From 9d8f6182089dd1cb32f8385c49fc810b76873f82 Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Wed, 8 Feb 2023 12:07:16 +0100 Subject: [PATCH] Fixed NULL dereference during PKCS7 data verification Resolves: CVE-2023-0401 --- 0108-CVE-2023-0401-pkcs7-md.patch | 150 ++++++++++++++++++++++++++++++ openssl.spec | 3 + 2 files changed, 153 insertions(+) create mode 100644 0108-CVE-2023-0401-pkcs7-md.patch diff --git a/0108-CVE-2023-0401-pkcs7-md.patch b/0108-CVE-2023-0401-pkcs7-md.patch new file mode 100644 index 0000000..7608f56 --- /dev/null +++ b/0108-CVE-2023-0401-pkcs7-md.patch @@ -0,0 +1,150 @@ +From d3b6dfd70db844c4499bec6ad6601623a565e674 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Wed, 18 Jan 2023 09:27:53 +0100 +Subject: [PATCH 15/18] pk7_doit.c: Check return of BIO_set_md() calls + +These calls invoke EVP_DigestInit() which can fail for digests +with implicit fetches. Subsequent EVP_DigestUpdate() from BIO_write() +or EVP_DigestFinal() from BIO_read() will segfault on NULL +dereference. This can be triggered by an attacker providing +PKCS7 data digested with MD4 for example if the legacy provider +is not loaded. + +If BIO_set_md() fails the md BIO cannot be used. + +CVE-2023-0401 + +Reviewed-by: Paul Dale +Reviewed-by: Dmitry Belyavskiy +--- + crypto/pkcs7/pk7_doit.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c +index bde9ac4787..5e562fbea5 100644 +--- a/crypto/pkcs7/pk7_doit.c ++++ b/crypto/pkcs7/pk7_doit.c +@@ -84,7 +84,11 @@ static int pkcs7_bio_add_digest(BIO **pbio, X509_ALGOR *alg, + } + (void)ERR_pop_to_mark(); + +- BIO_set_md(btmp, md); ++ if (BIO_set_md(btmp, md) <= 0) { ++ ERR_raise(ERR_LIB_PKCS7, ERR_R_BIO_LIB); ++ EVP_MD_free(fetched); ++ goto err; ++ } + EVP_MD_free(fetched); + if (*pbio == NULL) + *pbio = btmp; +@@ -522,7 +526,11 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) + } + (void)ERR_pop_to_mark(); + +- BIO_set_md(btmp, md); ++ if (BIO_set_md(btmp, md) <= 0) { ++ EVP_MD_free(evp_md); ++ ERR_raise(ERR_LIB_PKCS7, ERR_R_BIO_LIB); ++ goto err; ++ } + EVP_MD_free(evp_md); + if (out == NULL) + out = btmp; +-- +2.39.1 + +From a0f2359613f50b5ca6b74b78bf4b54d7dc925fd2 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Wed, 18 Jan 2023 17:07:24 +0100 +Subject: [PATCH 16/18] Add testcase for missing return check of BIO_set_md() + calls + +Reviewed-by: Paul Dale +Reviewed-by: Dmitry Belyavskiy +--- + test/recipes/80-test_cms.t | 15 ++++++++-- + test/recipes/80-test_cms_data/pkcs7-md4.pem | 32 +++++++++++++++++++++ + 2 files changed, 45 insertions(+), 2 deletions(-) + create mode 100644 test/recipes/80-test_cms_data/pkcs7-md4.pem + +diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t +index fd53683e6b..d45789de70 100644 +--- a/test/recipes/80-test_cms.t ++++ b/test/recipes/80-test_cms.t +@@ -13,7 +13,7 @@ use warnings; + use POSIX; + use File::Spec::Functions qw/catfile/; + use File::Compare qw/compare_text compare/; +-use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_dir bldtop_file with/; ++use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_dir bldtop_file with data_file/; + + use OpenSSL::Test::Utils; + +@@ -50,7 +50,7 @@ my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib) + + $no_rc2 = 1 if disabled("legacy"); + +-plan tests => 13; ++plan tests => 14; + + ok(run(test(["pkcs7_test"])), "test pkcs7"); + +@@ -941,6 +941,17 @@ subtest "CMS binary input tests\n" => sub { + "verify binary input with -binary