From 39f800af50db23de7aa01ebd56c8132589ad36a8 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy
Date: Tue, 1 Nov 2022 18:23:58 +0100
Subject: [PATCH] CVE-2022-3602, CVE-2022-3786: X.509 Email Address Buffer Overflow
Resolves: CVE-2022-3602
Resolves: CVE-2022-3786
---
0079-CVE-2022-3602.patch | 399 +++++++++++++++++++++++++++++++++++++++
openssl.spec | 13 +-
2 files changed, 411 insertions(+), 1 deletion(-)
create mode 100644 0079-CVE-2022-3602.patch
diff --git a/0079-CVE-2022-3602.patch b/0079-CVE-2022-3602.patch
new file mode 100644
index 0000000..4f935e4
--- /dev/null
+++ b/0079-CVE-2022-3602.patch
@@ -0,0 +1,399 @@ +diff --git a/crypto/punycode.c b/crypto/punycode.c +index 385b4b1df4..b9b4e3d785 100644 +--- a/crypto/punycode.c ++++ b/crypto/punycode.c +@@ -123,7 +123,6 @@ int ossl_punycode_decode(const char *pEncoded, const size_t enc_len, + unsigned int bias = initial_bias; + size_t processed_in = 0, written_out = 0; + unsigned int max_out = *pout_length; +- + unsigned int basic_count = 0; + unsigned int loop; + +@@ -181,11 +180,11 @@ int ossl_punycode_decode(const char *pEncoded, const size_t enc_len, + n = n + i / (written_out + 1); + i %= (written_out + 1); + +- if (written_out > max_out) ++ if (written_out >= max_out) + return 0; + + memmove(pDecoded + i + 1, pDecoded + i, +- (written_out - i) * sizeof *pDecoded); ++ (written_out - i) * sizeof(*pDecoded)); + pDecoded[i] = n; + i++; + written_out++; +@@ -255,30 +254,35 @@ int ossl_a2ulabel(const char *in, char *out, size_t *outlen) + */ + char *outptr = out; + const char *inptr = in; +- size_t size = 0; ++ size_t size = 0, maxsize; + int result = 1; +- ++ unsigned int i, j; + unsigned int buf[LABEL_BUF_SIZE]; /* It's a hostname */ +- if (out == NULL) ++ ++ if (out == NULL) { + result = 0; ++ maxsize = 0; ++ } else { ++ maxsize = *outlen; ++ } ++ ++#define PUSHC(c) \ ++ do \ ++ if (size++ < maxsize) \ ++ *outptr++ = c; \ ++ else \ ++ result = 0; \ ++ while (0) + + while (1) { + char *tmpptr = strchr(inptr, '.'); +- size_t delta = (tmpptr) ? (size_t)(tmpptr - inptr) : strlen(inptr); ++ size_t delta = tmpptr != NULL ? 
(size_t)(tmpptr - inptr) : strlen(inptr); + + if (strncmp(inptr, "xn--", 4) != 0) { +- size += delta + 1; +- +- if (size >= *outlen - 1) +- result = 0; +- +- if (result > 0) { +- memcpy(outptr, inptr, delta + 1); +- outptr += delta + 1; +- } ++ for (i = 0; i < delta + 1; i++) ++ PUSHC(inptr[i]); + } else { + unsigned int bufsize = LABEL_BUF_SIZE; +- unsigned int i; + + if (ossl_punycode_decode(inptr + 4, delta - 4, buf, &bufsize) <= 0) + return -1; +@@ -286,26 +290,15 @@ int ossl_a2ulabel(const char *in, char *out, size_t *outlen) + for (i = 0; i < bufsize; i++) { + unsigned char seed[6]; + size_t utfsize = codepoint2utf8(seed, buf[i]); ++ + if (utfsize == 0) + return -1; + +- size += utfsize; +- if (size >= *outlen - 1) +- result = 0; +- +- if (result > 0) { +- memcpy(outptr, seed, utfsize); +- outptr += utfsize; +- } ++ for (j = 0; j < utfsize; j++) ++ PUSHC(seed[j]); + } + +- if (tmpptr != NULL) { +- *outptr = '.'; +- outptr++; +- size++; +- if (size >= *outlen - 1) +- result = 0; +- } ++ PUSHC(tmpptr != NULL ? '.' : '\0'); + } + + if (tmpptr == NULL) +@@ -313,7 +306,9 @@ int ossl_a2ulabel(const char *in, char *out, size_t *outlen) + + inptr = tmpptr + 1; + } ++#undef PUSHC + ++ *outlen = size; + return result; + } + +@@ -327,12 +322,11 @@ int ossl_a2ulabel(const char *in, char *out, size_t *outlen) + + int ossl_a2ucompare(const char *a, const char *u) + { +- char a_ulabel[LABEL_BUF_SIZE]; ++ char a_ulabel[LABEL_BUF_SIZE + 1]; + size_t a_size = sizeof(a_ulabel); + +- if (ossl_a2ulabel(a, a_ulabel, &a_size) <= 0) { ++ if (ossl_a2ulabel(a, a_ulabel, &a_size) <= 0) + return -1; +- } + +- return (strcmp(a_ulabel, u) == 0) ? 
0 : 1; ++ return strcmp(a_ulabel, u) != 0; + } +diff --git a/test/build.info b/test/build.info +index 9d2d41e417..638f215da6 100644 +--- a/test/build.info ++++ b/test/build.info +@@ -40,7 +40,7 @@ IF[{- !$disabled{tests} -}] + exptest pbetest localetest evp_pkey_ctx_new_from_name\ + evp_pkey_provided_test evp_test evp_extra_test evp_extra_test2 \ + evp_fetch_prov_test evp_libctx_test ossl_store_test \ +- v3nametest v3ext \ ++ v3nametest v3ext punycode_test \ + evp_pkey_provided_test evp_test evp_extra_test evp_extra_test2 \ + evp_fetch_prov_test v3nametest v3ext \ + crltest danetest bad_dtls_test lhash_test sparse_array_test \ +@@ -290,6 +290,10 @@ IF[{- !$disabled{tests} -}] + INCLUDE[pkcs7_test]=../include ../apps/include + DEPEND[pkcs7_test]=../libcrypto libtestutil.a + ++ SOURCE[punycode_test]=punycode_test.c ++ INCLUDE[punycode_test]=../include ../apps/include ++ DEPEND[punycode_test]=../libcrypto.a libtestutil.a ++ + SOURCE[stack_test]=stack_test.c + INCLUDE[stack_test]=../include ../apps/include + DEPEND[stack_test]=../libcrypto libtestutil.a +diff --git a/test/punycode_test.c b/test/punycode_test.c +new file mode 100644 +index 0000000000..285ead6966 +--- /dev/null ++++ b/test/punycode_test.c +@@ -0,0 +1,219 @@ ++/* ++ * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. ++ * ++ * Licensed under the Apache License 2.0 (the "License"). You may not use ++ * this file except in compliance with the License. 
You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++#include ++ ++#include "crypto/punycode.h" ++#include "internal/nelem.h" ++#include "testutil.h" ++ ++ ++static const struct puny_test { ++ unsigned int raw[50]; ++ const char *encoded; ++} puny_cases[] = { ++ /* Test cases from RFC 3492 */ ++ { /* Arabic (Egyptian) */ ++ { 0x0644, 0x064A, 0x0647, 0x0645, 0x0627, 0x0628, 0x062A, 0x0643, 0x0644, ++ 0x0645, 0x0648, 0x0634, 0x0639, 0x0631, 0x0628, 0x064A, 0x061F ++ }, ++ "egbpdaj6bu4bxfgehfvwxn" ++ }, ++ { /* Chinese (simplified) */ ++ { 0x4ED6, 0x4EEC, 0x4E3A, 0x4EC0, 0x4E48, 0x4E0D, 0x8BF4, 0x4E2D, 0x6587 ++ }, ++ "ihqwcrb4cv8a8dqg056pqjye" ++ }, ++ { /* Chinese (traditional) */ ++ { 0x4ED6, 0x5011, 0x7232, 0x4EC0, 0x9EBD, 0x4E0D, 0x8AAA, 0x4E2D, 0x6587 ++ }, ++ "ihqwctvzc91f659drss3x8bo0yb" ++ }, ++ { /* Czech: Proprostnemluvesky */ ++ { 0x0050, 0x0072, 0x006F, 0x010D, 0x0070, 0x0072, 0x006F, 0x0073, 0x0074, ++ 0x011B, 0x006E, 0x0065, 0x006D, 0x006C, 0x0075, 0x0076, 0x00ED, 0x010D, ++ 0x0065, 0x0073, 0x006B, 0x0079 ++ }, ++ "Proprostnemluvesky-uyb24dma41a" ++ }, ++ { /* Hebrew */ ++ { 0x05DC, 0x05DE, 0x05D4, 0x05D4, 0x05DD, 0x05E4, 0x05E9, 0x05D5, 0x05D8, ++ 0x05DC, 0x05D0, 0x05DE, 0x05D3, 0x05D1, 0x05E8, 0x05D9, 0x05DD, 0x05E2, ++ 0x05D1, 0x05E8, 0x05D9, 0x05EA ++ }, ++ "4dbcagdahymbxekheh6e0a7fei0b" ++ }, ++ { /* Hindi (Devanagari) */ ++ { 0x092F, 0x0939, 0x0932, 0x094B, 0x0917, 0x0939, 0x093F, 0x0928, 0x094D, ++ 0x0926, 0x0940, 0x0915, 0x094D, 0x092F, 0x094B, 0x0902, 0x0928, 0x0939, ++ 0x0940, 0x0902, 0x092C, 0x094B, 0x0932, 0x0938, 0x0915, 0x0924, 0x0947, ++ 0x0939, 0x0948, 0x0902 ++ }, ++ "i1baa7eci9glrd9b2ae1bj0hfcgg6iyaf8o0a1dig0cd" ++ }, ++ { /* Japanese (kanji and hiragana) */ ++ { 0x306A, 0x305C, 0x307F, 0x3093, 0x306A, 0x65E5, 0x672C, 0x8A9E, 0x3092, ++ 0x8A71, 0x3057, 0x3066, 0x304F, 0x308C, 0x306A, 0x3044, 0x306E, 0x304B ++ }, ++ 
"n8jok5ay5dzabd5bym9f0cm5685rrjetr6pdxa" ++ }, ++ { /* Korean (Hangul syllables) */ ++ { 0xC138, 0xACC4, 0xC758, 0xBAA8, 0xB4E0, 0xC0AC, 0xB78C, 0xB4E4, 0xC774, ++ 0xD55C, 0xAD6D, 0xC5B4, 0xB97C, 0xC774, 0xD574, 0xD55C, 0xB2E4, 0xBA74, ++ 0xC5BC, 0xB9C8, 0xB098, 0xC88B, 0xC744, 0xAE4C ++ }, ++ "989aomsvi5e83db1d2a355cv1e0vak1dwrv93d5xbh15a0dt30a5jpsd879ccm6fea98c" ++ }, ++ { /* Russian (Cyrillic) */ ++ { 0x043F, 0x043E, 0x0447, 0x0435, 0x043C, 0x0443, 0x0436, 0x0435, 0x043E, ++ 0x043D, 0x0438, 0x043D, 0x0435, 0x0433, 0x043E, 0x0432, 0x043E, 0x0440, ++ 0x044F, 0x0442, 0x043F, 0x043E, 0x0440, 0x0443, 0x0441, 0x0441, 0x043A, ++ 0x0438 ++ }, ++ "b1abfaaepdrnnbgefbaDotcwatmq2g4l" ++ }, ++ { /* Spanish */ ++ { 0x0050, 0x006F, 0x0072, 0x0071, 0x0075, 0x00E9, 0x006E, 0x006F, 0x0070, ++ 0x0075, 0x0065, 0x0064, 0x0065, 0x006E, 0x0073, 0x0069, 0x006D, 0x0070, ++ 0x006C, 0x0065, 0x006D, 0x0065, 0x006E, 0x0074, 0x0065, 0x0068, 0x0061, ++ 0x0062, 0x006C, 0x0061, 0x0072, 0x0065, 0x006E, 0x0045, 0x0073, 0x0070, ++ 0x0061, 0x00F1, 0x006F, 0x006C ++ }, ++ "PorqunopuedensimplementehablarenEspaol-fmd56a" ++ }, ++ { /* Vietnamese */ ++ { 0x0054, 0x1EA1, 0x0069, 0x0073, 0x0061, 0x006F, 0x0068, 0x1ECD, 0x006B, ++ 0x0068, 0x00F4, 0x006E, 0x0067, 0x0074, 0x0068, 0x1EC3, 0x0063, 0x0068, ++ 0x1EC9, 0x006E, 0x00F3, 0x0069, 0x0074, 0x0069, 0x1EBF, 0x006E, 0x0067, ++ 0x0056, 0x0069, 0x1EC7, 0x0074 ++ }, ++ "TisaohkhngthchnitingVit-kjcr8268qyxafd2f1b9g" ++ }, ++ { /* Japanese: 3B */ ++ { 0x0033, 0x5E74, 0x0042, 0x7D44, 0x91D1, 0x516B, 0x5148, 0x751F ++ }, ++ "3B-ww4c5e180e575a65lsy2b" ++ }, ++ { /* Japanese: -with-SUPER-MONKEYS */ ++ { 0x5B89, 0x5BA4, 0x5948, 0x7F8E, 0x6075, 0x002D, 0x0077, 0x0069, 0x0074, ++ 0x0068, 0x002D, 0x0053, 0x0055, 0x0050, 0x0045, 0x0052, 0x002D, 0x004D, ++ 0x004F, 0x004E, 0x004B, 0x0045, 0x0059, 0x0053 ++ }, ++ "-with-SUPER-MONKEYS-pc58ag80a8qai00g7n9n" ++ }, ++ { /* Japanese: Hello-Another-Way- */ ++ { 0x0048, 0x0065, 0x006C, 0x006C, 0x006F, 0x002D, 0x0041, 0x006E, 
0x006F, ++ 0x0074, 0x0068, 0x0065, 0x0072, 0x002D, 0x0057, 0x0061, 0x0079, 0x002D, ++ 0x305D, 0x308C, 0x305E, 0x308C, 0x306E, 0x5834, 0x6240 ++ }, ++ "Hello-Another-Way--fc4qua05auwb3674vfr0b" ++ }, ++ { /* Japanese: 2 */ ++ { 0x3072, 0x3068, 0x3064, 0x5C4B, 0x6839, 0x306E, 0x4E0B, 0x0032 ++ }, ++ "2-u9tlzr9756bt3uc0v" ++ }, ++ { /* Japanese: MajiKoi5 */ ++ { 0x004D, 0x0061, 0x006A, 0x0069, 0x3067, 0x004B, 0x006F, 0x0069, 0x3059, ++ 0x308B, 0x0035, 0x79D2, 0x524D ++ }, ++ "MajiKoi5-783gue6qz075azm5e" ++ }, ++ { /* Japanese: de */ ++ { 0x30D1, 0x30D5, 0x30A3, 0x30FC, 0x0064, 0x0065, 0x30EB, 0x30F3, 0x30D0 ++ }, ++ "de-jg4avhby1noc0d" ++ }, ++ { /* Japanese: */ ++ { 0x305D, 0x306E, 0x30B9, 0x30D4, 0x30FC, 0x30C9, 0x3067 ++ }, ++ "d9juau41awczczp" ++ }, ++ { /* -> $1.00 <- */ ++ { 0x002D, 0x003E, 0x0020, 0x0024, 0x0031, 0x002E, 0x0030, 0x0030, 0x0020, ++ 0x003C, 0x002D ++ }, ++ "-> $1.00 <--" ++ } ++}; ++ ++static int test_punycode(int n) ++{ ++ const struct puny_test *tc = puny_cases + n; ++ unsigned int buffer[50]; ++ unsigned int bsize = OSSL_NELEM(buffer); ++ size_t i; ++ ++ if (!TEST_true(ossl_punycode_decode(tc->encoded, strlen(tc->encoded), ++ buffer, &bsize))) ++ return 0; ++ for (i = 0; i < sizeof(tc->raw); i++) ++ if (tc->raw[i] == 0) ++ break; ++ if (!TEST_mem_eq(buffer, bsize * sizeof(*buffer), ++ tc->raw, i * sizeof(*tc->raw))) ++ return 0; ++ return 1; ++} ++ ++static int test_a2ulabel(void) ++{ ++ char out[50]; ++ size_t outlen; ++ ++ /* ++ * Test that no buffer correctly returns the true length. ++ * The punycode being passed in and parsed is malformed but we're not ++ * verifying that behaviour here. 
++ */ ++ if (!TEST_int_eq(ossl_a2ulabel("xn--a.b.c", NULL, &outlen), 0) ++ || !TEST_size_t_eq(outlen, 7) ++ || !TEST_int_eq(ossl_a2ulabel("xn--a.b.c", out, &outlen), 1)) ++ return 0; ++ /* Test that a short input length returns the true length */ ++ outlen = 1; ++ if (!TEST_int_eq(ossl_a2ulabel("xn--a.b.c", out, &outlen), 0) ++ || !TEST_size_t_eq(outlen, 7) ++ || !TEST_int_eq(ossl_a2ulabel("xn--a.b.c", out, &outlen), 1) ++ || !TEST_str_eq(out,"\xc2\x80.b.c")) ++ return 0; ++ /* Test for an off by one on the buffer size works */ ++ outlen = 6; ++ if (!TEST_int_eq(ossl_a2ulabel("xn--a.b.c", out, &outlen), 0) ++ || !TEST_size_t_eq(outlen, 7) ++ || !TEST_int_eq(ossl_a2ulabel("xn--a.b.c", out, &outlen), 1) ++ || !TEST_str_eq(out,"\xc2\x80.b.c")) ++ return 0; ++ return 1; ++} ++ ++static int test_puny_overrun(void) ++{ ++ static const unsigned int out[] = { ++ 0x0033, 0x5E74, 0x0042, 0x7D44, 0x91D1, 0x516B, 0x5148, 0x751F ++ }; ++ static const char *in = "3B-ww4c5e180e575a65lsy2b"; ++ unsigned int buf[OSSL_NELEM(out)]; ++ unsigned int bsize = OSSL_NELEM(buf) - 1; ++ ++ if (!TEST_false(ossl_punycode_decode(in, strlen(in), buf, &bsize))) { ++ if (TEST_mem_eq(buf, bsize * sizeof(*buf), out, sizeof(out))) ++ TEST_error("CRITICAL: buffer overrun detected!"); ++ return 0; ++ } ++ return 1; ++} ++ ++int setup_tests(void) ++{ ++ ADD_ALL_TESTS(test_punycode, OSSL_NELEM(puny_cases)); ++ ADD_TEST(test_a2ulabel); ++ ADD_TEST(test_puny_overrun); ++ return 1; ++} +diff --git a/test/recipes/04-test_punycode.t b/test/recipes/04-test_punycode.t +new file mode 100644 +index 0000000000..de213c7e15 +--- /dev/null ++++ b/test/recipes/04-test_punycode.t +@@ -0,0 +1,11 @@ ++#! /usr/bin/env perl ++# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. ++# ++# Licensed under the Apache License 2.0 (the "License"). You may not use ++# this file except in compliance with the License. 
You can obtain a copy ++# in the file LICENSE in the source distribution or at ++# https://www.openssl.org/source/license.html ++ ++use OpenSSL::Test::Simple; ++ ++simple_test("test_punycode", "punycode_test"); diff --git a/openssl.spec b/openssl.spec index 4b4688a..b6f3471 100644 --- a/openssl.spec +++ b/openssl.spec @@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16)) Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 3.0.1 -Release: 41%{?dist} +Release: 43%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -162,6 +162,8 @@ Patch76: 0076-FIPS-140-3-DRBG.patch Patch77: 0077-FIPS-140-3-zeroization.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2114772 Patch78: 0078-Add-FIPS-indicator-parameter-to-HKDF.patch +#https://bugzilla.redhat.com/show_bug.cgi?id=2137723 +Patch79: 0079-CVE-2022-3602.patch License: ASL 2.0 URL: http://www.openssl.org/ @@ -492,6 +494,15 @@ install -m644 %{SOURCE9} \ %ldconfig_scriptlets libs %changelog +* Tue Nov 01 2022 Dmitry Belyavskiy - 1:3.0.1-43 +- CVE-2022-3602: X.509 Email Address Buffer Overflow +- CVE-2022-3786: X.509 Email Address Buffer Overflow + Resolves: CVE-2022-3602 + +* Wed Oct 26 2022 Dmitry Belyavskiy - 1:3.0.1-42 +- CVE-2022-3602: X.509 Email Address Buffer Overflow + Resolves: CVE-2022-3602 (rhbz#2137723) + * Thu Aug 11 2022 Clemens Lang - 1:3.0.1-41 - Zeroize public keys as required by FIPS 140-3 Related: rhbz#2102542
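Review bot: In the added test/punycode_test.c, the loop in `test_punycode` that looks for the end of the expected code points is bounded by `sizeof(tc->raw)`, which is the array's size in bytes rather than its 50 elements. A vector that fills every slot of `raw` with non-zero values would therefore be scanned past the end of the array. The vectors in this patch are all shorter (the longest has 40 entries) and the remainder is zero-initialised, so nothing overruns today, but the bound should be the element count: `for (i = 0; i < OSSL_NELEM(tc->raw); i++)`. Separately, in the crypto/punycode.c part the `PUSHC` macro expands its argument unparenthesised inside a brace-less `do if ... else ... while (0)`; writing the store as `*outptr++ = (c);` with braces around both branches would keep it safe for future call sites. Indentation is collapsed in this listing, so both points are read from the tokens alone.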