
Bug 885797 (CVE-2022-3996)

Summary: <dev-libs/openssl-3.0.8:0/3: double locking leads to denial of service
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: base-system
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://www.openssl.org/news/secadv/20221213.txt
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-13 17:27:07 UTC
CVE-2022-3996:

If an X.509 certificate contains a malformed policy constraint and policy processing is enabled, then a write lock will be taken twice recursively. On some operating systems (most widely: Windows) this results in a denial of service when the affected process hangs. Policy processing being enabled on a publicly facing server is not considered to be a common setup. Policy processing is enabled by passing the `-policy' argument to the command line utilities or by calling either `X509_VERIFY_PARAM_add0_policy()' or `X509_VERIFY_PARAM_set1_policies()' functions.

Patch: https://github.com/openssl/openssl/commit/7725e7bfe6f2ce8146b6552b44e0d226be7638e7

Only affects 3.x, still masked in Gentoo. "OpenSSL 3.0 users should
upgrade to OpenSSL 3.0.8 once it is released."
Comment 1 Larry the Git Cow gentoo-dev 2022-12-13 18:18:29 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=febf14caacb3cb7171cd6e861d9961cb6d6faaa6

commit febf14caacb3cb7171cd6e861d9961cb6d6faaa6
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-12-13 18:16:42 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-12-13 18:16:50 +0000

    dev-libs/openssl: drop 3.0.7
    
    Bug: https://bugs.gentoo.org/885797
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/openssl/openssl-3.0.7.ebuild | 337 ----------------------------------
 1 file changed, 337 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ebb2a9a705c6d1cefa9c4bc94cf57da7a03f53b6

commit ebb2a9a705c6d1cefa9c4bc94cf57da7a03f53b6
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-12-13 18:14:10 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-12-13 18:14:18 +0000

    dev-libs/openssl: fix CVE-2022-3996 for 3.0.7
    
    Only affects 3.x.
    
    Bug: https://bugs.gentoo.org/885797
    Signed-off-by: Sam James <sam@gentoo.org>

 .../files/openssl-3.0.7-x509-CVE-2022-3996.patch   |  35 +++
 dev-libs/openssl/openssl-3.0.7-r1.ebuild           | 338 +++++++++++++++++++++
 2 files changed, 373 insertions(+)