File openssl-CVE-2023-0286.patch of Package openssl-1_1.34951

Overview Repositories Revisions Requests Users Attributes Meta

File openssl-CVE-2023-0286.patch of Package openssl-1_1.34951

commit a72082b1fd459bc6355c0d6e0ac5f28a34ae73b0
Author: Hugo Landau <hlandau@openssl.org>
Date:   Tue Jan 17 17:45:42 2023 +0000

CVE-2023-0286: Fix GENERAL_NAME_cmp for x400Address (1.1.1)

---
 CHANGES                  |   18 ++++++++++++++++++
 crypto/x509v3/v3_genn.c  |    2 +-
 include/openssl/x509v3.h |    2 +-
 test/v3nametest.c        |   10 ++++++++++
 4 files changed, 30 insertions(+), 2 deletions(-)

--- a/CHANGES
+++ b/CHANGES
@@ -9,6 +9,24 @@
 
  Changes between 1.1.1c and 1.1.1d [10 Sep 2019]
 
+  *) Fixed a type confusion vulnerability relating to X.400 address processing
+     inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING
+     but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This
+     vulnerability may allow an attacker who can provide a certificate chain and
+     CRL (neither of which need have a valid signature) to pass arbitrary
+     pointers to a memcmp call, creating a possible read primitive, subject to
+     some constraints. Refer to the advisory for more information. Thanks to
+     David Benjamin for discovering this issue. (CVE-2023-0286)
+
+     This issue has been fixed by changing the public header file definition of
+     GENERAL_NAME so that x400Address reflects the implementation. It was not
+     possible for any existing application to successfully use the existing
+     definition; however, if any application references the x400Address field
+     (e.g. in dead code), note that the type of this field has changed. There is
+     no ABI change.
+
+     [Hugo Landau]
+
   *) Reworked the Fix for the Timing Oracle in RSA Decryption (CVE-2022-4304).
      The previous fix for this timing side channel turned out to cause
      a severe 2-3x performance regression in the typical use case
--- a/crypto/x509v3/v3_genn.c
+++ b/crypto/x509v3/v3_genn.c
@@ -98,7 +98,7 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GE
         return -1;
     switch (a->type) {
     case GEN_X400:
-        result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address);
+        result = ASN1_STRING_cmp(a->d.x400Address, b->d.x400Address);
         break;
 
     case GEN_EDIPARTY:
--- a/include/openssl/x509v3.h
+++ b/include/openssl/x509v3.h
@@ -136,7 +136,7 @@ typedef struct GENERAL_NAME_st {
         OTHERNAME *otherName;   /* otherName */
         ASN1_IA5STRING *rfc822Name;
         ASN1_IA5STRING *dNSName;
-        ASN1_TYPE *x400Address;
+        ASN1_STRING *x400Address;
         X509_NAME *directoryName;
         EDIPARTYNAME *ediPartyName;
         ASN1_IA5STRING *uniformResourceIdentifier;
--- a/test/v3nametest.c
+++ b/test/v3nametest.c
@@ -646,6 +646,16 @@ struct gennamedata {
             0xb7, 0x09, 0x02, 0x02
         },
         15
+    }, {
+        /*
+         * Malformed encoding of a `[3] ORAddress`.
+         * Regression test for CVE-2023-0286.
+         */
+        {
+            0xa3, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0c,
+            0xef, 0xcd, 0xab, 0x89, 0x67, 0x45, 0x23, 0x01,
+        },
+        16
     }
 };

Places

File openssl-CVE-2023-0286.patch of Package openssl-1_1.34951

Places