Re: wheezy: update for polarssl's CVE-2015-5291
Hi Guido,
thanks for the debdiff. It looks OK, so feel free to upload it. Once
that's done, I'll release the DSA.
Cheers,
--Seb
On Jan/23, Guido Günther wrote:
> Hi,
> I've forward ported Thorsten's fix fow squeeze to wheezy and added some
> autopkgtest (debdiff attached). Please find the debdiff attached. I'd be
> happy to upload ths to security master.
> Cheers,
> -- Guido
> diff --git a/debian/changelog b/debian/changelog
> index b52643b..b6c42f0 100644
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,10 @@
> +polarssl (1.2.9-1~deb7u6) wheezy-security; urgency=high
> +
> + * Non-maintainer upload by the LTS Security Team.
> + * CVE-2015-5291: Remote attack on clients using session tickets or SNI
> +
> + -- Guido Günther <agx@sigxcpu.org> Sat, 23 Jan 2016 15:47:29 +0100
> +
> polarssl (1.2.9-1~deb7u5) wheezy-security; urgency=high
>
> * Non-maintainer upload by the Security Team.
> diff --git a/debian/patches/CVE-2015-5291-1.patch b/debian/patches/CVE-2015-5291-1.patch
> new file mode 100644
> index 0000000..f1dc35c
> --- /dev/null
> +++ b/debian/patches/CVE-2015-5291-1.patch
> @@ -0,0 +1,27 @@
> +Index: polarssl-1.2.9/include/polarssl/ssl.h
> +===================================================================
> +--- polarssl-1.2.9.orig/include/polarssl/ssl.h 2015-10-22 15:42:52.000000000 +0200
> ++++ polarssl-1.2.9/include/polarssl/ssl.h 2015-10-22 15:44:14.000000000 +0200
> +@@ -123,6 +123,8 @@
> + #define SSL_LEGACY_ALLOW_RENEGOTIATION 1
> + #define SSL_LEGACY_BREAK_HANDSHAKE 2
> +
> ++#define SSL_MAX_HOST_NAME_LEN 255 /*!< Maximum host name defined in RFC 1035 */
> ++
> + /*
> + * Size of the input / output buffer.
> + * Note: the RFC defines the default size of SSL / TLS messages. If you
> +Index: polarssl-1.2.9/library/ssl_tls.c
> +===================================================================
> +--- polarssl-1.2.9.orig/library/ssl_tls.c 2015-10-22 15:42:52.000000000 +0200
> ++++ polarssl-1.2.9/library/ssl_tls.c 2015-10-22 15:45:02.000000000 +0200
> +@@ -3260,6 +3260,9 @@
> + if( ssl->hostname_len + 1 == 0 )
> + return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
> +
> ++ if( ssl->hostname_len > SSL_MAX_HOST_NAME_LEN )
> ++ return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
> ++
> + ssl->hostname = (unsigned char *) malloc( ssl->hostname_len + 1 );
> +
> + if( ssl->hostname == NULL )
> diff --git a/debian/patches/series b/debian/patches/series
> index 929750e..06dd432 100644
> --- a/debian/patches/series
> +++ b/debian/patches/series
> @@ -5,3 +5,11 @@
> CVE-2014-4911.patch
> CVE-2014-8628.patch
> CVE-2015-1182.patch
> +
> +# fix for CVE-2015-5291
> +# -> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5291
> +CVE-2015-5291-1.patch
> +# vulnerable code not present
> +#CVE-2015-5291-2.patch
> +#CVE-2015-5291-3.patch
> +#CVE-2015-5291-4.patch
> diff --git a/debian/patches/vulernable-code-not-present/CVE-2015-5291-2.patch b/debian/patches/vulernable-code-not-present/CVE-2015-5291-2.patch
> new file mode 100644
> index 0000000..f4d43ee
> --- /dev/null
> +++ b/debian/patches/vulernable-code-not-present/CVE-2015-5291-2.patch
> @@ -0,0 +1,323 @@
> +diff --git a/library/ssl_cli.c b/library/ssl_cli.c
> +index f603cff..deeee33 100644
> +--- a/library/ssl_cli.c
> ++++ b/library/ssl_cli.c
> +@@ -65,6 +65,7 @@ static void ssl_write_hostname_ext( ssl_context *ssl,
> + size_t *olen )
> + {
> + unsigned char *p = buf;
> ++ const unsigned char *end = ssl->out_msg + SSL_MAX_CONTENT_LEN;
> +
> + *olen = 0;
> +
> +@@ -74,6 +75,12 @@ static void ssl_write_hostname_ext( ssl_context *ssl,
> + SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s",
> + ssl->hostname ) );
> +
> ++ if( (size_t)(end - p) < ssl->hostname_len + 9 )
> ++ {
> ++ SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
> ++ return;
> ++ }
> ++
> + /*
> + * struct {
> + * NameType name_type;
> +@@ -117,6 +124,7 @@ static void ssl_write_renegotiation_ext( ssl_context *ssl,
> + size_t *olen )
> + {
> + unsigned char *p = buf;
> ++ const unsigned char *end = ssl->out_msg + SSL_MAX_CONTENT_LEN;
> +
> + *olen = 0;
> +
> +@@ -125,6 +133,12 @@ static void ssl_write_renegotiation_ext( ssl_context *ssl,
> +
> + SSL_DEBUG_MSG( 3, ( "client hello, adding renegotiation extension" ) );
> +
> ++ if( (size_t)(end - p) < 5 + ssl->verify_data_len )
> ++ {
> ++ SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
> ++ return;
> ++ }
> ++
> + /*
> + * Secure renegotiation
> + */
> +@@ -151,6 +165,7 @@ static void ssl_write_signature_algorithms_ext( ssl_context *ssl,
> + size_t *olen )
> + {
> + unsigned char *p = buf;
> ++ const unsigned char *end = ssl->out_msg + SSL_MAX_CONTENT_LEN;
> + size_t sig_alg_len = 0;
> + #if defined(POLARSSL_RSA_C) || defined(POLARSSL_ECDSA_C)
> + unsigned char *sig_alg_list = buf + 6;
> +@@ -163,9 +178,54 @@ static void ssl_write_signature_algorithms_ext( ssl_context *ssl,
> +
> + SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) );
> +
> ++#if defined(POLARSSL_RSA_C)
> ++#if defined(POLARSSL_SHA512_C)
> ++ /* SHA512 + RSA signature, SHA384 + RSA signature */
> ++ sig_alg_len += 4;
> ++#endif
> ++#if defined(POLARSSL_SHA256_C)
> ++ /* SHA256 + RSA signature, SHA224 + RSA signature */
> ++ sig_alg_len += 4;
> ++#endif
> ++#if defined(POLARSSL_SHA1_C)
> ++ /* SHA1 + RSA signature */
> ++ sig_alg_len += 2;
> ++#endif
> ++#if defined(POLARSSL_MD5_C)
> ++ /* MD5 + RSA signature */
> ++ sig_alg_len += 2;
> ++#endif
> ++#endif /* POLARSSL_RSA_C */
> ++#if defined(POLARSSL_ECDSA_C)
> ++#if defined(POLARSSL_SHA512_C)
> ++ /* SHA512 + ECDSA signature, SHA384 + ECDSA signature */
> ++ sig_alg_len += 4;
> ++#endif
> ++#if defined(POLARSSL_SHA256_C)
> ++ /* SHA256 + ECDSA signature, SHA224 + ECDSA signature */
> ++ sig_alg_len += 4;
> ++#endif
> ++#if defined(POLARSSL_SHA1_C)
> ++ /* SHA1 + ECDSA signature */
> ++ sig_alg_len += 2;
> ++#endif
> ++#if defined(POLARSSL_MD5_C)
> ++ /* MD5 + ECDSA signature */
> ++ sig_alg_len += 2;
> ++#endif
> ++#endif /* POLARSSL_ECDSA_C */
> ++
> ++ if( end < p || (size_t)( end - p ) < sig_alg_len + 6 )
> ++ {
> ++ SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
> ++ return;
> ++ }
> ++
> + /*
> + * Prepare signature_algorithms extension (TLS 1.2)
> + */
> ++ sig_alg_len = 0;
> ++
> + #if defined(POLARSSL_RSA_C)
> + #if defined(POLARSSL_SHA512_C)
> + sig_alg_list[sig_alg_len++] = SSL_HASH_SHA512;
> +@@ -248,6 +308,7 @@ static void ssl_write_supported_elliptic_curves_ext( ssl_context *ssl,
> + size_t *olen )
> + {
> + unsigned char *p = buf;
> ++ const unsigned char *end = ssl->out_msg + SSL_MAX_CONTENT_LEN;
> + unsigned char *elliptic_curve_list = p + 6;
> + size_t elliptic_curve_len = 0;
> + const ecp_curve_info *info;
> +@@ -269,6 +330,25 @@ static void ssl_write_supported_elliptic_curves_ext( ssl_context *ssl,
