openssl: Fix CVE-2023-0465

Add patch to fix CVE-2023-0465 Link: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b013765abfa80036dc779dd0e50602c57bb3bf95 (From OE-Core rev: cbca55301bb065a6506e65cf64cc90b598e39789) Signed-off-by: Omkar Patil <omkar.patil@kpit.com> Signed-off-by: Omkar Patil <omkarpatil10.93@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Omkar Patil <omkar.patil@kpit.com> 2023-04-26 13:17:22 +0530
committer: Steve Sakoman <steve@sakoman.com> 2023-05-03 04:09:42 -1000
commit: 56c03791cdbd22521733e12a0b6af7a1c04b3100 (patch)
tree: 4f837cef95e67bc10fdb740cfe0b142ab82d34a1
parent: acd638685c5a8d6ceca0592d50dd7891baf0eaff (diff)
download: poky-56c03791cdbd22521733e12a0b6af7a1c04b3100.tar.gz
2 files changed, 61 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-0465.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-0465.patch
new file mode 100644
index 0000000000..be5068074e
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2023-0465.patch
@@ -0,0 +1,60 @@
+From b013765abfa80036dc779dd0e50602c57bb3bf95 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Tue, 7 Mar 2023 16:52:55 +0000
+Subject: [PATCH] Ensure that EXFLAG_INVALID_POLICY is checked even in leaf
+ certs
+Even though we check the leaf cert to confirm it is valid, we
+later ignored the invalid flag and did not notice that the leaf
+cert was bad.
+Fixes: CVE-2023-0465
+Reviewed-by: Hugo Landau <hlandau@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/20588)
+CVE: CVE-2023-0465
+Upstream-Status: Backport [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b013765abfa80036dc779dd0e50602c57bb3bf95]
+Comment: Refreshed first hunk
+Signed-off-by: Omkar Patil <omkar.patil@kpit.com>
+---
+ crypto/x509/x509_vfy.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
+index 925fbb5412..1dfe4f9f31 100644
+--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
+@@ -1649,18 +1649,25 @@
+     }
+     /* Invalid or inconsistent extensions */
+     if (ret == X509_PCY_TREE_INVALID) {
+-        int i;
+        int i, cbcalled = 0;
+ 
+         /* Locate certificates with bad extensions and notify callback. */
+-        for (i = 1; i < sk_X509_num(ctx->chain); i++) {
+        for (i = 0; i < sk_X509_num(ctx->chain); i++) {
+             X509 *x = sk_X509_value(ctx->chain, i);
+ 
+             if (!(x->ex_flags & EXFLAG_INVALID_POLICY))
+                 continue;
+            cbcalled = 1;
+             if (!verify_cb_cert(ctx, x, i,
+                                 X509_V_ERR_INVALID_POLICY_EXTENSION))
+                 return 0;
+         }
+        if (!cbcalled) {
+            /* Should not be able to get here */
+            X509err(X509_F_CHECK_POLICY, ERR_R_INTERNAL_ERROR);
+            return 0;
+        }
+        /* The callback ignored the error so we return success */
+         return 1;
+     }
+     if (ret == X509_PCY_TREE_FAILURE) {
+-- 
+2.34.1
diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1t.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1t.bb
index 94cb458508..254cc9bc8d 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.1.1t.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.1.1t.bb
@@ -19,6 +19,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
           file://reproducible.patch \
           file://reproducibility.patch \
           file://CVE-2023-0464.patch \
+           file://CVE-2023-0465.patch \
           "
 SRC_URI_append_class-nativesdk = " \
author	Omkar Patil <omkar.patil@kpit.com>	2023-04-26 13:17:22 +0530
committer	Steve Sakoman <steve@sakoman.com>	2023-05-03 04:09:42 -1000
commit	56c03791cdbd22521733e12a0b6af7a1c04b3100 (patch)
tree	4f837cef95e67bc10fdb740cfe0b142ab82d34a1
parent	acd638685c5a8d6ceca0592d50dd7891baf0eaff (diff)
download	poky-56c03791cdbd22521733e12a0b6af7a1c04b3100.tar.gz

diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-0465.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-0465.patch new file mode 100644 index 0000000000..be5068074e --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2023-0465.patch
@@ -0,0 +1,60 @@
		1	From b013765abfa80036dc779dd0e50602c57bb3bf95 Mon Sep 17 00:00:00 2001
		2	From: Matt Caswell <matt@openssl.org>
		3	Date: Tue, 7 Mar 2023 16:52:55 +0000
		4	Subject: [PATCH] Ensure that EXFLAG_INVALID_POLICY is checked even in leaf
		5	certs
		6
		7	Even though we check the leaf cert to confirm it is valid, we
		8	later ignored the invalid flag and did not notice that the leaf
		9	cert was bad.
		10
		11	Fixes: CVE-2023-0465
		12
		13	Reviewed-by: Hugo Landau <hlandau@openssl.org>
		14	Reviewed-by: Tomas Mraz <tomas@openssl.org>
		15	(Merged from https://github.com/openssl/openssl/pull/20588)
		16
		17	CVE: CVE-2023-0465
		18	Upstream-Status: Backport [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b013765abfa80036dc779dd0e50602c57bb3bf95]
		19	Comment: Refreshed first hunk
		20	Signed-off-by: Omkar Patil <omkar.patil@kpit.com>
		21
		22	---
		23	crypto/x509/x509_vfy.c \| 11 +++++++++--
		24	1 file changed, 9 insertions(+), 2 deletions(-)
		25
		26	diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
		27	index 925fbb5412..1dfe4f9f31 100644
		28	--- a/crypto/x509/x509_vfy.c
		29	+++ b/crypto/x509/x509_vfy.c
		30	@@ -1649,18 +1649,25 @@
		31	}
		32	/* Invalid or inconsistent extensions */
		33	if (ret == X509_PCY_TREE_INVALID) {
		34	- int i;
		35	+ int i, cbcalled = 0;
		36
		37	/* Locate certificates with bad extensions and notify callback. */
		38	- for (i = 1; i < sk_X509_num(ctx->chain); i++) {
		39	+ for (i = 0; i < sk_X509_num(ctx->chain); i++) {
		40	X509 *x = sk_X509_value(ctx->chain, i);
		41
		42	if (!(x->ex_flags & EXFLAG_INVALID_POLICY))
		43	continue;
		44	+ cbcalled = 1;
		45	if (!verify_cb_cert(ctx, x, i,
		46	X509_V_ERR_INVALID_POLICY_EXTENSION))
		47	return 0;
		48	}
		49	+ if (!cbcalled) {
		50	+ /* Should not be able to get here */
		51	+ X509err(X509_F_CHECK_POLICY, ERR_R_INTERNAL_ERROR);
		52	+ return 0;
		53	+ }
		54	+ /* The callback ignored the error so we return success */
		55	return 1;
		56	}
		57	if (ret == X509_PCY_TREE_FAILURE) {
		58	--
		59	2.34.1
		60


diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1t.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1t.bb index 94cb458508..254cc9bc8d 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.1.1t.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1t.bb
@@ -19,6 +19,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
19	file://reproducible.patch \	19	file://reproducible.patch \
20	file://reproducibility.patch \	20	file://reproducibility.patch \
21	file://CVE-2023-0464.patch \	21	file://CVE-2023-0464.patch \
		22	file://CVE-2023-0465.patch \
22	"	23	"
23		24
24	SRC_URI_append_class-nativesdk = " \	25	SRC_URI_append_class-nativesdk = " \