Date: Mon, 14 Dec 2020 21:30:05 GMT From: Gordon Tetlow <gordon@FreeBSD.org> To: doc-committers@FreeBSD.org, dev-commits-doc-all@FreeBSD.org Subject: git: 925bca73c9 - Add updated text and patch for FreeBSD-SA-20:33.openssl Message-ID: <202012142130.0BELU5eO007084@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by gordon (src committer): URL: https://cgit.FreeBSD.org/doc/commit/?id=925bca73c9bf41120bf358f0c30c69775f34fd69 commit 925bca73c9bf41120bf358f0c30c69775f34fd69 Author: Gordon Tetlow <gordon@FreeBSD.org> AuthorDate: 2020-12-14 21:28:07 +0000 Commit: Gordon Tetlow <gordon@FreeBSD.org> CommitDate: 2020-12-14 21:28:07 +0000 Add updated text and patch for FreeBSD-SA-20:33.openssl Approved by: so --- .../advisories/FreeBSD-SA-20:33.openssl.asc | 53 +++--- share/security/patches/SA-20:33/openssl.11.patch | 204 +++++++++++++++++++++ .../security/patches/SA-20:33/openssl.11.patch.asc | 18 ++ 3 files changed, 254 insertions(+), 21 deletions(-) diff --git a/share/security/advisories/FreeBSD-SA-20:33.openssl.asc b/share/security/advisories/FreeBSD-SA-20:33.openssl.asc index e5b703dcb6..48c1d14f50 100644 --- a/share/security/advisories/FreeBSD-SA-20:33.openssl.asc +++ b/share/security/advisories/FreeBSD-SA-20:33.openssl.asc @@ -14,22 +14,25 @@ Affects: All supported versions of FreeBSD. Corrected: 2020-12-08 18:28:49 UTC (stable/12, 12.2-STABLE) 2020-12-08 19:10:40 UTC (releng/12.2, 12.2-RELEASE-p2) 2020-12-08 19:10:40 UTC (releng/12.1, 12.1-RELEASE-p12) + 2020-12-10 23:43:29 UTC (stable/11, 11.4-STABLE) + 2020-12-14 21:20:55 UTC (releng/11.4, 11.4-RELEASE-p6) CVE Name: CVE-2020-1971 Note: The OpenSSL project has published publicly available patches for -versions included in FreeBSD 12.x. This vulnerability is also known to -affect OpenSSL versions included in FreeBSD 11.4. However, the OpenSSL -project is only giving patches for that version to premium support contract -holders. The FreeBSD project does not have access to these patches and -recommends FreeBSD 11.4 users to either upgrade to FreeBSD 12.x or leverage -up to date versions of OpenSSL in the ports/pkg system. The FreeBSD Project -may update this advisory to include FreeBSD 11.4 should patches become -publicly available. +versions included in FreeBSD 12.x. FreeBSD 11.x includes an older OpenSSL +version, and patches for that version from from the OpenSSL project are +only available to premium support contract holders. This advisory includes +an independently-developed backport of the patch for FreeBSD 11.4. For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>. +0. Revision History + +v1.0 2020-12-08 Initial release. +v1.1 2020-12-14 Added FreeBSD 11.4 patch. + I. Background FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a @@ -80,10 +83,16 @@ FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. +[FreeBSD 12.2, FreeBSD 12.1] # fetch https://security.FreeBSD.org/patches/SA-20:33/openssl.patch # fetch https://security.FreeBSD.org/patches/SA-20:33/openssl.patch.asc # gpg --verify openssl.patch.asc +[FreeBSD 11.4] +# fetch https://security.FreeBSD.org/patches/SA-20:33/openssl.11.patch +# fetch https://security.FreeBSD.org/patches/SA-20:33/openssl.11.patch.asc +# gpg --verify openssl.11.patch.asc + b) Apply the patch. Execute the following