diffstat of debian/ for erlang_16.b.3-dfsg-1 erlang_16.b.3-dfsg-1ubuntu2.2 changelog | 282 ++++++++++++++++++ control | 33 -- patches/CVE-2014-1693.patch | 435 ++++++++++++++++++++++++++++ patches/CVE-2015-2774.patch | 522 ++++++++++++++++++++++++++++++++++ patches/CVE-2017-1000385.patch | 73 ++++ patches/bytecode-compat.patch | 32 ++ patches/fix-pointer-converstion.patch | 25 + patches/series | 5 rules | 9 9 files changed, 1395 insertions(+), 21 deletions(-) diff -Nru erlang-16.b.3-dfsg/debian/changelog erlang-16.b.3-dfsg/debian/changelog --- erlang-16.b.3-dfsg/debian/changelog 2013-12-12 08:05:46.000000000 +0000 +++ erlang-16.b.3-dfsg/debian/changelog 2017-12-07 13:50:42.000000000 +0000 @@ -1,3 +1,55 @@ +erlang (1:16.b.3-dfsg-1ubuntu2.2) trusty-security; urgency=medium + + * SECURITY UPDATE: CRLF injection vulnerabilities in the FTP module + - debian/patches/CVE-2014-1693.patch: check values in + lib/inets/src/ftp/ftp.erl, /lib/inets/test/ftp_suite_lib.erl. + - CVE-2014-1693 + * SECURITY UPDATE: padding-oracle attack + - debian/patches/CVE-2015-2774.patch: re-enable padding check and + provide option to disable in lib/ssl/doc/src/ssl.xml, + lib/ssl/src/dtls_record.erl, lib/ssl/src/ssl.erl, + lib/ssl/src/ssl_cipher.erl, lib/ssl/src/ssl_internal.hrl, + lib/ssl/src/ssl_record.erl, lib/ssl/src/tls_connection.erl, + lib/ssl/src/tls_record.erl, lib/ssl/test/ssl_cipher_SUITE.erl. + - CVE-2015-2774 + * SECURITY UPDATE: Adaptive Chosen Ciphertext attack in TLS server + - debian/patches/CVE-2017-1000385.patch: add countermeasurements for + Bleichenbacher attack in lib/ssl/src/ssl_connection.erl, + lib/ssl/src/ssl_connection.hrl, lib/ssl/src/tls_connection.erl. + - CVE-2017-1000385 + + -- Marc Deslauriers Thu, 07 Dec 2017 08:47:37 -0500 + +erlang (1:16.b.3-dfsg-1ubuntu2.1) trusty; urgency=medium + + * Enable IPv6 support in epmd (LP: #1312507), supporting use in IPv6 + only environments: + - d/rules: Use "-DEPMD6" in CPPFLAGS and ensure this is passed to + relevant bits of the build process. + + -- James Page Tue, 12 Aug 2014 17:29:24 +0100 + +erlang (1:16.b.3-dfsg-1ubuntu2) trusty; urgency=medium + + * Build erlang-base-hipe on ppc64 and ppc64el. + + -- Matthias Klose Fri, 10 Jan 2014 13:30:11 +0100 + +erlang (1:16.b.3-dfsg-1ubuntu1) trusty; urgency=low + + * Merge from Debian unstable. Remaining changes: + - d/patches/fix-pointer-conversion.patch: Remove implicit integer to + pointer conversion. + - d/control: Drop libwxgtk3.0-dev build dependency. Wx isn't in main, + and not supposed to. + - d/control: Drop erlang-wx binary and associated dependencies from + other erlang-* packages. + - d/rules: Add "+debug_info" to ERL_COMPILE_FLAGS for debug builds. + - d/p/bytecode-compat.patch: Specify source/target = 1.5 when compiling + Java source code. + + -- James Page Mon, 06 Jan 2014 11:13:39 +0000 + erlang (1:16.b.3-dfsg-1) unstable; urgency=low * New upstream release. @@ -9,6 +61,21 @@ -- Sergei Golovan Thu, 12 Dec 2013 12:03:35 +0400 +erlang (1:16.b.2-dfsg-2ubuntu1) trusty; urgency=low + + * Merge from Debian unstable. Remaining changes: + - d/patches/fix-pointer-conversion.patch: Remove implicit integer to + pointer conversion. + - d/control: Drop libwxgtk3.0-dev build dependency. Wx isn't in main, + and not supposed to. + - d/control: Drop erlang-wx binary and associated dependencies from + other erlang-* packages. + - d/rules: Add "+debug_info" to ERL_COMPILE_FLAGS for debug builds. + - d/p/bytecode-compat.patch: Specify source/target = 1.5 when compiling + Java source code. + + -- James Page Thu, 28 Nov 2013 10:47:24 +0000 + erlang (1:16.b.2-dfsg-2) unstable; urgency=low * Switched to wxWidgets 3.0 from 2.8 for erlang-wx application. @@ -19,6 +86,21 @@ -- Sergei Golovan Thu, 21 Nov 2013 14:51:50 +0400 +erlang (1:16.b.2-dfsg-1ubuntu1) trusty; urgency=low + + * Merge from Debian unstable. Remaining changes: + - d/patches/fix-pointer-conversion.patch: Remove implicit integer to + pointer conversion. + - d/control: Drop libwxgtk2.8-dev build dependency. Wx isn't in main, + and not supposed to. + - d/control: Drop erlang-wx binary and associated dependencies from + other erlang-* packages. + - d/rules: Add "+debug_info" to ERL_COMPILE_FLAGS for debug builds. + - d/p/bytecode-compat.patch: Specify source/target = 1.5 when compiling + Java source code. + + -- James Page Mon, 11 Nov 2013 16:54:10 +0000 + erlang (1:16.b.2-dfsg-1) unstable; urgency=low * New upstream release. @@ -41,6 +123,21 @@ -- Sergei Golovan Sat, 24 Aug 2013 00:24:27 +0400 +erlang (1:16.b.1-dfsg-4ubuntu1) saucy; urgency=low + + * Merge from Debian unstable. Remaining changes: + - d/patches/fix-pointer-conversion.patch: Remove implicit integer to + pointer conversion. + - d/control: Drop libwxgtk2.8-dev build dependency. Wx isn't in main, + and not supposed to. + - d/control: Drop erlang-wx binary and associated dependencies from + other erlang-* packages. + - d/rules: Add "+debug_info" to ERL_COMPILE_FLAGS for debug builds. + - d/p/bytecode-compat.patch: Specify source/target = 1.5 when compiling + Java source code. + + -- James Page Wed, 10 Jul 2013 10:51:19 +0100 + erlang (1:16.b.1-dfsg-4) unstable; urgency=low * Fixed the binary packages interdependencies. @@ -71,6 +168,21 @@ -- Sergei Golovan Wed, 19 Jun 2013 14:10:46 +0400 +erlang (1:16.b-dfsg-3ubuntu1) saucy; urgency=low + + * Merge from Debian unstable. Remaining changes: + - d/patches/fix-pointer-conversion.patch: Remove implicit integer to + pointer conversion. + - d/control: Drop libwxgtk2.8-dev build dependency. Wx isn't in main, + and not supposed to. + - d/control: Drop erlang-wx binary and associated dependencies from + other erlang-* packages. + - d/rules: Add "+debug_info" to ERL_COMPILE_FLAGS for debug builds. + - d/p/bytecode-compat.patch: Specify source/target = 1.5 when compiling + Java source code. + + -- James Page Mon, 13 May 2013 12:46:29 +0100 + erlang (1:16.b-dfsg-3) unstable; urgency=low * Upload to unstable. @@ -92,6 +204,21 @@ -- Sergei Golovan Thu, 28 Feb 2013 09:08:37 +0400 +erlang (1:15.b.1-dfsg-4ubuntu1) raring; urgency=low + + * Merge from Debian unstable. Remaining changes: + - d/patches/fix-pointer-conversion.patch: Remove implicit integer to + pointer conversion. + - d/control: Drop libwxgtk2.8-dev build dependency. Wx isn't in main, + and not supposed to. + - d/control: Drop erlang-wx binary and associated dependencies from + other erlang-* packages. + - d/rules: Add "+debug_info" to ERL_COMPILE_FLAGS for debug builds. + - d/p/bytecode-compat.patch: Specify source/target = 1.5 when compiling + Java source code. + + -- James Page Tue, 05 Feb 2013 15:05:19 +0000 + erlang (1:15.b.1-dfsg-4) unstable; urgency=low * Added link for to_erl communication program to /usr/bin. Also created @@ -132,6 +259,27 @@ -- Sergei Golovan Fri, 07 Sep 2012 14:15:37 +0400 +erlang (1:15.b.1-dfsg-3ubuntu2) quantal; urgency=low + + * Ensure backwards comaptible Java bytecode is built (LP: #1049769): + - d/p/bytecode-compat.patch: Specify source/target = 1.5 when compiling + Java source code. + + -- James Page Thu, 20 Sep 2012 13:51:11 +0100 + +erlang (1:15.b.1-dfsg-3ubuntu1) quantal; urgency=low + + * Merge from Debian unstable. Remaining changes: + - d/patches/fix-pointer-conversion.patch: Remove implicit integer to + pointer conversion. + - d/control: Drop libwxgtk2.8-dev build dependency. Wx isn't in main, + and not supposed to. + - d/control: Drop erlang-wx binary and associated dependencies from + other erlang-* packages. + - d/rules: Add "+debug_info" to ERL_COMPILE_FLAGS for debug builds. + + -- James Page Mon, 02 Jul 2012 14:31:28 +0100 + erlang (1:15.b.1-dfsg-3) unstable; urgency=low * Moved kernel and stdlib include files from erlang-dev to the erlang-base @@ -144,6 +292,20 @@ -- Sergei Golovan Sat, 02 Jun 2012 01:02:17 +0400 +erlang (1:15.b.1-dfsg-2ubuntu1) quantal; urgency=low + + * Merge from Debian unstable. Remaining changes: + - d/patches/fix-pointer-conversion.patch: Remove implicit integer to + pointer conversion. + - d/control: Drop libwxgtk2.8-dev build dependency. Wx isn't in main, + and not supposed to. + - d/control: Drop erlang-wx binary and associated dependencies from + other erlang-* packages. + - d/rules: Add "+debug_info" to ERL_COMPILE_FLAGS for debug builds. + * Tidied obsolete patches from d/patches. + + -- James Page Fri, 01 Jun 2012 10:07:21 +0100 + erlang (1:15.b.1-dfsg-2) unstable; urgency=low * Depend on procps unconditionally since it works for all architectures now. @@ -196,6 +358,23 @@ -- Sergei Golovan Thu, 15 Dec 2011 19:20:10 +0400 +erlang (1:14.b.4-dfsg-1ubuntu1) precise; urgency=low + + * Merge from Debian testing. Remaining changes: + - debian/patches/fix-pointer-conversion.patch: Remove implicit + integer to pointer conversion (patch refreshed) + - Drop libwxgtk2.8-dev