> + for( info = ecp_curve_list(); info->grp_id != POLARSSL_ECP_DP_NONE; info++ )
> + {
> + #endif
> ++ elliptic_curve_len += 2;
> ++ }
> ++
> ++ if( end < p || (size_t)( end - p ) < 6 + elliptic_curve_len )
> ++ {
> ++ SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
> ++ return;
> ++ }
> ++
> ++ elliptic_curve_len = 0;
> ++
> ++#if defined(POLARSSL_SSL_SET_CURVES)
> ++ for( grp_id = ssl->curve_list; *grp_id != POLARSSL_ECP_DP_NONE; grp_id++ )
> ++ {
> ++ info = ecp_curve_info_from_grp_id( *grp_id );
> ++#else
> ++ for( info = ecp_curve_list(); info->grp_id != POLARSSL_ECP_DP_NONE; info++ )
> ++ {
> ++#endif
> +
> + elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8;
> + elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF;
> +@@ -294,12 +374,18 @@ static void ssl_write_supported_point_formats_ext( ssl_context *ssl,
> + size_t *olen )
> + {
> + unsigned char *p = buf;
> +- ((void) ssl);
> ++ const unsigned char *end = ssl->out_msg + SSL_MAX_CONTENT_LEN;
> +
> + *olen = 0;
> +
> + SSL_DEBUG_MSG( 3, ( "client hello, adding supported_point_formats extension" ) );
> +
> ++ if( end < p || (size_t)( end - p ) < 6 )
> ++ {
> ++ SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
> ++ return;
> ++ }
> ++
> + *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
> + *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
> +
> +@@ -319,14 +405,21 @@ static void ssl_write_max_fragment_length_ext( ssl_context *ssl,
> + size_t *olen )
> + {
> + unsigned char *p = buf;
> ++ const unsigned char *end = ssl->out_msg + SSL_MAX_CONTENT_LEN;
> +
> +- if( ssl->mfl_code == SSL_MAX_FRAG_LEN_NONE ) {
> +- *olen = 0;
> ++ *olen = 0;
> ++
> ++ if( ssl->mfl_code == SSL_MAX_FRAG_LEN_NONE )
> + return;
> +- }
> +
> + SSL_DEBUG_MSG( 3, ( "client hello, adding max_fragment_length extension" ) );
> +
> ++ if( end < p || (size_t)( end - p ) < 5 )
> ++ {
> ++ SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
> ++ return;
> ++ }
> ++
> + *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
> + *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
> +
> +@@ -344,15 +437,21 @@ static void ssl_write_truncated_hmac_ext( ssl_context *ssl,
> + unsigned char *buf, size_t *olen )
> + {
> + unsigned char *p = buf;
> ++ const unsigned char *end = ssl->out_msg + SSL_MAX_CONTENT_LEN;
> ++
> ++ *olen = 0;
> +
> + if( ssl->trunc_hmac == SSL_TRUNC_HMAC_DISABLED )
> +- {
> +- *olen = 0;
> + return;
> +- }
> +
> + SSL_DEBUG_MSG( 3, ( "client hello, adding truncated_hmac extension" ) );
> +
> ++ if( end < p || (size_t)( end - p ) < 4 )
> ++ {
> ++ SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
> ++ return;
> ++ }
> ++
> + *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
> + *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
> +
> +@@ -368,17 +467,25 @@ static void ssl_write_encrypt_then_mac_ext( ssl_context *ssl,
> + unsigned char *buf, size_t *olen )
> + {
> + unsigned char *p = buf;
> ++ const unsigned char *end = ssl->out_msg + SSL_MAX_CONTENT_LEN;
> ++
> ++ *olen = 0;
> +
> + if( ssl->encrypt_then_mac == SSL_ETM_DISABLED ||
> + ssl->max_minor_ver == SSL_MINOR_VERSION_0 )
> + {
> +- *olen = 0;
> + return;
> + }
> +
> + SSL_DEBUG_MSG( 3, ( "client hello, adding encrypt_then_mac "
> + "extension" ) );
> +
> ++ if( end < p || (size_t)( end - p ) < 4 )
> ++ {
> ++ SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
> ++ return;
> ++ }
> ++