commands as root: # cd /usr/src @@ -104,6 +113,8 @@ Branch/path Revision stable/12/ r368459 releng/12.2/ r368463 releng/12.1/ r368463 +stable/11/ r368530 +releng/11.4/ r368643 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the @@ -126,19 +137,19 @@ The latest revision of this advisory is available at <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:33.openssl.asc> -----BEGIN PGP SIGNATURE----- -iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl/P6+RfFIAAAAAALgAo +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl/X2AhfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n -5cI4zQ//dy/tBaAq+kvGkWry74LzvqdZ5c0IIWH1UIrDab0wgmj8H5siP3Rpp7OB -GKtpA+gDDmIgbe80fD+L6L5LR59wBU3sfyYPIcKIbPGl4ix2C5HK7reGns1qoX+O -BFJd3gyPVeq4FD5/+btynyom8lcR//ta4dKKz2TERfd27iL8fM0AoLl+JI/axzJS -d06Z2kA0gRo528DsVRsTbiZFINfhGm8wzeXYpAxwbpnedswOeukOxTsKXrdtSAy+ -BCq5BHdBxL/z4A2QLlrsYqpQH0Ty77ueGjqrq4QPFwq7dxSMDkfzz+YeGPKAvGsU -lwyE2LlkP+531y4ueeGs5K6zRk8jDn7hJs+HfAtTy7y6d+VX9h7wRSssozC9DsV4 -87OWHkXOEj5LeDRDfrEKVLx+QBqRcOOY6mkT3mb5dB7o9bmqxtjf3CaQaA7eV7Y8 -a9QJvpO37m1ZpCC/kXACUPwmwbc5q8sjOsAcQiRAVeom6coFwDxs9u+yHX3uCLRJ -zorgaLgce/c7yLUoQ/bA1/bfuOE7qIwxK7JosZSxv59CvavAhN/hBUcuL7CPCGrP -u9LyYGPoYLXUj4CBKI7FmGkQVhNCLDhUYdvrVyRbTy3hihi1VtbFEZ8Dhipm4nL7 -Oko1LxjLb1dJiHEj9kHtNWRmhueuErxkgA+GWLlsJpjlGlC/YAU= -=5e1s +5cLRqQ/8DWGkrFkYn1mpbePFaWFkb2Gt9wexPjfa7oFVSPirHwEFFF1yr5p5hTNF +lPyDeSmif5DsAa1fm5CqIVDc9R+kvs8QBfuvD6dRTDW0NSSjPILtBd+7DpnejGKY +DGP9Q9aV8pniyJ029vduReF/U0VX/VtHuujYMZBBeXTcfWW1+/olMw0nkMno+3j/ +PFflN1d7Kj66b+RjqdIav72vuEmp0nzm8VlL4Sn53Im6TJuGg+24uCj2oCKmMfiR +6mrS9D6H6/8VyAEI7aFfz52TN/Cuqx5U5HjonjRsnKCN/8tST6nxZ3MQ3F6eJRU6 +Tqzd9c1iYm9bWYWTpqtDx2dASiIICQeEj8f42RavU+BfpER9rKQi/pcJk/9ISu2L +/EOmH735v1dWd5PVZiVQinx+v/Os5pCzAZEOxA4rI7prAFvnX2q7XsJI914p87FR +SGwMy/cN7b23rJFLwNp29tpAJhaz9Ac/vAJwvUKEaoGqvcEC8zOPykMcOhcHXONq +fXJWgkl/N8fkyKrSfFZkKF5r4aQGsuyaZje1YmrpWIOr/jzV9qL4CAvUhx116yJb +XelP+aaXBD82kM3J0Ddivaz+/dP5ng/XUADJvAYzZ1g7N9fxYjLGF6nRJ3eXKuno +NQfYPIYAc1TKYAU+k6pbxqQkVuYtTxHCSXdvUGMjh0scZArU8/s= +=LaWf -----END PGP SIGNATURE----- diff --git a/share/security/patches/SA-20:33/openssl.11.patch b/share/security/patches/SA-20:33/openssl.11.patch new file mode 100644 index 0000000000..d3f677651d --- /dev/null +++ b/share/security/patches/SA-20:33/openssl.11.patch @@ -0,0 +1,204 @@ +--- crypto/openssl/crypto/asn1/asn1.h.orig ++++ crypto/openssl/crypto/asn1/asn1.h +@@ -1203,6 +1203,7 @@ + # define ASN1_F_ASN1_ITEM_DUP 191 + # define ASN1_F_ASN1_ITEM_EX_COMBINE_NEW 121 + # define ASN1_F_ASN1_ITEM_EX_D2I 120 ++# define ASN1_F_ASN1_ITEM_EX_I2D 224 + # define ASN1_F_ASN1_ITEM_I2D_BIO 192 + # define ASN1_F_ASN1_ITEM_I2D_FP 193 + # define ASN1_F_ASN1_ITEM_PACK 198 +@@ -1304,6 +1305,7 @@ + # define ASN1_R_BAD_OBJECT_HEADER 102 + # define ASN1_R_BAD_PASSWORD_READ 103 + # define ASN1_R_BAD_TAG 104 ++# define ASN1_R_BAD_TEMPLATE 221 + # define ASN1_R_BMPSTRING_IS_WRONG_LENGTH 214 + # define ASN1_R_BN_LIB 105 + # define ASN1_R_BOOLEAN_IS_WRONG_LENGTH 106 +--- crypto/openssl/crypto/asn1/asn1_err.c.orig ++++ crypto/openssl/crypto/asn1/asn1_err.c +@@ -1,6 +1,6 @@ + /* crypto/asn1/asn1_err.c */ + /* ==================================================================== +- * Copyright (c) 1999-2018 The OpenSSL Project. All rights reserved. ++ * Copyright (c) 1999-2020 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions +@@ -103,6 +103,7 @@ + {ERR_FUNC(ASN1_F_ASN1_ITEM_DUP), "ASN1_item_dup"}, + {ERR_FUNC(ASN1_F_ASN1_ITEM_EX_COMBINE_NEW), "ASN1_ITEM_EX_COMBINE_NEW"}, + {ERR_FUNC(ASN1_F_ASN1_ITEM_EX_D2I), "ASN1_ITEM_EX_D2I"}, ++ {ERR_FUNC(ASN1_F_ASN1_ITEM_EX_I2D), "ASN1_item_ex_i2d"}, + {ERR_FUNC(ASN1_F_ASN1_ITEM_I2D_BIO), "ASN1_item_i2d_bio"}, + {ERR_FUNC(ASN1_F_ASN1_ITEM_I2D_FP), "ASN1_item_i2d_fp"}, + {ERR_FUNC(ASN1_F_ASN1_ITEM_PACK), "ASN1_item_pack"}, +@@ -207,6 +208,7 @@ + {ERR_REASON(ASN1_R_BAD_OBJECT_HEADER), "bad object header"}, + {ERR_REASON(ASN1_R_BAD_PASSWORD_READ), "bad password read"}, + {ERR_REASON(ASN1_R_BAD_TAG), "bad tag"}, ++ {ERR_REASON(ASN1_R_BAD_TEMPLATE), "bad template"}, + {ERR_REASON(ASN1_R_BMPSTRING_IS_WRONG_LENGTH), + "bmpstring is wrong length"}, + {ERR_REASON(ASN1_R_BN_LIB), "bn lib"}, +--- crypto/openssl/crypto/asn1/tasn_dec.c.orig ++++ crypto/openssl/crypto/asn1/tasn_dec.c +@@ -223,6 +223,15 @@ + break; + + case ASN1_ITYPE_MSTRING: ++ /* ++ * It never makes sense for multi-strings to have implicit tagging, so ++ * if tag != -1, then this looks like an error in the template. ++ */ ++ if (tag != -1) { ++ ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_BAD_TEMPLATE); ++ goto err; ++ } ++ + p = *in; + /* Just read in tag and class */ + ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, NULL, +@@ -240,6 +249,7 @@ + ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_MSTRING_NOT_UNIVERSAL); + goto err; + } ++ + /* Check tag matches bit map */ + if (!(ASN1_tag2bit(otag) & it->utype)) { + /* If OPTIONAL, assume this is OK */ +@@ -316,6 +326,15 @@ + goto err; + + case ASN1_ITYPE_CHOICE: ++ /* ++ * It never makes sense for CHOICE types to have implicit tagging, so ++ * if tag != -1, then this looks like an error in the template. ++ */ ++ if (tag != -1) { ++ ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_BAD_TEMPLATE); ++ goto err; ++ } ++ + if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL)) + goto auxerr; + if (*pval) { +--- crypto/openssl/crypto/asn1/tasn_enc.c.orig ++++ crypto/openssl/crypto/asn1/tasn_enc.c +@@ -151,9 +151,25 @@ + break; + + case ASN1_ITYPE_MSTRING: ++ /* ++ * It never makes sense for multi-strings to have implicit tagging, so ++ * if tag != -1, then this looks like an error in the template. ++ */ ++ if (tag != -1) { ++ ASN1err(ASN1_F_ASN1_ITEM_EX_I2D, ASN1_R_BAD_TEMPLATE); ++ return -1; ++ } + return asn1_i2d_ex_primitive(pval, out, it, -1, aclass); + + case ASN1_ITYPE_CHOICE: ++ /* ++ * It never makes sense for CHOICE types to have implicit tagging, so ++ * if tag != -1, then this looks like an error in the template. ++ */ ++ if (tag != -1) { ++ ASN1err(ASN1_F_ASN1_ITEM_EX_I2D, ASN1_R_BAD_TEMPLATE); ++ return -1; ++ } + if (asn1_cb && !asn1_cb(ASN1_OP_I2D_PRE, pval, it, NULL)) + return 0; + i = asn1_get_choice_selector(pval, it); +--- crypto/openssl/crypto/x509v3/v3_genn.c.orig ++++ crypto/openssl/crypto/x509v3/v3_genn.c +@@ -72,8 +72,9 @@ + IMPLEMENT_ASN1_FUNCTIONS(OTHERNAME) + + ASN1_SEQUENCE(EDIPARTYNAME) = { +- ASN1_IMP_OPT(EDIPARTYNAME, nameAssigner, DIRECTORYSTRING, 0), +- ASN1_IMP_OPT(EDIPARTYNAME, partyName, DIRECTORYSTRING, 1) ++ /* DirectoryString