[Bug 1994165] Re: CMS_final: do not ignore CMS_dataFinal result

Gil Weis 1994165 at bugs.launchpad.net
Tue Nov 15 05:03:32 UTC 2022 

Hi,
This is a serious bug.
CMS_final() finalises the structure cms. Its purpose is to perform any
operations necessary on cms.
CMS_final() call to SMIME_crlf_copy() and not checking the return value
from SMIME_crlf_copy() so even SMIME_crlf_copy() fail, CMS_final() will
return ok but with wrong CMS data.
SMIME_crlf_copy() copies data from in_bio to out_bio and it's used at the
final op on cms structure (for example before writing or sending cms object)
SMIME_crlf_copy will fail if some data in cms is missing or wrong.

Scenario to reproduce:
Create cms signature structure without the signature value and send it to
CMS_final(). CMS_final() will return ok even if the CMS_final() fails.
This causes the software to continue with incorrect information and pass it
on even though it is incorrect.

On Mon, Nov 14, 2022 at 5:40 PM Adrien Nader <1994165 at bugs.launchpad.net>
wrote:

> Hi Gil,
>
> Can you explain a bit the actual impact of this bug and/or a scenario to
> reproduce. The commit doesn't give us a lot of details and the issue
> appears to be possibly quite serious but without diving deep into the
> code and possibly writing a reproducer from scratch ourselves, it is
> hard to be sure we properly understand it.
>
> Thanks.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1994165
>
> Title:
>   CMS_final: do not ignore CMS_dataFinal result
>
> Status in openssl package in Ubuntu:
>   Triaged
> Status in openssl source package in Jammy:
>   Triaged
> Status in openssl source package in Kinetic:
>   Triaged
>
> Bug description:
>   https://github.com/openssl/openssl/pull/18876
>
>   The CMS_dataFinal result is important as signature may fail, however, it
>   is ignored while returning success from CMS_final.
>
>   Please add this fix to The openssl 3.0.2 "Jammy Jellyfish (supported)"
>
>   Thanks
>
>   Upstream commit:
>
>   ```
>   commit 67c0460b89cc1b0644a1a59af78284dfd8d720af
>   Author: Alon Bar-Lev <alon.barlev at gmail.com>
>   Date:   Tue Jul 26 15:17:06 2022 +0300
>
>       Handle SMIME_crlf_copy return code
>
>       Currently the SMIME_crlf_copy result is ignored in all usages. It
> does
>       return failure when memory allocation fails.
>
>       This patch handles the SMIME_crlf_copy return code in all
> occurrences.
>
>       Signed-off-by: Alon Bar-Lev <alon.barlev at gmail.com>
>
>       Reviewed-by: Tomas Mraz <tomas at openssl.org>
>       Reviewed-by: Paul Dale <pauli at openssl.org>
>       Reviewed-by: Hugo Landau <hlandau at openssl.org>
>       (Merged from https://github.com/openssl/openssl/pull/18876)
>   ```
>
> To manage notifications about this bug go to:
>
> https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1994165/+subscriptions
>
>

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1994165

Title:
  CMS_final: do not ignore CMS_dataFinal result

Status in openssl package in Ubuntu:
  Triaged
Status in openssl source package in Jammy:
  Triaged
Status in openssl source package in Kinetic:
  Triaged

Bug description:
  https://github.com/openssl/openssl/pull/18876

  The CMS_dataFinal result is important as signature may fail, however, it
  is ignored while returning success from CMS_final.

  Please add this fix to The openssl 3.0.2 "Jammy Jellyfish (supported)"

  Thanks

  Upstream commit:

  ```
  commit 67c0460b89cc1b0644a1a59af78284dfd8d720af
  Author: Alon Bar-Lev <alon.barlev at gmail.com>
  Date:   Tue Jul 26 15:17:06 2022 +0300

      Handle SMIME_crlf_copy return code
      
      Currently the SMIME_crlf_copy result is ignored in all usages. It does
      return failure when memory allocation fails.
      
      This patch handles the SMIME_crlf_copy return code in all occurrences.
      
      Signed-off-by: Alon Bar-Lev <alon.barlev at gmail.com>
      
      Reviewed-by: Tomas Mraz <tomas at openssl.org>
      Reviewed-by: Paul Dale <pauli at openssl.org>
      Reviewed-by: Hugo Landau <hlandau at openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/18876)
  ```

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1994165/+subscriptions

More information about the foundations-bugs mailing list