Package: release.debian.org
Control: affects -1 + src:openssl
X-Debbugs-Cc: open...@packages.debian.org
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: sebast...@breakpoint.cc
Severity: normal

Please unblock package openssl

The -2 release fixes two bugs:

- CVE-2025-4575
  Minor (severity low) affecting only the "-addreject" option of the
  "openssl x509" command. Only the 3.5 version is affected by this.
  Since it is a CVE with an advisory I decided to include it.

- Illegal instruction on ppc64el
  Some of the optimized functionality on ppc64el unconditionally uses
  instructions which are only supported on POWER9+. Debian supports
  POWER8 as the minimum CPU base so this counts as a regression on a
  release architecture.
  It affects the P-384 EC algorithm which can affect for instance ssh or
  https connections if the curve is used. The algorithm is covered by the
  test suite but the buildds (and the porterbox) are POWER9 so it went
  undetected so far.

Both patches have been cherry-picked from the 3.5 branch. The "openssl
x509" changes look simple and they extend the current test suite. The
ppc64el related changes were tested by the reporter.

unblock openssl/3.5.0-2

Sebastian

diff -Nru openssl-3.5.0/debian/changelog openssl-3.5.0/debian/changelog --- openssl-3.5.0/debian/changelog 2025-04-08 21:15:30.000000000 +0200 +++ openssl-3.5.0/debian/changelog 2025-05-28 22:13:00.000000000 +0200 @@ -1,3 +1,11 @@ +openssl (3.5.0-2) unstable; urgency=medium + + * Fix P-384 curve on lower-than-P9 PPC64 targets Closes: #1106516). + * CVE-2025-4575 ("The x509 application adds trusted use instead of + rejected use") (Closes: #1106322). + + -- Sebastian Andrzej Siewior <sebast...@breakpoint.cc> Wed, 28 May 2025 22:13:00 +0200 + openssl (3.5.0-1) unstable; urgency=medium * Import 3.5.0 diff -Nru openssl-3.5.0/debian/patches/apps-x509.c-Fix-the-addreject-option-adding-trust-instead.patch openssl-3.5.0/debian/patches/apps-x509.c-Fix-the-addreject-option-adding-trust-instead.patch --- openssl-3.5.0/debian/patches/apps-x509.c-Fix-the-addreject-option-adding-trust-instead.patch 1970-01-01 01:00:00.000000000 +0100 +++ openssl-3.5.0/debian/patches/apps-x509.c-Fix-the-addreject-option-adding-trust-instead.patch 2025-05-28 22:10:17.000000000 +0200 
@@ -0,0 +1,62 @@ +From: Tomas Mraz <to...@openssl.org> +Date: Tue, 20 May 2025 16:34:10 +0200 +Subject: apps/x509.c: Fix the -addreject option adding trust instead of + rejection + +Fixes CVE-2025-4575 + +Reviewed-by: Dmitry Belyavskiy <beld...@gmail.com> +Reviewed-by: Paul Dale <ppz...@gmail.com> +(Merged from https://github.com/openssl/openssl/pull/27672) + +(cherry picked from commit 0eb9acc24febb1f3f01f0320cfba9654cf66b0ac) +(cherry picked from commit e96d22446e633d117e6c9904cb15b4693e956eaa) +Signed-off-by: Sebastian Andrzej Siewior <sebast...@breakpoint.cc> +--- + apps/x509.c | 2 +- + test/recipes/25-test_x509.t | 12 +++++++++++- + 2 files changed, 12 insertions(+), 2 deletions(-) + +diff --git a/apps/x509.c b/apps/x509.c +index fdae8f383a66..0c340c15b321 100644 +--- a/apps/x509.c ++++ b/apps/x509.c +@@ -465,7 +465,7 @@ int x509_main(int argc, char **argv) + prog, opt_arg()); + goto opthelp; + } +- if (!sk_ASN1_OBJECT_push(trust, objtmp)) ++ if (!sk_ASN1_OBJECT_push(reject, objtmp)) + goto end; + trustout = 1; + break; +diff --git a/test/recipes/25-test_x509.t b/test/recipes/25-test_x509.t +index 09b61708ff8a..dfa0a428f5f0 100644 +--- a/test/recipes/25-test_x509.t ++++ b/test/recipes/25-test_x509.t +@@ -16,7 +16,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/; + + setup("test_x509"); + +-plan tests => 134; ++plan tests => 138; + + # Prevent MSys2 filename munging for arguments that look like file paths but + # aren't +@@ -110,6 +110,16 @@ ok(run(app(["openssl", "x509", "-new", "-force_pubkey", $key, "-subj", "/CN=EE", + && run(app(["openssl", "verify", "-no_check_time", + "-trusted", $ca, "-partial_chain", $caout]))); + ++# test trust decoration ++ok(run(app(["openssl", "x509", "-in", $ca, "-addtrust", "emailProtection", ++ "-out", "ca-trusted.pem"]))); ++cert_contains("ca-trusted.pem", "Trusted Uses: E-mail Protection", ++ 1, 'trusted use - E-mail Protection'); ++ok(run(app(["openssl", "x509", "-in", $ca, "-addreject", "emailProtection", ++ "-out", 
"ca-rejected.pem"]))); ++cert_contains("ca-rejected.pem", "Rejected Uses: E-mail Protection", ++ 1, 'rejected use - E-mail Protection'); ++ + subtest 'x509 -- x.509 v1 certificate' => sub { + tconversion( -type => 'x509', -prefix => 'x509v1', + -in => srctop_file("test", "testx509.pem") ); diff -Nru openssl-3.5.0/debian/patches/Fix-P-384-curve-on-lower-than-P9-PPC64-targets.patch openssl-3.5.0/debian/patches/Fix-P-384-curve-on-lower-than-P9-PPC64-targets.patch --- openssl-3.5.0/debian/patches/Fix-P-384-curve-on-lower-than-P9-PPC64-targets.patch 1970-01-01 01:00:00.000000000 +0100 +++ openssl-3.5.0/debian/patches/Fix-P-384-curve-on-lower-than-P9-PPC64-targets.patch 2025-05-28 22:10:17.000000000 +0200 
@@ -0,0 +1,126 @@ +From: "A. Wilcox" <awil...@wilcox-tech.com> +Date: Thu, 17 Apr 2025 08:51:53 -0500 +Subject: Fix P-384 curve on lower-than-P9 PPC64 targets + +The change adding an asm implementation of p384_felem_reduce incorrectly +uses the accelerated version on both targets that support the intrinsics +*and* targets that don't, instead of falling back to the generics on older +targets. This results in crashes when trying to use P-384 on < Power9. + +Signed-off-by: Anna Wilcox <awil...@wilcox-tech.com> +Closes: #27350 +Fixes: 85cabd94 ("Fix Minerva timing side-channel signal for P-384 curve on PPC") + +Reviewed-by: Dmitry Belyavskiy <beld...@gmail.com> +Reviewed-by: Tomas Mraz <to...@openssl.org> +(Merged from https://github.com/openssl/openssl/pull/27429) + +(cherry picked from commit 29864f2b0f1046177e8048a5b17440893d3f9425) +(cherry picked from commit a72f753cc5a43e58087358317975f6be46c15e01) +Signed-off-by: Sebastian Andrzej Siewior <sebast...@breakpoint.cc> +--- + crypto/ec/ecp_nistp384.c | 54 +++++++++++++++++++++++++++++------------------- + 1 file changed, 33 insertions(+), 21 deletions(-) + +diff --git a/crypto/ec/ecp_nistp384.c b/crypto/ec/ecp_nistp384.c +index 2ceb94fe33b7..9d682f5a02cc 100644 +--- a/crypto/ec/ecp_nistp384.c ++++ b/crypto/ec/ecp_nistp384.c +@@ -684,6 +684,22 @@ static void felem_reduce_ref(felem out, const widefelem in) + out[i] = acc[i]; + } + ++static ossl_inline void felem_square_reduce_ref(felem out, const felem in) ++{ ++ widefelem tmp; ++ ++ felem_square_ref(tmp, in); ++ felem_reduce_ref(out, tmp); ++} ++ ++static ossl_inline void felem_mul_reduce_ref(felem out, const felem in1, const felem in2) ++{ ++ widefelem tmp; ++ ++ felem_mul_ref(tmp, in1, in2); ++ felem_reduce_ref(out, tmp); ++} ++ + #if defined(ECP_NISTP384_ASM) + static void felem_square_wrapper(widefelem out, const felem in); + static void felem_mul_wrapper(widefelem out, const felem in1, const felem in2); +@@ -695,10 +711,18 @@ static void (*felem_mul_p)(widefelem 
out, const felem in1, const felem in2) = + + static void (*felem_reduce_p)(felem out, const widefelem in) = felem_reduce_ref; + ++static void (*felem_square_reduce_p)(felem out, const felem in) = ++ felem_square_reduce_ref; ++static void (*felem_mul_reduce_p)(felem out, const felem in1, const felem in2) = ++ felem_mul_reduce_ref; ++ + void p384_felem_square(widefelem out, const felem in); + void p384_felem_mul(widefelem out, const felem in1, const felem in2); + void p384_felem_reduce(felem out, const widefelem in); + ++void p384_felem_square_reduce(felem out, const felem in); ++void p384_felem_mul_reduce(felem out, const felem in1, const felem in2); ++ + # if defined(_ARCH_PPC64) + # include "crypto/ppc_arch.h" + # endif +@@ -710,6 +734,8 @@ static void felem_select(void) + felem_square_p = p384_felem_square; + felem_mul_p = p384_felem_mul; + felem_reduce_p = p384_felem_reduce; ++ felem_square_reduce_p = p384_felem_square_reduce; ++ felem_mul_reduce_p = p384_felem_mul_reduce; + + return; + } +@@ -718,7 +744,9 @@ static void felem_select(void) + /* Default */ + felem_square_p = felem_square_ref; + felem_mul_p = felem_mul_ref; +- felem_reduce_p = p384_felem_reduce; ++ felem_reduce_p = felem_reduce_ref; ++ felem_square_reduce_p = felem_square_reduce_ref; ++ felem_mul_reduce_p = felem_mul_reduce_ref; + } + + static void felem_square_wrapper(widefelem out, const felem in) +@@ -737,31 +765,15 @@ static void felem_mul_wrapper(widefelem out, const felem in1, const felem in2) + # define felem_mul felem_mul_p + # define felem_reduce felem_reduce_p + +-void p384_felem_square_reduce(felem out, const felem in); +-void p384_felem_mul_reduce(felem out, const felem in1, const felem in2); +- +-# define felem_square_reduce p384_felem_square_reduce +-# define felem_mul_reduce p384_felem_mul_reduce ++# define felem_square_reduce felem_square_reduce_p ++# define felem_mul_reduce felem_mul_reduce_p + #else + # define felem_square felem_square_ref + # define felem_mul felem_mul_ref + # 
define felem_reduce felem_reduce_ref + +-static ossl_inline void felem_square_reduce(felem out, const felem in) +-{ +- widefelem tmp; +- +- felem_square(tmp, in); +- felem_reduce(out, tmp); +-} +- +-static ossl_inline void felem_mul_reduce(felem out, const felem in1, const felem in2) +-{ +- widefelem tmp; +- +- felem_mul(tmp, in1, in2); +- felem_reduce(out, tmp); +-} ++# define felem_square_reduce felem_square_reduce_ref ++# define felem_mul_reduce felem_mul_reduce_ref + #endif + + /*- diff -Nru openssl-3.5.0/debian/patches/series openssl-3.5.0/debian/patches/series --- openssl-3.5.0/debian/patches/series 2025-04-08 21:15:10.000000000 +0200 +++ openssl-3.5.0/debian/patches/series 2025-05-28 22:10:17.000000000 +0200 @@ -5,3 +5,5 @@ c_rehash-compat.patch Configure-allow-to-enable-ktls-if-target-does-not-start-w.patch conf-Serialize-allocation-free-of-ssl_names.patch +apps-x509.c-Fix-the-addreject-option-adding-trust-instead.patch +Fix-P-384-curve-on-lower-than-P9-PPC64-targets.patch
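
Review bot: in the debian/changelog hunk, the first entry of 3.5.0-2 has an unbalanced parenthesis: "Closes: #1106516)." is missing its opening "(". Write it as "(Closes: #1106516)" so it matches the form of the CVE-2025-4575 entry directly below it.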
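
Review bot: the apps/x509.c hunk (@@ -465) shows only the push onto the stack, not where the `reject` stack is created, so the three lines of context are not enough to confirm the fix is complete. Before accepting the swap from `sk_ASN1_OBJECT_push(trust, objtmp)` to `sk_ASN1_OBJECT_push(reject, objtmp)`, check that the lines above the hunk in the same option case set up `reject` and not `trust`; otherwise the same mix-up remains one step earlier.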
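
Review bot: the new checks in test/recipes/25-test_x509.t (@@ -110) only assert what should be present, so they do not pin down the actual CVE-2025-4575 behaviour, which was "-addreject" producing a trusted use. Add a negative check on ca-rejected.pem that "Trusted Uses: E-mail Protection" is absent, and the mirror check on ca-trusted.pem for "Rejected Uses: E-mail Protection", assuming the third argument of cert_contains (1 in the added lines) is the expected-match flag. The plan would then be 140 rather than 138.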
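
Review bot: in the "/* Default */" branch of felem_select() (crypto/ec/ecp_nistp384.c, @@ -718), nothing records why all five pointers must be `_ref` functions there, and the bug being fixed was exactly one `p384_felem_reduce` left in that branch. A short comment above the assignments stating that the `p384_*` routines must not be selected on targets lacking the required instructions would make a future addition of a sixth pointer harder to get wrong.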
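
Review bot: the P-384 patch touches only crypto/ec/ecp_nistp384.c (1 file changed, through the final hunk at @@ -737), so nothing in the tree exercises the fallback path of felem_select() in a build with ECP_NISTP384_ASM defined. Since the request itself notes that the buildds and the porterbox are POWER9, a regression in the default branch would again go undetected by the test suite; consider a test run that forces the default branch, or record the POWER8 verification in the patch header so that the next cherry-pick can repeat it.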