch "${FILESDIR}"/${PN}-0.9.8e-bsd-sparc64.patch
+	epatch "${FILESDIR}"/${PN}-0.9.8g-sslv3-no-tlsext.patch
+
+	# Security Fixes
+	epatch "${FILESDIR}"/${PN}-0.9.8g-CVE-2008-0891.patch
+	epatch "${FILESDIR}"/${PN}-0.9.8g-CVE-2008-1672.patch
+
+	# allow openssl to be cross-compiled
+	cp "${FILESDIR}"/gentoo.config-0.9.8 gentoo.config || die "cp cross-compile failed"
+	chmod a+rx gentoo.config
+
+	# Don't build manpages if we don't want them
+	has noman FEATURES \
+		&& sed -i '/^install:/s:install_docs::' Makefile.org \
+		|| sed -i '/^MANDIR=/s:=.*:=/usr/share/man:' Makefile.org
+
+	# Try to derice users and work around broken ass toolchains
+	if [[ $(gcc-major-version) == "3" ]] ; then
+		filter-flags -fprefetch-loop-arrays -freduce-all-givs -funroll-loops
+		[[ $(tc-arch) == "ppc64" ]] && replace-flags -O? -O
+	fi
+	[[ $(tc-arch) == ppc* ]] && append-flags -fno-strict-aliasing
+	append-flags -Wa,--noexecstack
+
+	# using a library directory other than lib requires some magic
+	sed -i \
+		-e "s+\(\$(INSTALL_PREFIX)\$(INSTALLTOP)\)/lib+\1/$(get_libdir)+g" \
+		-e "s+libdir=\$\${exec_prefix}/lib+libdir=\$\${exec_prefix}/$(get_libdir)+g" \
+		Makefile.org engines/Makefile \
+		|| die "sed failed"
+	./config --test-sanity || die "I AM NOT SANE"
+}
+
+src_compile() {
+	unset APPS #197996
+
+	tc-export CC AR RANLIB
+
+	# Clean out patent-or-otherwise-encumbered code
+	# Camellia: Royalty Free            http://en.wikipedia.org/wiki/Camellia_(cipher)
+	# IDEA:     5,214,703 25/05/2010    http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
+	# EC:       ????????? ??/??/2015    http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
+	# MDC2:     Expired                 http://en.wikipedia.org/wiki/MDC-2
+	# RC5:      5,724,428 03/03/2015    http://en.wikipedia.org/wiki/RC5
+
+	use_ssl() { use $1 && echo "enable-${2:-$1} ${*:3}" || echo "no-${2:-$1}" ; }
+	echoit() { echo "$@" ; "$@" ; }
+
+	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+	local sslout=$(./gentoo.config)
+	einfo "Use configuration ${sslout:-(openssl knows best)}"
+	local config="Configure"
+	[[ -z ${sslout} ]] && config="config"
+	echoit \
+	./${config} \
+		${sslout} \
+		$(use sse2 || echo "no-sse2") \
+		enable-camellia \
+		$(use_ssl !bindist ec) \
+		$(use_ssl !bindist idea) \
+		enable-mdc2 \
+		$(use_ssl !bindist rc5) \
+		enable-tlsext \
+		$(use_ssl gmp) \
+		$(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
+		$(use_ssl zlib) \
+		$(use_ssl zlib zlib-dynamic) \
+		--prefix=/usr \
+		--openssldir=/etc/ssl \
+		shared threads \
+		|| die "Configure failed"
+
+	# Clean out hardcoded flags that openssl uses
+	local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
+		-e 's:^CFLAG=::' \
+		-e 's:-fomit-frame-pointer ::g' \
+		-e 's:-O[0-9] ::g' \
+		-e 's:-march=[-a-z0-9]* ::g' \
+		-e 's:-mcpu=[-a-z0-9]* ::g' \
+		-e 's:-m[a-z0-9]* ::g' \
+	)
+	sed -i \
+		-e "/^CFLAG/s:=.*:=${CFLAG} ${CFLAGS}:" \
+		-e "/^SHARED_LDFLAGS=/s:$: ${LDFLAGS}:" \
+		Makefile || die
+
+	# depend is needed to use $confopts
+	# rehash is needed to prep the certs/ dir
+	emake -j1 depend || die "depend failed"
+	emake all rehash || die "make all failed"
+}
+
+src_test() {
+	# make sure sandbox doesnt die on *BSD
+	addpredict /dev/crypto
+
+	emake -j1 test || die "make test failed"
+}
+
+src_install() {
+	emake -j1 INSTALL_PREFIX="${D}" install || die
+	dodoc CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el
+	dohtml doc/*
+
+	# create the certs directory
+	dodir /etc/ssl/certs
+	cp -RP certs/* "${D}"/etc/ssl/certs/ || die "failed to install certs"
+	rm -r "${D}"/etc/ssl/certs/{demo,expired}
+
+	# Namespace openssl programs to prevent conflicts with other man pages
+	cd "${D}"/usr/share/man
+	local m d s
+	for m in $(find . -type f | xargs grep -L '#include') ; do
+		d=${m%/*} ; d=${d#./} ; m=${m##*/}
+		[[ ${m} == openssl.1* ]] && continue
+		[[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
+		mv ${d}/{,ssl-}${m}
+		ln -s ssl-${m} ${d}/openssl-${m}
+		# locate any symlinks that point to this man page ... we assume
+		# that any broken links are due to the above renaming
+		for s in $(find -L ${d} -type l) ; do
+			s=${s##*/}
+			rm -f ${d}/${s}
+			ln -s ssl-${m} ${d}/ssl-${s}
+			ln -s ssl-${s} ${d}/openssl-${s}
+		done
+	done
+	[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
+
+	diropts -m0700
+	keepdir /etc/ssl/private
+}
+
+pkg_preinst() {
+	preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.{6,7}
+}
+
+pkg_postinst() {
+	preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.{6,7}
+
+	if [[ ${CHOST} == i686* ]] ; then
+		ewarn "Due to the way openssl is architected, you cannot"
+		ewarn "switch between optimized versions without breaking"
+		ewarn "ABI.  The default i686 0.9.8 ABI was an unoptimized"
+		ewarn "version with horrible performance.  This version uses"
+		ewarn "the optimized ABI.  If you experience segfaults when"
+		ewarn "using ssl apps (like openssh), just re-emerge the"
+		ewarn "offending package."
+	fi
+}