(cc'ing Joachim since he may be interested)

Polarssl suffers from a DoS on both -current and 5.6.

For -current the easiest way would be to update to polarssl-1.3.8.
Here's a diff for 5.6.  The code comes from the git repo, though
adjusted a bit because POLARSSL_CIPHERSUITE_SHORT_TAG is not present in
polarssl-1.3.6.

ok?  When should this go in?

Index: Makefile
===================================================================
RCS file: /cvs/ports/security/polarssl/Makefile,v
retrieving revision 1.2
diff -u -p -r1.2 Makefile
--- Makefile    18 Apr 2014 20:51:48 -0000      1.2
+++ Makefile    17 Aug 2014 18:40:03 -0000
@@ -5,7 +5,7 @@ BROKEN-sparc64= problems with mpi_mul_hl
 COMMENT=       SSL library with an intuitive API and readable source code
 
 DISTNAME=      polarssl-1.3.6
-REVISION=      0
+REVISION=      1
 EXTRACT_SUFX=  -gpl.tgz
 
 SHARED_LIBS += polarssl                  0.0 # 1.3
Index: patches/patch-library_ssl_tls_c
===================================================================
RCS file: patches/patch-library_ssl_tls_c
diff -N patches/patch-library_ssl_tls_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-library_ssl_tls_c     17 Aug 2014 22:13:50 -0000
@@ -0,0 +1,31 @@
+$OpenBSD$
+
+Fix for CVE-2014-4911.
+https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2014-02
+https://github.com/polarssl/polarssl/commit/0bcc4e1df78fff6d15c3ecb521e3bd0bbee86e1c
+
+--- library/ssl_tls.c.orig     Fri Apr 11 15:33:59 2014
++++ library/ssl_tls.c  Mon Aug 18 00:06:25 2014
+@@ -1410,10 +1410,19 @@ static int ssl_decrypt_buf( ssl_context *ssl )
+         size_t dec_msglen, olen, totlen;
+         unsigned char add_data[13];
+         int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
++        unsigned char taglen = 16;
++        unsigned char explicit_iv_len = ssl->transform_in->ivlen -
++                                        ssl->transform_in->fixed_ivlen;
+ 
+-        dec_msglen = ssl->in_msglen - ( ssl->transform_in->ivlen -
+-                                        ssl->transform_in->fixed_ivlen );
+-        dec_msglen -= 16;
++        if( ssl->in_msglen < explicit_iv_len + taglen )
++        {
++            SSL_DEBUG_MSG( 1, ( "msglen (%d) < explicit_iv_len (%d) "
++                                "+ taglen (%d)", ssl->in_msglen,
++                                explicit_iv_len, taglen ) );
++            return( POLARSSL_ERR_SSL_INVALID_MAC );
++        }
++        dec_msglen = ssl->in_msglen - explicit_iv_len - taglen;
++
+         dec_msg = ssl->in_msg;
+         dec_msg_result = ssl->in_msg;
+         ssl->in_msglen = dec_msglen;
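
Review bot: the patch header cites the upstream commit but does not record that this backport differs from it. `unsigned char taglen = 16;` is hard-coded here because POLARSSL_CIPHERSUITE_SHORT_TAG is not present in polarssl-1.3.6, and a one-line remark next to the commit URL would keep the next updater from treating the patch as a verbatim cherry-pick. Separately, the SSL_DEBUG_MSG call prints ssl->in_msglen with %d. dec_msglen is declared size_t and is assigned both from and to in_msglen, so if in_msglen is size_t as well, the specifier does not match the argument; a cast to int at the call site would address that. The length check itself sits before the subtraction, which is the right place to stop dec_msglen from wrapping on a short record.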

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE
