OESA-2023-1135

See a problem?
Please try reporting it to the source first.
Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2023-1135
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2023-1135.json
JSON Data
https://api.test.osv.dev/v1/vulns/OESA-2023-1135
Upstream
Published
2023-03-04T11:04:59Z
Modified
2025-08-12T05:15:47.053749Z
Summary
edk2 security update
Details

EDK II is a modern, feature-rich, cross-platform firmware development environment for the UEFI and PI specifications.

Security Fix(es):

The public API function BIOnewNDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications. The function receives a BIO from the caller, prepends a new BIOfasn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call BIOpop() on the BIO then a use-after-free will occur. This will most likely result in a crash. This scenario occurs directly in the internal function B64writeASN1() which may cause BIOnewNDEF() to be called and will subsequently call BIOpop() on the BIO. This internal function is in turn called by the public API functions PEMwritebioASN1stream, PEMwritebioCMSstream, PEMwritebioPKCS7stream, SMIMEwriteASN1, SMIMEwriteCMS and SMIMEwritePKCS7. Other public API functions that may be impacted by this include i2dASN1biostream, BIOnewCMS, BIOnewPKCS7, i2dCMSbiostream and i2dPKCS7bio_stream. The OpenSSL cms and smime command line applications are similarly affected.(CVE-2023-0215)

There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1STRING but the public structure definition for GENERALNAME incorrectly specified the type of the x400Address field as ASN1TYPE. This field is subsequently interpreted by the OpenSSL function GENERALNAMEcmp as an ASN1TYPE rather than an ASN1STRING. When CRL checking is enabled (i.e. the application sets the X509VFLAGCRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.(CVE-2023-0286)

A NULL pointer can be dereferenced when signatures are being verified on PKCS7 signed or signedAndEnveloped data. In case the hash algorithm used for the signature is known to the OpenSSL library but the implementation of the hash algorithm is not available the digest initialization will fail. There is a missing check for the return value from the initialization function which later leads to invalid usage of the digest API most likely leading to a crash. The unavailability of an algorithm can be caused by using FIPS enabled configuration of providers or more commonly by not loading the legacy provider. PKCS7 data is processed by the SMIME library calls and also by the time stamp (TS) library calls. The TLS implementation in OpenSSL does not call these functions however third party applications would be affected if they call these functions to verify signatures on untrusted data.(CVE-2023-0401)

The function PEMreadbioex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "nameout", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEMreadbioex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack. The functions PEMreadbio() and PEMread() are simple wrappers around PEMreadbioex() and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions including PEMX509INFOreadbioex() and SSLCTXuseserverinfofile() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEMreadbioex() returns a failure code. These locations include the PEMreadbioTYPE() functions as well as the decoders introduced in OpenSSL 3.0. The OpenSSL asn1parse command line application is also impacted by this issue.(CVE-2022-4450)

Database specific 
{
    "severity": "High"
}
References

Affected packages

openEuler:20.03-LTS-SP1 / edk2

Package

Name
edk2
Purl
pkg:rpm/openEuler/edk2&distro=openEuler-20.03-LTS-SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
202002-15.oe1

Ecosystem specific 

{
    "src": [
        "edk2-202002-15.oe1.src.rpm"
    ],
    "x86_64": [
        "edk2-devel-202002-15.oe1.x86_64.rpm",
        "edk2-debuginfo-202002-15.oe1.x86_64.rpm",
        "edk2-debugsource-202002-15.oe1.x86_64.rpm"
    ],
    "aarch64": [
        "edk2-debugsource-202002-15.oe1.aarch64.rpm",
        "edk2-debuginfo-202002-15.oe1.aarch64.rpm",
        "edk2-devel-202002-15.oe1.aarch64.rpm"
    ],
    "noarch": [
        "python3-edk2-devel-202002-15.oe1.noarch.rpm",
        "edk2-ovmf-202002-15.oe1.noarch.rpm",
        "edk2-help-202002-15.oe1.noarch.rpm",
        "edk2-aarch64-202002-15.oe1.noarch.rpm"
    ]
}

openEuler:20.03-LTS-SP3 / edk2

Package

Name
edk2
Purl
pkg:rpm/openEuler/edk2&distro=openEuler-20.03-LTS-SP3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
202002-15.oe1

Ecosystem specific 

{
    "src": [
        "edk2-202002-15.oe1.src.rpm"
    ],
    "x86_64": [
        "edk2-devel-202002-15.oe1.x86_64.rpm",
        "edk2-debugsource-202002-15.oe1.x86_64.rpm",
        "edk2-debuginfo-202002-15.oe1.x86_64.rpm"
    ],
    "aarch64": [
        "edk2-debuginfo-202002-15.oe1.aarch64.rpm",
        "edk2-devel-202002-15.oe1.aarch64.rpm",
        "edk2-debugsource-202002-15.oe1.aarch64.rpm"
    ],
    "noarch": [
        "edk2-aarch64-202002-15.oe1.noarch.rpm",
        "edk2-ovmf-202002-15.oe1.noarch.rpm",
        "edk2-help-202002-15.oe1.noarch.rpm",
        "python3-edk2-devel-202002-15.oe1.noarch.rpm"
    ]
}

openEuler:22.03-LTS / edk2

Package

Name
edk2
Purl
pkg:rpm/openEuler/edk2&distro=openEuler-22.03-LTS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
202011-11.oe2203sp1

Ecosystem specific 

{
    "src": [
        "edk2-202011-11.oe2203.src.rpm",
        "edk2-202011-11.oe2203sp1.src.rpm"
    ],
    "x86_64": [
        "edk2-debugsource-202011-11.oe2203.x86_64.rpm",
        "edk2-debuginfo-202011-11.oe2203.x86_64.rpm",
        "edk2-devel-202011-11.oe2203.x86_64.rpm",
        "edk2-debugsource-202011-11.oe2203sp1.x86_64.rpm",
        "edk2-debuginfo-202011-11.oe2203sp1.x86_64.rpm",
        "edk2-devel-202011-11.oe2203sp1.x86_64.rpm"
    ],
    "aarch64": [
        "edk2-debugsource-202011-11.oe2203.aarch64.rpm",
        "edk2-debuginfo-202011-11.oe2203.aarch64.rpm",
        "edk2-devel-202011-11.oe2203.aarch64.rpm",
        "edk2-debuginfo-202011-11.oe2203sp1.aarch64.rpm",
        "edk2-debugsource-202011-11.oe2203sp1.aarch64.rpm",
        "edk2-devel-202011-11.oe2203sp1.aarch64.rpm"
    ],
    "noarch": [
        "python3-edk2-devel-202011-11.oe2203.noarch.rpm",
        "edk2-aarch64-202011-11.oe2203.noarch.rpm",
        "edk2-ovmf-202011-11.oe2203.noarch.rpm",
        "edk2-help-202011-11.oe2203.noarch.rpm",
        "edk2-ovmf-202011-11.oe2203sp1.noarch.rpm",
        "edk2-aarch64-202011-11.oe2203sp1.noarch.rpm",
        "edk2-help-202011-11.oe2203sp1.noarch.rpm",
        "python3-edk2-devel-202011-11.oe2203sp1.noarch.rpm"
    ]
}

openEuler:22.03-LTS-SP1 / edk2

Package

Name
edk2
Purl
pkg:rpm/openEuler/edk2&distro=openEuler-22.03-LTS-SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
202011-11.oe2203sp1

Ecosystem specific 

{
    "src": [
        "edk2-202011-11.oe2203sp1.src.rpm"
    ],
    "x86_64": [
        "edk2-debugsource-202011-11.oe2203sp1.x86_64.rpm",
        "edk2-debuginfo-202011-11.oe2203sp1.x86_64.rpm",
        "edk2-devel-202011-11.oe2203sp1.x86_64.rpm"
    ],
    "aarch64": [
        "edk2-debuginfo-202011-11.oe2203sp1.aarch64.rpm",
        "edk2-debugsource-202011-11.oe2203sp1.aarch64.rpm",
        "edk2-devel-202011-11.oe2203sp1.aarch64.rpm"
    ],
    "noarch": [
        "edk2-ovmf-202011-11.oe2203sp1.noarch.rpm",
        "edk2-aarch64-202011-11.oe2203sp1.noarch.rpm",
        "edk2-help-202011-11.oe2203sp1.noarch.rpm",
        "python3-edk2-devel-202011-11.oe2203sp1.noarch.rpm"
    ]
}