summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLars Wendler <polynomial-c@gentoo.org>2015-03-19 15:10:57 +0000
committerLars Wendler <polynomial-c@gentoo.org>2015-03-19 15:10:57 +0000
commit1beec64c23b68b5fb12837b500c0c2e858b88ef6 (patch)
tree11473ca45418377fca8b0a162a286526aff4ace3 /dev-libs/openssl
parentFix tcl/tk slotting; bump EAPI=5; fix for format-security (diff)
downloadhistorical-1beec64c23b68b5fb12837b500c0c2e858b88ef6.tar.gz
historical-1beec64c23b68b5fb12837b500c0c2e858b88ef6.tar.bz2
historical-1beec64c23b68b5fb12837b500c0c2e858b88ef6.zip
Security bump (bug #543552)
Package-Manager: portage-2.2.18/cvs/Linux x86_64 Manifest-Sign-Key: 0x981CA6FC
Diffstat (limited to 'dev-libs/openssl')
-rw-r--r--dev-libs/openssl/ChangeLog8
-rw-r--r--dev-libs/openssl/Manifest30
-rw-r--r--dev-libs/openssl/files/openssl-0.9.8ze-CVE-2015-0286.patch326
-rw-r--r--dev-libs/openssl/openssl-0.9.8z_p5-r1.ebuild160
4 files changed, 509 insertions, 15 deletions
diff --git a/dev-libs/openssl/ChangeLog b/dev-libs/openssl/ChangeLog
index 9241a6d632be..f091aeb603f6 100644
--- a/dev-libs/openssl/ChangeLog
+++ b/dev-libs/openssl/ChangeLog
@@ -1,6 +1,12 @@
# ChangeLog for dev-libs/openssl
# Copyright 1999-2015 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/dev-libs/openssl/ChangeLog,v 1.632 2015/03/19 14:28:24 polynomial-c Exp $
+# $Header: /var/cvsroot/gentoo-x86/dev-libs/openssl/ChangeLog,v 1.633 2015/03/19 15:10:56 polynomial-c Exp $
+
+*openssl-0.9.8z_p5-r1 (19 Mar 2015)
+
+ 19 Mar 2015; Lars Wendler <polynomial-c@gentoo.org>
+ +openssl-0.9.8z_p5-r1.ebuild, +files/openssl-0.9.8ze-CVE-2015-0286.patch:
+ Security bump (bug #543552).
*openssl-1.0.2-r3 (19 Mar 2015)
*openssl-1.0.1l-r1 (19 Mar 2015)
diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index 57632505fff7..33caabfd8764 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -7,6 +7,7 @@ AUX gentoo.config-1.0.1 4980 SHA256 e7dd01bc76f0262c91b0a3a56bbf0675feedd6d5c6e6
AUX openssl-0.9.8e-bsd-sparc64.patch 1484 SHA256 8a79f022a17a7fadb4eb708538b41a7a034e21ad84162beb1f7fa7cff5eb487e SHA512 dbbfae5ce19a4247a6b1ca4a45ca6c15904e13e6bf603447cb5d9820292ceb411792e29db0001c5869e3c4cb0a8afe7fb64d35f007052efc68098301c2e81def WHIRLPOOL 36959cfb8a3f2ac05b28fb6c0e28574f0267ddb6f89471e663ee370a1a1ce3e6c85c6a637098acdac4644f4c20370e2775d9c2610ff03a5ae2a7662d79a60e95
AUX openssl-0.9.8h-ldflags.patch 1151 SHA256 29fe4b5e51cbe330451e505a5be9a74a3c83bebdca677848097967cf62f1770f SHA512 7f98c5ad310710aeceefd6fac440682bf2baaf41ce17de535add54af88c45fa0689e6e6c26bafb4fe2290fd3b6d80c51d85ffda1e276a73a3d66a319585aab11 WHIRLPOOL 43069cdcf5ae1b644a73292fc53c148e8356786069dfaadaba9e0f21b1adba5c14dbdfe061c4cffedefa072bc99d54b2af9a39b1063dcef7ab54bb45d01a7ce8
