packages/openssl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2023-2650

Browse Source
This commit is contained in:
steven 2023-06-12 11:07:26 +08:00 committed by hzero1996
parent 5d077d76a0
commit 9bbdf61f70
2 changed files with 70 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

65
backport-CVE-2023-2650-Restrict-the-size-of-OBJECT-IDENTIFIERs-that-OBJ_obj.patch Normal file
View File

@ -0,0 +1,65 @@
From 423a2bc737a908ad0c77bda470b2b59dc879936b Mon Sep 17 00:00:00 2001
From: Richard Levitte <levitte@openssl.org>
Date: Fri, 12 May 2023 10:00:13 +0200
Subject: [PATCH] Restrict the size of OBJECT IDENTIFIERs that OBJ_obj2txt will
translate
OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical
numeric text form. For gigantic sub-identifiers, this would take a very
long time, the time complexity being O(n^2) where n is the size of that
sub-identifier.
To mitigate this, a restriction on the size that OBJ_obj2txt() will
translate to canonical numeric text form is added, based on RFC 2578
(STD 58), which says this:
> 3.5. OBJECT IDENTIFIER values
>
> An OBJECT IDENTIFIER value is an ordered list of non-negative numbers.
> For the SMIv2, each number in the list is referred to as a sub-identifier,
> there are at most 128 sub-identifiers in a value, and each sub-identifier
> has a maximum value of 2^32-1 (4294967295 decimal).
Fixes otc/security#96
Fixes CVE-2023-2650
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
---
NEWS.md | 4 ++++
crypto/objects/obj_dat.c | 19 +++++++++++++++++++
3 files changed, 50 insertions(+)
diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c
index 01cde00e98..c0e55197a0 100644
--- a/crypto/objects/obj_dat.c
+++ b/crypto/objects/obj_dat.c
@@ -443,6 +443,25 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
first = 1;
bl = NULL;
+ /*
+ * RFC 2578 (STD 58) says this about OBJECT IDENTIFIERs:
+ *
+ * > 3.5. OBJECT IDENTIFIER values
+ * >
+ * > An OBJECT IDENTIFIER value is an ordered list of non-negative
+ * > numbers. For the SMIv2, each number in the list is referred to as a
+ * > sub-identifier, there are at most 128 sub-identifiers in a value,
+ * > and each sub-identifier has a maximum value of 2^32-1 (4294967295
+ * > decimal).
+ *
+ * So a legitimate OID according to this RFC is at most (32 * 128 / 7),
+ * i.e. 586 bytes long.
+ *
+ * Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5
+ */
+ if (len > 586)
+ goto err;
+
while (len > 0) {
l = 0;
use_bn = 0;
--
2.27.0

6
openssl.spec
View File

@ -2,7 +2,7 @@
Name: openssl
Epoch: 1
Version: 3.0.8
Release: 6
Release: 7
Summary: Cryptography and SSL/TLS Toolkit
License: OpenSSL and SSLeay
URL: https://www.openssl.org/
@ -30,6 +30,7 @@ Patch18: backport-Ensure-that-EXFLAG_INVALID_POLICY-is-checked-even-in.patch
Patch19: backport-Generate-some-certificates-with-the-certificatePolic.patch
Patch20: backport-Fix-documentation-of-X509_VERIFY_PARAM_add0_policy.patch
Patch21: backport-CVE-2023-1255.patch
Patch22: backport-CVE-2023-2650-Restrict-the-size-of-OBJECT-IDENTIFIERs-that-OBJ_obj.patch
BuildRequires: gcc gcc-c++ perl make lksctp-tools-devel coreutils util-linux zlib-devel
Requires: coreutils %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
@ -230,6 +231,9 @@ make test || :
%ldconfig_scriptlets libs
%changelog
* Mon Jun 12 2023 steven <steven_ygui@163.com> - 1:3.0.8-7
- fix CVE-2023-2650
* Wed Apr 26 2023 zcwei <u201911736@hust.edu.cn> - 1:3.0.8-6
- fix CVE-2023-1255