aboutsummaryrefslogtreecommitdiff
path: root/share
diff options
context:
space:
mode:
authorGordon Tetlow <gordon@FreeBSD.org>2020-12-09 19:25:22 +0000
committerGordon Tetlow <gordon@FreeBSD.org>2020-12-09 19:25:22 +0000
commit3bde30dfeade63dd3ab4ec55e3a31e8b118b47f8 (patch)
tree82da42a071fe65169099557a519599937397d622 /share
parent3be01a475855e7511ad755b2defd2e0da5d58bbe (diff)
downloaddoc-3bde30dfeade63dd3ab4ec55e3a31e8b118b47f8.tar.gz
doc-3bde30dfeade63dd3ab4ec55e3a31e8b118b47f8.zip
Add SA-20:33.
Approved by: so
Diffstat (limited to 'share')
-rw-r--r--share/security/advisories/FreeBSD-SA-20:33.openssl.asc144
-rw-r--r--share/security/patches/SA-20:33/openssl.patch241
-rw-r--r--share/security/patches/SA-20:33/openssl.patch.asc18
-rw-r--r--share/xml/advisories.xml8
4 files changed, 411 insertions, 0 deletions
diff --git a/share/security/advisories/FreeBSD-SA-20:33.openssl.asc b/share/security/advisories/FreeBSD-SA-20:33.openssl.asc
new file mode 100644
index 0000000000..e5b703dcb6
--- /dev/null
+++ b/share/security/advisories/FreeBSD-SA-20:33.openssl.asc
@@ -0,0 +1,144 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-20:33.openssl Security Advisory
+ The FreeBSD Project
+
+Topic: OpenSSL NULL pointer de-reference
+
+Category: contrib
+Module: openssl
+Announced: 2020-12-08
+Affects: All supported versions of FreeBSD.
+Corrected: 2020-12-08 18:28:49 UTC (stable/12, 12.2-STABLE)
+ 2020-12-08 19:10:40 UTC (releng/12.2, 12.2-RELEASE-p2)
+ 2020-12-08 19:10:40 UTC (releng/12.1, 12.1-RELEASE-p12)
+CVE Name: CVE-2020-1971
+
+Note: The OpenSSL project has published publicly available patches for
+versions included in FreeBSD 12.x. This vulnerability is also known to
+affect OpenSSL versions included in FreeBSD 11.4. However, the OpenSSL
+project is only giving patches for that version to premium support contract
+holders. The FreeBSD project does not have access to these patches and
+recommends FreeBSD 11.4 users to either upgrade to FreeBSD 12.x or leverage
+up to date versions of OpenSSL in the ports/pkg system. The FreeBSD Project
+may update this advisory to include FreeBSD 11.4 should patches become
+publicly available.
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a
+collaborative effort to develop a robust, commercial-grade, full-featured
+Open Source toolkit for the Transport Layer Security (TLS) protocol. It is
+also a general-purpose cryptography library.
+
+II. Problem Description
+
+The X.509 GeneralName type is a generic type for representing different types
+of names. One of those name types is known as EDIPartyName. OpenSSL
+provides a function GENERAL_NAME_cmp which compares different instances of a
+GENERAL_NAME to see if they are equal or not. This function behaves
+incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME.
+
+III. Impact
+
+An attacker who is able to control both items being compared can trigger a
+NULL pointer dereference and a crash may occur leading to a possible denial
+of service attack. As an example, if an attacker can trick a client of
+server to check a maliciously constructed certificate against a malicious CRL
+could trigger the NULL dereference.
+
+IV. Workaround
+
+No workaround is available.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-20:33/openssl.patch
+# fetch https://security.FreeBSD.org/patches/SA-20:33/openssl.patch.asc
+# gpg --verify openssl.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all daemons that use the library, or reboot the system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r368459
+releng/12.2/ r368463
+releng/12.1/ r368463
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://www.openssl.org/news/secadv/20201208.txt>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1971>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:33.openssl.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl/P6+RfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cI4zQ//dy/tBaAq+kvGkWry74LzvqdZ5c0IIWH1UIrDab0wgmj8H5siP3Rpp7OB
+GKtpA+gDDmIgbe80fD+L6L5LR59wBU3sfyYPIcKIbPGl4ix2C5HK7reGns1qoX+O
+BFJd3gyPVeq4FD5/+btynyom8lcR//ta4dKKz2TERfd27iL8fM0AoLl+JI/axzJS
+d06Z2kA0gRo528DsVRsTbiZFINfhGm8wzeXYpAxwbpnedswOeukOxTsKXrdtSAy+
+BCq5BHdBxL/z4A2QLlrsYqpQH0Ty77ueGjqrq4QPFwq7dxSMDkfzz+YeGPKAvGsU
+lwyE2LlkP+531y4ueeGs5K6zRk8jDn7hJs+HfAtTy7y6d+VX9h7wRSssozC9DsV4
+87OWHkXOEj5LeDRDfrEKVLx+QBqRcOOY6mkT3mb5dB7o9bmqxtjf3CaQaA7eV7Y8
+a9QJvpO37m1ZpCC/kXACUPwmwbc5q8sjOsAcQiRAVeom6coFwDxs9u+yHX3uCLRJ
+zorgaLgce/c7yLUoQ/bA1/bfuOE7qIwxK7JosZSxv59CvavAhN/hBUcuL7CPCGrP
+u9LyYGPoYLXUj4CBKI7FmGkQVhNCLDhUYdvrVyRbTy3hihi1VtbFEZ8Dhipm4nL7
+Oko1LxjLb1dJiHEj9kHtNWRmhueuErxkgA+GWLlsJpjlGlC/YAU=
+=5e1s
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/SA-20:33/openssl.patch b/share/security/patches/SA-20:33/openssl.patch
new file mode 100644
index 0000000000..b58161fddd
--- /dev/null
+++ b/share/security/patches/SA-20:33/openssl.patch
@@ -0,0 +1,241 @@
+--- crypto/openssl/crypto/asn1/asn1_err.c.orig
++++ crypto/openssl/crypto/asn1/asn1_err.c
+@@ -1,6 +1,6 @@
+ /*
+ * Generated by util/mkerr.pl DO NOT EDIT
+- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+@@ -49,6 +49,7 @@
+ "asn1_item_embed_d2i"},
+ {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_ITEM_EMBED_NEW, 0),
+ "asn1_item_embed_new"},
++ {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_ITEM_EX_I2D, 0), "ASN1_item_ex_i2d"},
+ {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_ITEM_FLAGS_I2D, 0),
+ "asn1_item_flags_i2d"},
+ {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_ITEM_I2D_BIO, 0), "ASN1_item_i2d_bio"},
+@@ -160,6 +161,7 @@
+ "asn1 sig parse error"},
+ {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_AUX_ERROR), "aux error"},
+ {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_BAD_OBJECT_HEADER), "bad object header"},
++ {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_BAD_TEMPLATE), "bad template"},
+ {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_BMPSTRING_IS_WRONG_LENGTH),
+ "bmpstring is wrong length"},
+ {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_BN_LIB), "bn lib"},
+--- crypto/openssl/crypto/asn1/tasn_dec.c.orig
++++ crypto/openssl/crypto/asn1/tasn_dec.c
+@@ -182,6 +182,15 @@
+ tag, aclass, opt, ctx);
+
+ case ASN1_ITYPE_MSTRING:
++ /*
++ * It never makes sense for multi-strings to have implicit tagging, so
++ * if tag != -1, then this looks like an error in the template.
++ */
++ if (tag != -1) {
++ ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ASN1_R_BAD_TEMPLATE);
++ goto err;
++ }
++
+ p = *in;
+ /* Just read in tag and class */
+ ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, NULL,
+@@ -199,6 +208,7 @@
+ ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ASN1_R_MSTRING_NOT_UNIVERSAL);
+ goto err;
+ }
++
+ /* Check tag matches bit map */
+ if (!(ASN1_tag2bit(otag) & it->utype)) {
+ /* If OPTIONAL, assume this is OK */
+@@ -215,6 +225,15 @@
+ return ef->asn1_ex_d2i(pval, in, len, it, tag, aclass, opt, ctx);
+
+ case ASN1_ITYPE_CHOICE:
++ /*
++ * It never makes sense for CHOICE types to have implicit tagging, so
++ * if tag != -1, then this looks like an error in the template.
++ */
++ if (tag != -1) {
++ ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ASN1_R_BAD_TEMPLATE);
++ goto err;
++ }
++
+ if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
+ goto auxerr;
+ if (*pval) {
+--- crypto/openssl/crypto/asn1/tasn_enc.c.orig
++++ crypto/openssl/crypto/asn1/tasn_enc.c
+@@ -103,9 +103,25 @@
+ return asn1_i2d_ex_primitive(pval, out, it, tag, aclass);
+
+ case ASN1_ITYPE_MSTRING:
++ /*
++ * It never makes sense for multi-strings to have implicit tagging, so
++ * if tag != -1, then this looks like an error in the template.
++ */
++ if (tag != -1) {
++ ASN1err(ASN1_F_ASN1_ITEM_EX_I2D, ASN1_R_BAD_TEMPLATE);
++ return -1;
++ }
+ return asn1_i2d_ex_primitive(pval, out, it, -1, aclass);
+
+ case ASN1_ITYPE_CHOICE:
++ /*
++ * It never makes sense for CHOICE types to have implicit tagging, so
++ * if tag != -1, then this looks like an error in the template.
