Bug 33650 - openssl new security issue CVE-2024-9143
Summary: openssl new security issue CVE-2024-9143
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK MGA9-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 33857
Reported: 2024-10-17 13:56 CEST by Nicolas Salguero
Modified: 2024-12-23 10:32 CET

See Also:
Source RPM: openssl-3.0.15-1.mga9.src.rpm
CVE: CVE-2024-9143
Status comment:


Description Nicolas Salguero 2024-10-17 13:56:50 CEST
OpenSSL has issued an advisory on October 16:
https://openssl-library.org/news/secadv/20241016.txt
Nicolas Salguero 2024-10-17 13:57:46 CEST

Source RPM: (none) => openssl-3.3.2-1.mga10.src.rpm, openssl-3.0.15-1.mga9.src.rpm
CVE: (none) => CVE-2024-9143
Status comment: (none) => Patches available from upstream
Whiteboard: (none) => MGA9TOO

Comment 2 Marja Van Waes 2024-10-17 15:40:14 CEST
No registered maintainer, so assigning to all.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11

Comment 3 Nicolas Salguero 2024-11-07 15:32:26 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Low-level invalid GF(2^m) parameters lead to OOB memory access. (CVE-2024-9143)

References:
https://openssl-library.org/news/secadv/20241016.txt
========================

Updated packages in core/updates_testing:
========================
lib(64)openssl3-3.0.15-1.1.mga9
lib(64)openssl-devel-3.0.15-1.1.mga9
lib(64)openssl-static-devel-3.0.15-1.1.mga9
openssl-3.0.15-1.1.mga9
openssl-perl-3.0.15-1.1.mga9

from SRPM:
openssl-3.0.15-1.1.mga9.src.rpm

Status: NEW => ASSIGNED
Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)
Status comment: Patches available from upstream => (none)
Source RPM: openssl-3.3.2-1.mga10.src.rpm, openssl-3.0.15-1.mga9.src.rpm => openssl-3.0.15-1.mga9.src.rpm
Assignee: pkg-bugs => qa-bugs

katnatek 2024-11-07 18:58:28 CET

Keywords: (none) => advisory

Comment 4 Brian Rockwell 2024-11-07 21:03:27 CET
MGA9-32, AMD A6-3420M APU with Radeon(tm) HD Graphics, old Laptop

The following 2 packages are going to be installed:

- libopenssl3-3.0.15-1.1.mga9.i586
- openssl-3.0.15-1.1.mga9.i586

12B of additional disk space will be used.


-----

basic testing completed

$ openssl s_client -connect mageia.org:443
$ openssl ciphers -v
$ openssl version -a
OpenSSL 3.0.15 3 Sep 2024 (Library: OpenSSL 3.0.15 3 Sep 2024)
built on: Thu Nov  7 13:51:17 2024 UTC
$ openssl genrsa -out a.key 2048

private key generated.

CC: (none) => brtians1

PC LX 2024-11-09 01:15:38 CET

CC: (none) => mageia

Comment 5 katnatek 2024-11-09 21:09:42 CET
RH x86_64

LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (64-bit)" is up-to-date
medium "QA Testing (32-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Nonfree 32bit Updates (distrib37)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date


installing openssl-3.0.15-1.1.mga9.x86_64.rpm lib64openssl-devel-3.0.15-1.1.mga9.x86_64.rpm lib64openssl3-3.0.15-1.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/3: lib64openssl3         ##################################################################################################
      2/3: openssl               ##################################################################################################
      3/3: lib64openssl-devel    ##################################################################################################
      1/3: removing openssl-3.0.15-1.mga9.x86_64
                                 ##################################################################################################
      2/3: removing lib64openssl-devel-3.0.15-1.mga9.x86_64
                                 ##################################################################################################
      3/3: removing lib64openssl3-3.0.15-1.mga9.x86_64
                                 ##################################################################################################

Restarted sshd and checked its status; looks good.

cat kernel-cves| openssl aes-256-cbc -e -K 47bc82c4e6dd271d3a72d526bf6ac3ee520d8ec70f7a1044cd02f098f6b51162 -iv '47bc82c4e6dd271d3a72d526bf6ac3ee' > kernel-cves.enc

openssl aes-256-cbc -d -in kernel-cves.enc -K 47bc82c4e6dd271d3a72d526bf6ac3ee520d8ec70f7a1044cd02f098f6b51162 -iv '47bc82c4e6dd271d3a72d526bf6ac3ee'

CVE-2023-52917
CVE-2024-47670
CVE-2024-47671
CVE-2024-47672
CVE-2024-47673
CVE-2024-47675
CVE-2024-47678
CVE-2024-47679
CVE-2024-47681
CVE-2024-47682
CVE-2024-47683
CVE-2024-47684
CVE-2024-47685
CVE-2024-47686

etc

Looks good
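The round trip above is checked by eye. The script below, added here as an example and not part of the bug report or of Mageia's QA tooling, makes the same smoke test repeatable: it verifies that the installed `openssl` reports the expected version prefix and that an AES-256-CBC encrypt/decrypt cycle returns the original bytes, giving a single ok/not-ok result. It assumes `openssl` is on PATH; the sample plaintext and the expected version prefix are constructed for the example, and the raw hex key/IV form (`-K`/`-iv`) is the one the comment uses.

```shell
#!/bin/sh
# Added example (not from the bug report): a repeatable version of the
# comment-5 smoke test. Assumes `openssl` is on PATH; the plaintext and the
# expected version prefix below are constructed for this example.

# Raw hex key and IV in the same form as the comment (-K / -iv). A fixed
# key/IV pair is only acceptable for a throwaway smoke test like this one.
KEY=47bc82c4e6dd271d3a72d526bf6ac3ee520d8ec70f7a1044cd02f098f6b51162
IV=47bc82c4e6dd271d3a72d526bf6ac3ee

# check_version PREFIX: prints "ok" when `openssl version` starts with
# PREFIX (e.g. "OpenSSL 3.0.15"); otherwise prints the actual version
# string so the caller can see what is really installed.
check_version() {
    ver=$(openssl version 2>/dev/null) || { echo "openssl-missing"; return 1; }
    case "$ver" in
        "$1"*) echo ok ;;
        *)     echo "$ver"; return 1 ;;
    esac
}

# roundtrip: encrypts a constructed plaintext with AES-256-CBC, decrypts it
# and compares byte for byte. Prints "ok", "not-encrypted" or "mismatch"
# and returns 0 only for "ok".
roundtrip() {
    dir=$(mktemp -d) || return 1
    result=mismatch
    # Constructed sample input, shaped like the CVE list in the comment.
    printf 'CVE-2023-52917\nCVE-2024-47670\nCVE-2024-47671\n' > "$dir/in.txt"
    # `openssl enc -aes-256-cbc` is the long form of the comment's
    # `openssl aes-256-cbc` alias.
    if openssl enc -aes-256-cbc -e -K "$KEY" -iv "$IV" \
            -in "$dir/in.txt" -out "$dir/in.enc" \
       && openssl enc -aes-256-cbc -d -K "$KEY" -iv "$IV" \
            -in "$dir/in.enc" -out "$dir/out.txt"; then
        if cmp -s "$dir/in.txt" "$dir/in.enc"; then
            result=not-encrypted      # ciphertext identical to plaintext
        elif cmp -s "$dir/in.txt" "$dir/out.txt"; then
            result=ok                 # decrypted bytes match the input
        fi
    fi
    rm -rf "$dir"
    echo "$result"
    [ "$result" = ok ]
}

# main PREFIX: runs both checks, prints their results and returns non-zero
# if either failed.
main() {
    status=0
    v=$(check_version "$1") || status=1
    r=$(roundtrip) || status=1
    printf 'version: %s\nroundtrip: %s\n' "$v" "$r"
    return $status
}

# Run both checks when invoked directly with an expected version prefix,
# e.g.:  sh smoke-test.sh "OpenSSL 3.0.15"
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Both functions print their verdict and return a status, so the script can be used interactively or from a QA batch that only looks at the exit code.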
Comment 6 katnatek 2024-11-09 23:39:17 CET
RH i586 

Updated with other pending updates

installing /var/cache/urpmi/rpms/libheif1-1.16.2-1.2.mga9.tainted.i586.rpm                                               
/var/cache/urpmi/rpms/pipewire-media-session-0.4.2-1.1.mga9.i586.rpm
/var/cache/urpmi/rpms/python3-urllib3-1.26.20-1.mga9.noarch.rpm
/var/cache/urpmi/rpms/libnspr4-4.36-1.mga9.i586.rpm
/var/cache/urpmi/rpms/libheif-1.16.2-1.2.mga9.tainted.i586.rpm
/var/cache/urpmi/rpms/libnss3-3.106.0-1.mga9.i586.rpm
//home/katnatek/qa-testing/i586/libopenssl3-3.0.15-1.1.mga9.i586.rpm
//home/katnatek/qa-testing/i586/openssl-3.0.15-1.1.mga9.i586.rpm
//home/katnatek/qa-testing/i586/libopenssl-devel-3.0.15-1.1.mga9.i586.rpm
/var/cache/urpmi/rpms/nss-3.106.0-1.mga9.i586.rpm
Preparing...                     #######################################################################################
     1/10: python3-urllib3       #######################################################################################
     2/10: libopenssl3           #######################################################################################
     3/10: libnspr4              #######################################################################################
     4/10: nss                   #######################################################################################
     5/10: libnss3               #######################################################################################
     6/10: libheif               #######################################################################################
     7/10: libheif1              #######################################################################################
     8/10: libopenssl-devel      #######################################################################################
     9/10: openssl               #######################################################################################
    10/10: pipewire-media-session
                                 #######################################################################################
     1/10: removing openssl-3.0.15-1.mga9.i586
                                 #######################################################################################
     2/10: removing libnss3-2:3.105.0-1.mga9.i586
                                 #######################################################################################
     3/10: removing nss-2:3.105.0-1.mga9.i586
                                 #######################################################################################
     4/10: removing libopenssl-devel-3.0.15-1.mga9.i586
                                 #######################################################################################
     5/10: removing libheif1-1.16.2-1.1.mga9.tainted.i586
                                 #######################################################################################
     6/10: removing libheif-1.16.2-1.1.mga9.tainted.i586
                                 #######################################################################################
     7/10: removing libopenssl3-3.0.15-1.mga9.i586
                                 #######################################################################################
     8/10: removing libnspr4-2:4.35-1.mga9.i586
                                 #######################################################################################
     9/10: removing python3-urllib3-1.26.18-4.mga9.noarch
                                 #######################################################################################
    10/10: removing pipewire-media-session-0.4.2-1.mga9.i586
                                 #######################################################################################

Restarted sshd and checked its status; looks good.
Comment 7 Herman Viaene 2024-11-11 11:36:27 CET
MGA9-64 Plasma Wayland on HP-Pavillion
Ref bug 33520 and testing above:
$ openssl s_client -connect mageia.org:443
CONNECTED(00000003)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = FR, O = Gandi, CN = Gandi RSA Domain Validation Secure Server CA 3
verify return:1
depth=0 CN = *.mageia.org
verify return:1
---
Certificate chain
 0 s:CN = *.mageia.org
   i:C = FR, O = Gandi, CN = Gandi RSA Domain Validation Secure Server CA 3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA384
   v:NotBefore: Feb 10 00:00:00 2024 GMT; NotAfter: Feb 10 23:59:59 2025 GMT
and a lot more .....

$ openssl version
OpenSSL 3.0.15 3 Sep 2024 (Library: OpenSSL 3.0.15 3 Sep 2024)

$ openssl version -a
OpenSSL 3.0.15 3 Sep 2024 (Library: OpenSSL 3.0.15 3 Sep 2024)
built on: Thu Nov  7 13:51:00 2024 UTC
platform: linux-x86_64
options:  bn(64,64)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -O2 -g -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -fstack-protector-all -fasynchronous-unwind-tables -O2 -g -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -fstack-protector-all -fasynchronous-unwind-tables -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DZLIB -DNDEBUG -DPURIFY -DDEVRANDOM="\"/dev/urandom\"" -DSYSTEM_CIPHERS_FILE="/etc/crypto-policies/back-ends/openssl.config"
OPENSSLDIR: "/etc/pki/tls"
ENGINESDIR: "/usr/lib64/engines-3"
MODULESDIR: "/usr/lib64/ossl-modules"
Seeding source: os-specific
CPUINFO: OPENSSL_ia32cap=0x43d8e3bfefebffff:0x2282

$ openssl ciphers -v
TLS_AES_256_GCM_SHA384         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(256)            Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256   TLSv1.3 Kx=any      Au=any   Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(128)            Mac=AEAD
TLS_AES_128_CCM_SHA256         TLSv1.3 Kx=any      Au=any   Enc=AESCCM(128)            Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256)            Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2 Kx=ECDH     Au=RSA   Enc=AESGCM(256)            Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305    TLSv1.2 Kx=ECDH     Au=RSA   Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-CCM         TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM(256)            Mac=AEAD
etc...

$ openssl speed rsa
Doing 512 bits private rsa's for 10s: 56524 512 bits private RSA's in 10.00s
Doing 512 bits public rsa's for 10s: 826911 512 bits public RSA's in 10.00s
Doing 1024 bits private rsa's for 10s: 16653 1024 bits private RSA's in 10.00s
Doing 1024 bits public rsa's for 10s: 269988 1024 bits public RSA's in 10.00s
Doing 2048 bits private rsa's for 10s: 2209 2048 bits private RSA's in 10.00s
etc....

In view of the other tests above, good to go.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA9-64-OK

Comment 8 Thomas Andrews 2024-11-11 19:28:15 CET
Comment 6 has an i586 test, too. Validating.

Whiteboard: MGA9-64-OK => MGA9-64-OK MGA9-32-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 9 Dan Fandrich 2024-11-12 07:11:58 CET
This package was pushed today but for some reason this bug wasn't automatically closed.

CC: (none) => dan
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Comment 10 Mageia Robot 2024-11-12 21:27:02 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0355.html
Marc Krämer 2024-12-23 10:32:42 CET

Blocks: (none) => 33857

