public inbox for git-commits@fedoraproject.org
help / color / mirror / Atom feed
* [rpms/openssl] rebase_40beta: CVE-2022-3602, CVE-2022-3786: X.509 Email Address Buffer Overflow
@ 2026-06-09 12:45 Dmitry Belyavskiy
0 siblings, 0 replies; only message in thread
From: Dmitry Belyavskiy @ 2026-06-09 12:45 UTC (permalink / raw)
To: git-commits
A new commit has been pushed.
Repo : rpms/openssl
Branch : rebase_40beta
Commit : f7a2c68257990f19a6dd15ea9bdfa6ceb842b86a
Author : Dmitry Belyavskiy <dbelyavs@redhat.com>
Date : 2022-11-01T15:54:54+01:00
Stats : +408/-2 in 2 file(s)
URL : https://src.fedoraproject.org/rpms/openssl/c/f7a2c68257990f19a6dd15ea9bdfa6ceb842b86a?branch=rebase_40beta
Log:
CVE-2022-3602, CVE-2022-3786: X.509 Email Address Buffer Overflow
Resolves: CVE-2022-3602
Resolves: CVE-2022-3786
---
diff --git a/0080-CVE-2022-3602.patch b/0080-CVE-2022-3602.patch
new file mode 100644
index 0000000..4f935e4
--- /dev/null
+++ b/0080-CVE-2022-3602.patch
@@ -0,0 +1,399 @@
+diff --git a/crypto/punycode.c b/crypto/punycode.c
+index 385b4b1df4..b9b4e3d785 100644
+--- a/crypto/punycode.c
++++ b/crypto/punycode.c
+@@ -123,7 +123,6 @@ int ossl_punycode_decode(const char *pEncoded, const size_t enc_len,
+ unsigned int bias = initial_bias;
+ size_t processed_in = 0, written_out = 0;
+ unsigned int max_out = *pout_length;
+-
+ unsigned int basic_count = 0;
+ unsigned int loop;
+
+@@ -181,11 +180,11 @@ int ossl_punycode_decode(const char *pEncoded, const size_t enc_len,
+ n = n + i / (written_out + 1);
+ i %= (written_out + 1);
+
+- if (written_out > max_out)
++ if (written_out >= max_out)
+ return 0;
+
+ memmove(pDecoded + i + 1, pDecoded + i,
+- (written_out - i) * sizeof *pDecoded);
++ (written_out - i) * sizeof(*pDecoded));
+ pDecoded[i] = n;
+ i++;
+ written_out++;
+@@ -255,30 +254,35 @@ int ossl_a2ulabel(const char *in, char *out, size_t *outlen)
+ */
+ char *outptr = out;
+ const char *inptr = in;
+- size_t size = 0;
++ size_t size = 0, maxsize;
+ int result = 1;
+-
++ unsigned int i, j;
+ unsigned int buf[LABEL_BUF_SIZE]; /* It's a hostname */
+- if (out == NULL)
++
++ if (out == NULL) {
+ result = 0;
++ maxsize = 0;
++ } else {
++ maxsize = *outlen;
++ }
++
++#define PUSHC(c) \
++ do \
++ if (size++ < maxsize) \
++ *outptr++ = c; \
++ else \
++ result = 0; \
++ while (0)
+
+ while (1) {
+ char *tmpptr = strchr(inptr, '.');
+- size_t delta = (tmpptr) ? (size_t)(tmpptr - inptr) : strlen(inptr);
++ size_t delta = tmpptr != NULL ? (size_t)(tmpptr - inptr) : strlen(inptr);
+
+ if (strncmp(inptr, "xn--", 4) != 0) {
+- size += delta + 1;
+-
+- if (size >= *outlen - 1)
+- result = 0;
+-
+- if (result > 0) {
+- memcpy(outptr, inptr, delta + 1);
+- outptr += delta + 1;
+- }
++ for (i = 0; i < delta + 1; i++)
++ PUSHC(inptr[i]);
+ } else {
+ unsigned int bufsize = LABEL_BUF_SIZE;
+- unsigned int i;
+
