CVE-2022-1473 openssl: OPENSSL_LH_flush() breaks reuse of memory

Resolves: rhbz#2089444
epel8
Dmitry Belyavskiy 2 years ago
parent b5de6bd830
commit ac312e8ff7

@ -0,0 +1,13 @@
diff --git a/crypto/lhash/lhash.c b/crypto/lhash/lhash.c
index 2a574fbfe6aa..16f482db68a9 100644
--- a/crypto/lhash/lhash.c
+++ b/crypto/lhash/lhash.c
@@ -100,6 +100,8 @@ void OPENSSL_LH_flush(OPENSSL_LHASH *lh)
}
lh->b[i] = NULL;
}
+
+ lh->num_items = 0;
}
void *OPENSSL_LH_insert(OPENSSL_LHASH *lh, void *data)

@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 3.0.1
Release: 32%{?dist}
Release: 33%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@ -119,6 +119,8 @@ Patch60: 0060-FIPS-KAT-signature-tests.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2087147
Patch61: 0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch
Patch62: 0062-Disable-EVP_PKEY_-sign-verify-in-FIPS-provider.patch
# https://github.com/openssl/openssl/pull/18141
Patch63: 0063-CVE-2022-1473.patch
License: ASL 2.0
URL: http://www.openssl.org/
@ -449,6 +451,10 @@ install -m644 %{SOURCE9} \
%ldconfig_scriptlets libs
%changelog
* Thu May 26 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-33
- CVE-2022-1473 openssl: OPENSSL_LH_flush() breaks reuse of memory
- Resolves: rhbz#2089444
* Thu May 19 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-32
- `openssl ecparam -list_curves` lists only FIPS-approved curves in FIPS mode
- Resolves: rhbz#2083240

Loading…
Cancel
Save