Headline
CVE-2021-44732: Release Mbed TLS 2.16.12 · Mbed-TLS/mbedtls
Mbed TLS before 3.0.1 has a double free in certain out-of-memory conditions, as demonstrated by an mbedtls_ssl_set_session() failure.
Description
This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues.
This is the last release of the 2.16 long-time support branch. Users who want a long-time branch should move to mbedtls-2.28, which is backward-compatible and will be supported for at least 3 years.
Security Advisories
For full details, please see the following links:
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-12
Release Notes
Security
- Zeroize several intermediate variables used to calculate the expected
value when verifying a MAC or AEAD tag. This hardens the library in
case the value leaks through a memory disclosure vulnerability. For
example, a memory disclosure vulnerability could have allowed a
man-in-the-middle to inject fake ciphertext into a DTLS connection.
- Fix a double-free that happened after mbedtls_ssl_set_session() or
mbedtls_ssl_get_session() failed with MBEDTLS_ERR_SSL_ALLOC_FAILED
(out of memory). After that, calling mbedtls_ssl_session_free()
and mbedtls_ssl_free() would cause an internal session buffer to
be free()'d twice.
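The first Security item above is about a defensive habit rather than a single bug: the expected tag is derived from the key, so it should not outlive the comparison. The following C program is an added example (not Mbed TLS code) that shows the pattern in isolation: a constant-flow comparison of the received tag against the computed one, followed by zeroization of the computed tag through a volatile pointer so the compiler cannot elide the stores. The helper names (secure_zero, ct_memcmp, verify_tag, tag_roundtrip_ok), the 16-byte tag length and the toy keyed checksum used in place of a real MAC are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Tag length in bytes (an assumption for this example). */
#define TAG_LEN 16

/* Zeroize through a volatile pointer so the compiler cannot drop the
 * stores as dead (the buffer is never read again afterwards). */
static void secure_zero(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *) buf;
    while (len--) {
        *p++ = 0;
    }
}

/* Constant-flow comparison: touches every byte regardless of where the
 * first mismatch is. Returns 0 when equal, non-zero otherwise. */
static int ct_memcmp(const unsigned char *a, const unsigned char *b, size_t len)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < len; i++) {
        diff |= (unsigned char) (a[i] ^ b[i]);
    }
    return diff;
}

/* Toy keyed checksum standing in for a real MAC/AEAD tag computation.
 * Constructed for illustration only; it has no cryptographic strength. */
static void toy_tag(const unsigned char *key, size_t key_len,
                    const unsigned char *msg, size_t msg_len,
                    unsigned char out[TAG_LEN])
{
    memset(out, 0, TAG_LEN);
    for (size_t i = 0; i < msg_len; i++) {
        out[i % TAG_LEN] ^= (unsigned char) (msg[i] + key[i % key_len] + i);
    }
}

/* Verify a received tag. The expected tag is derived from the key, so it
 * is wiped before returning on every path: a later memory disclosure then
 * cannot hand an attacker a valid tag for a message of their choosing.
 * Returns 0 if the tag is valid and -1 otherwise. */
int verify_tag(const unsigned char *key, size_t key_len,
               const unsigned char *msg, size_t msg_len,
               const unsigned char received[TAG_LEN])
{
    unsigned char expected[TAG_LEN];
    int ret;

    toy_tag(key, key_len, msg, msg_len, expected);
    ret = (ct_memcmp(expected, received, TAG_LEN) == 0) ? 0 : -1;

    secure_zero(expected, sizeof(expected));   /* wipe the secret-derived intermediate */
    return ret;
}

/* Self-check over a constructed key/message pair: returns 1 when a correct
 * tag is accepted and a tag with one flipped bit is rejected. */
int tag_roundtrip_ok(void)
{
    const unsigned char key[] = "constructed-key";
    const unsigned char msg[] = "constructed message body";
    unsigned char tag[TAG_LEN];
    int accepted, rejected;

    toy_tag(key, sizeof(key) - 1, msg, sizeof(msg) - 1, tag);
    accepted = (verify_tag(key, sizeof(key) - 1, msg, sizeof(msg) - 1, tag) == 0);
    tag[3] ^= 0x01;
    rejected = (verify_tag(key, sizeof(key) - 1, msg, sizeof(msg) - 1, tag) == -1);
    return accepted && rejected;
}

int main(void)
{
    printf("tag round trip %s\n", tag_roundtrip_ok() ? "ok" : "FAILED");
    return 0;
}
```

The point of the volatile walk in secure_zero is that a plain memset() on a buffer that is about to go out of scope is a dead store the optimizer is entitled to remove; the volatile qualifier takes that option away.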
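The double-free item above is an instance of a general C error-path hazard: a copy routine that shallow-copies a struct (so the destination temporarily aliases the source's heap buffer) and then returns early when the deep-copy allocation fails, leaving the alias in place for the caller's cleanup to free a second time. The program below is an added example, not Mbed TLS code, that models that pattern with a hypothetical session_t holding one owned buffer; the names session_copy_buggy, session_copy_fixed, copy_leaves_alias and try_alloc, the ERR_ALLOC_FAILED value and the g_fail_alloc switch that simulates out-of-memory are all assumptions for the example. The buggy variant reproduces the hazard, the fixed variant clears the borrowed pointer before anything can fail, and the check detects the dangling alias without actually executing the double free.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Error code for this example; stands in for MBEDTLS_ERR_SSL_ALLOC_FAILED. */
#define ERR_ALLOC_FAILED (-0x7F00)

/* Hypothetical session object (assumption for this example): one owned
 * heap buffer plus its length, standing in for the library's session. */
typedef struct {
    unsigned char *ticket;
    size_t ticket_len;
} session_t;

/* Switch that makes the allocator fail so the out-of-memory path can be
 * exercised deterministically. */
static int g_fail_alloc = 0;

static void *try_alloc(size_t n)
{
    return g_fail_alloc ? NULL : malloc(n);
}

/* Release what the session owns. Callers run this on every path, including
 * after a failed copy, so it must never see a pointer the session does not own. */
void session_free(session_t *s)
{
    free(s->ticket);
    s->ticket = NULL;
    s->ticket_len = 0;
}

/* Buggy copy, modelled on the pattern behind the advisory: the shallow
 * struct copy leaves dst->ticket aliasing src->ticket, and the early return
 * on allocation failure keeps that alias. session_free(dst) then frees
 * src's buffer and session_free(src) frees it a second time. */
int session_copy_buggy(session_t *dst, const session_t *src)
{
    unsigned char *buf;

    session_free(dst);
    *dst = *src;                    /* dst->ticket now aliases src->ticket */
    if (src->ticket == NULL) return 0;
    buf = try_alloc(src->ticket_len);
    if (buf == NULL) return ERR_ALLOC_FAILED;   /* BUG: alias left behind in dst */
    memcpy(buf, src->ticket, src->ticket_len);
    dst->ticket = buf;
    return 0;
}

/* Fixed copy: clear the borrowed pointer before anything can fail, so on
 * failure dst is simply an empty session that is safe to free. */
int session_copy_fixed(session_t *dst, const session_t *src)
{
    session_free(dst);
    *dst = *src;
    dst->ticket = NULL;             /* drop the alias first */
    dst->ticket_len = 0;
    if (src->ticket == NULL) return 0;
    dst->ticket = try_alloc(src->ticket_len);
    if (dst->ticket == NULL) return ERR_ALLOC_FAILED;   /* dst still owns nothing */
    memcpy(dst->ticket, src->ticket, src->ticket_len);
    dst->ticket_len = src->ticket_len;
    return 0;
}

/* Run one copy under simulated out-of-memory and report whether dst was
 * left aliasing src's buffer (1) or not (0). The alias is detached before
 * freeing, because actually executing the double free is undefined behaviour. */
int copy_leaves_alias(int use_fixed)
{
    const unsigned char sample[] = { 0x01, 0x02, 0x03, 0x04 }; /* constructed ticket */
    session_t src = { NULL, 0 }, dst = { NULL, 0 };
    int ret, aliased;

    src.ticket = malloc(sizeof(sample));
    if (src.ticket == NULL) return -1;
    memcpy(src.ticket, sample, sizeof(sample));
    src.ticket_len = sizeof(sample);

    g_fail_alloc = 1;
    ret = use_fixed ? session_copy_fixed(&dst, &src) : session_copy_buggy(&dst, &src);
    g_fail_alloc = 0;

    aliased = (ret == ERR_ALLOC_FAILED && dst.ticket != NULL && dst.ticket == src.ticket);
    if (aliased) {
        dst.ticket = NULL;          /* detach; freeing it here would be the double free */
    }
    session_free(&dst);
    session_free(&src);
    return aliased;
}

int main(void)
{
    printf("buggy copy leaves alias: %d\n", copy_leaves_alias(0)); /* 1 */
    printf("fixed copy leaves alias: %d\n", copy_leaves_alias(1)); /* 0 */
    return 0;
}
```

The invariant the fix restores is that a destination object is always in a state its free routine can handle, whether the copy succeeded or failed. Building with AddressSanitizer and letting the detach step in copy_leaves_alias fall away would report the same double free the advisory describes.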
Bugfix
- Stop using reserved identifiers as local variables. Fixes #4630.
- The GNU makefiles invoke python3 in preference to python except on Windows.
The check was accidentally not performed when cross-compiling for Windows
on Linux. Fix this. Fixes #4774.
- Mark basic constraints critical as appropriate. Note that the previous
entry for this fix in the 2.16.10 changelog was in error, and it was not
included in the 2.16.10 release as was stated.
Make ‘mbedtls_x509write_crt_set_basic_constraints’ consistent with RFC
5280 4.2.1.9 which says: “Conforming CAs MUST include this extension in
all CA certificates that contain public keys used to validate digital
signatures on certificates and MUST mark the extension as critical in
such certificates.” Previous to this change, the extension was always
marked as non-critical. This was fixed by #4044.
- Fix missing constraints on x86_64 assembly code for bignum multiplication
that broke some bignum operations with (at least) Clang 12.
Fixes #4116, #4786, #4917.
- Failures of alternative implementations of AES or DES single-block
functions enabled with MBEDTLS_AES_ENCRYPT_ALT, MBEDTLS_AES_DECRYPT_ALT,
MBEDTLS_DES_CRYPT_ECB_ALT or MBEDTLS_DES3_CRYPT_ECB_ALT were ignored.
This does not concern the implementation provided with Mbed TLS,
where these functions cannot fail, or full-module replacements with
MBEDTLS_AES_ALT or MBEDTLS_DES_ALT. Reported by Armelle Duboc in #1092.
- Some failures of HMAC operations were ignored. These failures could only
happen with an alternative implementation of the underlying hash module.
- Fix the build of sample programs when neither MBEDTLS_ERROR_C nor
MBEDTLS_ERROR_STRERROR_DUMMY is enabled.
- Fix a bug in mbedtls_gcm_starts() when the bit length of the iv
exceeds 2^32. Fixes #4884.
- Fix the build when no SHA2 module is included. Fixes #4930.
- Fix the build when only the bignum module is included. Fixes #4929.
- Fix potential invalid pointer dereference and infinite loop bugs in
pkcs12 functions when the password is empty. Fix the documentation to
better describe the inputs to these functions and their possible values.
Fixes #5136.
Changes
- Improve the performance of base64 constant-flow code. The result is still
slower than the original non-constant-flow implementation, but much faster
than the previous constant-flow implementation. Fixes #4814.
Who should update
We recommend that all users update, at an appropriate point in their development lifecycle, to take advantage of the bug fixes contained in this release.
Checksum
The SHA256 hashes for the archives are:
294871ab1864a65d0b74325e9219d5bcd6e91c34a3c59270c357bb9ae4d5c393 mbedtls-2.16.12.tar.gz
1a3169e7016e7a737ea7904a7108aac7f97668f79baee6165dee9ba596cf7c10 mbedtls-2.16.12.zip
Related news
Gentoo Linux Security Advisory 202301-8 - Multiple vulnerabilities have been discovered in Mbed TLS, the worst of which could result in arbitrary code execution. Versions less than 2.28.1 are affected.