Skip to content
GitLab
Explore
Sign in
Register
Primary navigation
Search or go to…
Project
aports
Manage
Activity
Members
Labels
Plan
Issues
Issue boards
Milestones
Code
Merge requests
Repository
Branches
Commits
Tags
Repository graph
Compare revisions
Build
Pipelines
Jobs
Pipeline schedules
Artifacts
Deploy
Releases
Model registry
Monitor
Service Desk
Analyze
Model experiments
Help
Help
Support
GitLab documentation
Compare GitLab plans
Community forum
Contribute to GitLab
Provide feedback
Terms and privacy
Keyboard shortcuts
?
Snippets
Groups
Projects
Show more breadcrumbs
alpine
aports
Commits
797f9176
Commit
797f9176
authored
1 year ago
by
Jakub Jirutka
Committed by
Natanael Copa
1 year ago
Browse files
Options
Downloads
Patches
Plain Diff
main/openssl: security upgrade to 3.1.2
parent
13f3cf18
No related branches found
Branches containing commit
Tags
v20200117
Tags containing commit
1 merge request
!49526
main/openssl: security upgrade to 3.1.2
Pipeline
#172932
skipped
Changes
3
Pipelines
1
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
main/openssl/APKBUILD
+5
-7
5 additions, 7 deletions
main/openssl/APKBUILD
main/openssl/CVE-2023-2975.patch
+0
-56
0 additions, 56 deletions
main/openssl/CVE-2023-2975.patch
main/openssl/CVE-2023-3446.patch
+0
-73
0 additions, 73 deletions
main/openssl/CVE-2023-3446.patch
with
5 additions
and
136 deletions
main/openssl/APKBUILD
+
5
−
7
View file @
797f9176
...
...
@@ -2,9 +2,9 @@
# Contributor: Timo Teras <timo.teras@iki.fi>
# Maintainer: Ariadne Conill <ariadne@dereferenced.org>
pkgname
=
openssl
pkgver
=
3.1.
1
pkgver
=
3.1.
2
_abiver
=
${
pkgver
%.*.*
}
pkgrel
=
3
pkgrel
=
0
pkgdesc
=
"Toolkit for Transport Layer Security (TLS)"
url
=
"https://www.openssl.org/"
arch
=
"all"
...
...
@@ -17,12 +17,12 @@ subpackages="$pkgname-dbg $pkgname-libs-static $pkgname-dev $pkgname-doc
libcrypto
$_abiver
:_libcrypto libssl
$_abiver
:_libssl"
source
=
"https://www.openssl.org/source/openssl-
$pkgver
.tar.gz
man-section.patch
CVE-2023-2975.patch
CVE-2023-3446.patch
"
builddir
=
"
$srcdir
/openssl-
$pkgver
"
# secfixes:
# 3.1.2-r0:
# - CVE-2023-3817
# 3.1.1-r3:
# - CVE-2023-3446
# 3.1.1-r2:
...
...
@@ -205,8 +205,6 @@ _libssl() {
}
sha512sums
=
"
8ba9dd6ab87451e126c19cc106ccd1643ca48667d6c37504d0ab98205fbccf855fd0db54474b4113c4c3a15215a4ef77a039fb897a69f71bcab2054b2effd1d9
openssl-3.1.
1
.tar.gz
9f41113e5537aee4c3f92711ff85fa12da080363fef0c8b8b34e5b3fc608473c6e4cadd9d8c78f2fcbe97462e51f26a0bb6781656a69ad40226e68af2cf2c762
openssl-3.1.
2
.tar.gz
8c44e990fe8a820f649631b9f81cf28225b7516065169a7f68e2dd7c067b30df9b2c6cb88fa826afbc9fcdaf156360aabf7c498d2d9ed452968815b12b004809 man-section.patch
a7bfa88c885adff916e578571e6aef6c2e20f8ca768ffedbea2d5a77dc7165859285cd78a1cccc665aa552e4c87a23f40c1d9a27db85f658d85b5cafa2c0f8fd CVE-2023-2975.patch
8841509389078570dd6e491bc3bf0778d6d4d2313d772e90b2eba8f8c47350d44ce38b345fea41f9dcf29f1d8192596ebe79d57b800d45752d500505fda9fdfd CVE-2023-3446.patch
"
This diff is collapsed.
Click to expand it.
main/openssl/CVE-2023-2975.patch
deleted
100644 → 0
+
0
−
56
View file @
13f3cf18
Patch-Source: https://github.com/openssl/openssl/commit/6a83f0c958811f07e0d11dfc6b5a6a98edfd5bdc
--
From 6a83f0c958811f07e0d11dfc6b5a6a98edfd5bdc Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Tue, 4 Jul 2023 17:30:35 +0200
Subject: [PATCH] Do not ignore empty associated data with AES-SIV mode
The AES-SIV mode allows for multiple associated data items
authenticated separately with any of these being 0 length.
