wheezy: update for polarssl's CVE-2015-5291
Hi,
I've forward ported Thorsten's fix fow squeeze to wheezy and added some
autopkgtest (debdiff attached). Please find the debdiff attached. I'd be
happy to upload ths to security master.
Cheers,
-- Guido
diff --git a/debian/changelog b/debian/changelog
index b52643b..b6c42f0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+polarssl (1.2.9-1~deb7u6) wheezy-security; urgency=high
+
+ * Non-maintainer upload by the LTS Security Team.
+ * CVE-2015-5291: Remote attack on clients using session tickets or SNI
+
+ -- Guido Günther <agx@sigxcpu.org> Sat, 23 Jan 2016 15:47:29 +0100
+
polarssl (1.2.9-1~deb7u5) wheezy-security; urgency=high
* Non-maintainer upload by the Security Team.
diff --git a/debian/patches/CVE-2015-5291-1.patch b/debian/patches/CVE-2015-5291-1.patch
new file mode 100644
index 0000000..f1dc35c
--- /dev/null
+++ b/debian/patches/CVE-2015-5291-1.patch
@@ -0,0 +1,27 @@
+Index: polarssl-1.2.9/include/polarssl/ssl.h
+===================================================================
+--- polarssl-1.2.9.orig/include/polarssl/ssl.h 2015-10-22 15:42:52.000000000 +0200
++++ polarssl-1.2.9/include/polarssl/ssl.h 2015-10-22 15:44:14.000000000 +0200
+@@ -123,6 +123,8 @@
+ #define SSL_LEGACY_ALLOW_RENEGOTIATION 1
+ #define SSL_LEGACY_BREAK_HANDSHAKE 2
+
++#define SSL_MAX_HOST_NAME_LEN 255 /*!< Maximum host name defined in RFC 1035 */
++
+ /*
+ * Size of the input / output buffer.
+ * Note: the RFC defines the default size of SSL / TLS messages. If you
+Index: polarssl-1.2.9/library/ssl_tls.c
+===================================================================
+--- polarssl-1.2.9.orig/library/ssl_tls.c 2015-10-22 15:42:52.000000000 +0200
++++ polarssl-1.2.9/library/ssl_tls.c 2015-10-22 15:45:02.000000000 +0200
+@@ -3260,6 +3260,9 @@
+ if( ssl->hostname_len + 1 == 0 )
+ return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
+
++ if( ssl->hostname_len > SSL_MAX_HOST_NAME_LEN )
++ return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
++
+ ssl->hostname = (unsigned char *) malloc( ssl->hostname_len + 1 );
+
+ if( ssl->hostname == NULL )
diff --git a/debian/patches/series b/debian/patches/series
index 929750e..06dd432 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,3 +5,11 @@
CVE-2014-4911.patch
CVE-2014-8628.patch
CVE-2015-1182.patch
+
+# fix for CVE-2015-5291
+# -> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5291
+CVE-2015-5291-1.patch
+# vulnerable code not present
+#CVE-2015-5291-2.patch
+#CVE-2015-5291-3.patch
+#CVE-2015-5291-4.patch
diff --git a/debian/patches/vulernable-code-not-present/CVE-2015-5291-2.patch b/debian/patches/vulernable-code-not-present/CVE-2015-5291-2.patch
new file mode 100644
index 0000000..f4d43ee
--- /dev/null
+++ b/debian/patches/vulernable-code-not-present/CVE-2015-5291-2.patch
@@ -0,0 +1,323 @@
+diff --git a/library/ssl_cli.c b/library/ssl_cli.c
+index f603cff..deeee33 100644
+--- a/library/ssl_cli.c
++++ b/library/ssl_cli.c
+@@ -65,6 +65,7 @@ static void ssl_write_hostname_ext( ssl_context *ssl,
+ size_t *olen )
+ {
+ unsigned char *p = buf;
++ const unsigned char *end = ssl->out_msg + SSL_MAX_CONTENT_LEN;
