Opened 2 years ago
Closed 2 years ago
#5076 closed enhancement (fixed)
OpenSSL-3.0.4
Reported by: | Douglas R. Reno | Owned by: | lfs-book |
---|---|---|---|
Priority: | high | Milestone: | 11.2 |
Component: | Book | Version: | git |
Severity: | normal | Keywords: | |
Cc: |
Description
New point version
Changes between 3.0.3 and 3.0.4 [21 June 2022]
In addition to the c_rehash shell command injection identified in CVE-2022-1292, further bugs where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection have been fixed.
When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell.
This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script.
Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. (CVE-2022-2068)
Case insensitive string comparison no longer uses locales. It has instead been directly implemented.
Change History (8)
comment:2 by , 2 years ago
Created https://github.com/openssl/openssl/issues/18625.
I'm not sure what we should do for this update. It's an "emergency" update but OTOH I'm pretty sure it will blow up on any machine with AVX-512...
comment:3 by , 2 years ago
Summary: | OpenSSL-3.0.4 → OpenSSL-3.0.4 (wait for upstream consensus) |
---|
Maybe a new patch version will be released. If not, we'll need to inject the fix as a sed.
follow-up: 6 comment:5 by , 2 years ago
The upstream commit can be fixed with a sed, but I think we should wait a couple more days for a 3.0.5 release.
sed -e '/bn_reduce.*m1/i\ factor_size /= sizeof(BN_ULONG) * 8;' \ -i crypto/bn/rsaz_exp_x2.c
I do not have a avx512 capable system, but the results of the tests give:
All tests successful. Files=243, Tests=3295, 190 wallclock secs ( 3.25 usr 0.16 sys + 167.68 cusr 23.74 csys = 194.83 CPU) Result: PASS
comment:6 by , 2 years ago
Replying to Bruce Dubbs:
I think we should wait a couple more days for a 3.0.5 release.
Distro and downstream maintainers (including I) are trying to convince the upstream to release 3.0.5 ASAP. But I don't know we'll succeed or not.
comment:7 by , 2 years ago
Summary: | OpenSSL-3.0.4 (wait for upstream consensus) → OpenSSL-3.0.4 |
---|
The sed tested OK, and we don't want to sit up here waiting.
comment:8 by , 2 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
Fixed at commit 0d80e532d2ee91c69a0a0545f6d0f6ec55f35d6c
Update to OpenSSL-3.0.4. Update to kbd-2.5.1. Update to linux-5.18.8. Update to bc-5.3.3.
A lot tests fail for me. A debug session shows the failure may be AVX512 specific, so perhaps "me only" problem.
I'll bisect and make a "friendly communication" with upstream.