AUX openssl-0.9.8m-binutils.patch 684 SHA256 1e4475f7183ec237d129b686d4ca5265bf7eb34642e7d9e77cbe8ad9a97b4876 SHA512 5e8a20111bd4809e7375c7323dab2c2edd6a131d1ec2377ee99c5e06ceb7b4b000e9606ba6d0e68cd67d8e001cc8194e11e301eace0feb066d5f3c5b331b5f04 WHIRLPOOL dd4a0329e571e4f9322806fce2e6c510b978b68e5c6c64bfbe6993da16989c1a5451fe1e5b0509c0022925ca356cf3309799cdc204998107425fb016cb49da2d
+AUX openssl-0.9.8ze-CVE-2015-0286.patch 9784 SHA256 9c599a0e5d174ac26f1957aac085d86941972af02754d4faa94994880e43bc60 SHA512 f7864beb8b7a69fb5be7e5455b7b38583cb74f3acf8a959454eab66f111feea13a37e71cdf6545718ab6b0f037bedc903b736c55bad72f09bfd49018f53f2832 WHIRLPOOL 6f820b1195c26d34ff0d2daa3c763fb2c2a4a93ed4c8fe16dcc373fa88f97f2d4bbc9b5fc253fe8178de0adcc4164fafcd886a78223b383b103a7cabad71a9cd
AUX openssl-1.0.0a-ldflags.patch 1095 SHA256 2489ffbae4af11e1642d54992c404ca81b0c2a9c169032281f4f7778d945836f SHA512 d5a3f90ca0e9755940da525b8daba5b5d09b2b251863e9ca4f2b3b0a5db461e0aa25b2ae7a7d36d13a92ff64f2a37d4809b70aff9672c0f43398369bc7099979 WHIRLPOOL b7c2fbc833be856388110f2ac891976903e7c5dd4030249bcd79f915ae94fa93bff955ff3eaaf4a4bab306a09512bd861099c2738f5af7027174b79d023f7261
AUX openssl-1.0.0d-windres.patch 2912 SHA256 e5dbfd6af69bc3f69b51787cf1f6245207be9824dfffbdd9b4e278772ed8ab32 SHA512 d7a0238edea29aac7d20dca0778c67f8ae4dc0da190e5277e1b3519ae536f2c44533ac5dc1cbcd138bc4277ad669b13fca316bd962f26e2cb387f2ad3fd0111b WHIRLPOOL d62156820e55898d0a0393473c6ad8e49c5aa7bb9d3fc7043795de7102c3003d5f8b874c751e03cf832e306ac290790e871e1318bb830b3558a43e09be5b45b4
AUX openssl-1.0.0e-parallel-build.patch 9055 SHA256 dc7b14a29d4efc26bf14c5c37e9c3696448826a639ebf9c8485f9f2ddd7efc9b SHA512 1c34083ae3b4833792a0236a6fc73d14056aeb4f4ad086be42865f46dc81a15f017f76cc82c5e8d7cc296f6c7826fb060bf5388cba1653dc7d1fda78208513c5 WHIRLPOOL 5d31f5fdbddad7869912762bb39bcb0e93b0cfc81f3e3a5833f35517349662b9c59369524a05848fde92be600e8decc486219913a0ca3ea27761736cbee96ead
@@ -39,6 +40,7 @@ EBUILD openssl-0.9.8z_p1-r2.ebuild 4569 SHA256 97c0e405292df4bfcb70e2db0c98182f9
EBUILD openssl-0.9.8z_p2.ebuild 5012 SHA256 feb6e153bf8925e91598eb09db46d74a864a1af12db75341d44ef6a66b80b576 SHA512 cea42681b88ee20b5accd6359f45f71704ce55f6a72f6d391ddbd48b7329df2a85c343819cf16abd713fe6317c6c9cbf055790f4fb57b31a3c4d31f6f7981973 WHIRLPOOL aeb97de6f06f1e88b97f2b6646204e8f4e00d23cbb6c12442fcb7c80e72c06161af5856576a6d11713764979119fb8b73e8382299c8b60889d97f2a652f316e9
EBUILD openssl-0.9.8z_p3.ebuild 5017 SHA256 ea24ab1a926a614d81c02a228990e6584e3a58209c25ba0ccb6f9f06871d9c11 SHA512 96e20da07b2e5e1e41a19aa3da8973393b877b4d50c1f899fa39faf92bc59ab9c44d174b89c822605872e3a993820edc28fa57ecf8fa59136b1580a80a2d57fe WHIRLPOOL e540140710b97820f2d7a4adc119e5e254d6b88105a9ae2e3ed23380dff2b869920279ce2ffcc3170315e030848ea4d3280cffd4dbab1a742e965b9f6057098a
EBUILD openssl-0.9.8z_p4.ebuild 5017 SHA256 c391e1b26a814d9027b08f7c609057a00a8d75426cfb2bdc69e0b9371a7d98af SHA512 5b1d7c9ac8166a7f62f9f9e630e46e2454e5bd2c113746f62a8702d0c858fbc82e1a08b9a83706145fe6baa3f61d171c235e2014582eb3774de9830064eae585 WHIRLPOOL a4134155a1a7b648c0999c9c5886d86af7de24039823f4078cfb1885753380c2cd571bbed59ca74aa80de507e29eef22f2ecbf6caeb1a92f32b4349fa7d2574f
