!244 fix CVE-2023-3446

From: @hzero1996 Reviewed-by: @zcfsite Signed-off-by: @zcfsite
2023-07-24 06:20:31 +00:00 · 2023-07-24 06:20:31 +00:00 · f9ba7bcdc5
commit f9ba7bcdc5
parent 392e7d1d9f 6c3ef00c5c
4 changed files with 308 additions and 1 deletions
--- a/backport-Add-a-test-for-CVE-2023-3446.patch
+++ b/backport-Add-a-test-for-CVE-2023-3446.patch
@ -0,0 +1,61 @@
 From e9ddae17e302a7e6a0daf00f25efed7c70f114d4 Mon Sep 17 00:00:00 2001
 From: Matt Caswell <matt@openssl.org>
 Date: Fri, 7 Jul 2023 14:39:48 +0100
 Subject: [PATCH] Add a test for CVE-2023-3446
 Confirm that the only errors DH_check() finds with DH parameters with an
 excessively long modulus is that the modulus is too large. We should not
 be performing time consuming checks using that modulus.
 Reviewed-by: Paul Dale <pauli@openssl.org>
 Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
 Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
 Reviewed-by: Tomas Mraz <tomas@openssl.org>
 (Merged from https://github.com/openssl/openssl/pull/21452)
 ---
 test/dhtest.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
 diff --git a/test/dhtest.c b/test/dhtest.c
 index 9d5609b943..00b3c47101 100644
 --- a/test/dhtest.c
 +++ b/test/dhtest.c
@@ -63,7 +63,7 @@ static int dh_test(void)
         || !TEST_true(DH_set0_pqg(dh, p, q, g)))
         goto err1;
 -    if (!DH_check(dh, &i))
 +    if (!TEST_true(DH_check(dh, &i)))
         goto err2;
     if (!TEST_false(i & DH_CHECK_P_NOT_PRIME)
             || !TEST_false(i & DH_CHECK_P_NOT_SAFE_PRIME)
@@ -123,6 +123,17 @@ static int dh_test(void)
     /* check whether the public key was calculated correctly */
     TEST_uint_eq(BN_get_word(pub_key2), 3331L);
 +    /* Modulus of size: dh check max modulus bits + 1 */
 +    if (!TEST_true(BN_set_word(p, 1))
 +            || !TEST_true(BN_lshift(p, p, OPENSSL_DH_CHECK_MAX_MODULUS_BITS)))
 +        goto err3;
 +
 +    /*
 +     * We expect no checks at all for an excessively large modulus
 +     */
 +    if (!TEST_false(DH_check(dh, &i)))
 +        goto err3;
 +
     /*
      * II) key generation
      */
@@ -137,7 +148,7 @@ static int dh_test(void)
         goto err3;
     /* ... and check whether it is valid */
 -    if (!DH_check(a, &i))
 +    if (!TEST_true(DH_check(a, &i)))
         goto err3;
     if (!TEST_false(i & DH_CHECK_P_NOT_PRIME)
             || !TEST_false(i & DH_CHECK_P_NOT_SAFE_PRIME)
 -- 
 2.36.1
--- a/backport-CVE-2023-3446-Fix-DH_check-excessive-time-with-over-sized-modulus.patch
+++ b/backport-CVE-2023-3446-Fix-DH_check-excessive-time-with-over-sized-modulus.patch
@ -0,0 +1,130 @@
 From 8780a896543a654e757db1b9396383f9d8095528 Mon Sep 17 00:00:00 2001
 From: Matt Caswell <matt@openssl.org>
 Date: Thu, 6 Jul 2023 16:36:35 +0100
 Subject: [PATCH] Fix DH_check() excessive time with over sized modulus
 The DH_check() function checks numerous aspects of the key or parameters
 that have been supplied. Some of those checks use the supplied modulus
 value even if it is excessively large.
