Bugzilla – Bug 1207538
VUL-0: CVE-2022-4450: openssl: Double free after calling PEM_read_bio_ex
Last modified: 2024-05-03 10:41:32 UTC
CVE-2022-4450 Double free after calling PEM_read_bio_ex [MODERATE severity] 07 February 2023: The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack. The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0. The OpenSSL asn1parse command line application is also impacted by this issue. Reported by CarpetFuzz. Thanks to Dawei Wang. Fix developed by Kurt Roeckx. Fix developed by Matt Caswell. Fixed in OpenSSL 3.0.8 (Affected since 3.0.0) Fixed in OpenSSL 1.1.1t (Affected since 1.1.1)
SUSE-SU-2023:0312-1: An update that solves 8 vulnerabilities and has two fixes is now available. Category: security (important) Bug References: 1195149,1206222,1207533,1207534,1207535,1207536,1207538,1207539,1207540,1207541 CVE References: CVE-2022-4203,CVE-2022-4304,CVE-2022-4450,CVE-2023-0215,CVE-2023-0216,CVE-2023-0217,CVE-2023-0286,CVE-2023-0401 JIRA References: Sources used: openSUSE Leap 15.4 (src): openssl-3-3.0.1-150400.4.17.1 SUSE Linux Enterprise Module for Basesystem 15-SP4 (src): openssl-3-3.0.1-150400.4.17.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:0311-1: An update that fixes four vulnerabilities is now available. Category: security (important) Bug References: 1207533,1207534,1207536,1207538 CVE References: CVE-2022-4304,CVE-2022-4450,CVE-2023-0215,CVE-2023-0286 JIRA References: Sources used: openSUSE Leap Micro 5.3 (src): openssl-1_1-1.1.1l-150400.7.22.1 openSUSE Leap 15.4 (src): openssl-1_1-1.1.1l-150400.7.22.1 SUSE Linux Enterprise Module for Basesystem 15-SP4 (src): openssl-1_1-1.1.1l-150400.7.22.1 SUSE Linux Enterprise Micro 5.3 (src): openssl-1_1-1.1.1l-150400.7.22.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:0310-1: An update that solves four vulnerabilities and has two fixes is now available. Category: security (important) Bug References: 1121365,1198472,1207533,1207534,1207536,1207538 CVE References: CVE-2022-4304,CVE-2022-4450,CVE-2023-0215,CVE-2023-0286 JIRA References: Sources used: openSUSE Leap Micro 5.2 (src): openssl-1_1-1.1.1d-150200.11.57.1 SUSE Manager Server 4.2 (src): openssl-1_1-1.1.1d-150200.11.57.1 SUSE Manager Retail Branch Server 4.2 (src): openssl-1_1-1.1.1d-150200.11.57.1 SUSE Manager Proxy 4.2 (src): openssl-1_1-1.1.1d-150200.11.57.1 SUSE Linux Enterprise Server for SAP 15-SP3 (src): openssl-1_1-1.1.1d-150200.11.57.1 SUSE Linux Enterprise Server for SAP 15-SP2 (src): openssl-1_1-1.1.1d-150200.11.57.1 SUSE Linux Enterprise Server 15-SP3-LTSS (src): openssl-1_1-1.1.1d-150200.11.57.1 SUSE Linux Enterprise Server 15-SP2-LTSS (src): openssl-1_1-1.1.1d-150200.11.57.1 SUSE Linux Enterprise Realtime Extension 15-SP3 (src): openssl-1_1-1.1.1d-150200.11.57.1 SUSE Linux Enterprise Micro 5.2 (src): openssl-1_1-1.1.1d-150200.11.57.1 SUSE Linux Enterprise Micro 5.1 (src): openssl-1_1-1.1.1d-150200.11.57.1 SUSE Linux Enterprise High Performance Computing 15-SP3-LTSS (src): openssl-1_1-1.1.1d-150200.11.57.1 SUSE Linux Enterprise High Performance Computing 15-SP3-ESPOS (src): openssl-1_1-1.1.1d-150200.11.57.1 SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): openssl-1_1-1.1.1d-150200.11.57.1 SUSE Enterprise Storage 7.1 (src): openssl-1_1-1.1.1d-150200.11.57.1 SUSE Enterprise Storage 7 (src): openssl-1_1-1.1.1d-150200.11.57.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:0309-1: An update that fixes four vulnerabilities is now available. Category: security (important) Bug References: 1207533,1207534,1207536,1207538 CVE References: CVE-2022-4304,CVE-2022-4450,CVE-2023-0215,CVE-2023-0286 JIRA References: Sources used: SUSE OpenStack Cloud Crowbar 9 (src): openssl-1_1-1.1.1d-2.75.1 SUSE OpenStack Cloud 9 (src): openssl-1_1-1.1.1d-2.75.1 SUSE Linux Enterprise Software Development Kit 12-SP5 (src): openssl-1_1-1.1.1d-2.75.1 SUSE Linux Enterprise Server for SAP 12-SP4 (src): openssl-1_1-1.1.1d-2.75.1 SUSE Linux Enterprise Server 12-SP5 (src): openssl-1_1-1.1.1d-2.75.1 SUSE Linux Enterprise Server 12-SP4-LTSS (src): openssl-1_1-1.1.1d-2.75.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Factory submissions: * openssl-3: https://build.opensuse.org/request/show/1063740 * openssl: https://build.opensuse.org/request/show/1063739 * openssl-1_1: https://build.opensuse.org/request/show/1063743
All affected codestreams fixed, assigning back to security team. > Codestream Package Request > ------------------------------------------------------------------------------------ > SUSE:SLE-15-SP5:Update openssl-3 https://build.suse.de/request/show/289580 > SUSE:SLE-15-SP4:Update openssl-3 https://build.suse.de/request/show/289268 > openSUSE:Factory openssl-3 https://build.opensuse.org/request/show/1063740 > ------------------------------------------------------------------------------------ > SUSE:SLE-15-SP5:GA openssl-1_1 https://build.suse.de/request/show/289512 > SUSE:SLE-15-SP4:Update openssl-1_1 https://build.suse.de/request/show/289310 > SUSE:SLE-15-SP2:Update openssl-1_1 https://build.suse.de/request/show/289308 > SUSE:SLE-15-SP1:Update openssl-1_1 not affected > SUSE:SLE-12-SP4:Update openssl-1_1 https://build.suse.de/request/show/289309 > openSUSE:Factory openssl-1_1 https://build.opensuse.org/request/show/1063743 > ------------------------------------------------------------------------------------ > SUSE:SLE-15:Update openssl-1_0_0 not affected > SUSE:SLE-12-SP4:Update openssl-1_0_0 not affected > SUSE:SLE-11-SP3:Update openssl1 not affected > openSUSE:Factory openssl-1_0_0 not affected > ------------------------------------------------------------------------------------ > SUSE:SLE-12:Update compat-openssl098 not affected > SUSE:SLE-11-SP1:Update openssl not affected
done, closing