pkgsrc-Changes archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
CVS commit: [pkgsrc-2022Q4] pkgsrc/security/openssl
Module Name: pkgsrc
Committed By: bsiegert
Date: Mon Mar 13 15:12:47 UTC 2023
Modified Files:
pkgsrc/security/openssl [pkgsrc-2022Q4]: Makefile builtin.mk distinfo
Log Message:
Pullup ticket #6740 - requested by he
security/openssl: security fix
Revisions pulled up:
- security/openssl/Makefile 1.287
- security/openssl/builtin.mk 1.51
- security/openssl/distinfo 1.165
---
Module Name: pkgsrc
Committed By: jperkin
Date: Tue Feb 7 16:34:42 UTC 2023
Modified Files:
pkgsrc/security/openssl: Makefile builtin.mk distinfo
Log Message:
openssl: Update to 1.1.1t.
Changes between 1.1.1s and 1.1.1t [7 Feb 2023]
*) Fixed X.400 address type confusion in X.509 GeneralName.
There is a type confusion vulnerability relating to X.400 address processing
inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING
but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This
vulnerability may allow an attacker who can provide a certificate chain and
CRL (neither of which need have a valid signature) to pass arbitrary
pointers to a memcmp call, creating a possible read primitive, subject to
some constraints. Refer to the advisory for more information. Thanks to
David Benjamin for discovering this issue. (CVE-2023-0286)
This issue has been fixed by changing the public header file definition of
GENERAL_NAME so that x400Address reflects the implementation. It was not
possible for any existing application to successfully use the existing
definition; however, if any application references the x400Address field
(e.g. in dead code), note that the type of this field has changed. There is
no ABI change.
[Hugo Landau]
*) Fixed Use-after-free following BIO_new_NDEF.
The public API function BIO_new_NDEF is a helper function used for
streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL
to support the SMIME, CMS and PKCS7 streaming capabilities, but may also
be called directly by end user applications.
The function receives a BIO from the caller, prepends a new BIO_f_asn1
filter BIO onto the front of it to form a BIO chain, and then returns
the new head of the BIO chain to the caller. Under certain conditions,
for example if a CMS recipient public key is invalid, the new filter BIO
is freed and the function returns a NULL result indicating a failure.
However, in this case, the BIO chain is not properly cleaned up and the
BIO passed by the caller still retains internal pointers to the previously
freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO
then a use-after-free will occur. This will most likely result in a crash.
(CVE-2023-0215)
[Viktor Dukhovni, Matt Caswell]
*) Fixed Double free after calling PEM_read_bio_ex.
The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and
decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload
data. If the function succeeds then the "name_out", "header" and "data"
arguments are populated with pointers to buffers containing the relevant
decoded data. The caller is responsible for freeing those buffers. It is
possible to construct a PEM file that results in 0 bytes of payload data.
In this case PEM_read_bio_ex() will return a failure code but will populate
the header argument with a pointer to a buffer that has already been freed.
If the caller also frees this buffer then a double free will occur. This
will most likely lead to a crash.
The functions PEM_read_bio() and PEM_read() are simple wrappers around
PEM_read_bio_ex() and therefore these functions are also directly affected.
These functions are also called indirectly by a number of other OpenSSL
functions including PEM_X509_INFO_read_bio_ex() and
SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL
internal uses of these functions are not vulnerable because the caller does
not free the header argument if PEM_read_bio_ex() returns a failure code.
(CVE-2022-4450)
[Kurt Roeckx, Matt Caswell]
*) Fixed Timing Oracle in RSA Decryption.
A timing based side channel exists in the OpenSSL RSA Decryption
implementation which could be sufficient to recover a plaintext across
a network in a Bleichenbacher style attack. To achieve a successful
decryption an attacker would have to be able to send a very large number
of trial messages for decryption. The vulnerability affects all RSA padding
modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.