+ if (ossl_punycode_decode(inptr + 4, delta - 4, buf, &bufsize) <= 0)
+ return -1;
+@@ -286,26 +290,15 @@ int ossl_a2ulabel(const char *in, char *out, size_t *outlen)
+ for (i = 0; i < bufsize; i++) {
+ unsigned char seed[6];
+ size_t utfsize = codepoint2utf8(seed, buf[i]);
++
+ if (utfsize == 0)
+ return -1;
+
+- size += utfsize;
+- if (size >= *outlen - 1)
+- result = 0;
+-
+- if (result > 0) {
+- memcpy(outptr, seed, utfsize);
+- outptr += utfsize;
+- }
++ for (j = 0; j < utfsize; j++)
++ PUSHC(seed[j]);
+ }
+
+- if (tmpptr != NULL) {
+- *outptr = '.';
+- outptr++;
+- size++;
+- if (size >= *outlen - 1)
+- result = 0;
+- }
++ PUSHC(tmpptr != NULL ? '.' : '\0');
+ }
+
+ if (tmpptr == NULL)
+@@ -313,7 +306,9 @@ int ossl_a2ulabel(const char *in, char *out, size_t *outlen)
+
+ inptr = tmpptr + 1;
+ }
++#undef PUSHC
+
++ *outlen = size;
+ return result;
+ }
+
+@@ -327,12 +322,11 @@ int ossl_a2ulabel(const char *in, char *out, size_t *outlen)
+
+ int ossl_a2ucompare(const char *a, const char *u)
+ {
+- char a_ulabel[LABEL_BUF_SIZE];
++ char a_ulabel[LABEL_BUF_SIZE + 1];
+ size_t a_size = sizeof(a_ulabel);
+
+- if (ossl_a2ulabel(a, a_ulabel, &a_size) <= 0) {
++ if (ossl_a2ulabel(a, a_ulabel, &a_size) <= 0)
+ return -1;
+- }
+
+- return (strcmp(a_ulabel, u) == 0) ? 0 : 1;
++ return strcmp(a_ulabel, u) != 0;
+ }
+diff --git a/test/build.info b/test/build.info
+index 9d2d41e417..638f215da6 100644
+--- a/test/build.info
++++ b/test/build.info
+@@ -40,7 +40,7 @@ IF[{- !$disabled{tests} -}]
+ exptest pbetest localetest evp_pkey_ctx_new_from_name\
+ evp_pkey_provided_test evp_test evp_extra_test evp_extra_test2 \
+ evp_fetch_prov_test evp_libctx_test ossl_store_test \
+- v3nametest v3ext \
++ v3nametest v3ext punycode_test \
+ evp_pkey_provided_test evp_test evp_extra_test evp_extra_test2 \
+ evp_fetch_prov_test v3nametest v3ext \
+ crltest danetest bad_dtls_test lhash_test sparse_array_test \
+@@ -290,6 +290,10 @@ IF[{- !$disabled{tests} -}]
+ INCLUDE[pkcs7_test]=../include ../apps/include
+ DEPEND[pkcs7_test]=../libcrypto libtestutil.a
+
++ SOURCE[punycode_test]=punycode_test.c
++ INCLUDE[punycode_test]=../include ../apps/include
++ DEPEND[punycode_test]=../libcrypto.a libtestutil.a
++
+ SOURCE[stack_test]=stack_test.c
+ INCLUDE[stack_test]=../include ../apps/include
+ DEPEND[stack_test]=../libcrypto libtestutil.a
+diff --git a/test/punycode_test.c b/test/punycode_test.c
+new file mode 100644
+index 0000000000..285ead6966
+--- /dev/null
++++ b/test/punycode_test.c
+@@ -0,0 +1,219 @@
++/*
++ * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
++ *
++ * Licensed under the Apache License 2.0 (the "License"). You may not use
++ * this file except in compliance with the License. You can obtain a copy
++ * in the file LICENSE in the source distribution or at
++ * https://www.openssl.org/source/license.html
++ */
++
++#include <openssl/crypto.h>
++
++#include "crypto/punycode.h"
++#include "internal/nelem.h"
++#include "testutil.h"
++
++
++static const struct puny_test {
++ unsigned int raw[50];
++ const char *encoded;
++} puny_cases[] = {
++ /* Test cases from RFC 3492 */
++ { /* Arabic (Egyptian) */
++ { 0x0644, 0x064A, 0x0647, 0x0645, 0x0627, 0x0628, 0x062A, 0x0643, 0x0644,
++ 0x0645, 0x0648, 0x0634, 0x0639, 0x0631, 0x0628, 0x064A, 0x061F
++ },
++ "egbpdaj6bu4bxfgehfvwxn"
++ },
++ { /* Chinese (simplified) */
++ { 0x4ED6, 0x4EEC, 0x4E3A, 0x4EC0, 0x4E48, 0x4E0D, 0x8BF4, 0x4E2D, 0x6587
++ },
++ "ihqwcrb4cv8a8dqg056pqjye"
++ },
++ { /* Chinese (traditional) */
++ { 0x4ED6, 0x5011, 0x7232, 0x4EC0, 0x9EBD, 0x4E0D, 0x8AAA, 0x4E2D, 0x6587
++ },
++ "ihqwctvzc91f659drss3x8bo0yb"
++ },
++ { /* Czech: Pro<ccaron>prost<ecaron>nemluv<iacute><ccaron>esky */
++ { 0x0050, 0x0072, 0x006F, 0x010D, 0x0070, 0x0072, 0x006F, 0x0073, 0x0074,
++ 0x011B, 0x006E, 0x0065, 0x006D, 0x006C, 0x0075, 0x0076, 0x00ED, 0x010D,
++ 0x0065, 0x0073, 0x006B, 0x0079
++ },
++ "Proprostnemluvesky-uyb24dma41a"
++ },
++ { /* Hebrew */
++ { 0x05DC, 0x05DE, 0x05D4, 0x05D4, 0x05DD, 0x05E4, 0x05E9, 0x05D5, 0x05D8,
++ 0x05DC, 0x05D0, 0x05DE, 0x05D3, 0x05D1, 0x05E8, 0x05D9, 0x05DD, 0x05E2,
++ 0x05D1, 0x05E8, 0x05D9, 0x05EA
++ },
++ "4dbcagdahymbxekheh6e0a7fei0b"
++ },
++ { /* Hindi (Devanagari) */
++ { 0x092F, 0x0939, 0x0932, 0x094B, 0x0917, 0x0939, 0x093F, 0x0928, 0x094D,
++ 0x0926, 0x0940, 0x0915, 0x094D, 0x092F, 0x094B, 0x0902, 0x0928, 0x0939,
++ 0x0940, 0x0902, 0x092C, 0x094B, 0x0932, 0x0938, 0x0915, 0x0924, 0x0947,
++ 0x0939, 0x0948, 0x0902
++ },
++ "i1baa7eci9glrd9b2ae1bj0hfcgg6iyaf8o0a1dig0cd"
++ },
++ { /* Japanese (kanji and hiragana) */
++ { 0x306A, 0x305C, 0x307F, 0x3093, 0x306A, 0x65E5, 0x672C, 0x8A9E, 0x3092,
++ 0x8A71, 0x3057, 0x3066, 0x304F, 0x308C, 0x306A, 0x3044, 0x306E, 0x304B
++ },
++ "n8jok5ay5dzabd5bym9f0cm5685rrjetr6pdxa"
++ },
++ { /* Korean (Hangul syllables) */
++ { 0xC138, 0xACC4, 0xC758, 0xBAA8, 0xB4E0, 0xC0AC, 0xB78C, 0xB4E4, 0xC774,
++ 0xD55C, 0xAD6D, 0xC5B4, 0xB97C, 0xC774, 0xD574, 0xD55C, 0xB2E4, 0xBA74,
++ 0xC5BC, 0xB9C8, 0xB098, 0xC88B, 0xC744, 0xAE4C
++ },
++ "989aomsvi5e83db1d2a355cv1e0vak1dwrv93d5xbh15a0dt30a5jpsd879ccm6fea98c"
++ },
++ { /* Russian (Cyrillic) */
++ { 0x043F, 0x043E, 0x0447, 0x0435, 0x043C, 0x0443, 0x0436, 0x0435, 0x043E,
++ 0x043D, 0x0438, 0x043D, 0x0435, 0x0433, 0x043E, 0x0432, 0x043E, 0x0440,
++ 0x044F, 0x0442, 0x043F, 0x043E, 0x0440, 0x0443, 0x0441, 0x0441, 0x043A,
++ 0x0438
++ },
++ "b1abfaaepdrnnbgefbaDotcwatmq2g4l"
++ },
++ { /* Spanish */
++ { 0x0050, 0x006F, 0x0072, 0x0071, 0x0075, 0x00E9, 0x006E, 0x006F, 0x0070,
++ 0x0075, 0x0065, 0x0064, 0x0065, 0x006E, 0x0073, 0x0069, 0x006D, 0x0070,
++ 0x006C, 0x0065, 0x006D, 0x0065, 0x006E, 0x0074, 0x0065, 0x0068, 0x0061,
++ 0x0062, 0x006C, 0x0061, 0x0072, 0x0065, 0x006E, 0x0045, 0x0073, 0x0070,
++ 0x0061, 0x00F1, 0x006F, 0x006C
++ },
++ "PorqunopuedensimplementehablarenEspaol-fmd56a"
++ },
++ { /* Vietnamese */
++ { 0x0054, 0x1EA1, 0x0069, 0x0073, 0x0061, 0x006F, 0x0068, 0x1ECD, 0x006B,
++ 0x0068, 0x00F4, 0x006E, 0x0067, 0x0074, 0x0068, 0x1EC3, 0x0063, 0x0068,
++ 0x1EC9, 0x006E, 0x00F3, 0x0069, 0x0074, 0x0069, 0x1EBF, 0x006E, 0x0067,
++ 0x0056, 0x0069, 0x1EC7, 0x0074
++ },
++ "TisaohkhngthchnitingVit-kjcr8268qyxafd2f1b9g"
++ },
++ { /* Japanese: 3<nen>B<gumi><kinpachi><sensei> */
++ { 0x0033, 0x5E74, 0x0042, 0x7D44, 0x91D1, 0x516B, 0x5148, 0x751F
++ },
++ "3B-ww4c5e180e575a65lsy2b"
++ },
++ { /* Japanese: <amuro><namie>-with-SUPER-MONKEYS */
++ { 0x5B89, 0x5BA4, 0x5948, 0x7F8E, 0x6075, 0x002D, 0x0077, 0x0069, 0x0074,
++ 0x0068, 0x002D, 0x0053, 0x0055, 0x0050, 0x0045, 0x0052, 0x002D, 0x004D,
++ 0x004F, 0x004E, 0x004B, 0x0045, 0x0059, 0x0053
++ },
++ "-with-SUPER-MONKEYS-pc58ag80a8qai00g7n9n"
++ },
++ { /* Japanese: Hello-Another-Way-<sorezore><no><basho> */
++ { 0x0048, 0x0065, 0x006C, 0x006C, 0x006F, 0x002D, 0x0041, 0x006E, 0x006F,
++ 0x0074, 0x0068, 0x0065, 0x0072, 0x002D, 0x0057, 0x0061, 0x0079, 0x002D,
++ 0x305D, 0x308C, 0x305E, 0x308C, 0x306E, 0x5834, 0x6240
++ },
++ "Hello-Another-Way--fc4qua05auwb3674vfr0b"
++ },
++ { /* Japanese: <hitotsu><yane><no><shita>2 */
++ { 0x3072, 0x3068, 0x3064, 0x5C4B, 0x6839, 0x306E, 0x4E0B, 0x0032
++ },
++ "2-u9tlzr9756bt3uc0v"
++ },
++ { /* Japanese: Maji<de>Koi<suru>5<byou><mae> */
++ { 0x004D, 0x0061, 0x006A, 0x0069, 0x3067, 0x004B, 0x006F, 0x0069, 0x3059,
++ 0x308B, 0x0035, 0x79D2, 0x524D
++ },
++ "MajiKoi5-783gue6qz075azm5e"
++ },
++ { /* Japanese: <pafii>de<runba> */
++ { 0x30D1, 0x30D5, 0x30A3, 0x30FC, 0x0064, 0x0065, 0x30EB, 0x30F3, 0x30D0
++ },
++ "de-jg4avhby1noc0d"
++ },
++ { /* Japanese: <sono><supiido><de> */
++ { 0x305D, 0x306E, 0x30B9, 0x30D4, 0x30FC, 0x30C9, 0x3067
++ },
++ "d9juau41awczczp"
++ },
++ { /* -> $1.00 <- */
++ { 0x002D, 0x003E, 0x0020, 0x0024, 0x0031, 0x002E, 0x0030, 0x0030, 0x0020,
++ 0x003C, 0x002D
++ },
++ "-> $1.00 <--"
++ }
++};
++
++static int test_punycode(int n)
++{
++ const struct puny_test *tc = puny_cases + n;
++ unsigned int buffer[50];
++ unsigned int bsize = OSSL_NELEM(buffer);
++ size_t i;
++
++ if (!TEST_true(ossl_punycode_decode(tc->encoded, strlen(tc->encoded),
++ buffer, &bsize)))
++ return 0;
++ for (i = 0; i < sizeof(tc->raw); i++)
++ if (tc->raw[i] == 0)
++ break;
++ if (!TEST_mem_eq(buffer, bsize * sizeof(*buffer),
++ tc->raw, i * sizeof(*tc->raw)))
++ return 0;
++ return 1;
++}
++
++static int test_a2ulabel(void)
++{
++ char out[50];
++ size_t outlen;
++
++ /*
++ * Test that no buffer correctly returns the true length.
++ * The punycode being passed in and parsed is malformed but we're not
++ * verifying that behaviour here.
