forked from rpms/openssl
Fixed NULL dereference during PKCS7 data verification
Resolves: CVE-2023-0401
This commit is contained in:
parent
8673fb7c22
commit
9d8f618208
150
0108-CVE-2023-0401-pkcs7-md.patch
Normal file
150
0108-CVE-2023-0401-pkcs7-md.patch
Normal file
@ -0,0 +1,150 @@
|
|||||||
|
From d3b6dfd70db844c4499bec6ad6601623a565e674 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Tomas Mraz <tomas@openssl.org>
|
||||||
|
Date: Wed, 18 Jan 2023 09:27:53 +0100
|
||||||
|
Subject: [PATCH 15/18] pk7_doit.c: Check return of BIO_set_md() calls
|
||||||
|
|
||||||
|
These calls invoke EVP_DigestInit() which can fail for digests
|
||||||
|
with implicit fetches. Subsequent EVP_DigestUpdate() from BIO_write()
|
||||||
|
or EVP_DigestFinal() from BIO_read() will segfault on NULL
|
||||||
|
dereference. This can be triggered by an attacker providing
|
||||||
|
PKCS7 data digested with MD4 for example if the legacy provider
|
||||||
|
is not loaded.
|
||||||
|
|
||||||
|
If BIO_set_md() fails the md BIO cannot be used.
|
||||||
|
|
||||||
|
CVE-2023-0401
|
||||||
|
|
||||||
|
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||||
|
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
|
||||||
|
---
|
||||||
|
crypto/pkcs7/pk7_doit.c | 12 ++++++++++--
|
||||||
|
1 file changed, 10 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
|
||||||
|
index bde9ac4787..5e562fbea5 100644
|
||||||
|
--- a/crypto/pkcs7/pk7_doit.c
|
||||||
|
+++ b/crypto/pkcs7/pk7_doit.c
|
||||||
|
@@ -84,7 +84,11 @@ static int pkcs7_bio_add_digest(BIO **pbio, X509_ALGOR *alg,
|
||||||
|
}
|
||||||
|
(void)ERR_pop_to_mark();
|
||||||
|
|
||||||
|
- BIO_set_md(btmp, md);
|
||||||
|
+ if (BIO_set_md(btmp, md) <= 0) {
|
||||||
|
+ ERR_raise(ERR_LIB_PKCS7, ERR_R_BIO_LIB);
|
||||||
|
+ EVP_MD_free(fetched);
|
||||||
|
+ goto err;
|
||||||
|
+ }
|
||||||
|
EVP_MD_free(fetched);
|
||||||
|
if (*pbio == NULL)
|
||||||
|
*pbio = btmp;
|
||||||
|
@@ -522,7 +526,11 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
|
||||||
|
}
|
||||||
|
(void)ERR_pop_to_mark();
|
||||||
|
|
||||||
|
- BIO_set_md(btmp, md);
|
||||||
|
+ if (BIO_set_md(btmp, md) <= 0) {
|
||||||
|
+ EVP_MD_free(evp_md);
|
||||||
|
+ ERR_raise(ERR_LIB_PKCS7, ERR_R_BIO_LIB);
|
||||||
|
+ goto err;
|
||||||
|
+ }
|
||||||
|
EVP_MD_free(evp_md);
|
||||||
|
if (out == NULL)
|
||||||
|
out = btmp;
|
||||||
|
--
|
||||||
|
2.39.1
|
||||||
|
|
||||||
|
From a0f2359613f50b5ca6b74b78bf4b54d7dc925fd2 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Tomas Mraz <tomas@openssl.org>
|
||||||
|
Date: Wed, 18 Jan 2023 17:07:24 +0100
|
||||||
|
Subject: [PATCH 16/18] Add testcase for missing return check of BIO_set_md()
|
||||||
|
calls
|
||||||
|
|
||||||
|
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||||
|
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
|
||||||
|
---
|
||||||
|
test/recipes/80-test_cms.t | 15 ++++++++--
|
