From 3ea22321ee12af6fc04204f3effb0c16e2684336 Mon Sep 17 00:00:00 2001 From: hzero1996 Date: Tue, 7 Sep 2021 15:28:30 +0800 Subject: [PATCH] bugfix Overflow when printing Thawte Strong Extranet (cherry picked from commit 216244b0a9745d5066e5874391fa472c51c1a779) --- ...hen-printing-Thawte-Strong-Extranet-.patch | 53 +++++++++++++++++++ openssl.spec | 6 ++- 2 files changed, 58 insertions(+), 1 deletion(-) create mode 100644 bugfix-Don-t-Overflow-when-printing-Thawte-Strong-Extranet-.patch diff --git a/bugfix-Don-t-Overflow-when-printing-Thawte-Strong-Extranet-.patch b/bugfix-Don-t-Overflow-when-printing-Thawte-Strong-Extranet-.patch new file mode 100644 index 0000000..ea54d4f --- /dev/null +++ b/bugfix-Don-t-Overflow-when-printing-Thawte-Strong-Extranet-.patch @@ -0,0 +1,53 @@ +From 61b0fead5e6079ca826594df5b9ca00e65883cb0 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Thu, 19 Nov 2020 13:58:21 +0000 +Subject: [PATCH] Don't Overflow when printing Thawte Strong Extranet Version + +When printing human readable info on the Thawte Strong Extranet extension +the version number could overflow if the version number == LONG_MAX. This +is undefined behaviour. + +Issue found by OSSFuzz. + +Reviewed-by: Ben Kaduk +(Merged from https://github.com/openssl/openssl/pull/13452) +--- + crypto/x509v3/v3_sxnet.c | 18 +++++++++++++++--- + 1 files changed, 15 insertions(+), 3 deletions(-) + +diff --git a/crypto/x509v3/v3_sxnet.c b/crypto/x509v3/v3_sxnet.c +index 76f5eafc73..6e2b796a38 100644 +--- a/crypto/x509v3/v3_sxnet.c ++++ b/crypto/x509v3/v3_sxnet.c +@@ -57,12 +57,24 @@ IMPLEMENT_ASN1_FUNCTIONS(SXNET) + static int sxnet_i2r(X509V3_EXT_METHOD *method, SXNET *sx, BIO *out, + int indent) + { +- long v; ++ int64_t v; + char *tmp; + SXNETID *id; + int i; +- v = ASN1_INTEGER_get(sx->version); +- BIO_printf(out, "%*sVersion: %ld (0x%lX)", indent, "", v + 1, v); ++ ++ /* ++ * Since we add 1 to the version number to display it, we don't support ++ * LONG_MAX since that would cause on overflow. ++ */ ++ if (!ASN1_INTEGER_get_int64(&v, sx->version) ++ || v >= LONG_MAX ++ || v < LONG_MIN) { ++ BIO_printf(out, "%*sVersion: ", indent, ""); ++ } else { ++ long vl = (long)v; ++ ++ BIO_printf(out, "%*sVersion: %ld (0x%lX)", indent, "", vl + 1, vl); ++ } + for (i = 0; i < sk_SXNETID_num(sx->ids); i++) { + id = sk_SXNETID_value(sx->ids, i); + tmp = i2s_ASN1_INTEGER(NULL, id->zone); + +-- +2.23.0 + diff --git a/openssl.spec b/openssl.spec index b181676..fa2fd2d 100644 --- a/openssl.spec +++ b/openssl.spec @@ -2,7 +2,7 @@ Name: openssl Epoch: 1 Version: 1.1.1f -Release: 11 +Release: 12 Summary: Cryptography and SSL/TLS Toolkit License: OpenSSL and SSLeay and GPLv2+ URL: https://www.openssl.org/ @@ -87,6 +87,7 @@ Patch76: CVE-2021-3711-0002-Correctly-calculate-the-length-of-SM2-plaintext- Patch77: CVE-2021-3711-0003-Extend-tests-for-SM2-decryption.patch Patch78: CVE-2021-3712-0001-Fix-a-read-buffer-overrun-in-X509_aux_print.patch Patch79: CVE-2021-3712-0002-Fix-EC_GROUP_new_from_ecparameters-to-check-the-base.patch +Patch80: bugfix-Don-t-Overflow-when-printing-Thawte-Strong-Extranet-.patch BuildRequires: gcc make lksctp-tools-devel coreutils util-linux zlib-devel @@ -263,6 +264,9 @@ make test || : %{_pkgdocdir}/html/ %changelog +* Tue Sep 7 2021 openEuler Buildteam - 1:1.1.1f-12 +- bugfix Overflow when printing Thawte Strong Extranet + * Mon Aug 30 2021 openEuler Buildteam - 1:1.1.1f-11 - fix CVE-2021-3711 and CVE-2021-3712 -- Gitee