openssl-1_1/openssl-CVE-2024-4741.patch

@@ -, +, @@ 
---
 ssl/record/methods/tls_common.c | 8 ++++++++
 1 file changed, 8 insertions(+)
Index: openssl-1.1.1w/ssl/record/ssl3_buffer.c
===================================================================
--- openssl-1.1.1w.orig/ssl/record/ssl3_buffer.c	2023-09-11 14:08:11.000000000 +0000
+++ openssl-1.1.1w/ssl/record/ssl3_buffer.c	2024-06-12 07:58:27.817211675 +0000
@@ -179,5 +179,7 @@ int ssl3_release_read_buffer(SSL *s)
     b = RECORD_LAYER_get_rbuf(&s->rlayer);
     OPENSSL_free(b->buf);
     b->buf = NULL;
+    s->rlayer.packet = NULL;
+    s->rlayer.packet_length = 0;
     return 1;
 }
Index: openssl-1.1.1w/ssl/record/rec_layer_s3.c
===================================================================
--- openssl-1.1.1w.orig/ssl/record/rec_layer_s3.c	2023-09-11 14:08:11.000000000 +0000
+++ openssl-1.1.1w/ssl/record/rec_layer_s3.c	2024-06-12 07:58:27.817211675 +0000
@@ -17,6 +17,7 @@
 #include "record_local.h"
 #include "../packet_local.h"
 #include "internal/cryptlib.h"
+#include "internal/cryptlib.h"
 
 #if     defined(OPENSSL_SMALL_FOOTPRINT) || \
         !(      defined(AESNI_ASM) &&   ( \
@@ -238,6 +239,12 @@ int ssl3_read_n(SSL *s, size_t n, size_t
         s->rlayer.packet_length = 0;
         /* ... now we can act as if 'extend' was set */
     }
+    if (!ossl_assert(s->rlayer.packet != NULL)) {
+        /* does not happen */
+        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_READ_N,
+                 ERR_R_INTERNAL_ERROR);
+        return -1;
+    }
 
     len = s->rlayer.packet_length;
     pkt = rb->buf + align;
- Build with no-afalgeng [bsc#1226463] - Security fix: [bsc#1227138, CVE-2024-5535] * SSL_select_next_proto buffer overread * Add openssl-CVE-2024-5535.patch - Apply "openssl-CVE-2024-4741.patch" to fix a use-after-free security vulnerability. Calling the function SSL_free_buffers() potentially caused memory to be accessed that was previously freed in some situations and a malicious attacker could attempt to engineer a stituation where this occurs to facilitate a denial-of-service attack. [CVE-2024-4741, bsc#1225551] OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=164 2024-07-25 10:07:48 +02:00			`@@ -, +, @@`
			`---`
			`ssl/record/methods/tls_common.c \| 8 ++++++++`
			`1 file changed, 8 insertions(+)`
			`Index: openssl-1.1.1w/ssl/record/ssl3_buffer.c`
			`===================================================================`
			`--- openssl-1.1.1w.orig/ssl/record/ssl3_buffer.c 2023-09-11 14:08:11.000000000 +0000`
			`+++ openssl-1.1.1w/ssl/record/ssl3_buffer.c 2024-06-12 07:58:27.817211675 +0000`
			`@@ -179,5 +179,7 @@ int ssl3_release_read_buffer(SSL *s)`
			`b = RECORD_LAYER_get_rbuf(&s->rlayer);`
			`OPENSSL_free(b->buf);`
			`b->buf = NULL;`
			`+ s->rlayer.packet = NULL;`
			`+ s->rlayer.packet_length = 0;`
			`return 1;`
			`}`
			`Index: openssl-1.1.1w/ssl/record/rec_layer_s3.c`
			`===================================================================`
			`--- openssl-1.1.1w.orig/ssl/record/rec_layer_s3.c 2023-09-11 14:08:11.000000000 +0000`
			`+++ openssl-1.1.1w/ssl/record/rec_layer_s3.c 2024-06-12 07:58:27.817211675 +0000`
			`@@ -17,6 +17,7 @@`
			`#include "record_local.h"`
			`#include "../packet_local.h"`
			`#include "internal/cryptlib.h"`
			`+#include "internal/cryptlib.h"`

			`#if defined(OPENSSL_SMALL_FOOTPRINT) \|\| \`
			`!( defined(AESNI_ASM) && ( \`
			`@@ -238,6 +239,12 @@ int ssl3_read_n(SSL *s, size_t n, size_t`
			`s->rlayer.packet_length = 0;`
			`/* ... now we can act as if 'extend' was set */`
			`}`
			`+ if (!ossl_assert(s->rlayer.packet != NULL)) {`
			`+ /* does not happen */`
			`+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_READ_N,`
			`+ ERR_R_INTERNAL_ERROR);`
			`+ return -1;`
			`+ }`

			`len = s->rlayer.packet_length;`
			`pkt = rb->buf + align;`