dev-libs/openssl/files/openssl-1.1.1v-CVE-2024-0727.patch - third_party/overlays/chromiumos-overlay - Git at Google

 Backport of:

 From 09df4395b5071217b76dc7d3d2e630eb8c5a79c2 Mon Sep 17 00:00:00 2001
 From: Matt Caswell <matt@openssl.org>
 Date: Fri, 19 Jan 2024 11:28:58 +0000
 Subject: [PATCH] Add NULL checks where ContentInfo data can be NULL

 PKCS12 structures contain PKCS7 ContentInfo fields. These fields are
 optional and can be NULL even if the "type" is a valid value. OpenSSL
 was not properly accounting for this and a NULL dereference can occur
 causing a crash.

 CVE-2024-0727

 Reviewed-by: Tomas Mraz <tomas@openssl.org>
 Reviewed-by: Hugo Landau <hlandau@openssl.org>
 Reviewed-by: Neil Horman <nhorman@openssl.org>
 (Merged from https://github.com/openssl/openssl/pull/23362)

 (cherry picked from commit d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c)
 ---
  crypto/pkcs12/p12_add.c  | 18 ++++++++++++++++++
  crypto/pkcs12/p12_mutl.c |  5 +++++
  crypto/pkcs12/p12_npas.c |  5 +++--
  crypto/pkcs7/pk7_mime.c  |  7 +++++--
  4 files changed, 31 insertions(+), 4 deletions(-)

 --- a/crypto/pkcs12/p12_add.c
 +++ b/crypto/pkcs12/p12_add.c
 @@ -76,6 +76,13 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_
                    PKCS12_R_CONTENT_TYPE_NOT_DATA);
          return NULL;
      }
 +
 +    if (p7->d.data == NULL) {
 +        PKCS12err(PKCS12_F_PKCS12_UNPACK_P7DATA,
 +                  PKCS12_R_DECODE_ERROR);
 +        return NULL;
 +    }
 +
      return ASN1_item_unpack(p7->d.data, ASN1_ITEM_rptr(PKCS12_SAFEBAGS));
  }

 @@ -132,6 +139,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_
  {
      if (!PKCS7_type_is_encrypted(p7))
          return NULL;
 +
 +    if (p7->d.encrypted == NULL) {
 +        PKCS12err(PKCS12_F_PKCS12_UNPACK_P7DATA, PKCS12_R_DECODE_ERROR);
 +        return NULL;
 +    }
 +
      return PKCS12_item_decrypt_d2i(p7->d.encrypted->enc_data->algorithm,
                                     ASN1_ITEM_rptr(PKCS12_SAFEBAGS),
                                     pass, passlen,
 @@ -159,6 +172,13 @@ STACK_OF(PKCS7) *PKCS12_unpack_authsafes
                    PKCS12_R_CONTENT_TYPE_NOT_DATA);
          return NULL;
      }
 +
 +    if (p12->authsafes->d.data == NULL) {
 +        PKCS12err(PKCS12_F_PKCS12_UNPACK_AUTHSAFES,
 +                  PKCS12_R_DECODE_ERROR);
 +        return NULL;
 +    }
 +
      return ASN1_item_unpack(p12->authsafes->d.data,
                              ASN1_ITEM_rptr(PKCS12_AUTHSAFES));
  }
 --- a/crypto/pkcs12/p12_mutl.c
 +++ b/crypto/pkcs12/p12_mutl.c
 @@ -93,6 +93,11 @@ static int pkcs12_gen_mac(PKCS12 *p12, c
          return 0;
      }

 +    if (p12->authsafes->d.data == NULL) {
 +        PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_DECODE_ERROR);
 +        return 0;
 +    }
 +
      salt = p12->mac->salt->data;
      saltlen = p12->mac->salt->length;
      if (!p12->mac->iter)
 --- a/crypto/pkcs12/p12_npas.c
 +++ b/crypto/pkcs12/p12_npas.c
 @@ -78,8 +78,9 @@ static int newpass_p12(PKCS12 *p12, cons
              bags = PKCS12_unpack_p7data(p7);
          } else if (bagnid == NID_pkcs7_encrypted) {
              bags = PKCS12_unpack_p7encdata(p7, oldpass, -1);
 -            if (!alg_get(p7->d.encrypted->enc_data->algorithm,
 -                         &pbe_nid, &pbe_iter, &pbe_saltlen))
 +            if (p7->d.encrypted == NULL
 +                    || !alg_get(p7->d.encrypted->enc_data->algorithm,
 +                                &pbe_nid, &pbe_iter, &pbe_saltlen))
                  goto err;
          } else {
              continue;
 --- a/crypto/pkcs7/pk7_mime.c
 +++ b/crypto/pkcs7/pk7_mime.c
 @@ -30,10 +30,13 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p
  {
      STACK_OF(X509_ALGOR) *mdalgs;
      int ctype_nid = OBJ_obj2nid(p7->type);
 -    if (ctype_nid == NID_pkcs7_signed)
 +    if (ctype_nid == NID_pkcs7_signed) {
 +        if (p7->d.sign == NULL)
 +            return 0;
          mdalgs = p7->d.sign->md_algs;
 -    else
 +    } else {
          mdalgs = NULL;
 +    }

      flags ^= SMIME_OLDMIME;
	Backport of:

	From 09df4395b5071217b76dc7d3d2e630eb8c5a79c2 Mon Sep 17 00:00:00 2001
	From: Matt Caswell <matt@openssl.org>
	Date: Fri, 19 Jan 2024 11:28:58 +0000
	Subject: [PATCH] Add NULL checks where ContentInfo data can be NULL

	PKCS12 structures contain PKCS7 ContentInfo fields. These fields are
	optional and can be NULL even if the "type" is a valid value. OpenSSL
	was not properly accounting for this and a NULL dereference can occur
	causing a crash.