 There is already a maximum DH modulus size (10,000 bits) over which
 OpenSSL will not generate or derive keys. DH_check() will however still
 perform various tests for validity on such a large modulus. We introduce a
 new maximum (32,768) over which DH_check() will just fail.
 An application that calls DH_check() and supplies a key or parameters
 obtained from an untrusted source could be vulnerable to a Denial of
 Service attack.
 The function DH_check() is itself called by a number of other OpenSSL
 functions. An application calling any of those other functions may
 similarly be affected. The other functions affected by this are
 DH_check_ex() and EVP_PKEY_param_check().
 CVE-2023-3446
 Reviewed-by: Paul Dale <pauli@openssl.org>
 Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
 Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
 Reviewed-by: Tomas Mraz <tomas@openssl.org>
 (Merged from https://github.com/openssl/openssl/pull/21452)
 ---
 crypto/dh/dh_check.c    | 6 ++++++
 crypto/dh/dh_err.c      | 3 ++-
 crypto/err/openssl.txt  | 3 ++-
 include/openssl/dh.h    | 3 +++
 include/openssl/dherr.h | 3 ++-
 5 files changed, 15 insertions(+), 3 deletions(-)
 diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
 index 4ac169e75c..e5f9dd5030 100644
 --- a/crypto/dh/dh_check.c
 +++ b/crypto/dh/dh_check.c
@@ -101,6 +101,12 @@ int DH_check(const DH *dh, int *ret)
     BN_CTX *ctx = NULL;
     BIGNUM *t1 = NULL, *t2 = NULL;
 +    /* Don't do any checks at all with an excessively large modulus */
 +    if (BN_num_bits(dh->p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
 +        DHerr(DH_F_DH_CHECK, DH_R_MODULUS_TOO_LARGE);
 +        return 0;
 +    }
 +
     if (!DH_check_params(dh, ret))
         return 0;
 diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c
 index 7285587b4a..92800d3fcc 100644
 --- a/crypto/dh/dh_err.c
 +++ b/crypto/dh/dh_err.c
@@ -1,6 +1,6 @@
 /*
  * Generated by util/mkerr.pl DO NOT EDIT
 - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
 + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -18,6 +18,7 @@ static const ERR_STRING_DATA DH_str_functs[] = {
     {ERR_PACK(ERR_LIB_DH, DH_F_DHPARAMS_PRINT_FP, 0), "DHparams_print_fp"},
     {ERR_PACK(ERR_LIB_DH, DH_F_DH_BUILTIN_GENPARAMS, 0),
      "dh_builtin_genparams"},
 +    {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK, 0), "DH_check"},
     {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_EX, 0), "DH_check_ex"},
     {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PARAMS_EX, 0), "DH_check_params_ex"},
     {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PUB_KEY_EX, 0), "DH_check_pub_key_ex"},
 diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
 index 9f91a4a811..c0a3cd720b 100644
 --- a/crypto/err/openssl.txt
 +++ b/crypto/err/openssl.txt
@@ -1,4 +1,4 @@
 -# Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved.
