Accepting request 1189030 from home:pmonrealgonzalez:branches:security:tls

- Apply "openssl-CVE-2024-4741.patch" to fix a use-after-free
  security vulnerability. Calling the function SSL_free_buffers()
  potentially caused memory to be accessed that was previously
  freed in some situations and a malicious attacker could attempt
  to engineer a stituation where this occurs to facilitate a
  denial-of-service attack. [CVE-2024-4741, bsc#1225551]

OBS-URL: https://build.opensuse.org/request/show/1189030
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=107

openssl-3.changes

@@ -16,6 +16,16 @@ Mon Jul 15 05:52:07 UTC 2024 - Bernhard Wiedemann <bwiedemann@suse.com>
 - Add reproducible.patch to fix bsc#1223336
   aes-gcm-avx512.pl: fix non-reproducibility issue
 
+-------------------------------------------------------------------
+Thu Jun  6 15:12:10 UTC 2024 - Peter Simons <psimons@suse.com>
+
+- Apply "openssl-CVE-2024-4741.patch" to fix a use-after-free
+  security vulnerability. Calling the function SSL_free_buffers()
+  potentially caused memory to be accessed that was previously
+  freed in some situations and a malicious attacker could attempt
+  to engineer a stituation where this occurs to facilitate a
+  denial-of-service attack. [CVE-2024-4741, bsc#1225551]
+
 -------------------------------------------------------------------
 Wed May 29 13:30:21 UTC 2024 - Martin Wilck <mwilck@suse.com>
 

openssl-3.spec

@@ -94,10 +94,12 @@ Patch29:        openssl-CVE-2024-4603.patch
 # PATCH-FIX-UPSTREAM: bsc#1225291 NVMe/TCP TLS connection fails due to handshake failure
 Patch30:        openssl-Fix-EVP_PKEY_CTX_add1_hkdf_info-behavior.patch
 Patch31:        openssl-Handle-empty-param-in-EVP_PKEY_CTX_add1_hkdf_info.patch
+# PATCH-FIX-UPSTREAM bsc#1225551 CVE-2024-4741: use After Free with SSL_free_buffers
+Patch32:        openssl-CVE-2024-4741.patch
 # PATCH-FIX-UPSTREAM: bsc#1223336 aes-gcm-avx512.pl: fix non-reproducibility issue
-Patch32:        reproducible.patch
+Patch33:        reproducible.patch
 # PATCH-FIX-UPSTREAM: bsc#1227138 CVE-2024-5535: SSL_select_next_proto buffer overread
-Patch33:        openssl-CVE-2024-5535.patch
+Patch34:        openssl-CVE-2024-5535.patch
 BuildRequires:  pkgconfig
 %if 0%{?sle_version} >= 150400 || 0%{?suse_version} >= 1550
 BuildRequires:  ulp-macros

openssl-CVE-2024-4741.patch

@@ -0,0 +1,28 @@
+@@ -, +, @@ 
+---
+ ssl/record/methods/tls_common.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+--- openssl-3.0.8/ssl/record/ssl3_buffer.c	
++++ openssl-3.0.8/ssl/record/ssl3_buffer.c	
+@@ -186,5 +186,7 @@ int ssl3_release_read_buffer(SSL *s)
+         OPENSSL_cleanse(b->buf, b->len);
+     OPENSSL_free(b->buf);
+     b->buf = NULL;
++    s->rlayer.packet = NULL;
++    s->rlayer.packet_length = 0;
+     return 1;
+ }
+--- openssl-3.0.8/ssl/record/rec_layer_s3.c	
++++ openssl-3.0.8/ssl/record/rec_layer_s3.c	
+@@ -238,6 +238,11 @@ int ssl3_read_n(SSL *s, size_t n, size_t
+         s->rlayer.packet_length = 0;
+         /* ... now we can act as if 'extend' was set */
+     }
++    if (!ossl_assert(s->rlayer.packet != NULL)) {
++        /* does not happen */
++        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
++        return -1;
++    }
+ 
+     len = s->rlayer.packet_length;
+     pkt = rb->buf + align;