openssl update
There may be vulnerabilities in the current inherited openssl: https://github.com/janbar/openssl-cmake/blob/master/ssl/statem/statem_srvr.c#L55 and https://github.com/janbar/openssl-cmake/blob/master/ssl/statem/statem_clnt.c#L85 as indicated by this commit: https://github.com/openssl/openssl/commit/50a0af2e41ea61a79c19c17f9e87541e283ba8bf
There may be a potential memory leak in the current https://github.com/janbar/openssl-cmake/blob/master/ssl/ssl_lib.c#L4746 as mentioned by https://github.com/openssl/openssl/commit/a435d786046fabc85acdb89cbf47f154a09796e1
https://github.com/janbar/openssl-cmake/blob/master/ssl/statem/statem_srvr.c#L404 and https://github.com/janbar/openssl-cmake/blob/master/ssl/statem/statem_clnt.c#L404 as patched by https://github.com/openssl/openssl/commit/feb9e31c40c49de6384dd0413685e9b5a15adc99
https://github.com/janbar/openssl-cmake/blob/master/demos/bio/server-arg.c#L23, https://github.com/janbar/openssl-cmake/blob/master/demos/bio/saccept.c#L48, https://github.com/janbar/openssl-cmake/blob/master/demos/bio/server-cmod.c#L22, https://github.com/janbar/openssl-cmake/blob/master/demos/bio/server-conf.c#L24
This function is vulnerable to memory overflow as indicated by the previous patch: https://github.com/openssl/openssl/commit/f9afb3a07eb72428b98e3e31384380564a236700
Similar for this function: https://github.com/janbar/openssl-cmake/blob/master/crypto/cms/cms_sd.c#L729 is vulnerable and already patched by https://github.com/openssl/openssl/commit/81777339e9ed62cd3b801bf225fa1f2aba4b30dd
https://github.com/janbar/openssl-cmake/blob/master/apps/pkeyutl.c#L78 is vulnerable and patched by https://github.com/openssl/openssl/commit/849450746f38a5658ef783abb0a8c79ae2861464
https://github.com/janbar/openssl-cmake/blob/master/ssl/ssl_sess.c#L106 and https://github.com/janbar/openssl-cmake/blob/master/ssl/ssl_sess.c#L750 are vulnerable and patched by openssl https://github.com/openssl/openssl/commit/eee2a6a718151336534d15a61d8d11209d4dfb1e
https://github.com/janbar/openssl-cmake/blob/master/crypto/pem/pem_pkey.c#L95 is also vulnerable and already patched by https://github.com/openssl/openssl/commit/373d90128042cb0409e347827d80b50a99d3965a
https://github.com/janbar/openssl-cmake/blob/master/crypto/ec/ec_asn1.c#L1217 is vulnerable and already patched by https://github.com/openssl/openssl/commit/8ac42a5f418cbe2797bc423b694ac5af605b5c7a
Hi,
My intention with this repository is to provide a way to build libcrypto and libssl 1.1.1 using CMake for my other CMake projects. The goal here is not to continue maintaining OpenSSL 1.1.1w, which is no longer supported.
As you know, OpenSSL3 can no longer be built with a pure CMake project like this one, because they use many Perl scripts to generate the main headers. That is the OpenSSL team's choice, for some reason. So if we need the latest version (3), we have to use their build system and import the generated binaries for the targeted platform. This is a pity, but that is how it is.
Applying OpenSSL3 patches without rigorous testing carries risks. Would you rather have your application crash or suffer a sensitive data leak?