Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 885797 (CVE-2022-3996) - <dev-libs/openssl-3.0.8:0/3: double locking leads to denial of service
Summary: <dev-libs/openssl-3.0.8:0/3: double locking leads to denial of service
Alias: CVE-2022-3996
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
Whiteboard: ~3 [noglsa]
Depends on:
Reported: 2022-12-13 17:27 UTC by John Helmert III
Modified: 2022-12-13 21:55 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-13 17:27:07 UTC

If an X.509 certificate contains a malformed policy constraint and policy processing is enabled, then a write lock will be taken twice recursively. On some operating systems (most widely: Windows) this results in a denial of service when the affected process hangs. Policy processing being enabled on a publicly facing server is not considered to be a common setup. Policy processing is enabled by passing the `-policy' argument to the command line utilities or by calling either `X509_VERIFY_PARAM_add0_policy()' or `X509_VERIFY_PARAM_set1_policies()' functions.


Only affects 3.x, still masked in Gentoo. "OpenSSL 3.0 users should
upgrade to OpenSSL 3.0.8 once it is released."
Comment 1 Larry the Git Cow gentoo-dev 2022-12-13 18:18:29 UTC
The bug has been referenced in the following commit(s):

commit febf14caacb3cb7171cd6e861d9961cb6d6faaa6
Author:     Sam James <>
AuthorDate: 2022-12-13 18:16:42 +0000
Commit:     Sam James <>
CommitDate: 2022-12-13 18:16:50 +0000

    dev-libs/openssl: drop 3.0.7
    Signed-off-by: Sam James <>

 dev-libs/openssl/openssl-3.0.7.ebuild | 337 ----------------------------------
 1 file changed, 337 deletions(-)

commit ebb2a9a705c6d1cefa9c4bc94cf57da7a03f53b6
Author:     Sam James <>
AuthorDate: 2022-12-13 18:14:10 +0000
Commit:     Sam James <>
CommitDate: 2022-12-13 18:14:18 +0000

    dev-libs/openssl: fix CVE-2022-3996 for 3.0.7
    Only affects 3.x.
    Signed-off-by: Sam James <>

 .../files/openssl-3.0.7-x509-CVE-2022-3996.patch   |  35 +++
 dev-libs/openssl/openssl-3.0.7-r1.ebuild           | 338 +++++++++++++++++++++
 2 files changed, 373 insertions(+)