diff options
-rw-r--r-- | debian/changelog | 12 | ||||
-rw-r--r-- | debian/control | 4 | ||||
-rw-r--r-- | debian/files | 1 | ||||
-rw-r--r-- | debian/patches/0120-openssl1.1.patch | 150 | ||||
-rw-r--r-- | debian/patches/series | 1 |
5 files changed, 165 insertions, 3 deletions
diff --git a/debian/changelog b/debian/changelog index 229a8c2..e9b1ddb 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,15 @@ +ipmitool (1.8.18-4) UNRELEASED; urgency=medium + + * Migrate to openssl1.1 (Closes_# 853782): + - New debina/patches/0120-openssl1.1.patch: + + Cherry-picked from upstream. + - debian/control: + + Switch Build-Depeds from libssl1.0-dev to libssl-dev + to use libssl 1.1. + * Declare compliance with Debian Policy 4.0.0. (No changes needed). + + -- Jörg Frings-Fürst <debian@jff-webhosting.net> Sun, 13 Aug 2017 08:07:37 +0200 + ipmitool (1.8.18-3) unstable; urgency=medium * debian/rules: diff --git a/debian/control b/debian/control index 82207f9..a5b3b1b 100644 --- a/debian/control +++ b/debian/control @@ -7,8 +7,8 @@ Build-Depends: libncurses-dev, libfreeipmi-dev [!hurd-i386], libreadline-dev, - libssl1.0-dev -Standards-Version: 3.9.8 + libssl-dev +Standards-Version: 4.0.0 Vcs-Browser: https://anonscm.debian.org/cgit/collab-maint/ipmitool.git Vcs-Git: https://anonscm.debian.org/cgit/collab-maint/ipmitool.git Homepage: https://sourceforge.net/projects/ipmitool/ diff --git a/debian/files b/debian/files deleted file mode 100644 index 58d13ec..0000000 --- a/debian/files +++ /dev/null @@ -1 +0,0 @@ -ipmitool_1.8.18-3_source.buildinfo utils optional diff --git a/debian/patches/0120-openssl1.1.patch b/debian/patches/0120-openssl1.1.patch new file mode 100644 index 0000000..a7523fd --- /dev/null +++ b/debian/patches/0120-openssl1.1.patch @@ -0,0 +1,150 @@ +Description: Migrate to openssl 1.1 + Cherry-picked from upstream +Author: Jörg Frings-Fürst <debian@jff-webhosting.net> +Origin: upstream https://sourceforge.net/p/ipmitool/source/ci/1664902525a1c3771b4d8b3ccab7ea1ba6b2bdd1/ +Bug: https://sourceforge.net/p/ipmitool/bugs/461/ +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=853782 +Forwarded: not-needed +Last-Update: 2017-08-13 <YYYY-MM-DD, last update of the meta-information, optional> +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +Index: trunk/src/plugins/lanplus/lanplus_crypt_impl.c +=================================================================== +--- trunk.orig/src/plugins/lanplus/lanplus_crypt_impl.c ++++ trunk/src/plugins/lanplus/lanplus_crypt_impl.c +@@ -164,11 +164,7 @@ lanplus_encrypt_aes_cbc_128(const uint8_ + uint8_t * output, + uint32_t * bytes_written) + { +- EVP_CIPHER_CTX ctx; +- EVP_CIPHER_CTX_init(&ctx); +- EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, key, iv); +- EVP_CIPHER_CTX_set_padding(&ctx, 0); +- ++ EVP_CIPHER_CTX *ctx = NULL; + + *bytes_written = 0; + +@@ -182,6 +178,14 @@ lanplus_encrypt_aes_cbc_128(const uint8_ + printbuf(input, input_length, "encrypting this data"); + } + ++ ctx = EVP_CIPHER_CTX_new(); ++ if (ctx == NULL) { ++ lprintf(LOG_DEBUG, "ERROR: EVP_CIPHER_CTX_new() failed"); ++ return; ++ } ++ EVP_CIPHER_CTX_init(ctx); ++ EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv); ++ EVP_CIPHER_CTX_set_padding(ctx, 0); + + /* + * The default implementation adds a whole block of padding if the input +@@ -191,28 +195,28 @@ lanplus_encrypt_aes_cbc_128(const uint8_ + assert((input_length % IPMI_CRYPT_AES_CBC_128_BLOCK_SIZE) == 0); + + +- if(!EVP_EncryptUpdate(&ctx, output, (int *)bytes_written, input, input_length)) ++ if(!EVP_EncryptUpdate(ctx, output, (int *)bytes_written, input, input_length)) + { + /* Error */ + *bytes_written = 0; +- return; + } + else + { + uint32_t tmplen; + +- if(!EVP_EncryptFinal_ex(&ctx, output + *bytes_written, (int *)&tmplen)) ++ if(!EVP_EncryptFinal_ex(ctx, output + *bytes_written, (int *)&tmplen)) + { ++ /* Error */ + *bytes_written = 0; +- return; /* Error */ + } + else + { + /* Success */ + *bytes_written += tmplen; +- EVP_CIPHER_CTX_cleanup(&ctx); + } + } ++ /* performs cleanup and free */ ++ EVP_CIPHER_CTX_free(ctx); + } + + +@@ -239,11 +243,7 @@ lanplus_decrypt_aes_cbc_128(const uint8_ + uint8_t * output, + uint32_t * bytes_written) + { +- EVP_CIPHER_CTX ctx; +- EVP_CIPHER_CTX_init(&ctx); +- EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, key, iv); +- EVP_CIPHER_CTX_set_padding(&ctx, 0); +- ++ EVP_CIPHER_CTX *ctx = NULL; + + if (verbose >= 5) + { +@@ -252,12 +252,20 @@ lanplus_decrypt_aes_cbc_128(const uint8_ + printbuf(input, input_length, "decrypting this data"); + } + +- + *bytes_written = 0; + + if (input_length == 0) + return; + ++ ctx = EVP_CIPHER_CTX_new(); ++ if (ctx == NULL) { ++ lprintf(LOG_DEBUG, "ERROR: EVP_CIPHER_CTX_new() failed"); ++ return; ++ } ++ EVP_CIPHER_CTX_init(ctx); ++ EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv); ++ EVP_CIPHER_CTX_set_padding(ctx, 0); ++ + /* + * The default implementation adds a whole block of padding if the input + * data is perfectly aligned. We would like to keep that from happening. +@@ -266,33 +274,33 @@ lanplus_decrypt_aes_cbc_128(const uint8_ + assert((input_length % IPMI_CRYPT_AES_CBC_128_BLOCK_SIZE) == 0); + + +- if (!EVP_DecryptUpdate(&ctx, output, (int *)bytes_written, input, input_length)) ++ if (!EVP_DecryptUpdate(ctx, output, (int *)bytes_written, input, input_length)) + { + /* Error */ + lprintf(LOG_DEBUG, "ERROR: decrypt update failed"); + *bytes_written = 0; +- return; + } + else + { + uint32_t tmplen; + +- if (!EVP_DecryptFinal_ex(&ctx, output + *bytes_written, (int *)&tmplen)) ++ if (!EVP_DecryptFinal_ex(ctx, output + *bytes_written, (int *)&tmplen)) + { ++ /* Error */ + char buffer[1000]; + ERR_error_string(ERR_get_error(), buffer); + lprintf(LOG_DEBUG, "the ERR error %s", buffer); + lprintf(LOG_DEBUG, "ERROR: decrypt final failed"); + *bytes_written = 0; +- return; /* Error */ + } + else + { + /* Success */ + *bytes_written += tmplen; +- EVP_CIPHER_CTX_cleanup(&ctx); + } + } ++ /* performs cleanup and free */ ++ EVP_CIPHER_CTX_free(ctx); + + if (verbose >= 5) + { diff --git a/debian/patches/series b/debian/patches/series index d3b8208..197df06 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,5 +1,6 @@ #0605-manpage_typo.patch #0105-typo.patch +0120-openssl1.1.patch 0100-fix_buf_overflow.patch 0500-fix_CVE-2011-4339.patch #0610-readme_typo.patch |