From 817fd2e0629e99c12a37297f92a9abad29e5ba15 Mon Sep 17 00:00:00 2001 From: Mikhail Novosyolov Date: Tue, 7 Sep 2021 00:56:28 +0300 Subject: [PATCH] Fix CVE-2021-3712 --- 0089-CVE-2021-3712.patch | 67 ++++++++++++++++++++++++++++++++++++++++ libressl.spec | 12 ++++++- 2 files changed, 78 insertions(+), 1 deletion(-) create mode 100644 0089-CVE-2021-3712.patch diff --git a/0089-CVE-2021-3712.patch b/0089-CVE-2021-3712.patch new file mode 100644 index 0000000..2cea2ea --- /dev/null +++ b/0089-CVE-2021-3712.patch 
@@ -0,0 +1,67 @@ +From 89d74f9b9c8c0b042e81aecb6c286253a51659d8 Mon Sep 17 00:00:00 2001 +From: benno <> +Date: Fri, 20 Aug 2021 19:54:16 +0000 +Subject: [PATCH] In LibreSSL, printing a certificate can result in a crash in + X509_CERT_AUX_print(). + +Commit in -current: + +CVSROOT: /cvs +Module name: src +Changes by: schwarze@cvs.openbsd.org 2021/07/10 11:45:16 + +Modified files: + lib/libcrypto/asn1: t_x509a.c + +Log message: +Fix a read buffer overrun in X509_CERT_AUX_print(3), +which by implication also affects X509_print(3). + +The ASN1_STRING_get0_data(3) manual explitely cautions the reader +that the data is not necessarily NUL-terminated, and the function +X509_alias_set1(3) does not sanitize the data passed into it in +any way either, so we must assume the alias->data field is merely +a byte array and not necessarily a string in the sense of the C +language. + +I found this bug while writing manual pages for these functions. + +OK tb@ + +As an aside, note that the function still produces incomplete and +misleading results when the data contains a NUL byte in the middle +and that error handling is consistently absent throughout, even +though the function provides an "int" return value obviously intended +to be 1 for success and 0 for failure, and even though this function +is called by another function that also wants to return 1 for success +and 0 for failure and even does so in many of its code paths, though +not in others. But let's stay focussed. Many things would be nice +to have in the wide wild world, but a buffer overflow must not be +allowed to remain in our backyard. 
+ +This is patches/6.8/common/029_x509.patch.sig +--- + src/lib/libcrypto/asn1/t_x509a.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/lib/libcrypto/asn1/t_x509a.c b/src/lib/libcrypto/asn1/t_x509a.c +index fd68211b84..173465b295 100644 +--- a/src/lib/libcrypto/asn1/t_x509a.c ++++ b/src/lib/libcrypto/asn1/t_x509a.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: t_x509a.c,v 1.8 2014/07/11 08:44:47 jsing Exp $ */ ++/* $OpenBSD: t_x509a.c,v 1.8.18.1 2021/08/20 19:54:16 benno Exp $ */ + /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project 1999. + */ +@@ -105,8 +105,8 @@ X509_CERT_AUX_print(BIO *out, X509_CERT_AUX *aux, int indent) + } else + BIO_printf(out, "%*sNo Rejected Uses.\n", indent, ""); + if (aux->alias) +- BIO_printf(out, "%*sAlias: %s\n", indent, "", +- aux->alias->data); ++ BIO_printf(out, "%*sAlias: %.*s\n", indent, "", ++ aux->alias->length, aux->alias->data); + if (aux->keyid) { + BIO_printf(out, "%*sKey Id: ", indent, ""); + for (i = 0; i < aux->keyid->length; i++) diff --git a/libressl.spec b/libressl.spec index a82f762..1289eba 100644 --- a/libressl.spec +++ b/libressl.spec @@ -76,7 +76,7 @@ Summary: LibreSSL utils and libs coexisting with OpenSSL Name: libressl Version: 3.2.0 -Release: 7 +Release: 8 # The code is distributed under ISC license except of original OpenSSL code License: ISC and BSD-like Group: System/Base 
@@ -201,7 +201,17 @@ Patch0086: 0086-kdftree-add-support-for-TLSTREE-rekeying-algorithm.patch Patch0087: 0087-ssl-add-support-for-TLSTREE-rekeying.patch # https://www.opennet.ru/opennews/art.shtml?num=54233 # https://github.com/libressl-portable/openbsd/commit/f22d7684aed13a9ae9ea6554b7a3e52fdfa4f193 +# From LibreSSL 3.2.3 Patch0088: 0088-CVE-2020-1971.patch +# https://www.opennet.ru/opennews/art.shtml?num=55683 +# https://github.com/libressl-portable/openbsd/commit/89d74f9b9c8c0b042e81aecb6c286253a51659d8 +# From LibreSSL 3.2.6 +Patch0089: 0089-CVE-2021-3712.patch + +# TODO: +# https://www.opennet.ru/opennews/art.shtml?num=54774 +# https://github.com/libressl-portable/openbsd/commit/5f00b800749f246861e892a17d9012bd25fc06ba (LibreSSL 3.2.5) +# Code is different in our version, investigation if backport is required is required. # Patches for portable, from lumag@ # ( for i in *PORTABLE*.patch ; do echo Patch$(echo $i | awk -F '-' '{print $2}'): $i ; done ) | sed -e 's,^Patch0,Patch2,g' | sort -h
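
Review bot: In the X509_CERT_AUX_print() hunk inside 0089-CVE-2021-3712.patch, the new `%.*s` conversion bounds the read by `aux->alias->length` but still stops at the first NUL byte, and the BIO_printf() return value is still ignored. The alias can therefore print truncated while the function reports nothing, which the quoted log message itself concedes. That is acceptable for a minimal backport of the overrun fix, but it deserves a follow-up that writes the alias with a length-aware call, escapes non-printable bytes, and propagates a 0 return on write failure. It is also worth confirming that `aux->alias->length` can never be negative at this point: under printf semantics a negative precision is treated as if it were omitted, which would bring back the unbounded read.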
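
Review bot: The TODO block added in the libressl.spec hunk at -201,7 +201,17 records a possibly missing security backport without a CVE id, an owner or a tracking reference, and its last line ("investigation if backport is required is required") is hard to read. Name the CVE or issue that commit 5f00b800749f246861e892a17d9012bd25fc06ba addresses and reword the line, for example "Code differs in our version; check whether a backport is needed." The visible hunks also only declare `Patch0089:`, so please confirm that %prep actually applies it, since that part of the spec is not shown in this diff.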