From 9847fd6560ed2000b07b305653e534b7338ba3ab Mon Sep 17 00:00:00 2001
From: xzf1234
Date: Mon, 24 Apr 2023 23:28:03 +0800
Subject: [PATCH] fix CVE-2023-21930
---
 fix-CVE-2023-21930.patch | 118 +++++++++++++++++++++++++++++++++++++++
 openjdk-1.8.0.spec | 7 ++-
 2 files changed, 124 insertions(+), 1 deletion(-)
 create mode 100644 fix-CVE-2023-21930.patch
diff --git a/fix-CVE-2023-21930.patch b/fix-CVE-2023-21930.patch
new file mode 100644
index 0000000..5f0c353
--- /dev/null
+++ b/fix-CVE-2023-21930.patch
@@ -0,0 +1,118 @@
+From 3f83229f04df85503de1c18405eb08f81ab50054 Mon Sep 17 00:00:00 2001
+From: xzf1234
+Date: Mon, 24 Apr 2023 22:50:30 +0800
+Subject: [PATCH] fix CVE-2023-21930
+
+---
+ .../share/classes/sun/security/ssl/KeyUpdate.java | 6 ++++--
+ .../classes/sun/security/ssl/SSLEngineImpl.java | 8 ++++----
+ .../classes/sun/security/ssl/SSLSocketImpl.java | 6 +++---
+ .../classes/sun/security/ssl/TransportContext.java | 13 ++++++++++---
+ 4 files changed, 21 insertions(+), 12 deletions(-)
+
+diff --git a/jdk/src/share/classes/sun/security/ssl/KeyUpdate.java b/jdk/src/share/classes/sun/security/ssl/KeyUpdate.java
+index 1306344..9e921e6 100644
+--- a/jdk/src/share/classes/sun/security/ssl/KeyUpdate.java
++++ b/jdk/src/share/classes/sun/security/ssl/KeyUpdate.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 2018, 2023, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+@@ -169,7 +169,9 @@ final class KeyUpdate {
+ public byte[] produce(ConnectionContext context) throws IOException {
+ PostHandshakeContext hc = (PostHandshakeContext)context;
+ return handshakeProducer.produce(context,
+- new KeyUpdateMessage(hc, KeyUpdateRequest.REQUESTED));
++ new KeyUpdateMessage(hc, hc.conContext.isInboundClosed() ?
++ KeyUpdateRequest.NOTREQUESTED :
++ KeyUpdateRequest.REQUESTED));
+ }
+ }
+
+diff --git a/jdk/src/share/classes/sun/security/ssl/SSLEngineImpl.java b/jdk/src/share/classes/sun/security/ssl/SSLEngineImpl.java
+index ef64c7b..05ffb8a 100644
+--- a/jdk/src/share/classes/sun/security/ssl/SSLEngineImpl.java
++++ b/jdk/src/share/classes/sun/security/ssl/SSLEngineImpl.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 2003, 2023, Oracle and/or its affiliates. All rights reserved.
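Review bot: The new conditional in `produce()` in KeyUpdate.java (hunk `@@ -169,7 +169,9 @@`) carries no comment saying why a closed inbound side changes the request to `NOTREQUESTED`, and the reason cannot be read off the call. Presumably the peer's answering KeyUpdate could never be read once inbound is closed; if that is the intent, I would state it above the `new KeyUpdateMessage(...)` argument: `// Inbound is closed, so the peer's answering KeyUpdate could never be read: do not request one.` The method is complete in the hunk, but its enclosing producer class starts outside it, so whether `hc.conContext` is always populated at this point is not visible here and should be confirmed.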
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+@@ -325,11 +325,11 @@ final class SSLEngineImpl extends SSLEngine implements SSLTransport {
+ */
+ private HandshakeStatus tryKeyUpdate(
+ HandshakeStatus currentHandshakeStatus) throws IOException {
+- // Don't bother to kickstart if handshaking is in progress, or if the
+- // connection is not duplex-open.
++ // Don't bother to kickstart if handshaking is in progress, or if
++ // the write side of the connection is not open. We allow a half-
++ // duplex write-only connection for key updates.
+ if ((conContext.handshakeContext == null) &&
+ !conContext.isOutboundClosed() &&
+- !conContext.isInboundClosed() &&
+ !conContext.isBroken) {
+ if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
+ SSLLogger.finest("trigger key update");
+diff --git a/jdk/src/share/classes/sun/security/ssl/SSLSocketImpl.java b/jdk/src/share/classes/sun/security/ssl/SSLSocketImpl.java
+index ab93e30..edf02a2 100644
+--- a/jdk/src/share/classes/sun/security/ssl/SSLSocketImpl.java
++++ b/jdk/src/share/classes/sun/security/ssl/SSLSocketImpl.java
+@@ -1428,11 +1428,11 @@ public final class SSLSocketImpl
+ * wrapped.
+ */
+ private void tryKeyUpdate() throws IOException {
+- // Don't bother to kickstart if handshaking is in progress, or if the
+- // connection is not duplex-open.
++ // Don't bother to kickstart if handshaking is in progress, or if
++ // the write side of the connection is not open. We allow a half-
++ // duplex write-only connection for key updates.
+ if ((conContext.handshakeContext == null) &&
+ !conContext.isOutboundClosed() &&
+- !conContext.isInboundClosed() &&
+ !conContext.isBroken) {
+ if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
+ SSLLogger.finest("trigger key update");
+diff --git a/jdk/src/share/classes/sun/security/ssl/TransportContext.java b/jdk/src/share/classes/sun/security/ssl/TransportContext.java
+index 416113e..9427ed7 100644
+--- a/jdk/src/share/classes/sun/security/ssl/TransportContext.java
++++ b/jdk/src/share/classes/sun/security/ssl/TransportContext.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 2018, 2023, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+@@ -200,7 +200,14 @@ class TransportContext implements ConnectionContext {
+ throw new IllegalStateException("Client/Server mode not yet set.");
+ }
+
+- if (outputRecord.isClosed() || inputRecord.isClosed() || isBroken) {
++ // The threshold for allowing the method to continue processing
++ // depends on whether we are doing a key update or kickstarting
++ // a handshake. In the former case, we only require the write-side
++ // to be open where a handshake would require a full duplex connection.
++ boolean isNotUsable = outputRecord.writeCipher.atKeyLimit() ?
++ (outputRecord.isClosed() || isBroken) :
++ (outputRecord.isClosed() || inputRecord.isClosed() || isBroken);
++ if (isNotUsable) {
+ if (closeReason != null) {
+ throw new SSLException(
+ "Cannot kickstart, the connection is broken or closed",
+@@ -227,7 +234,7 @@ class TransportContext implements ConnectionContext {
+ //
+ // Need no kickstart message on server side unless the connection
+ // has been established.
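Review bot: In the `@@ -200,7 +200,14 @@` hunk of TransportContext.java, `outputRecord.writeCipher.atKeyLimit()` stands in for "this call is a key update", so the relaxed closed-state check follows cipher state rather than what the caller asked for. Any call that arrives while the write cipher is at its key limit skips the `inputRecord.isClosed()` test, which would include a call meant to start a handshake if such a path exists; the callers are not visible here, so this needs confirming. I would record the assumption in the added comment, e.g. `// atKeyLimit() is the only key-update indicator here; every other caller still needs a duplex-open connection.` The enclosing method starts and ends outside the hunk. The inner patch's diffstat lists only the four source files, so a regression test for a key update with the inbound side already closed appears to be missing from this backport.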
+- if(isNegotiated || sslConfig.isClientMode) {
++ if (isNegotiated || sslConfig.isClientMode) {
+ handshakeContext.kickstart();
+ }
+ }
+--
+2.33.1.windows.1
+
diff --git a/openjdk-1.8.0.spec b/openjdk-1.8.0.spec
index f836f3c..f962d91 100644
--- a/openjdk-1.8.0.spec
+++ b/openjdk-1.8.0.spec
@@ -916,7 +916,7 @@ Provides: java-%{javaver}-%{origin}-accessibility%{?1} = %{epoch}:%{version}-%{r
 Name: java-%{javaver}-%{origin}
 Version: %{javaver}.%{updatever}.%{buildver}
-Release: 3
+Release: 4
 # java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons
 # and this change was brought into RHEL-4. java-1.5.0-ibm packages
 # also included the epoch in their virtual provides. This created a
@@ -1184,6 +1184,7 @@ Patch298: Add-CMS-s-trim-test-cases-and-fix-failure.patch
 Patch299: Disable-cds-on-x86-32.patch
 Patch300: Disable-no-compressedOop-cds-on-x86-32.patch
 Patch301: fix-SUSE-x86_32-build-failure.patch
+Patch302: fix-CVE-2023-21930.patch
 #############################################
 #
@@ -1706,6 +1707,7 @@ pushd %{top_level_dir_name}
 %patch299 -p1
 %patch300 -p1
 %patch301 -p1
+%patch302 -p1
 popd
 # System library fixes
@@ -2330,6 +2332,9 @@ cjc.mainProgram(arg)
 %endif
 %changelog
+* Mon Apr 24 2023 xzf1244 - 1:1.8.0.362.b09-4
+- fix CVE-2023-21930.
+
 * Thu Mar 09 2023 herengui - 1:1.8.0.362.b09-3
 - fix the issue of %%pretrans reporting error.
--
Gitee