Date: Tue, 28 May 2024 17:04:42 GMT From: Bernard Spil <brnrd@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-branches@FreeBSD.org Subject: git: 39d063e67641 - 2024Q2 - security/openssl-quictls: Security update for CVE-2024-4741 Message-ID: <202405281704.44SH4grl010522@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch 2024Q2 has been updated by brnrd: URL: https://cgit.FreeBSD.org/ports/commit/?id=39d063e676417b935f22eccc3e4b46e9a7430205 commit 39d063e676417b935f22eccc3e4b46e9a7430205 Author: Bernard Spil <brnrd@FreeBSD.org> AuthorDate: 2024-05-28 16:53:49 +0000 Commit: Bernard Spil <brnrd@FreeBSD.org> CommitDate: 2024-05-28 17:01:33 +0000 security/openssl-quictls: Security update for CVE-2024-4741 Security: 73a697d7-1d0f-11ef-a490-84a93843eb75 MFH: 2024Q2 (cherry picked from commit 7f4862613c8752bfee5a51a6e75143d033ac6aed) --- security/openssl-quictls/Makefile | 2 +- security/openssl-quictls/files/patch-CVE-2024-4741 | 69 ++++++++++++++++++++++ 2 files changed, 70 insertions(+), 1 deletion(-) diff --git a/security/openssl-quictls/Makefile b/security/openssl-quictls/Makefile index dcbbe295d024..9afe495b48d4 100644 --- a/security/openssl-quictls/Makefile +++ b/security/openssl-quictls/Makefile @@ -1,7 +1,7 @@ PORTNAME= openssl DISTVERSIONPREFIX= ${PORTNAME}- DISTVERSION= 3.0.13 -PORTREVISION= 4 +PORTREVISION= 5 DISTVERSIONSUFFIX= -quic1 CATEGORIES= security devel PKGNAMESUFFIX= -${GH_ACCOUNT} diff --git a/security/openssl-quictls/files/patch-CVE-2024-4741 b/security/openssl-quictls/files/patch-CVE-2024-4741 new file mode 100644 index 000000000000..f4f5ca1069a1 --- /dev/null +++ b/security/openssl-quictls/files/patch-CVE-2024-4741 @@ -0,0 +1,69 @@ +From b3f0eb0a295f58f16ba43ba99dad70d4ee5c437d Mon Sep 17 00:00:00 2001 +From: Watson Ladd <watsonbladd@gmail.com> +Date: Wed, 24 Apr 2024 11:26:56 +0100 +Subject: [PATCH] Only free the read buffers if we're not using them + +If we're part way through processing a record, or the application has +not released all the records then we should not free our buffer because +they are still needed. + +CVE-2024-4741 + +Reviewed-by: Tomas Mraz <tomas@openssl.org> +Reviewed-by: Neil Horman <nhorman@openssl.org> +Reviewed-by: Matt Caswell <matt@openssl.org> +(Merged from https://github.com/openssl/openssl/pull/24395) + +(cherry picked from commit 704f725b96aa373ee45ecfb23f6abfe8be8d9177) +--- + ssl/record/rec_layer_s3.c | 9 +++++++++ + ssl/record/record.h | 1 + + ssl/ssl_lib.c | 3 +++ + 3 files changed, 13 insertions(+) + +diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c +index 4bcffcc41e364..1569997bea2d3 100644 +--- ssl/record/rec_layer_s3.c.orig ++++ ssl/record/rec_layer_s3.c +@@ -81,6 +81,15 @@ int RECORD_LAYER_read_pending(const RECORD_LAYER *rl) + return SSL3_BUFFER_get_left(&rl->rbuf) != 0; + } + ++int RECORD_LAYER_data_present(const RECORD_LAYER *rl) ++{ ++ if (rl->rstate == SSL_ST_READ_BODY) ++ return 1; ++ if (RECORD_LAYER_processed_read_pending(rl)) ++ return 1; ++ return 0; ++} ++ + /* Checks if we have decrypted unread record data pending */ + int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl) + { +diff --git a/ssl/record/record.h b/ssl/record/record.h +index 234656bf93942..b60f71c8cb23b 100644 +--- ssl/record/record.h.orig ++++ ssl/record/record.h +@@ -205,6 +205,7 @@ void RECORD_LAYER_release(RECORD_LAYER *rl); + int RECORD_LAYER_read_pending(const RECORD_LAYER *rl); + int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl); + int RECORD_LAYER_write_pending(const RECORD_LAYER *rl); ++int RECORD_LAYER_data_present(const RECORD_LAYER *rl); + void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl); + void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl); + int RECORD_LAYER_is_sslv2_record(RECORD_LAYER *rl); +diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c +index eed649c6fdee9..d14c55ae557bc 100644 +--- ssl/ssl_lib.c.orig ++++ ssl/ssl_lib.c +@@ -5492,6 +5492,9 @@ int SSL_free_buffers(SSL *ssl) + if (RECORD_LAYER_read_pending(rl) || RECORD_LAYER_write_pending(rl)) + return 0; + ++ if (RECORD_LAYER_data_present(rl)) ++ return 0; ++ + RECORD_LAYER_release(rl); + return 1; + }
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202405281704.44SH4grl010522>