Bug 1208393

Summary: OpenSSL 3.0.8 breaks PKITS test 4.1.5 (which requires DSA parameter inheritance)
Product: [openSUSE] openSUSE Tumbleweed
Component: Security
Status: RESOLVED FIXED
Severity: Normal
Priority: P3 - Medium
Version: Current
Target Milestone: ---
Hardware: Other
OS: Other
Reporter: Otto Hollmann <otto.hollmann>
Assignee: Otto Hollmann <otto.hollmann>
QA Contact: E-mail List <qa-bugs>
CC: jayjayjazz, otto.hollmann, pmonrealgonzalez

Description Otto Hollmann 2023-02-16 15:37:36 UTC
Indeed, just decoding the certificate fails:

> openssl x509 -noout -text -in ValidDSAParameterInheritanceTest5EE.crt
The output includes

>        Subject Public Key Info:
>            Public Key Algorithm: dsaEncryption
>            Unable to load Public Key
>40477373937F0000:error:03000072:digital envelope routines:X509_PUBKEY_get0:decode error:../crypto/x509/x_pubkey.c:458:
>40477373937F0000:error:03000072:digital envelope routines:X509_PUBKEY_get0:decode error:../crypto/x509/x_pubkey.c:458:
>        X509v3 extensions:

Upstream issues:
https://github.com/openssl/openssl/issues/20233
https://github.com/openssl/openssl/issues/20309

Also it is causing a build failure of the qca:qt5 package and thus blocking the release of OpenSSL 3.0.8 with 8 CVE fixes.
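An added example, not part of this bug report or of OpenSSL, for triaging certificates for the condition described above: a small dependency-free DER walker that classifies the parameters field of a dsaEncryption SubjectPublicKeyInfo as absent (inherited from the issuer per RFC 3279, which is what OpenSSL 3.0.8 refuses to decode), NULL, or present. `make_dsa_spki`, `TOY_DSS_PARMS` and the toy key values are constructed for the demonstration only.

```python
# Added example (not from the bug report): classify the parameters field of a
# dsaEncryption AlgorithmIdentifier inside a DER SubjectPublicKeyInfo. RFC 3279
# allows the field to be absent, meaning p, q and g are inherited from the
# issuer (the case PKITS 4.1.5 exercises); OpenSSL 3.0.8 fails to decode such
# keys with the X509_PUBKEY_get0 error quoted above. Samples below are toys.

DSA_OID = bytes.fromhex("2a8648ce380401")  # 1.2.840.10040.4.1 dsaEncryption


def _tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def dsa_parameter_status(spki_der):
    """Return 'absent' (inherited; breaks on 3.0.8), 'null', 'present'
    (a Dss-Parms SEQUENCE), 'unexpected', or None for non-DSA keys."""
    stag, spki, _ = _tlv(spki_der, 0)  # SubjectPublicKeyInfo SEQUENCE
    atag, alg, _ = _tlv(spki, 0)       # AlgorithmIdentifier SEQUENCE
    otag, oid, pos = _tlv(alg, 0)      # algorithm OID
    if (stag, atag, otag) != (0x30, 0x30, 0x06):
        raise ValueError("malformed SubjectPublicKeyInfo")
    if oid != DSA_OID:
        return None
    if pos >= len(alg):  # nothing follows the OID: parameters absent (inherited)
        return "absent"
    return {0x05: "null", 0x30: "present"}.get(alg[pos], "unexpected")


def _der(tag, body):
    """Encode one short-form DER TLV (enough for the toy samples here)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body


def make_dsa_spki(params=b""):
    """Constructed toy DSA SPKI with y=5. params is the raw DER parameters
    field: b'' = absent, b'\\x05\\x00' = NULL, or a Dss-Parms SEQUENCE."""
    alg = _der(0x30, _der(0x06, DSA_OID) + params)
    return _der(0x30, alg + _der(0x03, b"\x00" + _der(0x02, b"\x05")))


# Toy Dss-Parms {p=7, q=3, g=2}: structurally valid, cryptographically meaningless.
TOY_DSS_PARMS = _der(0x30, b"".join(_der(0x02, bytes([v])) for v in (7, 3, 2)))
```

To check a real certificate, extract its SubjectPublicKeyInfo DER (for example with `openssl x509 -pubkey -noout` piped through `openssl pkey -pubin -outform DER` on a build that still decodes it) and pass the bytes to `dsa_parameter_status`; any result of `absent` marks a certificate that will hit this bug on 3.0.8.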
Comment 1 Jazz 2023-02-18 10:32:33 UTC
(In reply to Otto Hollmann from comment #0)
> Indeed, just decoding the certificate fails:
> 
> > openssl x509 -noout -text -in ValidDSAParameterInheritanceTest5EE.crt
> The output includes
> 
> >        Subject Public Key Info:
> >            Public Key Algorithm: dsaEncryption
> >            Unable to load Public Key
> >40477373937F0000:error:03000072:digital envelope routines:X509_PUBKEY_get0:decode error:../crypto/x509/x_pubkey.c:458:
> >40477373937F0000:error:03000072:digital envelope routines:X509_PUBKEY_get0:decode error:../crypto/x509/x_pubkey.c:458:
> >        X509v3 extensions:
> 
> Upstream issues:
> https://github.com/openssl/openssl/issues/20233
> https://github.com/openssl/openssl/issues/20309
> 
> Also it causing build failure of qca:qt5 package and thus blocking release
> of OpenSSL 3.0.8 with 8 CVE fixes.

Hi Otto,

just checked both upstream bugs.

The first one (https://github.com/openssl/openssl/issues/20233) mentions that there will be no change in upstream, as a change according to RFC 3279 might cause CVE-2023-0217.

The second bug (https://github.com/openssl/openssl/issues/20309) was closed without change.

Is there any chance that we could have openssl-3 3.0.8 available, as it fixes various CVEs? Uninstalling libopenssl3 is currently not a workaround, as it would remove hundreds of other packages.
Comment 2 Otto Hollmann 2023-02-20 09:40:44 UTC
I was about to temporarily revert one commit (fab4973) in OpenSSL, but I just found that KDE upstream decided to remove the failing test. So let's remove this test from our codestream as well. I will prepare a submit request.

> https://invent.kde.org/libraries/qca/-/merge_requests/93
Comment 3 Otto Hollmann 2023-02-20 11:23:46 UTC
Submitted
> https://build.opensuse.org/request/show/1066801
Comment 4 OBSbugzilla Bot 2023-02-20 14:05:02 UTC
This is an autogenerated message for OBS integration:
This bug (1208393) was mentioned in
https://build.opensuse.org/request/show/1066832 Factory / qca
Comment 5 Otto Hollmann 2023-02-21 09:07:53 UTC
Request with OpenSSL 3.0.8 got accepted:
> https://build.opensuse.org/request/show/1063740

So I'm closing this bug.