openssl: fix for CVE-2007-5135

openssl/.md5sum

@@ -1,4 +1,5 @@
 30ad2995a2668db16ae3083c11a42307  CVE-2007-3108.patch
+21119cb0b942c835395d7f57530ba14a  CVE-2007-5135.patch
 9d0df57845af8acd1027a7df5c18d017  mksslcert.sh
 3cbccf8f5d7ce488a306fb9029512b80  openssl-0.9.8-gcc42.patch
 58daa890c3bc19bd6ce3451b2e5e335c  openssl-0.9.8b-parallel-build.patch

openssl/CVE-2007-5135.patch

@@ -0,0 +1,46 @@
+openssl/ssl/ssl_lib.c     1.133.2.9 -> 1.133.2.10
+
+--- ssl_lib.c	2007/08/12 18:59:02	1.133.2.9
++++ ssl_lib.c	2007/09/19 12:16:21	1.133.2.10
+@@ -1210,7 +1210,6 @@
+ char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len)
+ 	{
+ 	char *p;
+-	const char *cp;
+ 	STACK_OF(SSL_CIPHER) *sk;
+ 	SSL_CIPHER *c;
+ 	int i;
+@@ -1223,20 +1222,21 @@
+ 	sk=s->session->ciphers;
+ 	for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
+ 		{
+-		/* Decrement for either the ':' or a '\0' */
+-		len--;
++		int n;
++
+ 		c=sk_SSL_CIPHER_value(sk,i);
+-		for (cp=c->name; *cp; )
++		n=strlen(c->name);
++		if (n+1 > len)
+ 			{
+-			if (len-- <= 0)
+-				{
+-				*p='\0';
+-				return(buf);
+-				}
+-			else
+-				*(p++)= *(cp++);
++			if (p != buf)
++				--p;
++			*p='\0';
++			return buf;
+ 			}
++		strcpy(p,c->name);
++		p+=n;
+ 		*(p++)=':';
++		len-=n+1;
+ 		}
+ 	p[-1]='\0';
+ 	return(buf);
+
+

openssl/Pkgfile

@@ -6,12 +6,14 @@ name=openssl
 version=0.9.8e
 release=3
 source=(http://www.openssl.org/source/$name-$version.tar.gz \
-	mksslcert.sh openssl-0.9.8b-parallel-build.patch \
-	CVE-2007-3108.patch openssl-0.9.8-gcc42.patch)
+        mksslcert.sh openssl-0.9.8b-parallel-build.patch \
+        CVE-2007-3108.patch CVE-2007-5135.patch \
+        openssl-0.9.8-gcc42.patch)
 
 build() {
     cd $name-$version
     patch -p1 -i $SRC/CVE-2007-3108.patch
+    patch -p0 -d ssl -i $SRC/CVE-2007-5135.patch
     patch -p1 -i $SRC/openssl-0.9.8b-parallel-build.patch
     patch -p0 -i $SRC/openssl-0.9.8-gcc42.patch
     ./config --prefix=/usr --openssldir=/etc/ssl shared