Debian Bug report logs -
#1034720
openssl: CVE-2023-1255 CVE-2023-0466 CVE-2023-0465 CVE-2023-0464
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian OpenSSL Team <pkg-openssl-devel@alioth-lists.debian.net>:
Bug#1034720; Package src:openssl.
(Sat, 22 Apr 2023 17:30:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian OpenSSL Team <pkg-openssl-devel@alioth-lists.debian.net>.
(Sat, 22 Apr 2023 17:30:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: openssl
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerabilities were published for openssl.
CVE-2023-1255[0]:
| Issue summary: The AES-XTS cipher decryption implementation for 64 bit
| ARM platform contains a bug that could cause it to read past the input
| buffer, leading to a crash. Impact summary: Applications that use the
| AES-XTS algorithm on the 64 bit ARM platform can crash in rare
| circumstances. The AES-XTS algorithm is usually used for disk
| encryption. The AES-XTS cipher decryption implementation for 64 bit
| ARM platform will read past the end of the ciphertext buffer if the
| ciphertext size is 4 mod 5 in 16 byte blocks, e.g. 144 bytes or 1024
| bytes. If the memory after the ciphertext buffer is unmapped, this
| will trigger a crash which results in a denial of service. If an
| attacker can control the size and location of the ciphertext buffer
| being decrypted by an application using AES-XTS on 64 bit ARM, the
| application is affected. This is fairly unlikely making this issue a
| Low severity one.
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=02ac9c9420275868472f33b01def01218742b8bb
https://www.openssl.org/news/secadv/20230420.txt
CVE-2023-0466[1]:
| The function X509_VERIFY_PARAM_add0_policy() is documented to
| implicitly enable the certificate policy check when doing certificate
| verification. However the implementation of the function does not
| enable the check which allows certificates with invalid or incorrect
| policies to pass the certificate verification. As suddenly enabling
| the policy check could break existing deployments it was decided to
| keep the existing behavior of the X509_VERIFY_PARAM_add0_policy()
| function. Instead the applications that require OpenSSL to perform
| certificate policy check need to use X509_VERIFY_PARAM_set1_policies()
| or explicitly enable the policy check by calling
| X509_VERIFY_PARAM_set_flags() with the X509_V_FLAG_POLICY_CHECK flag
| argument. Certificate policy checks are disabled by default in OpenSSL
| and are not commonly used by applications.
https://www.openssl.org/news/secadv/20230328.txt
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=51e8a84ce742db0f6c70510d0159dad8f7825908 (openssl-3.0)
CVE-2023-0465[2]:
| Applications that use a non-default option when verifying certificates
| may be vulnerable to an attack from a malicious CA to circumvent
| certain checks. Invalid certificate policies in leaf certificates are
| silently ignored by OpenSSL and other certificate policy checks are
| skipped for that certificate. A malicious CA could use this to
| deliberately assert invalid certificate policies in order to
| circumvent policy checking on the certificate altogether. Policy
| processing is disabled by default but can be enabled by passing the
| `-policy' argument to the command line utilities or by calling the
| `X509_VERIFY_PARAM_set1_policies()' function.
https://www.openssl.org/news/secadv/20230328.txt
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=1dd43e0709fece299b15208f36cc7c76209ba0bb (openssl-3.0)
CVE-2023-0464[3]:
| A security vulnerability has been identified in all supported versions
| of OpenSSL related to the verification of X.509 certificate chains
| that include policy constraints. Attackers may be able to exploit this
| vulnerability by creating a malicious certificate chain that triggers
| exponential use of computational resources, leading to a denial-of-
| service (DoS) attack on affected systems. Policy processing is
| disabled by default but can be enabled by passing the `-policy'
| argument to the command line utilities or by calling the
| `X509_VERIFY_PARAM_set1_policies()' function.
https://www.openssl.org/news/secadv/20230322.txt
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=959c59c7a0164117e7f8366466a32bb1f8d77ff1 (openssl-3.0)
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-1255
https://www.cve.org/CVERecord?id=CVE-2023-1255
[1] https://security-tracker.debian.org/tracker/CVE-2023-0466
https://www.cve.org/CVERecord?id=CVE-2023-0466
[2] https://security-tracker.debian.org/tracker/CVE-2023-0465
https://www.cve.org/CVERecord?id=CVE-2023-0465
[3] https://security-tracker.debian.org/tracker/CVE-2023-0464
https://www.cve.org/CVERecord?id=CVE-2023-0464
Please adjust the affected versions in the BTS as needed.
Added tag(s) upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sat, 22 Apr 2023 19:03:08 GMT) (full text, mbox, link).
Marked as found in versions openssl/3.0.8-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sat, 22 Apr 2023 19:03:09 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Sun Apr 23 13:11:46 2023;
Machine Name:
bembo
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon