Implicit rejection of PKCS#1 v1.5 RSA

Bug #2054090 reported by David Fernandez Gonzalez
Affects: openssl (Ubuntu), status tracked in Noble

Series    Status         Importance   Assigned to                Milestone
Trusty    Won't Fix      Undecided    Unassigned
Xenial    Fix Released   Undecided    David Fernandez Gonzalez
Bionic    Fix Released   Undecided    David Fernandez Gonzalez
Focal     Fix Released   Undecided    David Fernandez Gonzalez
Jammy     Fix Released   Undecided    David Fernandez Gonzalez
Mantic    Fix Released   Undecided    David Fernandez Gonzalez
Noble     New            Undecided    David Fernandez Gonzalez

Bug Description

OpenSSL 3.2.0 introduced a change on PKCS#1 v1.5 RSA to return random output instead of an exception when detecting wrong padding (https://github.com/openssl/openssl/pull/13817).

There are available backports already:

* 3.0 https://gitlab.com/redhat/centos-stream/rpms/openssl/-/blob/c9s/0120-RSA-PKCS15-implicit-rejection.patch?ref_type=heads

* 1.1.1 https://gitlab.com/redhat/centos-stream/rpms/openssl/-/blob/c8s/openssl-1.1.1-pkcs1-implicit-rejection.patch?ref_type=heads

This change is needed to fix CVE-2023-50782.
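
The behaviour change described in this report, as an added example that is not part of the original report and is not OpenSSL's code: a simplified sketch of explicit versus implicit rejection for PKCS#1 v1.5 unpadding. The function names, the HMAC labels and the `key_secret` input are assumptions of this sketch, and `em` stands in for the output of the raw RSA private-key operation.

```python
import hashlib
import hmac
from typing import Optional

def unpad_pkcs1_v15(em: bytes) -> Optional[bytes]:
    """Parse EM = 00 02 PS 00 M (PS: at least 8 nonzero bytes); None if malformed."""
    if len(em) < 11 or em[0] != 0 or em[1] != 2:
        return None
    sep = em.find(b"\x00", 2)
    if sep < 10:  # -1 (no separator) or PS shorter than 8 bytes
        return None
    return em[sep + 1:]

def synthetic_message(key_secret: bytes, ciphertext: bytes, k: int) -> bytes:
    """Deterministic pseudo-random plaintext for one (key, ciphertext) pair."""
    kdk = hmac.new(hashlib.sha256(key_secret).digest(), ciphertext, hashlib.sha256).digest()
    prf = lambda label: hmac.new(kdk, label, hashlib.sha256).digest()
    # Any length a valid padding could have produced: 0 .. k-11 bytes.
    length = int.from_bytes(prf(b"length")[:2], "big") % (k - 10)
    stream = b"".join(prf(b"message" + bytes([i])) for i in range(length // 32 + 1))
    return stream[:length]

def decrypt_explicit(em: bytes) -> bytes:
    """Old behaviour: a padding failure is visible to the caller as an error."""
    msg = unpad_pkcs1_v15(em)
    if msg is None:
        raise ValueError("PKCS#1 v1.5 padding check failed")
    return msg

def decrypt_implicit(em: bytes, key_secret: bytes, ciphertext: bytes) -> bytes:
    """Implicit rejection: never signal the failure, return synthetic output."""
    # Python branches are not constant-time; a real implementation computes
    # both results and selects between them without data-dependent branches.
    msg = unpad_pkcs1_v15(em)
    return msg if msg is not None else synthetic_message(key_secret, ciphertext, len(em))

# Constructed sample data: EM stands in for the raw RSA private-key result.
K = 64
SECRET = b"constructed-private-key-secret"
GOOD_EM = b"\x00\x02" + b"\xaa" * (K - 3 - 5) + b"\x00" + b"hello"
BAD_EM = b"\x00\x01" + GOOD_EM[2:]
CT = b"constructed-ciphertext-bytes"
```

Because the synthetic output is derived from the key and the ciphertext, repeating the same malformed ciphertext gives the same bytes, so a caller cannot tell a padding failure from a successful decryption by retrying.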

Changed in openssl (Ubuntu):
assignee: nobody → David Fernandez Gonzalez (litios)
Changed in openssl (Ubuntu Noble):
assignee: David Fernandez Gonzalez (litios) → nobody
Changed in openssl (Ubuntu Bionic):
assignee: nobody → David Fernandez Gonzalez (litios)
Changed in openssl (Ubuntu Focal):
assignee: nobody → David Fernandez Gonzalez (litios)
Changed in openssl (Ubuntu Jammy):
assignee: nobody → David Fernandez Gonzalez (litios)
Changed in openssl (Ubuntu Mantic):
assignee: nobody → David Fernandez Gonzalez (litios)
Changed in openssl (Ubuntu Noble):
assignee: nobody → David Fernandez Gonzalez (litios)
Changed in openssl (Ubuntu Xenial):
assignee: nobody → David Fernandez Gonzalez (litios)
Changed in openssl (Ubuntu Trusty):
assignee: nobody → David Fernandez Gonzalez (litios)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl - 3.0.10-1ubuntu2.3

---------------
openssl (3.0.10-1ubuntu2.3) mantic-security; urgency=medium

  * SECURITY UPDATE: Implicit rejection for RSA PKCS#1 (LP: #2054090)
    - debian/patches/openssl-pkcs1-implicit-rejection.patch:
      Return deterministic random output instead of an error in case
      there is a padding error in crypto/cms/cms_env.c,
      crypto/evp/ctrl_params_translate.c, crypto/pkcs7/pk7_doit.c,
      crypto/rsa/rsa_ossl.c, crypto/rsa/rsa_pk1.c,
      crypto/rsa/rsa_pmeth.c, doc/man1/openssl-pkeyutl.pod.in,
      doc/man1/openssl-rsautl.pod.in, doc/man3/EVP_PKEY_CTX_ctrl.pod,
      doc/man3/EVP_PKEY_decrypt.pod,
      doc/man3/RSA_padding_add_PKCS1_type_1.pod,
      doc/man3/RSA_public_encrypt.pod, doc/man7/provider-asym_cipher.pod,
      include/crypto/rsa.h, include/openssl/core_names.h,
      include/openssl/rsa.h,
      providers/implementations/asymciphers/rsa_enc.c and
      test/recipes/30-test_evp_data/evppkey_rsa_common.txt.

 -- David Fernandez Gonzalez <email address hidden> Wed, 21 Feb 2024 11:45:39 +0100

Changed in openssl (Ubuntu Mantic):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl - 1.1.1f-1ubuntu2.22

---------------
openssl (1.1.1f-1ubuntu2.22) focal-security; urgency=medium

  * SECURITY UPDATE: Implicit rejection for RSA PKCS#1 (LP: #2054090)
    - debian/patches/openssl-1.1.1-pkcs1-implicit-rejection.patch:
      Return deterministic random output instead of an error in case
      there is a padding error in crypto/cms/cms_env.c,
      crypto/pkcs7/pk7_doit.c, crypto/rsa/rsa_local.h,
      crypto/rsa/rsa_ossl.c, crypto/rsa/rsa_pk1.c, crypto/rsa/rsa_pmeth.c,
      doc/man1/pkeyutl.pod, doc/man1/rsautl.pod,
      doc/man3/EVP_PKEY_CTX_ctrl.pod, doc/man3/EVP_PKEY_decrypt.pod,
      doc/man3/RSA_padding_add_PKCS1_type_1.pod,
      doc/man3/RSA_public_encrypt.pod, include/openssl/rsa.h and
      test/recipes/30-test_evp_data/evppkey.txt.

 -- David Fernandez Gonzalez <email address hidden> Fri, 16 Feb 2024 16:41:31 +0100

Changed in openssl (Ubuntu Focal):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl - 3.0.2-0ubuntu1.15

---------------
openssl (3.0.2-0ubuntu1.15) jammy-security; urgency=medium

  * SECURITY UPDATE: Implicit rejection for RSA PKCS#1 (LP: #2054090)
    - debian/patches/openssl-pkcs1-implicit-rejection.patch:
      Return deterministic random output instead of an error in case
      there is a padding error in crypto/cms/cms_env.c,
      crypto/evp/ctrl_params_translate.c, crypto/pkcs7/pk7_doit.c,
      crypto/rsa/rsa_ossl.c, crypto/rsa/rsa_pk1.c,
      crypto/rsa/rsa_pmeth.c, doc/man1/openssl-pkeyutl.pod.in,
      doc/man1/openssl-rsautl.pod.in, doc/man3/EVP_PKEY_CTX_ctrl.pod,
      doc/man3/EVP_PKEY_decrypt.pod,
      doc/man3/RSA_padding_add_PKCS1_type_1.pod,
      doc/man3/RSA_public_encrypt.pod, doc/man7/provider-asym_cipher.pod,
      include/crypto/rsa.h, include/openssl/core_names.h,
      include/openssl/rsa.h,
      providers/implementations/asymciphers/rsa_enc.c and
      test/recipes/30-test_evp_data/evppkey_rsa_common.txt.

 -- David Fernandez Gonzalez <email address hidden> Fri, 16 Feb 2024 09:51:30 +0100

Changed in openssl (Ubuntu Jammy):
status: New → Fix Released
David Fernandez Gonzalez (litios) wrote :

Bionic released in ESM Infra, version 1.1.1-1ubuntu2.1~18.04.23+esm5

Changed in openssl (Ubuntu Bionic):
status: New → Fix Released
David Fernandez Gonzalez (litios) wrote :

Fix released for Xenial ESM: 1.0.2g-1ubuntu4.20+esm12

https://ubuntu.com/security/notices/USN-6663-2

Changed in openssl (Ubuntu Xenial):
status: New → Fix Released
Changed in openssl (Ubuntu Trusty):
status: New → Won't Fix
David Fernandez Gonzalez (litios) wrote :

Trusty would require a significant backport, marking it as won't fix to prevent possible regressions.

Changed in openssl (Ubuntu Trusty):
assignee: David Fernandez Gonzalez (litios) → nobody