Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 28 May 2024 17:04:45 GMT
From:      Bernard Spil <brnrd@FreeBSD.org>
To:        ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-branches@FreeBSD.org
Subject:   git: 8256e014b828 - 2024Q2 - security/openssl31-quictls: Security update for CVE-2024-4741
Message-ID:  <202405281704.44SH4jOX010669@gitrepo.freebsd.org>

next in thread | raw e-mail | index | archive | help
The branch 2024Q2 has been updated by brnrd:

URL: https://cgit.FreeBSD.org/ports/commit/?id=8256e014b8284b12cd4099040d4da50e59cd8e34

commit 8256e014b8284b12cd4099040d4da50e59cd8e34
Author:     Bernard Spil <brnrd@FreeBSD.org>
AuthorDate: 2024-05-28 16:57:52 +0000
Commit:     Bernard Spil <brnrd@FreeBSD.org>
CommitDate: 2024-05-28 17:04:18 +0000

    security/openssl31-quictls: Security update for CVE-2024-4741
    
    Security:       73a697d7-1d0f-11ef-a490-84a93843eb75
    MFH:            2024Q2
    (cherry picked from commit ae294f2b6be9c77a0516a78dd92a9f8958758c47)
---
 security/openssl31-quictls/Makefile                |  2 +-
 .../openssl31-quictls/files/patch-CVE-2024-4741    | 67 ++++++++++++++++++++++
 2 files changed, 68 insertions(+), 1 deletion(-)

diff --git a/security/openssl31-quictls/Makefile b/security/openssl31-quictls/Makefile
index 5f66ce2edc72..99afcb80ff7b 100644
--- a/security/openssl31-quictls/Makefile
+++ b/security/openssl31-quictls/Makefile
@@ -1,7 +1,7 @@
 PORTNAME=	openssl
 DISTVERSIONPREFIX=	${PORTNAME}-
 DISTVERSION=	3.1.5
-PORTREVISION=	4
+PORTREVISION=	5
 DISTVERSIONSUFFIX=	-quic1
 CATEGORIES=	security devel
 PKGNAMESUFFIX=	31-quictls
diff --git a/security/openssl31-quictls/files/patch-CVE-2024-4741 b/security/openssl31-quictls/files/patch-CVE-2024-4741
new file mode 100644
index 000000000000..75fcc6311d2c
--- /dev/null
+++ b/security/openssl31-quictls/files/patch-CVE-2024-4741
@@ -0,0 +1,67 @@
+From 704f725b96aa373ee45ecfb23f6abfe8be8d9177 Mon Sep 17 00:00:00 2001
+From: Watson Ladd <watsonbladd@gmail.com>
+Date: Wed, 24 Apr 2024 11:26:56 +0100
+Subject: [PATCH] Only free the read buffers if we're not using them
+
+If we're part way through processing a record, or the application has
+not released all the records then we should not free our buffer because
+they are still needed.
+
+CVE-2024-4741
+
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/24395)
+---
+ ssl/record/rec_layer_s3.c | 9 +++++++++
+ ssl/record/record.h       | 1 +
+ ssl/ssl_lib.c             | 3 +++
+ 3 files changed, 13 insertions(+)
+
+diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
+index 4bcffcc41e364..1569997bea2d3 100644
+--- ssl/record/rec_layer_s3.c.orig
++++ ssl/record/rec_layer_s3.c
+@@ -81,6 +81,15 @@ int RECORD_LAYER_read_pending(const RECORD_LAYER *rl)
+     return SSL3_BUFFER_get_left(&rl->rbuf) != 0;
+ }
+ 
++int RECORD_LAYER_data_present(const RECORD_LAYER *rl)
++{
++    if (rl->rstate == SSL_ST_READ_BODY)
++        return 1;
++    if (RECORD_LAYER_processed_read_pending(rl))
++        return 1;
++    return 0;
++}
++
+ /* Checks if we have decrypted unread record data pending */
+ int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl)
+ {
+diff --git a/ssl/record/record.h b/ssl/record/record.h
+index 234656bf93942..b60f71c8cb23b 100644
+--- ssl/record/record.h.orig
++++ ssl/record/record.h
+@@ -205,6 +205,7 @@ void RECORD_LAYER_release(RECORD_LAYER *rl);
+ int RECORD_LAYER_read_pending(const RECORD_LAYER *rl);
+ int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl);
+ int RECORD_LAYER_write_pending(const RECORD_LAYER *rl);
++int RECORD_LAYER_data_present(const RECORD_LAYER *rl);
+ void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl);
+ void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl);
+ int RECORD_LAYER_is_sslv2_record(RECORD_LAYER *rl);
+diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
+index e747b7f90aa71..9088223b9f6bb 100644
+--- ssl/ssl_lib.c.orig
++++ ssl/ssl_lib.c
+@@ -5493,6 +5493,9 @@ int SSL_free_buffers(SSL *ssl)
+     if (RECORD_LAYER_read_pending(rl) || RECORD_LAYER_write_pending(rl))
+         return 0;
+ 
++    if (RECORD_LAYER_data_present(rl))
++        return 0;
++
+     RECORD_LAYER_release(rl);
+     return 1;
+ }



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202405281704.44SH4jOX010669>