++ */
++ if (tag != -1) {
++ ASN1err(ASN1_F_ASN1_ITEM_EX_I2D, ASN1_R_BAD_TEMPLATE);
++ return -1;
++ }
+ if (asn1_cb && !asn1_cb(ASN1_OP_I2D_PRE, pval, it, NULL))
+ return 0;
+ i = asn1_get_choice_selector(pval, it);
+--- crypto/openssl/crypto/err/openssl.txt.orig
++++ crypto/openssl/crypto/err/openssl.txt
+@@ -36,6 +36,7 @@
+ ASN1_F_ASN1_ITEM_DUP:191:ASN1_item_dup
+ ASN1_F_ASN1_ITEM_EMBED_D2I:120:asn1_item_embed_d2i
+ ASN1_F_ASN1_ITEM_EMBED_NEW:121:asn1_item_embed_new
++ASN1_F_ASN1_ITEM_EX_I2D:144:ASN1_item_ex_i2d
+ ASN1_F_ASN1_ITEM_FLAGS_I2D:118:asn1_item_flags_i2d
+ ASN1_F_ASN1_ITEM_I2D_BIO:192:ASN1_item_i2d_bio
+ ASN1_F_ASN1_ITEM_I2D_FP:193:ASN1_item_i2d_fp
+@@ -1771,6 +1772,7 @@
+ ASN1_R_ASN1_SIG_PARSE_ERROR:204:asn1 sig parse error
+ ASN1_R_AUX_ERROR:100:aux error
+ ASN1_R_BAD_OBJECT_HEADER:102:bad object header
++ASN1_R_BAD_TEMPLATE:230:bad template
+ ASN1_R_BMPSTRING_IS_WRONG_LENGTH:214:bmpstring is wrong length
+ ASN1_R_BN_LIB:105:bn lib
+ ASN1_R_BOOLEAN_IS_WRONG_LENGTH:106:boolean is wrong length
+--- crypto/openssl/crypto/x509v3/v3_genn.c.orig
++++ crypto/openssl/crypto/x509v3/v3_genn.c
+@@ -22,8 +22,9 @@
+ IMPLEMENT_ASN1_FUNCTIONS(OTHERNAME)
+
+ ASN1_SEQUENCE(EDIPARTYNAME) = {
+- ASN1_IMP_OPT(EDIPARTYNAME, nameAssigner, DIRECTORYSTRING, 0),
+- ASN1_IMP_OPT(EDIPARTYNAME, partyName, DIRECTORYSTRING, 1)
++ /* DirectoryString is a CHOICE type so use explicit tagging */
++ ASN1_EXP_OPT(EDIPARTYNAME, nameAssigner, DIRECTORYSTRING, 0),
++ ASN1_EXP(EDIPARTYNAME, partyName, DIRECTORYSTRING, 1)
+ } ASN1_SEQUENCE_END(EDIPARTYNAME)
+
+ IMPLEMENT_ASN1_FUNCTIONS(EDIPARTYNAME)
+@@ -57,6 +58,37 @@
+ (char *)a);
+ }
+
++static int edipartyname_cmp(const EDIPARTYNAME *a, const EDIPARTYNAME *b)
++{
++ int res;
++
++ if (a == NULL || b == NULL) {
++ /*
++ * Shouldn't be possible in a valid GENERAL_NAME, but we handle it
++ * anyway. OTHERNAME_cmp treats NULL != NULL so we do the same here
++ */
++ return -1;
++ }
++ if (a->nameAssigner == NULL && b->nameAssigner != NULL)
++ return -1;
++ if (a->nameAssigner != NULL && b->nameAssigner == NULL)
++ return 1;
++ /* If we get here then both have nameAssigner set, or both unset */
++ if (a->nameAssigner != NULL) {
++ res = ASN1_STRING_cmp(a->nameAssigner, b->nameAssigner);
++ if (res != 0)
++ return res;
++ }
++ /*
++ * partyName is required, so these should never be NULL. We treat it in
++ * the same way as the a == NULL || b == NULL case above
++ */
++ if (a->partyName == NULL || b->partyName == NULL)
++ return -1;
++
++ return ASN1_STRING_cmp(a->partyName, b->partyName);
++}
++
+ /* Returns 0 if they are equal, != 0 otherwise. */
+ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
+ {
+@@ -66,8 +98,11 @@
+ return -1;
+ switch (a->type) {
+ case GEN_X400:
++ result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address);
++ break;
++
+ case GEN_EDIPARTY:
+- result = ASN1_TYPE_cmp(a->d.other, b->d.other);
++ result = edipartyname_cmp(a->d.ediPartyName, b->d.ediPartyName);
+ break;
+
+ case GEN_OTHERNAME:
+@@ -114,8 +149,11 @@
+ {
+ switch (type) {
+ case GEN_X400:
++ a->d.x400Address = value;
++ break;
++
+ case GEN_EDIPARTY:
+- a->d.other = value;
++ a->d.ediPartyName = value;
+ break;
+
+ case GEN_OTHERNAME:
+@@ -149,8 +187,10 @@
+ *ptype = a->type;
+ switch (a->type) {
+ case GEN_X400:
++ return a->d.x400Address;
++
+ case GEN_EDIPARTY:
+- return a->d.other;
++ return a->d.ediPartyName;
+
+ case GEN_OTHERNAME:
+ return a->d.otherName;
+--- crypto/openssl/include/openssl/asn1err.h.orig
++++ crypto/openssl/include/openssl/asn1err.h
+@@ -1,6 +1,6 @@
+ /*
+ * Generated by util/mkerr.pl DO NOT EDIT
+- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+@@ -11,9 +11,7 @@
+ #ifndef HEADER_ASN1ERR_H
+ # define HEADER_ASN1ERR_H
+
+-# ifndef HEADER_SYMHACKS_H
+-# include <openssl/symhacks.h>
+-# endif
++# include <openssl/symhacks.h>
+
+ # ifdef __cplusplus
+ extern "C"
+@@ -53,6 +51,7 @@
+ # define ASN1_F_ASN1_ITEM_DUP 191
+ # define ASN1_F_ASN1_ITEM_EMBED_D2I 120
+ # define ASN1_F_ASN1_ITEM_EMBED_NEW 121
++# define ASN1_F_ASN1_ITEM_EX_I2D 144
+ # define ASN1_F_ASN1_ITEM_FLAGS_I2D 118
+ # define ASN1_F_ASN1_ITEM_I2D_BIO 192
+ # define ASN1_F_ASN1_ITEM_I2D_FP 193
+@@ -145,6 +144,7 @@
+ # define ASN1_R_ASN1_SIG_PARSE_ERROR 204
+ # define ASN1_R_AUX_ERROR 100
+ # define ASN1_R_BAD_OBJECT_HEADER 102
++# define ASN1_R_BAD_TEMPLATE 230
+ # define ASN1_R_BMPSTRING_IS_WRONG_LENGTH 214
+ # define ASN1_R_BN_LIB 105
+ # define ASN1_R_BOOLEAN_IS_WRONG_LENGTH 106
diff --git a/share/security/patches/SA-20:33/openssl.patch.asc b/share/security/patches/SA-20:33/openssl.patch.asc
new file mode 100644
index 0000000000..c6de85f2ed
--- /dev/null
+++ b/share/security/patches/SA-20:33/openssl.patch.asc
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl/P6+1fFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cLdXw//SUwKJmX7xk+EKpdbwlird/Jmo0WcvyOqtegU+Oxaq0Tg9XaovBjnPgUJ
+QPWA9qphvMMxcdmwpdlZCf5ulz0rlIrXEn41kaowPMy5t3hqF5KwF66d09wilrPG
+W89u3WCg4krKOw4UAEq1lkAOo1aFdQWkN3+0pJaERG5+HitWEqPwl5t+XpTsu82a
+0YY2HNC4vcNyzpLT35VBtSGDoIME11om/i69Kbh9eBk/Ohllw213d2TGWYv6/JqO
+ImQ9H9riYngzXOWAEauSzR5GLLVw1pxV11iXe3eXwWb6/zY5BUipXJ9Q+Jip8H/N
+RT+WMNWZVibmhu3t1gn1d4wsT3LMWXi5Ew+T2tzY71wnMTUIDWEOAaw1jdSWDe25
+5F+ygfTmSZOWEd7UmugwL28N5yjil6aI7LCH9SiM0dOZRGlXv66CIIyBOQjIjVsg
+BRw99pEiSjmNgwtBBaU0enXaZB+z25iFgJwuBZaCMd8povPWnmTE1QYQ2jPzW+kJ
+o0jXistXHYh4omjruV8Y3qssxNuuQj9juUJHgUsuhWukDyR6p36Yc9iLXozvpbT2
+bGnyvfO/QrDSgV1QfGxRCjaLhSpCltpjAfWXxV7OJeVongB/ECXjVgDEC+T4FOXX
+TCmO0eEglt7c3wIk0sg5q2LGy6+owftBK+v0e423jjVJzsphukk=
+=MbZV
+-----END PGP SIGNATURE-----
diff --git a/share/xml/advisories.xml b/share/xml/advisories.xml
index 39cc0402c0..1c246c1e9d 100644
--- a/share/xml/advisories.xml
+++ b/share/xml/advisories.xml
@@ -9,6 +9,14 @@
<month>
<name>12</name>
+ <day>
+ <name>8</name>
+
+ <advisory>
+ <name>FreeBSD-SA-20:33.openssl</name>
+ </advisory>
+
+ </day>
<day>
<name>1</name>