Version in base suite: 1.1.1n-0+deb11u1
Base version: openssl_1.1.1n-0+deb11u1
Target version: openssl_1.1.1n-0+deb11u2
Base file: /srv/ftp-master.debian.org/ftp/pool/main/o/openssl/openssl_1.1.1n-0+deb11u1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/o/openssl/openssl_1.1.1n-0+deb11u2.dsc
changelog | 6 +
patches/c_rehash-Do-not-use-shell-to-invoke-openssl.patch | 72 ++++++++++++++
patches/series | 1
3 files changed, 79 insertions(+)
diff -Nru openssl-1.1.1n/debian/changelog openssl-1.1.1n/debian/changelog
--- openssl-1.1.1n/debian/changelog 2022-03-18 18:25:07.000000000 +0000
+++ openssl-1.1.1n/debian/changelog 2022-05-10 18:37:36.000000000 +0000
@@ -1,3 +1,9 @@
+openssl (1.1.1n-0+deb11u2) bullseye-security; urgency=medium
+
+ * CVE-2022-1292 (The c_rehash script allows command injection).
+
+ -- Sebastian Andrzej Siewior Tue, 10 May 2022 20:37:36 +0200
+
 openssl (1.1.1n-0+deb11u1) bullseye; urgency=medium
 * New upstream version.
diff -Nru openssl-1.1.1n/debian/patches/c_rehash-Do-not-use-shell-to-invoke-openssl.patch openssl-1.1.1n/debian/patches/c_rehash-Do-not-use-shell-to-invoke-openssl.patch
--- openssl-1.1.1n/debian/patches/c_rehash-Do-not-use-shell-to-invoke-openssl.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.1.1n/debian/patches/c_rehash-Do-not-use-shell-to-invoke-openssl.patch 2022-05-10 18:37:36.000000000 +0000
@@ -0,0 +1,72 @@
+From: Tomas Mraz
+Date: Tue, 26 Apr 2022 12:40:24 +0200
+Subject: c_rehash: Do not use shell to invoke openssl
+
+Except on VMS where it is safe.
+
+This fixes CVE-2022-1292.
+
+Reviewed-by: Matthias St. Pierre
+Reviewed-by: Matt Caswell
+---
+ tools/c_rehash.in | 29 +++++++++++++++++++++++++----
+ 1 file changed, 25 insertions(+), 4 deletions(-)
+
+diff --git a/tools/c_rehash.in b/tools/c_rehash.in
+index a7e538a72d7d..914be03da14f 100644
+--- a/tools/c_rehash.in
++++ b/tools/c_rehash.in
+@@ -149,6 +149,23 @@ sub check_file {
+ return ($is_cert, $is_crl);
+ }
+
++sub compute_hash {
++ my $fh;
++ if ( $^O eq "VMS" ) {
++ # VMS uses the open through shell
++ # The file names are safe there and list form is unsupported
++ if (!open($fh, "-|", join(' ', @_))) {
++ print STDERR "Cannot compute hash on '$fname'\n";
++ return;
++ }
++ } else {
++ if (!open($fh, "-|", @_)) {
++ print STDERR "Cannot compute hash on '$fname'\n";
++ return;
++ }
++ }
++ return (<$fh>, <$fh>);
++}
+
+ # Link a certificate to its subject name hash value, each hash is of
+ # the form . where n is an integer. If the hash value already exists
+@@ -159,10 +176,12 @@ sub check_file {
+ sub link_hash_cert {
+ my $fname = $_[0];
+ my $x509hash = $_[1] || '-subject_hash';
+- $fname =~ s/\"/\\\"/g;
+- my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`;
++ my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash,
++ "-fingerprint", "-noout",
++ "-in", $fname);
+ chomp $hash;
+ chomp $fprint;
++ return if !$hash;
+ $fprint =~ s/^.*=//;
+ $fprint =~ tr/://d;
+ my $suffix = 0;
+@@ -210,10 +229,12 @@ sub link_hash_crl_old {
+ sub link_hash_crl {
+ my $fname = $_[0];
+ my $crlhash = $_[1] || "-hash";
+- $fname =~ s/'/'\\''/g;
+- my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`;
++ my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash,
++ "-fingerprint", "-noout",
++ "-in", $fname);
+ chomp $hash;
+ chomp $fprint;
++ return if !$hash;
+ $fprint =~ s/^.*=//;
+ $fprint =~ tr/://d;
+ my $suffix = 0;
diff -Nru openssl-1.1.1n/debian/patches/series openssl-1.1.1n/debian/patches/series
--- openssl-1.1.1n/debian/patches/series 2022-03-18 18:25:07.000000000 +0000
+++ openssl-1.1.1n/debian/patches/series 2022-05-10 18:37:36.000000000 +0000
@@ -4,3 +4,4 @@
 pic.patch
 c_rehash-compat.patch
 Set-systemwide-default-settings-for-libssl-users.patch
+c_rehash-Do-not-use-shell-to-invoke-openssl.patch
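Review bot: The new `compute_hash` sub prints `$fname` in both "Cannot compute hash on '$fname'" messages, but `$fname` is not one of its arguments — it is a `my` variable local to `link_hash_cert` and `link_hash_crl`, so inside `compute_hash` it resolves to an unrelated package global and the diagnostic reports an empty name whenever the `-|` open fails (and the sub would not compile at all if the script ran under `use strict`, which the hunk does not show either way). Since both callers pass the path as the last argument (`"-in", $fname`), the smallest fix is to read it from there at the top of the sub: `my $fname = $_[-1];`. Separately, a non-zero exit of `openssl` itself is never diagnosed: the open succeeds, `$hash` comes back empty, and the callers' new `return if !$hash;` bail out silently, so reading the two lines into variables and checking `close($fh)` before returning would make the failure visible rather than leaving the certificate unlinked without a message. The bodies of `link_hash_cert` and `link_hash_crl` continue outside the hunk.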