Untitled

Changes between 3.0.6 and 3.0.7 [1 Nov 2022]

Fixed two buffer overflows in punycode decoding functions.

A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer.

In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects.

An attacker can craft a malicious email address to overflow an arbitrary number of bytes containing the . character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). ([CVE-2022-3786])

An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution depending on stack layout for any given platform/compiler. ([CVE-2022-3602])

Paul Dale
Removed all references to invalid OSSL_PKEY_PARAM_RSA names for CRT parameters in OpenSSL code. Applications should not use the names OSSL_PKEY_PARAM_RSA_FACTOR, OSSL_PKEY_PARAM_RSA_EXPONENT and OSSL_PKEY_PARAM_RSA_COEFFICIENT. Use the numbered names such as OSSL_PKEY_PARAM_RSA_FACTOR1 instead. Using these invalid names may cause algorithms to use slower methods that ignore the CRT parameters.

Shane Lontis
Fixed a regression introduced in 3.0.6 version raising errors on some stack operations.

Tomáš Mráz
Fixed a regression introduced in 3.0.6 version not refreshing the certificate data to be signed before signing the certificate.

Gibeom Gwon
Added RIPEMD160 to the default provider.

Paul Dale
Ensured that the key share group sent or accepted for the key exchange is allowed for the protocol version.

Matt Caswell