 +# Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the OpenSSL license (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@@ -401,6 +401,7 @@ CT_F_SCT_SET_VERSION:104:SCT_set_version
 DH_F_COMPUTE_KEY:102:compute_key
 DH_F_DHPARAMS_PRINT_FP:101:DHparams_print_fp
 DH_F_DH_BUILTIN_GENPARAMS:106:dh_builtin_genparams
 +DH_F_DH_CHECK:126:DH_check
 DH_F_DH_CHECK_EX:121:DH_check_ex
 DH_F_DH_CHECK_PARAMS_EX:122:DH_check_params_ex
 DH_F_DH_CHECK_PUB_KEY_EX:123:DH_check_pub_key_ex
 diff --git a/include/openssl/dh.h b/include/openssl/dh.h
 index 3527540cdd..892e31559d 100644
 --- a/include/openssl/dh.h
 +++ b/include/openssl/dh.h
@@ -29,6 +29,9 @@ extern "C" {
 # ifndef OPENSSL_DH_MAX_MODULUS_BITS
 #  define OPENSSL_DH_MAX_MODULUS_BITS    10000
 # endif
 +# ifndef OPENSSL_DH_CHECK_MAX_MODULUS_BITS
 +#  define OPENSSL_DH_CHECK_MAX_MODULUS_BITS  32768
 +# endif
 # define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
 # define OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN 2048
 diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h
 index 916b3bed0b..528c819856 100644
 --- a/include/openssl/dherr.h
 +++ b/include/openssl/dherr.h
@@ -1,6 +1,6 @@
 /*
  * Generated by util/mkerr.pl DO NOT EDIT
 - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
 + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -30,6 +30,7 @@ int ERR_load_DH_strings(void);
 #  define DH_F_COMPUTE_KEY                                 102
 #  define DH_F_DHPARAMS_PRINT_FP                           101
 #  define DH_F_DH_BUILTIN_GENPARAMS                        106
 +#  define DH_F_DH_CHECK                                    126
 #  define DH_F_DH_CHECK_EX                                 121
 #  define DH_F_DH_CHECK_PARAMS_EX                          122
 #  define DH_F_DH_CHECK_PUB_KEY_EX                         123
 -- 
 2.36.1
--- a/backport-update-expired-certificates-for-sm2.patch
+++ b/backport-update-expired-certificates-for-sm2.patch
@ -0,0 +1,110 @@
 From 0f4738ab5ef8085b27e89dba91677f892b5b3689 Mon Sep 17 00:00:00 2001
 From: Tomas Mraz <tomas@openssl.org>
 Date: Thu, 2 Jun 2022 18:12:05 +0200
 Subject: [PATCH] Update further expiring certificates that affect tests
 Namely the smime certificates used in test_cms and the
 SM2 certificates will expire soon and affect tests.
