From 26e55cd0ff525c2eebbeb384893508a9124157f0 Mon Sep 17 00:00:00 2001 From: Ali Date: Thu, 22 May 2025 15:31:39 +0800 Subject: [PATCH] to #19432 fix CVE-2024-4741 Project: TC2024080204 Signed-off-by: Ali --- 1007-fix-CVE-2024-4741.patch | 72 ++++++++++++++++++++++++++++++++++++ openssl.spec | 6 ++- 2 files changed, 77 insertions(+), 1 deletion(-) create mode 100644 1007-fix-CVE-2024-4741.patch diff --git a/1007-fix-CVE-2024-4741.patch b/1007-fix-CVE-2024-4741.patch new file mode 100644 index 0000000..a47b567 --- /dev/null +++ b/1007-fix-CVE-2024-4741.patch @@ -0,0 +1,72 @@ +From b3f0eb0a295f58f16ba43ba99dad70d4ee5c437d Mon Sep 17 00:00:00 2001 +From: Watson Ladd +Date: Wed, 24 Apr 2024 11:26:56 +0100 +Subject: [PATCH] Only free the read buffers if we're not using them + +If we're part way through processing a record, or the application has +not released all the records then we should not free our buffer because +they are still needed. + +CVE-2024-4741 + +Reviewed-by: Tomas Mraz +Reviewed-by: Neil Horman +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/24395) + +(cherry picked from commit 704f725b96aa373ee45ecfb23f6abfe8be8d9177) +--- + ssl/record/rec_layer_s3.c | 9 +++++++++ + ssl/record/record.h | 1 + + ssl/ssl_lib.c | 3 +++ + 3 files changed, 13 insertions(+) + +diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c +index 4bcffcc41e..1569997bea 100644 +--- a/ssl/record/rec_layer_s3.c ++++ b/ssl/record/rec_layer_s3.c +@@ -81,6 +81,15 @@ int RECORD_LAYER_read_pending(const RECORD_LAYER *rl) + return SSL3_BUFFER_get_left(&rl->rbuf) != 0; + } + ++int RECORD_LAYER_data_present(const RECORD_LAYER *rl) ++{ ++ if (rl->rstate == SSL_ST_READ_BODY) ++ return 1; ++ if (RECORD_LAYER_processed_read_pending(rl)) ++ return 1; ++ return 0; ++} ++ + /* Checks if we have decrypted unread record data pending */ + int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl) + { +diff --git a/ssl/record/record.h b/ssl/record/record.h +index 234656bf93..b60f71c8cb 100644 +--- a/ssl/record/record.h ++++ b/ssl/record/record.h +@@ -205,6 +205,7 @@ void RECORD_LAYER_release(RECORD_LAYER *rl); + int RECORD_LAYER_read_pending(const RECORD_LAYER *rl); + int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl); + int RECORD_LAYER_write_pending(const RECORD_LAYER *rl); ++int RECORD_LAYER_data_present(const RECORD_LAYER *rl); + void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl); + void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl); + int RECORD_LAYER_is_sslv2_record(RECORD_LAYER *rl); +diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c +index eed649c6fd..d14c55ae55 100644 +--- a/ssl/ssl_lib.c ++++ b/ssl/ssl_lib.c +@@ -5492,6 +5492,9 @@ int SSL_free_buffers(SSL *ssl) + if (RECORD_LAYER_read_pending(rl) || RECORD_LAYER_write_pending(rl)) + return 0; + ++ if (RECORD_LAYER_data_present(rl)) ++ return 0; ++ + RECORD_LAYER_release(rl); + return 1; + } +-- +2.39.3 + diff --git a/openssl.spec b/openssl.spec index 486529c..f993222 100644 --- a/openssl.spec +++ b/openssl.spec @@ -1,4 +1,4 @@ -%define anolis_release 9 +%define anolis_release 10 %global soversion 3 %define srpmhash() %{lua: @@ -109,6 +109,7 @@ Patch53: 1003-fix-CVE-2024-4603.patch Patch54: 1004-fix-CVE-2024-2511.patch Patch55: 1005-fix-CVE-2024-6119.patch Patch56: 1006-fix-CVE-2024-5535.patch +Patch57: 1007-fix-CVE-2024-4741.patch BuildRequires: gcc git coreutils perl-interpreter sed zlib-devel /usr/bin/cmp BuildRequires: lksctp-tools-devel @@ -310,6 +311,9 @@ rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/{openssl.cnf.dist,ct_log_list.cnf.di %doc NEWS.md README.md %changelog +* Thu May 22 2025 Ali - 1:3.0.12-10 +- fix CVE-2024-4741 + * Mon May 19 2025 Ali - 1:3.0.12-9 - fix CVE-2024-5535 -- Gitee