aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--security/openssl/Makefile1
-rw-r--r--security/openssl/files/patch-CVE-2009-137746
-rw-r--r--security/openssl/files/patch-CVE-2009-137822
3 files changed, 69 insertions, 0 deletions
diff --git a/security/openssl/Makefile b/security/openssl/Makefile
index f2730ad6b0d0..222d957a8bb2 100644
--- a/security/openssl/Makefile
+++ b/security/openssl/Makefile
@@ -7,6 +7,7 @@
PORTNAME= openssl
PORTVERSION= 0.9.8k
+PORTREVISION= 1
CATEGORIES= security devel
MASTER_SITES= http://www.openssl.org/%SUBDIR%/ \
ftp://ftp.openssl.org/%SUBDIR%/ \
diff --git a/security/openssl/files/patch-CVE-2009-1377 b/security/openssl/files/patch-CVE-2009-1377
new file mode 100644
index 000000000000..9d0e941971d4
--- /dev/null
+++ b/security/openssl/files/patch-CVE-2009-1377
@@ -0,0 +1,46 @@
+Obtained-from: http://rt.openssl.org/Ticket/Attachment/22260/10159/dtls-record-buffer-bug-1.0.0.patch
+
+--- crypto/pqueue/pqueue.c 2005-12-20 08:03:10.000000000 +0100
++++ crypto/pqueue/pqueue.c 2009-05-15 16:07:33.000000000 +0200
+@@ -237,3 +237,17 @@
+
+ return ret;
+ }
++
++int
++pqueue_size(pqueue_s *pq)
++{
++ pitem *item = pq->items;
++ int count = 0;
++
++ while(item != NULL)
++ {
++ count++;
++ item = item->next;
++ }
++ return count;
++}
+
+--- crypto/pqueue/pqueue.h 2005-06-08 00:21:14.000000000 +0200
++++ crypto/pqueue/pqueue.h 2009-05-15 16:07:03.000000000 +0200
+@@ -89,5 +89,6 @@
+ pitem *pqueue_next(piterator *iter);
+
+ void pqueue_print(pqueue pq);
++int pqueue_size(pqueue pq);
+
+ #endif /* ! HEADER_PQUEUE_H */
+
+--- ssl/d1_pkt.c 2009-04-23 18:32:40.000000000 +0200
++++ ssl/d1_pkt.c 2009-05-15 16:06:23.000000000 +0200
+@@ -207,6 +207,10 @@
+ DTLS1_RECORD_DATA *rdata;
+ pitem *item;
+
++ /* Limit the size of the queue to prevent DOS attacks */
++ if (pqueue_size(queue->q) >= 100)
++ return 0;
++
+ rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
+ item = pitem_new(priority, rdata);
+ if (rdata == NULL || item == NULL)
diff --git a/security/openssl/files/patch-CVE-2009-1378 b/security/openssl/files/patch-CVE-2009-1378
new file mode 100644
index 000000000000..9b00d550a64a
--- /dev/null
+++ b/security/openssl/files/patch-CVE-2009-1378
@@ -0,0 +1,22 @@
+Obtained-from: http://rt.openssl.org/Ticket/Attachment/22314/10203/dtls-fragment-memleak-bug.patch
+
+--- ssl/d1_both.c 2009-05-18 09:57:08.000000000 +0200
++++ ssl/d1_both.c 2009-05-18 10:08:51.000000000 +0200
+@@ -561,7 +561,16 @@
+ if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len)
+ goto err;
+
+- if (msg_hdr->seq <= s->d1->handshake_read_seq)
++ /* Try to find item in queue, to prevent duplicate entries */
++ pq_64bit_init(&seq64);
++ pq_64bit_assign_word(&seq64, msg_hdr->seq);
++ item = pqueue_find(s->d1->buffered_messages, seq64);
++ pq_64bit_free(&seq64);
++
++ /* Discard the message if sequence number was already there, is
++ * too far in the future or the fragment is already in the queue */
++ if (msg_hdr->seq <= s->d1->handshake_read_seq ||
++ msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL)
+ {
+ unsigned char devnull [256];
+