Bug 903545 (CVE-2023-0465, CVE-2023-0466) - <dev-libs/openssl-{1.1.1t-r3, 3.0.8-r3, 3.1.0-r2}: Multiple vulnerabilities
Summary: <dev-libs/openssl-{1.1.1t-r3, 3.0.8-r3, 3.1.0-r2}: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2023-0465, CVE-2023-0466
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa+]
Keywords:
Depends on: 903546
Blocks:
Reported: 2023-03-29 14:49 UTC by Sam James
Modified: 2024-02-04 08:05 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-03-29 14:49:28 UTC
- https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0465

"""
CVE-2023-0465 Invalid certificate policies in leaf certificates are silently ignored [Low severity] 23 March 2023:
    Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks.
    Invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether.
    Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function.
    Found by David Benjamin (Google). Fix developed by Matt Caswell.

        Fixed in OpenSSL 3.1.1 (git commit) (Affected since 3.1.0)
        Fixed in OpenSSL 3.0.9 (git commit) (Affected since 3.0.0)
        Fixed in OpenSSL 1.1.1u (git commit) (Affected since 1.1.1)
        Fixed in OpenSSL 1.0.2zh (Affected since 1.0.2)
"""

- https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466

"""
CVE-2023-0466 Certificate policy check not enabled [Low severity] 21 March 2023:
    The function X509_VERIFY_PARAM_add0_policy() is documented to implicitly enable the certificate policy check when doing certificate verification. However the implementation of the function does not enable the check which allows certificates with invalid or incorrect policies to pass the certificate verification.
    As suddenly enabling the policy check could break existing deployments it was decided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy() function.
    Instead the applications that require OpenSSL to perform certificate policy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly enable the policy check by calling X509_VERIFY_PARAM_set_flags() with the X509_V_FLAG_POLICY_CHECK flag argument.
    Certificate policy checks are disabled by default in OpenSSL and are not commonly used by applications.
    Found by David Benjamin (Google). Fix developed by Tomas Mraz.

        Fixed in OpenSSL 3.1.1 (git commit) (Affected since 3.1.0)
        Fixed in OpenSSL 3.0.9 (git commit) (Affected since 3.0.0)
        Fixed in OpenSSL 1.1.1u (git commit) (Affected since 1.1.1)
        Fixed in OpenSSL 1.0.2zh (Affected since 1.0.2)
"""
Comment 1 Larry the Git Cow gentoo-dev 2023-06-14 05:20:59 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=14aa976d66d7789fa8fd8bd5fe34edad53d5ff9a

commit 14aa976d66d7789fa8fd8bd5fe34edad53d5ff9a
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-06-14 05:18:43 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-06-14 05:20:29 +0000

    dev-libs/openssl: drop 3.1.0-r3
    
    Bug: https://bugs.gentoo.org/903545
    Bug: https://bugs.gentoo.org/907413
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/openssl/Manifest                          |   2 -
 .../files/openssl-3.1.0-CVE-2023-0464.patch        | 214 ----------------
 .../files/openssl-3.1.0-CVE-2023-0465.patch        |  46 ----
 .../files/openssl-3.1.0-CVE-2023-0466.patch        |  41 ---
 .../files/openssl-3.1.0-CVE-2023-1255.patch        |  40 ---
 dev-libs/openssl/openssl-3.1.0-r3.ebuild           | 284 ---------------------
 6 files changed, 627 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6c4610dbafdc773344fd62e49e27ada4c6b6dfd2

commit 6c4610dbafdc773344fd62e49e27ada4c6b6dfd2
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-06-14 05:17:11 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-06-14 05:20:25 +0000

    dev-libs/openssl: drop 1.1.1t-r3
    
    Bug: https://bugs.gentoo.org/903545
    Bug: https://bugs.gentoo.org/907413
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/openssl/Manifest                          |   2 -
 .../files/openssl-1.1.1t-CVE-2023-0464.patch       | 215 ----------------
 .../files/openssl-1.1.1t-CVE-2023-0465.patch       |  48 ----
 .../files/openssl-1.1.1t-CVE-2023-0466.patch       |  41 ----
 dev-libs/openssl/openssl-1.1.1t-r3.ebuild          | 269 ---------------------
 5 files changed, 575 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6a593ae96eb045245e5ad41879ce602f193d013f

commit 6a593ae96eb045245e5ad41879ce602f193d013f
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-06-14 05:16:57 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-06-14 05:20:12 +0000

    dev-libs/openssl: drop 1.1.1t-r1
    
    Bug: https://bugs.gentoo.org/903545
    Bug: https://bugs.gentoo.org/907413
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/openssl/openssl-1.1.1t-r1.ebuild | 265 ------------------------------
 1 file changed, 265 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3db09f5bac6ff132b69d3f723d4c93662c96ed72

commit 3db09f5bac6ff132b69d3f723d4c93662c96ed72
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-06-14 05:17:03 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-06-14 05:19:10 +0000

    dev-libs/openssl: drop 3.0.8-r4
    
    Bug: https://bugs.gentoo.org/903545
    Bug: https://bugs.gentoo.org/907413
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/openssl/Manifest                          |   2 -
 .../files/openssl-3.0.8-CVE-2023-0464.patch        | 214 ----------------
 .../files/openssl-3.0.8-CVE-2023-0465.patch        |  46 ----
 .../files/openssl-3.0.8-CVE-2023-0466.patch        |  41 ---
 .../files/openssl-3.0.8-CVE-2023-1255.patch        |  40 ---
 .../openssl/files/openssl-3.0.8-mips-cflags.patch  |  30 ---
 dev-libs/openssl/openssl-3.0.8-r4.ebuild           | 281 ---------------------
 7 files changed, 654 deletions(-)
Comment 2 Larry the Git Cow gentoo-dev 2024-02-04 08:03:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=f353a9a7c6ffd4dd54f9b93774d103942a88892e

commit f353a9a7c6ffd4dd54f9b93774d103942a88892e
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-02-04 08:02:53 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-02-04 08:03:15 +0000

    [ GLSA 202402-08 ] OpenSSL: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/876787
    Bug: https://bugs.gentoo.org/893446
    Bug: https://bugs.gentoo.org/902779
    Bug: https://bugs.gentoo.org/903545
    Bug: https://bugs.gentoo.org/907413
    Bug: https://bugs.gentoo.org/910556
    Bug: https://bugs.gentoo.org/911560
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202402-08.xml | 63 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 63 insertions(+)