 Fixes #15179
 Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
 Reviewed-by: Paul Dale <pauli@openssl.org>
 (Merged from https://github.com/openssl/openssl/pull/18467)
 (cherry picked from commit 5d219937d067a761fb871483369a6020c60a3cb8)
 ---
 test/certs/sm2-ca-cert.pem        | 22 ++++----
 test/certs/sm2-root.crt           | 22 ++++----
 test/certs/sm2.pem                | 23 ++++----
 diff --git a/test/certs/sm2-ca-cert.pem b/test/certs/sm2-ca-cert.pem
 index 5677ac6c9f6a..70ce71e43091 100644
 --- a/test/certs/sm2-ca-cert.pem
 +++ b/test/certs/sm2-ca-cert.pem
@@ -1,14 +1,14 @@
 -----BEGIN CERTIFICATE-----
 -MIICJDCCAcqgAwIBAgIJAOlkpDpSrmVbMAoGCCqBHM9VAYN1MGgxCzAJBgNVBAYT
 +MIICJzCCAcygAwIBAgIJAOlkpDpSrmVbMAoGCCqBHM9VAYN1MGgxCzAJBgNVBAYT
 AkNOMQswCQYDVQQIDAJMTjERMA8GA1UEBwwIU2hlbnlhbmcxETAPBgNVBAoMCFRl
 -c3QgT3JnMRAwDgYDVQQLDAdUZXN0IE9VMRQwEgYDVQQDDAtUZXN0IFNNMiBDQTAe
 -Fw0xOTAyMTkwNzA1NDhaFw0yMzAzMzAwNzA1NDhaMGgxCzAJBgNVBAYTAkNOMQsw
 -CQYDVQQIDAJMTjERMA8GA1UEBwwIU2hlbnlhbmcxETAPBgNVBAoMCFRlc3QgT3Jn
 -MRAwDgYDVQQLDAdUZXN0IE9VMRQwEgYDVQQDDAtUZXN0IFNNMiBDQTBZMBMGByqG
 -SM49AgEGCCqBHM9VAYItA0IABHRYnqErofBdXPptvvO7+BSVJxcpHuTGnZ+UPrbU
 -5kVEUMaUnNOeMJZl/vRGimZCm/AkReJmRfnb15ESHR+ssp6jXTBbMB0GA1UdDgQW
 -BBTFjcWu/zJgSZ5SKUlU5Vx4/0W5dDAfBgNVHSMEGDAWgBTFjcWu/zJgSZ5SKUlU
 -5Vx4/0W5dDAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjAKBggqgRzPVQGDdQNI
 -ADBFAiEAs6byi1nSQtFELOw/2tQIv5AEsZFR5MJ/oB2ztXzs2LYCIEfIw4xlUH6X
 -YFhs4RnIa0K9Ng1ebsGPrifYkudwBIk3
 +c3QgT3JnMRAwDgYDVQQLDAdUZXN0IE9VMRQwEgYDVQQDDAtUZXN0IFNNMiBDQTAg
 +Fw0yMjA2MDIxNTQ5MzlaGA8yMTIyMDUwOTE1NDkzOVowaDELMAkGA1UEBhMCQ04x
 +CzAJBgNVBAgMAkxOMREwDwYDVQQHDAhTaGVueWFuZzERMA8GA1UECgwIVGVzdCBP
 +cmcxEDAOBgNVBAsMB1Rlc3QgT1UxFDASBgNVBAMMC1Rlc3QgU00yIENBMFkwEwYH
 +KoZIzj0CAQYIKoEcz1UBgi0DQgAEdFieoSuh8F1c+m2+87v4FJUnFyke5Madn5Q+
 +ttTmRURQxpSc054wlmX+9EaKZkKb8CRF4mZF+dvXkRIdH6yynqNdMFswHQYDVR0O
 +BBYEFMWNxa7/MmBJnlIpSVTlXHj/Rbl0MB8GA1UdIwQYMBaAFMWNxa7/MmBJnlIp
 +SVTlXHj/Rbl0MAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMAoGCCqBHM9VAYN1
 +A0kAMEYCIQC3c2TkO6Lyxt5GNZqoZNuMEphjL9K7W1TsX6mHzlhHDwIhAICXy2XC
 +WsTzdrMZUXLtrDDFOq+3FaD4pe1HP2LZFNpu
 -----END CERTIFICATE-----
 diff --git a/test/certs/sm2-root.crt b/test/certs/sm2-root.crt
 index 5677ac6c9f6a..70ce71e43091 100644
 --- a/test/certs/sm2-root.crt
 +++ b/test/certs/sm2-root.crt
@@ -1,14 +1,14 @@
 -----BEGIN CERTIFICATE-----
 -MIICJDCCAcqgAwIBAgIJAOlkpDpSrmVbMAoGCCqBHM9VAYN1MGgxCzAJBgNVBAYT
 +MIICJzCCAcygAwIBAgIJAOlkpDpSrmVbMAoGCCqBHM9VAYN1MGgxCzAJBgNVBAYT
 AkNOMQswCQYDVQQIDAJMTjERMA8GA1UEBwwIU2hlbnlhbmcxETAPBgNVBAoMCFRl
 -c3QgT3JnMRAwDgYDVQQLDAdUZXN0IE9VMRQwEgYDVQQDDAtUZXN0IFNNMiBDQTAe
 -Fw0xOTAyMTkwNzA1NDhaFw0yMzAzMzAwNzA1NDhaMGgxCzAJBgNVBAYTAkNOMQsw
 -CQYDVQQIDAJMTjERMA8GA1UEBwwIU2hlbnlhbmcxETAPBgNVBAoMCFRlc3QgT3Jn
 -MRAwDgYDVQQLDAdUZXN0IE9VMRQwEgYDVQQDDAtUZXN0IFNNMiBDQTBZMBMGByqG
 -SM49AgEGCCqBHM9VAYItA0IABHRYnqErofBdXPptvvO7+BSVJxcpHuTGnZ+UPrbU
 -5kVEUMaUnNOeMJZl/vRGimZCm/AkReJmRfnb15ESHR+ssp6jXTBbMB0GA1UdDgQW
 -BBTFjcWu/zJgSZ5SKUlU5Vx4/0W5dDAfBgNVHSMEGDAWgBTFjcWu/zJgSZ5SKUlU
 -5Vx4/0W5dDAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjAKBggqgRzPVQGDdQNI
 -ADBFAiEAs6byi1nSQtFELOw/2tQIv5AEsZFR5MJ/oB2ztXzs2LYCIEfIw4xlUH6X
 -YFhs4RnIa0K9Ng1ebsGPrifYkudwBIk3
 +c3QgT3JnMRAwDgYDVQQLDAdUZXN0IE9VMRQwEgYDVQQDDAtUZXN0IFNNMiBDQTAg
 +Fw0yMjA2MDIxNTQ5MzlaGA8yMTIyMDUwOTE1NDkzOVowaDELMAkGA1UEBhMCQ04x
 +CzAJBgNVBAgMAkxOMREwDwYDVQQHDAhTaGVueWFuZzERMA8GA1UECgwIVGVzdCBP
 +cmcxEDAOBgNVBAsMB1Rlc3QgT1UxFDASBgNVBAMMC1Rlc3QgU00yIENBMFkwEwYH
 +KoZIzj0CAQYIKoEcz1UBgi0DQgAEdFieoSuh8F1c+m2+87v4FJUnFyke5Madn5Q+
 +ttTmRURQxpSc054wlmX+9EaKZkKb8CRF4mZF+dvXkRIdH6yynqNdMFswHQYDVR0O
 +BBYEFMWNxa7/MmBJnlIpSVTlXHj/Rbl0MB8GA1UdIwQYMBaAFMWNxa7/MmBJnlIp
 +SVTlXHj/Rbl0MAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMAoGCCqBHM9VAYN1
 +A0kAMEYCIQC3c2TkO6Lyxt5GNZqoZNuMEphjL9K7W1TsX6mHzlhHDwIhAICXy2XC
 +WsTzdrMZUXLtrDDFOq+3FaD4pe1HP2LZFNpu
 -----END CERTIFICATE-----
 diff --git a/test/certs/sm2.pem b/test/certs/sm2.pem
 index 189abb137625..daf12926aff9 100644
 --- a/test/certs/sm2.pem
 +++ b/test/certs/sm2.pem
@@ -1,13 +1,14 @@
 -----BEGIN CERTIFICATE-----
 -MIIB6DCCAY6gAwIBAgIJAKH2BR6ITHZeMAoGCCqBHM9VAYN1MGgxCzAJBgNVBAYT
 -AkNOMQswCQYDVQQIDAJMTjERMA8GA1UEBwwIU2hlbnlhbmcxETAPBgNVBAoMCFRl
 -c3QgT3JnMRAwDgYDVQQLDAdUZXN0IE9VMRQwEgYDVQQDDAtUZXN0IFNNMiBDQTAe
 -Fw0xOTAyMTkwNzA1NDhaFw0yMzAzMzAwNzA1NDhaMG8xCzAJBgNVBAYTAkNOMQsw
 -CQYDVQQIDAJMTjERMA8GA1UEBwwIU2hlbnlhbmcxETAPBgNVBAoMCFRlc3QgT3Jn
 -MRAwDgYDVQQLDAdUZXN0IE9VMRswGQYDVQQDDBJUZXN0IFNNMiBTaWduIENlcnQw
