diff options
author | Tomas Mraz <tomas@openssl.org> | 2023-01-23 18:27:11 +0100 |
---|---|---|
committer | Richard Levitte <levitte@openssl.org> | 2023-02-03 11:22:47 +0100 |
commit | a85fbb5e9614b4bd754010097da07bd14731e5a3 (patch) | |
tree | 8eff4ac479abb22052462add24b9393576c11248 | |
parent | 2c6c9d439b484e1ba9830d8454a34fa4f80fdfe9 (diff) |
Add CHANGES and NEWS entries for the 1.1.1t release
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
-rw-r--r-- | CHANGES | 60 | ||||
-rw-r--r-- | NEWS | 5 |
2 files changed, 61 insertions, 4 deletions
@@ -9,7 +9,9 @@ Changes between 1.1.1s and 1.1.1t [xx XXX xxxx] - *) Fixed a type confusion vulnerability relating to X.400 address processing + *) Fixed X.400 address type confusion in X.509 GeneralName. + + There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This vulnerability may allow an attacker who can provide a certificate chain and @@ -24,14 +26,66 @@ definition; however, if any application references the x400Address field (e.g. in dead code), note that the type of this field has changed. There is no ABI change. - [Hugo Landau] + *) Fixed Use-after-free following BIO_new_NDEF. + + The public API function BIO_new_NDEF is a helper function used for + streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL + to support the SMIME, CMS and PKCS7 streaming capabilities, but may also + be called directly by end user applications. + + The function receives a BIO from the caller, prepends a new BIO_f_asn1 + filter BIO onto the front of it to form a BIO chain, and then returns + the new head of the BIO chain to the caller. Under certain conditions, + for example if a CMS recipient public key is invalid, the new filter BIO + is freed and the function returns a NULL result indicating a failure. + However, in this case, the BIO chain is not properly cleaned up and the + BIO passed by the caller still retains internal pointers to the previously + freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO + then a use-after-free will occur. This will most likely result in a crash. + (CVE-2023-0215) + [Viktor Dukhovni, Matt Caswell] + + *) Fixed Double free after calling PEM_read_bio_ex. + + The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and + decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload + data. If the function succeeds then the "name_out", "header" and "data" + arguments are populated with pointers to buffers containing the relevant + decoded data. The caller is responsible for freeing those buffers. It is + possible to construct a PEM file that results in 0 bytes of payload data. + In this case PEM_read_bio_ex() will return a failure code but will populate + the header argument with a pointer to a buffer that has already been freed. + If the caller also frees this buffer then a double free will occur. This + will most likely lead to a crash. + + The functions PEM_read_bio() and PEM_read() are simple wrappers around + PEM_read_bio_ex() and therefore these functions are also directly affected. + + These functions are also called indirectly by a number of other OpenSSL + functions including PEM_X509_INFO_read_bio_ex() and + SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL + internal uses of these functions are not vulnerable because the caller does + not free the header argument if PEM_read_bio_ex() returns a failure code. + (CVE-2022-4450) + [Kurt Roeckx, Matt Caswell] + + *) Fixed Timing Oracle in RSA Decryption. + + A timing based side channel exists in the OpenSSL RSA Decryption + implementation which could be sufficient to recover a plaintext across + a network in a Bleichenbacher style attack. To achieve a successful + decryption an attacker would have to be able to send a very large number + of trial messages for decryption. The vulnerability affects all RSA padding + modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. + (CVE-2022-4304) + [Dmitry Belyavsky, Hubert Kario] + Changes between 1.1.1r and 1.1.1s [1 Nov 2022] *) Fixed a regression introduced in 1.1.1r version not refreshing the certificate data to be signed before signing the certificate. - [Gibeom Gwon] Changes between 1.1.1q and 1.1.1r [11 Oct 2022] @@ -7,7 +7,10 @@ Major changes between OpenSSL 1.1.1s and OpenSSL 1.1.1t [under development] - o + o Fixed X.400 address type confusion in X.509 GeneralName (CVE-2023-0286) + o Fixed Use-after-free following BIO_new_NDEF (CVE-2023-0215) + o Fixed Double free after calling PEM_read_bio_ex (CVE-2022-4450) + o Fixed Timing Oracle in RSA Decryption (CVE-2022-4304) Major changes between OpenSSL 1.1.1r and OpenSSL 1.1.1s [1 Nov 2022] |