Fix CVE-2022-4450

(cherry picked from commit 62201a7ceaed138fc0b84cfc590a0896fb9a64b3)
2023-12-25 09:43:23 +08:00 · 2023-12-25 09:43:23 +08:00 · 3827424024
commit 3827424024
parent 5b08e17fe7
2 changed files with 47 additions and 1 deletions
--- a/backport-CVE-2022-4450.patch
+++ b/backport-CVE-2022-4450.patch
@ -0,0 +1,41 @@
+From bbcf509bd046b34cca19c766bbddc31683d0858b Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Tue, 13 Dec 2022 14:54:55 +0000
+Subject: [PATCH] Avoid dangling ptrs in header and data params for
+ PEM_read_bio_ex
+
+In the event of a failure in PEM_read_bio_ex() we free the buffers we
+allocated for the header and data buffers. However we were not clearing
+the ptrs stored in *header and *data. Since, on success, the caller is
+responsible for freeing these ptrs this can potentially lead to a double
+free if the caller frees them even on failure.
+
+Thanks to Dawei Wang for reporting this issue.
+
+Based on a proposed patch by Kurt Roeckx.
+
+CVE-2022-4450
+
+Reviewed-by: Paul Dale <pauli@openssl.org>
+Reviewed-by: Hugo Landau <hlandau@openssl.org>
+---
+ crypto/pem/pem_lib.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
+index d416d939ea..328c30cdbb 100644
+--- a/crypto/pem/pem_lib.c
+++ b/crypto/pem/pem_lib.c
+@@ -957,7 +957,9 @@ int PEM_read_bio_ex(BIO *bp, char **name_out, char **header,
+     *data = pem_malloc(len, flags);
+     if (*header == NULL || *data == NULL) {
+         pem_free(*header, flags, 0);
+        *header = NULL;
+         pem_free(*data, flags, 0);
+        *data = NULL;
+         goto end;
+     }
+     BIO_read(headerB, *header, headerlen);
+-- 
+2.34.1
+
--- a/openresty-openssl111.spec
+++ b/openresty-openssl111.spec
@ -1,6 +1,6 @@
 Name:               openresty-openssl111
 Version:            1.1.1h
-Release:            3
+Release:            4
 Summary:            OpenSSL library for OpenResty

 Group:              Development/Libraries
@ -13,6 +13,7 @@ Source0:            https://www.openssl.org/source/openssl-%{version}.tar.gz
 Patch0:             openssl-1.1.1f-sess_set_get_cb_yield.patch
 Patch99:            0099-copy-dir.sh.patch
 Patch100:           CVE-2021-23841.patch
+Patch101:           backport-CVE-2022-4450.patch

 BuildRoot:          %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)

@ -117,6 +118,7 @@ Provides C header and static library for the debug version of OpenResty's OpenSS
 %patch0 -p1
 %patch99 -p1
 %patch100 -p1
+%patch101 -p1

 %build
 bash ./copy-dir.sh
@ -259,6 +261,9 @@ rm -rf %{buildroot}
 %attr(0755,root,root) %{openssl_prefix_debug}/lib/*.a

 %changelog
+* Sat Dec 23 2023 liningjie <liningjie@xfusion.com> - 1.1.1h-4
+- Fix CVE-2022-4450
+
 * Fri Dec 22 2023 wangxinjian <wangxinjian@xfusion.com> - 1.1.1h-3
 - fix CVE-2021-23841