Opened 3 years ago

Closed 3 years ago

#4911 closed enhancement (fixed)

openssl-1.1.1l

Reported by: Douglas R. Reno
Owned by: Bruce Dubbs
Priority: high
Milestone: 11.1
Component: Book
Version: git
Severity: normal
Keywords:
Cc:

Description

New patch version, looks like a security release. Will probably have to wait until 11.1 though, although this is rated as High upstream.

OpenSSL Security Advisory [24 August 2021]
==========================================

SM2 Decryption Buffer Overflow (CVE-2021-3711)
==============================================

Severity: High

In order to decrypt SM2 encrypted data an application is expected to call the
API function EVP_PKEY_decrypt(). Typically an application will call this
function twice. The first time, on entry, the "out" parameter can be NULL and,
on exit, the "outlen" parameter is populated with the buffer size required to
hold the decrypted plaintext. The application can then allocate a sufficiently
sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL
value for the "out" parameter.

A bug in the implementation of the SM2 decryption code means that the
calculation of the buffer size required to hold the plaintext returned by the
first call to EVP_PKEY_decrypt() can be smaller than the actual size required by
the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is
called by the application a second time with a buffer that is too small.

A malicious attacker who is able to present SM2 content for decryption to an
application could cause attacker chosen data to overflow the buffer by up to a
maximum of 62 bytes altering the contents of other data held after the
buffer, possibly changing application behaviour or causing the application to
crash. The location of the buffer is application dependent but is typically
heap allocated.

OpenSSL versions 1.1.1k and below are affected by this issue. Users of these
versions should upgrade to OpenSSL 1.1.1l.

OpenSSL 1.0.2 is not impacted by this issue.

OpenSSL 3.0 alpha/beta releases are also affected but this issue will be
addressed before the final release.

This issue was reported to OpenSSL on 12th August 2021 by John Ouyang. The fix
was developed by Matt Caswell.

Read buffer overruns processing ASN.1 strings (CVE-2021-3712)
=============================================================

Severity: Moderate

ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING
structure which contains a buffer holding the string data and a field holding
the buffer length. This contrasts with normal C strings which are represented as
a buffer for the string data which is terminated with a NUL (0) byte.

Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's
own "d2i" functions (and other similar parsing functions) as well as any string
whose value has been set with the ASN1_STRING_set() function will additionally
NUL terminate the byte array in the ASN1_STRING structure.

However, it is possible for applications to directly construct valid ASN1_STRING
structures which do not NUL terminate the byte array by directly setting the
"data" and "length" fields in the ASN1_STRING array. This can also happen by
using the ASN1_STRING_set0() function.

Numerous OpenSSL functions that print ASN.1 data have been found to assume that
the ASN1_STRING byte array will be NUL terminated, even though this is not
guaranteed for strings that have been directly constructed. Where an application
requests an ASN.1 structure to be printed, and where that ASN.1 structure
contains ASN1_STRINGs that have been directly constructed by the application
without NUL terminating the "data" field, then a read buffer overrun can occur.

The same thing can also occur during name constraints processing of certificates
(for example if a certificate has been directly constructed by the application
instead of loading it via the OpenSSL parsing functions, and the certificate
contains non NUL terminated ASN1_STRING structures). It can also occur in the
X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions.

If a malicious actor can cause an application to directly construct an
ASN1_STRING and then process it through one of the affected OpenSSL functions
then this issue could be hit. This might result in a crash (causing a Denial of
Service attack). It could also result in the disclosure of private memory
contents (such as private keys, or sensitive plaintext).

OpenSSL versions 1.1.1k and below are affected by this issue. Users of these
versions should upgrade to OpenSSL 1.1.1l.

OpenSSL versions 1.0.2y and below are affected by this issue. However OpenSSL
1.0.2 is out of support and no longer receiving public updates. Premium support
customers of OpenSSL 1.0.2 should upgrade to 1.0.2za. Other users should upgrade
to 1.1.1l.

An initial instance of this issue in the X509_aux_print() function was reported
to OpenSSL on 18th July 2021 by Ingo Schwarze. The bugfix was developed by Ingo
Schwarze and first publicly released in OpenBSD-current on 10th July 2021 and
subsequently in OpenSSL on 20th July 2021 (commit d9d838ddc). Subsequent
analysis by David Benjamin on 17th August 2021 identified more instances of the
same bug. Additional analysis was performed by Matt Caswell. Fixes for the
additional instances of this issue were developed by Matt Caswell.

Note
====

OpenSSL 1.0.2 is out of support and no longer receiving public updates. Extended
support is available for premium support customers:
https://www.openssl.org/support/contracts.html

OpenSSL 1.1.0 is out of support and no longer receiving updates of any kind.
The impact of these issues on OpenSSL 1.1.0 has not been analysed.

Users of these versions should upgrade to OpenSSL 1.1.1.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20210824.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html

It looks like one of them allows attackers to cause crashes or alter the contents of system memory. The other one allows for crashes or disclosure of passwords (or other items) in plaintext.
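
The length-versus-NUL distinction behind CVE-2021-3712, as an added example that is not part of this ticket or of OpenSSL's code. `struct lv_string`, `lv_to_cstr`, `lv_ends_with` and `demo` are hypothetical names modelling a length-delimited string, and the sample bytes are constructed.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the (data, length) pair described in the advisory;
 * not OpenSSL's ASN1_STRING definition. */
struct lv_string {
    const unsigned char *data;  /* not guaranteed to end in NUL */
    size_t length;              /* authoritative size of data */
};

/* Copy exactly s->length bytes into out and terminate. Bytes outside
 * printable ASCII, embedded NULs included, become '.'.
 * Returns the number of bytes copied, or -1 if out cannot hold them. */
int lv_to_cstr(const struct lv_string *s, char *out, size_t outsz)
{
    if (s == NULL || out == NULL || s->length >= outsz)
        return -1;
    for (size_t i = 0; i < s->length; i++) {
        unsigned char c = s->data[i];
        out[i] = (c >= 0x20 && c < 0x7f) ? (char)c : '.';
    }
    out[s->length] = '\0';
    return (int)s->length;
}

/* Length-driven suffix match (simplified; real name-constraint matching has
 * more rules). Never calls strlen() or strcmp() on the data. */
int lv_ends_with(const struct lv_string *s, const struct lv_string *suffix)
{
    if (suffix->length > s->length)
        return 0;
    return memcmp(s->data + (s->length - suffix->length),
                  suffix->data, suffix->length) == 0;
}

/* Constructed sample: 16 heap bytes, no NUL anywhere. The first 9 are the
 * string; the last 7 stand in for unrelated data that happens to follow it.
 * Treating block as a C string would read all 16 bytes and then keep going. */
int demo(char *out, size_t outsz)
{
    unsigned char *block = malloc(16);
    if (block == NULL) return -1;
    memcpy(block, "user@hostSECRET!", 16);
    struct lv_string s = { block, 9 };
    struct lv_string dom = { (const unsigned char *)"@host", 5 };
    int n = lv_ends_with(&s, &dom) ? lv_to_cstr(&s, out, outsz) : -1;
    free(block);
    return n;
}
```
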

Change History (7)

comment:1 by ken@…, 3 years ago

We are a week away from our planned release. Why should this wait?

OpenSSL has a good history of not breaking things in the same series.

Currently testing this on my systems.

comment:2 by Xi Ruoyao, 3 years ago

If necessary I can make a patch for 1.1.1k to ensure not to break API/ABI (like Glibc sed we've done).

SM2 may be important for someone in China if his/her work is related to the government (it's a National Standard here).

comment:3 by Xi Ruoyao, 3 years ago

A diff of installed headers:

diff --color -Naur /usr/include/openssl/e_os2.h ./Dest/usr/include/openssl/e_os2.h
--- /usr/include/openssl/e_os2.h	2021-08-03 22:42:14.402856338 +0800
+++ ./Dest/usr/include/openssl/e_os2.h	2021-08-25 14:16:18.191264226 +0800
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -279,7 +279,8 @@
 #  define ossl_inline inline
 # endif
 
-# if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 201112L
+# if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 201112L && \
+     !defined(__cplusplus) 
 #  define ossl_noreturn _Noreturn
 # elif defined(__GNUC__) && __GNUC__ >= 2
 #  define ossl_noreturn __attribute__((noreturn))
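Review bot: the added continuation line `!defined(__cplusplus) ` in this hunk ends with a trailing space, which whitespace checks will flag; drop it. On the logic, a C++ translation unit that used to satisfy the `__STDC_VERSION__ >= 201112L` test now falls through to the `__GNUC__` branch and gets `__attribute__((noreturn))`, and a C++ compiler matching neither condition depends on the remaining branch, which this hunk does not show; confirm that branch is acceptable for such builds.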
diff --color -Naur /usr/include/openssl/opensslv.h ./Dest/usr/include/openssl/opensslv.h
--- /usr/include/openssl/opensslv.h	2021-08-03 22:42:14.440857047 +0800
+++ ./Dest/usr/include/openssl/opensslv.h	2021-08-25 14:16:18.234265104 +0800
@@ -39,8 +39,8 @@
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-# define OPENSSL_VERSION_NUMBER  0x101010bfL
-# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1k  25 Mar 2021"
+# define OPENSSL_VERSION_NUMBER  0x101010cfL
+# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1l  24 Aug 2021"
 
 /*-
  * The macros below are to be used for shared library (.so, .dll, ...)
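Review bot: `OPENSSL_VERSION_NUMBER` moving from `0x101010bfL` to `0x101010cfL` is the only compile-time signal in these headers that separates 1.1.1k from 1.1.1l, so a downstream guard that needs the fixed release should test `>= 0x101010cfL` rather than match `OPENSSL_VERSION_TEXT`, whose date changes with every release.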
diff --color -Naur /usr/include/openssl/sslerr.h ./Dest/usr/include/openssl/sslerr.h
--- /usr/include/openssl/sslerr.h	2021-08-03 22:42:14.476857718 +0800
+++ ./Dest/usr/include/openssl/sslerr.h	2021-08-25 14:16:18.272265881 +0800
@@ -1,6 +1,6 @@
 /*
  * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -70,6 +70,7 @@
 # define SSL_F_FINAL_EMS                                  486
 # define SSL_F_FINAL_KEY_SHARE                            503
 # define SSL_F_FINAL_MAXFRAGMENTLEN                       557
+# define SSL_F_FINAL_PSK                                  639
 # define SSL_F_FINAL_RENEGOTIATE                          483
 # define SSL_F_FINAL_SERVER_NAME                          558
 # define SSL_F_FINAL_SIG_ALGS                             497
@@ -592,6 +593,7 @@
 # define SSL_R_MISSING_ECDSA_SIGNING_CERT                 381
 # define SSL_R_MISSING_FATAL                              256
 # define SSL_R_MISSING_PARAMETERS                         290
+# define SSL_R_MISSING_PSK_KEX_MODES_EXTENSION            310
 # define SSL_R_MISSING_RSA_CERTIFICATE                    168
 # define SSL_R_MISSING_RSA_ENCRYPTING_CERT                169
 # define SSL_R_MISSING_RSA_SIGNING_CERT                   170
@@ -633,6 +635,7 @@
 # define SSL_R_NO_VERIFY_COOKIE_CALLBACK                  403
 # define SSL_R_NULL_SSL_CTX                               195
 # define SSL_R_NULL_SSL_METHOD_PASSED                     196
+# define SSL_R_OCSP_CALLBACK_FAILURE                      294
 # define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED            197
 # define SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED 344
 # define SSL_R_OVERFLOW_ERROR                             237
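Review bot: `SSL_R_OCSP_CALLBACK_FAILURE` takes the value 294 in a list that is ordered by name, not by number, so this hunk cannot show whether another `SSL_R_` reason already uses 294. The file is generated by util/mkerr.pl, but checking the full header for a duplicate value is still worthwhile, since two reasons sharing a code would make error reports ambiguous.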
diff --color -Naur /usr/include/openssl/x509v3err.h ./Dest/usr/include/openssl/x509v3err.h
--- /usr/include/openssl/x509v3err.h	2021-08-03 22:42:14.497858109 +0800
+++ ./Dest/usr/include/openssl/x509v3err.h	2021-08-25 14:16:18.298266412 +0800
@@ -1,6 +1,6 @@
 /*
  * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -38,6 +38,7 @@
 # define X509V3_F_I2S_ASN1_IA5STRING                      149
 # define X509V3_F_I2S_ASN1_INTEGER                        120
 # define X509V3_F_I2V_AUTHORITY_INFO_ACCESS               138
+# define X509V3_F_I2V_AUTHORITY_KEYID                     173
 # define X509V3_F_LEVEL_ADD_NODE                          168
 # define X509V3_F_NOTICE_SECTION                          132
 # define X509V3_F_NREF_NOS                                133
@@ -78,6 +79,7 @@
 # define X509V3_F_V2I_TLS_FEATURE                         165
 # define X509V3_F_V3_GENERIC_EXTENSION                    116
 # define X509V3_F_X509V3_ADD1_I2D                         140
+# define X509V3_F_X509V3_ADD_LEN_VALUE                    174
 # define X509V3_F_X509V3_ADD_VALUE                        105
 # define X509V3_F_X509V3_EXT_ADD                          104
 # define X509V3_F_X509V3_EXT_ADD_ALIAS                    106
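Review bot: the new `X509V3_F_X509V3_ADD_LEN_VALUE` define at 174 is purely additive, and no existing line in this hunk is changed or renumbered, so source written against the older header keeps compiling. The exposure runs the other way: a downstream package that starts referencing the new code will no longer build against 1.1.1k headers, so any such use should be guarded with `#ifdef X509V3_F_X509V3_ADD_LEN_VALUE`.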

comment:4 by Xi Ruoyao, 3 years ago

The binary interface of libssl.so and libcrypto.so has not changed.

comment:5 by Xi Ruoyao, 3 years ago

I'm not sure about the header change. (In theory) it may break the build of downstream packages. But the fix to the CVEs seems to need to add these new error codes.

comment:6 by Bruce Dubbs, 3 years ago

Owner: changed from lfs-book to Bruce Dubbs
Status: new → assigned

Move to lfs-11.0-rc3

comment:7 by Bruce Dubbs, 3 years ago

Resolution: fixed
Status: assigned → closed

Fixed at commit 49170b0a844cd67a78b0ec76af867a7cf34d559f

Package updates for lfs-11.0-rc3
    LFS-11.0-rc3 released.
    Update to e2fsprogs-1.46.4.
    Update to meson-0.59.1.
    Update to util-linux 2.37.2.
    Update to linux-5.13.12.
    Update to libcap-2.53.