From fb5b5623493019877666f32d7b06bb80a68b341c Mon Sep 17 00:00:00 2001
From: andy
Date: Fri, 1 Aug 2025 02:30:17 +0000
Subject: [PATCH 1/2] Fix CVE-2024-4741
---
 ...y-free-the-read-buffers-if-not-using.patch | 67 +++++++++++++++++++
 openresty-openssl111.spec | 8 ++-
 2 files changed, 74 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2024-4741-Only-free-the-read-buffers-if-not-using.patch
diff --git a/backport-CVE-2024-4741-Only-free-the-read-buffers-if-not-using.patch b/backport-CVE-2024-4741-Only-free-the-read-buffers-if-not-using.patch
new file mode 100644
index 0000000..ef337ed
--- /dev/null
+++ b/backport-CVE-2024-4741-Only-free-the-read-buffers-if-not-using.patch
@@ -0,0 +1,67 @@
+From 704f725b96aa373ee45ecfb23f6abfe8be8d9177 Mon Sep 17 00:00:00 2001
+From: Watson Ladd
+Date: Wed, 24 Apr 2024 11:26:56 +0100
+Subject: [PATCH] Only free the read buffers if we're not using them
+
+If we're part way through processing a record, or the application has
+not released all the records then we should not free our buffer because
+they are still needed.
+
+CVE-2024-4741
+
+Reviewed-by: Tomas Mraz
+Reviewed-by: Neil Horman
+Reviewed-by: Matt Caswell
+(Merged from https://github.com/openssl/openssl/pull/24395)
+---
+ ssl/record/rec_layer_s3.c | 9 +++++++++
+ ssl/record/record.h | 1 +
+ ssl/ssl_lib.c | 3 +++
+ 3 files changed, 13 insertions(+)
+
+diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
+index 4bcffcc41e364..1569997bea2d3 100644
+--- a/ssl/record/rec_layer_s3.c
++++ b/ssl/record/rec_layer_s3.c
+@@ -81,6 +81,15 @@ int RECORD_LAYER_read_pending(const RECORD_LAYER *rl)
+ return SSL3_BUFFER_get_left(&rl->rbuf) != 0;
+ }
+ 
++int RECORD_LAYER_data_present(const RECORD_LAYER *rl)
++{
++ if (rl->rstate == SSL_ST_READ_BODY)
++ return 1;
++ if (RECORD_LAYER_processed_read_pending(rl))
++ return 1;
++ return 0;
++}
++
+ /* Checks if we have decrypted unread record data pending */
+ int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl)
+ {
+diff --git a/ssl/record/record.h b/ssl/record/record.h
+index 234656bf93942..b60f71c8cb23b 100644
+--- a/ssl/record/record.h
++++ b/ssl/record/record.h
+@@ -205,6 +205,7 @@ void RECORD_LAYER_release(RECORD_LAYER *rl);
+ int RECORD_LAYER_read_pending(const RECORD_LAYER *rl);
+ int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl);
+ int RECORD_LAYER_write_pending(const RECORD_LAYER *rl);
++int RECORD_LAYER_data_present(const RECORD_LAYER *rl);
+ void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl);
+ void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl);
+ int RECORD_LAYER_is_sslv2_record(RECORD_LAYER *rl);
+diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
+index e747b7f90aa71..9088223b9f6bb 100644
+--- a/ssl/ssl_lib.c
++++ b/ssl/ssl_lib.c
+@@ -5493,6 +5493,9 @@ int SSL_free_buffers(SSL *ssl)
+ if (RECORD_LAYER_read_pending(rl) || RECORD_LAYER_write_pending(rl))
+ return 0;
+ 
++ if (RECORD_LAYER_data_present(rl))
++ return 0;
++
+ RECORD_LAYER_release(rl);
+ return 1;
+ }
diff --git a/openresty-openssl111.spec b/openresty-openssl111.spec
index 2f18add..764929e 100644
--- a/openresty-openssl111.spec
+++ b/openresty-openssl111.spec
@@ -1,6 +1,6 @@
 Name: openresty-openssl111
 Version: 1.1.1h
-Release: 4
+Release: 5
 Summary: OpenSSL library for OpenResty
 Group: Development/Libraries
@@ -14,6 +14,7 @@ Patch0: openssl-1.1.1f-sess_set_get_cb_yield.patch
 Patch99: 0099-copy-dir.sh.patch
 Patch100: CVE-2021-23841.patch
 Patch101: backport-CVE-2022-4450.patch
+Patch102: backport-CVE-2024-4741-Only-free-the-read-buffers-if-not-using.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -119,6 +120,7 @@ Provides C header and static library for the debug version of OpenResty's OpenSS
 %patch99 -p1
 %patch100 -p1
 %patch101 -p1
+%patch102 -p1
 %build
 bash ./copy-dir.sh
@@ -261,6 +263,10 @@ rm -rf %{buildroot}
 %attr(0755,root,root) %{openssl_prefix_debug}/lib/*.a
 %changelog
+* Fri Aug 1 2025 andy - 1.1.1h-5
+- Fix CVE-2024-4741
+ Only free the read buffers if we're not using them
+
 * Sat Dec 23 2023 liningjie - 1.1.1h-4
 - Fix CVE-2022-4450
-- 
Gitee
From 147922dd4651d5a5b715c73a86307632f604ef60 Mon Sep 17 00:00:00 2001
From: andy
Date: Fri, 1 Aug 2025 02:58:11 +0000
Subject: [PATCH 2/2] sync Fix CVE-2024-5535 from master to openEuler-22.03-LTS-SP3
---
 ...-2024-5535-Fix-SSL_select_next_proto.patch | 108 ++++++++++++++++++
 openresty-openssl111.spec | 7 +-
 2 files changed, 114 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2024-5535-Fix-SSL_select_next_proto.patch
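Review bot: `RECORD_LAYER_data_present`, added in the rec_layer_s3.c hunk of the backported patch, has no header comment although the neighbouring `RECORD_LAYER_processed_read_pending` carries one (`/* Checks if we have decrypted unread record data pending */`) and the new function is the only new gate in `SSL_free_buffers`. A one-liner such as `/* Checks if a record is part-way through being read, or decrypted record data is still unread */` above the definition would let a reader of the ssl_lib.c hunk see why both the `rl->rstate == SSL_ST_READ_BODY` case and the processed-read-pending case must block releasing the buffers. As the file is a verbatim backport of upstream commit 704f725b96aa373ee45ecfb23f6abfe8be8d9177, this is a point to carry upstream rather than to edit into the patch text. The new function also calls `RECORD_LAYER_processed_read_pending` ahead of that function's definition and so depends on a visible prototype, which the record.h hunk of the same patch supplies; the three file hunks therefore only build when applied together.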
diff --git a/backport-CVE-2024-5535-Fix-SSL_select_next_proto.patch b/backport-CVE-2024-5535-Fix-SSL_select_next_proto.patch
new file mode 100644
index 0000000..2be96c8
--- /dev/null
+++ b/backport-CVE-2024-5535-Fix-SSL_select_next_proto.patch
@@ -0,0 +1,108 @@
+From cf6f91f6121f4db167405db2f0de410a456f260c Mon Sep 17 00:00:00 2001
+From: Matt Caswell
+Date: Fri, 31 May 2024 11:14:33 +0100
+Subject: [PATCH] Fix SSL_select_next_proto
+
+Ensure that the provided client list is non-NULL and starts with a valid
+entry. When called from the ALPN callback the client list should already
+have been validated by OpenSSL so this should not cause a problem. When
+called from the NPN callback the client list is locally configured and
+will not have already been validated. Therefore SSL_select_next_proto
+should not assume that it is correctly formatted.
+
+We implement stricter checking of the client protocol list. We also do the
+same for the server list while we are about it.
+
+CVE-2024-5535
+
+Reviewed-by: Neil Horman
+Reviewed-by: Tomas Mraz
+(Merged from https://github.com/openssl/openssl/pull/24718)
+
+(cherry picked from commit 4ada436a1946cbb24db5ab4ca082b69c1bc10f37)
+---
+ ssl/ssl_lib.c | 63 ++++++++++++++++++++++++++++++++-------------------
+ 1 file changed, 40 insertions(+), 23 deletions(-)
+
+diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
+index cb4e006ea7a37..e628140dfae9a 100644
+--- a/ssl/ssl_lib.c
++++ b/ssl/ssl_lib.c
+@@ -2952,37 +2952,54 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
+ unsigned int server_len,
+ const unsigned char *client, unsigned int client_len)
+ {
+- unsigned int i, j;
+- const unsigned char *result;
+- int status = OPENSSL_NPN_UNSUPPORTED;
++ PACKET cpkt, csubpkt, spkt, ssubpkt;
++
++ if (!PACKET_buf_init(&cpkt, client, client_len)
++ || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt)
++ || PACKET_remaining(&csubpkt) == 0) {
++ *out = NULL;
++ *outlen = 0;
++ return OPENSSL_NPN_NO_OVERLAP;
++ }
++
++ /*
++ * Set the default opportunistic protocol. Will be overwritten if we find
++ a match.
++ */
++ *out = (unsigned char *)PACKET_data(&csubpkt);
++ *outlen = (unsigned char)PACKET_remaining(&csubpkt);
+ 
+ /*
+ * For each protocol in server preference order, see if we support it.
+ */
+- for (i = 0; i < server_len;) {
+- for (j = 0; j < client_len;) {
+- if (server[i] == client[j] &&
+- memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) {
+- /* We found a match */
+- result = &server[i];
+- status = OPENSSL_NPN_NEGOTIATED;
+- goto found;
++ if (PACKET_buf_init(&spkt, server, server_len)) {
++ while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) {
++ if (PACKET_remaining(&ssubpkt) == 0)
++ continue; /* Invalid - ignore it */
++ if (PACKET_buf_init(&cpkt, client, client_len)) {
++ while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) {
++ if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt),
++ PACKET_remaining(&ssubpkt))) {
++ /* We found a match */
++ *out = (unsigned char *)PACKET_data(&ssubpkt);
++ *outlen = (unsigned char)PACKET_remaining(&ssubpkt);
++ return OPENSSL_NPN_NEGOTIATED;
++ }
++ }
++ /* Ignore spurious trailing bytes in the client list */
++ } else {
++ /* This should never happen */
++ return OPENSSL_NPN_NO_OVERLAP;
+ }
+- j += client[j];
+- j++;
+ }
+- i += server[i];
+- i++;
++ /* Ignore spurious trailing bytes in the server list */
+ }
+ 
+- /* There's no overlap between our protocols and the server's list. */
+- result = client;
+- status = OPENSSL_NPN_NO_OVERLAP;
+-
+- found:
+- *out = (unsigned char *)result + 1;
+- *outlen = result[0];
+- return status;
++ /*
++ * There's no overlap between our protocols and the server's list. We use
++ * the default opportunistic protocol selected earlier
++ */
++ return OPENSSL_NPN_NO_OVERLAP;
+ }
+ 
+ #ifndef OPENSSL_NO_NEXTPROTONEG
diff --git a/openresty-openssl111.spec b/openresty-openssl111.spec
index 764929e..2e195ae 100644
--- a/openresty-openssl111.spec
+++ b/openresty-openssl111.spec
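Review bot: The rewritten `SSL_select_next_proto` changes what callers observe on `OPENSSL_NPN_NO_OVERLAP`: the removed code always left `*out = client + 1` and `*outlen = client[0]`, whereas the new early exit sets `*out = NULL; *outlen = 0;` when the client list is empty or its first entry has zero length, so a caller that copies from `*out` unconditionally after a NO_OVERLAP result could now dereference NULL. That is the contract upstream intends, but the backport carries only ssl_lib.c (`1 file changed` in the patch header) while the upstream PR 24718 named there presumably also updated documentation and tests; the spec changelog entry `- Fix CVE-2024-5535` says nothing about the stricter return contract, and a continuation line such as `  SSL_select_next_proto now sets *out to NULL on an empty or malformed client list` would warn downstream consumers. As stored here the comment line `++ a match.` lacks the ` * ` continuation its neighbours carry; it is still inside the `/* … */` and compiles, but if the patch was transcribed rather than exported it should be checked against the cherry-picked commit 4ada436a1946cbb24db5ab4ca082b69c1bc10f37 cited in its header. `SSL_select_next_proto` begins outside the hunk (only its signature appears in the `@@` context) and its closing brace is inside it.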
@@ -1,6 +1,6 @@
 Name: openresty-openssl111
 Version: 1.1.1h
-Release: 5
+Release: 6
 Summary: OpenSSL library for OpenResty
 Group: Development/Libraries
@@ -15,6 +15,7 @@ Patch99: 0099-copy-dir.sh.patch
 Patch100: CVE-2021-23841.patch
 Patch101: backport-CVE-2022-4450.patch
 Patch102: backport-CVE-2024-4741-Only-free-the-read-buffers-if-not-using.patch
+Patch103: backport-CVE-2024-5535-Fix-SSL_select_next_proto.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -121,6 +122,7 @@ Provides C header and static library for the debug version of OpenResty's OpenSS
 %patch100 -p1
 %patch101 -p1
 %patch102 -p1
+%patch103 -p1
 %build
 bash ./copy-dir.sh
@@ -263,6 +265,9 @@ rm -rf %{buildroot}
 %attr(0755,root,root) %{openssl_prefix_debug}/lib/*.a
 %changelog
+* Fri Aug 1 2025 andy - 1.1.1h-6
+- Fix CVE-2024-5535
+
 * Fri Aug 1 2025 andy - 1.1.1h-5
 - Fix CVE-2024-4741
 Only free the read buffers if we're not using them
-- 
Gitee