From 5e4feef220a0ff02085dadae7f36f1545286a2c3 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy
Date: Wed, 8 Feb 2023 11:55:32 +0100
Subject: [PATCH] Fixed Invalid pointer dereference in d2i_PKCS7 functions Resolves: CVE-2023-0216
---
 0105-CVE-2023-0216-pkcs7-deref.patch | 110 +++++++++++++++++++++++++++
 openssl.spec | 3 +
 2 files changed, 113 insertions(+)
 create mode 100644 0105-CVE-2023-0216-pkcs7-deref.patch
diff --git a/0105-CVE-2023-0216-pkcs7-deref.patch b/0105-CVE-2023-0216-pkcs7-deref.patch
new file mode 100644
index 0000000..bbcd594
--- /dev/null
+++ b/0105-CVE-2023-0216-pkcs7-deref.patch
@@ -0,0 +1,110 @@
+From 934a04f0e775309cadbef0aa6b9692e1b12a76c6 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz
+Date: Mon, 16 Jan 2023 19:45:23 +0100
+Subject: [PATCH 08/18] Do not dereference PKCS7 object data if not set
+
+Fixes CVE-2023-0216
+
+Reviewed-by: Shane Lontis
+Reviewed-by: Paul Dale
+---
+ crypto/pkcs7/pk7_lib.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/crypto/pkcs7/pk7_lib.c b/crypto/pkcs7/pk7_lib.c
+index 753f1276e6..936e50da54 100644
+--- a/crypto/pkcs7/pk7_lib.c
++++ b/crypto/pkcs7/pk7_lib.c
+@@ -414,6 +414,8 @@ PKCS7_SIGNER_INFO *PKCS7_add_signature(PKCS7 *p7, X509 *x509, EVP_PKEY *pkey,
+
+ static STACK_OF(X509) *pkcs7_get_signer_certs(const PKCS7 *p7)
+ {
++ if (p7->d.ptr == NULL)
++ return NULL;
+ if (PKCS7_type_is_signed(p7))
+ return p7->d.sign->cert;
+ if (PKCS7_type_is_signedAndEnveloped(p7))
+@@ -423,6 +425,8 @@ static STACK_OF(X509) *pkcs7_get_signer_certs(const PKCS7 *p7)
+
+ static STACK_OF(PKCS7_RECIP_INFO) *pkcs7_get_recipient_info(const PKCS7 *p7)
+ {
++ if (p7->d.ptr == NULL)
++ return NULL;
+ if (PKCS7_type_is_signedAndEnveloped(p7))
+ return p7->d.signed_and_enveloped->recipientinfo;
+ if (PKCS7_type_is_enveloped(p7))
+@@ -440,13 +444,17 @@ void ossl_pkcs7_resolve_libctx(PKCS7 *p7)
+ const PKCS7_CTX *ctx = ossl_pkcs7_get0_ctx(p7);
+ OSSL_LIB_CTX *libctx = ossl_pkcs7_ctx_get0_libctx(ctx);
+ const char *propq = ossl_pkcs7_ctx_get0_propq(ctx);
+- STACK_OF(PKCS7_RECIP_INFO) *rinfos = pkcs7_get_recipient_info(p7);
+- STACK_OF(PKCS7_SIGNER_INFO) *sinfos = PKCS7_get_signer_info(p7);
+- STACK_OF(X509) *certs = pkcs7_get_signer_certs(p7);
++ STACK_OF(PKCS7_RECIP_INFO) *rinfos;
++ STACK_OF(PKCS7_SIGNER_INFO) *sinfos;
++ STACK_OF(X509) *certs;
+
+- if (ctx == NULL)
++ if (ctx == NULL || p7->d.ptr == NULL)
+ return;
+
++ rinfos = pkcs7_get_recipient_info(p7);
++ sinfos = PKCS7_get_signer_info(p7);
++ certs = pkcs7_get_signer_certs(p7);
++
+ for (i = 0; i < sk_X509_num(certs); i++)
+ ossl_x509_set0_libctx(sk_X509_value(certs, i), libctx, propq);
+
+--
+2.39.1
+
+From 67813d8a4d110f4174bbd2fee8a2f15388e324b5 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz
+Date: Mon, 16 Jan 2023 19:56:20 +0100
+Subject: [PATCH 09/18] Add test for d2i_PKCS7 NULL dereference
+
+Reviewed-by: Shane Lontis
+Reviewed-by: Paul Dale
+---
+ test/recipes/25-test_pkcs7.t | 7 +++++--
+ test/recipes/25-test_pkcs7_data/malformed.pkcs7 | 3 +++
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+ create mode 100644 test/recipes/25-test_pkcs7_data/malformed.pkcs7
+
+diff --git a/test/recipes/25-test_pkcs7.t b/test/recipes/25-test_pkcs7.t
+index 37cd43dc6b..d61cd6abad 100644
+--- a/test/recipes/25-test_pkcs7.t
++++ b/test/recipes/25-test_pkcs7.t
+@@ -11,11 +11,11 @@ use strict;
+ use warnings;
+
+ use File::Spec;
+-use OpenSSL::Test qw/:DEFAULT srctop_file/;
++use OpenSSL::Test qw/:DEFAULT srctop_file data_file/;
+
+ setup("test_pkcs7");
+
+-plan tests => 3;
++plan tests => 4;
+
+ require_ok(srctop_file('test','recipes','tconversion.pl'));
+
+@@ -27,3 +27,6 @@ subtest 'pkcs7 conversions -- pkcs7d' => sub {
+ tconversion( -type => 'p7d', -in => srctop_file("test", "pkcs7-1.pem"),
+ -args => ["pkcs7"] );
+ };
++
++my $malformed = data_file('malformed.pkcs7');
++ok(run(app(["openssl", "pkcs7", "-in", $malformed])));
+diff --git a/test/recipes/25-test_pkcs7_data/malformed.pkcs7 b/test/recipes/25-test_pkcs7_data/malformed.pkcs7
+new file mode 100644
+index 0000000000..e30d1b582c
+--- /dev/null
++++ b/test/recipes/25-test_pkcs7_data/malformed.pkcs7
+@@ -0,0 +1,3 @@
++-----BEGIN PKCS7-----
++MAsGCSqGSIb3DQEHAg==
++-----END PKCS7-----
+--
+2.39.1
+
diff --git a/openssl.spec b/openssl.spec
index ef22b31..f3c7b83 100644
--- a/openssl.spec
+++ b/openssl.spec
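Review bot: The three new `p7->d.ptr == NULL` guards in crypto/pkcs7/pk7_lib.c (in `pkcs7_get_signer_certs`, `pkcs7_get_recipient_info` and `ossl_pkcs7_resolve_libctx`) carry no comment saying when a decoded PKCS7 can have a type but no content, so a later reader cannot tell that the check protects the parsing of untrusted input. The test data added in the same patch shows the case: its base64 decodes to a SEQUENCE holding only the signedData OID, with the optional content field absent. I would put `/* content is OPTIONAL in ContentInfo, so a decoded PKCS7 can carry a type and d.ptr == NULL */` above the first guard. The new check in 25-test_pkcs7.t also has no description and expects success on a file named "malformed"; `ok(run(app(["openssl", "pkcs7", "-in", $malformed])), "pkcs7 with absent content is parsed without crashing");` would say what is being asserted. The bodies of all three C functions continue outside the hunks shown.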
@@ -160,6 +160,7 @@ Patch101: 0101-CVE-2022-4203-nc-match.patch Patch102: 0102-CVE-2022-4304-RSA-time-oracle.patch Patch103: 0103-CVE-2022-4450-pem-read-bio.patch Patch104: 0104-CVE-2023-0215-UAF-bio.patch +Patch105: 0105-CVE-2023-0216-pkcs7-deref.patch License: ASL 2.0 URL: http://www.openssl.org/ @@ -499,6 +500,8 @@ install -m644 %{SOURCE9} \ Resolves: CVE-2022-4450 - Fixed Use-after-free following BIO_new_NDEF Resolves: CVE-2023-0215 +- Fixed Invalid pointer dereference in d2i_PKCS7 functions + Resolves: CVE-2023-0216 * Wed Jan 11 2023 Clemens Lang - 1:3.0.7-4 - Disallow SHAKE in RSA-OAEP decryption in FIPS mode