#4768: openssl-1.1.1i
--------------------+-----------------------
Reporter: renodr | Owner: lfs-book
Type: task | Status: new
Priority: high | Milestone: 10.1
Component: Book | Version: SVN
Severity: normal | Resolution:
Keywords: |
--------------------+-----------------------
Changes (by renodr):
* priority: normal => high
Comment:
{{{
OpenSSL Security Advisory [08 December 2020]
============================================
EDIPARTYNAME NULL pointer de-reference (CVE-2020-1971)
======================================================
Severity: High
The X.509 GeneralName type is a generic type for representing different
types
of names. One of those name types is known as EDIPartyName. OpenSSL
provides a
function GENERAL_NAME_cmp which compares different instances of a
GENERAL_NAME
to see if they are equal or not. This function behaves incorrectly when
both
GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a
crash
may occur leading to a possible denial of service attack.
OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes:
1) Comparing CRL distribution point names between an available CRL and a
CRL
distribution point embedded in an X509 certificate
2) When verifying that a timestamp response token signer matches the
timestamp
authority name (exposed via the API functions TS_RESP_verify_response
and
TS_RESP_verify_token)
If an attacker can control both items being compared then that attacker
could
trigger a crash. For example if the attacker can trick a client or server
into
checking a malicious certificate against a malicious CRL then this may
occur.
Note that some applications automatically download CRLs based on a URL
embedded
in a certificate. This checking happens prior to the signatures on the
certificate and CRL being verified. OpenSSL's s_server, s_client and
verify
tools have support for the "-crl_download" option which implements
automatic
CRL downloading and this attack has been demonstrated to work against
those
tools.
Note that an unrelated bug means that affected versions of OpenSSL cannot
parse
or construct correct encodings of EDIPARTYNAME. However it is possible to
construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and
hence
trigger this attack.
All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other
OpenSSL
releases are out of support and have not been checked.
OpenSSL 1.1.1 users should upgrade to 1.1.1i.
OpenSSL 1.0.2 is out of support and no longer receiving public updates.
Premium
support customers of OpenSSL 1.0.2 should upgrade to 1.0.2x. Other users
should
upgrade to OpenSSL 1.1.1i.
This issue was reported to OpenSSL on 9th November 2020 by David Benjamin
(Google). Initial analysis was performed by David Benjamin with additional
analysis by Matt Caswell (OpenSSL). The fix was developed by Matt Caswell.
Note
====
OpenSSL 1.0.2 is out of support and no longer receiving public updates.
Extended
support is available for premium support customers:
https://www.openssl.org/support/contracts.html
OpenSSL 1.1.0 is out of support and no longer receiving updates of any
kind.
The impact of this issue on OpenSSL 1.1.0 has not been analysed.
Users of these versions should upgrade to OpenSSL 1.1.1.
References
==========
URL for this Security Advisory:
https://www.openssl.org/news/secadv/20201208.txt
Note: the online version of the advisory may be updated with additional
details
over time.
For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
}}}
--
Ticket URL: <http://wiki.linuxfromscratch.org/lfs/ticket/4768#comment:1>
LFS Trac <http://wiki.linuxfromscratch.org/lfs/>
Linux From Scratch: Your Distro, Your Rules.
--
http://lists.linuxfromscratch.org/listinfo/lfs-book
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
