[Bug 1994165] Re: CMS_final: do not ignore CMS_dataFinal result

Gil Weis 1994165 at bugs.launchpad.net
Tue Nov 15 05:06:28 UTC 2022 

Hi,
This is a serious bug.
CMS_final() finalises the structure cms. Its purpose is to perform any operations necessary on cms.
CMS_final() call to SMIME_crlf_copy() and not checking the return value from SMIME_crlf_copy() so even SMIME_crlf_copy() fail, CMS_final() will return ok but with wrong CMS data.
SMIME_crlf_copy() copies data from in_bio to out_bio and it's used at the final op on cms structure (for example before writing or sending cms object)
SMIME_crlf_copy will fail if some data in cms is missing or wrong.

Scenario to reproduce:
Create cms signature structure without the signature value and send it to CMS_final(). CMS_final() will return ok even if the CMS_final() fails.
This causes the software to continue with incorrect information and pass it on even though it is incorrect.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1994165

Title:
  CMS_final: do not ignore CMS_dataFinal result

Status in openssl package in Ubuntu:
  Triaged
Status in openssl source package in Jammy:
  Triaged
Status in openssl source package in Kinetic:
  Triaged

Bug description:
  https://github.com/openssl/openssl/pull/18876

  The CMS_dataFinal result is important as signature may fail, however, it
  is ignored while returning success from CMS_final.

  Please add this fix to The openssl 3.0.2 "Jammy Jellyfish (supported)"

  Thanks

  Upstream commit:

  ```
  commit 67c0460b89cc1b0644a1a59af78284dfd8d720af
  Author: Alon Bar-Lev <alon.barlev at gmail.com>
  Date:   Tue Jul 26 15:17:06 2022 +0300

      Handle SMIME_crlf_copy return code
      
      Currently the SMIME_crlf_copy result is ignored in all usages. It does
      return failure when memory allocation fails.
      
      This patch handles the SMIME_crlf_copy return code in all occurrences.
      
      Signed-off-by: Alon Bar-Lev <alon.barlev at gmail.com>
      
      Reviewed-by: Tomas Mraz <tomas at openssl.org>
      Reviewed-by: Paul Dale <pauli at openssl.org>
      Reviewed-by: Hugo Landau <hlandau at openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/18876)
  ```

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1994165/+subscriptions

More information about the foundations-bugs mailing list