CVE-2018-0739 CVE-2019-1563 CVE-2020-1971 CVE-2021-23840 CVE-2021-23841 CVE-2022-0778 CVE-2021-3712 (cherry picked from commit a582068887203f626772052e466343c6ef2d0719)
Backport of:

From 122a19ab48091c657f7cb1fb3af9fc07bd557bbf Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Wed, 10 Feb 2021 16:10:36 +0000
Subject: [PATCH] Fix Null pointer deref in X509_issuer_and_serial_hash()

The OpenSSL public API function X509_issuer_and_serial_hash() attempts
to create a unique hash value based on the issuer and serial number data
contained within an X509 certificate. However it fails to correctly
handle any errors that may occur while parsing the issuer field (which
might occur if the issuer field is maliciously constructed). This may
subsequently result in a NULL pointer deref and a crash leading to a
potential denial of service attack.

The function X509_issuer_and_serial_hash() is never directly called by
OpenSSL itself so applications are only vulnerable if they use this
function directly and they use it on certificates that may have been
obtained from untrusted sources.

CVE-2021-23841

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(cherry picked from commit 8130d654d1de922ea224fa18ee3bc7262edc39c0)
---
crypto/x509/x509_cmp.c | 2 ++
1 file changed, 2 insertions(+)
--- a/Cryptlib/OpenSSL/crypto/x509/x509_cmp.c
+++ b/Cryptlib/OpenSSL/crypto/x509/x509_cmp.c
@@ -87,6 +87,8 @@ unsigned long X509_issuer_and_serial_has
EVP_MD_CTX_init(&ctx);
f = X509_NAME_oneline(a->cert_info->issuer, NULL, 0);
+ if (f == NULL)
+ goto err;
if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL))
goto err;
if (!EVP_DigestUpdate(&ctx, (unsigned char *)f, strlen(f)))
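Review bot: The new `if (f == NULL) goto err;` after the X509_NAME_oneline() call jumps to an `err` label that lies outside this hunk, so the fix cannot be fully checked from the visible lines. Please confirm that the err path tolerates a NULL `f` when it releases it and that it still cleans up `ctx`, which EVP_MD_CTX_init() has already initialised by that point. Since the function returns unsigned long and has no separate error channel, the value a caller receives on this failure should be stated in the function's documentation. The diffstat shows 2 insertions in one file, so no regression test comes with the backport; a test that calls X509_issuer_and_serial_hash() on a certificate whose issuer makes X509_NAME_oneline() return NULL would keep the check from being lost in a later rebase of the bundled Cryptlib/OpenSSL tree.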