CVE-2023-0286: Fix GENERAL_NAME_cmp for x400Address (1.1.1)

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>

1 files changed, 17 insertions, 1 deletions

diff --git a/CHANGES b/CHANGES
index 7d5f10da6d..ff82b6957d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,7 +9,23 @@
 
  Changes between 1.1.1s and 1.1.1t [xx XXX xxxx]
 
-  *)
+  *) Fixed a type confusion vulnerability relating to X.400 address processing
+     inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING
+     but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This
+     vulnerability may allow an attacker who can provide a certificate chain and
+     CRL (neither of which need have a valid signature) to pass arbitrary
+     pointers to a memcmp call, creating a possible read primitive, subject to
+     some constraints. Refer to the advisory for more information. Thanks to
+     David Benjamin for discovering this issue. (CVE-2023-0286)
+
+     This issue has been fixed by changing the public header file definition of
+     GENERAL_NAME so that x400Address reflects the implementation. It was not
+     possible for any existing application to successfully use the existing
+     definition; however, if any application references the x400Address field
+     (e.g. in dead code), note that the type of this field has changed. There is
+     no ABI change.
+
+     [Hugo Landau]
 
  Changes between 1.1.1r and 1.1.1s [1 Nov 2022]