Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 902779 (CVE-2023-0464)

Summary: <dev-libs/openssl-{1.1.1t-r2, 3.0.8-r2, 3.1.0-r1}: Denial of service by excessive resource usage in verifying X509 policy constraints
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: ajak, base-system
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.openssl.org/news/secadv/20230322.txt
See Also: https://bugs.gentoo.org/show_bug.cgi?id=907413
Whiteboard: A3 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 903546    
Bug Blocks:    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-03-23 03:55:02 UTC 
See https://www.openssl.org/news/secadv/20230322.txt.

"""
Excessive Resource Usage Verifying X.509 Policy Constraints (CVE-2023-0464)
===========================================================================

Severity: Low

A security vulnerability has been identified in all supported versions
of OpenSSL related to the verification of X.509 certificate chains
that include policy constraints.  Attackers may be able to exploit this
vulnerability by creating a malicious certificate chain that triggers
exponential use of computational resources, leading to a denial-of-service
(DoS) attack on affected systems.

Policy processing is disabled by default but can be enabled by passing
the `-policy' argument to the command line utilities or by calling the
`X509_VERIFY_PARAM_set1_policies()' function.

OpenSSL 3.1, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

Due to the low severity of this issue we are not issuing new releases of
OpenSSL at this time. The fix will be included in the next releases when they
become available. The fix is also available in commit 2017771e (for 3.1),
commit 959c59c7 (for 3.0), commit 879f7080 (for 1.1.1) in the OpenSSL
git repository, and commit 2dcd4f1e (for 1.0.2) in the OpenSSL git
repository for premium customers.

Once they are released:

OpenSSL 3.1 users should upgrade to 3.1.1.
OpenSSL 3.0 users should upgrade to 3.0.9.
OpenSSL 1.1.1 users should upgrade to 1.1.1u.
OpenSSL 1.0.2 users should upgrade to 1.0.2zh (premium support customers only).

This issue was reported on 12th January 2023 by David Benjamin (Google).
The fix was developed by Dr Paul Dale.

OpenSSL 1.1.1 will reach end-of-life on 2023-09-11. After that date security
fixes for 1.1.1 will only be available to premium support customers.
"""
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-03-23 03:55:49 UTC 
In Gentoo, fixed in:
1.1.1t-r2, 3.0.8-r2, 3.1.0-r1.
Comment 2 Larry the Git Cow gentoo-dev 2024-02-04 08:03:22 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=f353a9a7c6ffd4dd54f9b93774d103942a88892e

commit f353a9a7c6ffd4dd54f9b93774d103942a88892e
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-02-04 08:02:53 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-02-04 08:03:15 +0000

    [ GLSA 202402-08 ] OpenSSL: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/876787
    Bug: https://bugs.gentoo.org/893446
    Bug: https://bugs.gentoo.org/902779
    Bug: https://bugs.gentoo.org/903545
    Bug: https://bugs.gentoo.org/907413
    Bug: https://bugs.gentoo.org/910556
    Bug: https://bugs.gentoo.org/911560
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202402-08.xml | 63 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 63 insertions(+)