is a CHOICE type so use explicit tagging */ ++ ASN1_EXP_OPT(EDIPARTYNAME, nameAssigner, DIRECTORYSTRING, 0), ++ ASN1_EXP(EDIPARTYNAME, partyName, DIRECTORYSTRING, 1) + } ASN1_SEQUENCE_END(EDIPARTYNAME) + + IMPLEMENT_ASN1_FUNCTIONS(EDIPARTYNAME) +@@ -107,6 +108,37 @@ + (char *)a); + } + ++static int edipartyname_cmp(const EDIPARTYNAME *a, const EDIPARTYNAME *b) ++{ ++ int res; ++ ++ if (a == NULL || b == NULL) { ++ /* ++ * Shouldn't be possible in a valid GENERAL_NAME, but we handle it ++ * anyway. OTHERNAME_cmp treats NULL != NULL so we do the same here ++ */ ++ return -1; ++ } ++ if (a->nameAssigner == NULL && b->nameAssigner != NULL) ++ return -1; ++ if (a->nameAssigner != NULL && b->nameAssigner == NULL) ++ return 1; ++ /* If we get here then both have nameAssigner set, or both unset */ ++ if (a->nameAssigner != NULL) { ++ res = ASN1_STRING_cmp(a->nameAssigner, b->nameAssigner); ++ if (res != 0) ++ return res; ++ } ++ /* ++ * partyName is required, so these should never be NULL. We treat it in ++ * the same way as the a == NULL || b == NULL case above ++ */ ++ if (a->partyName == NULL || b->partyName == NULL) ++ return -1; ++ ++ return ASN1_STRING_cmp(a->partyName, b->partyName); ++} ++ + /* Returns 0 if they are equal, != 0 otherwise. */ + int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b) + { +@@ -116,8 +148,11 @@ + return -1; + switch (a->type) { + case GEN_X400: ++ result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address); ++ break; ++ + case GEN_EDIPARTY: +- result = ASN1_TYPE_cmp(a->d.other, b->d.other); ++ result = edipartyname_cmp(a->d.ediPartyName, b->d.ediPartyName); + break; + + case GEN_OTHERNAME: +@@ -164,8 +199,11 @@ + { + switch (type) { + case GEN_X400: ++ a->d.x400Address = value; ++ break; ++ + case GEN_EDIPARTY: +- a->d.other = value; ++ a->d.ediPartyName = value; + break; + + case GEN_OTHERNAME: +@@ -199,8 +237,10 @@ + *ptype = a->type; + switch (a->type) { + case GEN_X400: ++ return a->d.x400Address; ++ + case GEN_EDIPARTY: +- return a->d.other; ++ return a->d.ediPartyName; + + case GEN_OTHERNAME: + return a->d.otherName; diff --git a/share/security/patches/SA-20:33/openssl.11.patch.asc b/share/security/patches/SA-20:33/openssl.11.patch.asc new file mode 100644 index 0000000000..04a1f67bc2 --- /dev/null +++ b/share/security/patches/SA-20:33/openssl.11.patch.asc @@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl/X1+ZfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cLSXA/+POtmlmjt6rC2UhrW91eAxVENBcN8rzjtlHwMqaJuV1Hdj8lcIqcQQyKV +8XpdgcyRGIG9XDCekFkwITtamuIYCl47Mmp8BB6aoY+o8WKRn7AcwjS3Wsk45YF0 +0sbw6quT71i7CeIDTQyI/ku3ovacFnDo+aZFN4M4xJ5ESj4RwPdEno6xatsBAaeQ +3slF62D+i1oTKkC1e5dTcvB9H/dhm9tPUTIkuNXwJ7ba/UF8zacnRyfS4vyu+IxG +Tu8tTSxoPxp74Khin1JhlL3qkcVZkRP5bDjan/Jilu88Oi/OE+WAQGIYVb9ozxwj +DHrXPGw2tkqCwt+0Dz2sYPKyJc3ceGQHJqWljFNvGe8tRBIHqbg9ig1RJkTUMWw9 +y1bFILvzzEpgRT8dZe4pSarF/+0+O9CyXNBJOPQKVKpx/QOqEIWo5Ohcb6sE3cbo +n2epPYiuvpthmZQLaHJ9x/Q/CiDy31SjandK9UF4pe3rg0IdJpH1UmoxaXYLsK6l +LxbFqgv6xR/WOl+/Xhk7BQ6vC6C6wy3hgZ5XfziZJCH9jammciS13KcwGlc+s3we +1qWHtiYxJyo8GeRQQwcGnyPb1LyxQ2ELbxjceCB7nVHyPQsVFtzJkCN6fH9sl7Pl +7o+oX6amcXd5NLN8SoqH2A0yU/l5mMjky0XfD8wdkpemOMui7mo= +=2k8P +-----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202012142130.0BELU5eO007084>