Bug 1220262

Summary: VUL-0: CVE-2023-50782: openssl: consider backporting implicit rejection in PKCS#1 v1.5
Product: [Novell Products] SUSE Security Incidents
Reporter: Carlos López <carlos.lopez>
Component: Incidents
Assignee: Otto Hollmann <otto.hollmann>
Status: RESOLVED WONTFIX
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: andrea.mattiazzo, andreas.taschner, meissner, otto.hollmann, pdostal, pmonrealgonzalez, security-team, smash_bz, stoyan.manolov
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/387939/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on: 1218043
Bug Blocks:

Description Carlos López 2024-02-23 10:36:25 UTC
+++ This bug was initially created as a clone of Bug #1218043 +++

Description:
The fix for CVE-2020-25659 is not addressing the leakage in the RSA
decryption. Because of the API design, the fix is generally not
believed to be possible to be fully addressed. The issue can be
mitigated by using a cryptographic backend that implements implicit
rejection (Marvin workaround). Only applications that use RSA decryption with PKCS#1 v1.5 padding are affected.

Implicit rejection in RHEL has shipped in 9.3.0. Will ship in 9.2.eus,
8.6.eus, 8.8.eus, and 8.9.z. No other releases are planned.

References:
https://github.com/pyca/cryptography/issues/9785
https://people.redhat.com/~hkario/marvin/
https://github.com/openssl/openssl/pull/13817

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-50782
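To make the mitigation named in the description concrete, the following is an added example (not code from this bug, from OpenSSL, or from SUSE) showing the logic of implicit rejection for RSA PKCS#1 v1.5 decryption. A strict decryptor returns a distinguishable failure on bad padding, which is the oracle Bleichenbacher-style attacks such as Marvin rely on; an implicit-rejection decryptor instead returns a pseudorandom message derived deterministically from the private key and the ciphertext, so the caller sees "a plaintext" either way. The key is a toy built from two known Mersenne primes so the script runs offline, the key-derivation construction is a simplified sketch rather than the exact OpenSSL 3.2 / Kario construction, and Python gives no constant-time guarantees, so this illustrates the behaviour, not a production implementation.

```python
"""Illustrative implicit rejection for RSA PKCS#1 v1.5 (added example, not OpenSSL code)."""
import hashlib
import hmac
import os

# Constructed toy key: P and Q are the Mersenne primes 2^127-1 and 2^61-1, far too
# small for real use but enough to exercise the padding logic. K is the modulus
# size in bytes (24), so a PKCS#1 v1.5 message may be at most K-11 = 13 bytes.
P = 2**127 - 1
Q = 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8


def pkcs1_v15_pad(msg: bytes) -> bytes:
    """EME-PKCS1-v1_5 type 2 encoding: 0x00 0x02 || PS (non-zero, >= 8 bytes) || 0x00 || M."""
    ps_len = K - len(msg) - 3
    if ps_len < 8:
        raise ValueError("message too long for this modulus")
    ps = b""
    while len(ps) < ps_len:
        ps += bytes(b for b in os.urandom(ps_len) if b != 0)
    return b"\x00\x02" + ps[:ps_len] + b"\x00" + msg


def encrypt_raw(em: bytes) -> bytes:
    """RSA-encrypt an already-encoded block (lets a test feed in deliberately bad padding)."""
    m = int.from_bytes(em, "big")
    if len(em) != K or m >= N:
        raise ValueError("encoded message out of range")
    return pow(m, E, N).to_bytes(K, "big")


def encrypt(msg: bytes) -> bytes:
    return encrypt_raw(pkcs1_v15_pad(msg))


def _rsa_decrypt_block(ciphertext: bytes) -> bytes:
    c = int.from_bytes(ciphertext, "big")
    if len(ciphertext) != K or c >= N:
        raise ValueError("ciphertext out of range")  # public information, not a padding oracle
    return pow(c, D, N).to_bytes(K, "big")


def unpad(em: bytes):
    """Return the message, or None if the PKCS#1 v1.5 padding is malformed."""
    if em[0] != 0 or em[1] != 2:
        return None
    sep = em.find(b"\x00", 2)
    if sep < 10:  # no separator, or padding string shorter than 8 bytes
        return None
    return em[sep + 1:]


def decrypt_strict(ciphertext: bytes):
    """Classic behaviour: None on bad padding. The distinguishable failure is the oracle."""
    return unpad(_rsa_decrypt_block(ciphertext))


def synthetic_message(ciphertext: bytes) -> bytes:
    """Deterministic stand-in plaintext for an invalid ciphertext (simplified sketch).

    KDK = HMAC-SHA256(SHA-256(d), ciphertext); the length (0..K-11) and the bytes are
    expanded from the KDK. The same ciphertext always yields the same output, so the
    attacker cannot tell "padding error" from "valid but unexpected plaintext".
    """
    kdk = hmac.new(hashlib.sha256(D.to_bytes(K, "big")).digest(), ciphertext, hashlib.sha256).digest()
    max_len = K - 11
    length = int.from_bytes(hmac.new(kdk, b"length", hashlib.sha256).digest()[:2], "big") % (max_len + 1)
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(kdk, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def decrypt_implicit_rejection(ciphertext: bytes) -> bytes:
    """Implicit rejection: never signal a padding failure; substitute the synthetic message."""
    em = _rsa_decrypt_block(ciphertext)
    # A real implementation computes both candidates and selects in constant time;
    # Python cannot promise that, so this only shows which value is returned.
    synthetic = synthetic_message(ciphertext)
    msg = unpad(em)
    return synthetic if msg is None else msg


if __name__ == "__main__":
    good = encrypt(b"hello, world")
    bad = encrypt_raw(b"\x01" + b"\xff" * (K - 1))  # first byte is not 0x00: invalid padding
    print("strict   :", decrypt_strict(good), decrypt_strict(bad))
    print("implicit :", decrypt_implicit_rejection(good), decrypt_implicit_rejection(bad).hex())
```

Running it shows the strict decryptor returning `None` for the malformed block while the implicit-rejection decryptor returns a fixed pseudorandom value for it; calling it again on the same ciphertext returns the same value, which is the property that denies the attacker a usable oracle. Note that the application-level check on the returned plaintext (for example a TLS premaster secret version check) must then also avoid leaking whether it received the synthetic value.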
Comment 1 Carlos López 2024-02-23 10:37:26 UTC
Newest openssl we have is 3.1.4 in Factory, we should consider backporting PKCS#1 v1.5 implicit rejection from 3.2.0
Comment 2 Pedro Monreal Gonzalez 2024-02-23 12:59:06 UTC
This was reworked later in [0], then partially reverted in [1] and then more rework in [2] in the context of CVE-2022-4304. So, just porting the commits in the pull request [3] might not be enough.

Do we need this in SP6 and ALP? In Factory, we are planning to move to openssl version 3.2.1.

I'm assigning this to Otto.

[0] github.com/openssl/openssl/commit/b1892d21
[1] github.com/openssl/openssl/commit/4209ce68
[2] github.com/openssl/openssl/commit/f06ef165
[3] github.com/openssl/openssl/pull/13817