The provided implementation ignores such empty associated data
which is incorrect in regards to the RFC 5297 and is also
a security issue because such empty associated data then become
unauthenticated if an application expects to authenticate them.
Fixes CVE-2023-2975
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21384)
(cherry picked from commit c426c281cfc23ab182f7d7d7a35229e7db1494d9)
---
.../implementations/ciphers/cipher_aes_siv.c | 18 +++++++++++-------
1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/providers/implementations/ciphers/cipher_aes_siv.c b/providers/implementations/ciphers/cipher_aes_siv.c
index 45010b90db2a..b396c8651a32 100644
--- a/providers/implementations/ciphers/cipher_aes_siv.c
+++ b/providers/implementations/ciphers/cipher_aes_siv.c
@@ -120,14 +120,18 @@
static int siv_cipher(void *vctx, unsigned char *out, size_t *outl,
if (!ossl_prov_is_running())
return 0;
- if (inl == 0) {
- *outl = 0;
- return 1;
- }
+ /* Ignore just empty encryption/decryption call and not AAD. */
+ if (out != NULL) {
+ if (inl == 0) {
+ if (outl != NULL)
+ *outl = 0;
+ return 1;
+ }
- if (outsize < inl) {
- ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
- return 0;
+ if (outsize < inl) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
+ return 0;
+ }
}
if (ctx->hw->cipher(ctx, out, in, inl) <= 0)
This diff is collapsed.
Click to expand it.
main/openssl/CVE-2023-3446.patch
deleted
100644 → 0
+
0
−
73
View file @
13f3cf18
Patch-Source: https://github.com/openssl/openssl/commit/fc9867c1e03c22ebf56943be205202e576aabf23
--
From fc9867c1e03c22ebf56943be205202e576aabf23 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Thu, 6 Jul 2023 16:36:35 +0100
Subject: [PATCH] Fix DH_check() excessive time with over sized modulus
The DH_check() function checks numerous aspects of the key or parameters
that have been supplied. Some of those checks use the supplied modulus
value even if it is excessively large.
There is already a maximum DH modulus size (10,000 bits) over which
OpenSSL will not generate or derive keys. DH_check() will however still
perform various tests for validity on such a large modulus. We introduce a
new maximum (32,768) over which DH_check() will just fail.
An application that calls DH_check() and supplies a key or parameters
obtained from an untrusted source could be vulnerable to a Denial of
Service attack.
The function DH_check() is itself called by a number of other OpenSSL
functions. An application calling any of those other functions may
similarly be affected. The other functions affected by this are
DH_check_ex() and EVP_PKEY_param_check().
CVE-2023-3446
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21451)
(cherry picked from commit 9e0094e2aa1b3428a12d5095132f133c078d3c3d)
---
crypto/dh/dh_check.c | 6 ++++++
include/openssl/dh.h | 6 +++++-
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
index 0b391910d6b3..84a926998e9b 100644
--- a/crypto/dh/dh_check.c
+++ b/crypto/dh/dh_check.c
@@ -152,6 +152,12 @@
int DH_check(const DH *dh, int *ret)
if (nid != NID_undef)
return 1;
+ /* Don't do any checks at all with an excessively large modulus */
+ if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
+ ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
+ return 0;
+ }
+
if (!DH_check_params(dh, ret))
return 0;
diff --git a/include/openssl/dh.h b/include/openssl/dh.h
index ec5a493da129..499f9f7109dd 100644
--- a/include/openssl/dh.h
+++ b/include/openssl/dh.h
@@ -92,7 +92,11 @@
int EVP_PKEY_CTX_get0_dh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char **ukm);
# include <openssl/dherr.h>
# ifndef OPENSSL_DH_MAX_MODULUS_BITS
-# define OPENSSL_DH_MAX_MODULUS_BITS 10000
+# define OPENSSL_DH_MAX_MODULUS_BITS 10000
+# endif
+
+# ifndef OPENSSL_DH_CHECK_MAX_MODULUS_BITS
+# define OPENSSL_DH_CHECK_MAX_MODULUS_BITS 32768
# endif
# define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
This diff is collapsed.
Click to expand it.
Natanael Copa
@ncopa
mentioned in merge request
!49500 (closed)
·
1 year ago
mentioned in merge request
!49500 (closed)
mentioned in merge request !49500
Toggle commit list
Preview
0%
Loading
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Save comment
Cancel
Please
register
or
sign in
to comment