+EBUILD openssl-0.9.8z_p5-r1.ebuild 5094 SHA256 c50376455a492e2380e8623e888b6d6be7aa54fe63b3e2369182f1e5f85040c0 SHA512 5af35c41b72b8b9cc9e066407e64cc807e875feaedf49cfbc464e045d2835b7cfcea690f1bab31f62e327ffb5b835f93587b806805fea9869a2857e558452c3c WHIRLPOOL 738193ff7befe0873c1a83f1334801f4420a3ed3f6dcc0876dfc75694fe1332606b142081e346ebc4c27e049ccd748df8de094a88596853b5f9c66f9d94e858e
EBUILD openssl-0.9.8z_p5.ebuild 5021 SHA256 82deb7f4a4fdd0e0717d7f13d99bef53cae670da3d1735ea5ccb0c64d6e50648 SHA512 3ad9e0f04cfdb5edaeb5844d8f6fea088fbe861c5fcbf9dbc02eca76b8217f20c1668f21a166ad1ecb1de36611f92975bc841ef28524ff424a0a2230dab0d83b WHIRLPOOL ca2aeea7d68fb249c408a64fc061e72f7cbb6f0c28af0a57e3b4d89ef310c5f46486cf905d6e8acc2975f492139ec1e408b60a0027d077136a060d0014ef8e07
EBUILD openssl-1.0.0q.ebuild 7075 SHA256 aeddad6e3cf7a01dc270ca928bf9e2c2d9d3315579afc3fc2317c96f0c0634d1 SHA512 088beca351809a7a8cd85a7b409a985e4e9c82df7abdc1829526c8f4d923b568d406d5d52ef6600b7beab2d4cda58ee4c644fb9bc329d7cda95ccefd19e15e3f WHIRLPOOL bd816ac0f6659c5dda70c4dffccab98c9d379f29288099f0855f8cc7f4c216271c46c8e81a7d32774792f9167f664f4192aa1283532be8b867e6f0c0bc6a9a2d
EBUILD openssl-1.0.1j.ebuild 8781 SHA256 d95067eb3e8a17a63af329b7fe90dbf1f8f172512d0d6c87d2468295c3a13492 SHA512 e6687805ace2465600d6a212f07f84d549d6949c29e336104966691081773d0729c3b165356be07e52c9eacb1135924a2f4c1dddfc919096a815a3bb92f4333d WHIRLPOOL 5195724f3e59bb54cff52cdfd7532860da8edbd8752276c6aa7aef7baf2cfdf9c0bde46055140ed5c636b4763f6a4cf7d723ae73afe3393be0fe5fd218f63e51
@@ -48,22 +50,22 @@ EBUILD openssl-1.0.1l.ebuild 8793 SHA256 f745217205fdb90496bcb3ce539b0d856b91562
EBUILD openssl-1.0.2-r1.ebuild 8731 SHA256 648eb0511e4ddaf96bdfd9743d10a49e3be0068b6b2d6e88f2b83c58db0fb478 SHA512 e588f7fd3953e744ea1e1c03de718a5910390e47eb5692a66e14949ef4475a13aa871eb3c76c5a32a5e2e632e96104ddc872ea605abffe2ea37517ca1ee0f6f3 WHIRLPOOL e38e904d6580f83f12096a27d1906bfa722b8002c509cc242e7225568f99bb0dbde1cadcb3bbc2aed8e0de9da818199fb664c759b1d45d1c061a2e9dec5633a3
EBUILD openssl-1.0.2-r2.ebuild 8837 SHA256 94368907488d088c3bafccb5304bfcb1affc830d442715495e711b2c97f3c204 SHA512 21d57f56ccc5a15f02eef7a8b8684fb793173eacb29939958702fb277b6c5c028677704bbb2bc4880b32a29fc913b64d7a83ca5f1ab09a8aa6c26869b9a40dc6 WHIRLPOOL 7623ed6ac7858b6a533a12a17fd541cc91645a1fa41c2dce466b24afd51867ce98841a8aa6212bd4c76542918edb3e7da54148c0abe8e99e2500d7340e4ff026
EBUILD openssl-1.0.2-r3.ebuild 8898 SHA256 22f9818f36e4024fb97de00d63f968d802c46591f63943b57b6aa1f5f7c9ef09 SHA512 c3074774fcc69a08bef04e6ead96822a550458cb5a1476bb432302c6e586f8bade74df35c8a5467704863c81881619db2664e4d5e3f7675f7e7968e3ddbda2a7 WHIRLPOOL aca3af606654ae81d7c9fd56700814fe7c0b139c54c28b8032af9b0c0d904efe97438587471cd5356c62adcd3f548b3bfd57a5bbc8125157f3dacbe167e6fad7
-MISC ChangeLog 97119 SHA256 0194e621c8c35e98ac7d0adf3bdc3adfc8535568648767f355253fa69f28d3ff SHA512 a2886c363ffceda510bf91fd1246ab11db10b947c334a52de1065ced5f19b1600f5173670e11bee47c912eaa2df89c03019a70b833aa07df9c5e1b56a75da876 WHIRLPOOL fb7d8478654e8215bc78dce68aed05dbf1662da50eb1aa0649fbc3788df0c118baac684897b48aa1a5fb018f2e9518490e60b09ec69254a026794dc506a26fa2
+MISC ChangeLog 97318 SHA256 15213472f41c4e944461b2d04c55e9f13e782afab42bd0f1cd1606cccd31f965 SHA512 fc31c1bd163816364d33e1fe851694e036806376f51b8309fa32ffd5e2e8b45334fbe6423554b78366565a2d27420a5bf4130a3f3ec38b1fdfe983fc5824481e WHIRLPOOL 730aa3766f35b01b177c36725ee4aa5ba0f070390bddd216ba5971c7efc689628a4b6dcf9e80dbbb77686ea022ec370f3d93515929a16862e5797d812403f608
MISC metadata.xml 637 SHA256 7b96f0e49fc5ab28bf914be847a89300bf3c7e65f652d748a48721a40c444b8d SHA512 a92ca59f6fc42237f7d30c4b0cd7339a7e82455ef31e155fb09d61012b3e3892d235d09a8c535f1db73b1468d483bb697575167cfe0d1ab45ef184bb95dc37db WHIRLPOOL f6fe48fc5b7a3a94eff327c5a8d6930efe2a7c92e7fb8a3366d8af0133b466420e68e168883742f993e89e45db12dab8c5a11e665242e368f012b0dc26d3c9ef
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-iQIcBAEBCAAGBQJVCt0JAAoJEPiazRVxLXTFCGgP/Ro9ejRRDPLUaKr/K5SM50yw
-QZ73PkkAPCB2I/ZWWuwgCQdrGbvSR9b8e5v6XbJYUkUXyCE2ve6JSYgg40qpmgpQ
-KG7hh0dkql+rk+4fXY1LlEejYufCvuAeZvDgv6IQKg+qIQFMGzIUAx5QIsHvKok+
-HpyMDo1V1+Y1/G5AxHRIQrmPJXlOgHROQ7EyjkIJ6Odb8bB1jvVq1Vf7yp/6NlT3
-wZdoT5EiTTd0NIuQNLS8rxTyXipJigK91o021GbZNsMMUrmKisFNGw3qm5q4febx
-s1yfEW3RbaHVIn6CXZwdjm8YN5T9MfCY1l03UZO2se3LdUrxFokxr1f07sq5jeMt
-a8AJmQXSRH4deKhm0Sm1LwDGijilW9zDwgU/Y6BS1MftXUNcvRuCjQsatc+YV+zV
-6F5obT/0eJ1PwP0lBOY03ZnJvAqp+8nUFms+P4N+MjHak6RmeWAsgnhin03GHQIQ
-KcSyFm51WygQbuJzG5CjKWgWbyebr45dVgOxyqypi2XPpYlkicNTvFNPVXe6fu81
-N7SlAJfbhXk3LRNgKAcZWQgFAUvdalA5CIA7xCsP6pqO5ASomCPNffrVd4AU9qNp
-kB06bangmr3dHwJNDCgsfPcxq5GrYggXZZBEMmXokQpeif4V454LoOWbVVQgk+Q5
-FHl7+QqO3h0KhKHYEs1a
-=8Xbm
+iQIcBAEBCAAGBQJVCucBAAoJEPiazRVxLXTF7zAQALrFSsTdC6HJO5m7V7AgCaga
+wbUmKjJ3DOfMu+WZbN7PCFvPvRDOtl5H5gnYhLlwV2TC2O2m+oGNMG9zqREWQWLe
+pphgMRqvqjpN3haZa+Loyk90HO/04ZKEwAWB7snafviPtw+of9MU+87wH0IajmXr
+xR8TmGXeDI04n5FoUxnLiGDgIyMkxlVwJDrW1T5gUBJAk6pPG9+It8VBHHnMnaeZ
+K/cCNXlTOqJd1EheX3gMbRhDaGFpqjbEgNPhDQqZmvXTTq6hJZgwMkRsj77T6RQG
+TwQMbrVfUUEIDN+zyTkW426u66B3WqV26SoDxtYftRE2mODbflkd/iyzuAqd5hSD
+TgLcgSSVC5ode8cZpittBgpXTUdgUh4reF58YrruRSARFVsAiMbqrTRKuBAjVlns
+05SPRXEAArUnIQmK+bx8ceaGgAcKTF6J6fGmjEKXFFCwyLAvUOEZFQFT/tUSRQAD
+2+eGfF2AXwHRR031Ecx1e2X2XyyrMtf5YpK98+rmXaaPOoVwIq8hPkVxHh6WxPqE
+Chc9AXxr9OvWYvPkMaiRwsIKu/o404YcP2Y8hLx9ewpiz4CJ5eCjFcmjlwYH1LUM
+pHV7t1/860xwRG7KWZabF1istYbKr9nZUSPTTQ5DXtzZ1HntBjSIPmaIQ/L3wnom
+rPoiN5zQSboxKECdW51f
+=d9M0
-----END PGP SIGNATURE-----
diff --git a/dev-libs/openssl/files/openssl-0.9.8ze-CVE-2015-0286.patch b/dev-libs/openssl/files/openssl-0.9.8ze-CVE-2015-0286.patch
new file mode 100644
