CVE-2023-2650 about OpenSSL on SFOS

CVE-2023-2650

Published 2023-05-30T14:15:00

Just reporting here for your acknowledgement

#
# An OpenSSL vulnerability has recently been fixed with USN-6188-1 & 6119-1:
# CVE-2023-2650: possible DoS translating ASN.1 object identifiers.
# Ensure you have updated the package to its latest version.
#

At the end of the vulnerability description:

[…]

The impact on TLS is relatively low, because all versions of OpenSSL have a 100KiB limit on the peer’s certificate chain. Additionally, this only impacts clients, or servers that have explicitly enabled client authentication. In OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects, such as X.509 certificates. This is assumed to not happen in such a way that it would cause a Denial of Service, so these versions are considered not affected by this issue in such a way that it would be cause for concern, and the severity is therefore considered low.

This means that only large-scale servers and clusters can be strongly affected by this vulnerability, and definitely this is not the case with smartphones.

However, in some other niches, this can be a sensitive problem, especially if it impacts the overall performance of the system, pushing it out of specifications about latency and jittering.

If this happens, the vulnerability is not the root cause, but having not provided real-time levels of running for those applications and kernel threads that require it.


At the moment this is the current state of SailFish OS:

[root@redfishos ~]# pkcon search openssl
Searching by details                                                                                                                                                                     
Starting                                                                                                                                                                                 
Querying                                                                                                                                                                                
Finished                                                                                                                                                                                
Available   	openssl-1.1.1s+git1-1.11.1.jolla.aarch64 (jolla)            	Utilities from the general purpose cryptography library with TLS implementation
Available   	openssl-debuginfo-1.1.1s+git1-1.11.1.jolla.aarch64 (jolla)  	Debug information for package openssl
Available   	openssl-debugsource-1.1.1s+git1-1.11.1.jolla.aarch64 (jolla)	Debug sources for package openssl
Available   	openssl-devel-1.1.1s+git1-1.11.1.jolla.aarch64 (jolla)      	Files for development of applications which will use OpenSSL
Installed   	openssl-libs-1.1.1s+git1-1.11.1.jolla.aarch64 (installed)   	A general purpose cryptography library with TLS implementation
Available   	openssl-perl-1.1.1s+git1-1.11.1.jolla.aarch64 (jolla)       	Perl scripts provided with OpenSSL
Available   	openssl-static-1.1.1s+git1-1.11.1.jolla.aarch64 (jolla)     	Libraries for static linking of applications which will use OpenSSL
Installed   	openvpn-2.5.5+git1-1.10.1.jolla.aarch64 (installed)         	A full-featured SSL VPN solution
Available   	pkcs11-helper-1.27+git1-1.4.3.jolla.aarch64 (jolla)         	A library for using PKCS#11 providers
Available   	python-M2Crypto-0.37.1+git2-1.4.5.jolla.aarch64 (jolla)     	Support for using OpenSSL in python scripts
Available   	python3-openssl-19.1.0+git2-1.6.2.jolla.aarch64 (jolla)     	Python wrapper module around the OpenSSL library
Available   	python3-openssl-debuginfo-19.1.0+git2-1.6.2.jolla.aarch64 (jolla)	Debug information for package python3-openssl
Available   	python3-openssl-debugsource-19.1.0+git2-1.6.2.jolla.aarch64 (jolla)	Debug sources for package python3-openssl
Available   	rubygem-openssl-2.1.3-1.8.1.jolla.aarch64 (jolla)           	OpenSSL provides SSL, TLS and general purpose cryptography
Available   	sqlcipher-4.5.0+git2-1.5.4.jolla.aarch64 (jolla)            	AES encryption for SQLite databases

About the OpenSSL version, here below shown:

[root@redfishos ~]# yes 1 | pkcon download . openssl
[root@redfishos ~]# rpm -qi ./openssl-1.1.1s+git1-1.11.1.jolla.aarch64.rpm

warning: ./openssl-1.1.1s+git1-1.11.1.jolla.aarch64.rpm: Header V3 RSA/SHA256 Signature, key ID 47394f23: NOKEY
Name        : openssl
Version     : 1.1.1s+git1
Release     : 1.11.1.jolla
Architecture: aarch64
Install Date: (not installed)
Group       : Unspecified
Size        : 690314
License     : OpenSSL
Signature   : RSA/SHA256, Mon 13 Feb 2023 17:32:00 CET, Key ID 5b1e398947394f23
Source RPM  : openssl-1.1.1s+git1-1.11.1.jolla.src.rpm
Build Date  : Mon 13 Feb 2023 17:27:29 CET
Build Host  : phost28
Vendor      : meego
URL         : http://www.openssl.org/
Summary     : Utilities from the general purpose cryptography library with TLS implementation
Description :
The OpenSSL toolkit provides support for secure communications between
machines. OpenSSL includes a certificate management tool and shared
libraries which provide various cryptographic algorithms and
protocols.

As you can see the package has been built three months before the CVE-2023-2650 publication therefore it is reasonable to suppose that the SFOS OpenSSL is still vulnerable.

I hope this helps, R-