On Sat, 22 Jul 2023 16:25:36 +0000 "Jacob .." <sirkilam...@msn.com> wrote:> Started the process of
adding a patch to wolfssl_4.6.0+p1-0+deb11u1.1.dsc.
Based on the same upstream commit, I am uploading an unstable fix as NMU
so I can forward your upload to proposed-updates.
diff -Nru wolfssl-5.5.4/debian/changelog wolfssl-5.5.4/debian/changelog
--- wolfssl-5.5.4/debian/changelog 2023-02-06 14:41:53.000000000 +0000
+++ wolfssl-5.5.4/debian/changelog 2023-10-23 17:46:16.000000000 +0000
@@ -1,3 +1,10 @@
+wolfssl (5.5.4-2.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix CVE-2023-3724. (see #1041699)
+
+ -- Bastian Germann <b...@debian.org> Mon, 23 Oct 2023 17:46:16 +0000
+
wolfssl (5.5.4-2) unstable; urgency=medium
* Clarify in README.Debian and in the package descriptions that wolfssl is
diff -Nru wolfssl-5.5.4/debian/patches/cve-2023-3724.patch
wolfssl-5.5.4/debian/patches/cve-2023-3724.patch
--- wolfssl-5.5.4/debian/patches/cve-2023-3724.patch 1970-01-01
00:00:00.000000000 +0000
+++ wolfssl-5.5.4/debian/patches/cve-2023-3724.patch 2023-10-23
17:46:16.000000000 +0000
@@ -0,0 +1,47 @@
+Origin: backport, 00f1eddee429ff51390b20caadd2eb6afe51e1aa
+From: Jacob Barthelmeh <ja...@wolfssl.com>
+Date: Mon, 15 May 2023 15:49:44 -0700
+Subject: add tls extension sanity check
+
+---
+ src/tls.c | 3 +++
+ src/tls13.c | 10 ++++++++++
+ 2 files changed, 13 insertions(+)
+
+diff --git a/src/tls.c b/src/tls.c
+index bced9f9b13f..9bbabfb14e2 100644
+--- a/src/tls.c
++++ b/src/tls.c
+@@ -8475,6 +8475,9 @@ int TLSX_KeyShare_Parse(WOLFSSL* ssl, const byte* input,
word16 length,
+ if (!WOLFSSL_NAMED_GROUP_IS_PQC(group))
+ #endif
+ ret = TLSX_KeyShare_Use(ssl, group, 0, NULL, NULL);
++
++ if (ret == 0)
++ ssl->session->namedGroup = ssl->namedGroup = group;
+ }
+ else {
+ /* Not a message type that is allowed to have this extension. */
+diff --git a/src/tls13.c b/src/tls13.c
+index e5360790b3b..0f1bbc1aad1 100644
+--- a/src/tls13.c
++++ b/src/tls13.c
+@@ -5236,8 +5236,18 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input,
word32* inOutIdx,
+ }
+ #endif
+
++ /* sanity check on PSK / KSE */
++ if (
++ #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
++ ssl->options.pskNegotiated == 0 &&
++ #endif
++ ssl->session->namedGroup == 0) {
++ return EXT_MISSING;
++ }
++
+ ssl->keys.encryptionOn = 1;
+ ssl->options.serverState = SERVER_HELLO_COMPLETE;
++
+ }
+ else {
+ ssl->options.tls1_3 = 1;
diff -Nru wolfssl-5.5.4/debian/patches/series
wolfssl-5.5.4/debian/patches/series
--- wolfssl-5.5.4/debian/patches/series 2022-11-07 17:38:12.000000000 +0000
+++ wolfssl-5.5.4/debian/patches/series 2023-10-23 17:46:16.000000000 +0000
@@ -4,3 +4,4 @@
fix-hurd-i386-flags.patch
disable-crl-monitor.patch
disable-jobserver.patch
+cve-2023-3724.patch