build dependency. Wx isn't in main, and not + supposed to. + - Drop erlang-wx binary. + - Drop erlang-wx dependency from -megaco, -common-test, and -reltool, they + do not really need wx. Also drop it from -debugger; the GUI needs wx, + but it apparently has CLI bits as well, and is also needed by -megaco, + so let's keep the package for now. + * Dropped changes: + debian/patches/tcp.patch: applied upstream + + -- Clint Byrum Thu, 15 Dec 2011 16:41:11 -0800 + erlang (1:14.b.4-dfsg-1) unstable; urgency=low * New upstream release (closes: #636678). @@ -218,6 +397,40 @@ -- Sergei Golovan Wed, 08 Jun 2011 08:39:43 +0400 +erlang (1:14.b.2-dfsg-3ubuntu2) oneiric; urgency=low + + * debian/patches/fix-pointer-conversion.patch: Remove implicit + integer to pointer conversion (LP: #778474) + + -- Clint Byrum Fri, 06 May 2011 06:10:07 -0700 + +erlang (1:14.b.2-dfsg-3ubuntu1) oneiric; urgency=low + + * Merge from debian unstable. Remaining changes: + - Drop libwxgtk2.8-dev build dependency. Wx isn't in main, and not + supposed to. + - Drop erlang-wx binary. + - Drop erlang-wx dependency from -megaco, -common-test, and -reltool, they + do not really need wx. Also drop it from -debugger; the GUI needs wx, + but it apparently has CLI bits as well, and is also needed by -megaco, + so let's keep the package for now. + - debian/patches/series: Do what I meant, and enable build-options.patch + instead. + * Additional changes: + - Drop erlang-wx from -et + * Dropped Changes: + - patches/pcre-crash.patch: CVE-2008-2371: outer level option with + alternatives caused crash. (Applied Upstream) + - fix for ssl certificate verification in newSSL: + ssl_cacertfile_fix.patch (Applied Upstream) + - debian/patches/series: Enable native.patch again, to get stripped beam + files and reduce the package size again. (build-options is what + actually accomplished this) + - Remove build-options.patch on advice from upstream and because it caused + odd build failures. + + -- Clint Byrum Thu, 05 May 2011 15:48:43 -0700 + erlang (1:14.b.2-dfsg-3) unstable; urgency=low * Enabled pre-Pentium-4 compatibility in the ethread library @@ -395,6 +608,33 @@ -- Sergei Golovan Sun, 07 Feb 2010 15:01:16 +0300 +erlang (1:13.b.3-dfsg-2ubuntu3) maverick; urgency=low + + * fix for ssl certificate verification in newSSL: ssl_cacertfile_fix.patch + (LP: #643787) + + -- Samuele Pedroni (Canonical Services Ltd.) Fri, 24 Sep 2010 09:35:12 +0200 + +erlang (1:13.b.3-dfsg-2ubuntu2) lucid; urgency=low + + * CVE-2008-2371: outer level option with alternatives caused crash. + (LP: #535090). + + -- Ralf Doering Thu, 11 Mar 2010 15:20:06 +0100 + +erlang (1:13.b.3-dfsg-2ubuntu1) lucid; urgency=low + + * Merge with Debian testing; remaining Ubuntu changes: + - Drop libwxgtk2.8-dev build dependency. Wx isn't in main, and not + supposed to. (LP #438365) + - Drop erlang-wx binary. + - Drop erlang-wx dependency from -megaco, -common-test, and -reltool, they + do not really need wx. Also drop it from -debugger; the GUI needs wx, + but it apparently has CLI bits as well, and is also needed by -megaco, + so let's keep the package for now. + + -- Elliot Murphy Mon, 21 Dec 2009 21:54:16 -0500 + erlang (1:13.b.3-dfsg-2) unstable; urgency=low * Fixed dialyzer(1) manpage which was placed into section 3 and conflicted @@ -413,6 +653,34 @@ -- Sergei Golovan Sat, 19 Dec 2009 19:44:54 +0300 +erlang (1:13.b.2.1-dfsg-1ubuntu3) lucid; urgency=low + + * build-options.patch: Fix to apply to current version. + * debian/patches/series: Do what I meant, and enable build-options.patch + instead. + + -- Martin Pitt Mon, 07 Dec 2009 10:28:47 +0100 + +erlang (1:13.b.2.1-dfsg-1ubuntu2) lucid; urgency=low + + * debian/patches/series: Enable native.patch again, to get stripped beam + files and reduce the package size again. (LP: #493278) + + -- Martin Pitt Mon, 07 Dec 2009 09:02:37 +0100 + +erlang (1:13.b.2.1-dfsg-1ubuntu1) lucid; urgency=low + + * Merge with Debian testing; remaining Ubuntu changes: + - Drop libwxgtk2.8-dev build dependency. Wx isn't in main, and not + supposed to. (LP #438365) + - Drop erlang-wx binary. + - Drop erlang-wx dependency from -megaco, -common-test, and -reltool, they + do not really need wx. Also drop it from -debugger; the GUI needs wx, + but it apparently has CLI bits as well, and is also needed by -megaco, + so let's keep the package for now. + + -- Martin Pitt Fri, 06 Nov 2009 18:54:42 +0100 + erlang (1:13.b.2.1-dfsg-1) unstable; urgency=low * New upstream release (closes: #539269). @@ -469,6 +737,19 @@ -- Sergei Golovan Tue, 30 Jun 2009 14:13:14 +0400 +erlang (1:13.b.1-dfsg-2ubuntu1) karmic; urgency=low + + * debian/control: + - Drop libwxgtk2.8-dev build dependency. Wx isn't in main, and not + supposed to. (LP: #438365) + - Drop erlang-wx binary. + - Drop erlang-wx dependency from -megaco, -common-test, and -reltool, they + do not really need wx. Also drop it from -debugger; the GUI needs wx, + but it apparently has CLI bits as well, and is also needed by -megaco, + so let's keep the package for now. + + -- Martin Pitt Fri, 16 Oct 2009 09:40:16 +0200 + erlang (1:13.b.1-dfsg-2) unstable; urgency=low * Updated manpages for section 1. @@ -1729,3 +2010,4 @@ * Erlang sources for libraries and tools are removed from the bin dist. -- Mark Ng Thu, 4 Feb 1999 23:21:00 +1100 + diff -Nru erlang-16.b.3-dfsg/debian/control erlang-16.b.3-dfsg/debian/control --- erlang-16.b.3-dfsg/debian/control 2013-11-22 16:06:18.000000000 +0000 +++ erlang-16.b.3-dfsg/debian/control 2014-01-10 13:31:05.000000000 +0000 @@ -1,12 +1,13 @@ Source: erlang -Maintainer: Debian Erlang Packagers +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian Erlang Packagers Uploaders: Sergei Golovan Section: interpreters Priority: optional Standards-Version: 3.9.4 Build-Depends: debhelper (>= 8.0.0), autoconf (>= 2.50), openssl, libssl-dev, m4, libncurses5-dev, autotools-dev, unixodbc-dev, bison, flex, ed, - libwxgtk3.0-dev, dctrl-tools, xsltproc, + dctrl-tools, xsltproc, libgl1-mesa-dev | libgl-dev, libglu1-mesa-dev | libglu-dev, libsctp-dev [linux-any] Build-Depends-Indep: fop, default-jdk | sun-java6-jdk @@ -35,7 +36,7 @@ Package: erlang-base-hipe -Architecture: amd64 i386 powerpc sparc solaris-i386 +Architecture: amd64 i386 powerpc ppc64 ppc64el sparc solaris-i386 Priority: extra Depends: procps, ${shlibs:Depends}, ${misc:Depends} Recommends: ${libsctp:Version}, erlang-crypto (= ${binary:Version}), erlang-syntax-tools (= ${binary:Version}) @@ -137,7 +138,7 @@ Package: erlang-debugger Architecture: any -Depends: ${erlang-base}, erlang-gs (= ${binary:Version}), erlang-wx (= ${binary:Version}), ${misc:Depends} +Depends: ${erlang-base}, erlang-gs (= ${binary:Version}), ${misc:Depends} Suggests: erlang, erlang-manpages, erlang-doc Replaces: erlang (<< ${source:Version}), erlang-base (<< ${binary:Version}), erlang-base-hipe (<< ${binary:Version}), erlang-nox (<< ${source:Version}), erlang-x11 (<< ${binary:Version}), erlang-src (<< ${source:Version}), erlang-dev (<< ${binary:Version}), erlang-examples (<< ${source:Version}), erlang-mode (<< 1:12.b.1-dfsg-2), erlang-doc (<< ${source:Upstream-Version}), erlang-doc (>> ${source:Upstream-Version}-999), erlang-manpages (<= 1:11.b.1-2) Description: Erlang/OTP application for debugging and testing @@ -150,7 +151,7 @@ Package: erlang-dialyzer Architecture: any Depends: ${erlang-base}, erlang-syntax-tools (=${binary:Version}), ${shlibs:Depends}, ${misc:Depends} -Suggests: erlang-gs (= ${binary:Version}), erlang-wx (= ${binary:Version}), erlang, erlang-manpages, erlang-doc +Suggests: erlang-gs (= ${binary:Version}), erlang, erlang-manpages, erlang-doc Replaces: erlang (<< ${source:Version}), erlang-base (<< ${binary:Version}), erlang-base-hipe (<< ${binary:Version}), erlang-nox (<< ${source:Version}), erlang-x11 (<< ${binary:Version}), erlang-src (<< ${source:Version}), erlang-dev (<< ${binary:Version}), erlang-examples (<< ${source:Version}), erlang-mode (<< 1:12.b.1-dfsg-2), erlang-doc (<< ${source:Upstream-Version}), erlang-doc (>> ${source:Upstream-Version}-999), erlang-manpages (<= 1:11.b.1-2) Description: Erlang/OTP discrepancy analyzer application Dialyzer is a static analysis tool that identifies software @@ -215,7 +216,7 @@ Package: erlang-et Architecture: any -Depends: ${erlang-base}, erlang-gs (= ${binary:Version}), erlang-runtime-tools (= ${binary:Version}), erlang-wx (= ${binary:Version}), ${misc:Depends} +Depends: ${erlang-base}, erlang-gs (= ${binary:Version}), erlang-runtime-tools (= ${binary:Version}), ${misc:Depends} Suggests: erlang, erlang-manpages, erlang-doc Replaces: erlang (<< ${source:Version}), erlang-base (<< ${binary:Version}), erlang-base-hipe (<< ${binary:Version}), erlang-nox (<< ${source:Version}), erlang-x11 (<< ${binary:Version}), erlang-src (<< ${source:Version}), erlang-dev (<< ${binary:Version}), erlang-examples (<< ${source:Version}), erlang-mode (<< 1:12.b.1-dfsg-2), erlang-doc (<< ${source:Upstream-Version}), erlang-doc (>> ${source:Upstream-Version}-999), erlang-manpages (<= 1:11.b.1-2) Description: Erlang/OTP event tracer application @@ -317,7 +318,7 @@ Package: erlang-observer Architecture: any -Depends: ${erlang-base}, erlang-et (= ${binary:Version}), erlang-gs (= ${binary:Version}), erlang-inets (= ${binary:Version}), erlang-runtime-tools (= ${binary:Version}), erlang-webtool (= ${binary:Version}), erlang-wx (= ${binary:Version}), ${misc:Depends} +Depends: ${erlang-base}, erlang-et (= ${binary:Version}), erlang-gs (= ${binary:Version}), erlang-inets (= ${binary:Version}), erlang-runtime-tools (= ${binary:Version}), erlang-webtool (= ${binary:Version}), ${misc:Depends} Suggests: erlang, erlang-manpages, erlang-doc Replaces: erlang (<< ${source:Version}), erlang-base (<< ${binary:Version}), erlang-base-hipe (<< ${binary:Version}), erlang-nox (<< ${source:Version}), erlang-x11 (<< ${binary:Version}), erlang-src (<< ${source:Version}), erlang-dev (<< ${binary:Version}), erlang-examples (<< ${source:Version}), erlang-mode (<< 1:12.b.1-dfsg-2), erlang-doc (<< ${source:Upstream-Version}), erlang-doc (>> ${source:Upstream-Version}-999), erlang-manpages (<= 1:11.b.1-2) Description: Erlang/OTP application for investigating distributed systems @@ -392,7 +393,7 @@ Package: erlang-reltool Architecture: any -Depends: ${erlang-base}, erlang-tools (= ${binary:Version}), erlang-wx (= ${binary:Version}), ${misc:Depends} +Depends: ${erlang-base}, erlang-tools (= ${binary:Version}), ${misc:Depends} Suggests: erlang, erlang-manpages, erlang-doc Replaces: erlang (<< ${source:Version}), erlang-base (<< ${binary:Version}), erlang-base-hipe (<< ${binary:Version}), erlang-nox (<< ${source:Version}), erlang-x11 (<< ${binary:Version}), erlang-src (<< ${source:Version}), erlang-dev (<< ${binary:Version}), erlang-examples (<< ${source:Version}), erlang-mode (<< 1:12.b.1-dfsg-2), erlang-doc (<< ${source:Upstream-Version}), erlang-doc (>> ${source:Upstream-Version}-999), erlang-manpages (<= 1:11.b.1-2) Description: Erlang/OTP release management tool @@ -541,16 +542,6 @@ It configures and starts a web server as well as all available tools. -Package: erlang-wx -Architecture: any -Depends: ${erlang-base}, ${shlibs:Depends}, ${misc:Depends} -Suggests: erlang, erlang-manpages, erlang-doc -Replaces: erlang (<< ${source:Version}), erlang-base (<< ${binary:Version}), erlang-base-hipe (<< ${binary:Version}), erlang-nox (<< ${source:Version}), erlang-x11 (<< ${binary:Version}), erlang-src (<< ${source:Version}), erlang-dev (<< ${binary:Version}), erlang-examples (<< ${source:Version}), erlang-mode (<< 1:12.b.1-dfsg-2), erlang-doc (<< ${source:Upstream-Version}), erlang-doc (>> ${source:Upstream-Version}-999), erlang-manpages (<= 1:11.b.1-2) -Description: Erlang/OTP bindings to wxWidgets - The wxErlang application is an API for writing graphical user - interfaces with wxWidgets. - - Package: erlang-xmerl Architecture: any Depends: ${erlang-base}, ${misc:Depends} @@ -597,7 +588,7 @@ Package: erlang-examples Architecture: all Depends: erlang-base (>= ${binary:Version}) | erlang-base-hipe (>= ${binary:Version}), erlang-base (<< ${binary:Version}.0) | erlang-base-hipe (<< ${binary:Version}.0), ${misc:Depends} -Recommends: erlang-asn1, erlang-crypto, erlang-gs, erlang-inets, erlang-megaco, erlang-snmp, erlang-ssh, erlang-ssl, erlang-syntax-tools, erlang-wx +Recommends: erlang-asn1, erlang-crypto, erlang-gs, erlang-inets, erlang-megaco, erlang-snmp, erlang-ssh, erlang-ssl, erlang-syntax-tools Suggests: erlang, erlang-manpages, erlang-doc Replaces: erlang (<< ${binary:Version}), erlang-base (<< ${binary:Version}), erlang-base-hipe (<< ${binary:Version}), erlang-nox (<< ${binary:Version}), erlang-x11 (<< ${binary:Version}), erlang-dev (<< ${binary:Version}), erlang-src (<< ${binary:Version}), erlang-mode (<< 1:12.b.1-dfsg-2) Description: Erlang/OTP application examples @@ -644,7 +635,7 @@ Depends: erlang-base | erlang-base-hipe, erlang-nox, erlang-appmon, erlang-common-test, erlang-debugger, erlang-dialyzer, erlang-et, erlang-gs, erlang-megaco, erlang-observer, erlang-pman, erlang-reltool, - erlang-test-server, erlang-toolbar, erlang-tv, erlang-typer, erlang-wx, + erlang-test-server, erlang-toolbar, erlang-tv, erlang-typer, ${misc:Depends} Suggests: erlang, erlang-manpages, erlang-doc Description: Erlang/OTP applications that require X Window System @@ -664,7 +655,7 @@ erlang-public-key, erlang-reltool, erlang-runtime-tools, erlang-snmp, erlang-ssh, erlang-ssl, erlang-syntax-tools, erlang-test-server, erlang-toolbar, erlang-tools, erlang-tv, erlang-typer, erlang-webtool, - erlang-wx, erlang-xmerl, ${misc:Depends} + erlang-xmerl, ${misc:Depends} Recommends: erlang-jinterface, erlang-ic-java, erlang-mode, erlang-src, erlang-examples Suggests: erlang-manpages, erlang-doc diff -Nru erlang-16.b.3-dfsg/debian/patches/CVE-2014-1693.patch erlang-16.b.3-dfsg/debian/patches/CVE-2014-1693.patch --- erlang-16.b.3-dfsg/debian/patches/CVE-2014-1693.patch 1970-01-01 00:00:00.000000000 +0000 +++ erlang-16.b.3-dfsg/debian/patches/CVE-2014-1693.patch 2017-12-07 13:10:12.000000000 +0000 @@ -0,0 +1,435 @@ +From dfe10daaee512ba39a0b918613f36b989fc90c49 Mon Sep 17 00:00:00 2001 +From: Sergei Golovan +Date: Sun, 9 Feb 2014 23:06:25 +0400 +Subject: [PATCH] lib/inets/src/ftp/ftp.erl: Check the filenames, usernames, + passwords etc. for and in them and return error if these + offending chars are found. See + http://erlang.org/pipermail/erlang-bugs/2014-January/003998.html for + details. lib/inets/test/ftp_suite_lib.erl: Added checks for in file + and directory names. + +--- + lib/inets/src/ftp/ftp.erl | 142 +++++++++++++++++++++++++++++++++------ + lib/inets/test/ftp_suite_lib.erl | 20 ++++++ + 2 files changed, 143 insertions(+), 19 deletions(-) + +Index: erlang-16.b.3-dfsg/lib/inets/src/ftp/ftp.erl +=================================================================== +--- erlang-16.b.3-dfsg.orig/lib/inets/src/ftp/ftp.erl 2017-12-07 08:10:07.364866594 -0500 ++++ erlang-16.b.3-dfsg/lib/inets/src/ftp/ftp.erl 2017-12-07 08:10:07.312866003 -0500 +@@ -192,7 +192,12 @@ do_open(Pid, OpenOptions, TLSOpts) -> + 'ok' | {'error', Reason :: 'euser' | common_reason()}. + + user(Pid, User, Pass) -> +- call(Pid, {user, User, Pass}, atom). ++ case {is_name_sane(User), is_name_sane(Pass)} of ++ {true, true} -> ++ call(Pid, {user, User, Pass}, atom); ++ _ -> ++ {error, euser} ++ end. + + -spec user(Pid :: pid(), + User :: string(), +@@ -201,7 +206,12 @@ user(Pid, User, Pass) -> + 'ok' | {'error', Reason :: 'euser' | common_reason()}. + + user(Pid, User, Pass, Acc) -> +- call(Pid, {user, User, Pass, Acc}, atom). ++ case {is_name_sane(User), is_name_sane(Pass), is_name_sane(Acc)} of ++ {true, true, true} -> ++ call(Pid, {user, User, Pass, Acc}, atom); ++ _ -> ++ {error, euser} ++ end. + + + %%-------------------------------------------------------------------------- +@@ -216,7 +226,12 @@ user(Pid, User, Pass, Acc) -> + 'ok' | {'error', Reason :: 'eacct' | common_reason()}. + + account(Pid, Acc) -> +- call(Pid, {account, Acc}, atom). ++ case is_name_sane(Acc) of ++ true -> ++ call(Pid, {account, Acc}, atom); ++ _ -> ++ {error, eacct} ++ end. + + + %%-------------------------------------------------------------------------- +@@ -262,7 +277,12 @@ lpwd(Pid) -> + 'ok' | {'error', Reason :: restriction_reason() | common_reason()}. + + cd(Pid, Dir) -> +- call(Pid, {cd, Dir}, atom). ++ case is_name_sane(Dir) of ++ true -> ++ call(Pid, {cd, Dir}, atom); ++ _ -> ++ {error, efnamena} ++ end. + + + %%-------------------------------------------------------------------------- +@@ -305,7 +325,12 @@ ls(Pid) -> + {'error', Reason :: restriction_reason() | common_reason()}. + + ls(Pid, Dir) -> +- call(Pid, {dir, long, Dir}, string). ++ case is_name_sane(Dir) of ++ true -> ++ call(Pid, {dir, long, Dir}, string); ++ _ -> ++ {error, efnamena} ++ end. + + + %%-------------------------------------------------------------------------- +@@ -333,7 +358,12 @@ nlist(Pid) -> + {'error', Reason :: restriction_reason() | common_reason()}. + + nlist(Pid, Dir) -> +- call(Pid, {dir, short, Dir}, string). ++ case is_name_sane(Dir) of ++ true -> ++ call(Pid, {dir, short, Dir}, string); ++ _ -> ++ {error, efnamena} ++ end. + + + %%-------------------------------------------------------------------------- +@@ -349,7 +379,12 @@ nlist(Pid, Dir) -> + 'ok' | {'error', Reason :: restriction_reason() | common_reason()}. + + rename(Pid, Old, New) -> +- call(Pid, {rename, Old, New}, string). ++ case {is_name_sane(Old), is_name_sane(New)} of ++ {true, true} -> ++ call(Pid, {rename, Old, New}, string); ++ _ -> ++ {error, efnamena} ++ end. + + + %%-------------------------------------------------------------------------- +@@ -365,7 +400,12 @@ rename(Pid, Old, New) -> + 'ok' | {'error', Reason :: restriction_reason() | common_reason()}. + + delete(Pid, File) -> +- call(Pid, {delete, File}, string). ++ case is_name_sane(File) of ++ true -> ++ call(Pid, {delete, File}, string); ++ _ -> ++ {error, efnamena} ++ end. + + + %%-------------------------------------------------------------------------- +@@ -380,7 +420,12 @@ delete(Pid, File) -> + 'ok' | {'error', Reason :: restriction_reason() | common_reason()}. + + mkdir(Pid, Dir) -> +- call(Pid, {mkdir, Dir}, atom). ++ case is_name_sane(Dir) of ++ true -> ++ call(Pid, {mkdir, Dir}, atom); ++ _ -> ++ {error, efnamena} ++ end. + + + %%-------------------------------------------------------------------------- +@@ -395,7 +440,12 @@ mkdir(Pid, Dir) -> + 'ok' | {'error', Reason :: restriction_reason() | common_reason()}. + + rmdir(Pid, Dir) -> +- call(Pid, {rmdir, Dir}, atom). ++ case is_name_sane(Dir) of ++ true -> ++ call(Pid, {rmdir, Dir}, atom); ++ _ -> ++ {error, efnamena} ++ end. + + + %%-------------------------------------------------------------------------- +@@ -437,7 +487,12 @@ recv(Pid, RemotFileName) -> + 'ok' | {'error', Reason :: term()}. + + recv(Pid, RemotFileName, LocalFileName) -> +- call(Pid, {recv, RemotFileName, LocalFileName}, atom). ++ case is_name_sane(RemotFileName) of ++ true -> ++ call(Pid, {recv, RemotFileName, LocalFileName}, atom); ++ _ -> ++ {error, efnamena} ++ end. + + + %%-------------------------------------------------------------------------- +@@ -456,7 +511,12 @@ recv(Pid, RemotFileName, LocalFileName) + {'error', Reason :: restriction_reason() | common_reason()}. + + recv_bin(Pid, RemoteFile) -> +- call(Pid, {recv_bin, RemoteFile}, bin). ++ case is_name_sane(RemoteFile) of ++ true -> ++ call(Pid, {recv_bin, RemoteFile}, bin); ++ _ -> ++ {error, efnamena} ++ end. + + + %%-------------------------------------------------------------------------- +@@ -473,7 +533,12 @@ recv_bin(Pid, RemoteFile) -> + 'ok' | {'error', Reason :: restriction_reason() | common_reason()}. + + recv_chunk_start(Pid, RemoteFile) -> +- call(Pid, {recv_chunk_start, RemoteFile}, atom). ++ case is_name_sane(RemoteFile) of ++ true -> ++ call(Pid, {recv_chunk_start, RemoteFile}, atom); ++ _ -> ++ {error, efnamena} ++ end. + + + %%-------------------------------------------------------------------------- +@@ -521,7 +586,12 @@ send(Pid, LocalFileName) -> + shortage_reason()}. + + send(Pid, LocalFileName, RemotFileName) -> +- call(Pid, {send, LocalFileName, RemotFileName}, atom). ++ case is_name_sane(RemotFileName) of ++ true -> ++ call(Pid, {send, LocalFileName, RemotFileName}, atom); ++ _ -> ++ {error, efnamena} ++ end. + + + %%-------------------------------------------------------------------------- +@@ -541,7 +611,12 @@ send(Pid, LocalFileName, RemotFileName) + shortage_reason()}. + + send_bin(Pid, Bin, RemoteFile) when is_binary(Bin) -> +- call(Pid, {send_bin, Bin, RemoteFile}, atom); ++ case is_name_sane(RemoteFile) of ++ true -> ++ call(Pid, {send_bin, Bin, RemoteFile}, atom); ++ _ -> ++ {error, efnamena} ++ end; + send_bin(_Pid, _Bin, _RemoteFile) -> + {error, enotbinary}. + +@@ -559,7 +634,12 @@ send_bin(_Pid, _Bin, _RemoteFile) -> + 'ok' | {'error', Reason :: restriction_reason() | common_reason()}. + + send_chunk_start(Pid, RemoteFile) -> +- call(Pid, {send_chunk_start, RemoteFile}, atom). ++ case is_name_sane(RemoteFile) of ++ true -> ++ call(Pid, {send_chunk_start, RemoteFile}, atom); ++ _ -> ++ {error, efnamena} ++ end. + + + %%-------------------------------------------------------------------------- +@@ -575,7 +655,12 @@ send_chunk_start(Pid, RemoteFile) -> + 'ok' | {'error', Reason :: term()}. + + append_chunk_start(Pid, RemoteFile) -> +- call(Pid, {append_chunk_start, RemoteFile}, atom). ++ case is_name_sane(RemoteFile) of ++ true -> ++ call(Pid, {append_chunk_start, RemoteFile}, atom); ++ _ -> ++ {error, efnamena} ++ end. + + + %%-------------------------------------------------------------------------- +@@ -683,7 +768,12 @@ append(Pid, LocalFileName) -> + 'ok' | {'error', Reason :: term()}. + + append(Pid, LocalFileName, RemotFileName) -> +- call(Pid, {append, LocalFileName, RemotFileName}, atom). ++ case is_name_sane(RemotFileName) of ++ true -> ++ call(Pid, {append, LocalFileName, RemotFileName}, atom); ++ _ -> ++ {error, efnamena} ++ end. + + + %%-------------------------------------------------------------------------- +@@ -705,7 +795,12 @@ append(Pid, LocalFileName, RemotFileName + shortage_reason()}. + + append_bin(Pid, Bin, RemoteFile) when is_binary(Bin) -> +- call(Pid, {append_bin, Bin, RemoteFile}, atom); ++ case is_name_sane(RemoteFile) of ++ true -> ++ call(Pid, {append_bin, Bin, RemoteFile}, atom); ++ _ -> ++ {error, efnamena} ++ end; + append_bin(_Pid, _Bin, _RemoteFile) -> + {error, enotbinary}. + +@@ -2302,6 +2397,15 @@ send_bin(State, Bin) -> + mk_cmd(Fmt, Args) -> + [io_lib:format(Fmt, Args)| [?CR, ?LF]]. % Deep list ok. + ++is_name_sane([]) -> ++ true; ++is_name_sane([?CR| _]) -> ++ false; ++is_name_sane([?LF| _]) -> ++ false; ++is_name_sane([_| Rest]) -> ++ is_name_sane(Rest). ++ + pwd_result(Lines) -> + {_, [?DOUBLE_QUOTE | Rest]} = + lists:splitwith(fun(?DOUBLE_QUOTE) -> false; (_) -> true end, Lines), +Index: erlang-16.b.3-dfsg/lib/inets/test/ftp_suite_lib.erl +=================================================================== +--- erlang-16.b.3-dfsg.orig/lib/inets/test/ftp_suite_lib.erl 2017-12-07 08:10:07.364866594 -0500 ++++ erlang-16.b.3-dfsg/lib/inets/test/ftp_suite_lib.erl 2017-12-07 08:10:07.328866185 -0500 +@@ -1266,6 +1266,8 @@ read_log_6035([]) -> + %%-------------------------------------------------------------------- + do_user(Pid) -> + {error, euser} = ftp:user(Pid, ?BAD_USER, ?FTP_PASS), ++ {error, euser} = ftp:user(Pid, ?FTP_USER++"\r\nPASS "++?FTP_PASS, ?FTP_PASS), ++ {error, euser} = ftp:user(Pid, ?FTP_USER, ?FTP_PASS++"\r\nCWD ."), + ok = ftp:user(Pid, ?FTP_USER, ?FTP_PASS), + ok. + +@@ -1278,6 +1280,7 @@ do_pwd(Pid) -> + do_cd(Pid) -> + ok = ftp:cd(Pid, "/pub"), + {error, epath} = ftp:cd(Pid, ?BAD_DIR), ++ {error, efnamena} = ftp:cd(Pid, "/pub\r\nCWD ."), + ok. + + do_lcd(Pid, Dir) -> +@@ -1294,11 +1297,14 @@ do_ls(Pid) -> + %% directory, but can also be a filename or a group + %% of files (including wildcards). + {ok, _} = ftp:ls(Pid, "incom*"), ++ %% but \r\n can't be in the wildcard ++ {error, efnamena} = ftp:ls(Pid, "incoming\r\nCWD ."), + ok. + + do_nlist(Pid, WildcardSupport) -> + {ok, _} = ftp:nlist(Pid), + {ok, _} = ftp:nlist(Pid, "incoming"), ++ {error, efnamena} = ftp:ls(Pid, "incoming\r\nCWD ."), + %% neither nlist nor ls operates on a directory + %% they operate on a pathname, which *can* be a + %% directory, but can also be a filename or a group +@@ -1324,6 +1330,8 @@ do_rename(Pid, Config) -> + ftp:delete(Pid, NewLFile), % reset + ok = ftp:send(Pid, LFile), + {error, epath} = ftp:rename(Pid, NewLFile, LFile), ++ {error, efnamena} = ftp:rename(Pid, NewLFile++"\r\nRNTO "++LFile++"\r\nRNFR "++NewLFile, LFile), ++ {error, efnamena} = ftp:rename(Pid, NewLFile, LFile++"\r\nCWD ."), + ok = ftp:rename(Pid, LFile, NewLFile), + ftp:delete(Pid, LFile), % cleanup + ftp:delete(Pid, NewLFile), % cleanup +@@ -1338,6 +1346,7 @@ do_delete(Pid, Config) -> + ok = ftp:cd(Pid, "incoming"), + ok = ftp:lcd(Pid, PrivDir), + ftp:delete(Pid,LFile), % reset ++ {error, efnamena} = ftp:delete(Pid,LFile++"\r\nCWD ."), + ok = ftp:send(Pid, LFile), + ok = ftp:delete(Pid,LFile), + ok. +@@ -1348,6 +1357,8 @@ do_mkdir(Pid) -> + integer_to_list(B) ++ "_" ++ integer_to_list(C), + ok = ftp:cd(Pid, "incoming"), + {ok, CurrDir} = ftp:pwd(Pid), ++ {error, efnamena} = ftp:mkdir(Pid, NewDir++"\r\nCWD ."), ++ {error, efnamena} = ftp:rmdir(Pid, NewDir++"\r\nCWD ."), + ok = ftp:mkdir(Pid, NewDir), + ok = ftp:cd(Pid, NewDir), + ok = ftp:cd(Pid, CurrDir), +@@ -1363,6 +1374,7 @@ do_send(Pid, Config) -> + ok = file:write_file(AbsLFile, list_to_binary(Contents)), + ok = ftp:cd(Pid, "incoming"), + ok = ftp:lcd(Pid, PrivDir), ++ {error, efnamena} = ftp:send(Pid, LFile, RFile++"1\r\nCWD ."), + ok = ftp:send(Pid, LFile, RFile), + {ok, RFilesString} = ftp:nlist(Pid), + RFiles = split(RFilesString), +@@ -1392,6 +1404,7 @@ do_append(Pid, Config) -> + ftp:delete(Pid, RFile), + ftp:delete(Pid, LFile), + ++ {error, efnamena} = ftp:append(Pid, LFile, RFile++"1\r\nCWD ."), + ok = ftp:append(Pid, LFile, RFile), + ok = ftp:append(Pid, LFile, RFile), + ok = ftp:append(Pid, LFile), +@@ -1413,6 +1426,7 @@ do_send_bin(Pid, Config) -> + Bin = list_to_binary(Contents), + ok = ftp:cd(Pid, "incoming"), + {error, enotbinary} = ftp:send_bin(Pid, Contents, File), ++ {error, efnamena} = ftp:send_bin(Pid, Bin, File++"1\r\nCWD ."), + ok = ftp:send_bin(Pid, Bin, File), + {ok, RFilesString} = ftp:nlist(Pid), + RFiles = split(RFilesString), +@@ -1426,6 +1440,7 @@ do_append_bin(Pid, Config) -> + Bin = list_to_binary(Contents), + ok = ftp:cd(Pid, "incoming"), + {error, enotbinary} = ftp:append_bin(Pid, Contents, File), ++ {error, efnamena} = ftp:append_bin(Pid, Bin, File++"1\r\nCWD ."), + ok = ftp:append_bin(Pid, Bin, File), + ok = ftp:append_bin(Pid, Bin, File), + %% Control the contents of the file +@@ -1438,6 +1453,7 @@ do_send_chunk(Pid, Config) -> + Contents = "ftp_SUITE test ...", + Bin = list_to_binary(Contents), + ok = ftp:cd(Pid, "incoming"), ++ {error, efnamena} = ftp:send_chunk_start(Pid, File++"1\r\nCWD ."), + ok = ftp:send_chunk_start(Pid, File), + {error, echunk} = ftp:cd(Pid, "incoming"), + {error, enotbinary} = ftp:send_chunk(Pid, Contents), +@@ -1454,6 +1470,7 @@ do_append_chunk(Pid, Config) -> + File = ?config(file, Config), + Contents = ["ER","LE","RL"], + ok = ftp:cd(Pid, "incoming"), ++ {error, efnamena} = ftp:append_chunk_start(Pid, File++"1\r\nCWD ."), + ok = ftp:append_chunk_start(Pid, File), + {error, enotbinary} = ftp:append_chunk(Pid, lists:nth(1,Contents)), + ok = ftp:append_chunk(Pid,list_to_binary(lists:nth(1,Contents))), +@@ -1480,6 +1497,7 @@ do_recv(Pid, Config) -> + ok = file:delete(AbsFile), % cleanup + test_server:sleep(100), + ok = ftp:lcd(Pid, PrivDir), ++ {error, efnamena} = ftp:recv(Pid, File++"\r\nCWD ."), + ok = ftp:recv(Pid, File), + {ok, Files} = file:list_dir(PrivDir), + true = lists:member(File, Files), +@@ -1495,6 +1513,7 @@ do_recv_bin(Pid, Config) -> + ok = ftp:cd(Pid, "incoming"), + ok = ftp:send_bin(Pid, Bin1, File), + test_server:sleep(100), ++ {error, efnamena} = ftp:recv_bin(Pid, File++"\r\nCWD ."), + {ok, Bin2} = ftp:recv_bin(Pid, File), + ok = ftp:delete(Pid, File), % cleanup + Contents2 = binary_to_list(Bin2), +@@ -1520,6 +1539,7 @@ do_recv_chunk(Pid, Config) -> + ok = ftp:send_bin(Pid, Bin1, File), + test_server:sleep(100), + {error, "ftp:recv_chunk_start/2 not called"} = recv_chunk(Pid, <<>>), ++ {error, efnamena} = ftp:recv_chunk_start(Pid, File++"\r\nCWD ."), + ok = ftp:recv_chunk_start(Pid, File), + {ok, Contents2} = recv_chunk(Pid, <<>>), + ok = ftp:delete(Pid, File), % cleanup diff -Nru erlang-16.b.3-dfsg/debian/patches/CVE-2015-2774.patch erlang-16.b.3-dfsg/debian/patches/CVE-2015-2774.patch --- erlang-16.b.3-dfsg/debian/patches/CVE-2015-2774.patch 1970-01-01 00:00:00.000000000 +0000 +++ erlang-16.b.3-dfsg/debian/patches/CVE-2015-2774.patch 2017-12-07 14:38:39.000000000 +0000 @@ -0,0 +1,522 @@ +Backport of: + +From e53c55dd0ab69982bc511396ccf8655d27c6d38c Mon Sep 17 00:00:00 2001 +From: Ingela Anderton Andin +Date: Tue, 13 Jan 2015 15:16:20 +0100 +Subject: [PATCH] ssl: Reenable padding check for TLS-1.0 and provide backwards + compatible disable option + +Conflicts: + lib/ssl/src/ssl_cipher.erl + lib/ssl/src/ssl_record.erl + lib/ssl/src/tls_record.erl + lib/ssl/test/ssl_cipher_SUITE.erl +--- + lib/ssl/doc/src/ssl.xml | 20 +++- + lib/ssl/src/dtls_record.erl | 4 +- + lib/ssl/src/ssl.erl | 9 +- + lib/ssl/src/ssl_cipher.erl | 48 +++++----- + lib/ssl/src/ssl_internal.hrl | 5 +- + lib/ssl/src/ssl_record.erl | 11 ++- + lib/ssl/src/tls_connection.erl | 7 +- + lib/ssl/src/tls_record.erl | 22 +++-- + lib/ssl/test/ssl_cipher_SUITE.erl | 188 ++++++++++++++++++++++---------------- + 9 files changed, 183 insertions(+), 131 deletions(-) + +Index: erlang-16.b.3-dfsg/lib/ssl/doc/src/ssl.xml +=================================================================== +--- erlang-16.b.3-dfsg.orig/lib/ssl/doc/src/ssl.xml 2017-12-07 09:38:10.732281431 -0500 ++++ erlang-16.b.3-dfsg/lib/ssl/doc/src/ssl.xml 2017-12-07 09:38:10.552278643 -0500 +@@ -334,11 +334,23 @@ fun(srp, Username :: string(), UserState +

+ + ++ {padding_check, boolean()} ++ ++

This option only affects TLS-1.0 connections. ++ If set to false it disables the block cipher padding check ++ to be able to interoperate with legacy software. ++

++ ++

Using this option makes TLS vulnerable to ++ the Poodle attack

 ++ ++ ++ + +- ++ + +- +-
++ ++
+ SSL OPTION DESCRIPTIONS - CLIENT SIDE + +

Options described here are client specific or has a slightly different +Index: erlang-16.b.3-dfsg/lib/ssl/src/dtls_record.erl +=================================================================== +--- erlang-16.b.3-dfsg.orig/lib/ssl/src/dtls_record.erl 2017-12-07 09:38:10.732281431 -0500 ++++ erlang-16.b.3-dfsg/lib/ssl/src/dtls_record.erl 2017-12-07 09:38:10.584279139 -0500 +@@ -140,7 +140,7 @@ decode_cipher_text(#ssl_tls{type = Type, + = ConnnectionStates0) -> + CompressAlg = SecParams#security_parameters.compression_algorithm, + {PlainFragment, Mac, ReadState1} = ssl_record:decipher(dtls_v1:corresponding_tls_version(Version), +- CipherFragment, ReadState0), ++ CipherFragment, ReadState0, true), + MacHash = calc_mac_hash(Type, Version, Epoch, Seq, PlainFragment, ReadState1), + case ssl_record:is_correct_mac(Mac, MacHash) of + true -> +Index: erlang-16.b.3-dfsg/lib/ssl/src/ssl.erl +=================================================================== +--- erlang-16.b.3-dfsg.orig/lib/ssl/src/ssl.erl 2017-12-07 09:38:10.732281431 -0500 ++++ erlang-16.b.3-dfsg/lib/ssl/src/ssl.erl 2017-12-07 09:38:10.592279262 -0500 +@@ -639,7 +639,8 @@ handle_options(Opts0, _Role) -> + next_protocol_selector = + make_next_protocol_selector( + handle_option(client_preferred_next_protocols, Opts, undefined)), +- log_alert = handle_option(log_alert, Opts, true) ++ log_alert = handle_option(log_alert, Opts, true), ++ padding_check = proplists:get_value(padding_check, Opts, true) + }, + + CbInfo = proplists:get_value(cb_info, Opts, {gen_tcp, tcp, tcp_closed, tcp_error}), +@@ -651,7 +652,7 @@ handle_options(Opts0, _Role) -> + reuse_session, reuse_sessions, ssl_imp, + cb_info, renegotiate_at, secure_renegotiate, hibernate_after, + erl_dist, next_protocols_advertised, +- client_preferred_next_protocols, log_alert], ++ client_preferred_next_protocols, log_alert, padding_check], + + SockOpts = lists:foldl(fun(Key, PropList) -> + proplists:delete(Key, PropList) +@@ -822,6 +823,8 @@ validate_option(client_preferred_next_pr + validate_option(log_alert, Value) when Value == true; + Value == false -> + Value; ++validate_option(padding_check, Value) when is_boolean(Value) -> ++ Value; + validate_option(next_protocols_advertised = Opt, Value) when is_list(Value) -> + case tls_record:highest_protocol_version([]) of + {3,0} -> +Index: erlang-16.b.3-dfsg/lib/ssl/src/ssl_cipher.erl +=================================================================== +--- erlang-16.b.3-dfsg.orig/lib/ssl/src/ssl_cipher.erl 2017-12-07 09:38:10.732281431 -0500 ++++ erlang-16.b.3-dfsg/lib/ssl/src/ssl_cipher.erl 2017-12-07 09:38:10.600279386 -0500 +@@ -33,7 +33,7 @@ + -include_lib("public_key/include/public_key.hrl"). + + -export([security_parameters/2, security_parameters/3, suite_definition/1, +- decipher/5, cipher/5, ++ decipher/6, cipher/5, + suite/1, suites/1, ec_keyed_suites/0, anonymous_suites/0, psk_suites/1, srp_suites/0, + openssl_suite/1, openssl_suite_name/1, filter/2, filter_suites/1, + hash_algorithm/1, sign_algorithm/1, is_acceptable_hash/2]). +@@ -127,15 +127,15 @@ block_cipher(Fun, BlockSz, #cipher_state + {T, CS0#cipher_state{iv=NextIV}}. + + %%-------------------------------------------------------------------- +--spec decipher(cipher_enum(), integer(), #cipher_state{}, binary(), tls_version()) -> ++-spec decipher(cipher_enum(), integer(), #cipher_state{}, binary(), tls_version(), boolean()) -> + {binary(), binary(), #cipher_state{}} | #alert{}. + %% + %% Description: Decrypts the data and the MAC using cipher described + %% by cipher_enum() and updating the cipher state. + %%------------------------------------------------------------------- +-decipher(?NULL, _HashSz, CipherState, Fragment, _) -> ++decipher(?NULL, _HashSz, CipherState, Fragment, _, _) -> + {Fragment, <<>>, CipherState}; +-decipher(?RC4, HashSz, CipherState, Fragment, _) -> ++decipher(?RC4, HashSz, CipherState, Fragment, _, _) -> + State0 = case CipherState#cipher_state.state of + undefined -> crypto:stream_init(rc4, CipherState#cipher_state.key); + S -> S +@@ -155,23 +155,23 @@ decipher(?RC4, HashSz, CipherState, Frag + ?ALERT_REC(?FATAL, ?BAD_RECORD_MAC) + end; + +-decipher(?DES, HashSz, CipherState, Fragment, Version) -> ++decipher(?DES, HashSz, CipherState, Fragment, Version, PaddingCheck) -> + block_decipher(fun(Key, IV, T) -> + crypto:block_decrypt(des_cbc, Key, IV, T) +- end, CipherState, HashSz, Fragment, Version); +-decipher(?'3DES', HashSz, CipherState, Fragment, Version) -> ++ end, CipherState, HashSz, Fragment, Version, PaddingCheck); ++decipher(?'3DES', HashSz, CipherState, Fragment, Version, PaddingCheck) -> + block_decipher(fun(<>, IV, T) -> + crypto:block_decrypt(des3_cbc, [K1, K2, K3], IV, T) +- end, CipherState, HashSz, Fragment, Version); +-decipher(?AES, HashSz, CipherState, Fragment, Version) -> ++ end, CipherState, HashSz, Fragment, Version, PaddingCheck); ++decipher(?AES, HashSz, CipherState, Fragment, Version, PaddingCheck) -> + block_decipher(fun(Key, IV, T) when byte_size(Key) =:= 16 -> + crypto:block_decrypt(aes_cbc128, Key, IV, T); + (Key, IV, T) when byte_size(Key) =:= 32 -> + crypto:block_decrypt(aes_cbc256, Key, IV, T) +- end, CipherState, HashSz, Fragment, Version). ++ end, CipherState, HashSz, Fragment, Version, PaddingCheck). + + block_decipher(Fun, #cipher_state{key=Key, iv=IV} = CipherState0, +- HashSz, Fragment, Version) -> ++ HashSz, Fragment, Version, PaddingCheck) -> + try + Text = Fun(Key, IV, Fragment), + NextIV = next_iv(Fragment, IV), +@@ -179,7 +179,7 @@ block_decipher(Fun, #cipher_state{key=Ke + Content = GBC#generic_block_cipher.content, + Mac = GBC#generic_block_cipher.mac, + CipherState1 = CipherState0#cipher_state{iv=GBC#generic_block_cipher.next_iv}, +- case is_correct_padding(GBC, Version) of ++ case is_correct_padding(GBC, Version, PaddingCheck) of + true -> + {Content, Mac, CipherState1}; + false -> +@@ -1266,16 +1266,18 @@ generic_stream_cipher_from_bin(T, HashSz + #generic_stream_cipher{content=Content, + mac=Mac}. + +-%% For interoperability reasons we do not check the padding content in +-%% SSL 3.0 and TLS 1.0 as it is not strictly required and breaks +-%% interopability with for instance Google. + is_correct_padding(#generic_block_cipher{padding_length = Len, +- padding = Padding}, {3, N}) +- when N == 0; N == 1 -> +- Len == byte_size(Padding); +-%% Padding must be check in TLS 1.1 and after ++ padding = Padding}, {3, 0}, _) -> ++ Len == byte_size(Padding); %% Only length check is done in SSL 3.0 spec ++%% For interoperability reasons it is possible to disable ++%% the padding check when using TLS 1.0, as it is not strictly required ++%% in the spec (only recommended), howerver this makes TLS 1.0 vunrable to the Poodle attack ++%% so by default this clause will not match ++is_correct_padding(GenBlockCipher, {3, 1}, false) -> ++ is_correct_padding(GenBlockCipher, {3, 0}, false); ++%% Padding must be checked in TLS 1.1 and after + is_correct_padding(#generic_block_cipher{padding_length = Len, +- padding = Padding}, _) -> ++ padding = Padding}, _, _) -> + Len == byte_size(Padding) andalso + list_to_binary(lists:duplicate(Len, Len)) == Padding. + +Index: erlang-16.b.3-dfsg/lib/ssl/src/ssl_internal.hrl +=================================================================== +--- erlang-16.b.3-dfsg.orig/lib/ssl/src/ssl_internal.hrl 2017-12-07 09:38:10.732281431 -0500 ++++ erlang-16.b.3-dfsg/lib/ssl/src/ssl_internal.hrl 2017-12-07 09:38:36.168674813 -0500 +@@ -114,7 +114,8 @@ + next_protocols_advertised = undefined, %% [binary()], + next_protocol_selector = undefined, %% fun([binary()]) -> binary()) + log_alert :: boolean(), +- server_name_indication = undefined ++ server_name_indication = undefined, ++ padding_check = true + }). + + -record(config, {ssl, %% SSL parameters +Index: erlang-16.b.3-dfsg/lib/ssl/src/ssl_record.erl +=================================================================== +--- erlang-16.b.3-dfsg.orig/lib/ssl/src/ssl_record.erl 2017-12-07 09:38:10.732281431 -0500 ++++ erlang-16.b.3-dfsg/lib/ssl/src/ssl_record.erl 2017-12-07 09:38:10.644280067 -0500 +@@ -48,7 +48,7 @@ + -export([compress/3, uncompress/3, compressions/0]). + + %% Payload encryption/decryption +--export([cipher/4, decipher/3, is_correct_mac/2]). ++-export([cipher/4, decipher/4, is_correct_mac/2]). + + %%==================================================================== + %% Internal application API +@@ -372,7 +372,7 @@ cipher(Version, Fragment, + ssl_cipher:cipher(BulkCipherAlgo, CipherS0, MacHash, Fragment, Version), + {CipherFragment, WriteState0#connection_state{cipher_state = CipherS1}}. + %%-------------------------------------------------------------------- +--spec decipher(tls_version(), binary(), #connection_state{}) -> {binary(), binary(), #connection_state{}}. ++-spec decipher(tls_version(), binary(), #connection_state{}, boolean()) -> {binary(), binary(), #connection_state{}}. + %% + %% Description: Payload decryption + %%-------------------------------------------------------------------- +@@ -382,8 +382,8 @@ decipher(Version, CipherFragment, + BulkCipherAlgo, + hash_size = HashSz}, + cipher_state = CipherS0 +- } = ReadState) -> +- case ssl_cipher:decipher(BulkCipherAlgo, HashSz, CipherS0, CipherFragment, Version) of ++ } = ReadState, PaddingCheck) -> ++ case ssl_cipher:decipher(BulkCipherAlgo, HashSz, CipherS0, CipherFragment, Version, PaddingCheck) of + {PlainFragment, Mac, CipherS1} -> + CS1 = ReadState#connection_state{cipher_state = CipherS1}, + {PlainFragment, Mac, CS1}; +Index: erlang-16.b.3-dfsg/lib/ssl/src/tls_connection.erl +=================================================================== +--- erlang-16.b.3-dfsg.orig/lib/ssl/src/tls_connection.erl 2017-12-07 09:38:10.732281431 -0500 ++++ erlang-16.b.3-dfsg/lib/ssl/src/tls_connection.erl 2017-12-07 09:38:10.652280191 -0500 +@@ -499,8 +499,9 @@ next_record(#state{protocol_buffers = #p + next_record(#state{protocol_buffers = + #protocol_buffers{tls_packets = [], tls_cipher_texts = [CT | Rest]} + = Buffers, +- connection_states = ConnStates0} = State) -> +- case tls_record:decode_cipher_text(CT, ConnStates0) of ++ connection_states = ConnStates0, ++ ssl_options = #ssl_options{padding_check = Check}} = State) -> ++ case tls_record:decode_cipher_text(CT, ConnStates0, Check) of + {Plain, ConnStates} -> + {Plain, State#state{protocol_buffers = + Buffers#protocol_buffers{tls_cipher_texts = Rest}, +Index: erlang-16.b.3-dfsg/lib/ssl/src/tls_record.erl +=================================================================== +--- erlang-16.b.3-dfsg.orig/lib/ssl/src/tls_record.erl 2017-12-07 09:38:10.732281431 -0500 ++++ erlang-16.b.3-dfsg/lib/ssl/src/tls_record.erl 2017-12-07 09:38:10.664280377 -0500 +@@ -34,7 +34,7 @@ + -export([get_tls_records/2]). + + %% Decoding +--export([decode_cipher_text/2]). ++-export([decode_cipher_text/3]). + + %% Encoding + -export([encode_plain_text/4]). +@@ -137,19 +137,21 @@ encode_plain_text(Type, Version, Data, + {CipherText, ConnectionStates#connection_states{current_write = WriteState#connection_state{sequence_number = Seq +1}}}. + + %%-------------------------------------------------------------------- +--spec decode_cipher_text(#ssl_tls{}, #connection_states{}) -> ++-spec decode_cipher_text(#ssl_tls{}, #connection_states{}, boolean()) -> + {#ssl_tls{}, #connection_states{}}| #alert{}. + %% + %% Description: Decode cipher text + %%-------------------------------------------------------------------- + decode_cipher_text(#ssl_tls{type = Type, version = Version, +- fragment = CipherFragment} = CipherText, ConnnectionStates0) -> +- ReadState0 = ConnnectionStates0#connection_states.current_read, +- #connection_state{compression_state = CompressionS0, +- sequence_number = Seq, +- security_parameters = SecParams} = ReadState0, +- CompressAlg = SecParams#security_parameters.compression_algorithm, +- {PlainFragment, Mac, ReadState1} = ssl_record:decipher(Version, CipherFragment, ReadState0), ++ fragment = CipherFragment} = CipherText, ++ #connection_states{current_read = ++ #connection_state{ ++ compression_state = CompressionS0, ++ sequence_number = Seq, ++ security_parameters= ++ #security_parameters{compression_algorithm = CompressAlg} ++ } = ReadState0} = ConnnectionStates0, PaddingCheck) -> ++ {PlainFragment, Mac, ReadState1} = ssl_record:decipher(Version, CipherFragment, ReadState0, PaddingCheck), + MacHash = calc_mac_hash(Type, Version, PlainFragment, ReadState1), + case ssl_record:is_correct_mac(Mac, MacHash) of + true -> +Index: erlang-16.b.3-dfsg/lib/ssl/test/ssl_cipher_SUITE.erl +=================================================================== +--- erlang-16.b.3-dfsg.orig/lib/ssl/test/ssl_cipher_SUITE.erl 2017-12-07 09:38:10.732281431 -0500 ++++ erlang-16.b.3-dfsg/lib/ssl/test/ssl_cipher_SUITE.erl 2017-12-07 09:38:10.720281245 -0500 +@@ -38,7 +38,7 @@ + suite() -> [{ct_hooks,[ts_install_cth]}]. + + all() -> +- [aes_decipher_good, aes_decipher_good_tls11, aes_decipher_fail, aes_decipher_fail_tls11]. ++ [aes_decipher_good, aes_decipher_fail, padding_test]. + + groups() -> + []. +@@ -73,93 +73,123 @@ end_per_testcase(_TestCase, Config) -> + %% Test Cases -------------------------------------------------------- + %%-------------------------------------------------------------------- + aes_decipher_good() -> +- [{doc,"Decipher a known cryptotext."