+
+ *olen = 0;
+
+@@ -74,6 +75,12 @@ static void ssl_write_hostname_ext( ssl_context *ssl,
+ SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s",
+ ssl->hostname ) );
+
++ if( (size_t)(end - p) < ssl->hostname_len + 9 )
++ {
++ SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
++ return;
++ }
++
+ /*
+ * struct {
+ * NameType name_type;
+@@ -117,6 +124,7 @@ static void ssl_write_renegotiation_ext( ssl_context *ssl,
+ size_t *olen )
+ {
+ unsigned char *p = buf;
++ const unsigned char *end = ssl->out_msg + SSL_MAX_CONTENT_LEN;
+
+ *olen = 0;
+
+@@ -125,6 +133,12 @@ static void ssl_write_renegotiation_ext( ssl_context *ssl,
+
+ SSL_DEBUG_MSG( 3, ( "client hello, adding renegotiation extension" ) );
+
++ if( (size_t)(end - p) < 5 + ssl->verify_data_len )
++ {
++ SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
++ return;
++ }
++
+ /*
+ * Secure renegotiation
+ */
+@@ -151,6 +165,7 @@ static void ssl_write_signature_algorithms_ext( ssl_context *ssl,
+ size_t *olen )
+ {
+ unsigned char *p = buf;
++ const unsigned char *end = ssl->out_msg + SSL_MAX_CONTENT_LEN;
+ size_t sig_alg_len = 0;
+ #if defined(POLARSSL_RSA_C) || defined(POLARSSL_ECDSA_C)
+ unsigned char *sig_alg_list = buf + 6;
+@@ -163,9 +178,54 @@ static void ssl_write_signature_algorithms_ext( ssl_context *ssl,
+
+ SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) );
+
++#if defined(POLARSSL_RSA_C)
++#if defined(POLARSSL_SHA512_C)
++ /* SHA512 + RSA signature, SHA384 + RSA signature */
++ sig_alg_len += 4;
++#endif
++#if defined(POLARSSL_SHA256_C)
++ /* SHA256 + RSA signature, SHA224 + RSA signature */
++ sig_alg_len += 4;
++#endif
++#if defined(POLARSSL_SHA1_C)
++ /* SHA1 + RSA signature */
++ sig_alg_len += 2;
++#endif
++#if defined(POLARSSL_MD5_C)
++ /* MD5 + RSA signature */
++ sig_alg_len += 2;
++#endif
++#endif /* POLARSSL_RSA_C */
++#if defined(POLARSSL_ECDSA_C)
++#if defined(POLARSSL_SHA512_C)
++ /* SHA512 + ECDSA signature, SHA384 + ECDSA signature */
++ sig_alg_len += 4;
++#endif
++#if defined(POLARSSL_SHA256_C)
++ /* SHA256 + ECDSA signature, SHA224 + ECDSA signature */
++ sig_alg_len += 4;
++#endif
++#if defined(POLARSSL_SHA1_C)
++ /* SHA1 + ECDSA signature */
++ sig_alg_len += 2;
++#endif
++#if defined(POLARSSL_MD5_C)
++ /* MD5 + ECDSA signature */
++ sig_alg_len += 2;
++#endif
++#endif /* POLARSSL_ECDSA_C */
++
++ if( end < p || (size_t)( end - p ) < sig_alg_len + 6 )
++ {
++ SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
++ return;
++ }
++
+ /*
+ * Prepare signature_algorithms extension (TLS 1.2)
+ */
++ sig_alg_len = 0;
++
+ #if defined(POLARSSL_RSA_C)
+ #if defined(POLARSSL_SHA512_C)
+ sig_alg_list[sig_alg_len++] = SSL_HASH_SHA512;
+@@ -248,6 +308,7 @@ static void ssl_write_supported_elliptic_curves_ext( ssl_context *ssl,
+ size_t *olen )
+ {
+ unsigned char *p = buf;
++ const unsigned char *end = ssl->out_msg + SSL_MAX_CONTENT_LEN;
+ unsigned char *elliptic_curve_list = p + 6;
+ size_t elliptic_curve_len = 0;
+ const ecp_curve_info *info;
+@@ -269,6 +330,25 @@ static void ssl_write_supported_elliptic_curves_ext( ssl_context *ssl,
+ for( info = ecp_curve_list(); info->grp_id != POLARSSL_ECP_DP_NONE; info++ )
