fix CVE-2023-0286
This commit is contained in:
jinlun
parent
0a1a9d4461
commit
dfbc3ae056
38
backport-CVE-2023-0286.patch
Normal file
38
backport-CVE-2023-0286.patch
Normal file
@ -0,0 +1,38 @@
|
||||
From 2c6c9d439b484e1ba9830d8454a34fa4f80fdfe9 Mon Sep 17 00:00:00 2001
|
||||
From: Hugo Landau <hlandau@openssl.org>
|
||||
Date: Tue, 17 Jan 2023 17:45:42 +0000
|
||||
Subject: [PATCH] CVE-2023-0286: Fix GENERAL_NAME_cmp for x400Address (1.1.1)
|
||||
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
---
|
||||
crypto/x509v3/v3_genn.c | 2 +-
|
||||
include/openssl/x509v3.h | 2 +-
|
||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/crypto/x509v3/v3_genn.c b/crypto/x509v3/v3_genn.c
|
||||
index 87a5eff47cd9..e54ddc55c957 100644
|
||||
--- a/Cryptlib/OpenSSL/crypto/x509v3/v3_genn.c
|
||||
+++ b/Cryptlib/OpenSSL/crypto/x509v3/v3_genn.c
|
||||
@@ -98,7 +98,7 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
|
||||
return -1;
|
||||
switch (a->type) {
|
||||
case GEN_X400:
|
||||
- result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address);
|
||||
+ result = ASN1_STRING_cmp(a->d.x400Address, b->d.x400Address);
|
||||
break;
|
||||
|
||||
case GEN_EDIPARTY:
|
||||
diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h
|
||||
index 90fa3592ce58..e61c0f29d4b4 100644
|
||||
--- a/Cryptlib/Include/openssl/x509v3.h
|
||||
+++ b/Cryptlib/Include/openssl/x509v3.h
|
||||
@@ -136,7 +136,7 @@ typedef struct GENERAL_NAME_st {
|
||||
OTHERNAME *otherName; /* otherName */
|
||||
ASN1_IA5STRING *rfc822Name;
|
||||
ASN1_IA5STRING *dNSName;
|
||||
- ASN1_TYPE *x400Address;
|
||||
+ ASN1_STRING *x400Address;
|
||||
X509_NAME *directoryName;
|
||||
EDIPARTYNAME *ediPartyName;
|
||||
ASN1_IA5STRING *uniformResourceIdentifier;
|
||||
11
shim.spec
11
shim.spec
@ -25,7 +25,7 @@
|
||||
|
||||
Name: shim
|
||||
Version: 15.6
|
||||
Release: 8
|
||||
Release: 9
|
||||
Summary: First-stage UEFI bootloader
|
||||
ExclusiveArch: x86_64 aarch64
|
||||
License: BSD
|
||||
@ -46,6 +46,7 @@ Patch9:backport-0004-CVE-2020-1971.patch
|
||||
Patch10:backport-CVE-2021-23841.patch
|
||||
Patch11:backport-CVE-2021-3712.patch
|
||||
Patch12:backport-CVE-2022-0778.patch
|
||||
Patch13:backport-CVE-2023-0286.patch
|
||||
|
||||
# Feature for shim SMx support
|
||||
Patch9000:Feature-shim-openssl-add-ec-support.patch
|
||||
@ -54,7 +55,7 @@ Patch9002:Feature-shim-openssl-add-sm2-and-sm3-support.patch
|
||||
Patch9003:Feature-shim-cryptlib-support-sm2-signature-verify.patch
|
||||
Patch9004:Feature-shim-support-sm2-and-sm3-algorithm.patch
|
||||
|
||||
BuildRequires: elfutils-libelf-devel openssl-devel openssl git pesign gnu-efi gnu-efi-devel gcc
|
||||
BuildRequires: elfutils-libelf-devel openssl-devel openssl git pesign gnu-efi gnu-efi-devel gcc vim-common efivar-devel
|
||||
%ifarch aarch64
|
||||
BuildRequires: binutils >= 2.37-7
|
||||
%endif
|
||||
@ -146,6 +147,9 @@ install -m 644 shim%{efi_arch}.efi.debug ${RPM_BUILD_ROOT}/usr/lib/debug/%{shime
|
||||
|
||||
cd ..
|
||||
|
||||
%check
|
||||
make test
|
||||
|
||||
%files
|
||||
%license COPYRIGHT
|
||||
%{shimBOOT}/fb%{efi_arch}.efi
|
||||
@ -166,6 +170,9 @@ cd ..
|
||||
/usr/src/debug/%{name}-%{version}-%{release}/*
|
||||
|
||||
%changelog
|
||||
* Tue Feb 14 2023 jinlun <jinlun@huawei.com> - 15.6-9
|
||||
- fix CVE-2023-0286 and add code check
|
||||
|
||||
* Tue Dec 13 2022 jinlun <jinlun@huawei.com> - 15.6-8
|
||||
- add edition number
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user