	CVE-2024-0727

	Reviewed-by: Tomas Mraz <tomas@openssl.org>
	Reviewed-by: Hugo Landau <hlandau@openssl.org>
	Reviewed-by: Neil Horman <nhorman@openssl.org>
	(Merged from https://github.com/openssl/openssl/pull/23362)

	(cherry picked from commit d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c)
	---
	crypto/pkcs12/p12_add.c \| 18 ++++++++++++++++++
	crypto/pkcs12/p12_mutl.c \| 5 +++++
	crypto/pkcs12/p12_npas.c \| 5 +++--
	crypto/pkcs7/pk7_mime.c \| 7 +++++--
	4 files changed, 31 insertions(+), 4 deletions(-)

	--- a/crypto/pkcs12/p12_add.c
	+++ b/crypto/pkcs12/p12_add.c
	@@ -76,6 +76,13 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_
	PKCS12_R_CONTENT_TYPE_NOT_DATA);
	return NULL;
	}
	+
	+ if (p7->d.data == NULL) {
	+ PKCS12err(PKCS12_F_PKCS12_UNPACK_P7DATA,
	+ PKCS12_R_DECODE_ERROR);
	+ return NULL;
	+ }
	+
	return ASN1_item_unpack(p7->d.data, ASN1_ITEM_rptr(PKCS12_SAFEBAGS));
	}

	@@ -132,6 +139,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_
	{
	if (!PKCS7_type_is_encrypted(p7))
	return NULL;
	+
	+ if (p7->d.encrypted == NULL) {
	+ PKCS12err(PKCS12_F_PKCS12_UNPACK_P7DATA, PKCS12_R_DECODE_ERROR);
	+ return NULL;
	+ }
	+
	return PKCS12_item_decrypt_d2i(p7->d.encrypted->enc_data->algorithm,
	ASN1_ITEM_rptr(PKCS12_SAFEBAGS),
	pass, passlen,
	@@ -159,6 +172,13 @@ STACK_OF(PKCS7) *PKCS12_unpack_authsafes
	PKCS12_R_CONTENT_TYPE_NOT_DATA);
	return NULL;
	}
	+
	+ if (p12->authsafes->d.data == NULL) {
	+ PKCS12err(PKCS12_F_PKCS12_UNPACK_AUTHSAFES,
	+ PKCS12_R_DECODE_ERROR);
	+ return NULL;
	+ }
	+
	return ASN1_item_unpack(p12->authsafes->d.data,
	ASN1_ITEM_rptr(PKCS12_AUTHSAFES));
	}
	--- a/crypto/pkcs12/p12_mutl.c
	+++ b/crypto/pkcs12/p12_mutl.c
	@@ -93,6 +93,11 @@ static int pkcs12_gen_mac(PKCS12 *p12, c
	return 0;
	}

	+ if (p12->authsafes->d.data == NULL) {
	+ PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_DECODE_ERROR);
	+ return 0;
	+ }
	+
	salt = p12->mac->salt->data;
	saltlen = p12->mac->salt->length;
	if (!p12->mac->iter)
	--- a/crypto/pkcs12/p12_npas.c
	+++ b/crypto/pkcs12/p12_npas.c
	@@ -78,8 +78,9 @@ static int newpass_p12(PKCS12 *p12, cons
	bags = PKCS12_unpack_p7data(p7);
	} else if (bagnid == NID_pkcs7_encrypted) {
	bags = PKCS12_unpack_p7encdata(p7, oldpass, -1);
	- if (!alg_get(p7->d.encrypted->enc_data->algorithm,
	- &pbe_nid, &pbe_iter, &pbe_saltlen))
	+ if (p7->d.encrypted == NULL
	+ \|\| !alg_get(p7->d.encrypted->enc_data->algorithm,
	+ &pbe_nid, &pbe_iter, &pbe_saltlen))
	goto err;
	} else {
	continue;
	--- a/crypto/pkcs7/pk7_mime.c
	+++ b/crypto/pkcs7/pk7_mime.c
	@@ -30,10 +30,13 @@ int SMIME_write_PKCS7(BIO bio, PKCS7 p
	{
	STACK_OF(X509_ALGOR) *mdalgs;
	int ctype_nid = OBJ_obj2nid(p7->type);
	- if (ctype_nid == NID_pkcs7_signed)
	+ if (ctype_nid == NID_pkcs7_signed) {
	+ if (p7->d.sign == NULL)
	+ return 0;
	mdalgs = p7->d.sign->md_algs;
	- else
	+ } else {
	mdalgs = NULL;
	+ }

	flags ^= SMIME_OLDMIME;