[AUTO-CHERRYPICK] Patch CVE-2024-5535 in openssl - branch main (#9905)

Author: CBL-Mariner-Bot

SPECS/openssl/CVE-2024-5535.patch

@@ -0,0 +1,108 @@
+From cf6f91f6121f4db167405db2f0de410a456f260c Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Fri, 31 May 2024 11:14:33 +0100
+Subject: [PATCH] Fix SSL_select_next_proto
+
+Ensure that the provided client list is non-NULL and starts with a valid
+entry. When called from the ALPN callback the client list should already
+have been validated by OpenSSL so this should not cause a problem. When
+called from the NPN callback the client list is locally configured and
+will not have already been validated. Therefore SSL_select_next_proto
+should not assume that it is correctly formatted.
+
+We implement stricter checking of the client protocol list. We also do the
+same for the server list while we are about it.
+
+CVE-2024-5535
+
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/24718)
+
+(cherry picked from commit 4ada436a1946cbb24db5ab4ca082b69c1bc10f37)
+---
+ ssl/ssl_lib.c | 63 ++++++++++++++++++++++++++++++++-------------------
+ 1 file changed, 40 insertions(+), 23 deletions(-)
+
+diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
+index cb4e006ea7a37..e628140dfae9a 100644
+--- a/ssl/ssl_lib.c
++++ b/ssl/ssl_lib.c
+@@ -2952,37 +2952,54 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
+                           unsigned int server_len,
+                           const unsigned char *client, unsigned int client_len)
+ {
+-    unsigned int i, j;
+-    const unsigned char *result;
+-    int status = OPENSSL_NPN_UNSUPPORTED;
++    PACKET cpkt, csubpkt, spkt, ssubpkt;
++
++    if (!PACKET_buf_init(&cpkt, client, client_len)
++            || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt)
++            || PACKET_remaining(&csubpkt) == 0) {
++        *out = NULL;
++        *outlen = 0;
++        return OPENSSL_NPN_NO_OVERLAP;
++    }
++
++    /*
++     * Set the default opportunistic protocol. Will be overwritten if we find
++     * a match.
++     */
++    *out = (unsigned char *)PACKET_data(&csubpkt);
++    *outlen = (unsigned char)PACKET_remaining(&csubpkt);
+ 
+     /*
+      * For each protocol in server preference order, see if we support it.
+      */
+-    for (i = 0; i < server_len;) {
+-        for (j = 0; j < client_len;) {
+-            if (server[i] == client[j] &&
+-                memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) {
+-                /* We found a match */
+-                result = &server[i];
+-                status = OPENSSL_NPN_NEGOTIATED;
+-                goto found;
++    if (PACKET_buf_init(&spkt, server, server_len)) {
++        while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) {
++            if (PACKET_remaining(&ssubpkt) == 0)
++                continue; /* Invalid - ignore it */
++            if (PACKET_buf_init(&cpkt, client, client_len)) {
++                while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) {
++                    if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt),
++                                     PACKET_remaining(&ssubpkt))) {
++                        /* We found a match */
++                        *out = (unsigned char *)PACKET_data(&ssubpkt);
++                        *outlen = (unsigned char)PACKET_remaining(&ssubpkt);
++                        return OPENSSL_NPN_NEGOTIATED;
++                    }
++                }
++                /* Ignore spurious trailing bytes in the client list */
++            } else {
++                /* This should never happen */
++                return OPENSSL_NPN_NO_OVERLAP;
+             }
+-            j += client[j];
+-            j++;
+         }
+-        i += server[i];
+-        i++;
++        /* Ignore spurious trailing bytes in the server list */
+     }
+ 
+-    /* There's no overlap between our protocols and the server's list. */
+-    result = client;
+-    status = OPENSSL_NPN_NO_OVERLAP;
+-
+- found:
+-    *out = (unsigned char *)result + 1;
+-    *outlen = result[0];
+-    return status;
++    /*
++     * There's no overlap between our protocols and the server's list. We use
++     * the default opportunistic protocol selected earlier
++     */
++    return OPENSSL_NPN_NO_OVERLAP;
+ }
+ 
+ #ifndef OPENSSL_NO_NEXTPROTONEG

SPECS/openssl/openssl.spec

@@ -4,7 +4,7 @@
 Summary:        Utilities from the general purpose cryptography library with TLS implementation
 Name:           openssl
 Version:        1.1.1k
-Release:        33%{?dist}
+Release:        34%{?dist}
 License:        OpenSSL
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -64,6 +64,7 @@ Patch40:        openssl-1.1.1-Fix-unconstrained-session-cache-growth-in-TLSv1.3.
 Patch41:        openssl-1.1.1-pkcs1-implicit-rejection.patch
 Patch42:        openssl-1.1.1-Only-free-the-read-buffers-if-we-re-not-using-them.patch
 Patch43:        openssl-1.1.1-jitterentropy-fix-intermittent-fips-selftest-failure.patch
+Patch44:        CVE-2024-5535.patch
 BuildRequires:  perl-Test-Warnings
 BuildRequires:  perl-Text-Template
 BuildRequires:  perl(FindBin)
@@ -369,6 +370,9 @@ rm -f %{buildroot}%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist
 %postun libs -p /sbin/ldconfig
 
 %changelog
+* Mon Jul 22 2024 Suresh Thelkar <sthelkar@microsoft.com> - 1.1.1k-34
+- Patch CVE-2024-5535
+
 * Tue Jul 16 2024 Tobias Brick <tobiasb@microsoft.com> - 1.1.1k-33
 - Fix intermittent FIPS selftest failures in jitterentropy module
 

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -165,11 +165,11 @@ texinfo-6.8-1.cm2.aarch64.rpm
 gtk-doc-1.33.2-1.cm2.noarch.rpm
 autoconf-2.71-3.cm2.noarch.rpm
 automake-1.16.5-1.cm2.noarch.rpm
-openssl-1.1.1k-33.cm2.aarch64.rpm
-openssl-devel-1.1.1k-33.cm2.aarch64.rpm
-openssl-libs-1.1.1k-33.cm2.aarch64.rpm
-openssl-perl-1.1.1k-33.cm2.aarch64.rpm
-openssl-static-1.1.1k-33.cm2.aarch64.rpm
+openssl-1.1.1k-34.cm2.aarch64.rpm
+openssl-devel-1.1.1k-34.cm2.aarch64.rpm
+openssl-libs-1.1.1k-34.cm2.aarch64.rpm
+openssl-perl-1.1.1k-34.cm2.aarch64.rpm
+openssl-static-1.1.1k-34.cm2.aarch64.rpm
 libcap-2.60-2.cm2.aarch64.rpm
 libcap-devel-2.60-2.cm2.aarch64.rpm
 debugedit-5.0-2.cm2.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -165,11 +165,11 @@ texinfo-6.8-1.cm2.x86_64.rpm
 gtk-doc-1.33.2-1.cm2.noarch.rpm
 autoconf-2.71-3.cm2.noarch.rpm
 automake-1.16.5-1.cm2.noarch.rpm
-openssl-1.1.1k-33.cm2.x86_64.rpm
-openssl-devel-1.1.1k-33.cm2.x86_64.rpm
-openssl-libs-1.1.1k-33.cm2.x86_64.rpm
-openssl-perl-1.1.1k-33.cm2.x86_64.rpm
-openssl-static-1.1.1k-33.cm2.x86_64.rpm
+openssl-1.1.1k-34.cm2.x86_64.rpm
+openssl-devel-1.1.1k-34.cm2.x86_64.rpm
+openssl-libs-1.1.1k-34.cm2.x86_64.rpm
+openssl-perl-1.1.1k-34.cm2.x86_64.rpm
+openssl-static-1.1.1k-34.cm2.x86_64.rpm
 libcap-2.60-2.cm2.x86_64.rpm
 libcap-devel-2.60-2.cm2.x86_64.rpm
 debugedit-5.0-2.cm2.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -270,12 +270,12 @@ npth-1.6-4.cm2.aarch64.rpm
 npth-debuginfo-1.6-4.cm2.aarch64.rpm
 npth-devel-1.6-4.cm2.aarch64.rpm
 ntsysv-1.20-4.cm2.aarch64.rpm
-openssl-1.1.1k-33.cm2.aarch64.rpm
-openssl-debuginfo-1.1.1k-33.cm2.aarch64.rpm
-openssl-devel-1.1.1k-33.cm2.aarch64.rpm
-openssl-libs-1.1.1k-33.cm2.aarch64.rpm
-openssl-perl-1.1.1k-33.cm2.aarch64.rpm
-openssl-static-1.1.1k-33.cm2.aarch64.rpm
+openssl-1.1.1k-34.cm2.aarch64.rpm
+openssl-debuginfo-1.1.1k-34.cm2.aarch64.rpm
+openssl-devel-1.1.1k-34.cm2.aarch64.rpm
+openssl-libs-1.1.1k-34.cm2.aarch64.rpm
+openssl-perl-1.1.1k-34.cm2.aarch64.rpm
+openssl-static-1.1.1k-34.cm2.aarch64.rpm
 p11-kit-0.24.1-1.cm2.aarch64.rpm
 p11-kit-debuginfo-0.24.1-1.cm2.aarch64.rpm
 p11-kit-devel-0.24.1-1.cm2.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -276,12 +276,12 @@ npth-1.6-4.cm2.x86_64.rpm
 npth-debuginfo-1.6-4.cm2.x86_64.rpm
 npth-devel-1.6-4.cm2.x86_64.rpm
 ntsysv-1.20-4.cm2.x86_64.rpm
-openssl-1.1.1k-33.cm2.x86_64.rpm
-openssl-debuginfo-1.1.1k-33.cm2.x86_64.rpm
-openssl-devel-1.1.1k-33.cm2.x86_64.rpm
-openssl-libs-1.1.1k-33.cm2.x86_64.rpm
-openssl-perl-1.1.1k-33.cm2.x86_64.rpm
-openssl-static-1.1.1k-33.cm2.x86_64.rpm
+openssl-1.1.1k-34.cm2.x86_64.rpm
+openssl-debuginfo-1.1.1k-34.cm2.x86_64.rpm
+openssl-devel-1.1.1k-34.cm2.x86_64.rpm
+openssl-libs-1.1.1k-34.cm2.x86_64.rpm
+openssl-perl-1.1.1k-34.cm2.x86_64.rpm
+openssl-static-1.1.1k-34.cm2.x86_64.rpm
 p11-kit-0.24.1-1.cm2.x86_64.rpm
 p11-kit-debuginfo-0.24.1-1.cm2.x86_64.rpm
 p11-kit-devel-0.24.1-1.cm2.x86_64.rpm