Bug 1207538 (CVE-2022-4450) - VUL-0: CVE-2022-4450: openssl: Double free after calling PEM_read_bio_ex
Summary: VUL-0: CVE-2022-4450: openssl: Double free after calling PEM_read_bio_ex
Status: RESOLVED FIXED
Alias: CVE-2022-4450
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/354992/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-4450:5.9:(AV:N...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-01-25 14:39 UTC by Robert Frohl
Modified: 2024-05-03 10:41 UTC (History)
3 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 11 Robert Frohl 2023-02-07 16:30:23 UTC
CVE-2022-4450 Double free after calling PEM_read_bio_ex [MODERATE severity] 07 February 2023:

    The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack. The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0. The OpenSSL asn1parse command line application is also impacted by this issue. Reported by CarpetFuzz. Thanks to Dawei Wang. Fix developed by Kurt Roeckx. Fix developed by Matt Caswell.

        Fixed in OpenSSL 3.0.8 (Affected since 3.0.0)
        Fixed in OpenSSL 1.1.1t (Affected since 1.1.1)
Comment 13 Swamp Workflow Management 2023-02-07 20:21:38 UTC
SUSE-SU-2023:0312-1: An update that solves 8 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1195149,1206222,1207533,1207534,1207535,1207536,1207538,1207539,1207540,1207541
CVE References: CVE-2022-4203,CVE-2022-4304,CVE-2022-4450,CVE-2023-0215,CVE-2023-0216,CVE-2023-0217,CVE-2023-0286,CVE-2023-0401
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    openssl-3-3.0.1-150400.4.17.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    openssl-3-3.0.1-150400.4.17.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2023-02-07 20:26:53 UTC
SUSE-SU-2023:0311-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1207533,1207534,1207536,1207538
CVE References: CVE-2022-4304,CVE-2022-4450,CVE-2023-0215,CVE-2023-0286
JIRA References: 
Sources used:
openSUSE Leap Micro 5.3 (src):    openssl-1_1-1.1.1l-150400.7.22.1
openSUSE Leap 15.4 (src):    openssl-1_1-1.1.1l-150400.7.22.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    openssl-1_1-1.1.1l-150400.7.22.1
SUSE Linux Enterprise Micro 5.3 (src):    openssl-1_1-1.1.1l-150400.7.22.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Swamp Workflow Management 2023-02-07 20:33:01 UTC
SUSE-SU-2023:0310-1: An update that solves four vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1121365,1198472,1207533,1207534,1207536,1207538
CVE References: CVE-2022-4304,CVE-2022-4450,CVE-2023-0215,CVE-2023-0286
JIRA References: 
Sources used:
openSUSE Leap Micro 5.2 (src):    openssl-1_1-1.1.1d-150200.11.57.1
SUSE Manager Server 4.2 (src):    openssl-1_1-1.1.1d-150200.11.57.1
SUSE Manager Retail Branch Server 4.2 (src):    openssl-1_1-1.1.1d-150200.11.57.1
SUSE Manager Proxy 4.2 (src):    openssl-1_1-1.1.1d-150200.11.57.1
SUSE Linux Enterprise Server for SAP 15-SP3 (src):    openssl-1_1-1.1.1d-150200.11.57.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    openssl-1_1-1.1.1d-150200.11.57.1
SUSE Linux Enterprise Server 15-SP3-LTSS (src):    openssl-1_1-1.1.1d-150200.11.57.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    openssl-1_1-1.1.1d-150200.11.57.1
SUSE Linux Enterprise Realtime Extension 15-SP3 (src):    openssl-1_1-1.1.1d-150200.11.57.1
SUSE Linux Enterprise Micro 5.2 (src):    openssl-1_1-1.1.1d-150200.11.57.1
SUSE Linux Enterprise Micro 5.1 (src):    openssl-1_1-1.1.1d-150200.11.57.1
SUSE Linux Enterprise High Performance Computing 15-SP3-LTSS (src):    openssl-1_1-1.1.1d-150200.11.57.1
SUSE Linux Enterprise High Performance Computing 15-SP3-ESPOS (src):    openssl-1_1-1.1.1d-150200.11.57.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    openssl-1_1-1.1.1d-150200.11.57.1
SUSE Enterprise Storage 7.1 (src):    openssl-1_1-1.1.1d-150200.11.57.1
SUSE Enterprise Storage 7 (src):    openssl-1_1-1.1.1d-150200.11.57.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Swamp Workflow Management 2023-02-07 20:34:30 UTC
SUSE-SU-2023:0309-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1207533,1207534,1207536,1207538
CVE References: CVE-2022-4304,CVE-2022-4450,CVE-2023-0215,CVE-2023-0286
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    openssl-1_1-1.1.1d-2.75.1
SUSE OpenStack Cloud 9 (src):    openssl-1_1-1.1.1d-2.75.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    openssl-1_1-1.1.1d-2.75.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    openssl-1_1-1.1.1d-2.75.1
SUSE Linux Enterprise Server 12-SP5 (src):    openssl-1_1-1.1.1d-2.75.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    openssl-1_1-1.1.1d-2.75.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Pedro Monreal Gonzalez 2023-02-08 10:42:23 UTC
Factory submissions:
  * openssl-3:     https://build.opensuse.org/request/show/1063740
  * openssl:       https://build.opensuse.org/request/show/1063739
  * openssl-1_1:   https://build.opensuse.org/request/show/1063743
Comment 19 Otto Hollmann 2023-02-08 14:14:52 UTC
All affected codestreams fixed, assigning back to security team.

> Codestream              Package            Request
> ------------------------------------------------------------------------------------
> SUSE:SLE-15-SP5:Update  openssl-3          https://build.suse.de/request/show/289580
> SUSE:SLE-15-SP4:Update  openssl-3          https://build.suse.de/request/show/289268
> openSUSE:Factory        openssl-3          https://build.opensuse.org/request/show/1063740
> ------------------------------------------------------------------------------------
> SUSE:SLE-15-SP5:GA      openssl-1_1        https://build.suse.de/request/show/289512
> SUSE:SLE-15-SP4:Update  openssl-1_1        https://build.suse.de/request/show/289310
> SUSE:SLE-15-SP2:Update  openssl-1_1        https://build.suse.de/request/show/289308
> SUSE:SLE-15-SP1:Update  openssl-1_1        not affected
> SUSE:SLE-12-SP4:Update  openssl-1_1        https://build.suse.de/request/show/289309
> openSUSE:Factory        openssl-1_1        https://build.opensuse.org/request/show/1063743
> ------------------------------------------------------------------------------------
> SUSE:SLE-15:Update      openssl-1_0_0      not affected
> SUSE:SLE-12-SP4:Update  openssl-1_0_0      not affected
> SUSE:SLE-11-SP3:Update  openssl1           not affected
> openSUSE:Factory        openssl-1_0_0      not affected
> ------------------------------------------------------------------------------------
> SUSE:SLE-12:Update      compat-openssl098  not affected
> SUSE:SLE-11-SP1:Update  openssl            not affected
Comment 29 Robert Frohl 2024-05-03 10:41:32 UTC
done, closing