> + *p++ = (unsigned char)( ( TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );
> + *p++ = (unsigned char)( ( TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF );
> +
> +@@ -394,17 +501,25 @@ static void ssl_write_extended_ms_ext( ssl_context *ssl,
> + unsigned char *buf, size_t *olen )
> + {
> + unsigned char *p = buf;
> ++ const unsigned char *end = ssl->out_msg + SSL_MAX_CONTENT_LEN;
> ++
> ++ *olen = 0;
> +
> + if( ssl->extended_ms == SSL_EXTENDED_MS_DISABLED ||
> + ssl->max_minor_ver == SSL_MINOR_VERSION_0 )
> + {
> +- *olen = 0;
> + return;
> + }
> +
> + SSL_DEBUG_MSG( 3, ( "client hello, adding extended_master_secret "
> + "extension" ) );
> +
> ++ if( end < p || (size_t)( end - p ) < 4 )
> ++ {
> ++ SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
> ++ return;
> ++ }
> ++
> + *p++ = (unsigned char)( ( TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF );
> + *p++ = (unsigned char)( ( TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF );
> +
> +@@ -420,16 +535,22 @@ static void ssl_write_session_ticket_ext( ssl_context *ssl,
> + unsigned char *buf, size_t *olen )
> + {
> + unsigned char *p = buf;
> ++ const unsigned char *end = ssl->out_msg + SSL_MAX_CONTENT_LEN;
> + size_t tlen = ssl->session_negotiate->ticket_len;
> +
> ++ *olen = 0;
> ++
> + if( ssl->session_tickets == SSL_SESSION_TICKETS_DISABLED )
> +- {
> +- *olen = 0;
> + return;
> +- }
> +
> + SSL_DEBUG_MSG( 3, ( "client hello, adding session ticket extension" ) );
> +
> ++ if( end < p || (size_t)( end - p ) < 4 + tlen )
> ++ {
> ++ SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
> ++ return;
> ++ }
> ++
> + *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
> + *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET ) & 0xFF );
> +
> +@@ -457,16 +578,26 @@ static void ssl_write_alpn_ext( ssl_context *ssl,
> + unsigned char *buf, size_t *olen )
> + {
> + unsigned char *p = buf;
> ++ const unsigned char *end = ssl->out_msg + SSL_MAX_CONTENT_LEN;
> ++ size_t alpnlen = 0;
> + const char **cur;
> +
> ++ *olen = 0;
> ++
> + if( ssl->alpn_list == NULL )
> +- {
> +- *olen = 0;
> + return;
> +- }
> +
> + SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) );
> +
> ++ for( cur = ssl->alpn_list; *cur != NULL; cur++ )
> ++ alpnlen += (unsigned char)( strlen( *cur ) & 0xFF ) + 1;
> ++
> ++ if( end < p || (size_t)( end - p ) < 6 + alpnlen )
> ++ {
> ++ SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
> ++ return;
> ++ }
> ++
> + *p++ = (unsigned char)( ( TLS_EXT_ALPN >> 8 ) & 0xFF );
> + *p++ = (unsigned char)( ( TLS_EXT_ALPN ) & 0xFF );
> +
> diff --git a/debian/patches/vulernable-code-not-present/CVE-2015-5291-3.patch b/debian/patches/vulernable-code-not-present/CVE-2015-5291-3.patch
> new file mode 100644
> index 0000000..52a0f4a
> --- /dev/null
> +++ b/debian/patches/vulernable-code-not-present/CVE-2015-5291-3.patch
> @@ -0,0 +1,51 @@
> +diff --git a/ChangeLog b/ChangeLog
> +index 44f4408..ddba5c0 100644
> +--- a/ChangeLog
> ++++ b/ChangeLog
> +@@ -1,5 +1,15 @@
> + mbed TLS ChangeLog (Sorted per branch, date)
> +
> ++= mbed TLS 1.3.14 released 2015-10-xx
> ++
> ++Security
> ++ * Added fix for CVE-2015-xxxxx to prevent heap corruption due to buffer
> ++ overflow of the hostname or session ticket. (Found by Guido Vranken)
> ++
> ++Changes
> ++ * Added checking of hostname length in ssl_set_hostname() to ensure domain
> ++ names are compliant with RFC 1035.
