[web] master update

Matt Caswell matt at openssl.org
Tue Aug 24 13:50:48 UTC 2021


The branch master has been updated
       via  06ad477ee26f9e15dd8bc87d6bce6017ceec2342 (commit)
      from  e2ba17260f0cc0a1fd1b0c20bf5238a4795076df (commit)


- Log -----------------------------------------------------------------
commit 06ad477ee26f9e15dd8bc87d6bce6017ceec2342
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Aug 24 13:54:40 2021 +0100

    Updates for the new release
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 news/newsflash.txt       |   1 +
 news/secadv/20210824.txt | 118 +++++++++++++++++++++++++++++++++++++++++
 news/vulnerabilities.xml | 134 ++++++++++++++++++++++++++++++++++++++++++++++-
 3 files changed, 252 insertions(+), 1 deletion(-)
 create mode 100644 news/secadv/20210824.txt

diff --git a/news/newsflash.txt b/news/newsflash.txt
index a756e6e..f1feacc 100644
--- a/news/newsflash.txt
+++ b/news/newsflash.txt
@@ -5,6 +5,7 @@
 # headings.  URL paths must all be absolute.
 Date: Item
 
+24-Aug-2021: OpenSSL 1.1.1l is now available, including bug and security fixes
 29-Jul-2021: Beta 2 of OpenSSL 3.0 is now available. This is a release candidate: please download and test it
 17-Jun-2021: New Blog post: <a href="/blog/blog/2021/06/17/OpenSSL3.0ReleaseCandidate/">OpenSSL 3.0 Release Candidate</a>
 17-Jun-2021: Beta 1 of OpenSSL 3.0 is now available. This is a release candidate: please download and test it
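
Review bot: the new 24-Aug-2021 entry announces security fixes but gives readers no way to reach them. The 17-Jun-2021 blog entry below it carries an <a href> link, and this same commit adds news/secadv/20210824.txt, so consider linking "security fixes" to /news/secadv/20210824.txt (an absolute path, as the file's header comment requires).
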
diff --git a/news/secadv/20210824.txt b/news/secadv/20210824.txt
new file mode 100644
index 0000000..f15ecd6
--- /dev/null
+++ b/news/secadv/20210824.txt
@@ -0,0 +1,118 @@
+OpenSSL Security Advisory [24 August 2021]
+==========================================
+
+SM2 Decryption Buffer Overflow (CVE-2021-3711)
+==============================================
+
+Severity: High
+
+In order to decrypt SM2 encrypted data an application is expected to call the
+API function EVP_PKEY_decrypt(). Typically an application will call this
+function twice. The first time, on entry, the "out" parameter can be NULL and,
+on exit, the "outlen" parameter is populated with the buffer size required to
+hold the decrypted plaintext. The application can then allocate a sufficiently
+sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL
+value for the "out" parameter.
+
+A bug in the implementation of the SM2 decryption code means that the
+calculation of the buffer size required to hold the plaintext returned by the
+first call to EVP_PKEY_decrypt() can be smaller than the actual size required by
+the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is
+called by the application a second time with a buffer that is too small.
+
+A malicious attacker who is able present SM2 content for decryption to an
+application could cause attacker chosen data to overflow the buffer by up to a
+maximum of 62 bytes altering the contents of other data held after the
+buffer, possibly changing application behaviour or causing the application to
+crash. The location of the buffer is application dependent but is typically
+heap allocated.
+
+OpenSSL versions 1.1.1k and below are affected by this issue. Users of these
+versions should upgrade to OpenSSL 1.1.1l.
+
+OpenSSL 1.0.2 is not impacted by this issue.
+
+OpenSSL 3.0 alpha/beta releases are also affected but this issue will be
+addressed before the final release.
+
+This issue was reported to OpenSSL on 12th August 2021 by John Ouyang. The fix
+was developed by Matt Caswell.
+
+Read buffer overruns processing ASN.1 strings (CVE-2021-3712)
+=============================================================
+
+Severity: Moderate
+
+ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING
+structure which contains a buffer holding the string data and a field holding
+the buffer length. This contrasts with normal C strings which are repesented as
+a buffer for the string data which is terminated with a NUL (0) byte.
+
+Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's
+own "d2i" functions (and other similar parsing functions) as well as any string
+whose value has been set with the ASN1_STRING_set() function will additionally
+NUL terminate the byte array in the ASN1_STRING structure.
+
+However, it is possible for applications to directly construct valid ASN1_STRING
+structures which do not NUL terminate the byte array by directly setting the
+"data" and "length" fields in the ASN1_STRING array. This can also happen by
+using the ASN1_STRING_set0() function.
+
+Numerous OpenSSL functions that print ASN.1 data have been found to assume that
+the ASN1_STRING byte array will be NUL terminated, even though this is not
+guaranteed for strings that have been directly constructed. Where an application
+requests an ASN.1 structure to be printed, and where that ASN.1 structure
+contains ASN1_STRINGs that have been directly constructed by the application
+without NUL terminating the "data" field, then a read buffer overrun can occur.
+
+The same thing can also occur during name constraints processing of certificates
+(for example if a certificate has been directly constructed by the application
+instead of loading it via the OpenSSL parsing functions, and the certificate
+contains non NUL terminated ASN1_STRING structures). It can also occur in the
+X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions.
+
+If a malicious actor can cause an application to directly construct an
+ASN1_STRING and then process it through one of the affected OpenSSL functions
+then this issue could be hit. This might result in a crash (causing a Denial of
+Service attack). It could also result in the disclosure of private memory
+contents (such as private keys, or sensitive plaintext).
+
+OpenSSL versions 1.1.1k and below are affected by this issue. Users of these
+versions should upgrade to OpenSSL 1.1.1l.
+
+OpenSSL versions 1.0.2y and below are affected by this issue. However OpenSSL
+1.0.2 is out of support and no longer receiving public updates. Premium support
+customers of OpenSSL 1.0.2 should upgrade to 1.0.2za. Other users should upgrade
+to 1.1.1l.
+
+An initial instance of this issue in the X509_aux_print() function was reported
+to OpenSSL on 18th July 2021 by Ingo Schwarze. The bugfix was developed by Ingo
+Schwarze and first publicly released in OpenBSD-current on 10th July 2021 and
+subsequently in OpenSSL on 20th July 2021 (commit d9d838ddc). Subsequent
+analysis by David Benjamin on 17th August 2021 identified more instances of the
+same bug. Additional analysis was performed by Matt Caswell. Fixes for the
+additional instances of this issue were developed by Matt Caswell.
+
+Note
+====
+
+OpenSSL 1.0.2 is out of support and no longer receiving public updates. Extended
+support is available for premium support customers:
+https://www.openssl.org/support/contracts.html
+
+OpenSSL 1.1.0 is out of support and no longer receiving updates of any kind.
+The impact of these issues on OpenSSL 1.1.0 has not been analysed.
+
+Users of these versions should upgrade to OpenSSL 1.1.1.
+
+References
+==========
+
+URL for this Security Advisory:
+https://www.openssl.org/news/secadv/20210824.txt
+
+Note: the online version of the advisory may be updated with additional details
+over time.
+
+For details of OpenSSL severity classifications please see:
+https://www.openssl.org/policies/secpolicy.html
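
Review bot: the credits paragraph for CVE-2021-3712 has an inconsistent timeline. It says the issue was reported on 18th July 2021, yet the bugfix was "first publicly released in OpenBSD-current on 10th July 2021", which is before the stated report date; one of the two dates should be corrected before publication. Smaller wording points in the same file: "who is able present SM2 content" in the CVE-2021-3711 section is missing "to", "repesented" should be "represented", and "fields in the ASN1_STRING array" should say "structure", matching the rest of the paragraph. The same description text is duplicated in news/vulnerabilities.xml, so any fix needs applying in both places.
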
diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml
index ba187fd..bc380b1 100644
--- a/news/vulnerabilities.xml
+++ b/news/vulnerabilities.xml
@@ -7,7 +7,139 @@
 
 <!-- The updated attribute should be the same as the first public issue,
      unless an old entry was updated. -->
-<security updated="20210325">
+<security updated="20210824">
+  <issue public="20210824">
+    <impact severity="High"/>
+    <cve name="2021-3711"/>
+    <affects base="1.1.1" version="1.1.1"/>
+    <affects base="1.1.1" version="1.1.1a"/>
+    <affects base="1.1.1" version="1.1.1b"/>
+    <affects base="1.1.1" version="1.1.1c"/>
+    <affects base="1.1.1" version="1.1.1d"/>
+    <affects base="1.1.1" version="1.1.1e"/>
+    <affects base="1.1.1" version="1.1.1f"/>
+    <affects base="1.1.1" version="1.1.1g"/>
+    <affects base="1.1.1" version="1.1.1h"/>
+    <affects base="1.1.1" version="1.1.1i"/>
+    <affects base="1.1.1" version="1.1.1j"/>
+    <affects base="1.1.1" version="1.1.1k"/>
+    <fixed base="1.1.1" version="1.1.1l" date="20210824">
+      <git hash="59f5e75f3bced8fc0e130d72a3f582cf7b480b46"/>
+    </fixed>
+    <problemtype>Buffer overflow</problemtype>
+    <title>SM2 Decryption Buffer Overflow</title>
+    <description>
+In order to decrypt SM2 encrypted data an application is expected to call the
+API function EVP_PKEY_decrypt(). Typically an application will call this
+function twice. The first time, on entry, the "out" parameter can be NULL and,
+on exit, the "outlen" parameter is populated with the buffer size required to
+hold the decrypted plaintext. The application can then allocate a sufficiently
+sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL
+value for the "out" parameter.
+
+A bug in the implementation of the SM2 decryption code means that the
+calculation of the buffer size required to hold the plaintext returned by the
+first call to EVP_PKEY_decrypt() can be smaller than the actual size required by
+the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is
+called by the application a second time with a buffer that is too small.
+
+A malicious attacker who is able present SM2 content for decryption to an
+application could cause attacker chosen data to overflow the buffer by up to a
+maximum of 62 bytes altering the contents of other data held after the
+buffer, possibly changing application behaviour or causing the application to
+crash. The location of the buffer is application dependent but is typically
+heap allocated.
+    </description>
+    <advisory url="/news/secadv/20210824.txt"/>
+    <reported source="John Ouyang"/>
+  </issue>
+  <issue public="20210824">
+    <impact severity="Moderate"/>
+    <cve name="2021-3712"/>
+    <affects base="1.1.1" version="1.1.1"/>
+    <affects base="1.1.1" version="1.1.1a"/>
+    <affects base="1.1.1" version="1.1.1b"/>
+    <affects base="1.1.1" version="1.1.1c"/>
+    <affects base="1.1.1" version="1.1.1d"/>
+    <affects base="1.1.1" version="1.1.1e"/>
+    <affects base="1.1.1" version="1.1.1f"/>
+    <affects base="1.1.1" version="1.1.1g"/>
+    <affects base="1.1.1" version="1.1.1h"/>
+    <affects base="1.1.1" version="1.1.1i"/>
+    <affects base="1.1.1" version="1.1.1j"/>
+    <affects base="1.1.1" version="1.1.1k"/>
+    <affects base="1.0.2" version="1.0.2"/>
+    <affects base="1.0.2" version="1.0.2a"/>
+    <affects base="1.0.2" version="1.0.2b"/>
+    <affects base="1.0.2" version="1.0.2c"/>
+    <affects base="1.0.2" version="1.0.2d"/>
+    <affects base="1.0.2" version="1.0.2e"/>
+    <affects base="1.0.2" version="1.0.2f"/>
+    <affects base="1.0.2" version="1.0.2g"/>
+    <affects base="1.0.2" version="1.0.2h"/>
+    <affects base="1.0.2" version="1.0.2i"/>
+    <affects base="1.0.2" version="1.0.2j"/>
+    <affects base="1.0.2" version="1.0.2k"/>
+    <affects base="1.0.2" version="1.0.2l"/>
+    <affects base="1.0.2" version="1.0.2m"/>
+    <affects base="1.0.2" version="1.0.2n"/>
+    <affects base="1.0.2" version="1.0.2o"/>
+    <affects base="1.0.2" version="1.0.2p"/>
+    <affects base="1.0.2" version="1.0.2q"/>
+    <affects base="1.0.2" version="1.0.2r"/>
+    <affects base="1.0.2" version="1.0.2s"/>
+    <affects base="1.0.2" version="1.0.2t"/>
+    <affects base="1.0.2" version="1.0.2u"/>
+    <affects base="1.0.2" version="1.0.2v"/>
+    <affects base="1.0.2" version="1.0.2w"/>
+    <affects base="1.0.2" version="1.0.2x"/>
+    <affects base="1.0.2" version="1.0.2y"/>
+    <fixed base="1.1.1" version="1.1.1j" date="20210824">
+      <git hash="94d23fcff9b2a7a8368dfe52214d5c2569882c11"/>
+    </fixed>
+    <fixed base="1.0.2" version="1.0.2za" date="20210824">
+      <git hash="ccb0a11145ee72b042d10593a64eaf9e8a55ec12"/>
+    </fixed>
+    <problemtype>Buffer overflow</problemtype>
+    <title>Read buffer overruns processing ASN.1 strings</title>
+    <description>
+ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING
+structure which contains a buffer holding the string data and a field holding
+the buffer length. This contrasts with normal C strings which are repesented as
+a buffer for the string data which is terminated with a NUL (0) byte.
+
+Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's
+own "d2i" functions (and other similar parsing functions) as well as any string
+whose value has been set with the ASN1_STRING_set() function will additionally
+NUL terminate the byte array in the ASN1_STRING structure.
+
+However, it is possible for applications to directly construct valid ASN1_STRING
+structures which do not NUL terminate the byte array by directly setting the
+"data" and "length" fields in the ASN1_STRING array. This can also happen by
+using the ASN1_STRING_set0() function.
+
+Numerous OpenSSL functions that print ASN.1 data have been found to assume that
+the ASN1_STRING byte array will be NUL terminated, even though this is not
+guaranteed for strings that have been directly constructed. Where an application
+requests an ASN.1 structure to be printed, and where that ASN.1 structure
+contains ASN1_STRINGs that have been directly constructed by the application
+without NUL terminating the "data" field, then a read buffer overrun can occur.
+
+The same thing can also occur during name constraints processing of certificates
+(for example if a certificate has been directly constructed by the application
+instead of loading it via the OpenSSL parsing functions, and the certificate
+contains non NUL terminated ASN1_STRING structures). It can also occur in the
+X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions.
+
+If a malicious actor can cause an application to directly construct an
+ASN1_STRING and then process it through one of the affected OpenSSL functions
+then this issue could be hit. This might result in a crash (causing a Denial of
+Service attack). It could also result in the disclosure of private memory
+contents (such as private keys, or sensitive plaintext).
+    </description>
+    <advisory url="/news/secadv/20210824.txt"/>
+    <reported source="Ingo Schwarze"/>
+  </issue>
   <issue public="20210325">
     <impact severity="High"/>
     <cve name="2021-3450"/>
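
Review bot: the <fixed> element for CVE-2021-3712 on the 1.1.1 branch names the wrong version. It reads <fixed base="1.1.1" version="1.1.1j" date="20210824">, but 1.1.1j is listed as affected in the same entry and the advisory text tells users to upgrade to 1.1.1l; it should be version="1.1.1l", as in the CVE-2021-3711 entry above it. Left as is, anything that consumes this file will see 1.1.1j as both affected and fixed. Separately, <problemtype>Buffer overflow</problemtype> on this entry does not match its own title, "Read buffer overruns processing ASN.1 strings"; a problemtype that says read overrun would separate it from the write overflow in CVE-2021-3711.
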

