diff --git a/backport-A-null-pointer-dereference-occurs-when-memory-alloca.patch b/backport-A-null-pointer-dereference-occurs-when-memory-alloca.patch new file mode 100644 index 0000000000000000000000000000000000000000..afd87baea87f23507507763391a05655e159f6d8 --- /dev/null +++ b/backport-A-null-pointer-dereference-occurs-when-memory-alloca.patch @@ -0,0 +1,36 @@ +From a8da305fa3dd6e34ba5aab3978281f652fd12883 Mon Sep 17 00:00:00 2001 +From: yangyangtiantianlonglong +Date: Mon, 31 Jul 2023 07:04:41 -0700 +Subject: [PATCH] A null pointer dereference occurs when memory allocation + fails + +Fixes #21605 + +Reviewed-by: Hugo Landau +Reviewed-by: Matthias St. Pierre +Reviewed-by: Paul Dale +(Merged from https://github.com/openssl/openssl/pull/21606) +--- + ssl/ssl_sess.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c +index cda6b7cc5b..2a5d21be79 100644 +--- a/ssl/ssl_sess.c ++++ b/ssl/ssl_sess.c +@@ -139,8 +139,11 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket) + dest->references = 1; + + dest->lock = CRYPTO_THREAD_lock_new(); +- if (dest->lock == NULL) ++ if (dest->lock == NULL) { ++ OPENSSL_free(dest); ++ dest = NULL; + goto err; ++ } + + if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, dest, &dest->ex_data)) + goto err; +-- +2.27.0 + diff --git a/backport-Make-DH_check-set-some-error-bits-in-recently-added-.patch b/backport-Make-DH_check-set-some-error-bits-in-recently-added-.patch new file mode 100644 index 0000000000000000000000000000000000000000..271c4815a36de4208a9f3d79fd5858b102e99f6b --- /dev/null +++ b/backport-Make-DH_check-set-some-error-bits-in-recently-added-.patch @@ -0,0 +1,37 @@ +From eec805ee71356c06f9a86192fa06507c3bb92b09 Mon Sep 17 00:00:00 2001 +From: Bernd Edlinger +Date: Sun, 23 Jul 2023 14:27:54 +0200 +Subject: [PATCH] Make DH_check set some error bits in recently added error + +The pre-existing error cases where DH_check returned zero +are not related to the dh params in any way, but are only +triggered by out-of-memory errors, therefore having *ret +set to zero feels right, but since the new error case is +triggered by too large p values that is something different. +On the other hand some callers of this function might not +be prepared to handle the return value correctly but only +rely on *ret. Therefore we set some error bits in *ret as +additional safety measure. + +Reviewed-by: Paul Dale +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/21533) +--- + crypto/dh/dh_check.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c +index e5f9dd5030..2001d2e7cb 100644 +--- a/crypto/dh/dh_check.c ++++ b/crypto/dh/dh_check.c +@@ -104,6 +104,7 @@ int DH_check(const DH *dh, int *ret) + /* Don't do any checks at all with an excessively large modulus */ + if (BN_num_bits(dh->p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) { + DHerr(DH_F_DH_CHECK, DH_R_MODULUS_TOO_LARGE); ++ *ret = DH_CHECK_P_NOT_PRIME; + return 0; + } + +-- +2.27.0 + diff --git a/openssl.spec b/openssl.spec index 39dbe2c742ce84687c945e5a7233a41470561a00..7575648d77d753c3902df049b34cbffc0360fff4 100644 --- a/openssl.spec +++ b/openssl.spec @@ -2,7 +2,7 @@ Name: openssl Epoch: 1 Version: 1.1.1f -Release: 27 +Release: 28 Summary: Cryptography and SSL/TLS Toolkit License: OpenSSL and SSLeay URL: https://www.openssl.org/ @@ -112,6 +112,8 @@ Patch101: backport-CVE-2023-3446-Fix-DH_check-excessive-time-with-over-sized- Patch102: backport-Update-further-expiring-certificates-that-affect-tes.patch Patch103: backport-CVE-2023-3817.patch Patch104: backport-CVE-2023-3817-testcase.patch +Patch105: backport-A-null-pointer-dereference-occurs-when-memory-alloca.patch +Patch106: backport-Make-DH_check-set-some-error-bits-in-recently-added-.patch BuildRequires: gcc make lksctp-tools-devel coreutils util-linux zlib-devel @@ -296,6 +298,9 @@ make test || : %{_pkgdocdir}/html/ %changelog +* Fri Sep 22 2023 dongyuzhen - 1:1.1.1f-28 +- Backport some upstream patches + * Thu Aug 3 2023 liningjie - 1:1.1.1f-27 - fix CVE-2023-3817