> ++
> + = mbed TLS 1.3.13 reladsed 2015-09-17
> +
> + Security
> +diff --git a/library/ssl_cli.c b/library/ssl_cli.c
> +index deeee33..ef86cd2 100644
> +--- a/library/ssl_cli.c
> ++++ b/library/ssl_cli.c
> +@@ -75,7 +75,7 @@ static void ssl_write_hostname_ext( ssl_context *ssl,
> + SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s",
> + ssl->hostname ) );
> +
> +- if( (size_t)(end - p) < ssl->hostname_len + 9 )
> ++ if( end < p || (size_t)( end - p ) < ssl->hostname_len + 9 )
> + {
> + SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
> + return;
> +@@ -877,13 +877,13 @@ static int ssl_write_client_hello( ssl_context *ssl )
> + ext_len += olen;
> + #endif
> +
> +-#if defined(POLARSSL_SSL_SESSION_TICKETS)
> +- ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
> ++#if defined(POLARSSL_SSL_ALPN)
> ++ ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
> + ext_len += olen;
> + #endif
> +
> +-#if defined(POLARSSL_SSL_ALPN)
> +- ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
> ++#if defined(POLARSSL_SSL_SESSION_TICKETS)
> ++ ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
> + ext_len += olen;
> + #endif
> +
> diff --git a/debian/patches/vulernable-code-not-present/CVE-2015-5291-4.patch b/debian/patches/vulernable-code-not-present/CVE-2015-5291-4.patch
> new file mode 100644
> index 0000000..2019491
> --- /dev/null
> +++ b/debian/patches/vulernable-code-not-present/CVE-2015-5291-4.patch
> @@ -0,0 +1,13 @@
> +diff --git a/library/ssl_cli.c b/library/ssl_cli.c
> +index 39dc02e..ef86cd2 100644
> +--- a/library/ssl_cli.c
> ++++ b/library/ssl_cli.c
> +@@ -133,7 +133,7 @@ static void ssl_write_renegotiation_ext( ssl_context *ssl,
> +
> + SSL_DEBUG_MSG( 3, ( "client hello, adding renegotiation extension" ) );
> +
> +- if( end < p || (size_t)(end - p) < 5 + ssl->verify_data_len )
> ++ if( (size_t)(end - p) < 5 + ssl->verify_data_len )
> + {
> + SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
> + return;
> diff --git a/debian/tests/build-test b/debian/tests/build-test
> new file mode 100755
> index 0000000..42b7127
> --- /dev/null
> +++ b/debian/tests/build-test
> @@ -0,0 +1,10 @@
> +#!/usr/bin/make -f
> +
> +CFLAGS = -O2 -D_FILE_OFFSET_BITS=64 -Wall
> +LDFLAGS += -lpolarssl
> +
> +a.out: programs/hash/hello.c
> + $(CC) $(CFLAGS) $(OFLAGS) $< $(LDFLAGS)
> + @echo "Build test of $< succeeded"
> + ./a.out
> + @rm -f a.out
> diff --git a/debian/tests/control b/debian/tests/control
> new file mode 100644
> index 0000000..9b777fd
> --- /dev/null
> +++ b/debian/tests/control
> @@ -0,0 +1,5 @@
> +Tests: smoke
> +Depends: libpolarssl-runtime
> +
> +Tests: build-test
> +Depends: libpolarssl-dev
> diff --git a/debian/tests/smoke b/debian/tests/smoke
> new file mode 100755
> index 0000000..03df087
> --- /dev/null
> +++ b/debian/tests/smoke
> @@ -0,0 +1,17 @@
> +#!/bin/sh
> +
> +set -e
> +
> +# Excercise some of the demos
> +polarssl_hello
> +polarssl_mpi_demo
> +
> +# Make sure output is identical to coreutil versions
> +[ "$(polarssl_sha1sum /etc/passwd)" = "$(sha1sum /etc/passwd)" ]
> +[ "$(polarssl_md5sum /etc/passwd)" = "$(md5sum /etc/passwd)" ]
> +
> +# Run the selftest
> +polarssl_selftest
> +
> +echo 'Smoke test of polarssl succesful'
> +exit 0
Reply to: