openEuler-24.03-LTS-update-before-20241025

分支 (30)

标签 (35)

管理

管理

master

openEuler-24.03-LTS

openEuler-24.03-LTS-SP1

openEuler-24.03-LTS-Next

openEuler-20.03-LTS-SP4

openEuler-22.03-LTS-SP3

openEuler-22.03-LTS-SP4

openEuler-25.03

openEuler-22.03-LTS-SP1

sync-pr258-master-to-openEuler-24.09

sync-pr257-openEuler-22.03-LTS-SP3-to-openEuler-22.03-LTS-SP1

sync-pr257-openEuler-22.03-LTS-SP3-to-openEuler-22.03-LTS-SP4

openEuler-24.09

openEuler-22.03-LTS-SP2

openEuler-22.03-LTS

openEuler-22.03-LTS-Next

openEuler-20.03-LTS-SP1

openEuler-24.03-LTS-Loongarch

openEuler-20.03-LTS-SP3

openEuler-23.09

openEuler-24.03-LTS-update-20250228

openEuler-24.03-LTS-SP1-update-20250228

openEuler-22.03-LTS-SP3-update-20250228

openEuler-22.03-LTS-SP4-update-20250228

openEuler-20.03-LTS-SP4-update-20250228

openEuler-24.03-LTS-SP1-release

openEuler-22.03-LTS-SP4-update-before-20241025

openEuler-22.03-LTS-SP4-before-20241025

openEuler-24.03-LTS-update-before-20241025

openEuler-20.03-LTS-SP4-update-20241025

openEuler-22.03-LTS-SP1-update-20241025

openEuler-22.03-LTS-SP3-update-20241025

openEuler-22.03-LTS-SP4-update-20241025

openEuler-24.03-LTS-update-20241025

openEuler-24.03-LTS-update-20241018

openEuler-22.03-LTS-SP4-release

openEuler-24.09-release

openEuler-24.03-LTS-release

openEuler-22.03-LTS-SP3-release

openEuler-23.09-rc5

edk2
/
0039-Restrict-the-size-of-OBJECT-IDEN...

From 65c0eaad449b809f827a177558a880522d18dd88 Mon Sep 17 00:00:00 2001
From: Richard Levitte <[email protected]>
Date: Fri, 12 May 2023 10:00:13 +0200
Subject: [PATCH 05/11] Restrict the size of OBJECT IDENTIFIERs that
 OBJ_obj2txt will translate

OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical
numeric text form.  For gigantic sub-identifiers, this would take a very
long time, the time complexity being O(n^2) where n is the size of that
sub-identifier.

To mitigate this, a restriction on the size that OBJ_obj2txt() will
translate to canonical numeric text form is added, based on RFC 2578
(STD 58), which says this:

> 3.5. OBJECT IDENTIFIER values
>
> An OBJECT IDENTIFIER value is an ordered list of non-negative numbers.
> For the SMIv2, each number in the list is referred to as a sub-identifier,
> there are at most 128 sub-identifiers in a value, and each sub-identifier
> has a maximum value of 2^32-1 (4294967295 decimal).

Fixes otc/security#96
Fixes CVE-2023-2650

Reviewed-by: Matt Caswell <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>

reference: https://github.com/openssl/openssl/commit/9e209944b35cf82368071f160a744b6178f9b098
Signed-off-by: yexiao <[email protected]>
---
 .../openssl/crypto/objects/obj_dat.c          | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/objects/obj_dat.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/objects/obj_dat.c
index 46006fe6..14206390 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/objects/obj_dat.c
+++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/objects/obj_dat.c
@@ -427,6 +427,25 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
     first = 1;
     bl = NULL;

+    /*
+     * RFC 2578 (STD 58) says this about OBJECT IDENTIFIERs:
+     *
+     * > 3.5. OBJECT IDENTIFIER values
+     * >
+     * > An OBJECT IDENTIFIER value is an ordered list of non-negative
+     * > numbers. For the SMIv2, each number in the list is referred to as a
+     * > sub-identifier, there are at most 128 sub-identifiers in a value,
+     * > and each sub-identifier has a maximum value of 2^32-1 (4294967295
+     * > decimal).
+     *
+     * So a legitimate OID according to this RFC is at most (32 * 128 / 7),
+     * i.e. 586 bytes long.
+     *
+     * Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5
+     */
+    if (len > 586)
+        goto err;
+
     while (len > 0) {
         l = 0;
         use_bn = 0;
--
2.33.0