From: Tomas Mraz Date: Tue, 9 Jan 2024 17:08:22 +0000 (+0100) Subject: Add CHANGES.md and NEWS.md entries for CVE-2023-6237 X-Git-Tag: openssl-3.0.13~16 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5149deb832bc98cd908c4fca345c6f1150f4e286;p=thirdparty%2Fopenssl.git Add CHANGES.md and NEWS.md entries for CVE-2023-6237 Reviewed-by: Neil Horman Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/23243) (cherry picked from commit 38b2508f638787842750aec9a75745e1d8786743) --- diff --git a/CHANGES.md b/CHANGES.md index 8be8124fd88..2ba6c980772 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -30,6 +30,28 @@ breaking changes, and mappings for the large list of deprecated functions. ### Changes between 3.0.12 and 3.0.13 [xx XXX xxxx] + * When function EVP_PKEY_public_check() is called on RSA public keys, + a computation is done to confirm that the RSA modulus, n, is composite. + For valid RSA keys, n is a product of two or more large primes and this + computation completes quickly. However, if n is an overly large prime, + then this computation would take a long time. + + An application that calls EVP_PKEY_public_check() and supplies an RSA key + obtained from an untrusted source could be vulnerable to a Denial of Service + attack. + + The function EVP_PKEY_public_check() is not called from other OpenSSL + functions however it is called from the OpenSSL pkey command line + application. For that reason that application is also vulnerable if used + with the "-pubin" and "-check" options on untrusted data. + + To resolve this issue RSA keys larger than OPENSSL_RSA_MAX_MODULUS_BITS will + now fail the check immediately with an RSA_R_MODULUS_TOO_LARGE error reason. + + ([CVE-2023-6237]) + + *Tomáš Mráz* + * Restore the encoding of SM2 PrivateKeyInfo and SubjectPublicKeyInfo to have the contained AlgorithmIdentifier.algorithm set to id-ecPublicKey rather than SM2. 
@@ -19782,6 +19804,7 @@ ndif +[CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237 [CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129 [CVE-2023-5678]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5678 [CVE-2023-5363]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5363 diff --git a/NEWS.md b/NEWS.md index 2cbfc6f3fb6..550464a4114 100644 --- a/NEWS.md +++ b/NEWS.md @@ -20,7 +20,9 @@ OpenSSL 3.0 ### Major changes between OpenSSL 3.0.12 and OpenSSL 3.0.13 [under development] - * Fix POLY1305 MAC implementation corrupting vector registers on PowerPC + * Fixed Excessive time spent checking invalid RSA public keys + ([CVE-2023-6237]) + * Fixed POLY1305 MAC implementation corrupting vector registers on PowerPC CPUs which support PowerISA 2.07 ([CVE-2023-6129]) * Fix excessive time spent in DH check / generation with large Q parameter @@ -1466,6 +1468,7 @@ OpenSSL 0.9.x +[CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237 [CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129 [CVE-2023-5678]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5678 [CVE-2023-5363]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5363
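Review bot: in the new CHANGES.md entry, the sentence "RSA keys larger than OPENSSL_RSA_MAX_MODULUS_BITS will now fail the check immediately with an RSA_R_MODULUS_TOO_LARGE error reason" names the cut-off only by macro, so a reader of the release notes cannot tell how many bits a public key may have before EVP_PKEY_public_check() starts rejecting it; please put the numeric value next to the macro name, and say explicitly whether keys at or below that limit still go through the compositeness check (as the wording implies), since the fix then bounds the worst-case time rather than removing the check. It would also help callers that treat any non-success from EVP_PKEY_public_check() as "invalid key" to know that RSA_R_MODULUS_TOO_LARGE is the reason they will now see for oversized keys that previously passed, since that is a visible behaviour change for them. Minor: "To resolve this issue RSA keys larger than" wants a comma after "issue".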
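Review bot: the NEWS.md hunk changes the existing "Fix POLY1305 MAC implementation corrupting vector registers on PowerPC" bullet to "Fixed POLY1305 ..." and adds "Fixed Excessive time spent checking invalid RSA public keys", but the very next bullet in the same list, "Fix excessive time spent in DH check / generation with large Q parameter", is left as "Fix", so the list now mixes tenses; either update that line as well or keep the original "Fix" wording on the POLY1305 line. Also "Fixed Excessive" should read "Fixed excessive", matching the lowercase used in the neighbouring DH entry.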