
OpenSSL 1.1.1-1.1.1o, 3.0.0-3.0.3, 1.0.2-1.0.2ze shell command injection attack

Posted: Thu Jul 07, 2022 7:55 am
by artemis

https://www.cve.org/CVERecord?id=CVE-2022-2068

basically the deal here is that if someone can get openssl's c_rehash script to look at a folder they control, they can make a file with a special name that will let them make openssl run an arbitrary command for them. so it runs as whatever user c_rehash runs as.

i don't think pups from woof-ce even run this script by default, maybe some of the projects closer to stock distributions do, i don't have any to check. this doesn't really matter on a system where everything is root anyhow. mainly a problem for certain multi-user machine setups, or if someone hacks your web server or something.

This could be bad if you are affected, but are you actually affected? if nothing is running c_rehash, no. do your own research.

fixed in 3.0.5, 1.1.1p, 1.0.2zf
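A defender-side check for the two questions raised in the post above, as an added example that is not part of the original thread or of OpenSSL: is the installed release older than the fixed versions listed, and does a certificate directory that c_rehash might process contain unexpectedly named files. The allowlist pattern and the function names are assumptions of this example; the two version lines are the ones posted in this thread.

```python
import os
import re
import tempfile

# First release per branch that carries the fix, as listed in the post above.
FIXED = {"1.0.2": "zf", "1.1.1": "p", "3.0": "5"}
# Conservative allowlist (an assumption of this example, not OpenSSL's own rule).
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")

def patch_key(branch, patch):
    """Order patch levels: 3.0.x numerically; 1.x letters as '' < 'a' < 'z' < 'za'."""
    return (int(patch),) if branch == "3.0" else (len(patch), patch)

def needs_update(version_line):
    """True/False for a branch in FIXED, None if the line is not recognised."""
    m = (re.match(r"OpenSSL (1\.0\.2|1\.1\.1)([a-z]*)(?![\w.])", version_line)
         or re.match(r"OpenSSL (3\.0)\.(\d+)(?![\w.])", version_line))
    if not m:
        return None
    branch, patch = m.groups()
    return patch_key(branch, patch) < patch_key(branch, FIXED[branch])

def unusual_names(directory):
    """Entries whose names fall outside SAFE_NAME, repr()-escaped for safe display."""
    return sorted(repr(n) for n in os.listdir(directory)
                  if not SAFE_NAME.fullmatch(n))

def demo():
    # `openssl version` output lines as posted in this thread.
    lines = ["OpenSSL 1.1.1  11 Sep 2018",
             "OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)"]
    verdicts = [needs_update(line) for line in lines]
    # Constructed directory: two ordinary names and one the allowlist rejects.
    with tempfile.TemporaryDirectory() as d:
        for name in ("ca-bundle.crt", "4a6481c9.0", "name with space.pem"):
            open(os.path.join(d, name), "w").close()
        flagged = unusual_names(d)
    return verdicts, flagged

if __name__ == "__main__":
    print(demo())
```

A name flagged here is only a prompt to look at who can write to that directory; the fix itself is the updated OpenSSL release.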


Re: OpenSSL 1.1.1-1.1.1o, 3.0.0-3.0.3, 1.0.2-1.0.2ze shell command injection attack

Posted: Tue Jul 12, 2022 11:33 am
by ozsouth

openssl 1.1.1q is now released. One moderate severity security fix plus bugfixes. openssl 3.0.5 also released & has a high severity security fix too.


Re: OpenSSL 1.1.1-1.1.1o, 3.0.0-3.0.3, 1.0.2-1.0.2ze shell command injection attack

Posted: Wed Jul 13, 2022 2:46 am
by rockedge

I have compiled openssl-1.1.1q and created a PET in Bionic64-8.

This is fresh off the press and is NOT tested yet. Loads in /usr/local/

Download -> openssl-1.1.1q-x86_64.pet


Re: OpenSSL 1.1.1-1.1.1o, 3.0.0-3.0.3, 1.0.2-1.0.2ze shell command injection attack

Posted: Wed Jul 13, 2022 3:54 am
by Grey

rockedge wrote: Wed Jul 13, 2022 2:46 am

I have compiled openssl-1.1.1q and created a PET in Bionic64-8
This is fresh off the press and is NOT tested yet. Loads in /usr/local/

Hello. What does the openssl version command output?


Re: OpenSSL 1.1.1-1.1.1o, 3.0.0-3.0.3, 1.0.2-1.0.2ze shell command injection attack

Posted: Wed Jul 13, 2022 4:46 am
by rockedge

@Grey

Code:

root-# openssl version
OpenSSL 1.1.1  11 Sep 2018

I have not tested the PET on this system yet. I am working with Zoneminder builds and creating a PET for ZM, so I am hesitant to try the openssl-1.1.1q.

I also have openssl-3.0.5-dev compiled.


Re: OpenSSL 1.1.1-1.1.1o, 3.0.0-3.0.3, 1.0.2-1.0.2ze shell command injection attack

Posted: Wed Jul 13, 2022 5:14 am
by geo_c

Does that script have to be called from connected email servers for ssl to work? I compiled neo-mutt with open-ssl and I have that file in /usr/bin. I ask because root/group/others all have executable privilege.

So might unsetting those help, or does the injection cause the script to be called from root anyway, so it doesn't matter if the others/group permissions are switched off?


Re: OpenSSL 1.1.1-1.1.1o, 3.0.0-3.0.3, 1.0.2-1.0.2ze shell command injection attack

Posted: Wed Jul 13, 2022 6:38 am
by williams2

Code:

# grep -i puppysfs /etc/DISTRO_SPECS 
DISTRO_PUPPYSFS='puppy_bionicpup64_8.0.sfs'
#
# openssl version
OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)
#

Code:

./configure
make
make test
make install


Re: OpenSSL 1.1.1-1.1.1o, 3.0.0-3.0.3, 1.0.2-1.0.2ze shell command injection attack

Posted: Wed Jul 13, 2022 6:45 am
by Grey

rockedge wrote: Wed Jul 13, 2022 3:54 am

Loads in /usr/local/

As far as I remember, in the entire line of systems from Phil, the /usr/local directory does NOT have priority over /usr. Therefore, it is better to compile with --prefix=/usr.

Probably @dimkr has already fixed this in woof-ce.


Re: OpenSSL 1.1.1-1.1.1o, 3.0.0-3.0.3, 1.0.2-1.0.2ze shell command injection attack

Posted: Thu Jul 14, 2022 12:26 am
by rockedge

@Grey

I have re-compiled openSSL 1.1.1q and built a PET in Bionic64-8 that installs in /usr.