fix CVE-2021-3449
This commit is contained in:
guoxiaoqi
parent
240ea81a7b
commit
6fcf338c2e
47
CVE-2021-3449.patch
Normal file
47
CVE-2021-3449.patch
Normal file
@ -0,0 +1,47 @@
|
||||
From fb9fa6b51defd48157eeb207f52181f735d96148 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Kaestle <peter.kaestle@nokia.com>
|
||||
Date: Mon, 15 Mar 2021 13:19:56 +0100
|
||||
Subject: [PATCH] ssl sigalg extension: fix NULL pointer dereference
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
As the variable peer_sigalgslen is not cleared on ssl rehandshake, it's
|
||||
possible to crash an openssl tls secured server remotely by sending a
|
||||
manipulated hello message in a rehandshake.
|
||||
|
||||
On such a manipulated rehandshake, tls1_set_shared_sigalgs() calls
|
||||
tls12_shared_sigalgs() with the peer_sigalgslen of the previous
|
||||
handshake, while the peer_sigalgs has been freed.
|
||||
As a result tls12_shared_sigalgs() walks over the available
|
||||
peer_sigalgs and tries to access data of a NULL pointer.
|
||||
|
||||
This issue was introduced by c589c34e61 (Add support for the TLS 1.3
|
||||
signature_algorithms_cert extension, 2018-01-11).
|
||||
|
||||
Signed-off-by: Peter Kästle <peter.kaestle@nokia.com>
|
||||
Signed-off-by: Samuel Sapalski <samuel.sapalski@nokia.com>
|
||||
|
||||
CVE-2021-3449
|
||||
|
||||
CLA: trivial
|
||||
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
Reviewed-by: Matt Caswell <matt@openssl.org>
|
||||
---
|
||||
ssl/statem/extensions.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
|
||||
index b055935d697b..4aed508d0f03 100644
|
||||
--- a/ssl/statem/extensions.c
|
||||
+++ b/ssl/statem/extensions.c
|
||||
@@ -1139,6 +1139,7 @@ static int init_sig_algs(SSL *s, unsigned int context)
|
||||
/* Clear any signature algorithms extension received */
|
||||
OPENSSL_free(s->s3->tmp.peer_sigalgs);
|
||||
s->s3->tmp.peer_sigalgs = NULL;
|
||||
+ s->s3->tmp.peer_sigalgslen = 0;
|
||||
|
||||
return 1;
|
||||
}
|
||||
@ -2,7 +2,7 @@
|
||||
Name: openssl
|
||||
Epoch: 1
|
||||
Version: 1.1.1f
|
||||
Release: 4
|
||||
Release: 5
|
||||
Summary: Cryptography and SSL/TLS Toolkit
|
||||
License: OpenSSL and SSLeay
|
||||
URL: https://www.openssl.org/
|
||||
@ -19,6 +19,7 @@ Patch8: CVE-2020-1971-0005-Add-a-test-for-GENERAL_NAME_cmp.patch
|
||||
Patch9: CVE-2020-1971-0006-Add-a-test-for-encoding-decoding-using-an-invalid-AS.patch
|
||||
Patch10: CVE-2021-23840.patch
|
||||
Patch11: CVE-2021-23841.patch
|
||||
Patch12: CVE-2021-3449.patch
|
||||
|
||||
BuildRequires: gcc make lksctp-tools-devel coreutils util-linux zlib-devel
|
||||
|
||||
@ -195,6 +196,9 @@ make test || :
|
||||
%{_pkgdocdir}/html/
|
||||
|
||||
%changelog
|
||||
* Wed Apr 7 2021 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1f-5
|
||||
- fix CVE-2021-3449
|
||||
|
||||
* Wed Mar 10 2021 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1f-4
|
||||
- fix CVE-2021-23840 and CVE-2021-23841
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user