}]. ++ [{doc,"Decipher a known cryptotext using a correct key"}]. + + aes_decipher_good(Config) when is_list(Config) -> + HashSz = 32, +- CipherState = #cipher_state{iv = <<59,201,85,117,188,206,224,136,5,109,46,70,104,79,4,9>>, +- key = <<72,196,247,97,62,213,222,109,210,204,217,186,172,184,197,148>>}, +- Fragment = <<220,193,179,139,171,33,143,245,202,47,123,251,13,232,114,8, +- 190,162,74,31,186,227,119,155,94,74,119,79,169,193,240,160, +- 198,181,81,19,98,162,213,228,74,224,253,168,156,59,195,122, +- 108,101,107,242,20,15,169,150,163,107,101,94,93,104,241,165>>, +- Content = <<183,139,16,132,10,209,67,86,168,100,61,217,145,57,36,56, "HELLO\n">>, +- Mac = <<71,136,212,107,223,200,70,232,127,116,148,205,232,35,158,113,237,174,15,217,192,168,35,8,6,107,107,233,25,174,90,111>>, +- Version = {3,0}, +- {Content, Mac, _} = ssl_cipher:decipher(?AES, HashSz, CipherState, Fragment, Version), +- Version1 = {3,1}, +- {Content, Mac, _} = ssl_cipher:decipher(?AES, HashSz, CipherState, Fragment, Version1), +- ok. +- +-%%-------------------------------------------------------------------- +- +-aes_decipher_good_tls11() -> +- [{doc,"Decipher a known TLS 1.1 cryptotext."}]. +- +-%% the fragment is actuall a TLS 1.1 record, with +-%% Version = TLS 1.1, we get the correct NextIV in #cipher_state +-aes_decipher_good_tls11(Config) when is_list(Config) -> +- HashSz = 32, +- CipherState = #cipher_state{iv = <<59,201,85,117,188,206,224,136,5,109,46,70,104,79,4,9>>, +- key = <<72,196,247,97,62,213,222,109,210,204,217,186,172,184,197,148>>}, +- Fragment = <<220,193,179,139,171,33,143,245,202,47,123,251,13,232,114,8, +- 190,162,74,31,186,227,119,155,94,74,119,79,169,193,240,160, +- 198,181,81,19,98,162,213,228,74,224,253,168,156,59,195,122, +- 108,101,107,242,20,15,169,150,163,107,101,94,93,104,241,165>>, +- Content = <<"HELLO\n">>, +- NextIV = <<183,139,16,132,10,209,67,86,168,100,61,217,145,57,36,56>>, +- Mac = <<71,136,212,107,223,200,70,232,127,116,148,205,232,35,158,113,237,174,15,217,192,168,35,8,6,107,107,233,25,174,90,111>>, +- Version = {3,2}, +- {Content, Mac, #cipher_state{iv = NextIV}} = ssl_cipher:decipher(?AES, HashSz, CipherState, Fragment, Version), +- Version1 = {3,2}, +- {Content, Mac, #cipher_state{iv = NextIV}} = ssl_cipher:decipher(?AES, HashSz, CipherState, Fragment, Version1), +- ok. ++ CipherState = correct_cipher_state(), ++ decipher_check_good(HashSz, CipherState, {3,0}), ++ decipher_check_good(HashSz, CipherState, {3,1}), ++ decipher_check_good(HashSz, CipherState, {3,2}), ++ decipher_check_good(HashSz, CipherState, {3,3}). + + %%-------------------------------------------------------------------- + + aes_decipher_fail() -> +- [{doc,"Decipher a known cryptotext."}]. ++ [{doc,"Decipher a known cryptotext using a incorrect key"}]. + +-%% same as above, last byte of key replaced + aes_decipher_fail(Config) when is_list(Config) -> + HashSz = 32, +- CipherState = #cipher_state{iv = <<59,201,85,117,188,206,224,136,5,109,46,70,104,79,4,9>>, +- key = <<72,196,247,97,62,213,222,109,210,204,217,186,172,184,197,254>>}, +- Fragment = <<220,193,179,139,171,33,143,245,202,47,123,251,13,232,114,8, +- 190,162,74,31,186,227,119,155,94,74,119,79,169,193,240,160, +- 198,181,81,19,98,162,213,228,74,224,253,168,156,59,195,122, +- 108,101,107,242,20,15,169,150,163,107,101,94,93,104,241,165>>, +- Version = {3,0}, +- {Content, Mac, _} = ssl_cipher:decipher(?AES, HashSz, CipherState, Fragment, Version), +- 32 = byte_size(Content), +- 32 = byte_size(Mac), +- Version1 = {3,1}, +- {Content1, Mac1, _} = ssl_cipher:decipher(?AES, HashSz, CipherState, Fragment, Version1), +- 32 = byte_size(Content1), +- 32 = byte_size(Mac1), +- ok. + +-%%-------------------------------------------------------------------- +- +-aes_decipher_fail_tls11() -> +- [{doc,"Decipher a known TLS 1.1 cryptotext."}]. +- +-%% same as above, last byte of key replaced +-%% stricter padding checks in TLS 1.1 mean we get an alert instead +-aes_decipher_fail_tls11(Config) when is_list(Config) -> +- HashSz = 32, +- CipherState = #cipher_state{iv = <<59,201,85,117,188,206,224,136,5,109,46,70,104,79,4,9>>, +- key = <<72,196,247,97,62,213,222,109,210,204,217,186,172,184,197,254>>}, +- Fragment = <<220,193,179,139,171,33,143,245,202,47,123,251,13,232,114,8, +- 190,162,74,31,186,227,119,155,94,74,119,79,169,193,240,160, +- 198,181,81,19,98,162,213,228,74,224,253,168,156,59,195,122, +- 108,101,107,242,20,15,169,150,163,107,101,94,93,104,241,165>>, +- Version = {3,2}, +- #alert{level = ?FATAL, description = ?BAD_RECORD_MAC} = +- ssl_cipher:decipher(?AES, HashSz, CipherState, Fragment, Version), +- Version1 = {3,3}, +- #alert{level = ?FATAL, description = ?BAD_RECORD_MAC} = +- ssl_cipher:decipher(?AES, HashSz, CipherState, Fragment, Version1), +- ok. +- +-%%-------------------------------------------------------------------- ++ CipherState = incorrect_cipher_state(), ++ decipher_check_fail(HashSz, CipherState, {3,0}), ++ decipher_check_fail(HashSz, CipherState, {3,1}), ++ decipher_check_fail(HashSz, CipherState, {3,2}), ++ decipher_check_fail(HashSz, CipherState, {3,3}). ++ ++%%-------------------------------------------------------------------- ++padding_test(Config) when is_list(Config) -> ++ HashSz = 16, ++ CipherState = correct_cipher_state(), ++ pad_test(HashSz, CipherState, {3,0}), ++ pad_test(HashSz, CipherState, {3,1}), ++ pad_test(HashSz, CipherState, {3,2}), ++ pad_test(HashSz, CipherState, {3,3}). ++ ++%%-------------------------------------------------------------------- ++% Internal functions -------------------------------------------------------- ++%%-------------------------------------------------------------------- ++decipher_check_good(HashSz, CipherState, Version) -> ++ {Content, NextIV, Mac} = content_nextiv_mac(Version), ++ {Content, Mac, #cipher_state{iv = NextIV}} = ++ ssl_cipher:decipher(?AES, HashSz, CipherState, aes_fragment(Version), Version, true). ++ ++decipher_check_fail(HashSz, CipherState, Version) -> ++ {Content, NextIV, Mac} = content_nextiv_mac(Version), ++ true = {Content, Mac, #cipher_state{iv = NextIV}} =/= ++ ssl_cipher:decipher(?AES, HashSz, CipherState, aes_fragment(Version), Version, true). ++ ++pad_test(HashSz, CipherState, {3,0} = Version) -> ++ %% 3.0 does not have padding test ++ {Content, NextIV, Mac} = badpad_content_nextiv_mac(Version), ++ {Content, Mac, #cipher_state{iv = NextIV}} = ++ ssl_cipher:decipher(?AES, HashSz, CipherState, badpad_aes_fragment({3,0}), {3,0}, true), ++ {Content, Mac, #cipher_state{iv = NextIV}} = ++ ssl_cipher:decipher(?AES, HashSz, CipherState, badpad_aes_fragment({3,0}), {3,0}, false); ++pad_test(HashSz, CipherState, {3,1} = Version) -> ++ %% 3.1 should have padding test, but may be disabled ++ {Content, NextIV, Mac} = badpad_content_nextiv_mac(Version), ++ BadCont = badpad_content(Content), ++ {Content, Mac, #cipher_state{iv = NextIV}} = ++ ssl_cipher:decipher(?AES, HashSz, CipherState, badpad_aes_fragment({3,1}) , {3,1}, false), ++ {BadCont, Mac, #cipher_state{iv = NextIV}} = ++ ssl_cipher:decipher(?AES, HashSz, CipherState, badpad_aes_fragment({3,1}), {3,1}, true); ++pad_test(HashSz, CipherState, Version) -> ++ %% 3.2 and 3.3 must have padding test ++ {Content, NextIV, Mac} = badpad_content_nextiv_mac(Version), ++ BadCont = badpad_content(Content), ++ {BadCont, Mac, #cipher_state{iv = NextIV}} = ssl_cipher:decipher(?AES, HashSz, CipherState, ++ badpad_aes_fragment(Version), Version, false), ++ {BadCont, Mac, #cipher_state{iv = NextIV}} = ssl_cipher:decipher(?AES, HashSz, CipherState, ++ badpad_aes_fragment(Version), Version, true). ++ ++aes_fragment({3,N}) when N == 0; N == 1-> ++ <<197,9,6,109,242,87,80,154,85,250,110,81,119,95,65,185,53,206,216,153,246,169, ++ 119,177,178,238,248,174,253,220,242,81,33,0,177,251,91,44,247,53,183,198,165, ++ 63,20,194,159,107>>; ++ ++aes_fragment(_) -> ++ <<220,193,179,139,171,33,143,245,202,47,123,251,13,232,114,8, ++ 190,162,74,31,186,227,119,155,94,74,119,79,169,193,240,160, ++ 198,181,81,19,98,162,213,228,74,224,253,168,156,59,195,122, ++ 108,101,107,242,20,15,169,150,163,107,101,94,93,104,241,165>>. ++ ++badpad_aes_fragment({3,N}) when N == 0; N == 1 -> ++ <<186,139,125,10,118,21,26,248,120,108,193,104,87,118,145,79,225,55,228,10,105, ++ 30,190,37,1,88,139,243,210,99,65,41>>; ++badpad_aes_fragment(_) -> ++ <<137,31,14,77,228,80,76,103,183,125,55,250,68,190,123,131,117,23,229,180,207, ++ 94,121,137,117,157,109,99,113,61,190,138,131,229,201,120,142,179,172,48,77, ++ 234,19,240,33,38,91,93>>. ++ ++content_nextiv_mac({3,N}) when N == 0; N == 1 -> ++ {<<"HELLO\n">>, ++ <<33,0, 177,251, 91,44, 247,53, 183,198, 165,63, 20,194, 159,107>>, ++ <<71,136,212,107,223,200,70,232,127,116,148,205,232,35,158,113,237,174,15,217,192,168,35,8,6,107,107,233,25,174,90,111>>}; ++content_nextiv_mac(_) -> ++ {<<"HELLO\n">>, ++ <<183,139,16,132,10,209,67,86,168,100,61,217,145,57,36,56>>, ++ <<71,136,212,107,223,200,70,232,127,116,148,205,232,35,158,113,237,174,15,217,192,168,35,8,6,107,107,233,25,174,90,111>>}. ++ ++badpad_content_nextiv_mac({3,N}) when N == 0; N == 1 -> ++ {<<"HELLO\n">>, ++ <<225,55,228,10,105,30,190,37,1,88,139,243,210,99,65,41>>, ++ <<183,139,16,132,10,209,67,86,168,100,61,217,145,57,36,56>> ++ }; ++badpad_content_nextiv_mac(_) -> ++ {<<"HELLO\n">>, ++ <<133,211,45,189,179,229,56,86,11,178,239,159,14,160,253,140>>, ++ <<183,139,16,132,10,209,67,86,168,100,61,217,145,57,36,56>> ++ }. ++ ++badpad_content(Content) -> ++ %% BadContent will fail mac test ++ <<16#F0, Content/binary>>. ++ ++correct_cipher_state() -> ++ #cipher_state{iv = <<59,201,85,117,188,206,224,136,5,109,46,70,104,79,4,9>>, ++ key = <<72,196,247,97,62,213,222,109,210,204,217,186,172,184,197,148>>}. ++ ++incorrect_cipher_state() -> ++ #cipher_state{iv = <<59,201,85,117,188,206,224,136,5,109,46,70,104,79,4,9>>, ++ key = <<72,196,247,97,62,213,222,109,210,204,217,186,172,184,197,254>>}. diff -Nru erlang-16.b.3-dfsg/debian/patches/CVE-2017-1000385.patch erlang-16.b.3-dfsg/debian/patches/CVE-2017-1000385.patch --- erlang-16.b.3-dfsg/debian/patches/CVE-2017-1000385.patch 1970-01-01 00:00:00.000000000 +0000 +++ erlang-16.b.3-dfsg/debian/patches/CVE-2017-1000385.patch 2017-12-07 13:47:24.000000000 +0000 @@ -0,0 +1,73 @@ +Backport of: + +From de3b9cdb8521d7edd524b4e17d1e3f883f832ec0 Mon Sep 17 00:00:00 2001 +From: Ingela Anderton Andin +Date: Tue, 7 Nov 2017 18:34:34 +0100 +Subject: [PATCH] ssl: Countermeasurements for Bleichenbacher attack + +Back ported for security reasons. +Remove DTLS changes as DTLS is not at all working in OTP 18. +--- + lib/ssl/src/ssl_connection.erl | 21 +++++++++++++++++++-- + lib/ssl/src/ssl_connection.hrl | 3 ++- + lib/ssl/src/tls_connection.erl | 1 + + 3 files changed, 22 insertions(+), 3 deletions(-) + +Index: erlang-16.b.3-dfsg/lib/ssl/src/ssl_connection.erl +=================================================================== +--- erlang-16.b.3-dfsg.orig/lib/ssl/src/ssl_connection.erl 2017-12-07 08:46:17.058547839 -0500 ++++ erlang-16.b.3-dfsg/lib/ssl/src/ssl_connection.erl 2017-12-07 08:46:17.050547746 -0500 +@@ -1057,8 +1057,25 @@ server_certify_and_key_exchange(State0, + request_client_cert(State2, Connection). + + certify_client_key_exchange(#encrypted_premaster_secret{premaster_secret= EncPMS}, +- #state{private_key = Key} = State, Connection) -> +- PremasterSecret = ssl_handshake:premaster_secret(EncPMS, Key), ++ #state{private_key = Key, client_hello_version = {Major, Minor} = Version} = State, Connection) -> ++ ++ %% Countermeasure for Bleichenbacher attack always provide some kind of premaster secret ++ %% and fail handshake later.RFC 5246 section 7.4.7.1. ++ PremasterSecret = ++ try ssl_handshake:premaster_secret(EncPMS, Key) of ++ Secret when erlang:byte_size(Secret) == ?NUM_OF_PREMASTERSECRET_BYTES -> ++ case Secret of ++ <> -> %% Correct ++ Secret; ++ <> -> %% Version mismatch ++ <> ++ end; ++ _ -> %% erlang:byte_size(Secret) =/= ?NUM_OF_PREMASTERSECRET_BYTES ++ make_premaster_secret(Version, rsa) ++ catch ++ #alert{description = ?DECRYPT_ERROR} -> ++ make_premaster_secret(Version, rsa) ++ end, + calculate_master_secret(PremasterSecret, State, Connection, certify, cipher); + + certify_client_key_exchange(#client_diffie_hellman_public{dh_public = ClientPublicDhKey}, +Index: erlang-16.b.3-dfsg/lib/ssl/src/ssl_connection.hrl +=================================================================== +--- erlang-16.b.3-dfsg.orig/lib/ssl/src/ssl_connection.hrl 2017-12-07 08:46:17.058547839 -0500 ++++ erlang-16.b.3-dfsg/lib/ssl/src/ssl_connection.hrl 2017-12-07 08:47:11.915214891 -0500 +@@ -53,7 +53,8 @@ + session :: #session{}, + session_cache :: db_handle(), + session_cache_cb :: atom(), +- negotiated_version :: tls_version(), ++ negotiated_version :: tls_version() | 'undefined', ++ client_hello_version :: tls_version() | 'undefined', + client_certificate_requested = false :: boolean(), + key_algorithm :: key_algo(), + hashsign_algorithm = {undefined, undefined}, +Index: erlang-16.b.3-dfsg/lib/ssl/src/tls_connection.erl +=================================================================== +--- erlang-16.b.3-dfsg.orig/lib/ssl/src/tls_connection.erl 2017-12-07 08:46:17.058547839 -0500 ++++ erlang-16.b.3-dfsg/lib/ssl/src/tls_connection.erl 2017-12-07 08:46:17.058547839 -0500 +@@ -216,6 +216,7 @@ hello(Hello = #client_hello{client_versi + ssl_connection:hello({common_client_hello, Type, ServerHelloExt, HashSign}, + State#state{connection_states = ConnectionStates, + negotiated_version = Version, ++ client_hello_version = ClientVersion, + session = Session, + client_ecc = {EllipticCurves, EcPointFormats}}, ?MODULE); + #alert{} = Alert -> diff -Nru erlang-16.b.3-dfsg/debian/patches/bytecode-compat.patch erlang-16.b.3-dfsg/debian/patches/bytecode-compat.patch --- erlang-16.b.3-dfsg/debian/patches/bytecode-compat.patch 1970-01-01 00:00:00.000000000 +0000 +++ erlang-16.b.3-dfsg/debian/patches/bytecode-compat.patch 2013-07-10 09:29:30.000000000 +0000 @@ -0,0 +1,32 @@ +Description: Build backwards compatible bytecode. + By default, javac compiles bytecode which is compatible + with the Java implementation the JDK originates from and + onwards. + . + This patch ensures that bytecode is compatible with Java + 1.5 and up. +Author: James Page +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/erlang/+bug/1049769 + +--- a/lib/ic/java_src/com/ericsson/otp/ic/Makefile ++++ b/lib/ic/java_src/com/ericsson/otp/ic/Makefile +@@ -90,7 +90,7 @@ ifneq ($(V),0) + JARFLAGS= -cfv + endif + +-JAVA_OPTIONS = ++JAVA_OPTIONS = -source 1.5 -target 1.5 + + # ---------------------------------------------------- + # Make Rules +--- a/lib/jinterface/java_src/com/ericsson/otp/erlang/Makefile ++++ b/lib/jinterface/java_src/com/ericsson/otp/erlang/Makefile +@@ -66,7 +66,7 @@ ifneq ($(V),0) + JARFLAGS=-cfv + endif + +-JAVA_OPTIONS = ++JAVA_OPTIONS = -source 1.5 -target 1.5 + + ifeq ($(TESTROOT),) + RELEASE_PATH="$(ERL_TOP)/release/$(TARGET)" diff -Nru erlang-16.b.3-dfsg/debian/patches/fix-pointer-converstion.patch erlang-16.b.3-dfsg/debian/patches/fix-pointer-converstion.patch --- erlang-16.b.3-dfsg/debian/patches/fix-pointer-converstion.patch 1970-01-01 00:00:00.000000000 +0000 +++ erlang-16.b.3-dfsg/debian/patches/fix-pointer-converstion.patch 2013-07-10 09:29:30.000000000 +0000 @@ -0,0 +1,25 @@ +From: Clint Byrum +Subject: resolve buildd failure "Function `erl_malloc' implicitly converted to pointer at legacy/erl_timeout.c:77" +Bug-Ubuntu: https://launchpad.net/bugs/778484 + +Index: erlang-14.b.4-dfsg-1ubuntu1/lib/erl_interface/src/legacy/erl_timeout.c +=================================================================== +--- erlang-14.b.4-dfsg-1ubuntu1.orig/lib/erl_interface/src/legacy/erl_timeout.c 2011-12-15 16:39:50.958344893 -0800 ++++ erlang-14.b.4-dfsg-1ubuntu1/lib/erl_interface/src/legacy/erl_timeout.c 2011-12-15 16:40:45.183171477 -0800 +@@ -45,6 +45,7 @@ + + #include "erl_interface.h" + #include "erl_timeout.h" ++#include "erl_interface.h" + + typedef struct jmp_s { + jmp_buf jmpbuf; +@@ -75,7 +76,7 @@ + t.it_value.tv_usec = (ms % 1000) * 1000; + + /* get a jump buffer and save it */ +- j = erl_malloc(sizeof(*j)); ++ j = (jmp_t)erl_malloc(sizeof(*j)); + j->siginfo = s; + push(j); + diff -Nru erlang-16.b.3-dfsg/debian/patches/series erlang-16.b.3-dfsg/debian/patches/series --- erlang-16.b.3-dfsg/debian/patches/series 2013-12-12 08:05:46.000000000 +0000 +++ erlang-16.b.3-dfsg/debian/patches/series 2017-12-07 13:46:13.000000000 +0000 @@ -8,3 +8,8 @@ java.patch hppa.patch powerpc.patch +fix-pointer-converstion.patch +bytecode-compat.patch +CVE-2014-1693.patch +CVE-2015-2774.patch +CVE-2017-1000385.patch diff -Nru erlang-16.b.3-dfsg/debian/rules erlang-16.b.3-dfsg/debian/rules --- erlang-16.b.3-dfsg/debian/rules 2013-12-12 08:05:46.000000000 +0000 +++ erlang-16.b.3-dfsg/debian/rules 2014-08-12 10:54:41.000000000 +0000 @@ -69,12 +69,17 @@ CFLAGS=-g -O2 -fno-strict-aliasing GEN_OPT_FLGS=-O2 -fno-strict-aliasing TYPE=debug +ERL_COMPILE_FLAGS="+debug_info" else CFLAGS=-g -O2 -fno-strict-aliasing GEN_OPT_FLGS=-O2 -fno-strict-aliasing TYPE= +ERL_COMPILE_FLAGS="" endif +# Enable IPv6 support in epmd +CPPFLAGS=-DEPMD6 + JAVA_OPTIONS=-source 1.5 -target 1.5 JOBS=4 @@ -177,7 +182,9 @@ [ ! -f Makefile ] || ${MAKE} -j ${JOBS} clean rm -f lib/dialyzer/SKIP # + ERL_COMPILE_FLAGS="$(ERL_COMPILE_FLAGS)" \ CFLAGS="$(CFLAGS)" \ + CPPFLAGS="$(CPPFLAGS)" \ ./configure --host=$(DEB_HOST_GNU_TYPE) \ --build=$(DEB_BUILD_GNU_TYPE) \ --prefix=/usr \ @@ -206,7 +213,9 @@ [ ! -f Makefile ] || ${MAKE} -j ${JOBS} clean rm -f lib/dialyzer/SKIP # + ERL_COMPILE_FLAGS="$(ERL_COMPILE_FLAGS)" \ CFLAGS="$(CFLAGS)" \ + CPPFLAGS="$(CPPFLAGS)" \ ./configure --host=$(DEB_HOST_GNU_TYPE) \ --build=$(DEB_BUILD_GNU_TYPE) \ --prefix=/usr \