Bug 759370 (CVE-2020-1971)

Summary:	[Tracker] Denial of service in OpenSSL/LibreSSL X509 parser (CVE-2020-1971)
Product:	Gentoo Security	Reporter:	Sam James <sam>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	bugs-gentoo01
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---
Bug Depends on:	759079, 759175
Bug Blocks:

Description Sam James archtester

2020-12-10 17:37:08 UTC

Description:
"The X.509 GeneralName type is a generic type for representing different types
of names. One of those name types is known as EDIPartyName. OpenSSL provides a
function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME
to see if they are equal or not. This function behaves incorrectly when both
GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash
may occur leading to a possible denial of service attack."

Comment 1 bugs-gentoo01 2020-12-14 19:34:39 UTC

I'm running openssl-1.0.2u (https://gitweb.gentoo.org/repo/gentoo.git/tree/dev-libs/openssl/openssl-1.0.2u.ebuild) with this patches from ubuntu: https://launchpad.net/ubuntu/+source/openssl1.0/1.0.2n-1ubuntu5.5

What I did:

* Created a new overlay (for testing)
* Extracted debian/patches/CVE-2020-1971-*.patch from https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openssl1.0/1.0.2n-1ubuntu5.5/openssl1.0_1.0.2n-1ubuntu5.5.debian.tar.xz
* Put them in ./files dir of dev-libs/openssl
* Copied openssl-1.0.2u.ebuild to openssl-1.0.2u-r1.ebuild
* Adjusted openssl-1.0.2u-r1.ebuild
  * Added to the start of the src_prepare() section:

--cut--
epatch "${FILESDIR}"/CVE-2020-1971-1.patch
epatch "${FILESDIR}"/CVE-2020-1971-2.patch
epatch "${FILESDIR}"/CVE-2020-1971-3.patch
epatch "${FILESDIR}"/CVE-2020-1971-4.patch
epatch "${FILESDIR}"/CVE-2020-1971-5.patch
--cut--

Comment 2 John Helmert III archtester

2021-05-13 13:23:04 UTC

Dead tracker, closing.