File openssl-CVE-2023-0286.patch of Package openssl-1_0_0.28538
commit a72082b1fd459bc6355c0d6e0ac5f28a34ae73b0
Author: Hugo Landau <hlandau@openssl.org>
Date: Tue Jan 17 17:45:42 2023 +0000
CVE-2023-0286: Fix GENERAL_NAME_cmp for x400Address (1.1.1)
---
CHANGES | 18 ++++++++++++++++++
crypto/x509v3/v3_genn.c | 2 +-
crypto/x509v3/x509v3.h | 2 +-
3 files changed, 20 insertions(+), 2 deletions(-)
--- a/CHANGES
+++ b/CHANGES
@@ -9,6 +9,24 @@
Changes between 1.0.2o and 1.0.2p [14 Aug 2018]
+ *) Fixed a type confusion vulnerability relating to X.400 address processing
+ inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING
+ but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This
+ vulnerability may allow an attacker who can provide a certificate chain and
+ CRL (neither of which need have a valid signature) to pass arbitrary
+ pointers to a memcmp call, creating a possible read primitive, subject to
+ some constraints. Refer to the advisory for more information. Thanks to
+ David Benjamin for discovering this issue. (CVE-2023-0286)
+
+ This issue has been fixed by changing the public header file definition of
+ GENERAL_NAME so that x400Address reflects the implementation. It was not
+ possible for any existing application to successfully use the existing
+ definition; however, if any application references the x400Address field
+ (e.g. in dead code), note that the type of this field has changed. There is
+ no ABI change.
+
+ [Hugo Landau]
+
*) Client DoS due to large DH parameter
During key agreement in a TLS handshake using a DH(E) based ciphersuite a
--- a/crypto/x509v3/v3_genn.c
+++ b/crypto/x509v3/v3_genn.c
@@ -148,7 +148,7 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GE
return -1;
switch (a->type) {
case GEN_X400:
- result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address);
+ result = ASN1_STRING_cmp(a->d.x400Address, b->d.x400Address);
break;
case GEN_EDIPARTY:
--- a/crypto/x509v3/x509v3.h
+++ b/crypto/x509v3/x509v3.h
@@ -190,7 +190,7 @@ typedef struct GENERAL_NAME_st {
OTHERNAME *otherName; /* otherName */
ASN1_IA5STRING *rfc822Name;
ASN1_IA5STRING *dNSName;
- ASN1_TYPE *x400Address;
+ ASN1_STRING *x400Address;
X509_NAME *directoryName;
EDIPARTYNAME *ediPartyName;
ASN1_IA5STRING *uniformResourceIdentifier;