+ {
+ #endif
++ elliptic_curve_len += 2;
++ }
++
++ if( end < p || (size_t)( end - p ) < 6 + elliptic_curve_len )
++ {
++ SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
++ return;
++ }
++
++ elliptic_curve_len = 0;
++
++#if defined(POLARSSL_SSL_SET_CURVES)
++ for( grp_id = ssl->curve_list; *grp_id != POLARSSL_ECP_DP_NONE; grp_id++ )
++ {
++ info = ecp_curve_info_from_grp_id( *grp_id );
++#else
++ for( info = ecp_curve_list(); info->grp_id != POLARSSL_ECP_DP_NONE; info++ )
++ {
++#endif
+
+ elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8;
+ elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF;
+@@ -294,12 +374,18 @@ static void ssl_write_supported_point_formats_ext( ssl_context *ssl,
+ size_t *olen )
+ {
+ unsigned char *p = buf;
+- ((void) ssl);
++ const unsigned char *end = ssl->out_msg + SSL_MAX_CONTENT_LEN;
+
+ *olen = 0;
+
+ SSL_DEBUG_MSG( 3, ( "client hello, adding supported_point_formats extension" ) );
+
++ if( end < p || (size_t)( end - p ) < 6 )
++ {
++ SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
++ return;
++ }
++
+ *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
+ *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
+
+@@ -319,14 +405,21 @@ static void ssl_write_max_fragment_length_ext( ssl_context *ssl,
+ size_t *olen )
+ {
+ unsigned char *p = buf;
++ const unsigned char *end = ssl->out_msg + SSL_MAX_CONTENT_LEN;
+
+- if( ssl->mfl_code == SSL_MAX_FRAG_LEN_NONE ) {
+- *olen = 0;
++ *olen = 0;
++
++ if( ssl->mfl_code == SSL_MAX_FRAG_LEN_NONE )
+ return;
+- }
+
+ SSL_DEBUG_MSG( 3, ( "client hello, adding max_fragment_length extension" ) );
+
++ if( end < p || (size_t)( end - p ) < 5 )
++ {
++ SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
++ return;
++ }
++
+ *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
+ *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
+
+@@ -344,15 +437,21 @@ static void ssl_write_truncated_hmac_ext( ssl_context *ssl,
+ unsigned char *buf, size_t *olen )
+ {
+ unsigned char *p = buf;
++ const unsigned char *end = ssl->out_msg + SSL_MAX_CONTENT_LEN;
++
++ *olen = 0;
+
+ if( ssl->trunc_hmac == SSL_TRUNC_HMAC_DISABLED )
+- {
+- *olen = 0;
+ return;
+- }
+
+ SSL_DEBUG_MSG( 3, ( "client hello, adding truncated_hmac extension" ) );
+
++ if( end < p || (size_t)( end - p ) < 4 )
++ {
++ SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
++ return;
++ }
++
+ *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
+ *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
+
+@@ -368,17 +467,25 @@ static void ssl_write_encrypt_then_mac_ext( ssl_context *ssl,
+ unsigned char *buf, size_t *olen )
+ {
+ unsigned char *p = buf;
++ const unsigned char *end = ssl->out_msg + SSL_MAX_CONTENT_LEN;
++
++ *olen = 0;
+
+ if( ssl->encrypt_then_mac == SSL_ETM_DISABLED ||
+ ssl->max_minor_ver == SSL_MINOR_VERSION_0 )
+ {
+- *olen = 0;
+ return;
+ }
+
+ SSL_DEBUG_MSG( 3, ( "client hello, adding encrypt_then_mac "
+ "extension" ) );
+
++ if( end < p || (size_t)( end - p ) < 4 )
++ {
++ SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
++ return;
++ }
++
+ *p++ = (unsigned char)( ( TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );
