From 0a1ad6296d7fbb4b087a23efb84ef7a1969f3ee4 Mon Sep 17 00:00:00 2001 From: Michael Stahl Date: Wed, 25 Aug 2021 11:32:11 +0200 Subject: openssl: add patch for CVE-2021-3712 Change-Id: I4061cbac18ddf9c7f932a27bf2b54a2b1c2f9d99 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/121029 Tested-by: Michael Stahl Reviewed-by: Michael Stahl --- external/openssl/UnpackedTarball_openssl.mk | 1 + ...cb0a11145ee72b042d10593a64eaf9e8a55ec12.patch.1 | 56 ++++++++++++++++++++++ 2 files changed, 57 insertions(+) create mode 100644 external/openssl/ccb0a11145ee72b042d10593a64eaf9e8a55ec12.patch.1 diff --git a/external/openssl/UnpackedTarball_openssl.mk b/external/openssl/UnpackedTarball_openssl.mk index ad600cce1412..e7fca1116545 100644 --- a/external/openssl/UnpackedTarball_openssl.mk +++ b/external/openssl/UnpackedTarball_openssl.mk @@ -22,6 +22,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,openssl,\ external/openssl/openssl-3650-masm.patch.1 \ external/openssl/openssl-fixbuild.patch.1 \ external/openssl/openssl-1.0.2k-cve-2020-1971.patch.1 \ + external/openssl/ccb0a11145ee72b042d10593a64eaf9e8a55ec12.patch.1 \ )) # vim: set noet sw=4 ts=4: diff --git a/external/openssl/ccb0a11145ee72b042d10593a64eaf9e8a55ec12.patch.1 b/external/openssl/ccb0a11145ee72b042d10593a64eaf9e8a55ec12.patch.1 new file mode 100644 index 000000000000..cf809750ecfb --- /dev/null +++ b/external/openssl/ccb0a11145ee72b042d10593a64eaf9e8a55ec12.patch.1 @@ -0,0 +1,56 @@ +From ccb0a11145ee72b042d10593a64eaf9e8a55ec12 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Tue, 17 Aug 2021 14:41:48 +0100 +Subject: [PATCH] Fix a read buffer overrun in X509_CERT_AUX_print() + +This is a backport of commit c5dc9ab965f to 1.0.2. That commit fixed +the same bug but in master/1.1.1 it is in the function X509_aux_print(). +The original commit had the following description: + +Fix a read buffer overrun in X509_aux_print(). + +The ASN1_STRING_get0_data(3) manual explitely cautions the reader +that the data is not necessarily NUL-terminated, and the function +X509_alias_set1(3) does not sanitize the data passed into it in any +way either, so we must assume the return value from X509_alias_get0(3) +is merely a byte array and not necessarily a string in the sense +of the C language. + +I found this bug while writing manual pages for X509_print_ex(3) +and related functions. Theo Buehler checked my +patch to fix the same bug in LibreSSL, see + +http://cvsweb.openbsd.org/src/lib/libcrypto/asn1/t_x509a.c#rev1.9 + +As an aside, note that the function still produces incomplete and +misleading results when the data contains a NUL byte in the middle +and that error handling is consistently absent throughout, even +though the function provides an "int" return value obviously intended +to be 1 for success and 0 for failure, and even though this function +is called by another function that also wants to return 1 for success +and 0 for failure and even does so in many of its code paths, though +not in others. But let's stay focussed. Many things would be nice +to have in the wide wild world, but a buffer overflow must not be +allowed to remain in our backyard. + +CVE-2021-3712 + +Reviewed-by: Paul Dale +--- + crypto/asn1/t_x509a.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/crypto/asn1/t_x509a.c b/crypto/asn1/t_x509a.c +index d1b897a469fd..b1bc9d0cd28b 100644 +--- a/crypto/asn1/t_x509a.c ++++ b/crypto/asn1/t_x509a.c +@@ -104,7 +104,8 @@ int X509_CERT_AUX_print(BIO *out, X509_CERT_AUX *aux, int indent) + } else + BIO_printf(out, "%*sNo Rejected Uses.\n", indent, ""); + if (aux->alias) +- BIO_printf(out, "%*sAlias: %s\n", indent, "", aux->alias->data); ++ BIO_printf(out, "%*sAlias: %.*s\n", indent, "", aux->alias->length, ++ aux->alias->data); + if (aux->keyid) { + BIO_printf(out, "%*sKey Id: ", indent, ""); + for (i = 0; i < aux->keyid->length; i++) -- cgit