||||||
|
test/recipes/80-test_cms_data/pkcs7-md4.pem | 32 +++++++++++++++++++++
|
||||||
|
2 files changed, 45 insertions(+), 2 deletions(-)
|
||||||
|
create mode 100644 test/recipes/80-test_cms_data/pkcs7-md4.pem
|
||||||
|
|
||||||
|
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
|
||||||
|
index fd53683e6b..d45789de70 100644
|
||||||
|
--- a/test/recipes/80-test_cms.t
|
||||||
|
+++ b/test/recipes/80-test_cms.t
|
||||||
|
@@ -13,7 +13,7 @@ use warnings;
|
||||||
|
use POSIX;
|
||||||
|
use File::Spec::Functions qw/catfile/;
|
||||||
|
use File::Compare qw/compare_text compare/;
|
||||||
|
-use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_dir bldtop_file with/;
|
||||||
|
+use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_dir bldtop_file with data_file/;
|
||||||
|
|
||||||
|
use OpenSSL::Test::Utils;
|
||||||
|
|
||||||
|
@@ -50,7 +50,7 @@ my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib)
|
||||||
|
|
||||||
|
$no_rc2 = 1 if disabled("legacy");
|
||||||
|
|
||||||
|
-plan tests => 13;
|
||||||
|
+plan tests => 14;
|
||||||
|
|
||||||
|
ok(run(test(["pkcs7_test"])), "test pkcs7");
|
||||||
|
|
||||||
|
@@ -941,6 +941,17 @@ subtest "CMS binary input tests\n" => sub {
|
||||||
|
"verify binary input with -binary missing -crlfeol");
|
||||||
|
};
|
||||||
|
|
||||||
|
+# Test case for missing MD algorithm (must not segfault)
|
||||||
|
+
|
||||||
|
+with({ exit_checker => sub { return shift == 4; } },
|
||||||
|
+ sub {
|
||||||
|
+ ok(run(app(['openssl', 'smime', '-verify', '-noverify',
|
||||||
|
+ '-inform', 'PEM',
|
||||||
|
+ '-in', data_file("pkcs7-md4.pem"),
|
||||||
|
+ ])),
|
||||||
|
+ "Check failure of EVP_DigestInit is handled correctly");
|
||||||
|
+ });
|
||||||
|
+
|
||||||
|
sub check_availability {
|
||||||
|
my $tnam = shift;
|
||||||
|
|
||||||
|
diff --git a/test/recipes/80-test_cms_data/pkcs7-md4.pem b/test/recipes/80-test_cms_data/pkcs7-md4.pem
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000000..ecff611deb
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/test/recipes/80-test_cms_data/pkcs7-md4.pem
|
||||||
|
@@ -0,0 +1,32 @@
|
||||||
|
+-----BEGIN PKCS7-----
|
||||||
|
+MIIFhAYJKoZIhvcNAQcCoIIFdTCCBXECAQExDjAMBggqhkiG9w0CBAUAMB0GCSqG
|
||||||
|
+SIb3DQEHAaAQBA5UZXN0IGNvbnRlbnQNCqCCAyQwggMgMIICCKADAgECAgECMA0G
|
||||||
|
+CSqGSIb3DQEBCwUAMA0xCzAJBgNVBAMMAkNBMCAXDTE2MDExNTA4MTk0OVoYDzIx
|
||||||
|
+MTYwMTE2MDgxOTQ5WjAZMRcwFQYDVQQDDA5zZXJ2ZXIuZXhhbXBsZTCCASIwDQYJ
|
||||||
|
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBAKj/iVhhha7e2ywP1XP74reoG3p1YCvU
|
||||||
|
+fTxzdrWu3pMvfySQbckc9Io4zZ+igBZWy7Qsu5PlFx//DcZD/jE0+CjYdemju4iC
|
||||||
|
+76Ny4lNiBUVN4DGX76qdENJYDZ4GnjK7GwhWXWUPP2aOwjagEf/AWTX9SRzdHEIz
|
||||||
|
+BniuBDgj5ed1Z9OUrVqpQB+sWRD1DMFkrUrExjVTs5ZqghsVi9GZq+Seb5Sq0pbl
|
||||||
|
+V/uMkWSKPCQWxtIZvoJgEztisO0+HbPK+WvfMbl6nktHaKcpxz9K4iIntO+QY9fv
|
||||||
|
