Package: spice / 0.14.3-2.1

With-OpenSSL-1.0.2-and-earlier-disable-client-side-r.patch Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
From: =?UTF-8?q?Julien=20Rop=C3=A9?= <jrope@redhat.com>
Date: Thu, 3 Dec 2020 09:33:48 +0100
Subject: [2/2] With OpenSSL 1.0.2 and earlier: disable client-side
 renegotiation.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Origin: https://gitlab.freedesktop.org/spice/spice/-/commit/95a0cfac8a1c8eff50f05e65df945da3bb501fc9
Bug: https://gitlab.freedesktop.org/spice/spice/-/issues/49
Bug-Debian: https://bugs.debian.org/983698
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-20201

Fixed issue #49
Fixes BZ#1904459

Signed-off-by: Julien Ropé <jrope@redhat.com>
Reported-by: BlackKD
Acked-by: Frediano Ziglio <fziglio@redhat.com>
[Salvatore Bonaccorso: Backport to 0.14.3: Filename change]
---
 server/red-stream.cpp | 5 +++++
 1 file changed, 5 insertions(+)

--- a/server/red-stream.c
+++ b/server/red-stream.c
@@ -523,6 +523,11 @@ RedStreamSslStatus red_stream_ssl_accept
         return RED_STREAM_SSL_STATUS_OK;
     }
 
+#ifndef SSL_OP_NO_RENEGOTIATION
+    // With OpenSSL 1.0.2 and earlier: disable client-side renogotiation
+    stream->priv->ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
+#endif
+
     ssl_error = SSL_get_error(stream->priv->ssl, return_code);
     if (return_code == -1 && (ssl_error == SSL_ERROR_WANT_READ ||
                               ssl_error == SSL_ERROR_WANT_WRITE)) {