Added a patch to fix CVE-2018-0732
Change-Id: I8f27f31296111d1422c126f3a07b5430c53a8aa2
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/5479
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Sharath George
| 1 | 1 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,42 @@ |
| 0 |
+From 91f7361f47b082ae61ffe1a7b17bb2adf213c7fe Mon Sep 17 00:00:00 2001 |
|
| 1 |
+From: Guido Vranken <guidovranken@gmail.com> |
|
| 2 |
+Date: Mon, 11 Jun 2018 19:38:54 +0200 |
|
| 3 |
+Subject: [PATCH] Reject excessively large primes in DH key generation. |
|
| 4 |
+ |
|
| 5 |
+CVE-2018-0732 |
|
| 6 |
+ |
|
| 7 |
+Signed-off-by: Guido Vranken <guidovranken@gmail.com> |
|
| 8 |
+ |
|
| 9 |
+Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> |
|
| 10 |
+Reviewed-by: Viktor Dukhovni <viktor@openssl.org> |
|
| 11 |
+Reviewed-by: Rich Salz <rsalz@openssl.org> |
|
| 12 |
+Reviewed-by: Matt Caswell <matt@openssl.org> |
|
| 13 |
+(Merged from https://github.com/openssl/openssl/pull/6457) |
|
| 14 |
+--- |
|
| 15 |
+ crypto/dh/dh_key.c | 7 ++++++- |
|
| 16 |
+ 1 file changed, 6 insertions(+), 1 deletion(-) |
|
| 17 |
+ |
|
| 18 |
+diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c |
|
| 19 |
+index 6901548..752542b 100644 |
|
| 20 |
+--- a/crypto/dh/dh_key.c |
|
| 21 |
+@@ -78,10 +78,15 @@ static int generate_key(DH *dh) |
|
| 22 |
+ int ok = 0; |
|
| 23 |
+ int generate_new_key = 0; |
|
| 24 |
+ unsigned l; |
|
| 25 |
+- BN_CTX *ctx; |
|
| 26 |
++ BN_CTX *ctx = NULL; |
|
| 27 |
+ BN_MONT_CTX *mont = NULL; |
|
| 28 |
+ BIGNUM *pub_key = NULL, *priv_key = NULL; |
|
| 29 |
+ |
|
| 30 |
++ if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
|
|
| 31 |
++ DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE); |
|
| 32 |
++ return 0; |
|
| 33 |
++ } |
|
| 34 |
++ |
|
| 35 |
+ ctx = BN_CTX_new(); |
|
| 36 |
+ if (ctx == NULL) |
|
| 37 |
+ goto err; |
|
| 38 |
+-- |
|
| 39 |
+2.7.4 |
|
| 40 |
+ |
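Review bot: The new guard in generate_key(), `if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS)`, has no comment explaining why p is bounded here, or why it leaves with a bare `return 0;` when the very next failure path in the hunk uses `goto err`. A short comment above the check would make both clear, for example `/* Reject an oversized modulus before allocating anything: key generation time grows with the size of p, which may come from the peer (CVE-2018-0732). Nothing to free yet, so return directly. */`. The direct return looks safe because ctx, mont, pub_key and priv_key are all still NULL at that point, but the rest of generate_key() lies outside the hunk, so the cleanup under `err:` cannot be checked from here. Separately, this page shows `--- a/crypto/dh/dh_key.c` followed directly by the `@@ -78,10 +78,15 @@` line, with 41 of the 42 lines the new-file header declares. That is probably a rendering loss, but it is worth confirming the committed file still has its `+++ b/crypto/dh/dh_key.c` line and applies cleanly under `%patch5 -p1`.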
| ... | ... |
@@ -1,7 +1,7 @@ |
| 1 | 1 |
Summary: Management tools and libraries relating to cryptography |
| 2 | 2 |
Name: openssl |
| 3 | 3 |
Version: 1.0.2o |
| 4 |
-Release: 2%{?dist}
|
|
| 4 |
+Release: 3%{?dist}
|
|
| 5 | 5 |
License: OpenSSL |
| 6 | 6 |
URL: http://www.openssl.org |
| 7 | 7 |
Group: System Environment/Security |
| ... | ... |
@@ -15,6 +15,7 @@ Patch1: openssl-1.0.2n-ipv6apps.patch |
| 15 | 15 |
Patch2: openssl-init-conslidate.patch |
| 16 | 16 |
Patch3: openssl-drbg-default-read-system-fips.patch |
| 17 | 17 |
Patch4: CVE-2018-0737.patch |
| 18 |
+Patch5: CVE-2018-0732.patch |
|
| 18 | 19 |
%if %{with_check}
|
| 19 | 20 |
BuildRequires: zlib-devel |
| 20 | 21 |
%endif |
| ... | ... |
@@ -59,6 +60,7 @@ Perl scripts that convert certificates and keys to various formats. |
| 59 | 59 |
%patch2 -p1 |
| 60 | 60 |
%patch3 -p1 |
| 61 | 61 |
%patch4 -p1 |
| 62 |
+%patch5 -p1 |
|
| 62 | 63 |
|
| 63 | 64 |
%build |
| 64 | 65 |
export CFLAGS="%{optflags}"
|
| ... | ... |
@@ -120,6 +122,8 @@ rm -rf %{buildroot}/*
|
| 120 | 120 |
/%{_bindir}/rehash_ca_certificates.sh
|
| 121 | 121 |
|
| 122 | 122 |
%changelog |
| 123 |
+* Mon Aug 13 2018 Ankit Jain <ankitja@vmware.com> 1.0.2o-3 |
|
| 124 |
+- Fix of CVE-2018-0732 |
|
| 123 | 125 |
* Wed Jul 25 2018 Ankit Jain <ankitja@vmware.com> 1.0.2o-2 |
| 124 | 126 |
- Fix of CVE-2018-0737 |
| 125 | 127 |
* Tue Apr 03 2018 Anish Swaminathan <anishs@vmware.com> 1.0.2o-1 |