From b916e0eac1358b9566087b99263049c26fceb1ed Mon Sep 17 00:00:00 2001 From: iigs <2274777+iigs@users.noreply.github.com> Date: Mon, 19 Aug 2024 17:03:24 +0000 Subject: [PATCH] openssl-1.1: CVE-2024-5535 fix --- components/library/openssl/openssl-1.1/Makefile | 2 +- .../openssl-1.1/patches/CVE-2024-5535.patch | 82 ++++++++++++++++++++++ 2 files changed, 83 insertions(+), 1 deletion(-) create mode 100644 components/library/openssl/openssl-1.1/patches/CVE-2024-5535.patch diff --git a/components/library/openssl/openssl-1.1/Makefile b/components/library/openssl/openssl-1.1/Makefile index 6c4421e369..ff3ee844b4 100644 --- a/components/library/openssl/openssl-1.1/Makefile +++ b/components/library/openssl/openssl-1.1/Makefile @@ -31,7 +31,7 @@ COMPONENT_NAME= openssl-$(COMPONENT_VERSION_SHORT) # and HUMAN_VERSION. COMPONENT_VERSION= 1.1.1.23 HUMAN_VERSION= 1.1.1w -COMPONENT_REVISION= 2 +COMPONENT_REVISION= 3 COMPONENT_SUMMARY= OpenSSL - a Toolkit for Transport Layer (TLS v1+) protocols and general purpose cryptographic library COMPONENT_PROJECT_URL= https://www.openssl.org/ COMPONENT_SRC= openssl-$(HUMAN_VERSION) diff --git a/components/library/openssl/openssl-1.1/patches/CVE-2024-5535.patch b/components/library/openssl/openssl-1.1/patches/CVE-2024-5535.patch new file mode 100644 index 0000000000..5ba88c6946 --- /dev/null +++ b/components/library/openssl/openssl-1.1/patches/CVE-2024-5535.patch @@ -0,0 +1,82 @@ +diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c +index 8bf2a9f60..f4386d0ba 100644 +--- a/ssl/ssl_lib.c ++++ b/ssl/ssl_lib.c +@@ -2737,37 +2737,54 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen, + unsigned int server_len, + const unsigned char *client, unsigned int client_len) + { +- unsigned int i, j; +- const unsigned char *result; +- int status = OPENSSL_NPN_UNSUPPORTED; ++ PACKET cpkt, csubpkt, spkt, ssubpkt; ++ ++ if (!PACKET_buf_init(&cpkt, client, client_len) ++ || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt) ++ || PACKET_remaining(&csubpkt) == 0) { ++ *out = NULL; ++ *outlen = 0; ++ return OPENSSL_NPN_NO_OVERLAP; ++ } ++ ++ /* ++ * Set the default opportunistic protocol. Will be overwritten if we find ++ * a match. ++ */ ++ *out = (unsigned char *)PACKET_data(&csubpkt); ++ *outlen = (unsigned char)PACKET_remaining(&csubpkt); + + /* + * For each protocol in server preference order, see if we support it. + */ +- for (i = 0; i < server_len;) { +- for (j = 0; j < client_len;) { +- if (server[i] == client[j] && +- memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) { +- /* We found a match */ +- result = &server[i]; +- status = OPENSSL_NPN_NEGOTIATED; +- goto found; ++ if (PACKET_buf_init(&spkt, server, server_len)) { ++ while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) { ++ if (PACKET_remaining(&ssubpkt) == 0) ++ continue; /* Invalid - ignore it */ ++ if (PACKET_buf_init(&cpkt, client, client_len)) { ++ while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) { ++ if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt), ++ PACKET_remaining(&ssubpkt))) { ++ /* We found a match */ ++ *out = (unsigned char *)PACKET_data(&ssubpkt); ++ *outlen = (unsigned char)PACKET_remaining(&ssubpkt); ++ return OPENSSL_NPN_NEGOTIATED; ++ } ++ } ++ /* Ignore spurious trailing bytes in the client list */ ++ } else { ++ /* This should never happen */ ++ return OPENSSL_NPN_NO_OVERLAP; + } +- j += client[j]; +- j++; + } +- i += server[i]; +- i++; ++ /* Ignore spurious trailing bytes in the server list */ + } + +- /* There's no overlap between our protocols and the server's list. */ +- result = client; +- status = OPENSSL_NPN_NO_OVERLAP; +- +- found: +- *out = (unsigned char *)result + 1; +- *outlen = result[0]; +- return status; ++ /* ++ * There's no overlap between our protocols and the server's list. We use ++ * the default opportunistic protocol selected earlier ++ */ ++ return OPENSSL_NPN_NO_OVERLAP; + } + + #ifndef OPENSSL_NO_NEXTPROTONEG -- 2.11.4.GIT