diff --git a/backport-A-null-pointer-dereference-occurs-when-memory-alloca.patch b/backport-A-null-pointer-dereference-occurs-when-memory-alloca.patch new file mode 100644 index 0000000000000000000000000000000000000000..afd87baea87f23507507763391a05655e159f6d8 --- /dev/null +++ b/backport-A-null-pointer-dereference-occurs-when-memory-alloca.patch @@ -0,0 +1,36 @@ +From a8da305fa3dd6e34ba5aab3978281f652fd12883 Mon Sep 17 00:00:00 2001 +From: yangyangtiantianlonglong +Date: Mon, 31 Jul 2023 07:04:41 -0700 +Subject: [PATCH] A null pointer dereference occurs when memory allocation + fails + +Fixes #21605 + +Reviewed-by: Hugo Landau +Reviewed-by: Matthias St. Pierre +Reviewed-by: Paul Dale +(Merged from https://github.com/openssl/openssl/pull/21606) +--- + ssl/ssl_sess.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c +index cda6b7cc5b..2a5d21be79 100644 +--- a/ssl/ssl_sess.c ++++ b/ssl/ssl_sess.c +@@ -139,8 +139,11 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket) + dest->references = 1; + + dest->lock = CRYPTO_THREAD_lock_new(); +- if (dest->lock == NULL) ++ if (dest->lock == NULL) { ++ OPENSSL_free(dest); ++ dest = NULL; + goto err; ++ } + + if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, dest, &dest->ex_data)) + goto err; +-- +2.27.0 + diff --git a/backport-Make-DH_check-set-some-error-bits-in-recently-added-.patch b/backport-Make-DH_check-set-some-error-bits-in-recently-added-.patch new file mode 100644 index 0000000000000000000000000000000000000000..271c4815a36de4208a9f3d79fd5858b102e99f6b --- /dev/null +++ b/backport-Make-DH_check-set-some-error-bits-in-recently-added-.patch @@ -0,0 +1,37 @@ +From eec805ee71356c06f9a86192fa06507c3bb92b09 Mon Sep 17 00:00:00 2001 +From: Bernd Edlinger +Date: Sun, 23 Jul 2023 14:27:54 +0200 +Subject: [PATCH] Make DH_check set some error bits in recently added error + +The pre-existing error cases where DH_check returned zero +are not related to the dh params in any way, but are only +triggered by out-of-memory errors, therefore having *ret +set to zero feels right, but since the new error case is +triggered by too large p values that is something different. +On the other hand some callers of this function might not +be prepared to handle the return value correctly but only +rely on *ret. Therefore we set some error bits in *ret as +additional safety measure. + +Reviewed-by: Paul Dale +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/21533) +--- + crypto/dh/dh_check.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c +index e5f9dd5030..2001d2e7cb 100644 +--- a/crypto/dh/dh_check.c ++++ b/crypto/dh/dh_check.c +@@ -104,6 +104,7 @@ int DH_check(const DH *dh, int *ret) + /* Don't do any checks at all with an excessively large modulus */ + if (BN_num_bits(dh->p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) { + DHerr(DH_F_DH_CHECK, DH_R_MODULUS_TOO_LARGE); ++ *ret = DH_CHECK_P_NOT_PRIME; + return 0; + } + +-- +2.27.0 + diff --git a/openssl.spec b/openssl.spec index e0d9c8ac7e90242f945303e9892c7dd13e8bdc12..d227acbb937ed5b738e9a9e8046c410ce043daa9 100644 --- a/openssl.spec +++ b/openssl.spec @@ -2,7 +2,7 @@ Name: openssl Epoch: 1 Version: 1.1.1m -Release: 25 +Release: 26 Summary: Cryptography and SSL/TLS Toolkit License: OpenSSL and SSLeay URL: https://www.openssl.org/ @@ -68,6 +68,8 @@ Patch57: backport-CVE-2023-3817-dhtest.c-Add-test-of-DH_check-with-q-p-1.pat Patch58: backport-x509-Handle-ossl_policy_level_add_node-errors.patch Patch59: backport-x509-Fix-possible-use-after-free-when-OOM.patch Patch60: Fix-FIPS-getenv-build-failure.patch +Patch61: backport-A-null-pointer-dereference-occurs-when-memory-alloca.patch +Patch62: backport-Make-DH_check-set-some-error-bits-in-recently-added-.patch BuildRequires: gcc perl make lksctp-tools-devel coreutils util-linux zlib-devel Requires: coreutils %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release} @@ -274,6 +276,9 @@ make test || : %ldconfig_scriptlets libs %changelog +* Fri Sep 22 2023 dongyuzhen - 1:1.1.1m-26 +- Backport some upstream patches + * Fri Sep 8 2023 reverse-world - 1:1.1.1m-25 * fix FIPS getenv compatibility problem