CVE-2022-3358: OpenSSL supports creating a custom cipher via the legacy EVP_CIPHER_meth_new() function and associated function calls. This function was deprecated in OpenSSL 3.0 and application authors are instead encouraged to use the new provider mechanism in order to implement custom ciphers. OpenSSL versions 3.0.0 to 3.0.5 incorrectly handle legacy custom ciphers passed to the EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() and EVP_CipherInit_ex2() functions (as well as other similarly named encryption and decryption initialisation functions). Instead of using the custom cipher directly it incorrectly tries to fetch an equivalent cipher from the available providers. An equivalent cipher is found based on the NID passed to EVP_CIPHER_meth_new(). This NID is supposed to represent the unique NID for a given cipher. However it is possible for an application to incorrectly pass NID_undef as this value in the call to EVP_CIPHER_meth_new(). When NID_undef is used in this way the OpenSSL encryption/decryption initialisation function will match the NULL cipher as being equivalent and will fetch this from the available providers. This will succeed if the default provider has been loaded (or if a third party provider has been loaded that offers this cipher). Using the NULL cipher means that the plaintext is emitted as the ciphertext. Applications are only affected by this issue if they call EVP_CIPHER_meth_new() using NID_undef and subsequently use it in a call to an encryption/decryption initialisation function. Applications that only use SSL/TLS are not impacted by this issue. Fixed in OpenSSL 3.0.6 (Affected 3.0.0-3.0.5). Fix is 1.1.1r, 3.0.6.
commit f99733502c417e043f89f01042abec3b854d203c (origin/master, origin/HEAD) Author: Patrick McLean <chutzpah@gentoo.org> Date: Tue Oct 11 15:59:14 2022 -0700 dev-libs/openssl: add 3.0.6 Signed-off-by: Patrick McLean <chutzpah@gentoo.org> commit 6e33789090395e63bac19f152782c3b85f5ed1b4 Author: Patrick McLean <chutzpah@gentoo.org> Date: Tue Oct 11 15:53:12 2022 -0700 dev-libs/openssl: add 1.1.1r Signed-off-by: Patrick McLean <chutzpah@gentoo.org>
commit 17e29d72ab7d349ac79c15291d47eb1a8499265b Author: Sam James <sam@gentoo.org> Date: Thu Oct 13 00:40:05 2022 +0100 dev-libs/openssl: drop yanked, masked versions Especially important given many will be unmasking 3.x generally. Signed-off-by: Sam James <sam@gentoo.org> commit 9163b1239929bfe249d49bb24e5ccb13c27d683e Author: Sam James <sam@gentoo.org> Date: Wed Oct 12 18:28:59 2022 +0100 profiles: add link to openssl regression/bug Bug: https://github.com/openssl/openssl/issues/19389 Signed-off-by: Sam James <sam@gentoo.org> commit ea4f4da1ba175ad6e07c74d27429c0d037f41f0c Author: Sam James <sam@gentoo.org> Date: Wed Oct 12 15:40:10 2022 +0100 profiles: mask "withdrawn" openssls with a "significant regression" Upstream has withdrawn these releases because of a (yet unexplained) "significant regression". See https://mta.openssl.org/pipermail/openssl-announce/2022-October/000237.html. Signed-off-by: Sam James <sam@gentoo.org>
GLSA request filed, though we're still waiting for fixed versions here. If it takes a while we can just drop it from the GLSA if necessary.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=9db8cdf286ccec973fe12c1ebbb6ac75afd7e305 commit 9db8cdf286ccec973fe12c1ebbb6ac75afd7e305 Author: John Helmert III <ajak@gentoo.org> AuthorDate: 2022-10-16 14:31:06 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2022-10-16 14:39:36 +0000 [ GLSA 202210-02 ] Drop bug 876787, unfixed Bug: https://bugs.gentoo.org/876787 Signed-off-by: John Helmert III <ajak@gentoo.org> glsa-202210-02.xml | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) https://gitweb.gentoo.org/data/glsa.git/commit/?id=143e8d174e14e346f2c37e8a31a4be211ac3e24c commit 143e8d174e14e346f2c37e8a31a4be211ac3e24c Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2022-10-16 14:27:07 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2022-10-16 14:39:36 +0000 [ GLSA 202210-02 ] OpenSSL: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/741570 Bug: https://bugs.gentoo.org/809980 Bug: https://bugs.gentoo.org/832339 Bug: https://bugs.gentoo.org/835343 Bug: https://bugs.gentoo.org/842489 Bug: https://bugs.gentoo.org/856592 Bug: https://bugs.gentoo.org/876787 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: John Helmert III <ajak@gentoo.org> glsa-202210-02.xml | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=530086715f82de12009538347725dbfd14e6b0a8 commit 530086715f82de12009538347725dbfd14e6b0a8 Author: John Helmert III <ajak@gentoo.org> AuthorDate: 2022-10-14 03:47:09 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2022-10-16 14:52:19 +0000 profiles: mask <openssl-1.1.1 Bug: https://bugs.gentoo.org/876787 Bug: https://bugs.gentoo.org/741570 Bug: https://bugs.gentoo.org/809980 Bug: https://bugs.gentoo.org/832339 Bug: https://bugs.gentoo.org/835343 Bug: https://bugs.gentoo.org/842489 Bug: https://bugs.gentoo.org/856592 Closes: https://github.com/gentoo/gentoo/pull/22909 Signed-off-by: John Helmert III <ajak@gentoo.org> profiles/package.mask | 5 +++++ 1 file changed, 5 insertions(+)