Bugzilla – Bug 1177580
VUL-0: CVE-2021-20230: stunnel: "redirect" option does not properly handle "verifyChain = yes"
Last modified: 2023-09-19 10:50:16 UTC
From https://www.stunnel.org/NEWS.html

> Version 5.57, 2020.10.11, urgency: HIGH
> Security bugfixes
> The "redirect" option was fixed to properly handle "verifyChain = yes"

Possibly related to bug CVE-2015-3644 / bug 931517.
5.57 (thanks to Michael Ströder) accepted to security:Stunnel and submitted to Factory. When this is accepted: Next step would be to submit to Leap.
Fix appears to be: diff --git a/src/verify.c b/src/verify.c index ac52b65..ee49d8b 100644 --- a/src/verify.c +++ b/src/verify.c @@ -214,11 +214,15 @@ NOEXPORT int verify_callback(int preverify_ok, X509_STORE_CTX *callback_ctx) { s_log(LOG_INFO, "Certificate verification disabled"); return 1; /* accept */ } - if(verify_checks(c, preverify_ok, callback_ctx)) { + if(verify_checks(c, preverify_ok, callback_ctx)) + return 1; /* accept */ + if(c->opt->option.client || c->opt->protocol) + return 0; /* reject */ + if(c->opt->redirect_addr.names) { SSL_SESSION *sess=SSL_get1_session(c->ssl); if(sess) { - int ok=SSL_SESSION_set_ex_data(sess, index_session_authenticated, - (void *)(-1)); + int ok=SSL_SESSION_set_ex_data(sess, + index_session_authenticated, NULL); SSL_SESSION_free(sess); if(!ok) { sslerror("SSL_SESSION_set_ex_data"); @@ -227,10 +231,6 @@ NOEXPORT int verify_callback(int preverify_ok, X509_STORE_CTX *callback_ctx) { } return 1; /* accept */ } - if(c->opt->option.client || c->opt->protocol) - return 0; /* reject */ - if(c->opt->redirect_addr.names) - return 1; /* accept */ return 0; /* reject */ } For QA: upstream added relevant test scripts in: tests/recipes/028_redirect_chain tests/recipes/029_no_redirect_chain (In reply to Andreas Vetter from comment #1) > When this is accepted: Next step would be to submit to Leap. Actually this will come in via SLE maintenance... SUSE:SLE-15:Update/stunnel -> openSUSE:Leap:15.1:Update/stunnel SUSE:SLE-15-SP2:Update/stunnel -> openSUSE:Leap:15.1:Update/stunnel
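Review bot: in the first hunk the new `if(c->opt->redirect_addr.names)` branch still reaches `return 1; /* accept */` when `SSL_get1_session(c->ssl)` returns NULL, because the `SSL_SESSION_set_ex_data(sess, index_session_authenticated, NULL)` call is guarded by `if(sess)`; in that case the session is accepted without its marker being cleared. Whether a never-cleared marker is later treated as "not authenticated" depends on code outside this hunk, so either return 0 when `sess` is NULL or document why accepting without the marker write is safe. The reason the move matters with "verifyChain = yes" is visible in the two hunks together: the success path no longer writes the marker, so a failed chain element that took the redirect path is no longer overwritten by a later successful callback invocation; that invariant deserves a comment next to the `index_session_authenticated` write.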
(In reply to Andreas Stieger from comment #2) > Actually this will come in via SLE maintenance... > > SUSE:SLE-15:Update/stunnel -> openSUSE:Leap:15.1:Update/stunnel > SUSE:SLE-15-SP2:Update/stunnel -> openSUSE:Leap:15.1:Update/stunnel ok, will you backport or use stunnel 5.57? Do you want maintainer rights in OBS security:Stunnel?
SUSE-SU-2021:0194-1: An update that contains security fixes can now be installed. Category: security (moderate) Bug References: 1177580,1178533 CVE References: JIRA References: Sources used: SUSE Linux Enterprise Module for Server Applications 15-SP2 (src): stunnel-5.57-3.5.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:0160-1: An update that contains security fixes can now be installed. Category: security (moderate) Bug References: 1177580,1178533 CVE References: JIRA References: Sources used: openSUSE Leap 15.2 (src): stunnel-5.57-lp152.2.3.1
That was assigned CVE-2021-20230
The redirect option was introduced in version 5.0.0. Still tracked as affected SLE15 and SSL12. SLE15-SP2 and Factory ship an already fixed version
Patch for SLE-12_Update in https://bugzilla.suse.com/show_bug.cgi?id=1182529#c12
I am testing stunnel update SUSE:Maintenance:18716:237844, and I get the following result when running the testsuite from the rpm source code:

# wget https://download.suse.de/ibs/SUSE:/Maintenance:/18716/SUSE_SLE-15_Update/src/stunnel-5.44-3.6.1.src.rpm
# rpm -ivh stunnel-5.44-3.6.1.src.rpm
# cd /usr/src/package/SPECS
# rpmbuild -ba stunnel.spec
# cd ../BUILD/stunnel-5.44/
# make check
...
test 010_require_cert ok
test 011_verify_peer ok
test 012_verify_chain failed error logs logs/012_verify_chain.log
test 013_CRL_file failed error logs logs/013_CRL_file.log
test 014_PSK_secrets ok
test 015_p12_cert ok
test 020_IPv6 skipped
test 021_FIPS ok
test 028_redirect_chain failed error logs logs/028_redirect_chain.log
test 030_simple_execute ok
test 031_redirect ok
test 032_no_redirect failed error logs logs/032_no_redirect.log
test 033_redirect_exec ok
test 034_no_redirect_exec failed error logs logs/034_no_redirect_exec.log
test 035_SNI ok
test 036_no_SNI ok
test 037_failover_prio1 ok
test 038_failover_prio2 ok
test 039_failover_rr ok
test 040_reload ok
test 110_failure_require_cert ok
test 111_failure_verify_peer ok
test 112_failure_verify_chain ok
test 113_failure_CRL_file ok
test 114_failure_PSK_secrets ok
test 120_failure_no_cert ok
test 121_failure_wrong_config ok
summary: success 21, skip 1, fail 5

Please check the line of the above output: "error logs logs/028_redirect_chain.log". This test should not fail; it is from stunnel-CVE-2021-20230.patch and is used to check this bug's fix.
Hi Jun Wang, thanks for testing this. I checked the test in SLE-15-SP2 and Factory and it was working fine there. I didn't test it in SLE-15 though. Note that this regression test might not be useful in older versions like in SLE-15. I just ran the test now but I can't get any output. Could you paste here the error log from logs/028_redirect_chain.log? Also, check that netcat and procps are installed during the testing; maybe other packages are required as well.
Looking at old test cases, the syntax for logging has changed and it seems the test didn't fail but the check for success did. I'll modify this check in 028_redirect_chain.
(In reply to Pedro Monreal Gonzalez from comment #13) > Looking at old test cases, the syntax for logging has changed and it seems > the test didn't fail but the check for success. I'll modify the this check > in 028_redirect_chain. I installed both netcat and procps. Please also check the tests 032_no_redirect and 034_no_redirect_exec; they were successful before the update. Do we need to reject this update and wait for your new version?
Created attachment 847153: the failed tests' logs from my test host
(In reply to jun wang from comment #14) > (In reply to Pedro Monreal Gonzalez from comment #13) > > Looking at old test cases, the syntax for logging has changed and it seems > > the test didn't fail but the check for success. I'll modify the this check > > in 028_redirect_chain. > > I installed both of netcat and procps. Please also check the tests > 032_no_redirect and 034_no_redirect_exec, it is successful before update. > > Need to reject this update to wait your new version ? I would compare the outputs. But yes, you can reject it as I will have to amend the patch.
SUSE-SU-2021:0772-1: An update that solves one vulnerability and has one errata is now available. Category: security (important) Bug References: 1177580,1182529 CVE References: CVE-2021-20230 JIRA References: Sources used: SUSE Linux Enterprise Module for Server Applications 15-SP2 (src): stunnel-5.57-3.11.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:0409-1: An update that solves one vulnerability and has one errata is now available. Category: security (important) Bug References: 1177580,1182529 CVE References: CVE-2021-20230 JIRA References: Sources used: openSUSE Leap 15.2 (src): stunnel-5.57-lp152.2.6.1
Looks like bug 1182529 and bug 1177580 are duplicates.
(In reply to Andreas Stieger from comment #19) > Looks like bug 1182529 and bug 1177580 are duplicates. I am not sure. They are about two bugs in the same stunnel option, but fixed in two different versions of stunnel.
comment 21
After review:

1.- I think this CVE is just related to the memleak in the variable SSL_SESSION *sess, see [0]. This variable is not used in versions <= SUSE:SLE-15:Update. So, I would say we are not affected by this CVE for versions up to SLE-15.

2.- Regarding bsc#1182529, the change for versions <= SUSE:SLE-15:Update breaks ABI and I would not try to fix it since it's not security-related. The only possible security implication I can think of is the use of (void *)(-1), which is just 0xFFF...FFF and unlikely to be a valid address. In the commit [1], this is substituted with NULL. I'm not aware of possible vulnerabilities regarding this but I can apply the change just for safety.

@security-team, could you confirm these two points?

[0] https://github.com/mtrojnar/stunnel/commit/80f351bc063f0e6341bfe73f0dd5efeb90b0f4e8#diff-dc0f4153465a0f2ad739d602ceef55d9289b23a928beb9e5e74cd4e837f9a92cR231
[1] https://github.com/mtrojnar/stunnel/commit/ebad9ddc4efb2635f37174c9d800d06206f1edf9#diff-dc0f4153465a0f2ad739d602ceef55d9289b23a928beb9e5e74cd4e837f9a92cL220
Let me split the response, to get some progress with these interruptions ... (In reply to Pedro Monreal Gonzalez from comment #25) > 1.- I think this CVE is just related to the memleak in the variable > SSL_SESSION *sess, see [0]. This variable is not used in versions <= > SUSE:SLE-15:Update. So, I would say we are not affected by this CVE for > versions up to SLE-15. I disagree with the assessment: I think the CVE is for the case that 'sess' was NULL in verify.c:223 [0], which would be accepted after the 'if(sess)' in verify.c:232. IMO: the memory leak is only relevant after the update to 5.58, when if(!sess) was added in verify.c:223 [1], specifically if the call to SSL_SESSION_set_ex_data() was successful. This would otherwise leak memory on every successful validation. [0] https://github.com/mtrojnar/stunnel/blob/stunnel-5.57/src/verify.c#L223 [1] https://github.com/mtrojnar/stunnel/blob/stunnel-5.58/src/verify.c#L223
(In reply to Robert Frohl from comment #26) > let me split the response, to get some progress with these interruptions ... > > (In reply to Pedro Monreal Gonzalez from comment #25) > > 1.- I think this CVE is just related to the memleak in the variable > > SSL_SESSION *sess, see [0]. This variable is not used in versions <= > > SUSE:SLE-15:Update. So, I would say we are not affected by this CVE for > > versions up to SLE-15. > > I disagree with the assessment: I think the CVE is for the case that 'sess' > was NULL in verify.c:223 [0], which would be accepted after the 'if(sess)' > in verify.c:232. Your disagreement looks like a tautology to me. The variable sess was introduced in 5.57 and we have 5.44 in SLE-15.
(In reply to Robert Frohl from comment #26) > let me split the response, to get some progress with these interruptions ... > > (In reply to Pedro Monreal Gonzalez from comment #25) > > 1.- I think this CVE is just related to the memleak in the variable > > SSL_SESSION *sess, see [0]. This variable is not used in versions <= > > SUSE:SLE-15:Update. So, I would say we are not affected by this CVE for > > versions up to SLE-15. > > I disagree with the assessment: I think the CVE is for the case that 'sess' > was NULL in verify.c:223 [0], which would be accepted after the 'if(sess)' > in verify.c:232. > > IMO: the memory leak is only relevant after the update to 5.58, when > if(!sess) was added in verify.c:223 [1], specifically if the call to > SSL_SESSION_set_ex_data() was successful. This would otherwise leak memory > on every successful validation > > [0] https://github.com/mtrojnar/stunnel/blob/stunnel-5.57/src/verify.c#L223 > [1] https://github.com/mtrojnar/stunnel/blob/stunnel-5.58/src/verify.c#L223 I think I confused the versions, disregard that comment.
If we are still affected in SLE-15 by bsc#1182529, maybe we could bump the version. Note that, the "redirect" option was added in version 5.00, see: www.stunnel.org/NEWS.html
(In reply to Robert Frohl from comment #28) > I think I confused the versions, disregard that comment. @Pedro: just to avoid further confusion on my part, could these diffs be the other way around? Or am I missing something obvious? (In reply to Pedro Monreal Gonzalez from comment #25) > [0] > https://github.com/mtrojnar/stunnel/commit/ > 80f351bc063f0e6341bfe73f0dd5efeb90b0f4e8#diff- > dc0f4153465a0f2ad739d602ceef55d9289b23a928beb9e5e74cd4e837f9a92cR231 > > [1] > https://github.com/mtrojnar/stunnel/commit/ > ebad9ddc4efb2635f37174c9d800d06206f1edf9#diff- > dc0f4153465a0f2ad739d602ceef55d9289b23a928beb9e5e74cd4e837f9a92cL220 i.e.: [0] is for bsc#1182529, because the diff shows 5.57 -> 5.58 [1] is for bsc#1177580 (i.e. this bug/CVE-2021-20230), because 5.56 -> 5.57
(In reply to Robert Frohl from comment #30) > (In reply to Robert Frohl from comment #28) > > I think I confused the versions, disregard that comment. > > @Pedro: just to avoid further confusions on my part, could these diffs be > the other way around ? Or am I missing something obvious ? > > (In reply to Pedro Monreal Gonzalez from comment #25) > > [0] > > https://github.com/mtrojnar/stunnel/commit/ > > 80f351bc063f0e6341bfe73f0dd5efeb90b0f4e8#diff- > > dc0f4153465a0f2ad739d602ceef55d9289b23a928beb9e5e74cd4e837f9a92cR231 > > > > [1] > > https://github.com/mtrojnar/stunnel/commit/ > > ebad9ddc4efb2635f37174c9d800d06206f1edf9#diff- > > dc0f4153465a0f2ad739d602ceef55d9289b23a928beb9e5e74cd4e837f9a92cL220 > > i.e.: > [0] is for bsc#1182529, because the the diff shows 5.57 -> 5.58 > [1] is for bsc#1177580 (i.e. this bug/CVE-2021-20230), because 5.56 -> 5.57 Yes, the CVE is for [1]. Do you think a version bump could be possible for SLE-15?
(In reply to Pedro Monreal Gonzalez from comment #31) > Yes, the CVE is for [1]. Do you think a version bump could be possible for > SLE-15? I am afraid that won't be an option. For SLE15-SP2 it is okay, also because it was done in the past. But for LTSS not at the moment. I will also spend more time on this now, as I only focused on the missing maintainer in the past.
Created attachment 848919: Patch for SLE-15_Update. Thanks, @Robert! I have back-ported the required additional modifications to keep ABI compatibility. Note also that the new regression tests 028_redirect_chain and 029_no_redirect_chain have been modified to use the right port naming ${https}, which is the one used in earlier versions. I have updated the expired certificates so that all the regression tests pass. I'll submit the fix in a moment.
SUSE-SU-2021:1465-1: An update that solves one vulnerability and has one errata is now available. Category: security (important) Bug References: 1177580,1182529 CVE References: CVE-2021-20230 JIRA References: Sources used: SUSE Manager Server 4.0 (src): stunnel-5.44-3.8.1 SUSE Manager Retail Branch Server 4.0 (src): stunnel-5.44-3.8.1 SUSE Manager Proxy 4.0 (src): stunnel-5.44-3.8.1 SUSE Linux Enterprise Server for SAP 15-SP1 (src): stunnel-5.44-3.8.1 SUSE Linux Enterprise Server for SAP 15 (src): stunnel-5.44-3.8.1 SUSE Linux Enterprise Server 15-SP1-LTSS (src): stunnel-5.44-3.8.1 SUSE Linux Enterprise Server 15-SP1-BCL (src): stunnel-5.44-3.8.1 SUSE Linux Enterprise Server 15-LTSS (src): stunnel-5.44-3.8.1 SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): stunnel-5.44-3.8.1 SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): stunnel-5.44-3.8.1 SUSE Linux Enterprise High Performance Computing 15-LTSS (src): stunnel-5.44-3.8.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): stunnel-5.44-3.8.1 SUSE Enterprise Storage 6 (src): stunnel-5.44-3.8.1 SUSE CaaS Platform 4.0 (src): stunnel-5.44-3.8.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.