From 794d81540e55bf6125a1d9429856c74e96354d54 Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Thu, 26 May 2022 12:14:19 +0200 Subject: [PATCH] CVE-2022-1292 openssl: c_rehash script allows command injection Resolves: rhbz#2090362 --- 0065-CVE-2022-1292.patch | 58 ++++++++++++++++++++++++++++++++++++++++ openssl.spec | 5 +++- 2 files changed, 62 insertions(+), 1 deletion(-) create mode 100644 0065-CVE-2022-1292.patch diff --git a/0065-CVE-2022-1292.patch b/0065-CVE-2022-1292.patch new file mode 100644 index 0000000..5531fb3 --- /dev/null +++ b/0065-CVE-2022-1292.patch @@ -0,0 +1,58 @@ +diff --git a/tools/c_rehash.in b/tools/c_rehash.in +index d51d8856d7..a630773a02 100644 +--- a/tools/c_rehash.in ++++ b/tools/c_rehash.in +@@ -152,6 +152,23 @@ sub check_file { + return ($is_cert, $is_crl); + } + ++sub compute_hash { ++ my $fh; ++ if ( $^O eq "VMS" ) { ++ # VMS uses the open through shell ++ # The file names are safe there and list form is unsupported ++ if (!open($fh, "-|", join(' ', @_))) { ++ print STDERR "Cannot compute hash on '$fname'\n"; ++ return; ++ } ++ } else { ++ if (!open($fh, "-|", @_)) { ++ print STDERR "Cannot compute hash on '$fname'\n"; ++ return; ++ } ++ } ++ return (<$fh>, <$fh>); ++} + + # Link a certificate to its subject name hash value, each hash is of + # the form . where n is an integer. If the hash value already exists +@@ -161,10 +178,12 @@ sub check_file { + + sub link_hash_cert { + my $fname = $_[0]; +- $fname =~ s/\"/\\\"/g; +- my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`; ++ my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash, ++ "-fingerprint", "-noout", ++ "-in", $fname); + chomp $hash; + chomp $fprint; ++ return if !$hash; + $fprint =~ s/^.*=//; + $fprint =~ tr/://d; + my $suffix = 0; +@@ -202,10 +221,12 @@ sub link_hash_cert { + + sub link_hash_crl { + my $fname = $_[0]; +- $fname =~ s/'/'\\''/g; +- my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`; ++ my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash, ++ "-fingerprint", "-noout", ++ "-in", $fname); + chomp $hash; + chomp $fprint; ++ return if !$hash; + $fprint =~ s/^.*=//; + $fprint =~ tr/://d; + my $suffix = 0; diff --git a/openssl.spec b/openssl.spec index 40d0dc3..dfa064b 100644 --- a/openssl.spec +++ b/openssl.spec @@ -123,7 +123,8 @@ Patch62: 0062-Disable-EVP_PKEY_-sign-verify-in-FIPS-provider.patch Patch63: 0063-CVE-2022-1473.patch # upstream commits 55c80c222293a972587004c185dc5653ae207a0e 2eda98790c5c2741d76d23cc1e74b0dc4f4b391a Patch64: 0064-CVE-2022-1343.diff - +# upstream commit 1ad73b4d27bd8c1b369a3cd453681d3a4f1bb9b2 +Patch65: 0065-CVE-2022-1292.patch License: ASL 2.0 URL: http://www.openssl.org/ @@ -460,6 +461,8 @@ install -m644 %{SOURCE9} \ - CVE-2022-1343 openssl: Signer certificate verification returned inaccurate response when using OCSP_NOCHECKS - Resolves: rhbz#2087911 +- CVE-2022-1292 openssl: c_rehash script allows command injection +- Resolves: rhbz#2090362 * Thu May 19 2022 Dmitry Belyavskiy - 1:3.0.1-32 - `openssl ecparam -list_curves` lists only FIPS-approved curves in FIPS mode