+0HJJPlutuRvUK2+GaN3VcxK4Q8ncQQ+io0ZPi2eIhA9h/nk0H0qJH7cCAwEAAaN9
|
||||||
|
+MHswHQYDVR0OBBYEFOeb4iqtimw6y3ZR5Y4HmCKX4XOiMB8GA1UdIwQYMBaAFLQR
|
||||||
|
+M/HX4l73U54gIhBPhga/H8leMAkGA1UdEwQCMAAwEwYDVR0lBAwwCgYIKwYBBQUH
|
||||||
|
+AwEwGQYDVR0RBBIwEIIOc2VydmVyLmV4YW1wbGUwDQYJKoZIhvcNAQELBQADggEB
|
||||||
|
+AEG0PE9hQuXlvtUULv9TQ2BXy9MmTjOk+dQwxDhAXYBYMUB6TygsqvPXwpDwz8MS
|
||||||
|
+EPGCRqh5cQwtPoElQRU1i4URgcQMZquXScwNFcvE6AATF/PdN/+mOwtqFrlpYfs3
|
||||||
|
+IJIpYL6ViQg4n8pv+b/pCwMmhewQLwCGs9+omHNTOwKjEiVoNaprAfj5Lxt15fS2
|
||||||
|
++zZW0mT9Y4kfEypetrqSAjh8CDK+vaQhkeKdDfJyBfjS4ALfxvCkT3mQnsWFJ9CU
|
||||||
|
+TVG3uw6ylSPT3wN3RE0Ofa4rI5PESogQsd/DgBc7dcDO3yoPKGjycR3/GJDqqCxC
|
||||||
|
+e9dr6FJEnDjaDf9zNWyTFHExggITMIICDwIBATASMA0xCzAJBgNVBAMMAkNBAgEC
|
||||||
|
+MAwGCCqGSIb3DQIEBQCggdQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkq
|
||||||
|
+hkiG9w0BCQUxDxcNMjMwMTE4MTU0NzExWjAfBgkqhkiG9w0BCQQxEgQQRXO4TKpp
|
||||||
|
+RgA4XHb8bD1pczB5BgkqhkiG9w0BCQ8xbDBqMAsGCWCGSAFlAwQBKjALBglghkgB
|
||||||
|
+ZQMEARYwCwYJYIZIAWUDBAECMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDAN
|
||||||
|
+BggqhkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDANBgkqhkiG9w0B
|
||||||
|
+AQEFAASCAQAe+xlm/TGg/s/7b0xBc3FFnmmUDEe7ljkehIx61OnBV9ZWA+LcBX/7
|
||||||
|
+kmMSMdaHjRq4w8FmwBMLzn0ttXVqf0QuPbBF/E6X5EqK9lpOdkUQhNiN2v+ZfY6c
|
||||||
|
+lrH4ADsSD9D+UHw0sxo5KEF+PPuneUfYCJZosFUJosBbuSEXK0C9yfJoDKVE8Syp
|
||||||
|
+0vdqh73ogLeNgZLAUGSSB66OmHDxwgAj4qPAv6FHFBy1Xs4uFZER5vniYrH9OrAk
|
||||||
|
+Z6XdvzDoYZC4XcGMDtcOpOM6D4owqy5svHPDw8wIlM4GVhrTw7CQmuBz5uRNnf6a
|
||||||
|
+ZK3jZIxG1hr/INaNWheHoPIhPblYaVc6
|
||||||
|
+-----END PKCS7-----
|
||||||
|
--
|
||||||
|
2.39.1
|
||||||
|
|
@ -163,6 +163,7 @@ Patch104: 0104-CVE-2023-0215-UAF-bio.patch
|
|||||||
Patch105: 0105-CVE-2023-0216-pkcs7-deref.patch
|
Patch105: 0105-CVE-2023-0216-pkcs7-deref.patch
|
||||||
Patch106: 0106-CVE-2023-0217-dsa.patch
|
Patch106: 0106-CVE-2023-0217-dsa.patch
|
||||||
Patch107: 0107-CVE-2023-0286-X400.patch
|
Patch107: 0107-CVE-2023-0286-X400.patch
|
||||||
|
Patch108: 0108-CVE-2023-0401-pkcs7-md.patch
|
||||||
|
|
||||||
License: ASL 2.0
|
License: ASL 2.0
|
||||||
URL: http://www.openssl.org/
|
URL: http://www.openssl.org/
|
||||||
@ -508,6 +509,8 @@ install -m644 %{SOURCE9} \
|
|||||||
Resolves: CVE-2023-0217
|
Resolves: CVE-2023-0217
|
||||||
- Fixed X.400 address type confusion in X.509 GeneralName
|
- Fixed X.400 address type confusion in X.509 GeneralName
|
||||||
Resolves: CVE-2023-0286
|
Resolves: CVE-2023-0286
|
||||||
|
- Fixed NULL dereference during PKCS7 data verification
|
||||||
|
Resolves: CVE-2023-0401
|
||||||
|
|
||||||
* Wed Jan 11 2023 Clemens Lang <cllang@redhat.com> - 1:3.0.7-4
|
* Wed Jan 11 2023 Clemens Lang <cllang@redhat.com> - 1:3.0.7-4
|
||||||
- Disallow SHAKE in RSA-OAEP decryption in FIPS mode
|
- Disallow SHAKE in RSA-OAEP decryption in FIPS mode
|
||||||
|
Loading…
Reference in New Issue
Block a user