 -WTATBgcqhkjOPQIBBggqgRzPVQGCLQNCAAQwqeNkWp7fiu1KZnuDkAucpM8piEzE
 -TL1ymrcrOBvv8mhNNkeb20asbWgFQI2zOrSM99/sXGn9rM2/usM/MlcaoxowGDAJ
 -BgNVHRMEAjAAMAsGA1UdDwQEAwIGwDAKBggqgRzPVQGDdQNIADBFAiEA9edBnAqT
 -TNuGIUIvXsj6/nP+AzXA9HGtAIY4nrqW8LkCIHyZzhRTlxYtgfqkDl0OK5QQRCZH
 -OZOfmtx613VyzXwc
 +MIICNDCCAdugAwIBAgIUOMbsiFLCy2BCPtfHQSdG4R1+3BowCgYIKoEcz1UBg3Uw
 +aDELMAkGA1UEBhMCQ04xCzAJBgNVBAgMAkxOMREwDwYDVQQHDAhTaGVueWFuZzER
 +MA8GA1UECgwIVGVzdCBPcmcxEDAOBgNVBAsMB1Rlc3QgT1UxFDASBgNVBAMMC1Rl
 +c3QgU00yIENBMCAXDTIyMDYwMjE1NTU0OFoYDzIxMjIwNTA5MTU1NTQ4WjBvMQsw
 +CQYDVQQGEwJDTjELMAkGA1UECAwCTE4xETAPBgNVBAcMCFNoZW55YW5nMREwDwYD
 +VQQKDAhUZXN0IE9yZzEQMA4GA1UECwwHVGVzdCBPVTEbMBkGA1UEAwwSVGVzdCBT
 +TTIgU2lnbiBDZXJ0MFkwEwYHKoZIzj0CAQYIKoEcz1UBgi0DQgAEMKnjZFqe34rt
 +SmZ7g5ALnKTPKYhMxEy9cpq3Kzgb7/JoTTZHm9tGrG1oBUCNszq0jPff7Fxp/azN
 +v7rDPzJXGqNaMFgwCQYDVR0TBAIwADALBgNVHQ8EBAMCBsAwHQYDVR0OBBYEFNPl
 +u8JjXkhQPiJ5bYrrq+voqBUlMB8GA1UdIwQYMBaAFMWNxa7/MmBJnlIpSVTlXHj/
 +Rbl0MAoGCCqBHM9VAYN1A0cAMEQCIG3gG1D7T7ltn6Gz1UksBZahgBE6jmkQ9Sp9
 +/3aY5trlAiB5adxiK0avV0LEKfbzTdff9skoZpd7vje1QTW0l0HaGg==
 -----END CERTIFICATE-----
--- a/openssl.spec
+++ b/openssl.spec
@ -2,7 +2,7 @@
 Name:        openssl
 Epoch:       1
 Version:     1.1.1m
-Release:     21
+Release:     22
 Summary:     Cryptography and SSL/TLS Toolkit
 License:     OpenSSL and SSLeay
 URL:         https://www.openssl.org/
@ -60,6 +60,9 @@ Patch49:     backport-Add-a-Certificate-Policies-Test.patch
 Patch50:     backport-Generate-some-certificates-with-the-certificatePolic.patch
 Patch51:     Fix-SM4-XTS-build-failure-using-clang.patch
 Patch52:     backport-CVE-2023-2650-Restrict-the-size-of-OBJECT-IDENTIFIERs-that-OBJ_obj.patch
 Patch53:     backport-Add-a-test-for-CVE-2023-3446.patch
 Patch54:     backport-CVE-2023-3446-Fix-DH_check-excessive-time-with-over-sized-modulus.patch
 Patch55:     backport-update-expired-certificates-for-sm2.patch
 BuildRequires: gcc perl make lksctp-tools-devel coreutils util-linux zlib-devel
 Requires:    coreutils %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
@ -266,6 +269,9 @@ make test || :
 %ldconfig_scriptlets libs
 %changelog
 * Sat Jul 22 2023 zcfsite <zhchf2010@126.com> - 1:1.1.1m-22
 * fix CVE-2023-3446
 * Mon Jun 12 2023 zhujianwei <zhujianwei7@huawei.com> - 1:1.1.1m-21
 - fix CVE-2023-2650