From c64694b9612a2b1093ec127461aed4dacec26480 Mon Sep 17 00:00:00 2001 From: Clemens Lang Date: Thu, 14 Jul 2022 14:49:46 +0200 Subject: [PATCH] Fix segfault in EVP_PKEY_Q_keygen() When OpenSSL was not previously initialized, EVP_PKEY_Q_keygen() would cause a segmentation fault. Avoid this by backporting a fix from upstream. Resolves: rhbz#2103289 Signed-off-by: Clemens Lang --- ...n-Call-OPENSSL_init_crypto-to-init-s.patch | 56 +++++++++++++++++++ openssl.spec | 9 ++- 2 files changed, 64 insertions(+), 1 deletion(-) create mode 100644 0070-EVP_PKEY_Q_keygen-Call-OPENSSL_init_crypto-to-init-s.patch diff --git a/0070-EVP_PKEY_Q_keygen-Call-OPENSSL_init_crypto-to-init-s.patch b/0070-EVP_PKEY_Q_keygen-Call-OPENSSL_init_crypto-to-init-s.patch new file mode 100644 index 0000000..5a16ae7 --- /dev/null +++ b/0070-EVP_PKEY_Q_keygen-Call-OPENSSL_init_crypto-to-init-s.patch @@ -0,0 +1,56 @@ +From edceec7fe0c9a5534ae155c8398c63dd7dd95483 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Thu, 5 May 2022 08:11:24 +0200 +Subject: [PATCH] EVP_PKEY_Q_keygen: Call OPENSSL_init_crypto to init + strcasecmp + +Reviewed-by: Dmitry Belyavskiy +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/18247) + +(cherry picked from commit b807c2fbab2128cf3746bb2ebd51cbe3bb6914a9) + +Upstream-Status: Backport [https://github.com/openssl/openssl/commit/edceec7fe0c9a5534ae155c8398c63dd7dd95483] +--- + crypto/evp/evp_lib.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c +index 3fe4743761..d9b8c0af41 100644 +--- a/crypto/evp/evp_lib.c ++++ b/crypto/evp/evp_lib.c +@@ -24,6 +24,7 @@ + #include + #include + #include "crypto/evp.h" ++#include "crypto/cryptlib.h" + #include "internal/provider.h" + #include "evp_local.h" + +@@ -1094,6 +1095,8 @@ int EVP_CIPHER_CTX_test_flags(const EVP_CIPHER_CTX *ctx, int flags) + return (ctx->flags & flags); + } + ++#if !defined(FIPS_MODULE) ++ + int EVP_PKEY_CTX_set_group_name(EVP_PKEY_CTX *ctx, const char *name) + { + OSSL_PARAM params[] = { OSSL_PARAM_END, OSSL_PARAM_END }; +@@ -1169,6 +1172,8 @@ EVP_PKEY *EVP_PKEY_Q_keygen(OSSL_LIB_CTX *libctx, const char *propq, + + va_start(args, type); + ++ OPENSSL_init_crypto(OPENSSL_INIT_BASE_ONLY, NULL); ++ + if (OPENSSL_strcasecmp(type, "RSA") == 0) { + bits = va_arg(args, size_t); + params[0] = OSSL_PARAM_construct_size_t(OSSL_PKEY_PARAM_RSA_BITS, &bits); +@@ -1189,3 +1194,5 @@ EVP_PKEY *EVP_PKEY_Q_keygen(OSSL_LIB_CTX *libctx, const char *propq, + va_end(args); + return ret; + } ++ ++#endif /* !defined(FIPS_MODULE) */ +-- +2.35.3 + diff --git a/openssl.spec b/openssl.spec index 178de5f..38e2e94 100644 --- a/openssl.spec +++ b/openssl.spec @@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16)) Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 3.0.1 -Release: 37%{?dist} +Release: 38%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -138,6 +138,8 @@ Patch68: 0068-CVE-2022-2068.patch # https://github.com/openssl/openssl/commit/a98f339ddd7e8f487d6e0088d4a9a42324885a93 # https://github.com/openssl/openssl/commit/52d50d52c2f1f4b70d37696bfa74fe5e581e7ba8 Patch69: 0069-CVE-2022-2097.patch +# https://github.com/openssl/openssl/commit/edceec7fe0c9a5534ae155c8398c63dd7dd95483 +Patch70: 0070-EVP_PKEY_Q_keygen-Call-OPENSSL_init_crypto-to-init-s.patch License: ASL 2.0 URL: http://www.openssl.org/ @@ -468,6 +470,11 @@ install -m644 %{SOURCE9} \ %ldconfig_scriptlets libs %changelog +* Thu Jul 14 2022 Clemens Lang - 1:3.0.1-38 +- Fix segfault in EVP_PKEY_Q_keygen() when OpenSSL was not previously + initialized. + Resolves: rhbz#2103289 + * Tue Jul 05 2022 Clemens Lang - 1:3.0.1-37 - CVE-2022-2097: AES OCB fails to encrypt some bytes on 32-bit x86 Resolves: CVE-2022-2097