From 1dbf7b45e26a6ef990ea72387dc1195e185c5fa0 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Tue, 5 Jul 2022 22:44:41 +0200 Subject: [PATCH 1/2] openssl_3: 3.0.4 -> 3.0.5 https://www.openssl.org/news/secadv/20220705.txt We already acted on the first public disclosure, so this release removes the previous patch and upgrades to the release including the fix. Related: CVE-2022-2274 Fixes: CVE-2022-2097 --- ...lace-call-for-rsaz_mod_exp_avx512_x2.patch | 34 ------------------- .../development/libraries/openssl/default.nix | 8 ++--- 2 files changed, 2 insertions(+), 40 deletions(-) delete mode 100644 pkgs/development/libraries/openssl/3.0/rsa-fix-bn_reduce_once_in_place-call-for-rsaz_mod_exp_avx512_x2.patch diff --git a/pkgs/development/libraries/openssl/3.0/rsa-fix-bn_reduce_once_in_place-call-for-rsaz_mod_exp_avx512_x2.patch b/pkgs/development/libraries/openssl/3.0/rsa-fix-bn_reduce_once_in_place-call-for-rsaz_mod_exp_avx512_x2.patch deleted file mode 100644 index e144a718889..00000000000 --- a/pkgs/development/libraries/openssl/3.0/rsa-fix-bn_reduce_once_in_place-call-for-rsaz_mod_exp_avx512_x2.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 4d8a88c134df634ba610ff8db1eb8478ac5fd345 Mon Sep 17 00:00:00 2001 -From: Xi Ruoyao -Date: Wed, 22 Jun 2022 18:07:05 +0800 -Subject: [PATCH] rsa: fix bn_reduce_once_in_place call for - rsaz_mod_exp_avx512_x2 - -bn_reduce_once_in_place expects the number of BN_ULONG, but factor_size -is moduli bit size. - -Fixes #18625. - -Signed-off-by: Xi Ruoyao - -Reviewed-by: Tomas Mraz -Reviewed-by: Paul Dale -(Merged from https://github.com/openssl/openssl/pull/18626) ---- - crypto/bn/rsaz_exp_x2.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/crypto/bn/rsaz_exp_x2.c b/crypto/bn/rsaz_exp_x2.c -index 6b04486e3f56..f979cebd6fb7 100644 ---- a/crypto/bn/rsaz_exp_x2.c -+++ b/crypto/bn/rsaz_exp_x2.c -@@ -257,6 +257,9 @@ int ossl_rsaz_mod_exp_avx512_x2(BN_ULONG *res1, - from_words52(res1, factor_size, rr1_red); - from_words52(res2, factor_size, rr2_red); - -+ /* bn_reduce_once_in_place expects number of BN_ULONG, not bit size */ -+ factor_size /= sizeof(BN_ULONG) * 8; -+ - bn_reduce_once_in_place(res1, /*carry=*/0, m1, storage, factor_size); - bn_reduce_once_in_place(res2, /*carry=*/0, m2, storage, factor_size); - diff --git a/pkgs/development/libraries/openssl/default.nix b/pkgs/development/libraries/openssl/default.nix index db6e0101fec..0017691d0b4 100644 --- a/pkgs/development/libraries/openssl/default.nix +++ b/pkgs/development/libraries/openssl/default.nix @@ -201,8 +201,8 @@ in { }; openssl_3 = common { - version = "3.0.4"; - sha256 = "sha256-KDGEPppmigq0eOcCCtY9LWXlH3KXdHLcc+/O+6/AwA8="; + version = "3.0.5"; + sha256 = "sha256-qn2Nm+9xrWUlxVuhHl9Dl4ic5Jwsk0nc6m0+TwsCSno="; patches = [ ./3.0/nix-ssl-cert-file.patch @@ -210,10 +210,6 @@ in { # This patch disables build-time detection. ./3.0/openssl-disable-kernel-detection.patch - # https://guidovranken.com/2022/06/27/notes-on-openssl-remote-memory-corruption/ - # https://github.com/openssl/openssl/commit/4d8a88c134df634ba610ff8db1eb8478ac5fd345.patch - 3.0/rsa-fix-bn_reduce_once_in_place-call-for-rsaz_mod_exp_avx512_x2.patch - (if stdenv.hostPlatform.isDarwin then ./use-etc-ssl-certs-darwin.patch else ./use-etc-ssl-certs.patch) From 82da6eb46dbbedb12dc740ff54d5c73749df4780 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Tue, 5 Jul 2022 22:56:35 +0200 Subject: [PATCH 2/2] openssl_1_1: 1.1.1p -> 1.1.1q https://www.openssl.org/news/secadv/20220705.txt Fixes: CVE-2022-2097 --- pkgs/development/libraries/openssl/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/openssl/default.nix b/pkgs/development/libraries/openssl/default.nix index 0017691d0b4..74e5d318bcb 100644 --- a/pkgs/development/libraries/openssl/default.nix +++ b/pkgs/development/libraries/openssl/default.nix @@ -186,8 +186,8 @@ in { openssl_1_1 = common rec { - version = "1.1.1p"; - sha256 = "sha256-v2G2Kqpmx8djmUKpTeTJroKAwI8X1OrC5EZE2fyKzm8="; + version = "1.1.1q"; + sha256 = "sha256-15Oc5hQCnN/wtsIPDi5XAxWKSJpyslB7i9Ub+Mj9EMo="; patches = [ ./1.1/nix-ssl-cert-file.patch