+ *p++ = (unsigned char)( ( TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF );
+
+@@ -394,17 +501,25 @@ static void ssl_write_extended_ms_ext( ssl_context *ssl,
+ unsigned char *buf, size_t *olen )
+ {
+ unsigned char *p = buf;
++ const unsigned char *end = ssl->out_msg + SSL_MAX_CONTENT_LEN;
++
++ *olen = 0;
+
+ if( ssl->extended_ms == SSL_EXTENDED_MS_DISABLED ||
+ ssl->max_minor_ver == SSL_MINOR_VERSION_0 )
+ {
+- *olen = 0;
+ return;
+ }
+
+ SSL_DEBUG_MSG( 3, ( "client hello, adding extended_master_secret "
+ "extension" ) );
+
++ if( end < p || (size_t)( end - p ) < 4 )
++ {
++ SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
++ return;
++ }
++
+ *p++ = (unsigned char)( ( TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF );
+ *p++ = (unsigned char)( ( TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF );
+
+@@ -420,16 +535,22 @@ static void ssl_write_session_ticket_ext( ssl_context *ssl,
+ unsigned char *buf, size_t *olen )
+ {
+ unsigned char *p = buf;
++ const unsigned char *end = ssl->out_msg + SSL_MAX_CONTENT_LEN;
+ size_t tlen = ssl->session_negotiate->ticket_len;
+
++ *olen = 0;
++
+ if( ssl->session_tickets == SSL_SESSION_TICKETS_DISABLED )
+- {
+- *olen = 0;
+ return;
+- }
+
+ SSL_DEBUG_MSG( 3, ( "client hello, adding session ticket extension" ) );
+
++ if( end < p || (size_t)( end - p ) < 4 + tlen )
++ {
++ SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
++ return;
++ }
++
+ *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
+ *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET ) & 0xFF );
+
+@@ -457,16 +578,26 @@ static void ssl_write_alpn_ext( ssl_context *ssl,
+ unsigned char *buf, size_t *olen )
+ {
+ unsigned char *p = buf;
++ const unsigned char *end = ssl->out_msg + SSL_MAX_CONTENT_LEN;
++ size_t alpnlen = 0;
+ const char **cur;
+
++ *olen = 0;
++
+ if( ssl->alpn_list == NULL )
+- {
+- *olen = 0;
+ return;
+- }
+
+ SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) );
+
++ for( cur = ssl->alpn_list; *cur != NULL; cur++ )
++ alpnlen += (unsigned char)( strlen( *cur ) & 0xFF ) + 1;
++
++ if( end < p || (size_t)( end - p ) < 6 + alpnlen )
++ {
++ SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
++ return;
++ }
++
+ *p++ = (unsigned char)( ( TLS_EXT_ALPN >> 8 ) & 0xFF );
+ *p++ = (unsigned char)( ( TLS_EXT_ALPN ) & 0xFF );
+
diff --git a/debian/patches/vulernable-code-not-present/CVE-2015-5291-3.patch b/debian/patches/vulernable-code-not-present/CVE-2015-5291-3.patch
new file mode 100644
index 0000000..52a0f4a
--- /dev/null
+++ b/debian/patches/vulernable-code-not-present/CVE-2015-5291-3.patch
@@ -0,0 +1,51 @@
+diff --git a/ChangeLog b/ChangeLog
+index 44f4408..ddba5c0 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,5 +1,15 @@
+ mbed TLS ChangeLog (Sorted per branch, date)
+
++= mbed TLS 1.3.14 released 2015-10-xx
++
++Security
++ * Added fix for CVE-2015-xxxxx to prevent heap corruption due to buffer
++ overflow of the hostname or session ticket. (Found by Guido Vranken)
++
++Changes
++ * Added checking of hostname length in ssl_set_hostname() to ensure domain
++ names are compliant with RFC 1035.
