Add EN-25:18 and SA-25:08.

Approved by:	so
Gordon Tetlow 2025-09-30 08:48:27 -07:00
parent 0beb2668de
commit 0a63b423fb
12 changed files with 656 additions and 0 deletions

@ -1,6 +1,10 @@
# Sort advisories by year, month and day
# $FreeBSD$
[[advisories]]
name = "FreeBSD-SA-25:08.openssl"
date = "2025-09-30"
[[advisories]]
name = "FreeBSD-SA-25:07.libarchive"
date = "2025-08-08"

@ -1,6 +1,10 @@
# Sort errata notices by year, month and day
# $FreeBSD$
[[notices]]
name = "FreeBSD-EN-25:18.freebsd-update"
date = "2025-09-30"
[[notices]]
name = "FreeBSD-EN-25:17.bnxt"
date = "2025-09-16"

@ -0,0 +1,140 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-25:18.freebsd-update Errata Notice
The FreeBSD Project
Topic: freebsd-update(8) installs libraries in incorrect order
Category: core
Module: freebsd-update
Announced: 2025-09-30
Credits: Graham Perrin
Affects: All supported versions of FreeBSD.
Corrected: 2025-09-25 19:26:37 UTC (stable/15, 15.0-ALPHA4)
2025-09-25 19:27:06 UTC (stable/14, 14.3-STABLE)
2025-09-30 15:37:15 UTC (releng/14.3, 14.3-RELEASE-p4)
2025-09-30 15:37:24 UTC (releng/14.2, 14.2-RELEASE-p7)
2025-09-25 19:27:34 UTC (stable/13, 13.5-STABLE)
2025-09-30 15:37:34 UTC (releng/13.5, 13.5-RELEASE-p5)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.
I. Background
The freebsd-update(8) utility is used to fetch, install, and rollback
binary updates to the FreeBSD base system. In addition to security and
errata updates within a release (its original purpose), freebsd-update(8)
can be used to upgrade to a newer FreeBSD release.
II. Problem Description
When installing updates, freebsd-update(8) did not enforce ordering between
the C standard library ("libc") and the system library ("libsys") which was
introduced in FreeBSD 15.0.
III. Impact
When using freebsd-update(8) to upgrade a system from FreeBSD 13.x or 14.x to
FreeBSD 15.0, freebsd-update(8) would install a new libc which depends on
libsys before the libsys library existed. This resulted in the rest of the
update failing to install and a mostly-unusable system, with only statically
linked binaries (e.g. in /rescue) functioning.
IV. Workaround
No workaround is available, but this misbehaviour only applies to using
freebsd-update(8) to upgrade to FreeBSD 15.0; applying security and errata
updates (including this one) within a release branch is unaffected.
V. Solution
Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.
Perform one of the following:
1) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
utility:
# freebsd-update fetch
# freebsd-update install
2) To update your system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/EN-25:18/freebsd-update.patch
# fetch https://security.FreeBSD.org/patches/EN-25:18/freebsd-update.patch.asc
# gpg --verify freebsd-update.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
VI. Correction details
This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:
Branch/path Hash Revision
- -------------------------------------------------------------------------
stable/15/ 8134e7f4b406 stable/15-n280326
stable/14/ e26928669f39 stable/14-n272484
releng/14.3/ 978e04ff5bcf releng/14.3-n271445
releng/14.2/ 3447fea3523b releng/14.2-n269536
stable/13/ 87eb52f1b061 stable/13-n259445
releng/13.5/ ab91dd76ff72 releng/13.5-n259177
- -------------------------------------------------------------------------
Run the following command to see which files were modified by a
particular commit:
# git show --stat <commit hash>
Or visit the following URL, replacing NNNNNN with the hash:
<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:
# git rev-list --count --first-parent HEAD
VII. References
<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=289769>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-25:18.freebsd-update.asc>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
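
Review bot: Section V (Solution) does not say which system has to receive the fix. Sections II to IV state that the failure only occurs when freebsd-update(8) is used to upgrade from FreeBSD 13.x or 14.x to 15.0, so V should state that the corrected freebsd-update must be installed on the running 13.x or 14.x system before the upgrade to 15.0 is started. As written, "Upgrade your system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date" reads like the generic template text and does not tell the reader when the fix has to be in place.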

@ -0,0 +1,207 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-25:08.openssl Security Advisory
The FreeBSD Project
Topic: Multiple vulnerabilities in OpenSSL
Category: contrib
Module: openssl
Announced: 2025-09-30
Credits: Stanislav Fort (Aisle Research)
Affects: All supported versions of FreeBSD.
Corrected: 2025-09-30 15:26:14 UTC (stable/15, 15.0-ALPHA4)
2025-09-30 15:28:38 UTC (stable/14, 14.3-STABLE)
2025-09-30 15:37:16 UTC (releng/14.3, 14.3-RELEASE-p4)
2025-09-30 15:37:25 UTC (releng/14.2, 14.2-RELEASE-p7)
2025-09-30 15:30:02 UTC (stable/13, 13.5-STABLE)
2025-09-30 15:37:35 UTC (releng/13.5, 13.5-RELEASE-p5)
CVE Name: CVE-2025-9230, CVE-2025-9231, CVE-2025-9232
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a
collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit for the Transport Layer Security (TLS) protocol. It is
also a general-purpose cryptography library.
II. Problem Description
* Out-of-bounds read & write in RFC 3211 KEK Unwrap (CVE-2025-9230)
Affects: FreeBSD 15.x, 14.x, and 13.x
An application trying to decrypt cryptographic message syntax (CMS) messages
encrypted using password based encryption can trigger an out-of-bounds read
and write.
* Timing side-channel in SM2 algorithm on 64 bit ARM (CVE-2025-9231)
Affects: FreeBSD 15.x only
A timing side-channel which could potentially allow remote recovery of the
private key exists in the SM2 algorithm implementation on 64-bit ARM
platforms.
* Out-of-bounds read in HTTP client no_proxy handling (CVE-2025-9232)
Affects: FreeBSD 15.x and 14.x only
An application using the OpenSSL HTTP client API functions may trigger an
out-of-bounds read if the "no_proxy" environment variable is set and the host
portion of the authority component of the HTTP URL is an IPv6 address.
III. Impact
* Out-of-bounds read & write in RFC 3211 KEK Unwrap (CVE-2025-9230)
Affects: FreeBSD 15.x, 14.x, and 13.x
The out-of-bounds read may trigger a crash which leads to denial of service
for an application. The out-of-bounds write can cause a memory corruption
which can have various consequences including a denial of service or
execution of attacker-supplied code.
Although the consequences of a successful exploit of this vulnerability
could be severe, the probability that an attacker would be able to
perform it is low. Password based (PWRI) encryption support in CMS
messages is very rarely used.
* Timing side-channel in SM2 algorithm on 64 bit ARM (CVE-2025-9231)
Affects: FreeBSD 15.x only
A timing side-channel in SM2 signature computations on 64 bit ARM platforms
could allow recovering the private key by an attacker.
OpenSSL does not directly support certificates with SM2 keys in TLS, and so
this CVE is not relevant in most TLS contexts. However, it is possible to
add support for such certificates via a custom provider.
* Out-of-bounds read in HTTP client no_proxy handling (CVE-2025-9232)
Affects: FreeBSD 15.x and 14.x only
An out-of-bounds read can trigger a crash which leads to denial of service
for an application.
The OpenSSL HTTP client API functions can be used directly by applications
but they are also used by the OCSP client functions and CMP (Certificate
Management Protocol) client implementation in OpenSSL. However the URLs used
by these implementations are unlikely to be controlled by an attacker.
In this vulnerable code the out of bounds read can only trigger a crash.
Furthermore the vulnerability requires an attacker-controlled URL to be
passed from an application to the OpenSSL function and the user has to have
a "no_proxy" environment variable set.
IV. Workaround
No workaround is available. Several of the issues have mitigating factors.
Please see the Impact section for more details.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Perform one of the following:
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 15.x]
# fetch https://security.FreeBSD.org/patches/SA-25:08/openssl-15.patch
# fetch https://security.FreeBSD.org/patches/SA-25:08/openssl-15.patch.asc
# gpg --verify openssl-15.patch.asc
[FreeBSD 14.x]
# fetch https://security.FreeBSD.org/patches/SA-25:08/openssl-14.patch
# fetch https://security.FreeBSD.org/patches/SA-25:08/openssl-14.patch.asc
# gpg --verify openssl-14.patch.asc
[FreeBSD 13.5]
# fetch https://security.FreeBSD.org/patches/SA-25:08/openssl-13.patch
# fetch https://security.FreeBSD.org/patches/SA-25:08/openssl-13.patch.asc
# gpg --verify openssl-13.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart all daemons that use the library, or reboot the system.
VI. Correction details
This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:
Branch/path Hash Revision
- -------------------------------------------------------------------------
stable/15/ 4d6fd774b5b3 stable/15-n280387
stable/14/ 270158508d7c stable/14-n272541
releng/14.3/ 75d258af9fe9 releng/14.3-n271446
releng/14.2/ 6a0d914d9c3e releng/14.2-n269537
stable/13/ c0dbaf2b5dbd stable/13-n259448
releng/13.5/ ae7c74cfa531 releng/13.5-n259178
- -------------------------------------------------------------------------
Run the following command to see which files were modified by a
particular commit:
# git show --stat <commit hash>
Or visit the following URL, replacing NNNNNN with the hash:
<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:
# git rev-list --count --first-parent HEAD
VII. References
<URL:https://openssl-library.org/news/secadv/20250930.txt>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-9230>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-9231>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-9232>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-25:08.openssl.asc>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
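
Review bot: The patch labels in section V.2.a are inconsistent: "[FreeBSD 15.x]" and "[FreeBSD 14.x]" are followed by "[FreeBSD 13.5]", while sections II and III describe the same scope as "FreeBSD 15.x, 14.x, and 13.x". Use one form throughout so a reader on a 13.x system does not have to guess whether openssl-13.patch applies to them.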

@ -0,0 +1,32 @@
--- usr.sbin/freebsd-update/freebsd-update.sh.orig
+++ usr.sbin/freebsd-update/freebsd-update.sh
@@ -3111,10 +3111,28 @@
grep -E '^/libexec/ld-elf[^|]*\.so\.[0-9]+\|' > INDEX-NEW
install_from_index INDEX-NEW || return 1
- # Install new shared libraries next
+ # Next, in order, libsys, libc, and libthr.
grep -vE '^/boot/' $1/INDEX-NEW |
grep -vE '^[^|]+\|d\|' |
grep -vE '^/libexec/ld-elf[^|]*\.so\.[0-9]+\|' |
+ grep -E '^[^|]*/lib/libsys\.so\.[0-9]+\|' > INDEX-NEW
+ install_from_index INDEX-NEW || return 1
+ grep -vE '^/boot/' $1/INDEX-NEW |
+ grep -vE '^[^|]+\|d\|' |
+ grep -vE '^/libexec/ld-elf[^|]*\.so\.[0-9]+\|' |
+ grep -E '^[^|]*/lib/libc\.so\.[0-9]+\|' > INDEX-NEW
+ install_from_index INDEX-NEW || return 1
+ grep -vE '^/boot/' $1/INDEX-NEW |
+ grep -vE '^[^|]+\|d\|' |
+ grep -vE '^/libexec/ld-elf[^|]*\.so\.[0-9]+\|' |
+ grep -E '^[^|]*/lib/libthr\.so\.[0-9]+\|' > INDEX-NEW
+ install_from_index INDEX-NEW || return 1
+
+ # Install the rest of the shared libraries next
+ grep -vE '^/boot/' $1/INDEX-NEW |
+ grep -vE '^[^|]+\|d\|' |
+ grep -vE '^/libexec/ld-elf[^|]*\.so\.[0-9]+\|' |
+ grep -vE '^[^|]*/lib/(libsys|libc|libthr)\.so\.[0-9]+\|' |
grep -E '^[^|]*/lib/[^|]*\.so\.[0-9]+\|' > INDEX-NEW
install_from_index INDEX-NEW || return 1
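
Review bot: The three "grep -vE" filter lines are now repeated four times in this hunk, and the library list is maintained in two places: once as the three separate "grep -E" patterns and once in the exclusion "(libsys|libc|libthr)". A future addition made in only one of the two places means a library is either installed twice or not installed at all. Consider producing the filtered list once and looping over the library names in order. The new comment "Next, in order, libsys, libc, and libthr." should also say why the order matters (the new libc depends on libsys, per the errata text), since that dependency is the reason for the change.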

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

@ -0,0 +1,11 @@
--- crypto/openssl/crypto/cms/cms_pwri.c.orig
+++ crypto/openssl/crypto/cms/cms_pwri.c
@@ -215,7 +215,7 @@
/* Check byte failure */
goto err;
}
- if (inlen < (size_t)(tmp[0] - 4)) {
+ if (inlen < 4 + (size_t)tmp[0]) {
/* Invalid length value */
goto err;
}
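
Review bot: The corrected bound "if (inlen < 4 + (size_t)tmp[0])" leaves the constant 4 unexplained, and the only comment on the branch is "Invalid length value". The old expression subtracted 4 from tmp[0] before the cast, so for tmp[0] >= 4 it accepted a length byte as large as inlen + 4; the new one requires tmp[0] + 4 <= inlen. A one-line comment naming the four bytes being accounted for would make the sign error harder to reintroduce, and a regression test with a length byte larger than inlen - 4 would be worth adding with the fix.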

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

@ -0,0 +1,21 @@
--- crypto/openssl/crypto/cms/cms_pwri.c.orig
+++ crypto/openssl/crypto/cms/cms_pwri.c
@@ -228,7 +228,7 @@
/* Check byte failure */
goto err;
}
- if (inlen < (size_t)(tmp[0] - 4)) {
+ if (inlen < 4 + (size_t)tmp[0]) {
/* Invalid length value */
goto err;
}
--- crypto/openssl/crypto/http/http_lib.c.orig
+++ crypto/openssl/crypto/http/http_lib.c
@@ -267,6 +267,7 @@
/* strip leading '[' and trailing ']' from escaped IPv6 address */
sl -= 2;
strncpy(host, server + 1, sl);
+ host[sl] = '\0';
server = host;
}
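
Review bot: "host[sl] = '\0';" supplies the missing terminator, but the visible context does not show that sl is at least 2 before "sl -= 2" or that sl is smaller than the size of host before the write. If the enclosing condition guarantees both, a short comment saying so would help; otherwise the check belongs here. strncpy does not add a terminator when the source is at least sl bytes long, which is always the case here because of the trailing ']', so memcpy followed by the explicit terminator would state the intent more directly.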

View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

@ -0,0 +1,173 @@
--- crypto/openssl/crypto/cms/cms_pwri.c.orig
+++ crypto/openssl/crypto/cms/cms_pwri.c
@@ -242,7 +242,7 @@
/* Check byte failure */
goto err;
}
- if (inlen < (size_t)(tmp[0] - 4)) {
+ if (inlen < 4 + (size_t)tmp[0]) {
/* Invalid length value */
goto err;
}
--- crypto/openssl/crypto/ec/ecp_sm2p256.c.orig
+++ crypto/openssl/crypto/ec/ecp_sm2p256.c
@@ -56,10 +56,6 @@
0xffffffffffffffff, 0xffffffff00000000,
0xffffffffffffffff, 0xfffffffeffffffff
};
-ALIGN32 static const BN_ULONG def_ord[P256_LIMBS] = {
- 0x53bbf40939d54123, 0x7203df6b21c6052b,
- 0xffffffffffffffff, 0xfffffffeffffffff
-};
ALIGN32 static const BN_ULONG ONE[P256_LIMBS] = {1, 0, 0, 0};
@@ -177,13 +173,6 @@
BN_MOD_INV(out, in, ecp_sm2p256_div_by_2, ecp_sm2p256_sub, def_p);
}
-/* Modular inverse mod order |out| = |in|^(-1) % |ord|. */
-static ossl_inline void ecp_sm2p256_mod_ord_inverse(BN_ULONG* out,
- const BN_ULONG* in) {
- BN_MOD_INV(out, in, ecp_sm2p256_div_by_2_mod_ord, ecp_sm2p256_sub_mod_ord,
- def_ord);
-}
-
/* Point double: R <- P + P */
static void ecp_sm2p256_point_double(P256_POINT *R, const P256_POINT *P)
{
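
Review bot: The removed ecp_sm2p256_mod_ord_inverse() is the only visible user of ecp_sm2p256_div_by_2_mod_ord and ecp_sm2p256_sub_mod_ord, and no hunk in this patch touches their definitions. If nothing else references them, remove them in the same change so the code path this patch retires is not left half in place.
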
@@ -454,52 +443,6 @@
}
#endif
-/*
- * Convert Jacobian coordinate point into affine coordinate (x,y)
- */
-static int ecp_sm2p256_get_affine(const EC_GROUP *group,
- const EC_POINT *point,
- BIGNUM *x, BIGNUM *y, BN_CTX *ctx)
-{
- ALIGN32 BN_ULONG z_inv2[P256_LIMBS] = {0};
- ALIGN32 BN_ULONG z_inv3[P256_LIMBS] = {0};
- ALIGN32 BN_ULONG x_aff[P256_LIMBS] = {0};
- ALIGN32 BN_ULONG y_aff[P256_LIMBS] = {0};
- ALIGN32 BN_ULONG point_x[P256_LIMBS] = {0};
- ALIGN32 BN_ULONG point_y[P256_LIMBS] = {0};
- ALIGN32 BN_ULONG point_z[P256_LIMBS] = {0};
-
- if (EC_POINT_is_at_infinity(group, point)) {
- ECerr(ERR_LIB_EC, EC_R_POINT_AT_INFINITY);
- return 0;
- }
-
- if (ecp_sm2p256_bignum_field_elem(point_x, point->X) <= 0
- || ecp_sm2p256_bignum_field_elem(point_y, point->Y) <= 0
- || ecp_sm2p256_bignum_field_elem(point_z, point->Z) <= 0) {
- ECerr(ERR_LIB_EC, EC_R_COORDINATES_OUT_OF_RANGE);
- return 0;
- }
-
- ecp_sm2p256_mod_inverse(z_inv3, point_z);
- ecp_sm2p256_sqr(z_inv2, z_inv3);
-
- if (x != NULL) {
- ecp_sm2p256_mul(x_aff, point_x, z_inv2);
- if (!bn_set_words(x, x_aff, P256_LIMBS))
- return 0;
- }
-
- if (y != NULL) {
- ecp_sm2p256_mul(z_inv3, z_inv3, z_inv2);
- ecp_sm2p256_mul(y_aff, point_y, z_inv3);
- if (!bn_set_words(y, y_aff, P256_LIMBS))
- return 0;
- }
-
- return 1;
-}
-
/* r = sum(scalar[i]*point[i]) */
static int ecp_sm2p256_windowed_mul(const EC_GROUP *group,
P256_POINT *r,
@@ -689,44 +632,6 @@
return 1;
}
-static int ecp_sm2p256_inv_mod_ord(const EC_GROUP *group, BIGNUM *r,
- const BIGNUM *x, BN_CTX *ctx)
-{
- int ret = 0;
- ALIGN32 BN_ULONG t[P256_LIMBS] = {0};
- ALIGN32 BN_ULONG out[P256_LIMBS] = {0};
-
- if (bn_wexpand(r, P256_LIMBS) == NULL) {
- ECerr(ERR_LIB_EC, ERR_R_BN_LIB);
- goto err;
- }
-
- if ((BN_num_bits(x) > 256) || BN_is_negative(x)) {
- BIGNUM *tmp;
-
- if ((tmp = BN_CTX_get(ctx)) == NULL
- || !BN_nnmod(tmp, x, group->order, ctx)) {
- ECerr(ERR_LIB_EC, ERR_R_BN_LIB);
- goto err;
- }
- x = tmp;
- }
-
- if (!ecp_sm2p256_bignum_field_elem(t, x)) {
- ECerr(ERR_LIB_EC, EC_R_COORDINATES_OUT_OF_RANGE);
- goto err;
- }
-
- ecp_sm2p256_mod_ord_inverse(out, t);
-
- if (!bn_set_words(r, out, P256_LIMBS))
- goto err;
-
- ret = 1;
-err:
- return ret;
-}
-
const EC_METHOD *EC_GFp_sm2p256_method(void)
{
static const EC_METHOD ret = {
@@ -747,7 +652,7 @@
ossl_ec_GFp_simple_point_copy,
ossl_ec_GFp_simple_point_set_to_infinity,
ossl_ec_GFp_simple_point_set_affine_coordinates,
- ecp_sm2p256_get_affine,
+ ossl_ec_GFp_simple_point_get_affine_coordinates,
0, 0, 0,
ossl_ec_GFp_simple_add,
ossl_ec_GFp_simple_dbl,
@@ -763,7 +668,7 @@
ecp_sm2p256_field_mul,
ecp_sm2p256_field_sqr,
0 /* field_div */,
- 0 /* field_inv */,
+ ossl_ec_GFp_simple_field_inv,
0 /* field_encode */,
0 /* field_decode */,
0 /* field_set_to_one */,
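
Review bot: The field_inv slot changes from "0 /* field_inv */" to ossl_ec_GFp_simple_field_inv with no explanation of why the hook is needed now. If it is required by the switch to ossl_ec_GFp_simple_point_get_affine_coordinates in the previous hunk, say so in a comment next to the entry.
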
@@ -779,7 +684,7 @@
ossl_ecdsa_simple_sign_setup,
ossl_ecdsa_simple_sign_sig,
ossl_ecdsa_simple_verify_sig,
- ecp_sm2p256_inv_mod_ord,
+ 0, /* use constanttime fallback for inverse mod order */
0, /* blind_coordinates */
0, /* ladder_pre */
0, /* ladder_step */
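
Review bot: The new comment "use constanttime fallback for inverse mod order" misspells "constant-time" and replaces the slot label, whereas the neighbouring entries keep theirs ("/* blind_coordinates */", "/* ladder_pre */"). Keep the slot name in the comment and add the reason after it, so the table stays readable and the security rationale for the 0 entry is not lost.
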
--- crypto/openssl/crypto/http/http_lib.c.orig
+++ crypto/openssl/crypto/http/http_lib.c
@@ -263,6 +263,7 @@
/* strip leading '[' and trailing ']' from escaped IPv6 address */
sl -= 2;
strncpy(host, server + 1, sl);
+ host[sl] = '\0';
server = host;
}

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----