From 509226bd618078c68677de376597c7093aee85de Mon Sep 17 00:00:00 2001
From: Gwyn Ciesla
Date: Tue, 23 Jan 2018 09:31:53 -0600
Subject: [PATCH] Fix patch, build with openssl.
---
...smission-build-against-openssl-1.1.0.patch | 124 ++++++++++++++++++
CVE-2018-5702.patch | 50 +++----
transmission.spec | 14 +-
3 files changed, 161 insertions(+), 27 deletions(-)
create mode 100644 0001-transmission-build-against-openssl-1.1.0.patch
diff --git a/0001-transmission-build-against-openssl-1.1.0.patch b/0001-transmission-build-against-openssl-1.1.0.patch
new file mode 100644
index 0000000..2b56a8d
--- /dev/null
+++ b/0001-transmission-build-against-openssl-1.1.0.patch
@@ -0,0 +1,124 @@
+From 1108498d2a1a9c47931f41b04f248616b29383d6 Mon Sep 17 00:00:00 2001
+From: Sebastian Andrzej Siewior
+Date: Mon, 5 Sep 2016 21:49:07 +0000
+Subject: [PATCH] transmission: build against openssl 1.1.0
+
+Signed-off-by: Sebastian Andrzej Siewior
+---
+ libtransmission/crypto-utils-openssl.c | 73 ++++++++++++++++++++++++++++++++--
+ 1 file changed, 69 insertions(+), 4 deletions(-)
+
+diff --git a/libtransmission/crypto-utils-openssl.c b/libtransmission/crypto-utils-openssl.c
+index 77a628bea..16a37b205 100644
+--- a/libtransmission/crypto-utils-openssl.c
++++ b/libtransmission/crypto-utils-openssl.c
+@@ -230,6 +230,61 @@ tr_rc4_process (tr_rc4_ctx_t handle,
+ ****
+ ***/
+
++#if OPENSSL_VERSION_NUMBER < 0x10100000
++static inline int
++DH_set0_pqg (DH * dh,
++ BIGNUM * p,
++ BIGNUM * q,
++ BIGNUM * g)
++{
++ /* If the fields p and g in d are NULL, the corresponding input
++ * parameters MUST be non-NULL. q may remain NULL.
++ */
++ if ((dh->p == NULL && p == NULL)
++ || (dh->g == NULL && g == NULL))
++ return 0;
++
++ if (p != NULL) {
++ BN_free (dh->p);
++ dh->p = p;
++ }
++ if (q != NULL) {
++ BN_free (dh->q);
++ dh->q = q;
++ }
++ if (g != NULL) {
++ BN_free (dh->g);
++ dh->g = g;
++ }
++
++ if (q != NULL) {
++ dh->length = BN_num_bits (q);
++ }
++
++ return 1;
++}
++
++static inline int
++DH_set_length (DH * dh,
++ long length)
++{
++ dh->length = length;
++ return 1;
++}
++
++static inline void
++DH_get0_key(const DH * dh,
++ const BIGNUM ** pub_key,
++ const BIGNUM ** priv_key)
++{
++ if (pub_key != NULL)
++ *pub_key = dh->pub_key;
++ if (priv_key != NULL)
++ *priv_key = dh->priv_key;
++}
++
++#endif
++
+ tr_dh_ctx_t
+ tr_dh_new (const uint8_t * prime_num,
+ size_t prime_num_length,
+@@ -237,13 +292,19 @@ tr_dh_new (const uint8_t * prime_num,
+ size_t generator_num_length)
+ {
+ DH * handle = DH_new ();
++ BIGNUM * p, * g;
+
+ assert (prime_num != NULL);
+ assert (generator_num != NULL);
++ p = BN_bin2bn (prime_num, prime_num_length, NULL);
++ g = BN_bin2bn (generator_num, generator_num_length, NULL);
+
+- if (!check_pointer (handle->p = BN_bin2bn (prime_num, prime_num_length, NULL)) ||
+- !check_pointer (handle->g = BN_bin2bn (generator_num, generator_num_length, NULL)))
++ if (!check_pointer (p) ||
++ !check_pointer (g) ||
++ !DH_set0_pqg (handle, p, NULL, g))
+ {
++ BN_free (p);
++ BN_free (g);
+ DH_free (handle);
+ handle = NULL;
+ }
+@@ -268,16 +329,20 @@ tr_dh_make_key (tr_dh_ctx_t raw_handle,
+ {
+ DH * handle = raw_handle;
+ int dh_size, my_public_key_length;
++ const BIGNUM * hand_pub_key;
+
+ assert (handle != NULL);
+ assert (public_key != NULL);
+
+- handle->length = private_key_length * 8;
++
++ DH_set_length(handle, private_key_length * 8);
+
+ if (!check_result (DH_generate_key (handle)))
+ return false;
+
+- my_public_key_length = BN_bn2bin (handle->pub_key, public_key);
++ DH_get0_key (handle, &hand_pub_key, NULL);
++
++ my_public_key_length = BN_bn2bin (hand_pub_key, public_key);
+ dh_size = DH_size (handle);
+
+ tr_dh_align_key (public_key, my_public_key_length, dh_size);
+--
+2.14.3
+
diff --git a/CVE-2018-5702.patch b/CVE-2018-5702.patch
index 5c3b6d1..a3a0cf1 100644
--- a/CVE-2018-5702.patch
+++ b/CVE-2018-5702.patch
@@ -25,33 +25,33 @@ Subject: [PATCH] mitigate dns rebinding attacks against daemon 7 files changed, 121 insertions(+), 9 deletions(-) diff --git a/libtransmission/quark.c b/libtransmission/quark.c -index 30cc2bca4..6de4bc221 100644 +index 30cc2bca4..b4fd7aabd 100644 --- a/libtransmission/quark.c
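Review bot: In the embedded `tr_dh_new` hunk, `handle` from `DH_new ()` reaches `DH_set0_pqg (handle, p, NULL, g)` without a NULL check, and the pre-1.1.0 shim added above reads `dh->p` on its first line, so a failed allocation becomes a NULL dereference instead of a NULL return. Putting the handle first in the existing condition, `if (!check_pointer (handle) || !check_pointer (p) ||`, closes that, and the cleanup path stays valid because `BN_free` and `DH_free` accept NULL. A short comment on the failure branch would also help, along the lines of `/* DH_set0_pqg takes ownership of p and g only on success, so they are freed here on failure */`. `tr_dh_new` and `tr_dh_make_key` both continue past the visible hunks.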
+++ b/libtransmission/quark.c -@@ -297,6 +297,8 @@ static const struct tr_key_struct my_static[] = - { "rpc-version-minimum", 19 }, - { "rpc-whitelist", 13 }, - { "rpc-whitelist-enabled", 21 }, +@@ -289,6 +289,8 @@ static const struct tr_key_struct my_static[] = + { "rpc-authentication-required", 27 }, + { "rpc-bind-address", 16 }, + { "rpc-enabled", 11 }, + { "rpc-host-whitelist", 18 }, + { "rpc-host-whitelist-enabled", 26 }, - { "scrape", 6 }, - { "scrape-paused-torrents-enabled", 30 }, - { "scrapeState", 11 }, + { "rpc-password", 12 }, + { "rpc-port", 8 }, + { "rpc-url", 7 }, diff --git a/libtransmission/quark.h b/libtransmission/quark.h -index 7f5212733..21723dea9 100644 +index 7f5212733..17464be8f 100644 --- a/libtransmission/quark.h +++ b/libtransmission/quark.h -@@ -299,6 +299,8 @@ enum - TR_KEY_rpc_version_minimum, - TR_KEY_rpc_whitelist, - TR_KEY_rpc_whitelist_enabled, +@@ -291,6 +291,8 @@ enum + TR_KEY_rpc_authentication_required, + TR_KEY_rpc_bind_address, + TR_KEY_rpc_enabled, + TR_KEY_rpc_host_whitelist, + TR_KEY_rpc_host_whitelist_enabled, - TR_KEY_scrape, - TR_KEY_scrape_paused_torrents_enabled, - TR_KEY_scrapeState, + TR_KEY_rpc_password, + TR_KEY_rpc_port, + TR_KEY_rpc_url, diff --git a/libtransmission/rpc-server.c b/libtransmission/rpc-server.c -index a3485f3fa..a048dc8aa 100644 +index a3485f3fa..292cd5fce 100644 --- a/libtransmission/rpc-server.c +++ b/libtransmission/rpc-server.c @@ -52,6 +52,7 @@ struct tr_rpc_server @@ -84,6 +84,10 @@ index a3485f3fa..a048dc8aa 100644 + + char const* const host = evhttp_find_header(req->input_headers, "Host"); + ++ // If whitelist is disabled, no restrictions. ++ if (!server->isHostWhitelistEnabled) ++ return true; ++ + /* No host header, invalid request. */ + if (host == NULL) + { 
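Review bot: The added early return `if (!server->isHostWhitelistEnabled) return true;` sits ahead of the `host == NULL` check, so with the whitelist disabled a request is accepted with any Host header or with none, and the DNS-rebinding mitigation this patch exists for is off entirely. If that is the intended meaning of the setting, the comment should state the consequence, for example `/* Host whitelist disabled: the Host header is not validated, so this check gives no DNS-rebinding protection. */`. The `//` form also differs from the `/* */` comments used in the rest of the function. The function starts before and continues past this hunk, and the default of `rpc-host-whitelist-enabled` is not visible here, so it is worth confirming that it ships enabled.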
@@ -101,15 +105,11 @@ index a3485f3fa..a048dc8aa 100644 + } + + /* Otherwise, hostname must be whitelisted. */ -+ if (server->isHostWhitelistEnabled) -+ { -+ for (tr_list* l = server->hostWhitelist; l != NULL; l = l->next) ++ for (tr_list* l = server->hostWhitelist; l != NULL; l = l->next) { ++ if (tr_wildmat(hostname, l->data)) + { -+ if (tr_wildmat(hostname, l->data)) -+ { -+ tr_free(hostname); -+ return true; -+ } ++ tr_free(hostname); ++ return true; + } + } + diff --git a/transmission.spec b/transmission.spec index 445641b..d9bbf1f 100644 --- a/transmission.spec +++ b/transmission.spec @@ -2,7 +2,7 @@ Name: transmission Version: 2.92 -Release: 11%{?dist} +Release: 12%{?dist} Summary: A lightweight GTK+ BitTorrent client # See COPYING. This licensing situation is... special. License: MIT and GPLv2 @@ -16,8 +16,10 @@ Patch1: transmission-libsystemd.patch Patch2: transmission-fdlimits.patch # https://github.com/transmission/transmission/pull/468 Patch3: CVE-2018-5702.patch +# Cherry-picked from upstream +Patch4: 0001-transmission-build-against-openssl-1.1.0.patch -BuildRequires: compat-openssl10-devel >= 0.9.4 +BuildRequires: openssl-devel >= 1.1.0 BuildRequires: glib2-devel >= 2.32.0 BuildRequires: gtk3-devel >= 3.2.0 BuildRequires: libnotify-devel >= 0.4.3 @@ -97,6 +99,7 @@ exit 0 %patch1 -p0 %patch2 -p0 %patch3 -p1 +%patch4 -p1 # fix icon location for Transmission Qt sed -i 's|Icon=%{name}-qt|Icon=%{name}|g' qt/%{name}-qt.desktop @@ -121,6 +124,9 @@ pushd qt make %{?_smp_mflags} popd +%check +make %{?_smp_mflags} check + %install mkdir -p %{buildroot}%{_unitdir} install -m0644 daemon/transmission-daemon.service %{buildroot}%{_unitdir}/ @@ -232,6 +238,10 @@ EOF %doc %{_mandir}/man1/transmission-qt.* %changelog +* Tue Jan 23 2018 Gwyn Ciesla - 2.92-12 +- Patch for openssl 1.1.x +- Corrected CVE-2018-5702 patch. + * Tue Jan 16 2018 Peter Robinson 2.92-11 - Upstream fix for CVE-2018-5702 (Mitigate dns rebinding attacks against daemon)
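Review bot: The `Patch4` comment `# Cherry-picked from upstream` records no commit or URL, unlike `Patch3`, which carries its pull-request link. For a patch that rewrites the Diffie-Hellman setup, the origin should be traceable from the spec. The patch file's own header names commit 1108498d2a1a9c47931f41b04f248616b29383d6, so `# Upstream commit 1108498d2a1a9c47931f41b04f248616b29383d6, <upstream-commit-url>` would do, once it is confirmed that the hash is the upstream one and not a downstream rebase.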