From df4dd7dd7feee99b0a6f9da2c0cc2538e462d019 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Tue, 30 May 2023 16:29:57 +0200
Subject: [PATCH] Fix possible DoS translating ASN.1 object identifiers

Resolves: CVE-2023-2650
---
 0122-CVE-2023-2650.patch | 30 ++++++++++++++++++++++++++++++
 openssl.spec             |  7 ++++++-
 2 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 0122-CVE-2023-2650.patch

diff --git a/0122-CVE-2023-2650.patch b/0122-CVE-2023-2650.patch
new file mode 100644
index 0000000..ba56969
--- /dev/null
+++ b/0122-CVE-2023-2650.patch
@@ -0,0 +1,30 @@
+diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c
+index 01cde00e98..c0e55197a0 100644
+--- a/crypto/objects/obj_dat.c
++++ b/crypto/objects/obj_dat.c
+@@ -443,6 +443,25 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
+     first = 1;
+     bl = NULL;
+ 
++    /*
++     * RFC 2578 (STD 58) says this about OBJECT IDENTIFIERs:
++     *
++     * > 3.5. OBJECT IDENTIFIER values
++     * >
++     * > An OBJECT IDENTIFIER value is an ordered list of non-negative
++     * > numbers. For the SMIv2, each number in the list is referred to as a
++     * > sub-identifier, there are at most 128 sub-identifiers in a value,
++     * > and each sub-identifier has a maximum value of 2^32-1 (4294967295
++     * > decimal).
++     *
++     * So a legitimate OID according to this RFC is at most (32 * 128 / 7),
++     * i.e. 586 bytes long.
++     *
++     * Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5
++     */
++    if (len > 586)
++        goto err;
++
+     while (len > 0) {
+         l = 0;
+         use_bn = 0;
diff --git a/openssl.spec b/openssl.spec
index 9dfb7f2..f6889a5 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.0.7
-Release: 19%{?dist}
+Release: 20%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -194,6 +194,7 @@ Patch118: 0118-CVE-2023-1255.patch
 Patch120: 0120-RSA-PKCS15-implicit-rejection.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2160797
 Patch121: 0121-FIPS-cms-defaults.patch
+Patch122: 0122-CVE-2023-2650.patch
 
 License: ASL 2.0
 URL: http://www.openssl.org/
@@ -517,6 +518,10 @@ install -m644 %{SOURCE9} \
 %ldconfig_scriptlets libs
 
 %changelog
+* Tue May 30 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-20
+- Fix possible DoS translating ASN.1 object identifiers
+  Resolves: CVE-2023-2650
+
 * Mon May 22 2023 Clemens Lang <cllang@redhat.com> - 1:3.0.7-19
 - Re-enable DHX keys in FIPS mode, disable FIPS 186-4 parameter validation and generation in FIPS mode
   Resolves: rhbz#2169757