From 8755b29af179872acb4a7f10f4ef95ea4b5e6f4a Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 21 Dec 2021 04:09:18 -0500
Subject: [PATCH] import openssl-1.1.1k-5.el8_5

---
 SOURCES/openssl-1.1.1-read-buff.patch | 319 ++++++++++++++++++++++++++
 SPECS/openssl.spec | 8 +-
 2 files changed, 326 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/openssl-1.1.1-read-buff.patch

diff --git a/SOURCES/openssl-1.1.1-read-buff.patch b/SOURCES/openssl-1.1.1-read-buff.patch
new file mode 100644
index 0000000..69a6535
--- /dev/null
+++ b/SOURCES/openssl-1.1.1-read-buff.patch
@@ -0,0 +1,319 @@
+diff -up openssl-1.1.1k/crypto/asn1/t_spki.c.read-buff openssl-1.1.1k/crypto/asn1/t_spki.c
+--- openssl-1.1.1k/crypto/asn1/t_spki.c.read-buff 2021-11-11 15:38:39.678509348 +0100
++++ openssl-1.1.1k/crypto/asn1/t_spki.c 2021-11-11 15:40:59.647922530 +0100
+@@ -38,7 +38,7 @@ int NETSCAPE_SPKI_print(BIO *out, NETSCA
+ }
+ chal = spki->spkac->challenge;
+ if (chal->length)
+- BIO_printf(out, " Challenge String: %s\n", chal->data);
++ BIO_printf(out, " Challenge String: %.*s\n", chal->length, chal->data);
+ i = OBJ_obj2nid(spki->sig_algor.algorithm);
+ BIO_printf(out, " Signature Algorithm: %s",
+ (i == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(i));
+diff -up openssl-1.1.1k/crypto/ec/ec_asn1.c.read-buff openssl-1.1.1k/crypto/ec/ec_asn1.c
+--- openssl-1.1.1k/crypto/ec/ec_asn1.c.read-buff 2021-11-11 15:36:43.782339219 +0100
++++ openssl-1.1.1k/crypto/ec/ec_asn1.c 2021-11-11 15:37:43.064937758 +0100
+@@ -761,7 +761,10 @@ EC_GROUP *EC_GROUP_new_from_ecparameters
+ ret->seed_len = params->curve->seed->length;
+ }
+
+- if (!params->order || !params->base || !params->base->data) {
++ if (params->order == NULL
++ || params->base == NULL
++ || params->base->data == NULL
++ || params->base->length == 0) {
+ ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, EC_R_ASN1_ERROR);
+ goto err;
+ }
+diff -up openssl-1.1.1k/crypto/x509/t_x509.c.read-buff openssl-1.1.1k/crypto/x509/t_x509.c
+--- openssl-1.1.1k/crypto/x509/t_x509.c.read-buff 2021-11-12 12:54:15.665091764 +0100
++++ openssl-1.1.1k/crypto/x509/t_x509.c 2021-11-12 12:56:10.897782587 +0100
+@@ -365,9 +365,9 @@ int X509_aux_print(BIO *out, X509 *x, in
+ BIO_puts(out, "\n");
+ } else
+ BIO_printf(out, "%*sNo Rejected Uses.\n", indent, "");
+- alias = X509_alias_get0(x, NULL);
++ alias = X509_alias_get0(x, &i);
+ if (alias)
+- BIO_printf(out, "%*sAlias: %s\n", indent, "", alias);
++ BIO_printf(out, "%*sAlias: %.*s\n", indent, "", i, alias);
+ keyid = X509_keyid_get0(x, &keyidlen);
+ if (keyid) {
+ BIO_printf(out, "%*sKey Id: 
", indent, "");
+diff -up openssl-1.1.1k/crypto/x509v3/v3_cpols.c.read-buff openssl-1.1.1k/crypto/x509v3/v3_cpols.c
+--- openssl-1.1.1k/crypto/x509v3/v3_cpols.c.read-buff 2021-11-12 12:40:51.415811428 +0100
++++ openssl-1.1.1k/crypto/x509v3/v3_cpols.c 2021-11-12 12:50:06.062808372 +0100
+@@ -422,7 +422,8 @@ static void print_qualifiers(BIO *out, S
+ qualinfo = sk_POLICYQUALINFO_value(quals, i);
+ switch (OBJ_obj2nid(qualinfo->pqualid)) {
+ case NID_id_qt_cps:
+- BIO_printf(out, "%*sCPS: %s\n", indent, "",
++ BIO_printf(out, "%*sCPS: %.*s\n", indent, "",
++ qualinfo->d.cpsuri->length,
+ qualinfo->d.cpsuri->data);
+ break;
+
+@@ -447,7 +448,8 @@ static void print_notice(BIO *out, USERN
+ if (notice->noticeref) {
+ NOTICEREF *ref;
+ ref = notice->noticeref;
+- BIO_printf(out, "%*sOrganization: %s\n", indent, "",
++ BIO_printf(out, "%*sOrganization: %.*s\n", indent, "",
++ ref->organization->length,
+ ref->organization->data);
+ BIO_printf(out, "%*sNumber%s: ", indent, "",
+ sk_ASN1_INTEGER_num(ref->noticenos) > 1 ? "s" : "");
+@@ -470,7 +472,8 @@ static void print_notice(BIO *out, USERN
+ BIO_puts(out, "\n");
+ }
+ if (notice->exptext)
+- BIO_printf(out, "%*sExplicit Text: %s\n", indent, "",
++ BIO_printf(out, "%*sExplicit Text: %.*s\n", indent, "",
++ notice->exptext->length,
+ notice->exptext->data);
+ }
+
+diff -up openssl-1.1.1k/crypto/x509v3/v3_ncons.c.read-buff openssl-1.1.1k/crypto/x509v3/v3_ncons.c
+--- openssl-1.1.1k/crypto/x509v3/v3_ncons.c.read-buff 2021-11-11 15:56:12.675140779 +0100
++++ openssl-1.1.1k/crypto/x509v3/v3_ncons.c 2021-11-12 12:38:24.781856836 +0100
+@@ -63,8 +63,30 @@ ASN1_SEQUENCE(NAME_CONSTRAINTS) = {
+ IMPLEMENT_ASN1_ALLOC_FUNCTIONS(GENERAL_SUBTREE)
+ IMPLEMENT_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS)
+
++#define IA5_OFFSET_LEN(ia5base, offset) \
++ ((ia5base)->length - ((unsigned char *)(offset) - (ia5base)->data))
++
++/* Like memchr but for ASN1_IA5STRING. 
Additionally you can specify the
++ * starting point to search from
++ */
++# define ia5memchr(str, start, c) memchr(start, c, IA5_OFFSET_LEN(str, start))
++
++/* Like memrrchr but for ASN1_IA5STRING */
++static char *ia5memrchr(ASN1_IA5STRING *str, int c)
++{
++ int i;
++
++ for (i = str->length; i > 0 && str->data[i - 1] != c; i--);
++
++ if (i == 0)
++ return NULL;
++
++ return (char *)&str->data[i - 1];
++}
++
+ /*
+- * We cannot use strncasecmp here because that applies locale specific rules.
++ * We cannot use strncasecmp here because that applies locale specific rules. It
++ * also doesn't work with ASN1_STRINGs that may have embedded NUL characters.
+ * For example in Turkish 'I' is not the uppercase character for 'i'. We need to
+ * do a simple ASCII case comparison ignoring the locale (that is why we use
+ * numeric constants below).
+@@ -89,20 +111,12 @@ static int ia5ncasecmp(const char *s1, c
+
+ /* c1 > c2 */
+ return 1;
+- } else if (*s1 == 0) {
+- /* If we get here we know that *s2 == 0 too */
+- return 0;
+ }
+ }
+
+ return 0;
+ }
+
+-static int ia5casecmp(const char *s1, const char *s2)
+-{
+- return ia5ncasecmp(s1, s2, SIZE_MAX);
+-}
+-
+ static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
+ X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
+ {
+@@ -337,7 +351,7 @@ static int cn2dnsid(ASN1_STRING *cn, uns
+ --utf8_length;
+
+ /* Reject *embedded* NULs */
+- if ((size_t)utf8_length != strlen((char *)utf8_value)) {
++ if (memchr(utf8_value, 0, utf8_length) != NULL) {
+ OPENSSL_free(utf8_value);
+ return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
+ }
+@@ -537,7 +551,7 @@ static int nc_dns(ASN1_IA5STRING *dns, A
+ char *baseptr = (char *)base->data;
+ char *dnsptr = (char *)dns->data;
+ /* Empty matches everything */
+- if (!*baseptr)
++ if (base->length == 0)
+ return X509_V_OK;
+ /*
+ * Otherwise can add zero or more components on the left so compare RHS
+@@ -549,7 +563,7 @@ static int nc_dns(ASN1_IA5STRING *dns, A
+ return 
X509_V_ERR_PERMITTED_VIOLATION;
+ }
+
+- if (ia5casecmp(baseptr, dnsptr))
++ if (ia5ncasecmp(baseptr, dnsptr, base->length))
+ return X509_V_ERR_PERMITTED_VIOLATION;
+
+ return X509_V_OK;
+@@ -560,16 +574,17 @@ static int nc_email(ASN1_IA5STRING *eml,
+ {
+ const char *baseptr = (char *)base->data;
+ const char *emlptr = (char *)eml->data;
++ const char *baseat = ia5memrchr(base, '@');
++ const char *emlat = ia5memrchr(eml, '@');
++ size_t basehostlen, emlhostlen;
+
+- const char *baseat = strchr(baseptr, '@');
+- const char *emlat = strchr(emlptr, '@');
+ if (!emlat)
+ return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
+ /* Special case: initial '.' is RHS match */
+- if (!baseat && (*baseptr == '.')) {
++ if (!baseat && base->length > 0 && (*baseptr == '.')) {
+ if (eml->length > base->length) {
+ emlptr += eml->length - base->length;
+- if (ia5casecmp(baseptr, emlptr) == 0)
++ if (ia5ncasecmp(baseptr, emlptr, base->length) == 0)
+ return X509_V_OK;
+ }
+ return X509_V_ERR_PERMITTED_VIOLATION;
+@@ -589,8 +604,10 @@ static int nc_email(ASN1_IA5STRING *eml,
+ baseptr = baseat + 1;
+ }
+ emlptr = emlat + 1;
++ basehostlen = IA5_OFFSET_LEN(base, baseptr);
++ emlhostlen = IA5_OFFSET_LEN(eml, emlptr);
+ /* Just have hostname left to match: case insensitive */
+- if (ia5casecmp(baseptr, emlptr))
++ if (basehostlen != emlhostlen || ia5ncasecmp(baseptr, emlptr, emlhostlen))
+ return X509_V_ERR_PERMITTED_VIOLATION;
+
+ return X509_V_OK;
+@@ -601,10 +618,14 @@ static int nc_uri(ASN1_IA5STRING *uri, A
+ {
+ const char *baseptr = (char *)base->data;
+ const char *hostptr = (char *)uri->data;
+- const char *p = strchr(hostptr, ':');
++ const char *p = ia5memchr(uri, (char *)uri->data, ':');
+ int hostlen;
++
+ /* Check for foo:// and skip past it */
+- if (!p || (p[1] != '/') || (p[2] != '/'))
++ if (p == NULL
++ || IA5_OFFSET_LEN(uri, p) < 3
++ || p[1] != '/'
++ || p[2] != '/')
+ return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
+ hostptr = p + 3;
+
+@@ -612,13 +633,13 @@ static int 
nc_uri(ASN1_IA5STRING *uri, A
+
+ /* Look for a port indicator as end of hostname first */
+
+- p = strchr(hostptr, ':');
++ p = ia5memchr(uri, hostptr, ':');
+ /* Otherwise look for trailing slash */
+- if (!p)
+- p = strchr(hostptr, '/');
++ if (p == NULL)
++ p = ia5memchr(uri, hostptr, '/');
+
+- if (!p)
+- hostlen = strlen(hostptr);
++ if (p == NULL)
++ hostlen = IA5_OFFSET_LEN(uri, hostptr);
+ else
+ hostlen = p - hostptr;
+
+@@ -626,7 +647,7 @@ static int nc_uri(ASN1_IA5STRING *uri, A
+ return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
+
+ /* Special case: initial '.' is RHS match */
+- if (*baseptr == '.') {
++ if (base->length > 0 && *baseptr == '.') {
+ if (hostlen > base->length) {
+ p = hostptr + hostlen - base->length;
+ if (ia5ncasecmp(p, baseptr, base->length) == 0)
+diff -up openssl-1.1.1k/crypto/x509v3/v3_pci.c.read-buff openssl-1.1.1k/crypto/x509v3/v3_pci.c
+--- openssl-1.1.1k/crypto/x509v3/v3_pci.c.read-buff 2021-11-12 12:39:06.649337807 +0100
++++ openssl-1.1.1k/crypto/x509v3/v3_pci.c 2021-11-12 12:40:07.955201861 +0100
+@@ -77,7 +77,8 @@ static int i2r_pci(X509V3_EXT_METHOD *me
+ i2a_ASN1_OBJECT(out, pci->proxyPolicy->policyLanguage);
+ BIO_puts(out, "\n");
+ if (pci->proxyPolicy->policy && pci->proxyPolicy->policy->data)
+- BIO_printf(out, "%*sPolicy Text: %s\n", indent, "",
++ BIO_printf(out, "%*sPolicy Text: %.*s\n", indent, "",
++ pci->proxyPolicy->policy->length,
+ pci->proxyPolicy->policy->data);
+ return 1;
+ }
+diff -up openssl-1.1.1k/crypto/x509v3/v3_utl.c.read-buff openssl-1.1.1k/crypto/x509v3/v3_utl.c
+--- openssl-1.1.1k/crypto/x509v3/v3_utl.c.read-buff 2021-11-11 15:46:16.797124581 +0100
++++ openssl-1.1.1k/crypto/x509v3/v3_utl.c 2021-11-11 15:50:36.696748621 +0100
+@@ -502,18 +502,26 @@ static int append_ia5(STACK_OF(OPENSSL_S
+ /* First some sanity checks */
+ if (email->type != V_ASN1_IA5STRING)
+ return 1;
+- if (!email->data || !email->length)
++ if (email->data == NULL || email->length == 0)
++ return 1;
++ if (memchr(email->data, 0, 
email->length) != NULL)
+ return 1;
+ if (*sk == NULL)
+ *sk = sk_OPENSSL_STRING_new(sk_strcmp);
+ if (*sk == NULL)
+ return 0;
++
++ emtmp = OPENSSL_strndup((char *)email->data, email->length);
++ if (emtmp == NULL)
++ return 0;
++
+ /* Don't add duplicates */
+- if (sk_OPENSSL_STRING_find(*sk, (char *)email->data) != -1)
++ if (sk_OPENSSL_STRING_find(*sk, emtmp) != -1) {
++ OPENSSL_free(emtmp);
+ return 1;
+- emtmp = OPENSSL_strdup((char *)email->data);
+- if (emtmp == NULL || !sk_OPENSSL_STRING_push(*sk, emtmp)) {
+- OPENSSL_free(emtmp); /* free on push failure */
++ }
++ if (!sk_OPENSSL_STRING_push(*sk, emtmp)) {
++ OPENSSL_free(emtmp); /* free on push failure */
+ X509_email_free(*sk);
+ *sk = NULL;
+ return 0;
+diff -up openssl-1.1.1k/test/x509_time_test.c.read-buff openssl-1.1.1k/test/x509_time_test.c
+--- openssl-1.1.1k/test/x509_time_test.c.read-buff 2021-11-11 15:53:59.112792286 +0100
++++ openssl-1.1.1k/test/x509_time_test.c 2021-11-11 15:55:18.148590259 +0100
+@@ -330,10 +330,12 @@ static int test_x509_time(int idx)
+
+ /* if t is not NULL but expected_string is NULL, it is an 'OK' case too */
+ if (t != NULL && x509_format_tests[idx].expected_string) {
+- if (!TEST_str_eq((const char *)t->data,
+- x509_format_tests[idx].expected_string)) {
+- TEST_info("test_x509_time(%d) failed: expected_string %s, got %s\n",
+- idx, x509_format_tests[idx].expected_string, t->data);
++ if (!TEST_mem_eq((const char *)t->data, t->length,
++ x509_format_tests[idx].expected_string,
++ strlen(x509_format_tests[idx].expected_string))) {
++ TEST_info("test_x509_time(%d) failed: expected_string %s, got %.*s\n",
++ idx, x509_format_tests[idx].expected_string, t->length,
++ t->data);
+ goto out;
+ }
+ }
+diff -up openssl-1.1.1k/crypto/x509v3/v3_ncons.c.read-buff openssl-1.1.1k/crypto/x509v3/v3_ncons.c
+--- openssl-1.1.1k/crypto/x509v3/v3_ncons.c.read-buff 2021-11-12 18:19:14.742820536 +0100
++++ openssl-1.1.1k/crypto/x509v3/v3_ncons.c 2021-11-12 18:20:09.663327518 +0100
+@@ 
-553,6 +553,10 @@ static int nc_dns(ASN1_IA5STRING *dns, A
+ /* Empty matches everything */
+ if (base->length == 0)
+ return X509_V_OK;
++
++ if (dns->length < base->length)
++ return X509_V_ERR_PERMITTED_VIOLATION;
++
+ /*
+ * Otherwise can add zero or more components on the left so compare RHS
+ * and if dns is longer and expect '.' as preceding character.
diff --git a/SPECS/openssl.spec b/SPECS/openssl.spec
index 3ebe296..56ab8a7 100644
--- a/SPECS/openssl.spec
+++ b/SPECS/openssl.spec
@@ -22,7 +22,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.1.1k
-Release: 4%{?dist}
+Release: 5%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -81,6 +81,7 @@ Patch55: openssl-1.1.1-arm-update.patch
 Patch56: openssl-1.1.1-s390x-ecc.patch
 Patch74: openssl-1.1.1-addrconfig.patch
 Patch75: openssl-1.1.1-tls13-curves.patch
+Patch81: openssl-1.1.1-read-buff.patch

 License: OpenSSL and ASL 2.0
 URL: http://www.openssl.org/
@@ -200,6 +201,7 @@ cp %{SOURCE13} test/
 %patch78 -p1 -b .addr-ipv6
 %patch79 -p1 -b .servername-cb
 %patch80 -p1 -b .s390x-test-aes
+%patch81 -p1 -b .read-buff

 %build

@@ -484,6 +486,10 @@ export LD_LIBRARY_PATH
 %postun libs -p /sbin/ldconfig

 %changelog
+* Fri Nov 12 2021 Sahana Prasad - 1:1.1.1k-5
+- CVE-2021-3712 openssl: Read buffer overruns processing ASN.1 strings
+- Resolves: rhbz#2005400
+
 * Fri Jul 16 2021 Sahana Prasad - 1:1.1.1k-4
 - Fixes bugs in s390x AES code.
 - Uses the first detected address family if IPv6 is not available
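Review bot: IA5_OFFSET_LEN in the v3_ncons.c hunk at `@@ -63,8 +63,30 @@` produces a signed value (int minus a pointer difference) with no range check, and ia5memchr hands it straight to memchr as a size_t, so any future caller that passes a start pointer past `data + length` would turn a negative remainder into a huge search length; the callers added here (nc_uri's `hostptr = p + 3` after the `IA5_OFFSET_LEN(uri, p) < 3` guard, nc_email's `emlat + 1`/`baseat + 1` after a successful ia5memrchr) appear to stay within the string, but that contract is only implicit. A one-line precondition on the macro, `/* offset must lie in [data, data + length]; the result is signed, so callers must guarantee that before passing it to memchr */`, would make it visible to the next user. Separately, the empty-body loop in ia5memrchr, `for (i = str->length; i > 0 && str->data[i - 1] != c; i--);`, reads like a stray semicolon and its comment says "memrrchr" where "memrchr" is meant; a `while` loop with a braced empty body or an explicit `/* empty */` would make the intent clear. The closing v3_ncons.c section (`@@ -553,6 +553,10 @@`) patches the same file a second time and depends on post-first-patch line numbers; folding the `dns->length < base->length` guard into the earlier nc_dns hunk at `@@ -537,7 +551,7 @@` would remove that ordering dependency. The bodies of nc_dns, nc_email and nc_uri all start and end outside the hunks shown.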