missing -crlfeol"); + }; + ++# Test case for missing MD algorithm (must not segfault) ++ ++with({ exit_checker => sub { return shift == 4; } }, ++ sub { ++ ok(run(app(['openssl', 'smime', '-verify', '-noverify', ++ '-inform', 'PEM', ++ '-in', data_file("pkcs7-md4.pem"), ++ ])), ++ "Check failure of EVP_DigestInit is handled correctly"); ++ }); ++ + sub check_availability { + my $tnam = shift; + +diff --git a/test/recipes/80-test_cms_data/pkcs7-md4.pem b/test/recipes/80-test_cms_data/pkcs7-md4.pem +new file mode 100644 +index 0000000000..ecff611deb +--- /dev/null ++++ b/test/recipes/80-test_cms_data/pkcs7-md4.pem +@@ -0,0 +1,32 @@ ++-----BEGIN PKCS7----- ++MIIFhAYJKoZIhvcNAQcCoIIFdTCCBXECAQExDjAMBggqhkiG9w0CBAUAMB0GCSqG ++SIb3DQEHAaAQBA5UZXN0IGNvbnRlbnQNCqCCAyQwggMgMIICCKADAgECAgECMA0G ++CSqGSIb3DQEBCwUAMA0xCzAJBgNVBAMMAkNBMCAXDTE2MDExNTA4MTk0OVoYDzIx ++MTYwMTE2MDgxOTQ5WjAZMRcwFQYDVQQDDA5zZXJ2ZXIuZXhhbXBsZTCCASIwDQYJ ++KoZIhvcNAQEBBQADggEPADCCAQoCggEBAKj/iVhhha7e2ywP1XP74reoG3p1YCvU ++fTxzdrWu3pMvfySQbckc9Io4zZ+igBZWy7Qsu5PlFx//DcZD/jE0+CjYdemju4iC ++76Ny4lNiBUVN4DGX76qdENJYDZ4GnjK7GwhWXWUPP2aOwjagEf/AWTX9SRzdHEIz ++BniuBDgj5ed1Z9OUrVqpQB+sWRD1DMFkrUrExjVTs5ZqghsVi9GZq+Seb5Sq0pbl ++V/uMkWSKPCQWxtIZvoJgEztisO0+HbPK+WvfMbl6nktHaKcpxz9K4iIntO+QY9fv ++0HJJPlutuRvUK2+GaN3VcxK4Q8ncQQ+io0ZPi2eIhA9h/nk0H0qJH7cCAwEAAaN9 ++MHswHQYDVR0OBBYEFOeb4iqtimw6y3ZR5Y4HmCKX4XOiMB8GA1UdIwQYMBaAFLQR ++M/HX4l73U54gIhBPhga/H8leMAkGA1UdEwQCMAAwEwYDVR0lBAwwCgYIKwYBBQUH ++AwEwGQYDVR0RBBIwEIIOc2VydmVyLmV4YW1wbGUwDQYJKoZIhvcNAQELBQADggEB ++AEG0PE9hQuXlvtUULv9TQ2BXy9MmTjOk+dQwxDhAXYBYMUB6TygsqvPXwpDwz8MS ++EPGCRqh5cQwtPoElQRU1i4URgcQMZquXScwNFcvE6AATF/PdN/+mOwtqFrlpYfs3 ++IJIpYL6ViQg4n8pv+b/pCwMmhewQLwCGs9+omHNTOwKjEiVoNaprAfj5Lxt15fS2 +++zZW0mT9Y4kfEypetrqSAjh8CDK+vaQhkeKdDfJyBfjS4ALfxvCkT3mQnsWFJ9CU ++TVG3uw6ylSPT3wN3RE0Ofa4rI5PESogQsd/DgBc7dcDO3yoPKGjycR3/GJDqqCxC ++e9dr6FJEnDjaDf9zNWyTFHExggITMIICDwIBATASMA0xCzAJBgNVBAMMAkNBAgEC ++MAwGCCqGSIb3DQIEBQCggdQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkq ++hkiG9w0BCQUxDxcNMjMwMTE4MTU0NzExWjAfBgkqhkiG9w0BCQQxEgQQRXO4TKpp ++RgA4XHb8bD1pczB5BgkqhkiG9w0BCQ8xbDBqMAsGCWCGSAFlAwQBKjALBglghkgB ++ZQMEARYwCwYJYIZIAWUDBAECMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDAN ++BggqhkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDANBgkqhkiG9w0B ++AQEFAASCAQAe+xlm/TGg/s/7b0xBc3FFnmmUDEe7ljkehIx61OnBV9ZWA+LcBX/7 ++kmMSMdaHjRq4w8FmwBMLzn0ttXVqf0QuPbBF/E6X5EqK9lpOdkUQhNiN2v+ZfY6c ++lrH4ADsSD9D+UHw0sxo5KEF+PPuneUfYCJZosFUJosBbuSEXK0C9yfJoDKVE8Syp ++0vdqh73ogLeNgZLAUGSSB66OmHDxwgAj4qPAv6FHFBy1Xs4uFZER5vniYrH9OrAk ++Z6XdvzDoYZC4XcGMDtcOpOM6D4owqy5svHPDw8wIlM4GVhrTw7CQmuBz5uRNnf6a ++ZK3jZIxG1hr/INaNWheHoPIhPblYaVc6 ++-----END PKCS7----- +-- +2.39.1 + diff --git a/openssl.spec b/openssl.spec index 6b893a3..f8d2451 100644 --- a/openssl.spec +++ b/openssl.spec @@ -163,6 +163,7 @@ Patch104: 0104-CVE-2023-0215-UAF-bio.patch Patch105: 0105-CVE-2023-0216-pkcs7-deref.patch Patch106: 0106-CVE-2023-0217-dsa.patch Patch107: 0107-CVE-2023-0286-X400.patch +Patch108: 0108-CVE-2023-0401-pkcs7-md.patch License: ASL 2.0 URL: http://www.openssl.org/ @@ -508,6 +509,8 @@ install -m644 %{SOURCE9} \ Resolves: CVE-2023-0217 - Fixed X.400 address type confusion in X.509 GeneralName Resolves: CVE-2023-0286 +- Fixed NULL dereference during PKCS7 data verification + Resolves: CVE-2023-0401 * Wed Jan 11 2023 Clemens Lang - 1:3.0.7-4 - Disallow SHAKE in RSA-OAEP decryption in FIPS mode