Accepting request 1189030 from home:pmonrealgonzalez:branches:security:tls

- Apply "openssl-CVE-2024-4741.patch" to fix a use-after-free security vulnerability. Calling the function SSL_free_buffers() potentially caused memory to be accessed that was previously freed in some situations and a malicious attacker could attempt to engineer a stituation where this occurs to facilitate a denial-of-service attack. [CVE-2024-4741, bsc#1225551] OBS-URL: https://build.opensuse.org/request/show/1189030 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=107
2024-07-22 13:04:55 +00:00 · 2024-07-22 13:04:55 +00:00 · 4bad59c768
commit 4bad59c768
parent aa970d108e
3 changed files with 42 additions and 2 deletions
--- a/openssl-3.changes
+++ b/openssl-3.changes
@ -16,6 +16,16 @@ Mon Jul 15 05:52:07 UTC 2024 - Bernhard Wiedemann <bwiedemann@suse.com>
 - Add reproducible.patch to fix bsc#1223336
  aes-gcm-avx512.pl: fix non-reproducibility issue

+-------------------------------------------------------------------
+Thu Jun  6 15:12:10 UTC 2024 - Peter Simons <psimons@suse.com>
+
+- Apply "openssl-CVE-2024-4741.patch" to fix a use-after-free
+  security vulnerability. Calling the function SSL_free_buffers()
+  potentially caused memory to be accessed that was previously
+  freed in some situations and a malicious attacker could attempt
+  to engineer a stituation where this occurs to facilitate a
+  denial-of-service attack. [CVE-2024-4741, bsc#1225551]
+
 -------------------------------------------------------------------
 Wed May 29 13:30:21 UTC 2024 - Martin Wilck <mwilck@suse.com>

--- a/openssl-3.spec
+++ b/openssl-3.spec
@ -94,10 +94,12 @@ Patch29:        openssl-CVE-2024-4603.patch
 # PATCH-FIX-UPSTREAM: bsc#1225291 NVMe/TCP TLS connection fails due to handshake failure
 Patch30:        openssl-Fix-EVP_PKEY_CTX_add1_hkdf_info-behavior.patch
 Patch31:        openssl-Handle-empty-param-in-EVP_PKEY_CTX_add1_hkdf_info.patch
+# PATCH-FIX-UPSTREAM bsc#1225551 CVE-2024-4741: use After Free with SSL_free_buffers
+Patch32:        openssl-CVE-2024-4741.patch
 # PATCH-FIX-UPSTREAM: bsc#1223336 aes-gcm-avx512.pl: fix non-reproducibility issue
-Patch32:        reproducible.patch
+Patch33:        reproducible.patch
 # PATCH-FIX-UPSTREAM: bsc#1227138 CVE-2024-5535: SSL_select_next_proto buffer overread
-Patch33:        openssl-CVE-2024-5535.patch
+Patch34:        openssl-CVE-2024-5535.patch
 BuildRequires:  pkgconfig
 %if 0%{?sle_version} >= 150400 || 0%{?suse_version} >= 1550
 BuildRequires:  ulp-macros
--- a/openssl-CVE-2024-4741.patch
+++ b/openssl-CVE-2024-4741.patch
@ -0,0 +1,28 @@
+@@ -, +, @@ 
+---
+ ssl/record/methods/tls_common.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+--- openssl-3.0.8/ssl/record/ssl3_buffer.c	
+++ openssl-3.0.8/ssl/record/ssl3_buffer.c	
+@@ -186,5 +186,7 @@ int ssl3_release_read_buffer(SSL *s)
+         OPENSSL_cleanse(b->buf, b->len);
+     OPENSSL_free(b->buf);
+     b->buf = NULL;
+    s->rlayer.packet = NULL;
+    s->rlayer.packet_length = 0;
+     return 1;
+ }
+--- openssl-3.0.8/ssl/record/rec_layer_s3.c	
+++ openssl-3.0.8/ssl/record/rec_layer_s3.c	
+@@ -238,6 +238,11 @@ int ssl3_read_n(SSL *s, size_t n, size_t
+         s->rlayer.packet_length = 0;
+         /* ... now we can act as if 'extend' was set */
+     }
+    if (!ossl_assert(s->rlayer.packet != NULL)) {
+        /* does not happen */
+        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+        return -1;
+    }
+ 
+     len = s->rlayer.packet_length;
+     pkt = rb->buf + align;