Opened 3 years ago

Closed 2 years ago

#5076 closed enhancement (fixed)

OpenSSL-3.0.4

Reported by: Douglas R. Reno Owned by: lfs-book
Priority: high Milestone: 11.2
Component: Book Version: git
Severity: normal Keywords:
Cc:

Description

New point version


Changes between 3.0.3 and 3.0.4 [21 June 2022]

In addition to the c_rehash shell command injection identified in CVE-2022-1292, further bugs where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection have been fixed.

When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell.

This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script.

Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. (CVE-2022-2068)

Case insensitive string comparison no longer uses locales. It has instead been directly implemented.

Change History (8)

comment:1 by Xi Ruoyao, 3 years ago

A lot tests fail for me. A debug session shows the failure may be AVX512 specific, so perhaps "me only" problem.

I'll bisect and make a "friendly communication" with upstream.

Version 0, edited 3 years ago by Xi Ruoyao (next)

comment:2 by Xi Ruoyao, 3 years ago

Created https://github.com/openssl/openssl/issues/18625.

I'm not sure what we should do for this update. It's an "emergency" update but OTOH I'm pretty sure it will blow up on any machine with AVX-512...

comment:3 by Xi Ruoyao, 2 years ago

Summary: OpenSSL-3.0.4OpenSSL-3.0.4 (wait for upstream consensus)

Maybe a new patch version will be released. If not, we'll need to inject the fix as a sed.

comment:4 by Xi Ruoyao, 2 years ago

SA 11.1-066 issued. Need to be updated once we finish this ticket.

Last edited 2 years ago by Xi Ruoyao (previous) (diff)

comment:5 by Bruce Dubbs, 2 years ago

The upstream commit can be fixed with a sed, but I think we should wait a couple more days for a 3.0.5 release.

sed -e '/bn_reduce.*m1/i\    factor_size /= sizeof(BN_ULONG) * 8;' \
    -i crypto/bn/rsaz_exp_x2.c

I do not have a avx512 capable system, but the results of the tests give:

All tests successful. Files=243, Tests=3295, 190 wallclock secs ( 3.25 usr 0.16 sys + 167.68 cusr 23.74 csys = 194.83 CPU) Result: PASS

in reply to:  5 comment:6 by Xi Ruoyao, 2 years ago

Replying to Bruce Dubbs:

I think we should wait a couple more days for a 3.0.5 release.

Distro and downstream maintainers (including I) are trying to convince the upstream to release 3.0.5 ASAP. But I don't know we'll succeed or not.

comment:7 by Xi Ruoyao, 2 years ago

Summary: OpenSSL-3.0.4 (wait for upstream consensus)OpenSSL-3.0.4

The sed tested OK, and we don't want to sit up here waiting.

comment:8 by Bruce Dubbs, 2 years ago

Resolution: fixed
Status: newclosed

Fixed at commit 0d80e532d2ee91c69a0a0545f6d0f6ec55f35d6c

Update to OpenSSL-3.0.4.
Update to kbd-2.5.1.
Update to linux-5.18.8.
Update to bc-5.3.3.
Note: See TracTickets for help on using tickets.