[Pkg-mysql-commits] r1130 - in branches/etch-5.0/debian: . patches
Norbert Tretkowski
nobse at alioth.debian.org
Thu Jan 24 08:30:05 UTC 2008
tags 460873 pending
thanks
Author: nobse
Date: 2008-01-24 08:30:05 +0000 (Thu, 24 Jan 2008)
New Revision: 1130
Added:
branches/etch-5.0/debian/patches/96_SECURITY_CVE-2008-0226+0227.dpatch
Modified:
branches/etch-5.0/debian/changelog
branches/etch-5.0/debian/patches/00list
Log:
Fix CVE-2008-0226 and CVE-2008-0227 in etch.
Modified: branches/etch-5.0/debian/changelog
===================================================================
--- branches/etch-5.0/debian/changelog 2008-01-23 22:09:15 UTC (rev 1129)
+++ branches/etch-5.0/debian/changelog 2008-01-24 08:30:05 UTC (rev 1130)
@@ -1,3 +1,15 @@
+mysql-dfsg-5.0 (5.0.32-7etch5) stable-security; urgency=high
+
+ * SECURITY:
+ Fix for CVE-2008-0226 and CVE-2008-0227: Three vulnerabilities in yaSSL
+ versions 1.7.5 and earlier were discovered that could lead to a server
+ crash or execution of unauthorized code. The exploit requires a server
+ with yaSSL enabled and TCP/IP connections enabled, but does not require
+ valid MySQL account credentials. The exploit does not apply to OpenSSL.
+ (closes: #460873)
+
+ -- Norbert Tretkowski <nobse at debian.org> Thu, 24 Jan 2008 09:22:03 +0100
+
mysql-dfsg-5.0 (5.0.32-7etch4) stable-security; urgency=high
* SECURITY:
Modified: branches/etch-5.0/debian/patches/00list
===================================================================
--- branches/etch-5.0/debian/patches/00list 2008-01-23 22:09:15 UTC (rev 1129)
+++ branches/etch-5.0/debian/patches/00list 2008-01-24 08:30:05 UTC (rev 1130)
@@ -27,3 +27,4 @@
95_SECURITY_CVE-2007-3781.dpatch
95_SECURITY_CVE-2007-5969.dpatch
95_SECURITY_CVE-2007-6304.dpatch
+96_SECURITY_CVE-2008-0226+0227.dpatch
Added: branches/etch-5.0/debian/patches/96_SECURITY_CVE-2008-0226+0227.dpatch
===================================================================
--- branches/etch-5.0/debian/patches/96_SECURITY_CVE-2008-0226+0227.dpatch (rev 0)
+++ branches/etch-5.0/debian/patches/96_SECURITY_CVE-2008-0226+0227.dpatch 2008-01-24 08:30:05 UTC (rev 1130)
@@ -0,0 +1,68 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 96_SECURITY_CVE-2008-0226+0227.dpatch by Norbert Tretkowski <nobse at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix for CVE-2008-0226 and CVE-2008-0227: Three vulnerabilities in yaSSL
+## DP: versions 1.7.5 and earlier were discovered that could lead to a server
+## DP: crash or execution of unauthorized code. The exploit requires a server
+## DP: with yaSSL enabled and TCP/IP connections enabled, but does not require
+## DP: valid MySQL account credentials. The exploit does not apply to OpenSSL.
+
+ at DPATCH@
+diff -Nrup a/extra/yassl/src/handshake.cpp b/extra/yassl/src/handshake.cpp
+--- a/extra/yassl/src/handshake.cpp 2007-01-25 19:34:38 +01:00
++++ b/extra/yassl/src/handshake.cpp 2008-01-11 13:07:51 +01:00
+@@ -527,6 +527,11 @@ void ProcessOldClientHello(input_buffer&
+ input.read(len, sizeof(len));
+ uint16 randomLen;
+ ato16(len, randomLen);
++ if (ch.suite_len_ > MAX_SUITE_SZ || sessionLen > ID_LEN ||
++ randomLen > RAN_LEN) {
++ ssl.SetError(bad_input);
++ return;
++ }
+
+ int j = 0;
+ for (uint16 i = 0; i < ch.suite_len_; i += 3) {
+diff -Nrup a/extra/yassl/src/template_instnt.cpp b/extra/yassl/src/template_instnt.cpp
+--- a/extra/yassl/src/template_instnt.cpp 2006-09-27 14:27:49 +02:00
++++ b/extra/yassl/src/template_instnt.cpp 2008-01-11 13:19:24 +01:00
+@@ -101,6 +101,7 @@ template void ysArrayDelete<unsigned cha
+ template void ysArrayDelete<char>(char*);
+
+ template int min<int>(int, int);
++template uint16 min<uint16>(uint16, uint16);
+ template unsigned int min<unsigned int>(unsigned int, unsigned int);
+ template unsigned long min<unsigned long>(unsigned long, unsigned long);
+ }
+diff -Nrup a/extra/yassl/src/yassl_imp.cpp b/extra/yassl/src/yassl_imp.cpp
+--- a/extra/yassl/src/yassl_imp.cpp 2006-11-09 21:20:56 +01:00
++++ b/extra/yassl/src/yassl_imp.cpp 2008-01-11 13:08:06 +01:00
+@@ -621,6 +621,10 @@ void HandShakeHeader::Process(input_buff
+ }
+
+ uint len = c24to32(length_);
++ if (len > input.get_remaining()) {
++ ssl.SetError(bad_input);
++ return;
++ }
+ hashHandShake(ssl, input, len);
+
+ hs->set_length(len);
+@@ -1391,10 +1395,15 @@ input_buffer& operator>>(input_buffer& i
+
+ // Suites
+ byte tmp[2];
++ uint16 len;
+ tmp[0] = input[AUTO];
+ tmp[1] = input[AUTO];
+- ato16(tmp, hello.suite_len_);
++ ato16(tmp, len);
++
++ hello.suite_len_ = min(len, static_cast<uint16>(MAX_SUITE_SZ));
+ input.read(hello.cipher_suites_, hello.suite_len_);
++ if (len > hello.suite_len_) // ignore extra suites
++ input.set_current(input.get_current() + len - hello.suite_len_);
+
+ // Compression
+ hello.comp_len_ = input[AUTO];
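Review bot: In the ClientHello `operator>>` hunk of yassl_imp.cpp, the new skip `input.set_current(input.get_current() + len - hello.suite_len_)` advances the cursor by a peer-supplied amount that is never compared with the bytes left in the buffer. If `input_buffer` does not bounds-check on its own (not visible in this patch), a declared suite length larger than the record leaves the cursor past the end before `hello.comp_len_ = input[AUTO]` runs; the preceding `input.read(hello.cipher_suites_, hello.suite_len_)` has the same dependency. I would mirror the `HandShakeHeader::Process` hunk and test `if (len > input.get_remaining())` right after `ato16(tmp, len)`, failing the handshake there through whatever error path this operator has. The new guard in `ProcessOldClientHello` (handshake.cpp) has the same gap: it bounds `ch.suite_len_`, `sessionLen` and `randomLen` by the destination sizes but not by the remaining input. Both functions continue outside their hunks, so later reads may already cover part of this.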