[openssl/openssl] 0d50c5: Fix CVE-2022-3602 in punycode decoder.
Tomáš Mráz
noreply at github.com
Tue Nov 1 16:40:57 UTC 2022
Branch: refs/heads/openssl-3.1
Home: https://github.com/openssl/openssl
Commit: 0d50c5e28853e8ffafbf1d68cc8670d53e98dd5b
https://github.com/openssl/openssl/commit/0d50c5e28853e8ffafbf1d68cc8670d53e98dd5b
Author: Pauli <pauli at openssl.org>
Date: 2022-11-01 (Tue, 01 Nov 2022)
Changed paths:
M crypto/punycode.c
Log Message:
-----------
Fix CVE-2022-3602 in punycode decoder.
An off by one error in the punycode decoder allowed for a single unsigned int
overwrite of a buffer which could cause a crash and possible code execution.
Reviewed-by: Matt Caswell <matt at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(cherry picked from commit fe3b639dc19b325846f4f6801f2f4604f56e3de3)
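Added example, not OpenSSL's own code: a minimal RFC 3492 punycode decoder in C that decodes into an unsigned int code-point array, as the commit message above describes, and places the output-capacity check so that the last element can never be written one past the end; `punycode_decode`, its signature, the labels used in the comments and the constructed test input are assumptions.

```c
#include <string.h>
enum { BASE = 36, TMIN = 1, TMAX = 26, SKEW = 38, DAMP = 700, INIT_BIAS = 72, INIT_N = 128 }; /* RFC 3492 */

static unsigned int adapt(unsigned int delta, unsigned int numpoints, int first)
{
    unsigned int k = 0;
    delta = first ? delta / DAMP : delta / 2;
    delta += delta / numpoints;
    for (; delta > ((BASE - TMIN) * TMAX) / 2; k += BASE)
        delta /= BASE - TMIN;
    return k + (BASE - TMIN + 1) * delta / (delta + SKEW);
}

static int digit_value(char c)   /* punycode digit -> 0..35, or -1 if invalid */
{
    if (c >= 'a' && c <= 'z') return c - 'a';
    if (c >= 'A' && c <= 'Z') return c - 'A';
    return (c >= '0' && c <= '9') ? c - '0' + 26 : -1;
}

/* Decode label `in` (without "xn--") into `out`, which holds at most max_out code points.
 * Returns 1 on success, 0 on malformed input or when the decoded label does not fit. */
int punycode_decode(const char *in, unsigned int *out, size_t max_out, size_t *out_len)
{
    const char *delim = strrchr(in, '-');
    size_t len = strlen(in), written = 0, j, b = delim ? (size_t)(delim - in) : 0;
    unsigned int n = INIT_N, i = 0, bias = INIT_BIAS, w, k, t;

    for (j = 0; j < b; j++) {                 /* basic ASCII code points before the delimiter */
        if ((unsigned char)in[j] >= 0x80 || written >= max_out) return 0;
        out[written++] = (unsigned char)in[j];
    }
    for (j = delim ? b + 1 : 0; j < len; ) {  /* one variable-length integer per non-ASCII char */
        unsigned int oldi = i; int digit;
        for (w = 1, k = BASE; ; k += BASE) {
            if (j >= len || (digit = digit_value(in[j++])) < 0) return 0;
            if ((unsigned int)digit > (0xFFFFFFFFu - i) / w) return 0;     /* i would overflow */
            i += (unsigned int)digit * w;
            t = k <= bias ? TMIN : (k >= bias + TMAX ? TMAX : k - bias);
            if ((unsigned int)digit < t) break;
            if (w > 0xFFFFFFFFu / (BASE - t)) return 0;                     /* w would overflow */
            w *= BASE - t;
        }
        bias = adapt(i - oldi, (unsigned int)written + 1, oldi == 0);
        n += i / (unsigned int)(written + 1); i %= (unsigned int)(written + 1);
        /* The CVE-2022-3602 bug class: the insert below writes out[written], so the buffer is
         * full once written == max_out; testing '>' instead of '>=' lets one element past the end. */
        if (written >= max_out) return 0;
        memmove(out + i + 1, out + i, (written - i) * sizeof(*out));
        out[i++] = n; written++;
    }
    *out_len = written;
    return 1;
}
```

Decoding the constructed label `mnchen-3ya` into a 7-element buffer yields `münchen` (U+00FC at index 1); the same label with a 6-element buffer is rejected instead of writing a seventh element.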
Commit: 4af7a0e48f48e5fb15bc3243ae9b135957c0236f
https://github.com/openssl/openssl/commit/4af7a0e48f48e5fb15bc3243ae9b135957c0236f
Author: Pauli <pauli at openssl.org>
Date: 2022-11-01 (Tue, 01 Nov 2022)
Changed paths:
M crypto/punycode.c
Log Message:
-----------
Fix CVE-2022-3786 in punycode decoder.
Fixed the ossl_a2ulabel() function which also contained a potential
buffer overflow, albeit without control of the contents.
This overflow could result in a crash (causing a denial of service).
The function also did not NUL-terminate the output in some cases.
The two issues fixed here were identified and reported
by Viktor Dukhovni while researching CVE-2022-3602.
Reviewed-by: Matt Caswell <matt at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(cherry picked from commit c42165b5706e42f67ef8ef4c351a9a4c5d21639a)
Commit: 355be308eb25614dc743fc30c6b6f1b2a447d30f
https://github.com/openssl/openssl/commit/355be308eb25614dc743fc30c6b6f1b2a447d30f
Author: Pauli <pauli at openssl.org>
Date: 2022-11-01 (Tue, 01 Nov 2022)
Changed paths:
M test/build.info
A test/punycode_test.c
A test/recipes/04-test_punycode.t
Log Message:
-----------
punycode: add unit tests
These tests verify basic functionality and specifically test for
CVE-2022-3602.
Reviewed-by: Matt Caswell <matt at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(cherry picked from commit f0f530216bf93e9cdc9c2c9e3c095229d216da15)
Commit: 5e244a93778a59e756f626e3135455923ce29a22
https://github.com/openssl/openssl/commit/5e244a93778a59e756f626e3135455923ce29a22
Author: Tomas Mraz <tomas at openssl.org>
Date: 2022-11-01 (Tue, 01 Nov 2022)
Changed paths:
M CHANGES.md
M NEWS.md
Log Message:
-----------
Update CHANGES.md and NEWS.md for new release
Reviewed-by: Richard Levitte <levitte at openssl.org>
Reviewed-by: Matt Caswell <matt at openssl.org>
(cherry picked from commit cf889ec8d9e9bb89f012b4e610c702e2656674fd)
Compare: https://github.com/openssl/openssl/compare/f1b7a6c24750...5e244a93778a