Mageia Bugzilla – Attachment 1448 Details for Bug 4307: curl new security issues CVE-2012-0036 and CVE-2011-3389
Attachment: curl-7.21.5-dont-insert-empty-fragments.patch (text/plain), 1.54 KB
Description: re-diffed curl-dont-insert-empty-fragments.patch
Creator: David Walser
Created: 2012-01-28 04:30:03 CET
Flags: patch, obsolete
--- lib/ssluse.c~ 2011-04-14 17:02:29.000000000 -0400 +++ lib/ssluse.c 2012-01-27 22:26:21.100765497 -0500 @@ -1422,6 +1422,7 @@ X509_LOOKUP *lookup=NULL; curl_socket_t sockfd = conn->sock[sockindex]; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + long ctx_options; #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME bool sni; #ifdef ENABLE_IPV6 @@ -1522,16 +1523,27 @@ If someone writes an application with libcurl and openssl who wants to enable the feature, one can do this in the SSL callback. + OpenSSL added a work-around for a SSL 3.0/TLS 1.0 CBC vulnerability + (http://www.openssl.org/~bodo/tls-cbc.txt). In 0.9.6e they added a bit to + SSL_OP_ALL that _disables_ that work-around despite the fact that + SSL_OP_ALL is documented to do "rather harmless" workarounds. In order to + keep the secure work-around, the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit + must not be set. + */ + + ctx_options = SSL_OP_ALL; + #ifdef SSL_OP_NO_TICKET /* expect older openssl releases to not have this define so only use it if present */ -#define CURL_CTX_OPTIONS SSL_OP_ALL|SSL_OP_NO_TICKET -#else -#define CURL_CTX_OPTIONS SSL_OP_ALL + ctx_options |= SSL_OP_NO_TICKET; +#endif +#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS + ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; #endif - SSL_CTX_set_options(connssl->ctx, CURL_CTX_OPTIONS); + SSL_CTX_set_options(connssl->ctx, ctx_options); /* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */ if(data->set.ssl.version == CURL_SSLVERSION_DEFAULT)
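Review bot: in the first hunk (@@ -1422) the new `long ctx_options;` is declared alongside the other locals rather than at first use, which keeps the function C89-clean; `long` is also the type SSL_CTX_set_options takes for its options argument in the OpenSSL 0.9.x/1.0.x series, so the later `ctx_options |= ...` and `&= ~...` operations do not truncate any option bits.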
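Review bot: the second hunk (@@ -1522) deletes the CURL_CTX_OPTIONS macro (both the `#define CURL_CTX_OPTIONS SSL_OP_ALL|SSL_OP_NO_TICKET` and `#else` branches) but only rewrites the one SSL_CTX_set_options call site shown here; confirm no other reference to CURL_CTX_OPTIONS remains in lib/ssluse.c or the build fails. The masking itself is correct: `ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS` restores OpenSSL's empty-fragment countermeasure for the SSL 3.0/TLS 1.0 CBC issue described in the new comment (CVE-2011-3389 per the bug title), and leaves behaviour unchanged on OpenSSL builds where the define is absent. Since the "rather harmless" workarounds in SSL_OP_ALL exist for peers with broken SSL implementations, it would help future maintainers to note in the comment that peers which cannot handle empty fragments may now fail the handshake, and that applications can still re-enable the bit through the SSL callback mentioned just above.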