Browse code
openssl: Fix for CVE-2018-0732
Added a patch to fix CVE-2018-0732
Change-Id: I6e89e45ddf68f68c46761c12a0c048e9e0c1f780
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/5480
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Sharath George
Ankit Jain authored on 2018/08/13 23:24:49Showing 2 changed files
| 1 | 1 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,42 @@ |
| 0 |
+From 91f7361f47b082ae61ffe1a7b17bb2adf213c7fe Mon Sep 17 00:00:00 2001 |
|
| 1 |
+From: Guido Vranken <guidovranken@gmail.com> |
|
| 2 |
+Date: Mon, 11 Jun 2018 19:38:54 +0200 |
|
| 3 |
+Subject: [PATCH] Reject excessively large primes in DH key generation. |
|
| 4 |
+ |
|
| 5 |
+CVE-2018-0732 |
|
| 6 |
+ |
|
| 7 |
+Signed-off-by: Guido Vranken <guidovranken@gmail.com> |
|
| 8 |
+ |
|
| 9 |
+Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> |
|
| 10 |
+Reviewed-by: Viktor Dukhovni <viktor@openssl.org> |
|
| 11 |
+Reviewed-by: Rich Salz <rsalz@openssl.org> |
|
| 12 |
+Reviewed-by: Matt Caswell <matt@openssl.org> |
|
| 13 |
+(Merged from https://github.com/openssl/openssl/pull/6457) |
|
| 14 |
+--- |
|
| 15 |
+ crypto/dh/dh_key.c | 7 ++++++- |
|
| 16 |
+ 1 file changed, 6 insertions(+), 1 deletion(-) |
|
| 17 |
+ |
|
| 18 |
+diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c |
|
| 19 |
+index 6901548..752542b 100644 |
|
| 20 |
+--- a/crypto/dh/dh_key.c |
|
| 21 |
+@@ -78,10 +78,15 @@ static int generate_key(DH *dh) |
|
| 22 |
+ int ok = 0; |
|
| 23 |
+ int generate_new_key = 0; |
|
| 24 |
+ unsigned l; |
|
| 25 |
+- BN_CTX *ctx; |
|
| 26 |
++ BN_CTX *ctx = NULL; |
|
| 27 |
+ BN_MONT_CTX *mont = NULL; |
|
| 28 |
+ BIGNUM *pub_key = NULL, *priv_key = NULL; |
|
| 29 |
+ |
|
| 30 |
++ if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
|
|
| 31 |
++ DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE); |
|
| 32 |
++ return 0; |
|
| 33 |
++ } |
|
| 34 |
++ |
|
| 35 |
+ ctx = BN_CTX_new(); |
|
| 36 |
+ if (ctx == NULL) |
|
| 37 |
+ goto err; |
|
| 38 |
+-- |
|
| 39 |
+2.7.4 |
|
| 40 |
+ |
| ... | ... |
@@ -1,7 +1,7 @@ |
| 1 | 1 |
Summary: Management tools and libraries relating to cryptography |
| 2 | 2 |
Name: openssl |
| 3 | 3 |
Version: 1.0.2o |
| 4 |
-Release: 2%{?dist}
|
|
| 4 |
+Release: 3%{?dist}
|
|
| 5 | 5 |
License: OpenSSL |
| 6 | 6 |
URL: http://www.openssl.org |
| 7 | 7 |
Group: System Environment/Security |
| ... | ... |
@@ -14,6 +14,7 @@ Patch1: openssl-1.0.2n-ipv6apps.patch |
| 14 | 14 |
Patch2: openssl-init-conslidate.patch |
| 15 | 15 |
Patch3: openssl-drbg-default-read-system-fips.patch |
| 16 | 16 |
Patch4: CVE-2018-0737.patch |
| 17 |
+Patch5: CVE-2018-0732.patch |
|
| 17 | 18 |
Requires: bash glibc libgcc |
| 18 | 19 |
|
| 19 | 20 |
%description |
| ... | ... |
@@ -55,6 +56,7 @@ Perl scripts that convert certificates and keys to various formats. |
| 55 | 55 |
%patch2 -p1 |
| 56 | 56 |
%patch3 -p1 |
| 57 | 57 |
%patch4 -p1 |
| 58 |
+%patch5 -p1 |
|
| 58 | 59 |
|
| 59 | 60 |
%build |
| 60 | 61 |
export CFLAGS="%{optflags}"
|
| ... | ... |
@@ -114,6 +116,8 @@ rm -rf %{buildroot}/*
|
| 114 | 114 |
/%{_bindir}/c_rehash
|
| 115 | 115 |
|
| 116 | 116 |
%changelog |
| 117 |
+* Mon Aug 13 2018 Ankit Jain <ankitja@vmware.com> 1.0.2o-3 |
|
| 118 |
+- Fix of CVE-2018-0732 |
|
| 117 | 119 |
* Wed Jun 13 2018 Dweep Advani <dadvani@vmware.com> 1.0.2o-2 |
| 118 | 120 |
- Fix of CVE CVE-2018-0737 |
| 119 | 121 |
* Tue Apr 03 2018 Anish Swaminathan <anishs@vmware.com> 1.0.2o-1 |