diff --git a/SOURCES/openssl-1.0.2o-cve-2022-0778.patch b/SOURCES/openssl-1.0.2o-cve-2022-0778.patch new file mode 100644 index 0000000..3b68d3a --- /dev/null +++ b/SOURCES/openssl-1.0.2o-cve-2022-0778.patch @@ -0,0 +1,66 @@ +From 3118eb64934499d93db3230748a452351d1d9a65 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Mon, 28 Feb 2022 18:26:21 +0100 +Subject: [PATCH] Fix possible infinite loop in BN_mod_sqrt() + +The calculation in some cases does not finish for non-prime p. + +This fixes CVE-2022-0778. + +Based on patch by David Benjamin . + +Reviewed-by: Paul Dale +Reviewed-by: Matt Caswell +--- + crypto/bn/bn_sqrt.c | 30 ++++++++++++++++++------------ + 1 file changed, 18 insertions(+), 12 deletions(-) + +diff --git a/crypto/bn/bn_sqrt.c b/crypto/bn/bn_sqrt.c +index 1723d5ded5a8..53b0f559855c 100644 +--- a/crypto/bn/bn_sqrt.c ++++ b/crypto/bn/bn_sqrt.c +@@ -14,7 +14,8 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) + /* + * Returns 'ret' such that ret^2 == a (mod p), using the Tonelli/Shanks + * algorithm (cf. Henri Cohen, "A Course in Algebraic Computational Number +- * Theory", algorithm 1.5.1). 'p' must be prime! ++ * Theory", algorithm 1.5.1). 'p' must be prime, otherwise an error or ++ * an incorrect "result" will be returned. + */ + { + BIGNUM *ret = in; +@@ -301,18 +302,23 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) + goto vrfy; + } + +- /* find smallest i such that b^(2^i) = 1 */ +- i = 1; +- if (!BN_mod_sqr(t, b, p, ctx)) +- goto end; +- while (!BN_is_one(t)) { +- i++; +- if (i == e) { +- BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE); +- goto end; ++ /* Find the smallest i, 0 < i < e, such that b^(2^i) = 1. */ ++ for (i = 1; i < e; i++) { ++ if (i == 1) { ++ if (!BN_mod_sqr(t, b, p, ctx)) ++ goto end; ++ ++ } else { ++ if (!BN_mod_mul(t, t, t, p, ctx)) ++ goto end; + } +- if (!BN_mod_mul(t, t, t, p, ctx)) +- goto end; ++ if (BN_is_one(t)) ++ break; ++ } ++ /* If not found, a is not a square or p is not prime. */ ++ if (i >= e) { ++ BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE); ++ goto end; + } + + /* t := y^2^(e - i - 1) */ diff --git a/SPECS/compat-openssl10.spec b/SPECS/compat-openssl10.spec index 19ed1e8..ebb55ad 100644 --- a/SPECS/compat-openssl10.spec +++ b/SPECS/compat-openssl10.spec @@ -22,7 +22,7 @@ Summary: Compatibility version of the OpenSSL library Name: compat-openssl10 Version: 1.0.2o -Release: 3%{?dist} +Release: 4%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -92,6 +92,7 @@ Patch99: openssl-1.0.2k-fips-randlock.patch Patch80: openssl-1.0.2o-wrap-pad.patch Patch81: openssl-1.0.2a-padlock64.patch Patch82: openssl-1.0.2m-trusted-first-doc.patch +Patch83: openssl-1.0.2o-cve-2022-0778.patch License: OpenSSL Group: System Environment/Libraries @@ -194,6 +195,7 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/ %patch80 -p1 -b .wrap %patch81 -p1 -b .padlock64 %patch82 -p1 -b .trusted-first +%patch83 -p1 -b .cve-2022-0778 sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h @@ -416,6 +418,10 @@ install -m 644 apps/openssl10.cnf $RPM_BUILD_ROOT%{_sysconfdir}/pki/openssl10.cn %postun -p /sbin/ldconfig %changelog +* Wed May 04 2022 Clemens Lang - 1:1.0.2o-4 +- Fix CVE-2022-0778: Infinite loop in BN_mod_sqrt() reachable when parsing certificates + Resolves: rhbz#2077417 + * Fri Aug 3 2018 Tomáš Mráz 1.0.2o-3 - provide and use compat openssl10.cnf as the non-compat one is incompatible