Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Step:FrontRunner
openssl-1_1.32466
openssl-CVE-2023-0286.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File openssl-CVE-2023-0286.patch of Package openssl-1_1.32466
commit a72082b1fd459bc6355c0d6e0ac5f28a34ae73b0 Author: Hugo Landau <hlandau@openssl.org> Date: Tue Jan 17 17:45:42 2023 +0000 CVE-2023-0286: Fix GENERAL_NAME_cmp for x400Address (1.1.1) --- CHANGES | 18 ++++++++++++++++++ crypto/x509v3/v3_genn.c | 2 +- include/openssl/x509v3.h | 2 +- test/v3nametest.c | 10 ++++++++++ 4 files changed, 30 insertions(+), 2 deletions(-) --- a/CHANGES +++ b/CHANGES @@ -9,6 +9,24 @@ Changes between 1.1.1c and 1.1.1d [10 Sep 2019] + *) Fixed a type confusion vulnerability relating to X.400 address processing + inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING + but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This + vulnerability may allow an attacker who can provide a certificate chain and + CRL (neither of which need have a valid signature) to pass arbitrary + pointers to a memcmp call, creating a possible read primitive, subject to + some constraints. Refer to the advisory for more information. Thanks to + David Benjamin for discovering this issue. (CVE-2023-0286) + + This issue has been fixed by changing the public header file definition of + GENERAL_NAME so that x400Address reflects the implementation. It was not + possible for any existing application to successfully use the existing + definition; however, if any application references the x400Address field + (e.g. in dead code), note that the type of this field has changed. There is + no ABI change. + + [Hugo Landau] + *) Reworked the Fix for the Timing Oracle in RSA Decryption (CVE-2022-4304). The previous fix for this timing side channel turned out to cause a severe 2-3x performance regression in the typical use case --- a/crypto/x509v3/v3_genn.c +++ b/crypto/x509v3/v3_genn.c @@ -98,7 +98,7 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GE return -1; switch (a->type) { case GEN_X400: - result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address); + result = ASN1_STRING_cmp(a->d.x400Address, b->d.x400Address); break; case GEN_EDIPARTY: --- a/include/openssl/x509v3.h +++ b/include/openssl/x509v3.h @@ -136,7 +136,7 @@ typedef struct GENERAL_NAME_st { OTHERNAME *otherName; /* otherName */ ASN1_IA5STRING *rfc822Name; ASN1_IA5STRING *dNSName; - ASN1_TYPE *x400Address; + ASN1_STRING *x400Address; X509_NAME *directoryName; EDIPARTYNAME *ediPartyName; ASN1_IA5STRING *uniformResourceIdentifier; --- a/test/v3nametest.c +++ b/test/v3nametest.c @@ -646,6 +646,16 @@ struct gennamedata { 0xb7, 0x09, 0x02, 0x02 }, 15 + }, { + /* + * Malformed encoding of a `[3] ORAddress`. + * Regression test for CVE-2023-0286. + */ + { + 0xa3, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0c, + 0xef, 0xcd, 0xab, 0x89, 0x67, 0x45, 0x23, 0x01, + }, + 16 } };
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor