Hi, This is a serious bug. CMS_final() finalises the structure cms. Its purpose is to perform any operations necessary on cms. CMS_final() call to SMIME_crlf_copy() and not checking the return value from SMIME_crlf_copy() so even SMIME_crlf_copy() fail, CMS_final() will return ok but with wrong CMS data. SMIME_crlf_copy() copies data from in_bio to out_bio and it's used at the final op on cms structure (for example before writing or sending cms object) SMIME_crlf_copy will fail if some data in cms is missing or wrong.
Scenario to reproduce: Create cms signature structure without the signature value and send it to CMS_final(). CMS_final() will return ok even if the CMS_final() fails. This causes the software to continue with incorrect information and pass it on even though it is incorrect. On Mon, Nov 14, 2022 at 5:40 PM Adrien Nader <1994...@bugs.launchpad.net> wrote: > Hi Gil, > > Can you explain a bit the actual impact of this bug and/or a scenario to > reproduce. The commit doesn't give us a lot of details and the issue > appears to be possibly quite serious but without diving deep into the > code and possibly writing a reproducer from scratch ourselves, it is > hard to be sure we properly understand it. > > Thanks. > > -- > You received this bug notification because you are subscribed to the bug > report. > https://bugs.launchpad.net/bugs/1994165 > > Title: > CMS_final: do not ignore CMS_dataFinal result > > Status in openssl package in Ubuntu: > Triaged > Status in openssl source package in Jammy: > Triaged > Status in openssl source package in Kinetic: > Triaged > > Bug description: > https://github.com/openssl/openssl/pull/18876 > > The CMS_dataFinal result is important as signature may fail, however, it > is ignored while returning success from CMS_final. > > Please add this fix to The openssl 3.0.2 "Jammy Jellyfish (supported)" > > Thanks > > Upstream commit: > > ``` > commit 67c0460b89cc1b0644a1a59af78284dfd8d720af > Author: Alon Bar-Lev <alon.bar...@gmail.com> > Date: Tue Jul 26 15:17:06 2022 +0300 > > Handle SMIME_crlf_copy return code > > Currently the SMIME_crlf_copy result is ignored in all usages. It > does > return failure when memory allocation fails. > > This patch handles the SMIME_crlf_copy return code in all > occurrences. > > Signed-off-by: Alon Bar-Lev <alon.bar...@gmail.com> > > Reviewed-by: Tomas Mraz <to...@openssl.org> > Reviewed-by: Paul Dale <pa...@openssl.org> > Reviewed-by: Hugo Landau <hlan...@openssl.org> > (Merged from https://github.com/openssl/openssl/pull/18876) > ``` > > To manage notifications about this bug go to: > > https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1994165/+subscriptions > > -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1994165 Title: CMS_final: do not ignore CMS_dataFinal result Status in openssl package in Ubuntu: Triaged Status in openssl source package in Jammy: Triaged Status in openssl source package in Kinetic: Triaged Bug description: https://github.com/openssl/openssl/pull/18876 The CMS_dataFinal result is important as signature may fail, however, it is ignored while returning success from CMS_final. Please add this fix to The openssl 3.0.2 "Jammy Jellyfish (supported)" Thanks Upstream commit: ``` commit 67c0460b89cc1b0644a1a59af78284dfd8d720af Author: Alon Bar-Lev <alon.bar...@gmail.com> Date: Tue Jul 26 15:17:06 2022 +0300 Handle SMIME_crlf_copy return code Currently the SMIME_crlf_copy result is ignored in all usages. It does return failure when memory allocation fails. This patch handles the SMIME_crlf_copy return code in all occurrences. Signed-off-by: Alon Bar-Lev <alon.bar...@gmail.com> Reviewed-by: Tomas Mraz <to...@openssl.org> Reviewed-by: Paul Dale <pa...@openssl.org> Reviewed-by: Hugo Landau <hlan...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18876) ``` To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1994165/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