(CVE-2022-4304)
[Dmitry Belyavsky, Hubert Kario]
To generate a diff of this commit:
cvs rdiff -u -r1.286 -r1.286.2.1 pkgsrc/security/openssl/Makefile
cvs rdiff -u -r1.49 -r1.49.2.1 pkgsrc/security/openssl/builtin.mk
cvs rdiff -u -r1.164 -r1.164.2.1 pkgsrc/security/openssl/distinfo
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/security/openssl/Makefile
diff -u pkgsrc/security/openssl/Makefile:1.286 pkgsrc/security/openssl/Makefile:1.286.2.1
--- pkgsrc/security/openssl/Makefile:1.286 Sat Nov 5 18:42:00 2022
+++ pkgsrc/security/openssl/Makefile Mon Mar 13 15:12:47 2023
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.286 2022/11/05 18:42:00 wiz Exp $
+# $NetBSD: Makefile,v 1.286.2.1 2023/03/13 15:12:47 bsiegert Exp $
# Remember to upload-distfiles when updating OpenSSL -- otherwise it
# is not possible for users who have bootstrapped without OpenSSL
# to install it and enable HTTPS fetching.
-DISTNAME= openssl-1.1.1s
+DISTNAME= openssl-1.1.1t
CATEGORIES= security
MASTER_SITES= https://www.openssl.org/source/
Index: pkgsrc/security/openssl/builtin.mk
diff -u pkgsrc/security/openssl/builtin.mk:1.49 pkgsrc/security/openssl/builtin.mk:1.49.2.1
--- pkgsrc/security/openssl/builtin.mk:1.49 Sat Nov 5 18:43:00 2022
+++ pkgsrc/security/openssl/builtin.mk Mon Mar 13 15:12:47 2023
@@ -1,4 +1,4 @@
-# $NetBSD: builtin.mk,v 1.49 2022/11/05 18:43:00 wiz Exp $
+# $NetBSD: builtin.mk,v 1.49.2.1 2023/03/13 15:12:47 bsiegert Exp $
BUILTIN_PKG:= openssl
@@ -26,7 +26,7 @@ MAKEVARS+= IS_BUILTIN.openssl
### a package name to represent the built-in package.
###
.if !defined(BUILTIN_PKG.openssl) && \
- ${IS_BUILTIN.openssl:M[yY][eE][sS]} && \
+ ${IS_BUILTIN.openssl:tl} == yes && \
empty(H_OPENSSLV:M__nonexistent__)
BUILTIN_VERSION.openssl!= \
${AWK} 'BEGIN { hex="0123456789abcdef"; \
@@ -61,7 +61,7 @@ MAKEVARS+= BUILTIN_PKG.openssl
MAKEVARS+= BUILTIN_VERSION.openssl
.if !defined(BUILTIN_OPENSSL_HAS_THREADS) && \
- ${IS_BUILTIN.openssl:M[yY][eE][sS]} && \
+ ${IS_BUILTIN.openssl:tl} == yes && \
empty(H_OPENSSLCONF:M__nonexistent__)
BUILTIN_OPENSSL_HAS_THREADS!= \
${AWK} 'BEGIN { ans = "no" } \
@@ -82,15 +82,15 @@ USE_BUILTIN.openssl= no
. else
USE_BUILTIN.openssl= ${IS_BUILTIN.openssl}
. if defined(BUILTIN_PKG.openssl) && \
- ${IS_BUILTIN.openssl:M[yY][eE][sS]}
+ ${IS_BUILTIN.openssl:tl} == yes
USE_BUILTIN.openssl= yes
### take care builtin check case, BUILDLINK_API_DEPENDS may not be defined yet.
CHECK_BUILTIN.openssl?= no
-. if ${CHECK_BUILTIN.openssl:M[yY][eE][sS]}
+. if ${CHECK_BUILTIN.openssl:tl} == yes
BUILDLINK_API_DEPENDS.openssl?= openssl>=1.1.1
. endif
. for dep_ in ${BUILDLINK_API_DEPENDS.openssl}
-. if ${USE_BUILTIN.openssl:M[yY][eE][sS]}
+. if ${USE_BUILTIN.openssl:tl} == yes
USE_BUILTIN.openssl!= \
if ${PKG_ADMIN} pmatch ${dep_:Q} ${BUILTIN_PKG.openssl:Q}; then \
${ECHO} yes; \
@@ -100,7 +100,7 @@ USE_BUILTIN.openssl!= \
. endif
. endfor
. endif
-. if ${IS_BUILTIN.openssl:M[yY][eE][sS]} && \
+. if ${IS_BUILTIN.openssl:tl} == yes && \
defined(USE_FEATURES.openssl)
. if !empty(USE_FEATURES.openssl:Mthreads) && \
!empty(BUILTIN_OPENSSL_HAS_THREADS:M[nN][oO])
@@ -116,9 +116,9 @@ MAKEVARS+= USE_BUILTIN.openssl
### solely to determine whether a built-in implementation exists.
###
CHECK_BUILTIN.openssl?= no
-.if ${CHECK_BUILTIN.openssl:M[nN][oO]}
+.if ${CHECK_BUILTIN.openssl:tl} == no
-. if ${USE_BUILTIN.openssl:M[yY][eE][sS]}
+. if ${USE_BUILTIN.openssl:tl} == yes
. if empty(H_OPENSSLV:M__nonexistent__)
. if !empty(H_OPENSSLV:M/usr/sfw/*)
BUILDLINK_PREFIX.openssl= /usr/sfw
@@ -135,7 +135,7 @@ BUILDLINK_PREFIX.openssl= /boot/common
. if defined(PKG_SYSCONFDIR.openssl)
SSLDIR= ${PKG_SYSCONFDIR.openssl}
-. elif ${USE_BUILTIN.openssl:M[yY][eE][sS]}
+. elif ${USE_BUILTIN.openssl:tl} == yes
. if ${OPSYS} == "NetBSD"
SSLDIR= /etc/openssl
. elif ${OPSYS} == "Linux"
@@ -174,7 +174,7 @@ BUILD_DEFS+= SSLDIR SSLCERTS SSLCERTBUND
# create pc files for builtin version; other versions assumed to contain them
# If we are using the builtin version, check whether it has a *.pc
# files or not. If the latter, generate fake ones.
-. if ${USE_BUILTIN.openssl:M[Yy][Ee][Ss]}
+. if ${USE_BUILTIN.openssl:tl} == yes
BUILDLINK_TARGETS+= openssl-fake-pc
. if !defined(HAS_OPENSSL_FAKE_PC)
Index: pkgsrc/security/openssl/distinfo
diff -u pkgsrc/security/openssl/distinfo:1.164 pkgsrc/security/openssl/distinfo:1.164.2.1
--- pkgsrc/security/openssl/distinfo:1.164 Sat Nov 5 18:42:00 2022
+++ pkgsrc/security/openssl/distinfo Mon Mar 13 15:12:47 2023
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.164 2022/11/05 18:42:00 wiz Exp $
+$NetBSD: distinfo,v 1.164.2.1 2023/03/13 15:12:47 bsiegert Exp $
-BLAKE2s (openssl-1.1.1s.tar.gz) = 745dcf07ed1abea12b4c7aa5cc9cb9edb724c4f1117499b87f251ac01f0ffada
-SHA512 (openssl-1.1.1s.tar.gz) = 2ef983f166b5e1bf456ca37938e7e39d58d4cd85e9fc4b5174a05f5c37cc5ad89c3a9af97a6919bcaab128a8a92e4bdc8a045e5d9156d90768da8f73ac67c5b9
-Size (openssl-1.1.1s.tar.gz) = 9868981 bytes
+BLAKE2s (openssl-1.1.1t.tar.gz) = ef41c557d0e29387b2e6e41349054c1f45e0ab6a208070450c42bc0491ec7b2e
+SHA512 (openssl-1.1.1t.tar.gz) = 628676c9c3bc1cf46083d64f61943079f97f0eefd0264042e40a85dbbd988f271bfe01cd1135d22cc3f67a298f1d078041f8f2e97b0da0d93fe172da573da18c
+Size (openssl-1.1.1t.tar.gz) = 9881866 bytes
SHA1 (patch-Configurations_shared-info.pl) = 0e835f6e343b5d05ef9a0e6ef2a195201262d15c
SHA1 (patch-Configurations_unix-Makefile.tmpl) = 3f47dd453381485aeb6c37dc53f932428fdcef50
SHA1 (patch-Configure) = 479f1bc826f7721f6b44d6b5a6cf460432924bf2
Home |
Main Index |
Thread Index |
Old Index