index 000000000000..facb77d203a1
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-0.9.8ze-CVE-2015-0286.patch
@@ -0,0 +1,326 @@
+--- openssl-0.9.8ze/crypto/asn1/a_type.c
++++ openssl-0.9.8ze/crypto/asn1/a_type.c
+@@ -121,6 +121,9 @@
+ case V_ASN1_OBJECT:
+ result = OBJ_cmp(a->value.object, b->value.object);
+ break;
++ case V_ASN1_BOOLEAN:
++ result = a->value.boolean - b->value.boolean;
++ break;
+ case V_ASN1_NULL:
+ result = 0; /* They do not have content. */
+ break;
+--- openssl-0.9.8ze/crypto/asn1/tasn_dec.c
++++ openssl-0.9.8ze/crypto/asn1/tasn_dec.c
+@@ -128,11 +128,17 @@
+ {
+ ASN1_TLC c;
+ ASN1_VALUE *ptmpval = NULL;
+- if (!pval)
+- pval = &ptmpval;
+ c.valid = 0;
+- if (ASN1_item_ex_d2i(pval, in, len, it, -1, 0, 0, &c) > 0)
+- return *pval;
++ if (pval && *pval && it->itype == ASN1_ITYPE_PRIMITIVE)
++ ptmpval = *pval;
++ if (ASN1_item_ex_d2i(&ptmpval, in, len, it, -1, 0, 0, &c) > 0) {
++ if (pval && it->itype != ASN1_ITYPE_PRIMITIVE) {
++ if (*pval)
++ ASN1_item_free(*pval, it);
++ *pval = ptmpval;
++ }
++ return ptmpval;
++ }
+ return NULL;
+ }
+
+@@ -309,9 +315,16 @@
+ if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it))
+ goto auxerr;
+
+- /* Allocate structure */
+- if (!*pval && !ASN1_item_ex_new(pval, it))
+- {
++ if (*pval) {
++ /* Free up and zero CHOICE value if initialised */
++ i = asn1_get_choice_selector(pval, it);
++ if ((i >= 0) && (i < it->tcount)) {
++ tt = it->templates + i;
++ pchptr = asn1_get_field_ptr(pval, tt);
++ ASN1_template_free(pchptr, tt);
++ asn1_set_choice_selector(pval, -1, it);
++ }
++ } else if (!ASN1_item_ex_new(pval, it)) {
+ ASN1err(ASN1_F_ASN1_ITEM_EX_D2I,
+ ERR_R_NESTED_ASN1_ERROR);
+ goto err;
+@@ -405,6 +418,17 @@
+ if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it))
+ goto auxerr;
+
++ /* Free up and zero any ADB found */
++ for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) {
++ if (tt->flags & ASN1_TFLG_ADB_MASK) {
++ const ASN1_TEMPLATE *seqtt;
++ ASN1_VALUE **pseqval;
++ seqtt = asn1_do_adb(pval, tt, 1);
++ pseqval = asn1_get_field_ptr(pval, seqtt);
++ ASN1_template_free(pseqval, seqtt);
++ }
++ }
++
+ /* Get each field entry */
+ for (i = 0, tt = it->templates; i < it->tcount; i++, tt++)
+ {
+--- openssl-0.9.8ze/crypto/pkcs7/pk7_doit.c
++++ openssl-0.9.8ze/crypto/pkcs7/pk7_doit.c
+@@ -151,6 +151,25 @@
+ EVP_PKEY *pkey;
+ ASN1_OCTET_STRING *os=NULL;
+
++ if (p7 == NULL) {
++ PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_INVALID_NULL_POINTER);
++ return NULL;
++ }
++ /*
++ * The content field in the PKCS7 ContentInfo is optional, but that really
++ * only applies to inner content (precisely, detached signatures).
++ *
++ * When reading content, missing outer content is therefore treated as an
++ * error.
++ *
++ * When creating content, PKCS7_content_new() must be called before
++ * calling this method, so a NULL p7->d is always an error.
++ */
++ if (p7->d.ptr == NULL) {
++ PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_NO_CONTENT);
++ return NULL;
++ }
++
+ i=OBJ_obj2nid(p7->type);
+ p7->state=PKCS7_S_HEADER;
+
+@@ -344,6 +363,16 @@
+ STACK_OF(PKCS7_RECIP_INFO) *rsk=NULL;
+ PKCS7_RECIP_INFO *ri=NULL;
+
++ if (p7 == NULL) {
++ PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_INVALID_NULL_POINTER);
++ return NULL;
++ }
++
++ if (p7->d.ptr == NULL) {
++ PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_CONTENT);
++ return NULL;
++ }
++
+ i=OBJ_obj2nid(p7->type);
+ p7->state=PKCS7_S_HEADER;
+
+@@ -637,6 +666,16 @@
+ STACK_OF(PKCS7_SIGNER_INFO) *si_sk=NULL;
+ ASN1_OCTET_STRING *os=NULL;
+
++ if (p7 == NULL) {
++ PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_INVALID_NULL_POINTER);
++ return 0;
++ }
++
++ if (p7->d.ptr == NULL) {
++ PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_NO_CONTENT);
++ return 0;
++ }
++
+ EVP_MD_CTX_init(&ctx_tmp);
+ i=OBJ_obj2nid(p7->type);
+ p7->state=PKCS7_S_HEADER;
+@@ -668,6 +707,7 @@
+ /* If detached data then the content is excluded */
+ if(PKCS7_type_is_data(p7->d.sign->contents) && p7->detached) {
+ M_ASN1_OCTET_STRING_free(os);
++ os = NULL;
+ p7->d.sign->contents->d.data = NULL;
+ }
+ break;
+@@ -678,6 +718,7 @@
+ if(PKCS7_type_is_data(p7->d.digest->contents) && p7->detached)
+ {
+ M_ASN1_OCTET_STRING_free(os);
++ os = NULL;
+ p7->d.digest->contents->d.data = NULL;
+ }
+ break;
+@@ -815,6 +856,11 @@
+
+ if (!PKCS7_is_detached(p7))
+ {
++ /*
++ * NOTE(emilia): I think we only reach os == NULL here because detached
++ */
++ if (os == NULL)
++ goto err;
+ btmp=BIO_find_type(bio,BIO_TYPE_MEM);
+ if (btmp == NULL)
+ {
+@@ -849,6 +895,16 @@
+ STACK_OF(X509) *cert;
+ X509 *x509;
+
++ if (p7 == NULL) {
++ PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_INVALID_NULL_POINTER);
++ return 0;
++ }
++
++ if (p7->d.ptr == NULL) {
++ PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_NO_CONTENT);
++ return 0;
++ }
++
+ if (PKCS7_type_is_signed(p7))
+ {
+ cert=p7->d.sign->cert;
+--- openssl-0.9.8ze/crypto/pkcs7/pk7_lib.c
++++ openssl-0.9.8ze/crypto/pkcs7/pk7_lib.c
+@@ -70,6 +70,7 @@
+
+ switch (cmd)
+ {
++ /* NOTE(emilia): does not support detached digested data. */
+ case PKCS7_OP_SET_DETACHED_SIGNATURE:
+ if (nid == NID_pkcs7_signed)
+ {
+@@ -473,6 +474,8 @@
+
+ STACK_OF(PKCS7_SIGNER_INFO) *PKCS7_get_signer_info(PKCS7 *p7)
+ {
++ if (p7 == NULL || p7->d.ptr == NULL)
++ return NULL;
+ if (PKCS7_type_is_signed(p7))
+ {
+ return(p7->d.sign->signer_info);
+--- openssl-0.9.8ze/doc/crypto/d2i_X509.pod
++++ openssl-0.9.8ze/doc/crypto/d2i_X509.pod
+@@ -199,6 +199,12 @@
+ persist if they are not present in the new one. As a result the use
+ of this "reuse" behaviour is strongly discouraged.
+
++Current versions of OpenSSL will not modify B<*px> if an error occurs.
++If parsing succeeds then B<*px> is freed (if it is not NULL) and then
++set to the value of the newly decoded structure. As a result B<*px>
++B<must not> be allocated on the stack or an attempt will be made to
++free an invalid pointer.
++
+ i2d_X509() will not return an error in many versions of OpenSSL,
+ if mandatory fields are not initialized due to a programming error
+ then the encoded structure may contain invalid data or omit the
+@@ -210,7 +216,9 @@
+
+ d2i_X509(), d2i_X509_bio() and d2i_X509_fp() return a valid B<X509> structure
+ or B<NULL> if an error occurs. The error code that can be obtained by
+-L<ERR_get_error(3)|ERR_get_error(3)>.
++L<ERR_get_error(3)|ERR_get_error(3)>. If the "reuse" capability has been used
++with a valid X509 structure being passed in via B<px> then the object is not
++modified in the event of error.
+
+ i2d_X509() returns the number of bytes successfully encoded or a negative
+ value if an error occurs. The error code can be obtained by
+--- openssl-0.9.8ze/ssl/s2_lib.c
++++ openssl-0.9.8ze/ssl/s2_lib.c
+@@ -410,7 +410,7 @@
+
+ OPENSSL_assert(s->session->master_key_length >= 0
+ && s->session->master_key_length
+- < (int)sizeof(s->session->master_key));
++ <= (int)sizeof(s->session->master_key));
+ EVP_DigestUpdate(&ctx,s->session->master_key,s->session->master_key_length);
+ EVP_DigestUpdate(&ctx,&c,1);
+ c++;
+--- openssl-0.9.8ze/ssl/s2_srvr.c
++++ openssl-0.9.8ze/ssl/s2_srvr.c
+@@ -446,10 +446,6 @@
+ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_NO_PRIVATEKEY);
+ return(-1);
+ }
+- i=ssl_rsa_private_decrypt(s->cert,s->s2->tmp.enc,
+- &(p[s->s2->tmp.clear]),&(p[s->s2->tmp.clear]),
+- (s->s2->ssl2_rollback)?RSA_SSLV23_PADDING:RSA_PKCS1_PADDING);
+-
+ is_export=SSL_C_IS_EXPORT(s->session->cipher);
+
+ if (!ssl_cipher_get_evp(s->session,&c,&md,NULL))
+@@ -467,21 +463,59 @@
+ else
+ ek=5;
+
++ /*
++ * The format of the CLIENT-MASTER-KEY message is
++ * 1 byte message type
++ * 3 bytes cipher
++ * 2-byte clear key length (stored in s->s2->tmp.clear)
++ * 2-byte encrypted key length (stored in s->s2->tmp.enc)
++ * 2-byte key args length (IV etc)
++ * clear key
++ * encrypted key
++ * key args
++ *
++ * If the cipher is an export cipher, then the encrypted key bytes
++ * are a fixed portion of the total key (5 or 8 bytes). The size of
++ * this portion is in |ek|. If the cipher is not an export cipher,
++ * then the entire key material is encrypted (i.e., clear key length
++ * must be zero).