++ */
++ if (!TEST_int_eq(ossl_a2ulabel("xn--a.b.c", NULL, &outlen), 0)
++ || !TEST_size_t_eq(outlen, 7)
++ || !TEST_int_eq(ossl_a2ulabel("xn--a.b.c", out, &outlen), 1))
++ return 0;
++ /* Test that a short input length returns the true length */
++ outlen = 1;
++ if (!TEST_int_eq(ossl_a2ulabel("xn--a.b.c", out, &outlen), 0)
++ || !TEST_size_t_eq(outlen, 7)
++ || !TEST_int_eq(ossl_a2ulabel("xn--a.b.c", out, &outlen), 1)
++ || !TEST_str_eq(out,"\xc2\x80.b.c"))
++ return 0;
++ /* Test for an off by one on the buffer size works */
++ outlen = 6;
++ if (!TEST_int_eq(ossl_a2ulabel("xn--a.b.c", out, &outlen), 0)
++ || !TEST_size_t_eq(outlen, 7)
++ || !TEST_int_eq(ossl_a2ulabel("xn--a.b.c", out, &outlen), 1)
++ || !TEST_str_eq(out,"\xc2\x80.b.c"))
++ return 0;
++ return 1;
++}
++
++static int test_puny_overrun(void)
++{
++ static const unsigned int out[] = {
++ 0x0033, 0x5E74, 0x0042, 0x7D44, 0x91D1, 0x516B, 0x5148, 0x751F
++ };
++ static const char *in = "3B-ww4c5e180e575a65lsy2b";
++ unsigned int buf[OSSL_NELEM(out)];
++ unsigned int bsize = OSSL_NELEM(buf) - 1;
++
++ if (!TEST_false(ossl_punycode_decode(in, strlen(in), buf, &bsize))) {
++ if (TEST_mem_eq(buf, bsize * sizeof(*buf), out, sizeof(out)))
++ TEST_error("CRITICAL: buffer overrun detected!");
++ return 0;
++ }
++ return 1;
++}
++
++int setup_tests(void)
++{
++ ADD_ALL_TESTS(test_punycode, OSSL_NELEM(puny_cases));
++ ADD_TEST(test_a2ulabel);
++ ADD_TEST(test_puny_overrun);
++ return 1;
++}
+diff --git a/test/recipes/04-test_punycode.t b/test/recipes/04-test_punycode.t
+new file mode 100644
+index 0000000000..de213c7e15
+--- /dev/null
++++ b/test/recipes/04-test_punycode.t
+@@ -0,0 +1,11 @@
++#! /usr/bin/env perl
++# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
++#
++# Licensed under the Apache License 2.0 (the "License"). You may not use
++# this file except in compliance with the License. You can obtain a copy
++# in the file LICENSE in the source distribution or at
++# https://www.openssl.org/source/license.html
++
++use OpenSSL::Test::Simple;
++
++simple_test("test_punycode", "punycode_test");
diff --git a/openssl.spec b/openssl.spec
index 6cb9542..3110d38 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 3.0.5
-Release: 5%{?dist}
+Release: 6%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@@ -184,6 +184,8 @@ Patch77: 0077-FIPS-140-3-zeroization.patch
Patch78: 0078-Add-FIPS-indicator-parameter-to-HKDF.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2124845, https://github.com/openssl/openssl/pull/19182
Patch79: 0079-Fix-AES-GCM-on-Power-8-CPUs.patch
+#CVE-2022-3602
+Patch80: 0080-CVE-2022-3602.patch
License: ASL 2.0
URL: http://www.openssl.org/
@@ -521,6 +523,12 @@ install -m644 %{SOURCE9} \
%ldconfig_scriptlets libs
%changelog
+* Tue Nov 01 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.5-6
+- CVE-2022-3602: X.509 Email Address Buffer Overflow
+- CVE-2022-3786: X.509 Email Address Buffer Overflow
+ Resolves: CVE-2022-3602
+ Resolves: CVE-2022-3786
+
* Mon Sep 12 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.5-5
- Update patches to make ELN build happy
Resolves: rhbz#2123755
@@ -532,7 +540,6 @@ install -m644 %{SOURCE9} \
* Thu Sep 01 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.5-3
- Sync patches with RHEL
Related: rhbz#2123755
-
* Fri Jul 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1:3.0.5-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2026-06-09 12:45 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2026-06-09 12:45 [rpms/openssl] rebase_40beta: CVE-2022-3602, CVE-2022-3786: X.509 Email Address Buffer Overflow Dmitry Belyavskiy
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox