!312 fix CVE-2024-0727

From: @lixiao2023 Reviewed-by: @zcfsite Signed-off-by: @zcfsite
2024-02-04 02:27:46 +00:00 · 2024-02-04 02:27:46 +00:00 · af2b266d5c
commit af2b266d5c
parent 442189f09c 739b0b48f8
2 changed files with 116 additions and 1 deletions
--- a/backport-CVE-2024-0727-fix-pkcs12-decoding-crashes.patch
+++ b/backport-CVE-2024-0727-fix-pkcs12-decoding-crashes.patch
@ -0,0 +1,111 @@
 From 09015a582baa980dc04f635504b16fe95dc3790b Mon Sep 17 00:00:00 2001
 From: liwei <liwei3013@126.com>
 Date: Fri, 26 Jan 2024 18:45:28 +0800
 Subject: [PATCH] fix CVE-2024-0727
 Add NULL checks where ContentInfo data can be NULL
 ---
 crypto/pkcs12/p12_add.c  | 16 ++++++++++++++++
 crypto/pkcs12/p12_mutl.c |  5 +++++
 crypto/pkcs12/p12_npas.c |  5 +++--
 crypto/pkcs7/pk7_mime.c  |  8 ++++++--
 4 files changed, 30 insertions(+), 4 deletions(-)
 diff --git a/crypto/pkcs12/p12_add.c b/crypto/pkcs12/p12_add.c
 index af184c86af..9b40e5384e 100644
 --- a/crypto/pkcs12/p12_add.c
 +++ b/crypto/pkcs12/p12_add.c
@@ -76,6 +76,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7data(PKCS7 *p7)
                   PKCS12_R_CONTENT_TYPE_NOT_DATA);
         return NULL;
     }
 +
 +    if (p7->d.data == NULL) {
 +        PKCS12err(PKCS12_F_PKCS12_UNPACK_P7DATA, PKCS12_R_DECODE_ERROR);
 +        return NULL;
 +    }
 +
     return ASN1_item_unpack(p7->d.data, ASN1_ITEM_rptr(PKCS12_SAFEBAGS));
 }
@@ -132,6 +138,11 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7encdata(PKCS7 *p7, const char *pass,
 {
     if (!PKCS7_type_is_encrypted(p7))
         return NULL;
 +
 +    if (p7->d.encrypted == NULL) {
 +        return NULL;
 +    }
 +
     return PKCS12_item_decrypt_d2i(p7->d.encrypted->enc_data->algorithm,
                                    ASN1_ITEM_rptr(PKCS12_SAFEBAGS),
                                    pass, passlen,
@@ -159,6 +170,11 @@ STACK_OF(PKCS7) *PKCS12_unpack_authsafes(const PKCS12 *p12)
                   PKCS12_R_CONTENT_TYPE_NOT_DATA);
         return NULL;
     }
 +    if (p12->authsafes->d.data == NULL) {
 +        PKCS12err(PKCS12_F_PKCS12_UNPACK_AUTHSAFES, PKCS12_R_DECODE_ERROR);
 +        return NULL;
 +    }
 +
     return ASN1_item_unpack(p12->authsafes->d.data,
                             ASN1_ITEM_rptr(PKCS12_AUTHSAFES));
 }
 diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c
 index 3658003fe5..766c9c1e9d 100644
 --- a/crypto/pkcs12/p12_mutl.c
 +++ b/crypto/pkcs12/p12_mutl.c
@@ -93,6 +93,11 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
         return 0;
     }
 +    if (p12->authsafes->d.data == NULL) {
 +        PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_DECODE_ERROR);
 +        return 0;
 +    }
 +
     salt = p12->mac->salt->data;
     saltlen = p12->mac->salt->length;
     if (!p12->mac->iter)
 diff --git a/crypto/pkcs12/p12_npas.c b/crypto/pkcs12/p12_npas.c
 index 0334289a89..130337638d 100644
 --- a/crypto/pkcs12/p12_npas.c
 +++ b/crypto/pkcs12/p12_npas.c
@@ -78,8 +78,9 @@ static int newpass_p12(PKCS12 *p12, const char *oldpass, const char *newpass)
             bags = PKCS12_unpack_p7data(p7);
         } else if (bagnid == NID_pkcs7_encrypted) {
             bags = PKCS12_unpack_p7encdata(p7, oldpass, -1);
 -            if (!alg_get(p7->d.encrypted->enc_data->algorithm,
 -                         &pbe_nid, &pbe_iter, &pbe_saltlen))
 +            if (p7->d.encrypted == NULL
 +                    || !alg_get(p7->d.encrypted->enc_data->algorithm,
 +                                &pbe_nid, &pbe_iter, &pbe_saltlen))
                 goto err;
         } else {
             continue;
 diff --git a/crypto/pkcs7/pk7_mime.c b/crypto/pkcs7/pk7_mime.c
 index 19e6868148..b457108c94 100644
 --- a/crypto/pkcs7/pk7_mime.c
 +++ b/crypto/pkcs7/pk7_mime.c
@@ -30,10 +30,14 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags)
 {
     STACK_OF(X509_ALGOR) *mdalgs;
     int ctype_nid = OBJ_obj2nid(p7->type);
 -    if (ctype_nid == NID_pkcs7_signed)
 +
 +    if (ctype_nid == NID_pkcs7_signed) {
 +        if (p7->d.sign == NULL)
 +            return 0;
         mdalgs = p7->d.sign->md_algs;
 -    else
 +    } else {
         mdalgs = NULL;
 +    }
     flags ^= SMIME_OLDMIME;
 -- 
 2.28.0.1
--- a/openssl.spec
+++ b/openssl.spec
@ -2,7 +2,7 @@
 Name:        openssl
 Epoch:       1
 Version:     1.1.1wa
-Release:     2
+Release:     3
 Summary:     Cryptography and SSL/TLS Toolkit
 License:     OpenSSL and SSLeay
 URL:         https://gitee.com/openeuler/openssl
@ -13,6 +13,7 @@ Patch2:      openssl-1.1.1-fips.patch
 Patch3:      Fix-FIPS-getenv-build-failure.patch
 Patch4:      skip-some-test-cases.patch
 Patch5:      backport-Fix-OPENSSL_VERSION_NUMBER-number-problem.patch
 Patch6:      backport-CVE-2024-0727-fix-pkcs12-decoding-crashes.patch
 BuildRequires: gcc perl make lksctp-tools-devel coreutils util-linux zlib-devel
 Requires:    coreutils %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
@ -219,6 +220,9 @@ make test || :
 %ldconfig_scriptlets libs
 %changelog
 * Tue Jan 30 2024 lixiao<lixiao57@huawei.com> - 1:1.1.1wa-3
 - Fix CVE-2024-0727 PKCS12 Decoding crashes
 * Fri Dec 22 2023 wangcheng <wangcheng156@huawei.com> - 1:1.1.1wa-2
 - Fix OPENSSL_VERSION_NUMBER number problem