diff --git a/Fix-FIPS-getenv-build-failure.patch b/Fix-FIPS-getenv-build-failure.patch
new file mode 100644
index 0000000000000000000000000000000000000000..fc57d2df94c4e8ff4902b6383167b69e9fe8d42c
--- /dev/null
+++ b/Fix-FIPS-getenv-build-failure.patch
@@ -0,0 +1,30 @@
+diff --git a/crypto/o_init.c b/crypto/o_init.c
+index b1eef43..4fbb0e5 100644
+--- a/crypto/o_init.c
++++ b/crypto/o_init.c
+@@ -7,7 +7,7 @@
+ * https://www.openssl.org/source/license.html
+ */
+
+-/* for secure_getenv */
++/* for ossl_safe_getenv */
+ #define _GNU_SOURCE
+ #include "e_os.h"
+ #include
+@@ -21,6 +21,7 @@
+ # include
+ # include
+ # include "crypto/fips.h"
++# include "internal/cryptlib.h"
+
+ # define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
+
+@@ -29,7 +30,7 @@ static void init_fips_mode(void)
+ char buf[2] = "0";
+ int fd;
+
+- if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
++ if (ossl_safe_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
+ buf[0] = '1';
+ } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
+ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
diff --git a/backport-x509-Fix-possible-use-after-free-when-OOM.patch b/backport-x509-Fix-possible-use-after-free-when-OOM.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7fd92a2cb95886a39f60e23996e18c9df314212a
--- /dev/null
+++ b/backport-x509-Fix-possible-use-after-free-when-OOM.patch
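Review bot: The comment `/* for ossl_safe_getenv */` left above `#define _GNU_SOURCE` is now misleading: ossl_safe_getenv() is an OpenSSL-internal helper that becomes visible through the `internal/cryptlib.h` include this same patch adds, not through _GNU_SOURCE, so the define is presumably only still needed for other glibc extensions in this file, if at all. I would either drop the define or reword the comment to `/* _GNU_SOURCE: kept for glibc extensions used below; ossl_safe_getenv() comes from internal/cryptlib.h */`. The patch also carries no header explaining which toolchain failed on secure_getenv(); a one-line description of the failing environment would help whoever rebases it. Since this value switches the library into FIPS mode, it is worth confirming that ossl_safe_getenv() keeps secure_getenv()'s setuid-safe behaviour on platforms that lack secure_getenv; init_fips_mode continues past the end of the hunk.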
@@ -0,0 +1,65 @@
+From b1cc84e82d41ab669bf804ea519f5332c48a3d77 Mon Sep 17 00:00:00 2001
+From: Clemens Lang
+Date: Wed, 24 May 2023 12:22:25 +0200
+Subject: [PATCH] x509: Fix possible use-after-free when OOM
+
+ossl_policy_level_add_node() first adds the new node to the level->nodes
+stack, and then attempts to add extra data if extra_data is true. If
+memory allocation or adding the extra data to tree->extra_data fails,
+the allocated node (that has already been added to the level->nodes
+stack) is freed using ossl_policy_node_free(), which leads to
+a potential use after free.
+
+Additionally, the tree's node count and the parent's child count would
+not be updated, despite the new node being added.
+
+Fix this by either performing the function's purpose completely, or not
+at all by reverting the changes on error.
+
+Signed-off-by: Clemens Lang
+
+Reviewed-by: Dmitry Belyavskiy
+Reviewed-by: Matt Caswell
+Reviewed-by: Bernd Edlinger
+Reviewed-by: Tomas Mraz
+(Merged from https://github.com/openssl/openssl/pull/21066)
+---
+ crypto/x509v3/pcy_node.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/x509v3/pcy_node.c b/crypto/x509v3/pcy_node.c
+index d574fb9d66..c6c01cbb39 100644
+--- a/crypto/x509v3/pcy_node.c
++++ b/crypto/x509v3/pcy_node.c
+@@ -100,11 +100,11 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
+ tree->extra_data = sk_X509_POLICY_DATA_new_null();
+ if (tree->extra_data == NULL){
+ X509V3err(X509V3_F_LEVEL_ADD_NODE, ERR_R_MALLOC_FAILURE);
+- goto node_error;
++ goto extra_data_error;
+ }
+ if (!sk_X509_POLICY_DATA_push(tree->extra_data, data)) {
+ X509V3err(X509V3_F_LEVEL_ADD_NODE, ERR_R_MALLOC_FAILURE);
+- goto node_error;
++ goto extra_data_error;
+ }
+ }
+
+@@ -114,6 +114,14 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
+
+ return node;
+
++ extra_data_error:
++ if (level != NULL) {
++ if (level->anyPolicy == node)
++ level->anyPolicy = NULL;
++ else
++ (void) sk_X509_POLICY_NODE_pop(level->nodes);
++ }
++
+ node_error:
+ policy_node_free(node);
+ return NULL;
+--
+2.27.0
+
diff --git a/backport-x509-Handle-ossl_policy_level_add_node-errors.patch b/backport-x509-Handle-ossl_policy_level_add_node-errors.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9d976cb56f94a5e5fec9753ecf1449f424252fd8
--- /dev/null
+++ b/backport-x509-Handle-ossl_policy_level_add_node-errors.patch
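Review bot: The new `extra_data_error` path pops `level->nodes` blindly, which is only correct because, per the patch description, the node was pushed onto that stack just before the extra-data step and nothing pushes to or sorts the stack in between; that invariant is not written down and a later change to the function could silently break it. I would add above the pop: `/* node was the most recent push onto level->nodes and the stack has not been sorted since, so pop() removes exactly this node */`. The backported message also still uses the 3.x names ossl_policy_level_add_node()/ossl_policy_node_free() while the 1.1.1 code being patched is level_add_node()/policy_node_free(); a one-line note in the patch header mapping the names would help whoever rebases it. level_add_node starts before the first hunk of this patch.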
@@ -0,0 +1,72 @@
+From 3cc6933555a0c66328ec659b5bb86c57b6402e1e Mon Sep 17 00:00:00 2001
+From: Clemens Lang
+Date: Wed, 24 May 2023 13:12:54 +0200
+Subject: [PATCH] x509: Handle ossl_policy_level_add_node errors
+
+The invocation of ossl_policy_level_add_node in tree_calculate_user_set
+did not have any error handling. Add it to prevent a memory leak for the
+allocated extra policy data.
+
+Also add error handling to sk_X509_POLICY_NODE_push to ensure that if
+a new node was allocated, but could not be added to the stack, it is
+freed correctly.
+
+Fix error handling if tree->user_policies cannot be allocated by
+returning 0, indicating failure, rather than 1.
+
+Signed-off-by: Clemens Lang
+
+Reviewed-by: Dmitry Belyavskiy
+Reviewed-by: Matt Caswell
+Reviewed-by: Bernd Edlinger
+Reviewed-by: Tomas Mraz
+(Merged from https://github.com/openssl/openssl/pull/21066)
+---
+ crypto/x509v3/pcy_tree.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c
+index 6c7fd35405..3c504e82c6 100644
+--- a/crypto/x509v3/pcy_tree.c
++++ b/crypto/x509v3/pcy_tree.c
+@@ -25,6 +25,8 @@
+ # define OPENSSL_POLICY_TREE_NODES_MAX 1000
+ #endif
+
++static void exnode_free(X509_POLICY_NODE *node);
++
+ /*
+ * Enable this to print out the complete policy tree at various point during
+ * evaluation.
+@@ -572,15 +574,24 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree,
+ extra->qualifier_set = anyPolicy->data->qualifier_set;
+ extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS
+ | POLICY_DATA_FLAG_EXTRA_NODE;
+- node = level_add_node(NULL, extra, anyPolicy->parent, tree, 1);
++ node = level_add_node(NULL, extra, anyPolicy->parent,
++ tree, 1);
++ if (node == NULL) {
++ policy_data_free(extra);
++ return 0;
++ }
+ }
+ if (!tree->user_policies) {
+ tree->user_policies = sk_X509_POLICY_NODE_new_null();
+- if (!tree->user_policies)
+- return 1;
++ if (!tree->user_policies) {
++ exnode_free(node);
++ return 0;
++ }
+ }
+- if (!sk_X509_POLICY_NODE_push(tree->user_policies, node))
++ if (!sk_X509_POLICY_NODE_push(tree->user_policies, node)) {
++ exnode_free(node);
+ return 0;
++ }
+ }
+ return 1;
+ }
+--
+2.27.0
+
diff --git a/openssl.spec b/openssl.spec
index bc38dceacc10e44644adedfeecca9ca76feed9a3..f06f6b3cdca4094cfc3ba25d3439f0eee81a51e3 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -2,7 +2,7 @@
Name: openssl
Epoch: 1
Version: 1.1.1m
-Release: 23
+Release: 25
Summary: Cryptography and SSL/TLS Toolkit
License: OpenSSL and SSLeay
URL: https://www.openssl.org/
@@ -65,6 +65,9 @@ Patch54: backport-CVE-2023-3446-Fix-DH_check-excessive-time-with-over-sized-
Patch55: backport-update-expired-certificates-for-sm2.patch
Patch56: backport-CVE-2023-3817-DH_check-Do-not-try-checking-q-properties-if-it-is-o.patch
Patch57: backport-CVE-2023-3817-dhtest.c-Add-test-of-DH_check-with-q-p-1.patch
+Patch58: backport-x509-Handle-ossl_policy_level_add_node-errors.patch
+Patch59: backport-x509-Fix-possible-use-after-free-when-OOM.patch
+Patch60: Fix-FIPS-getenv-build-failure.patch

BuildRequires: gcc perl make lksctp-tools-devel coreutils util-linux zlib-devel
Requires: coreutils %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
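Review bot: In both new `exnode_free(node)` calls, `node` is not necessarily the extra node this hunk just created: when the lookup earlier in tree_calculate_user_set (outside the hunk) found an existing tree node, `node` is that shared node, and the code is relying on exnode_free() releasing only nodes flagged POLICY_DATA_FLAG_EXTRA_NODE, which is what its name and the commit message suggest but nothing in the hunk states. That contract is what keeps these lines from freeing a node the tree still owns and should be spelled out, e.g. `/* node may be a shared tree node; exnode_free() frees it only if it is an extra node we allocated above */`. Note also that when level_add_node() succeeded it has already linked the extra node under anyPolicy->parent (the companion backport says it updates the parent's child count), so freeing it here leaves that count stale; presumably harmless because the caller discards the tree on a 0 return, but worth a sentence in the same comment. tree_calculate_user_set starts before the hunk.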
@@ -271,6 +274,12 @@ make test || :
%ldconfig_scriptlets libs

%changelog
+* Thu Sep 7 2023 reverse-world - 1:1.1.1m-25
+* fix FIPS getenv compatibility problem
+
+* Tue Aug 08 2023 zcfsite - 1:1.1.1m-24
+* backport some patches
+
* Tue Aug 08 2023 steven - 1:1.1.1m-23
- fix CVE-2023-3817
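Review bot: The two new %changelog entries use `* fix FIPS getenv compatibility problem` and `* backport some patches` as their body lines; rpmbuild treats every line in %changelog that begins with `*` as an entry header and, as far as I recall, aborts with "bad date in %changelog" when the remainder does not parse as a date, so this spec most likely fails to build as written. The body lines should start with `-` like the existing -23 entry: `- fix FIPS getenv compatibility problem` and `- backport some patches`. The -24 entry would also be more useful if it named the two x509 policy-tree backports (Patch58 and Patch59) it introduces rather than "some patches".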