From 869aa68f1bdf1bffe9a72cef6f9933d43f191e5c Mon Sep 17 00:00:00 2001 From: gaoyusong Date: Tue, 20 Sep 2022 16:05:48 +0800 Subject: [PATCH] fix CVE-2021-23840 CVE-2021-23841 CVE-2022-0778 CVE-2021-3712 --- backport-CVE-2021-23840.patch | 79 +++++++++++++++++++ backport-CVE-2021-23841.patch | 40 ++++++++++ backport-CVE-2021-3712.patch | 13 +++ backport-CVE-2022-0778.patch | 66 ++++++++++++++++ ...pdate-EVP_F_EVP_DECRYPTDECRYPTUPDATE.patch | 38 +++++++++ ...-make-update-EVP_F_EVP_DECRYPTUPDATE.patch | 41 ++++++++++ shim.spec | 13 ++- 7 files changed, 288 insertions(+), 2 deletions(-) create mode 100644 backport-CVE-2021-23840.patch create mode 100644 backport-CVE-2021-23841.patch create mode 100644 backport-CVE-2021-3712.patch create mode 100644 backport-CVE-2022-0778.patch create mode 100644 backport-make-update-EVP_F_EVP_DECRYPTDECRYPTUPDATE.patch create mode 100644 backport-make-update-EVP_F_EVP_DECRYPTUPDATE.patch diff --git a/backport-CVE-2021-23840.patch b/backport-CVE-2021-23840.patch new file mode 100644 index 0000000..bbcadc4 --- /dev/null +++ b/backport-CVE-2021-23840.patch @@ -0,0 +1,79 @@ +Backport of: + +From 6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Tue, 2 Feb 2021 17:17:23 +0000 +Subject: [PATCH] Don't overflow the output length in EVP_CipherUpdate calls + +CVE-2021-23840 + +Reviewed-by: Paul Dale +--- + crypto/err/openssl.txt | 3 ++- + crypto/evp/evp_enc.c | 27 +++++++++++++++++++++++++++ + crypto/evp/evp_err.c | 4 +++- + include/openssl/evperr.h | 7 +++---- + 4 files changed, 35 insertions(+), 6 deletions(-) + +--- a/Cryptlib/OpenSSL/crypto/evp/evp_enc.c ++++ b/Cryptlib/OpenSSL/crypto/evp/evp_enc.c +@@ -354,6 +354,19 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ct + return 1; + } else { + j = bl - i; ++ ++ /* ++ * Once we've processed the first j bytes from in, the amount of ++ * data left that is a multiple of the block length is: ++ * (inl - j) & ~(bl - 1) ++ * We must ensure that this amount of data, plus the one block that ++ * we process from ctx->buf does not exceed INT_MAX ++ */ ++ if (((inl - j) & ~(bl - 1)) > INT_MAX - bl) { ++ EVPerr(EVP_F_EVP_ENCRYPTDECRYPTUPDATE, ++ EVP_R_OUTPUT_WOULD_OVERFLOW); ++ return 0; ++ } + memcpy(&(ctx->buf[i]), in, j); + if (!M_do_cipher(ctx, out, ctx->buf, bl)) + return 0; +@@ -455,6 +468,19 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ct + OPENSSL_assert(b <= sizeof ctx->final); + + if (ctx->final_used) { ++ /* ++ * final_used is only ever set if buf_len is 0. Therefore the maximum ++ * length output we will ever see from evp_EncryptDecryptUpdate is ++ * the maximum multiple of the block length that is <= inl, or just: ++ * inl & ~(b - 1) ++ * Since final_used has been set then the final output length is: ++ * (inl & ~(b - 1)) + b ++ * This must never exceed INT_MAX ++ */ ++ if ((inl & ~(b - 1)) > INT_MAX - b) { ++ EVPerr(EVP_F_EVP_DECRYPTUPDATE, EVP_R_OUTPUT_WOULD_OVERFLOW); ++ return 0; ++ } + memcpy(out, ctx->final, b); + out += b; + fix_len = 1; +--- a/Cryptlib/OpenSSL/crypto/evp/evp_err.c ++++ b/Cryptlib/OpenSSL/crypto/evp/evp_err.c +@@ -215,6 +215,7 @@ static ERR_STRING_DATA EVP_str_reasons[] + {ERR_REASON(EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE), + "operation not supported for this keytype"}, + {ERR_REASON(EVP_R_OPERATON_NOT_INITIALIZED), "operaton not initialized"}, ++ {ERR_REASON(EVP_R_OUTPUT_WOULD_OVERFLOW), "output would overflow"}, + {ERR_REASON(EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE), + "pkcs8 