[Pkg-mysql-commits] r1124 - in trunk/debian: . patches

Norbert Tretkowski nobse at alioth.debian.org
Tue Jan 22 18:48:14 UTC 2008


tags 460873 pending
thanks

Author: nobse
Date: 2008-01-22 18:48:14 +0000 (Tue, 22 Jan 2008)
New Revision: 1124

Added:
   trunk/debian/patches/94_SECURITY_CVE-2008-0226+0227.dpatch
Removed:
   trunk/debian/patches/94_SECURITY_CVE-2008-0226.dpatch
Modified:
   trunk/debian/changelog
   trunk/debian/patches/00list
Log:
Patch submitted yesterday fixes CVE-2008-0227 as well.

Modified: trunk/debian/changelog
===================================================================
--- trunk/debian/changelog	2008-01-21 21:20:33 UTC (rev 1123)
+++ trunk/debian/changelog	2008-01-22 18:48:14 UTC (rev 1124)
@@ -1,16 +1,17 @@
 mysql-dfsg-5.0 (5.0.51-3) UNRELEASED; urgency=high
 
   * SECURITY:
-    Fix for CVE-2008-0226: yaSSL was subject to a pre-authentication
-    buffer-overflow exploit that could lead to remote code execution or a
-    server crash. The exploit requires a server with yaSSL enabled and TCP/IP
-    connections enabled. The exploit does not apply to OpenSSL.
+    Fix for CVE-2008-0226 and CVE-2008-0227: yaSSL was subject to a pre-
+    authentication buffer-overflow exploit that could lead to remote code
+    execution or a server crash. The exploit requires a server with yaSSL
+    enabled and TCP/IP connections enabled. The exploit does not apply to
+    OpenSSL. (closes: #460873)
   * Fix LSB header in init scripts (patch from Petter Reinholdtsen).
     (closes: #458798)
   * Run testsuite on all archs, but ignore errors on alpha, arm, armel, hppa,
     mipsel and sparc. (closes: #460402)
 
- -- Norbert Tretkowski <nobse at debian.org>  Mon, 21 Jan 2008 21:56:54 +0100
+ -- Norbert Tretkowski <nobse at debian.org>  Tue, 22 Jan 2008 19:46:10 +0100
 
 mysql-dfsg-5.0 (5.0.51-2) unstable; urgency=low
 

Modified: trunk/debian/patches/00list
===================================================================
--- trunk/debian/patches/00list	2008-01-21 21:20:33 UTC (rev 1123)
+++ trunk/debian/patches/00list	2008-01-22 18:48:14 UTC (rev 1124)
@@ -18,4 +18,4 @@
 91_SECURITY_CVE-2007-5925.dpatch
 92_SECURITY_CVE-2007-6303.dpatch
 93_SECURITY_CVE-2007-6304.dpatch
-94_SECURITY_CVE-2008-0226.dpatch
+94_SECURITY_CVE-2008-0226+0227.dpatch

Copied: trunk/debian/patches/94_SECURITY_CVE-2008-0226+0227.dpatch (from rev 1123, trunk/debian/patches/94_SECURITY_CVE-2008-0226.dpatch)
===================================================================
--- trunk/debian/patches/94_SECURITY_CVE-2008-0226+0227.dpatch	                        (rev 0)
+++ trunk/debian/patches/94_SECURITY_CVE-2008-0226+0227.dpatch	2008-01-22 18:48:14 UTC (rev 1124)
@@ -0,0 +1,68 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 94_SECURITY_CVE-2008-0226+0227.dpatch by Norbert Tretkowski <nobse at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix for CVE-2008-0226 and CVE-2008-0227: yaSSL was subject to a
+## pre-authentication buffer-overflow exploit that could lead to remote
+## code execution or a server crash. The exploit requires a server with
+## yaSSL enabled and TCP/IP connections enabled. The exploit does not
+## apply to OpenSSL. (closes: #460873)
+
+ at DPATCH@
+diff -Nrup a/extra/yassl/src/handshake.cpp b/extra/yassl/src/handshake.cpp
+--- a/extra/yassl/src/handshake.cpp	2007-01-25 19:34:38 +01:00
++++ b/extra/yassl/src/handshake.cpp	2008-01-11 13:07:51 +01:00
+@@ -527,6 +527,11 @@ void ProcessOldClientHello(input_buffer&
+     input.read(len, sizeof(len));
+     uint16 randomLen;
+     ato16(len, randomLen);
++    if (ch.suite_len_ > MAX_SUITE_SZ || sessionLen > ID_LEN ||
++        randomLen > RAN_LEN) {
++        ssl.SetError(bad_input);
++        return;
++    }
+ 
+     int j = 0;
+     for (uint16 i = 0; i < ch.suite_len_; i += 3) {    
+diff -Nrup a/extra/yassl/src/template_instnt.cpp b/extra/yassl/src/template_instnt.cpp
+--- a/extra/yassl/src/template_instnt.cpp	2006-09-27 14:27:49 +02:00
++++ b/extra/yassl/src/template_instnt.cpp	2008-01-11 13:19:24 +01:00
+@@ -101,6 +101,7 @@ template void ysArrayDelete<unsigned cha
+ template void ysArrayDelete<char>(char*);
+ 
+ template int min<int>(int, int);
++template uint16 min<uint16>(uint16, uint16);
+ template unsigned int min<unsigned int>(unsigned int, unsigned int);
+ template unsigned long min<unsigned long>(unsigned long, unsigned long);
+ }
+diff -Nrup a/extra/yassl/src/yassl_imp.cpp b/extra/yassl/src/yassl_imp.cpp
+--- a/extra/yassl/src/yassl_imp.cpp	2006-11-09 21:20:56 +01:00
++++ b/extra/yassl/src/yassl_imp.cpp	2008-01-11 13:08:06 +01:00
+@@ -621,6 +621,10 @@ void HandShakeHeader::Process(input_buff
+     }
+ 
+     uint len = c24to32(length_);
++    if (len > input.get_remaining()) {
++        ssl.SetError(bad_input);
++        return;
++    }
+     hashHandShake(ssl, input, len);
+ 
+     hs->set_length(len);
+@@ -1391,10 +1395,15 @@ input_buffer& operator>>(input_buffer& i
+     
+     // Suites
+     byte tmp[2];
++    uint16 len;
+     tmp[0] = input[AUTO];
+     tmp[1] = input[AUTO];
+-    ato16(tmp, hello.suite_len_);
++    ato16(tmp, len);
++
++    hello.suite_len_ = min(len, static_cast<uint16>(MAX_SUITE_SZ));
+     input.read(hello.cipher_suites_, hello.suite_len_);
++    if (len > hello.suite_len_) // ignore extra suites
++        input.set_current(input.get_current() + len -  hello.suite_len_);
+ 
+     // Compression
+     hello.comp_len_ = input[AUTO];
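Review bot: In the ClientHello `operator>>` part of the yassl_imp.cpp patch, the peer-supplied `len` is clamped for the copy into `hello.cipher_suites_` but is never compared with the bytes left in the buffer. Both `input.read(hello.cipher_suites_, hello.suite_len_)` and the `input.set_current(input.get_current() + len - hello.suite_len_)` skip can therefore move the cursor past the end of the received data before `hello.comp_len_ = input[AUTO]` runs. The same patch already uses the needed guard in `HandShakeHeader::Process`; a matching `if (len > input.get_remaining())` check right after `ato16(tmp, len);` would close this, unless `input_buffer` itself bounds-checks `read`, `set_current` and `operator[]`, which is not visible here. How the operator should report the failure is also outside the hunk, because its body starts and ends beyond the shown lines and no `ssl` object appears in them.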

Deleted: trunk/debian/patches/94_SECURITY_CVE-2008-0226.dpatch
===================================================================
--- trunk/debian/patches/94_SECURITY_CVE-2008-0226.dpatch	2008-01-21 21:20:33 UTC (rev 1123)
+++ trunk/debian/patches/94_SECURITY_CVE-2008-0226.dpatch	2008-01-22 18:48:14 UTC (rev 1124)
@@ -1,67 +0,0 @@
-#! /bin/sh /usr/share/dpatch/dpatch-run
-## 94_SECURITY_CVE-2008-0226.dpatch by Norbert Tretkowski <nobse at debian.org>
-##
-## All lines beginning with `## DP:' are a description of the patch.
-## DP: Fix for CVE-2008-0226: yaSSL was subject to a pre-authentication
-## buffer-overflow exploit that could lead to remote code execution or a server
-## crash. The exploit requires a server with yaSSL enabled and TCP/IP
-## connections enabled. The exploit does not apply to OpenSSL.
-
- at DPATCH@
-diff -Nrup a/extra/yassl/src/handshake.cpp b/extra/yassl/src/handshake.cpp
---- a/extra/yassl/src/handshake.cpp	2007-01-25 19:34:38 +01:00
-+++ b/extra/yassl/src/handshake.cpp	2008-01-11 13:07:51 +01:00
-@@ -527,6 +527,11 @@ void ProcessOldClientHello(input_buffer&
-     input.read(len, sizeof(len));
-     uint16 randomLen;
-     ato16(len, randomLen);
-+    if (ch.suite_len_ > MAX_SUITE_SZ || sessionLen > ID_LEN ||
-+        randomLen > RAN_LEN) {
-+        ssl.SetError(bad_input);
-+        return;
-+    }
- 
-     int j = 0;
-     for (uint16 i = 0; i < ch.suite_len_; i += 3) {    
-diff -Nrup a/extra/yassl/src/template_instnt.cpp b/extra/yassl/src/template_instnt.cpp
---- a/extra/yassl/src/template_instnt.cpp	2006-09-27 14:27:49 +02:00
-+++ b/extra/yassl/src/template_instnt.cpp	2008-01-11 13:19:24 +01:00
-@@ -101,6 +101,7 @@ template void ysArrayDelete<unsigned cha
- template void ysArrayDelete<char>(char*);
- 
- template int min<int>(int, int);
-+template uint16 min<uint16>(uint16, uint16);
- template unsigned int min<unsigned int>(unsigned int, unsigned int);
- template unsigned long min<unsigned long>(unsigned long, unsigned long);
- }
-diff -Nrup a/extra/yassl/src/yassl_imp.cpp b/extra/yassl/src/yassl_imp.cpp
---- a/extra/yassl/src/yassl_imp.cpp	2006-11-09 21:20:56 +01:00
-+++ b/extra/yassl/src/yassl_imp.cpp	2008-01-11 13:08:06 +01:00
-@@ -621,6 +621,10 @@ void HandShakeHeader::Process(input_buff
-     }
- 
-     uint len = c24to32(length_);
-+    if (len > input.get_remaining()) {
-+        ssl.SetError(bad_input);
-+        return;
-+    }
-     hashHandShake(ssl, input, len);
- 
-     hs->set_length(len);
-@@ -1391,10 +1395,15 @@ input_buffer& operator>>(input_buffer& i
-     
-     // Suites
-     byte tmp[2];
-+    uint16 len;
-     tmp[0] = input[AUTO];
-     tmp[1] = input[AUTO];
--    ato16(tmp, hello.suite_len_);
-+    ato16(tmp, len);
-+
-+    hello.suite_len_ = min(len, static_cast<uint16>(MAX_SUITE_SZ));
-     input.read(hello.cipher_suites_, hello.suite_len_);
-+    if (len > hello.suite_len_) // ignore extra suites
-+        input.set_current(input.get_current() + len -  hello.suite_len_);
- 
-     // Compression
-     hello.comp_len_ = input[AUTO];



