diff --git a/0125-CVE-2023-2975.patch b/0125-CVE-2023-2975.patch new file mode 100644 index 0000000..4717087 --- /dev/null +++ b/0125-CVE-2023-2975.patch @@ -0,0 +1,30 @@ +diff --git a/providers/implementations/ciphers/cipher_aes_siv.c b/providers/implementations/ciphers/cipher_aes_siv.c +index 45010b90db..b396c8651a 100644 +--- a/providers/implementations/ciphers/cipher_aes_siv.c ++++ b/providers/implementations/ciphers/cipher_aes_siv.c +@@ -120,14 +120,18 @@ static int siv_cipher(void *vctx, unsigned char *out, size_t *outl, + if (!ossl_prov_is_running()) + return 0; + +- if (inl == 0) { +- *outl = 0; +- return 1; +- } ++ /* Ignore just empty encryption/decryption call and not AAD. */ ++ if (out != NULL) { ++ if (inl == 0) { ++ if (outl != NULL) ++ *outl = 0; ++ return 1; ++ } + +- if (outsize < inl) { +- ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL); +- return 0; ++ if (outsize < inl) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL); ++ return 0; ++ } + } + + if (ctx->hw->cipher(ctx, out, in, inl) <= 0) diff --git a/openssl.spec b/openssl.spec index d6b3ddd..26dae8d 100644 --- a/openssl.spec +++ b/openssl.spec @@ -197,6 +197,7 @@ Patch121: 0121-FIPS-cms-defaults.patch Patch122: 0122-CVE-2023-2650.patch # https://github.com/openssl/openssl/pull/19386 Patch123: 0123-ibmca-atexit-crash.patch +Patch125: 0125-CVE-2023-2975.patch License: ASL 2.0 URL: http://www.openssl.org/ @@ -533,6 +534,9 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco Resolves: RHEL-1780 - Forbid explicit curves when created via EVP_PKEY_fromdata Resolves: RHEL-5304 +- AES-SIV cipher implementation contains a bug that causes it to ignore empty + associated data entries (CVE-2023-2975) + Resolves: RHEL-5302 * Wed Jul 12 2023 Dmitry Belyavskiy - 1:3.0.7-24 - Make FIPS module configuration more crypto-policies friendly