unknown broken type"}, + {ERR_REASON(EVP_R_PRIVATE_KEY_DECODE_ERROR), "private key decode error"}, +--- a/Cryptlib/Include/openssl/evp.h ++++ b/Cryptlib/Include/openssl/evp.h +@@ -1509,6 +1509,7 @@ void ERR_load_EVP_strings(void); + # define EVP_R_NO_VERIFY_FUNCTION_CONFIGURED 105 + # define EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 150 + # define EVP_R_OPERATON_NOT_INITIALIZED 151 ++# define EVP_R_OUTPUT_WOULD_OVERFLOW 184 + # define EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE 117 + # define EVP_R_PRIVATE_KEY_DECODE_ERROR 145 + # define EVP_R_PRIVATE_KEY_ENCODE_ERROR 146 diff --git a/backport-CVE-2021-23841.patch b/backport-CVE-2021-23841.patch new file mode 100644 index 0000000..773ea49 --- /dev/null +++ b/backport-CVE-2021-23841.patch @@ -0,0 +1,40 @@ +Backport of: + +From 122a19ab48091c657f7cb1fb3af9fc07bd557bbf Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Wed, 10 Feb 2021 16:10:36 +0000 +Subject: [PATCH] Fix Null pointer deref in X509_issuer_and_serial_hash() + +The OpenSSL public API function X509_issuer_and_serial_hash() attempts +to create a unique hash value based on the issuer and serial number data +contained within an X509 certificate. However it fails to correctly +handle any errors that may occur while parsing the issuer field (which +might occur if the issuer field is maliciously constructed). This may +subsequently result in a NULL pointer deref and a crash leading to a +potential denial of service attack. + +The function X509_issuer_and_serial_hash() is never directly called by +OpenSSL itself so applications are only vulnerable if they use this +function directly and they use it on certificates that may have been +obtained from untrusted sources. + +CVE-2021-23841 + +Reviewed-by: Richard Levitte +Reviewed-by: Paul Dale +(cherry picked from commit 8130d654d1de922ea224fa18ee3bc7262edc39c0) +--- + crypto/x509/x509_cmp.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/Cryptlib/OpenSSL/crypto/x509/x509_cmp.c ++++ b/Cryptlib/OpenSSL/crypto/x509/x509_cmp.c +@@ -87,6 +87,8 @@ unsigned long X509_issuer_and_serial_has + + EVP_MD_CTX_init(&ctx); + f = X509_NAME_oneline(a->cert_info->issuer, NULL, 0); ++ if (f == NULL) ++ goto err; + if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL)) + goto err; + if (!EVP_DigestUpdate(&ctx, (unsigned char *)f, strlen(f))) diff --git a/backport-CVE-2021-3712.patch b/backport-CVE-2021-3712.patch new file mode 100644 index 0000000..3768084 --- /dev/null +++ b/backport-CVE-2021-3712.patch @@ -0,0 +1,13 @@ +Index: openssl-1.0.2p/crypto/asn1/t_x509a.c +=================================================================== +--- a/Cryptlib/OpenSSL/crypto/asn1/t_x509a.c ++++ b/Cryptlib/OpenSSL/crypto/asn1/t_x509a.c +@@ -104,7 +104,7 @@ int X509_CERT_AUX_print(BIO *out, X509_C + } else + BIO_printf(out, "%*sNo Rejected Uses.\n", indent, ""); + if (aux->alias) +- BIO_printf(out, "%*sAlias: %s\n", indent, "", aux->alias->data); ++ BIO_printf(out, "%*sAlias: %.