Fixed Invalid pointer dereference in d2i_PKCS7 functions
Resolves: CVE-2023-0216
parent
b889341096
commit
5e4feef220
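--- a/0105-CVE-2023-0216-pkcs7-deref.patch
+++ b/0105-CVE-2023-0216-pkcs7-deref.patch
@@ -0,0 +1,110 @@
+From 934a04f0e775309cadbef0aa6b9692e1b12a76c6 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tomas@openssl.org>
+Date: Mon, 16 Jan 2023 19:45:23 +0100
+Subject: [PATCH 08/18] Do not dereference PKCS7 object data if not set
+
+Fixes CVE-2023-0216
+
+Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
+Reviewed-by: Paul Dale <pauli@openssl.org>
+---
+crypto/pkcs7/pk7_lib.c | 16 ++++++++++++----
+1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/crypto/pkcs7/pk7_lib.c b/crypto/pkcs7/pk7_lib.c
+index 753f1276e6..936e50da54 100644
+--- a/crypto/pkcs7/pk7_lib.c
++++ b/crypto/pkcs7/pk7_lib.c
+@@ -414,6 +414,8 @@ PKCS7_SIGNER_INFO *PKCS7_add_signature(PKCS7 *p7, X509 *x509, EVP_PKEY *pkey,
+
+static STACK_OF(X509) *pkcs7_get_signer_certs(const PKCS7 *p7)
+{
++ if (p7->d.ptr == NULL)
++ return NULL;
+if (PKCS7_type_is_signed(p7))
+return p7->d.sign->cert;
+if (PKCS7_type_is_signedAndEnveloped(p7))
+@@ -423,6 +425,8 @@ static STACK_OF(X509) *pkcs7_get_signer_certs(const PKCS7 *p7)
+
+static STACK_OF(PKCS7_RECIP_INFO) *pkcs7_get_recipient_info(const PKCS7 *p7)
+{
++ if (p7->d.ptr == NULL)
++ return NULL;
+if (PKCS7_type_is_signedAndEnveloped(p7))
+return p7->d.signed_and_enveloped->recipientinfo;
+if (PKCS7_type_is_enveloped(p7))
+@@ -440,13 +444,17 @@ void ossl_pkcs7_resolve_libctx(PKCS7 *p7)
+const PKCS7_CTX *ctx = ossl_pkcs7_get0_ctx(p7);
+OSSL_LIB_CTX *libctx = ossl_pkcs7_ctx_get0_libctx(ctx);
+const char *propq = ossl_pkcs7_ctx_get0_propq(ctx);
+- STACK_OF(PKCS7_RECIP_INFO) *rinfos = pkcs7_get_recipient_info(p7);
+- STACK_OF(PKCS7_SIGNER_INFO) *sinfos = PKCS7_get_signer_info(p7);
+- STACK_OF(X509) *certs = pkcs7_get_signer_certs(p7);
++ STACK_OF(PKCS7_RECIP_INFO) *rinfos;
++ STACK_OF(PKCS7_SIGNER_INFO) *sinfos;
++ STACK_OF(X509) *certs;
+
+- if (ctx == NULL)
++ if (ctx == NULL || p7->d.ptr == NULL)
+return;
+
++ rinfos = pkcs7_get_recipient_info(p7);
++ sinfos = PKCS7_get_signer_info(p7);
++ certs = pkcs7_get_signer_certs(p7);
++
+for (i = 0; i < sk_X509_num(certs); i++)
+ossl_x509_set0_libctx(sk_X509_value(certs, i), libctx, propq);
+
+--
+2.39.1
+
+From 67813d8a4d110f4174bbd2fee8a2f15388e324b5 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tomas@openssl.org>
+Date: Mon, 16 Jan 2023 19:56:20 +0100
+Subject: [PATCH 09/18] Add test for d2i_PKCS7 NULL dereference
+
+Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
+Reviewed-by: Paul Dale <pauli@openssl.org>
+---
+test/recipes/25-test_pkcs7.t | 7 +++++--
+test/recipes/25-test_pkcs7_data/malformed.pkcs7 | 3 +++
+2 files changed, 8 insertions(+), 2 deletions(-)
+create mode 100644 test/recipes/25-test_pkcs7_data/malformed.pkcs7
+
+diff --git a/test/recipes/25-test_pkcs7.t b/test/recipes/25-test_pkcs7.t
+index 37cd43dc6b..d61cd6abad 100644
+--- a/test/recipes/25-test_pkcs7.t
++++ b/test/recipes/25-test_pkcs7.t
+@@ -11,11 +11,11 @@ use strict;
+use warnings;
+
+use File::Spec;
+-use OpenSSL::Test qw/:DEFAULT srctop_file/;
++use OpenSSL::Test qw/:DEFAULT srctop_file data_file/;
+
+setup("test_pkcs7");
+
+-plan tests => 3;
++plan tests => 4;
+
+require_ok(srctop_file('test','recipes','tconversion.pl'));
+
+@@ -27,3 +27,6 @@ subtest 'pkcs7 conversions -- pkcs7d' => sub {
+tconversion( -type => 'p7d', -in => srctop_file("test", "pkcs7-1.pem"),
+-args => ["pkcs7"] );
+};
++
++my $malformed = data_file('malformed.pkcs7');
++ok(run(app(["openssl", "pkcs7", "-in", $malformed])));
+diff --git a/test/recipes/25-test_pkcs7_data/malformed.pkcs7 b/test/recipes/25-test_pkcs7_data/malformed.pkcs7
+new file mode 100644
+index 0000000000..e30d1b582c
+--- /dev/null
++++ b/test/recipes/25-test_pkcs7_data/malformed.pkcs7
+@@ -0,0 +1,3 @@
++-----BEGIN PKCS7-----
++MAsGCSqGSIb3DQEHAg==
++-----END PKCS7-----
+--
+2.39.1
+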
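Review bot: The regression test added at the end of test/recipes/25-test_pkcs7.t has no description and no comment, so a reader sees a file named malformed.pkcs7 that is expected to make `openssl pkcs7` exit successfully without learning why. The fixture's base64 decodes to a SEQUENCE holding only the signedData OID (1.2.840.113549.1.7.2) with the content field absent, which is the state the new `p7->d.ptr == NULL` guards in pk7_lib.c handle. I would add `# ContentInfo with signedData type and no content: must parse without a NULL dereference` above `my $malformed` and name the check, `ok(run(app(["openssl", "pkcs7", "-in", $malformed])), "pkcs7 with type but no content");`. The test checks only the exit status of the command, so as far as this patch shows it covers the `openssl pkcs7` path and no other caller of d2i_PKCS7.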
@ -160,6 +160,7 @@ Patch101: 0101-CVE-2022-4203-nc-match.patch
|
|||||||
Patch102: 0102-CVE-2022-4304-RSA-time-oracle.patch
|
Patch102: 0102-CVE-2022-4304-RSA-time-oracle.patch
|
||||||
Patch103: 0103-CVE-2022-4450-pem-read-bio.patch
|
Patch103: 0103-CVE-2022-4450-pem-read-bio.patch
|
||||||
Patch104: 0104-CVE-2023-0215-UAF-bio.patch
|
Patch104: 0104-CVE-2023-0215-UAF-bio.patch
|
||||||
|
Patch105: 0105-CVE-2023-0216-pkcs7-deref.patch
|
||||||
|
|
||||||
License: ASL 2.0
|
License: ASL 2.0
|
||||||
URL: http://www.openssl.org/
|
URL: http://www.openssl.org/
|
||||||
@ -499,6 +500,8 @@ install -m644 %{SOURCE9} \
|
|||||||
Resolves: CVE-2022-4450
|
Resolves: CVE-2022-4450
|
||||||
- Fixed Use-after-free following BIO_new_NDEF
|
- Fixed Use-after-free following BIO_new_NDEF
|
||||||
Resolves: CVE-2023-0215
|
Resolves: CVE-2023-0215
|
||||||
|
- Fixed Invalid pointer dereference in d2i_PKCS7 functions
|
||||||
|
Resolves: CVE-2023-0216
|
||||||
|
|
||||||
* Wed Jan 11 2023 Clemens Lang <cllang@redhat.com> - 1:3.0.7-4
|
* Wed Jan 11 2023 Clemens Lang <cllang@redhat.com> - 1:3.0.7-4
|
||||||
- Disallow SHAKE in RSA-OAEP decryption in FIPS mode
|
- Disallow SHAKE in RSA-OAEP decryption in FIPS mode
|
||||||
|