From: FreeBSD Security Advisories <security-advisories@freebsd.org>
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-21:17.openssl
Reply-To: freebsd-security@freebsd.org
Date: Tue, 24 Aug 2021 20:53:04 +0000 (UTC)

=============================================================================
FreeBSD-SA-21:17.openssl                                    Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple vulnerabilities in OpenSSL

Category:       contrib
Module:         openssl
Announced:      2021-08-24
Affects:        FreeBSD 12.2 and FreeBSD 11.4
Corrected:      2021-02-18 23:55:09 UTC (stable/12, 12.2-STABLE)
                2021-08-24 18:32:22 UTC (releng/12.2, 12.2-RELEASE-p10)
                2021-02-19 16:21:03 UTC (stable/11, 11.4-STABLE)
                2021-08-24 18:31:34 UTC (releng/11.4, 11.4-RELEASE-p13)
CVE Name:       CVE-2021-23840, CVE-2021-23841

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please consult the FreeBSD Security Advisories
website.

I.   Background

FreeBSD includes software from the OpenSSL Project.
The OpenSSL Project is a collaborative effort to develop a robust,
commercial-grade, full-featured Open Source toolkit for the Transport
Layer Security (TLS) protocol. It is also a general-purpose cryptography
library.

II.  Problem Description

This advisory covers two distinct OpenSSL issues:

Calls to EVP_CipherUpdate(), EVP_EncryptUpdate() and EVP_DecryptUpdate()
may overflow the output length argument in some cases where the input
length is close to the maximum permissible length for an integer on the
platform. In such cases the return value from the function call will be
1 (indicating success), but the output length value will be negative.
[CVE-2021-23840]

The OpenSSL public API function X509_issuer_and_serial_hash() attempts to
create a unique hash value based on the issuer and serial number data
contained within an X509 certificate. However, it fails to correctly
handle any errors that may occur while parsing the issuer field (which
might occur if the issuer field is maliciously constructed).
[CVE-2021-23841]

III. Impact

The integer overflow in EVP_*Update() could cause applications to behave
incorrectly or crash, leading to a potential denial of service attack.

The X509_issuer_and_serial_hash() issue may result in a NULL pointer
dereference and a crash, leading to a potential denial of service attack.

IV.  Workaround

No workaround is available. The function X509_issuer_and_serial_hash() is
never directly called by OpenSSL itself, so applications are only
vulnerable if they use this function directly and they use it on
certificates that may have been obtained from untrusted sources.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64, i386, or
(on FreeBSD 13 and later) arm64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 12.2]
# fetch https://security.FreeBSD.org/patches/SA-21:17/openssl.12.patch
# fetch https://security.FreeBSD.org/patches/SA-21:17/openssl.12.patch.asc
# gpg --verify openssl.12.patch.asc

[FreeBSD 11.4]
# fetch https://security.FreeBSD.org/patches/SA-21:17/openssl.11.patch
# fetch https://security.FreeBSD.org/patches/SA-21:17/openssl.11.patch.asc
# gpg --verify openssl.11.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in the FreeBSD Handbook.

Restart all daemons that use the library, or reboot the system.

VI.  Correction details

This issue is corrected by the corresponding Git commit hash or
Subversion revision number in the following stable and release branches:

Branch/path                                                     Hash     Revision
-------------------------------------------------------------------------------
stable/12/                                                               r369284
releng/12.2/                                                             r370397
stable/11/                                                               r369299
releng/11.4/                                                             r370389
-------------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular revision, replacing NNNNNN with the revision number:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at
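As an added illustration of the CVE-2021-23840 condition described in section II (this is example code, not part of the advisory and not OpenSSL's own code), the checks below show what an application calling EVP_*Update() can do on its own side: bound each input chunk so that its length plus one block of buffered data still fits in an int, and refuse a negative output length even when the call returned 1. The function names and the block-size argument are assumptions for the example; the wrap-around routine only models the pre-fix int arithmetic in a well-defined way.

```c
#include <limits.h>
#include <stddef.h>

/* Caller-side guard (example code, not OpenSSL's API).
 * EVP_*Update() takes the input length as an int and may emit up to
 * inl + (block_size - 1) bytes once previously buffered bytes are
 * flushed. Rejecting chunks that leave no room for that slack in an
 * int makes the overflow unreachable regardless of library version. */
int evp_update_len_is_safe(size_t inl, int block_size)
{
    if (block_size < 1)
        return 0;
    /* Largest input that still leaves block_size - 1 bytes of headroom. */
    size_t limit = (size_t)INT_MAX - (size_t)(block_size - 1);
    return inl <= limit;
}

/* Post-call check: a return value of 1 is not enough on its own.
 * A negative output length must be treated as failure, never used
 * as a buffer size or offset. */
int evp_update_result_ok(int ret, int outl)
{
    return ret == 1 && outl >= 0;
}

/* Model of the pre-fix arithmetic: output length computed as
 * inl + buffered in an int. Computed in long long and wrapped
 * explicitly (two's complement) so the model itself has no
 * undefined behaviour; shows how a value near INT_MAX goes negative. */
int simulate_prefix_outl(int inl, int buffered)
{
    long long sum = (long long)inl + buffered;
    if (sum > INT_MAX)
        sum -= (long long)UINT_MAX + 1;
    return (int)sum;
}
```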