*s\n", indent, "", aux->alias->length, aux->alias->data); + if (aux->keyid) { + BIO_printf(out, "%*sKey Id: ", indent, ""); + for (i = 0; i < aux->keyid->length; i++) diff --git a/backport-CVE-2022-0778.patch b/backport-CVE-2022-0778.patch new file mode 100644 index 0000000..db3376e --- /dev/null +++ b/backport-CVE-2022-0778.patch @@ -0,0 +1,66 @@ +From 3118eb64934499d93db3230748a452351d1d9a65 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Mon, 28 Feb 2022 18:26:21 +0100 +Subject: [PATCH] Fix possible infinite loop in BN_mod_sqrt() + +The calculation in some cases does not finish for non-prime p. + +This fixes CVE-2022-0778. + +Based on patch by David Benjamin . + +Reviewed-by: Paul Dale +Reviewed-by: Matt Caswell +--- + crypto/bn/bn_sqrt.c | 30 ++++++++++++++++++------------ + 1 file changed, 18 insertions(+), 12 deletions(-) + +diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_sqrt.c b/Cryptlib/OpenSSL/crypto/bn/bn_sqrt.c +index 1723d5ded5a..53b0f559855 100644 +--- a/Cryptlib/OpenSSL/crypto/bn/bn_sqrt.c ++++ b/Cryptlib/OpenSSL/crypto/bn/bn_sqrt.c +@@ -14,7 +14,8 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) + /* + * Returns 'ret' such that ret^2 == a (mod p), using the Tonelli/Shanks + * algorithm (cf. Henri Cohen, "A Course in Algebraic Computational Number +- * Theory", algorithm 1.5.1). 'p' must be prime! ++ * Theory", algorithm 1.5.1). 'p' must be prime, otherwise an error or ++ * an incorrect "result" will be returned. + */ + { + BIGNUM *ret = in; +@@ -301,18 +302,23 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) + goto vrfy; + } + +- /* find smallest i such that b^(2^i) = 1 */ +- i = 1; +- if (!BN_mod_sqr(t, b, p, ctx)) +- goto end; +- while (!BN_is_one(t)) { +- i++; +- if (i == e) { +- BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE); +- goto end; ++ /* Find the smallest i, 0 < i < e, such that b^(2^i) = 1. */ ++ for (i = 1; i < e; i++) { ++ if (i == 1) { ++ if (!BN_mod_sqr(t, b, p, ctx)) ++ goto end; ++ ++ } else { ++ if (!BN_mod_mul(t, t, t, p, ctx)) ++ goto end; + } +- if (!BN_mod_mul(t, t, t, p, ctx)) +- goto end; ++ if (BN_is_one(t)) ++ break; ++ } ++ /* If not found, a is not a square or p is not prime. */ ++ if (i >= e) { ++ BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE); ++ goto end; + } + + /* t := y^2^(e - i - 1) */ diff --git a/backport-make-update-EVP_F_EVP_DECRYPTDECRYPTUPDATE.patch b/backport-make-update-EVP_F_EVP_DECRYPTDECRYPTUPDATE.patch new file mode 100644 index 0000000..65c941d --- /dev/null +++ b/backport-make-update-EVP_F_EVP_DECRYPTDECRYPTUPDATE.patch @@ -0,0 +1,38 @@ +Backport of: + +From 4bd0db1feaaf97fbc2bd31f54f1fbdeab80b2b1a Mon Sep 17 00:00:00 2001 +From: Richard Levitte +Date: Sun, 9 Dec 2018 14:20:30 +0100 +Subject: [PATCH] make update + +Reviewed-by: Kurt Roeckx +Reviewed-by: Paul Dale +(Merged from https://github.com/openssl/openssl/pull/7852) + +(cherry picked from commit f2f734d4f9e34643a1d3e5b79d2447cd643519f8) +--- + crypto/err/openssl.txt | 1 + + crypto/evp/evp_err.c | 2 ++ + include/openssl/evperr.h | 1 + + 3 files changed, 4 insertions(+) + +--- a/Cryptlib/OpenSSL/crypto/evp/evp_err.c ++++ b/Cryptlib/OpenSSL/crypto/evp/evp_err.c +@@ -94,6 +94,7 @@ static ERR_STRING_DATA EVP_str_functs[] + {ERR_FUNC(EVP_F_EVP_DECRYPTFINAL_EX), "EVP_DecryptFinal_ex"}, + {ERR_FUNC(EVP_F_EVP_DECRYPTUPDATE), "EVP_DecryptUpdate"}, + {ERR_FUNC(EVP_F_EVP_DIGESTINIT_EX), "EVP_DigestInit_ex"}, ++ {ERR_FUNC(EVP_F_EVP_ENCRYPTDECRYPTUPDATE), "evp_EncryptDecryptUpdate"}, + {ERR_FUNC(EVP_F_EVP_ENCRYPTFINAL_EX), "EVP_EncryptFinal_ex"}, + {ERR_FUNC(EVP_F_EVP_ENCRYPTUPDATE), "EVP_EncryptUpdate"}, + {ERR_FUNC(EVP_F_EVP_MD_CTX_COPY_EX), "EVP_MD_CTX_copy_ex"}, +--- a/Cryptlib/Include/openssl/evp.h ++++ b/Cryptlib/Include/openssl/evp.h +@@ -1398,6 +1398,7 @@ void ERR_load_EVP_strings(void); + # define EVP_F_EVP_DECRYPTFINAL_EX 101 + # define EVP_F_EVP_DECRYPTUPDATE 166 + # define EVP_F_EVP_DIGESTINIT_EX 128 ++# define EVP_F_EVP_ENCRYPTDECRYPTUPDATE 219 + # define EVP_F_EVP_ENCRYPTFINAL_EX 127 + # define EVP_F_EVP_ENCRYPTUPDATE 167 + # define EVP_F_EVP_MD_CTX_COPY_EX 110 diff --git a/backport-make-update-EVP_F_EVP_DECRYPTUPDATE.patch b/backport-make-update-EVP_F_EVP_DECRYPTUPDATE.patch new file mode 100644 index 0000000..85ea540 --- /dev/null +++ b/backport-make-update-EVP_F_EVP_DECRYPTUPDATE.patch @@ -0,0 +1,41 @@ +Partial backport of: + +From 83151b73a4736bca1797f8edc2b0ad4cf7ac9146 Mon Sep 17 00:00:00 2001 +From: Andy Polyakov +Date: Mon, 25 Jul 2016 15:02:26 +0200 +Subject: [PATCH] evp/evp_enc.c: make assert error message more readable and + add EVPerr(PARTIALLY_OVERLAPPED) + +Reviewed-by: Stephen Henson +--- + crypto/evp/evp_enc.c | 28 +++++++++++++++++++--------- + crypto/evp/evp_err.c | 3 +++ + include/openssl/evp.h | 3 +++ + 3 files changed, 25 insertions(+), 9 deletions(-) + +--- a/Cryptlib/OpenSSL/crypto/evp/evp_err.c ++++ b/Cryptlib/OpenSSL/crypto/evp/evp_err.c +@@ -92,8 +92,10 @@ static ERR_STRING_DATA EVP_str_functs[] + {ERR_FUNC(EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH), + "EVP_CIPHER_CTX_set_key_length"}, + {ERR_FUNC(EVP_F_EVP_DECRYPTFINAL_EX), "EVP_DecryptFinal_ex"}, ++ {ERR_FUNC(EVP_F_EVP_DECRYPTUPDATE), "EVP_DecryptUpdate"}, + {ERR_FUNC(EVP_F_EVP_DIGESTINIT_EX), "EVP_DigestInit_ex"}, + {ERR_FUNC(EVP_F_EVP_ENCRYPTFINAL_EX), "EVP_EncryptFinal_ex"}, ++ {ERR_FUNC(EVP_F_EVP_ENCRYPTUPDATE), "EVP_EncryptUpdate"}, + {ERR_FUNC(EVP_F_EVP_MD_CTX_COPY_EX), "EVP_MD_CTX_copy_ex"}, + {ERR_FUNC(EVP_F_EVP_MD_SIZE), "EVP_MD_size"}, + {ERR_FUNC(EVP_F_EVP_OPENINIT), "EVP_OpenInit"}, +--- a/Cryptlib/Include/openssl/evp.h ++++ b/Cryptlib/Include/openssl/evp.h +@@ -1396,8 +1396,10 @@ void ERR_load_EVP_strings(void); + # define EVP_F_EVP_CIPHER_CTX_CTRL 124 + # define EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH 122 + # define EVP_F_EVP_DECRYPTFINAL_EX 101 ++# define EVP_F_EVP_DECRYPTUPDATE 166 + # define EVP_F_EVP_DIGESTINIT_EX 128 + # define EVP_F_EVP_ENCRYPTFINAL_EX 127 ++# define EVP_F_EVP_ENCRYPTUPDATE 167 + # define EVP_F_EVP_MD_CTX_COPY_EX 110 + # define EVP_F_EVP_MD_SIZE 162 + # define EVP_F_EVP_OPENINIT 102 diff --git a/shim.spec b/shim.spec index f162e15..625972e 100644 --- a/shim.spec +++ b/shim.spec @@ -22,7 +22,7 @@ Name: shim Version: 15 -Release: 23 +Release: 24 Summary: First-stage UEFI bootloader ExclusiveArch: x86_64 aarch64 License: BSD @@ -47,6 +47,12 @@ Patch12: backport-0001-CVE-2020-1971.patch Patch13: backport-0002-CVE-2020-1971.patch Patch14: backport-0003-CVE-2020-1971.patch Patch15: backport-0004-CVE-2020-1971.patch +Patch16: backport-make-update-EVP_F_EVP_DECRYPTUPDATE.patch +Patch17: backport-make-update-EVP_F_EVP_DECRYPTDECRYPTUPDATE.patch +Patch18: backport-CVE-2021-23840.patch +Patch19: backport-CVE-2021-23841.patch +Patch20: backport-CVE-2022-0778.patch +Patch21: backport-CVE-2021-3712.patch BuildRequires: elfutils-libelf-devel openssl-devel openssl git pesign gnu-efi gnu-efi-devel gcc Requires: dbxtool efi-filesystem mokutil @@ -145,7 +151,10 @@ cd .. /usr/src/debug/%{name}-%{version}-%{release}/* %changelog -* Mon Sep 19 09:12:56 PM CST 2022 gaoyusong - 15-23 +* Tue Sep 20 2022 gaoyusong - 15-24 +- fix CVE-2021-23840 CVE-2021-23841 CVE-2022-0778 CVE-2021-3712 + +* Mon Sep 19 2022 gaoyusong - 15-23 - fix CVE-2017-3735 CVE-2017-3737 CVE-2018-0732 CVE-2018-0737 CVE-2018-0739 CVE-2019-1563 CVE-2020-1971 -- Gitee