++ */
++ if ((!is_export && s->s2->tmp.clear != 0) ||
++ (is_export && s->s2->tmp.clear + ek != EVP_CIPHER_key_length(c))) {
++ ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
++ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_BAD_LENGTH);
++ return -1;
++ }
++ /*
++ * The encrypted blob must decrypt to the encrypted portion of the key.
++ * Decryption can't be expanding, so if we don't have enough encrypted
++ * bytes to fit the key in the buffer, stop now.
++ */
++ if ((is_export && s->s2->tmp.enc < ek) ||
++ (!is_export && s->s2->tmp.enc < EVP_CIPHER_key_length(c))) {
++ ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
++ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_LENGTH_TOO_SHORT);
++ return -1;
++ }
++
++ i = ssl_rsa_private_decrypt(s->cert, s->s2->tmp.enc,
++ &(p[s->s2->tmp.clear]),
++ &(p[s->s2->tmp.clear]),
++ (s->s2->ssl2_rollback) ? RSA_SSLV23_PADDING :
++ RSA_PKCS1_PADDING);
++
+ /* bad decrypt */
+ #if 1
+ /* If a bad decrypt, continue with protocol but with a
+ * random master secret (Bleichenbacher attack) */
+- if ((i < 0) ||
+- ((!is_export && (i != EVP_CIPHER_key_length(c)))
+- || (is_export && ((i != ek) || (s->s2->tmp.clear+(unsigned int)i !=
+- (unsigned int)EVP_CIPHER_key_length(c))))))
+- {
++ if ((i < 0) || ((!is_export && i != EVP_CIPHER_key_length(c))
++ || (is_export && i != ek))) {
+ ERR_clear_error();
+ if (is_export)
+ i=ek;
+ else
+ i=EVP_CIPHER_key_length(c);
+- if (RAND_pseudo_bytes(p,i) <= 0)
++ if (RAND_pseudo_bytes(&p[s->s2->tmp.clear], i) <= 0)
+ return 0;
+ }
+ #else
+@@ -505,7 +539,8 @@
+ }
+ #endif
+
+- if (is_export) i+=s->s2->tmp.clear;
++ if (is_export)
++ i = EVP_CIPHER_key_length(c);
+
+ if (i > SSL_MAX_MASTER_KEY_LENGTH)
+ {
diff --git a/dev-libs/openssl/openssl-0.9.8z_p5-r1.ebuild b/dev-libs/openssl/openssl-0.9.8z_p5-r1.ebuild
new file mode 100644
index 000000000000..8c008c98dc00
--- /dev/null
+++ b/dev-libs/openssl/openssl-0.9.8z_p5-r1.ebuild
@@ -0,0 +1,160 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/dev-libs/openssl/openssl-0.9.8z_p5-r1.ebuild,v 1.1 2015/03/19 15:10:56 polynomial-c Exp $
+
+# this ebuild is only for the libcrypto.so.0.9.8 and libssl.so.0.9.8 SONAME for ABI compat
+
+EAPI="5"
+
+inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
+
+PLEVEL=$(echo "${PV##*_p}" | tr '[1-9]' '[a-i]')
+MY_PV=${PV/_p*/${PLEVEL}}
+MY_P=${PN}-${MY_PV}
+S="${WORKDIR}/${MY_P}"
+DESCRIPTION="Toolkit for SSL v2/v3 and TLS v1"
+HOMEPAGE="http://www.openssl.org/"
+SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"
+
+LICENSE="openssl"
+SLOT="0.9.8"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~sparc-fbsd ~x86-fbsd"
+IUSE="bindist gmp kerberos cpu_flags_x86_sse2 test zlib"
+
+RDEPEND="gmp? ( >=dev-libs/gmp-5.1.3-r1[${MULTILIB_USEDEP}] )
+ zlib? ( >=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}] )
+ kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )
+ abi_x86_32? (
+ !<=app-emulation/emul-linux-x86-baselibs-20140508-r4
+ !app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
+ )
+ !=dev-libs/openssl-0.9.8*:0"
+DEPEND="${RDEPEND}
+ sys-apps/diffutils
+ >=dev-lang/perl-5
+ test? ( sys-devel/bc )"
+
+# Do not install any docs
+DOCS=()
+
+src_prepare() {
+ epatch "${FILESDIR}"/${PN}-0.9.8e-bsd-sparc64.patch
+ epatch "${FILESDIR}"/${PN}-0.9.8h-ldflags.patch #181438
+ epatch "${FILESDIR}"/${PN}-0.9.8m-binutils.patch #289130
+ epatch "${FILESDIR}"/${PN}-0.9.8ze-CVE-2015-0286.patch #543552
+
+ # disable fips in the build
+ # make sure the man pages are suffixed #302165
+ # don't bother building man pages if they're disabled
+ sed -i \
+ -e '/DIRS/s: fips : :g' \
+ -e '/^MANSUFFIX/s:=.*:=ssl:' \
+ -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
+ -e $(has noman FEATURES \
+ && echo '/^install:/s:install_docs::' \
+ || echo '/^MANDIR=/s:=.*:=/usr/share/man:') \
+ Makefile{,.org} \
+ || die
+ # show the actual commands in the log
+ sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared
+ # update the enginedir path.
+ # punt broken config we don't care about as it fails sanity check.
+ sed -i \
+ -e '/^"debug-ben-debug-64"/d' \
+ -e "/foo.*engines/s|/lib/engines|/$(get_libdir)/engines|" \
+ Configure || die
+
+ # since we're forcing $(CC) as makedep anyway, just fix
+ # the conditional as always-on
+ # helps clang (#417795), and versioned gcc (#499818)
+ sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die
+
+ # quiet out unknown driver argument warnings since openssl
+ # doesn't have well-split CFLAGS and we're making it even worse
+ # and 'make depend' uses -Werror for added fun (#417795 again)
+ [[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
+
+ # allow openssl to be cross-compiled
+ cp "${FILESDIR}"/gentoo.config-0.9.8 gentoo.config || die "cp cross-compile failed"
+ chmod a+rx gentoo.config
+
+ append-flags -fno-strict-aliasing
+ append-flags -Wa,--noexecstack
+
+ sed -i '1s,^:$,#!/usr/bin/perl,' Configure #141906
+ sed -i '/^"debug-bodo/d' Configure # 0.9.8za shipped broken
+ ./config --test-sanity || die "I AM NOT SANE"
+
+ multilib_copy_sources
+}
+
+multilib_src_configure() {
+ unset APPS #197996
+ unset SCRIPTS #312551
+
+ tc-export CC AR RANLIB
+
+ # Clean out patent-or-otherwise-encumbered code
+ # Camellia: Royalty Free http://en.wikipedia.org/wiki/Camellia_(cipher)
+ # IDEA: Expired http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
+ # EC: ????????? ??/??/2015 http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
+ # MDC2: Expired http://en.wikipedia.org/wiki/MDC-2
+ # RC5: 5,724,428 03/03/2015 http://en.wikipedia.org/wiki/RC5
+
+ use_ssl() { use $1 && echo "enable-${2:-$1} ${*:3}" || echo "no-${2:-$1}" ; }
+ echoit() { echo "$@" ; "$@" ; }
+
+ local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+ local sslout=$(./gentoo.config)
+ einfo "Use configuration ${sslout:-(openssl knows best)}"
+ local config="Configure"
+ [[ -z ${sslout} ]] && config="config"
+
+ echoit \
+ ./${config} \
+ ${sslout} \
+ $(use cpu_flags_x86_sse2 || echo "no-sse2") \
+ enable-camellia \
+ $(use_ssl !bindist ec) \
+ enable-idea \
+ enable-mdc2 \
+ $(use_ssl !bindist rc5) \
+ enable-tlsext \
+ $(use_ssl gmp gmp -lgmp) \
+ $(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
+ $(use_ssl zlib) \
+ --prefix=/usr \
+ --openssldir=/etc/ssl \
+ shared threads \
+ || die "Configure failed"
+
+ # Clean out hardcoded flags that openssl uses
+ local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
+ -e 's:^CFLAG=::' \
+ -e 's:-fomit-frame-pointer ::g' \
+ -e 's:-O[0-9] ::g' \
+ -e 's:-march=[-a-z0-9]* ::g' \
+ -e 's:-mcpu=[-a-z0-9]* ::g' \
+ -e 's:-m[a-z0-9]* ::g' \
+ )
+ sed -i \
+ -e "/^LIBDIR=/s|=.*|=$(get_libdir)|" \
+ -e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \
+ -e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \
+ Makefile || die
+}
+
+multilib_src_compile() {
+ # depend is needed to use $confopts
+ emake -j1 depend
+ emake -j1 build_libs
+}
+
+multilib_src_test() {
+ emake -j1 test
+}
+
+multilib_src_install() {
+ dolib.so lib{crypto,ssl}.so.0.9.8
+}