[Pkg-openssl-devel] Bug#1034720: openssl: CVE-2023-1255 CVE-2023-0466 CVE-2023-0465 CVE-2023-0464

Moritz Mühlenhoff jmm at inutil.org
Sat Apr 22 18:27:27 BST 2023


Source: openssl
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for openssl.

CVE-2023-1255[0]:
| Issue summary: The AES-XTS cipher decryption implementation for 64 bit
| ARM platform contains a bug that could cause it to read past the input
| buffer, leading to a crash. Impact summary: Applications that use the
| AES-XTS algorithm on the 64 bit ARM platform can crash in rare
| circumstances. The AES-XTS algorithm is usually used for disk
| encryption. The AES-XTS cipher decryption implementation for 64 bit
| ARM platform will read past the end of the ciphertext buffer if the
| ciphertext size is 4 mod 5 in 16 byte blocks, e.g. 144 bytes or 1024
| bytes. If the memory after the ciphertext buffer is unmapped, this
| will trigger a crash which results in a denial of service. If an
| attacker can control the size and location of the ciphertext buffer
| being decrypted by an application using AES-XTS on 64 bit ARM, the
| application is affected. This is fairly unlikely making this issue a
| Low severity one.

https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=02ac9c9420275868472f33b01def01218742b8bb
https://www.openssl.org/news/secadv/20230420.txt

CVE-2023-0466[1]:
| The function X509_VERIFY_PARAM_add0_policy() is documented to
| implicitly enable the certificate policy check when doing certificate
| verification. However the implementation of the function does not
| enable the check which allows certificates with invalid or incorrect
| policies to pass the certificate verification. As suddenly enabling
| the policy check could break existing deployments it was decided to
| keep the existing behavior of the X509_VERIFY_PARAM_add0_policy()
| function. Instead the applications that require OpenSSL to perform
| certificate policy check need to use X509_VERIFY_PARAM_set1_policies()
| or explicitly enable the policy check by calling
| X509_VERIFY_PARAM_set_flags() with the X509_V_FLAG_POLICY_CHECK flag
| argument. Certificate policy checks are disabled by default in OpenSSL
| and are not commonly used by applications.

https://www.openssl.org/news/secadv/20230328.txt
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=51e8a84ce742db0f6c70510d0159dad8f7825908 (openssl-3.0)

CVE-2023-0465[2]:
| Applications that use a non-default option when verifying certificates
| may be vulnerable to an attack from a malicious CA to circumvent
| certain checks. Invalid certificate policies in leaf certificates are
| silently ignored by OpenSSL and other certificate policy checks are
| skipped for that certificate. A malicious CA could use this to
| deliberately assert invalid certificate policies in order to
| circumvent policy checking on the certificate altogether. Policy
| processing is disabled by default but can be enabled by passing the
| `-policy' argument to the command line utilities or by calling the
| `X509_VERIFY_PARAM_set1_policies()' function.

https://www.openssl.org/news/secadv/20230328.txt
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=1dd43e0709fece299b15208f36cc7c76209ba0bb (openssl-3.0)

CVE-2023-0464[3]:
| A security vulnerability has been identified in all supported versions
| of OpenSSL related to the verification of X.509 certificate chains
| that include policy constraints. Attackers may be able to exploit this
| vulnerability by creating a malicious certificate chain that triggers
| exponential use of computational resources, leading to a denial-of-
| service (DoS) attack on affected systems. Policy processing is
| disabled by default but can be enabled by passing the `-policy'
| argument to the command line utilities or by calling the
| `X509_VERIFY_PARAM_set1_policies()' function.

https://www.openssl.org/news/secadv/20230322.txt
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=959c59c7a0164117e7f8366466a32bb1f8d77ff1 (openssl-3.0)

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-1255
    https://www.cve.org/CVERecord?id=CVE-2023-1255
[1] https://security-tracker.debian.org/tracker/CVE-2023-0466
    https://www.cve.org/CVERecord?id=CVE-2023-0466
[2] https://security-tracker.debian.org/tracker/CVE-2023-0465
    https://www.cve.org/CVERecord?id=CVE-2023-0465
[3] https://security-tracker.debian.org/tracker/CVE-2023-0464
    https://www.cve.org/CVERecord?id=CVE-2023-0464

Please adjust the affected versions in the BTS as needed.


