Please backport current CVEs for Precise LTS openssl098

Bug #1331452 reported by Louis Bouchard
Affects                  Status        Importance  Assigned to
openssl098 (Ubuntu)      Fix Released  High        Marc Deslauriers
  Precise                Fix Released  High        Louis Bouchard
  Saucy                  Fix Released  Undecided   Marc Deslauriers
  Trusty                 Fix Released  Undecided   Marc Deslauriers
  Utopic                 Fix Released  High        Marc Deslauriers

Bug Description

Please backport the CVEs listed here to openssl098:

http://people.canonical.com/~ubuntu-security/cve/pkg/openssl098.html

 * CVE-2012-0884
 * CVE-2012-2333
 * CVE-2013-0166
 * CVE-2013-0169
 * CVE-2014-0195
 * CVE-2014-0221
 * CVE-2014-0224

Louis Bouchard (louis)
Changed in openssl (Ubuntu):
status: New → Confirmed
importance: Undecided → High
assignee: nobody → Louis Bouchard (louis-bouchard)
Changed in openssl (Ubuntu Precise):
status: New → Confirmed
Changed in openssl (Ubuntu):
status: Confirmed → Invalid
Changed in openssl (Ubuntu Precise):
importance: Undecided → High
Changed in openssl (Ubuntu):
assignee: Louis Bouchard (louis-bouchard) → nobody
Changed in openssl (Ubuntu Precise):
assignee: nobody → Louis Bouchard (louis-bouchard)
Revision history for this message
Louis Bouchard (louis) wrote :

debdiff of missing CVE's taken from Lucid

Seth Arnold (seth-arnold) wrote :

Thanks for taking on this update; I have a few questions:

The changelog references a patch that isn't included:

+ - debian/patches/fix_renegotiation.patch: add upstream commit to fix
+ renegotiation in ssl/s3_clnt.c, ssl/t1_lib.c.

Why was this patch dropped? It feels accidental, since it's still in the changelog.

The modifications to the file crypto/cms/cms_smime.c appear to have been dropped from debian/patches/CVE-2012-0884.patch. Was this intentional?

Thanks

Changed in openssl (Ubuntu Precise):
status: Confirmed → Incomplete
Louis Bouchard (louis)
Changed in openssl (Ubuntu Precise):
status: Incomplete → In Progress
Louis Bouchard (louis) wrote :

Seth, thanks for looking at this.

The mention of debian/patches/fix_renegotiation.patch in the changelog is a cut-and-paste mistake on my part. I only backported the CVEs from Lucid, not the other patches. If you think that the other patches are required let me know and I'll see what I can do.

Regarding crypto/cms/cms_smime.c, it comes from iteration mistakes between my environments. I fixed it and the new debdiff includes the missing patch.

The package builds fine on precise with the added patch.

Marc Deslauriers (mdeslaur) wrote :

The fix_renegotiation patch is most probably needed.

Louis Bouchard (louis) wrote :

@mdeslaur:

Not that I was aware of it, but after trying to import the patch, it turns out that the fix_renegotiation patch is already present in the upstream tarball. So I think that removing that mention from the changelog remains valid.

Seth Arnold (seth-arnold) wrote :

Louis, thanks for taking another stab at this, but it still doesn't seem right: cms_smime.c had 37 added lines in the upstream patch, but this includes only three new added lines and no actual functional changes:

+Index: openssl098-0.9.8o/crypto/cms/cms_smime.c
+===================================================================
+--- openssl098-0.9.8o.orig/crypto/cms/cms_smime.c 2014-06-19 09:23:47.888194057 +0200
++++ openssl098-0.9.8o/crypto/cms/cms_smime.c 2014-06-19 09:27:53.552200347 +0200
+@@ -684,7 +684,10 @@
+ STACK_OF(CMS_RecipientInfo) *ris;
+ CMS_RecipientInfo *ri;
+ int i, r;
++ int debug = 0;
+ ris = CMS_get0_RecipientInfos(cms);
++ if (ris)
++ debug = cms->d.envelopedData->encryptedContentInfo->debug;
+ for (i = 0; i < sk_CMS_RecipientInfo_num(ris); i++)
+ {
+ ri = sk_CMS_RecipientInfo_value(ris, i);
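Review bot: the only change in this hunk is reading `cms->d.envelopedData->encryptedContentInfo->debug` into a new local `debug`, and nothing in the visible context uses it; the changelog entry for this patch says it makes RSA decryption fall back to a random key so that timing is not leaked, and none of that logic is present here, so the hunk looks like the first few lines of the upstream change rather than the fix. Re-import debian/patches/CVE-2012-0884.patch from the Lucid source package in full and compare the per-file added/removed line counts against it before resubmitting.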
diff -Nru openssl098-0.9.8o/debian/patches/CVE-2012-2333.patch openssl098-0.9.8o/debian/patches/CVE-2012-2333.patc

I think it's still missing some important changes.

Thanks

Louis Bouchard (louis) wrote :

Hi Seth,

Sorry for all this back and forth. I was sure I had imported the patch straight from the Lucid source package. I must have messed up somewhere.

Here is another stab at it. Let's hope that it is ok this time & once again sorry.

Marc Deslauriers (mdeslaur) wrote :

There is a regression fix that got published upstream which I'll release an update for on monday. I suspect you're going to need to add it. Here is the upstream commit:

https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=70d923fb0359ed68e59b8c59d1687ebff6f8d952

And here is my planned lucid debdiff:

Louis Bouchard (louis) wrote :

Thanks for the updated debdiff Marc.

Here is the new debdiff with this last regression patch included.

Seth Arnold (seth-arnold) wrote :

It appears one of the patches added some new errors to the build logs:

...
./testssl: 128: [: SSLv3: unexpected operator
Testing AES256-SHA
Available compression methods:
  1: zlib compression
TLSv1, cipher TLSv1/SSLv3 AES256-SHA, 1024 bit RSA
1 handshakes of 256 bytes done
./testssl: 128: [: SSLv3: unexpected operator
...

Thankfully the fix was simple (change == to = in debian/patches/CVE-2013-0169.patch for testssl), and once fixed didn't itself indicate any new errors.

However now I'm at a loss how to test this package; my first shot, using "LD_PRELOAD=/path/to/libssl.so.0.9.8 openssl" didn't actually work. How did you test it and is there something I can do to at least smoke-test it?

Thanks
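Seth's two review findings above (a patch named in the changelog but absent from the debdiff, and a CVE-2012-0884.patch whose cms_smime.c hunk adds three lines where the upstream patch adds 37) and the testssl `==` breakage are all things a sponsor can check mechanically before building. The script below is an added example, not code from this bug report, the openssl098 package or Ubuntu's QRT scripts. It parses a constructed debdiff and a constructed stand-in for the Lucid CVE-2012-0884.patch, both embedded inline and labelled as such, and the function names (walk, diffstat, missing_patches, shrunken_files, double_equals_tests, fix_double_equals) are mine.

```python
# Added example, not code from this bug report or the openssl098 package: checks
# a sponsor can run over a debdiff, modelled on the problems found in this thread.
import re

# Constructed debdiff shaped like the one under review: it edits debian/changelog,
# creates debian/patches/CVE-2012-0884.patch (itself a patch) and edits test/testssl.
DEBDIFF = """\
--- a/debian/changelog
+++ b/debian/changelog
@@ -0,0 +1,2 @@
+  * debian/patches/CVE-2012-0884.patch: use a random key if RSA decryption fails
+  * debian/patches/fix_renegotiation.patch: add upstream renegotiation fix
--- a/debian/patches/CVE-2012-0884.patch
+++ b/debian/patches/CVE-2012-0884.patch
@@ -0,0 +1,8 @@
+--- openssl098-0.9.8o.orig/crypto/cms/cms_smime.c
++++ openssl098-0.9.8o/crypto/cms/cms_smime.c
+@@ -684,2 +684,5 @@
+     int i, r;
++    int debug = 0;
+     ris = CMS_get0_RecipientInfos(cms);
++    if (ris)
++        debug = cms->d.envelopedData->encryptedContentInfo->debug;
--- a/test/testssl
+++ b/test/testssl
@@ -0,0 +1,3 @@
+if [ "$proto" == "SSLv3" ]; then
+  extra="-no_ssl3"
+fi
"""

# Constructed stand-in for the Lucid CVE-2012-0884.patch; only its shape matters.
REFERENCE_PATCH = """\
--- openssl-0.9.8k.orig/crypto/cms/cms_smime.c
+++ openssl-0.9.8k/crypto/cms/cms_smime.c
@@ -684,3 +684,6 @@
     int i, r;
+    int debug = 0;
     ris = CMS_get0_RecipientInfos(cms);
+    if (ris)
+        debug = cms->d.envelopedData->encryptedContentInfo->debug;
-    /* constructed: a removed line */
+    /* constructed: stands in for the rest of the upstream change */
"""

PATCH_REF = re.compile(r"debian/patches/([\w.+-]+\.patch)")
HUNK = re.compile(r"^@@ -\d+(?:,(\d+))? \+\d+(?:,(\d+))? @@")
BASH_EQ = re.compile(r"\[[^]]*==")  # bash-only '==' inside a [ ... ] test

def _norm(path):
    # Key on the in-tree path: leading directories differ (openssl-0.9.8k, a/, b/).
    parts = path.split("\t")[0].strip().split("/")
    return "/".join(parts[1:]) if len(parts) > 1 else parts[0]

def walk(patch_text):
    """Yield (target file, body line); the @@ counts say where each hunk ends."""
    current, old, new = None, 0, 0
    for line in patch_text.splitlines():
        m = HUNK.match(line)
        if m:
            old, new = int(m.group(1) or 1), int(m.group(2) or 1)
        elif old > 0 or new > 0:
            # Inside a hunk even a nested patch's '+++' line is just body text.
            yield current, line
            if line.startswith("\\"):  # "\ No newline at end of file"
                continue
            old -= not line.startswith("+")
            new -= not line.startswith("-")
        elif line.startswith("+++ "):
            current = _norm(line[4:])

def added_lines(patch_text, path):
    """Added lines of one file, '+' stripped (for a created file: its contents)."""
    return [l[1:] for f, l in walk(patch_text) if f == path and l.startswith("+")]

def diffstat(patch_text):
    """{file: (added, removed)}, counted from hunk bodies only."""
    stats = {}
    for f, line in walk(patch_text):
        add, rem = stats.get(f, (0, 0))
        stats[f] = (add + line.startswith("+"), rem + line.startswith("-"))
    return stats

def missing_patches(debdiff):
    """Patches named in the new changelog text that the debdiff does not touch."""
    changelog = "\n".join(added_lines(debdiff, "debian/changelog"))
    shipped = {m.group(1) for m in map(PATCH_REF.search, diffstat(debdiff)) if m}
    return sorted(set(PATCH_REF.findall(changelog)) - shipped)

def shrunken_files(reference_patch, candidate_patch):
    """Files where the candidate adds or removes fewer lines than the reference."""
    ref, cand = diffstat(reference_patch), diffstat(candidate_patch)
    return {f: {"reference": ref[f], "candidate": cand.get(f, (0, 0))} for f in ref
            if any(c < r for c, r in zip(cand.get(f, (0, 0)), ref[f]))}

def double_equals_tests(debdiff, path):
    """Added shell lines using bash's '==' in [ ... ]; dash says 'unexpected operator'."""
    return [l for l in added_lines(debdiff, path) if BASH_EQ.search(l)]

def fix_double_equals(line):
    return re.sub(r"(\[[^]]*)\s==\s", r"\1 = ", line)
```

To run the same checks on a real submission, read the debdiff into DEBDIFF and the Lucid copy of the patch into REFERENCE_PATCH; the nested patch is recovered with added_lines(DEBDIFF, "debian/patches/CVE-2012-0884.patch"). shrunken_files only reports files that got smaller, so a backport that legitimately carries extra context or additional hunks is not flagged, and missing_patches flags the fix_renegotiation.patch situation whether the patch was dropped or was already in the tarball.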

Marc Deslauriers (mdeslaur) wrote :

OK, I have managed to test this by installing the openssl tools from lucid, and running a slightly modified QRT script.

Looks good, I'm going to release it now. Thanks!

affects: openssl (Ubuntu) → openssl098 (Ubuntu)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl098 - 0.9.8o-7ubuntu3.2

---------------
openssl098 (0.9.8o-7ubuntu3.2) precise-security; urgency=medium

  * SECURITY UPDATE: regression with certain renegotiations (LP: #1332643)
    - debian/patches/CVE-2014-0224-regression2.patch: accept CCS after
      sending finished ssl/s3_clnt.c.
  * Bring up to date with latest security patches from Ubuntu 10.04:
    (LP: #1331452)
  * SECURITY UPDATE: MITM via change cipher spec
    - debian/patches/CVE-2014-0224-1.patch: only accept change cipher spec
      when it is expected in ssl/s3_clnt.c, ssl/s3_pkt.c, ssl/s3_srvr.c,
      ssl/ssl3.h.
    - debian/patches/CVE-2014-0224-2.patch: don't accept zero length master
      secrets in ssl/s3_pkt.c.
    - debian/patches/CVE-2014-0224-3.patch: allow CCS after resumption in
      ssl/s3_clnt.c.
    - CVE-2014-0224
  * SECURITY UPDATE: denial of service via DTLS recursion flaw
    - debian/patches/CVE-2014-0221.patch: handle DTLS hello request without
      recursion in ssl/d1_both.c.
    - CVE-2014-0221
  * SECURITY UPDATE: arbitrary code execution via DTLS invalid fragment
    - debian/patches/CVE-2014-0195.patch: add consistency check for DTLS
      fragments in ssl/d1_both.c.
    - CVE-2014-0195
  * SECURITY UPDATE: "Lucky Thirteen" timing side-channel TLS attack
    - debian/patches/CVE-2013-0169.patch: massive code changes
    - CVE-2013-0169
  * SECURITY UPDATE: denial of service via invalid OCSP key
    - debian/patches/CVE-2013-0166.patch: properly handle NULL key in
      crypto/asn1/a_verify.c, crypto/ocsp/ocsp_vfy.c.
    - CVE-2013-0166
  * SECURITY UPDATE: denial of service attack in DTLS implementation
    - debian/patches/CVE_2012-2333.patch: guard for integer overflow
      before skipping explicit IV
    - CVE-2012-2333
  * SECURITY UPDATE: million message attack (MMA) in CMS and PKCS #7
    - debian/patches/CVE-2012-0884.patch: use a random key if RSA
      decryption fails to avoid leaking timing information
    - CVE-2012-0884
  * debian/patches/CVE-2012-0884-extra.patch: detect symmetric crypto
    - errors in PKCS7_decrypt and initialize tkeylen properly when
      encrypting CMS messages.
 -- Louis Bouchard <email address hidden> Wed, 18 Jun 2014 12:22:48 +0200

Changed in openssl098 (Ubuntu Precise):
status: In Progress → Fix Released
Changed in openssl098 (Ubuntu):
status: Invalid → Confirmed
Changed in openssl098 (Ubuntu Saucy):
status: New → Confirmed
Changed in openssl098 (Ubuntu Trusty):
status: New → Confirmed
Changed in openssl098 (Ubuntu Saucy):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in openssl098 (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in openssl098 (Ubuntu Utopic):
assignee: nobody → Marc Deslauriers (mdeslaur)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl098 - 0.9.8o-7ubuntu3.2.13.10.1

---------------
openssl098 (0.9.8o-7ubuntu3.2.13.10.1) saucy-security; urgency=medium

  * SECURITY UPDATE: regression with certain renegotiations (LP: #1332643)
    - debian/patches/CVE-2014-0224-regression2.patch: accept CCS after
      sending finished ssl/s3_clnt.c.
  * Bring up to date with latest security patches from Ubuntu 10.04:
    (LP: #1331452)
  * SECURITY UPDATE: MITM via change cipher spec
    - debian/patches/CVE-2014-0224-1.patch: only accept change cipher spec
      when it is expected in ssl/s3_clnt.c, ssl/s3_pkt.c, ssl/s3_srvr.c,
      ssl/ssl3.h.
    - debian/patches/CVE-2014-0224-2.patch: don't accept zero length master
      secrets in ssl/s3_pkt.c.
    - debian/patches/CVE-2014-0224-3.patch: allow CCS after resumption in
      ssl/s3_clnt.c.
    - CVE-2014-0224
  * SECURITY UPDATE: denial of service via DTLS recursion flaw
    - debian/patches/CVE-2014-0221.patch: handle DTLS hello request without
      recursion in ssl/d1_both.c.
    - CVE-2014-0221
  * SECURITY UPDATE: arbitrary code execution via DTLS invalid fragment
    - debian/patches/CVE-2014-0195.patch: add consistency check for DTLS
      fragments in ssl/d1_both.c.
    - CVE-2014-0195
  * SECURITY UPDATE: "Lucky Thirteen" timing side-channel TLS attack
    - debian/patches/CVE-2013-0169.patch: massive code changes
    - CVE-2013-0169
  * SECURITY UPDATE: denial of service via invalid OCSP key
    - debian/patches/CVE-2013-0166.patch: properly handle NULL key in
      crypto/asn1/a_verify.c, crypto/ocsp/ocsp_vfy.c.
    - CVE-2013-0166
  * SECURITY UPDATE: denial of service attack in DTLS implementation
    - debian/patches/CVE_2012-2333.patch: guard for integer overflow
      before skipping explicit IV
    - CVE-2012-2333
  * SECURITY UPDATE: million message attack (MMA) in CMS and PKCS #7
    - debian/patches/CVE-2012-0884.patch: use a random key if RSA
      decryption fails to avoid leaking timing information
    - CVE-2012-0884
  * debian/patches/CVE-2012-0884-extra.patch: detect symmetric crypto
    - errors in PKCS7_decrypt and initialize tkeylen properly when
      encrypting CMS messages.
 -- Louis Bouchard <email address hidden> Wed, 18 Jun 2014 12:22:48 +0200

Changed in openssl098 (Ubuntu Saucy):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl098 - 0.9.8o-7ubuntu3.2.14.04.1

---------------
openssl098 (0.9.8o-7ubuntu3.2.14.04.1) trusty-security; urgency=medium

  [ Louis Bouchard ]
  * Bring up to date with latest security patches from Ubuntu 10.04:
    (LP: #1331452)
  * SECURITY UPDATE: MITM via change cipher spec
    - debian/patches/CVE-2014-0224-1.patch: only accept change cipher spec
      when it is expected in ssl/s3_clnt.c, ssl/s3_pkt.c, ssl/s3_srvr.c,
      ssl/ssl3.h.
    - debian/patches/CVE-2014-0224-2.patch: don't accept zero length master
      secrets in ssl/s3_pkt.c.
    - debian/patches/CVE-2014-0224-3.patch: allow CCS after resumption in
      ssl/s3_clnt.c.
    - debian/patches/CVE-2014-0224-regression2.patch: accept CCS after
      sending finished ssl/s3_clnt.c.
    - CVE-2014-0224
  * SECURITY UPDATE: denial of service via DTLS recursion flaw
    - debian/patches/CVE-2014-0221.patch: handle DTLS hello request without
      recursion in ssl/d1_both.c.
    - CVE-2014-0221
  * SECURITY UPDATE: arbitrary code execution via DTLS invalid fragment
    - debian/patches/CVE-2014-0195.patch: add consistency check for DTLS
      fragments in ssl/d1_both.c.
    - CVE-2014-0195
  * SECURITY UPDATE: "Lucky Thirteen" timing side-channel TLS attack
    - debian/patches/CVE-2013-0169.patch: massive code changes
    - CVE-2013-0169
  * SECURITY UPDATE: denial of service via invalid OCSP key
    - debian/patches/CVE-2013-0166.patch: properly handle NULL key in
      crypto/asn1/a_verify.c, crypto/ocsp/ocsp_vfy.c.
    - CVE-2013-0166
  * SECURITY UPDATE: denial of service attack in DTLS implementation
    - debian/patches/CVE_2012-2333.patch: guard for integer overflow
      before skipping explicit IV
    - CVE-2012-2333
  * SECURITY UPDATE: million message attack (MMA) in CMS and PKCS #7
    - debian/patches/CVE-2012-0884.patch: use a random key if RSA
      decryption fails to avoid leaking timing information
    - debian/patches/CVE-2012-0884-extra.patch: detect symmetric crypto
      errors in PKCS7_decrypt and initialize tkeylen properly when
      encrypting CMS messages.
    - CVE-2012-0884

  [ Marc Deslauriers ]
  * debian/patches/rehash_pod.patch: updated to fix FTBFS.
  * debian/patches/fix-pod-errors.patch: fix other pod files to fix FTBFS.
 -- Marc Deslauriers <email address hidden> Wed, 02 Jul 2014 09:13:28 -0400

Changed in openssl098 (Ubuntu Trusty):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl098 - 0.9.8o-7ubuntu4

---------------
openssl098 (0.9.8o-7ubuntu4) utopic; urgency=medium

  [ Louis Bouchard ]
  * Bring up to date with latest security patches from Ubuntu 10.04:
    (LP: #1331452)
  * SECURITY UPDATE: MITM via change cipher spec
    - debian/patches/CVE-2014-0224-1.patch: only accept change cipher spec
      when it is expected in ssl/s3_clnt.c, ssl/s3_pkt.c, ssl/s3_srvr.c,
      ssl/ssl3.h.
    - debian/patches/CVE-2014-0224-2.patch: don't accept zero length master
      secrets in ssl/s3_pkt.c.
    - debian/patches/CVE-2014-0224-3.patch: allow CCS after resumption in
      ssl/s3_clnt.c.
    - debian/patches/CVE-2014-0224-regression2.patch: accept CCS after
      sending finished ssl/s3_clnt.c.
    - CVE-2014-0224
  * SECURITY UPDATE: denial of service via DTLS recursion flaw
    - debian/patches/CVE-2014-0221.patch: handle DTLS hello request without
      recursion in ssl/d1_both.c.
    - CVE-2014-0221
  * SECURITY UPDATE: arbitrary code execution via DTLS invalid fragment
    - debian/patches/CVE-2014-0195.patch: add consistency check for DTLS
      fragments in ssl/d1_both.c.
    - CVE-2014-0195
  * SECURITY UPDATE: "Lucky Thirteen" timing side-channel TLS attack
    - debian/patches/CVE-2013-0169.patch: massive code changes
    - CVE-2013-0169
  * SECURITY UPDATE: denial of service via invalid OCSP key
    - debian/patches/CVE-2013-0166.patch: properly handle NULL key in
      crypto/asn1/a_verify.c, crypto/ocsp/ocsp_vfy.c.
    - CVE-2013-0166
  * SECURITY UPDATE: denial of service attack in DTLS implementation
    - debian/patches/CVE_2012-2333.patch: guard for integer overflow
      before skipping explicit IV
    - CVE-2012-2333
  * SECURITY UPDATE: million message attack (MMA) in CMS and PKCS #7
    - debian/patches/CVE-2012-0884.patch: use a random key if RSA
      decryption fails to avoid leaking timing information
    - debian/patches/CVE-2012-0884-extra.patch: detect symmetric crypto
      errors in PKCS7_decrypt and initialize tkeylen properly when
      encrypting CMS messages.
    - CVE-2012-0884

  [ Marc Deslauriers ]
  * debian/patches/rehash_pod.patch: updated to fix FTBFS.
  * debian/patches/fix-pod-errors.patch: fix other pod files to fix FTBFS.
 -- Marc Deslauriers <email address hidden> Wed, 02 Jul 2014 09:16:49 -0400

Changed in openssl098 (Ubuntu Utopic):
status: Confirmed → Fix Released