++
+ = mbed TLS 1.3.13 reladsed 2015-09-17
+
+ Security
+diff --git a/library/ssl_cli.c b/library/ssl_cli.c
+index deeee33..ef86cd2 100644
+--- a/library/ssl_cli.c
++++ b/library/ssl_cli.c
+@@ -75,7 +75,7 @@ static void ssl_write_hostname_ext( ssl_context *ssl,
+ SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s",
+ ssl->hostname ) );
+
+- if( (size_t)(end - p) < ssl->hostname_len + 9 )
++ if( end < p || (size_t)( end - p ) < ssl->hostname_len + 9 )
+ {
+ SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
+ return;
+@@ -877,13 +877,13 @@ static int ssl_write_client_hello( ssl_context *ssl )
+ ext_len += olen;
+ #endif
+
+-#if defined(POLARSSL_SSL_SESSION_TICKETS)
+- ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
++#if defined(POLARSSL_SSL_ALPN)
++ ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
+ ext_len += olen;
+ #endif
+
+-#if defined(POLARSSL_SSL_ALPN)
+- ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
++#if defined(POLARSSL_SSL_SESSION_TICKETS)
++ ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
+ ext_len += olen;
+ #endif
+
diff --git a/debian/patches/vulernable-code-not-present/CVE-2015-5291-4.patch b/debian/patches/vulernable-code-not-present/CVE-2015-5291-4.patch
new file mode 100644
index 0000000..2019491
--- /dev/null
+++ b/debian/patches/vulernable-code-not-present/CVE-2015-5291-4.patch
@@ -0,0 +1,13 @@
+diff --git a/library/ssl_cli.c b/library/ssl_cli.c
+index 39dc02e..ef86cd2 100644
+--- a/library/ssl_cli.c
++++ b/library/ssl_cli.c
+@@ -133,7 +133,7 @@ static void ssl_write_renegotiation_ext( ssl_context *ssl,
+
+ SSL_DEBUG_MSG( 3, ( "client hello, adding renegotiation extension" ) );
+
+- if( end < p || (size_t)(end - p) < 5 + ssl->verify_data_len )
++ if( (size_t)(end - p) < 5 + ssl->verify_data_len )
+ {
+ SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
+ return;
diff --git a/debian/tests/build-test b/debian/tests/build-test
new file mode 100755
index 0000000..42b7127
--- /dev/null
+++ b/debian/tests/build-test
@@ -0,0 +1,10 @@
+#!/usr/bin/make -f
+
+CFLAGS = -O2 -D_FILE_OFFSET_BITS=64 -Wall
+LDFLAGS += -lpolarssl
+
+a.out: programs/hash/hello.c
+ $(CC) $(CFLAGS) $(OFLAGS) $< $(LDFLAGS)
+ @echo "Build test of $< succeeded"
+ ./a.out
+ @rm -f a.out
diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 0000000..9b777fd
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,5 @@
+Tests: smoke
+Depends: libpolarssl-runtime
+
+Tests: build-test
+Depends: libpolarssl-dev
diff --git a/debian/tests/smoke b/debian/tests/smoke
new file mode 100755
index 0000000..03df087
--- /dev/null
+++ b/debian/tests/smoke
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+set -e
+
+# Excercise some of the demos
+polarssl_hello
+polarssl_mpi_demo
+
+# Make sure output is identical to coreutil versions
+[ "$(polarssl_sha1sum /etc/passwd)" = "$(sha1sum /etc/passwd)" ]
+[ "$(polarssl_md5sum /etc/passwd)" = "$(md5sum /etc/passwd)" ]
+
+# Run the selftest
+polarssl_selftest
+
+echo 'Smoke test of polarssl succesful'
+exit 0
Reply to: