author | Björn Bidar | 2019-01-13 13:03:16 +0100 |
---|---|---|
committer | Björn Bidar | 2019-01-13 13:05:53 +0100 |
commit | d6bcc3f5cdba55783c84e2d34e8662211665904b (patch) | |
tree | ed35bb606cf43aa06438407e35aa19cfa4a61bf3 | |
parent | c8e5b61b951201783f6d2fa31ea8000f86aab307 (diff) | |
download | aur-d6bcc3f5cdba55783c84e2d34e8662211665904b.tar.gz |
upkg
- new upstream release
- drop the SSL session resumption patch, which has been applied upstream
-rw-r--r-- | .SRCINFO | 12 | ||||
-rw-r--r-- | 0001-Disable-ssl-session-resumption.patch | 106 | ||||
-rw-r--r-- | PKGBUILD | 13 |
3 files changed, 10 insertions, 121 deletions
@@ -1,9 +1,9 @@ # Generated by mksrcinfo v8 -# Sun May 13 22:13:06 UTC 2018 +# Sun Jan 13 12:05:49 UTC 2019 pkgbase = osc pkgdesc = Command line client for the openSUSE Build Service - pkgver = 0.162.1 - pkgrel = 2 + pkgver = 0.164.0 + pkgrel = 1 url = https://github.com/openSUSE/osc arch = any license = GPL2 @@ -20,12 +20,10 @@ pkgbase = osc conflicts = zsh-completion-osc replaces = osc-bash-completion replaces = zsh-completion-osc - source = https://github.com/openSUSE/osc/archive/0.162.1.tar.gz + source = https://github.com/openSUSE/osc/archive/0.164.0.tar.gz source = _osc - source = 0001-Disable-ssl-session-resumption.patch - sha256sums = 529d627bf10117f43f52f6e6db09e9663474ae984b7be93cae9a686b52bd932c + sha256sums = a8ea3e2ab6703061685a4ae08e232e70728022e8f9308fc3b626d21c8584da55 sha256sums = 2b045e03d2fdce12683ceb9792d491a32f00b256045456412e7bc18c8726218a - sha256sums = 7f01860ac98f5b817ff4d835f60fc940300b5d9b83629a6e9950ed7e6ddb087f pkgname = osc diff --git a/0001-Disable-ssl-session-resumption.patch b/0001-Disable-ssl-session-resumption.patch deleted file mode 100644 index 0542a486ca4f..000000000000 --- a/0001-Disable-ssl-session-resumption.patch +++ /dev/null 
@@ -1,106 +0,0 @@ -From b730f880cfe85a8547f569355a21706f27ebfa78 Mon Sep 17 00:00:00 2001 -From: Marcus Huewe <suse-tux@gmx.de> -Date: Tue, 8 May 2018 14:23:08 +0200 -Subject: [PATCH] Disable ssl session resumption - -The old code could potentially yield to a use-after-free situation, -which results in UB. For this, consider the following scenario, where -osc performs several HTTPS requests (assumption: the server supports -ssl session resumption): - -- HTTPS Request 1: - * a new SSL *s connection is established, which also creates a new - SSL_SESSION *ss => ss->references == 1 - * once the handshake is done, the ss is put into the session cache - (see ssl_update_cache) => ss->references == 2 - - osc saves the session ss in a class variable - - s is SSL_free()d, which calls SSL_SESSION_free => ss->references == 1 - -- HTTPS Request 2: - * setup a new SSL *s connection that reuses the saved session ss - => ss->references == 2 - * once the handshake is done, ssl_update_cache is called, which is a - NOP, because s->hit == 1 (that is, the session was resumed) - * osc saves the session ss in a class variable - * s is SSL_free()d, which calls SSL_SESSION_free => ss->references == 1 - -... - -> 2 hours later (see tls1_default_timeout) - -... - -- HTTPS Request 256: - * setup a new SSL *s connection that reuses the saved session ss - => ss->references == 2 - * once the handshake is done, ssl_update_cache is called, but is - _no_ NOP anymore - * ssl_update_cache flushes the session cache (this is done every - 255/256 (depending on the way we count) connections) => ss is - SSL_SESSION_free()d => ss->references == 1 - * osc saves the session ss in a class variable - * s is SSL_free()d, which calls SSL_SESSION_free: - since ss->references == 1, ss is eventually free()d - -- HTTPS Request 257: - * setup a new SSL *s connection that reuses the saved session ss - -Since ss does not exist anymore, the remaining program execution is UB. - -(Note: SSL_free(...) 
is _NOT_ called, if M2Crypto 0.29 is used. -M2Crypto 0.30 calls SSL_free(...) again.) - -Due to a bug in OpenSSL_1_1_0h (see openssl commit 8e405776858) the -scenario from above can be triggered with exactly 2 HTTPS requests (the -SSL_SESSION is not cached, because we configured SSL_VERIFY_PEER, but -no sid_ctx was set). This is fixed in openssl commit c4fa1f7fc01. - -In order to reliably reuse a session, we probably need to listen to the -session cache changes. Such callbacks could be registered via -SSL_CTX_sess_set_new_cb and/or SSL_CTX_sess_set_remove_cb, but both -functions are not provided by M2Crypto. Another idea is to directly utilize -the session cache, but this also has to be implemented in M2Crypto first. -Yet another approach is to retrieve the session via SSL_get1_session, which -increases the session's refcnt, but this also needs to be implemented in -M2Crypto first (if we choose to use this approach, we also have to make -sure that we eventually free the session manually...). 
- -Fixes: #398 ("SIGSEGV on \"osc commit\"") ---- - osc/oscssl.py | 6 ------ - 1 file changed, 6 deletions(-) - -diff --git a/osc/oscssl.py b/osc/oscssl.py -index 7aa5a0d..186c98d 100644 ---- a/osc/oscssl.py -+++ b/osc/oscssl.py -@@ -174,7 +174,6 @@ class mySSLContext(SSL.Context): - - class myHTTPSHandler(M2Crypto.m2urllib2.HTTPSHandler): - handler_order = 499 -- saved_session = None - - def __init__(self, *args, **kwargs): - self.appname = kwargs.pop('appname', 'generic') -@@ -204,8 +203,6 @@ class myHTTPSHandler(M2Crypto.m2urllib2.HTTPSHandler): - selector = req.get_selector() - # End our change - h.set_debuglevel(self._debuglevel) -- if self.saved_session: -- h.set_session(self.saved_session) - - headers = dict(req.headers) - headers.update(req.unredirected_hdrs) -@@ -218,9 +215,6 @@ class myHTTPSHandler(M2Crypto.m2urllib2.HTTPSHandler): - headers["Connection"] = "close" - try: - h.request(req.get_method(), selector, req.data, headers) -- s = h.get_session() -- if s: -- self.saved_session = s - r = h.getresponse() - except socket.error as err: # XXX what error? - err.filename = full_url --- -2.17.0 - @@ -6,8 +6,8 @@ # Contributor : Patrick McCarty <pnorcks at gmail dot com> pkgname=osc -pkgver=0.162.1 -pkgrel=2 +pkgver=0.164.0 +pkgrel=1 pkgdesc="Command line client for the openSUSE Build Service" arch=(any) url="https://github.com/openSUSE/osc" 
@@ -24,17 +24,14 @@ optdepends=('obs-build: required to run local builds' conflicts=('osc-git' 'osc-bash-completion' 'zsh-completion-osc') replaces=('osc-bash-completion' 'zsh-completion-osc') source=("https://github.com/openSUSE/${pkgname}/archive/${pkgver}.tar.gz" - "_osc" - '0001-Disable-ssl-session-resumption.patch' ) -sha256sums=('529d627bf10117f43f52f6e6db09e9663474ae984b7be93cae9a686b52bd932c' - '2b045e03d2fdce12683ceb9792d491a32f00b256045456412e7bc18c8726218a' - '7f01860ac98f5b817ff4d835f60fc940300b5d9b83629a6e9950ed7e6ddb087f') + "_osc") +sha256sums=('a8ea3e2ab6703061685a4ae08e232e70728022e8f9308fc3b626d21c8584da55' + '2b045e03d2fdce12683ceb9792d491a32f00b256045456412e7bc18c8726218a') prepare() { # Add 'Arch_Core' and 'Arch_Extra' as osc build targets sed -i "s|SLE_11_SP2|SLE_11_SP2 Arch_Core Arch_Extra|" _osc cd "${srcdir}/${pkgname}-${pkgver}" - patch -Np1 -i "${srcdir}"/0001-Disable-ssl-session-resumption.patch } build() { |
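Review bot: The `cd "${srcdir}/${pkgname}-${pkgver}"` left at the end of prepare() is now dead, because the `patch -Np1` call that needed it is removed and nothing follows it; drop the line. The removed patch was a local fix for a use-after-free in TLS session reuse, and it is dropped only on the commit message's statement that upstream carries it, so a cheap check before release is to confirm that `osc/oscssl.py` in the 0.164.0 tarball no longer contains `saved_session`. It would also help to record this in the PKGBUILD, for example `# ssl session resumption fix (upstream issue #398) is part of the upstream release; local patch dropped with 0.164.0`, so a later downgrade or fork does not silently lose the fix. Separately, the tarball is saved as a bare `${pkgver}.tar.gz`, which can collide in a shared SRCDEST; `"${pkgname}-${pkgver}.tar.gz::https://github.com/openSUSE/${pkgname}/archive/${pkgver}.tar.gz"` gives it a unique name.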