zlib、OpenSSL漏洞及解决

1. 漏洞描述

• CVE: CVE-2016-9843。 zlib 1.2.8版本中存在拒绝服务漏洞。攻击者可利用该漏洞造成受影响的应用程序崩溃，导致拒绝服务。
• CVE: CVE-2020-1967。  OpenSSL 1.1.1d版本、1.1.1e版本和1.1.1f版本中的‘SSL_check_chain()’函数存在代码问题漏洞。远程攻击者可利用该漏洞导致服务器或客户端应用程序崩溃。

2. 解决

更新版本，升级openssl前必须先升级zlib。

2.1 zlib

• 下载zlib-1.2.11，并解压

[root@vt12 ~]# wget http://www.zlib.net/zlib-1.2.11.tar.gz

[root@vt12 ~]# tar -zxvf zlib-1.2.11.tar.gz -C /usr/local/soft/

• 卸载旧库

​
[root@vt12 ~]# rpm -e --nodeps zlib-1.2.7-18.el7.x86_64

​

• 安装zlib-devel

[root@vt12 ~]# yum install zlib-devel

• 编译

[root@vt12 zlib-1.2.11]# ./configure --prefix=/usr/local/zlib && make  && make install
...
chmod 644 /usr/local/zlib/include/zlib.h /usr/local/zlib/include/zconf.h

• 系统配置

[root@vt12 ~]# echo "/usr/local/zlib/" > /etc/ld.so.conf.d/zlib.conf

[root@vt12 ~]# cp /usr/local/soft/zlib-1.2.11/zutil.h /usr/local/include/

[root@vt12 ~]# cp /usr/local/soft/zlib-1.2.11/zutil.c /usr/local/include/

[root@vt12 ~]# cp /usr/local/soft/zlib-1.2.11/zlib.h /usr/local/include/

[root@vt12 ~]# cp /usr/local/soft/zlib-1.2.11/zconf.h /usr/local/include/

• 替换旧版本

# 查看旧版本位置
[root@vt12 ~]# find / -name zlib.pc
/usr/lib64/pkgconfig/zlib.pc           # 旧版本位置
/usr/local/soft/zlib-1.2.11/zlib.pc    # 新版本源码位置 
/usr/local/zlib/lib/pkgconfig/zlib.pc   # 新版本编译后位置

# 替换旧版的zlib.pc
[root@vt12 ~]# cp /usr/local/zlib/lib/pkgconfig/zlib.pc /usr/lib64/pkgconfig/
cp: overwrite ‘/usr/lib64/pkgconfig/zlib.pc’? y

# 删除旧版本的libz.so
[root@vt12 ~]# ls /usr/lib64/libz.so*
/usr/lib64/libz.so  /usr/lib64/libz.so.1  /usr/lib64/libz.so.1.2.7
[root@vt12 ~]# rm -rf  /usr/lib64/libz.so*

# 复制新版本的libz.so
[root@vt12 ~]# cp /usr/local/zlib/lib/libz.so.1.2.11 /usr/lib64/
[root@vt12 ~]# cd /usr/lib64/
[root@vt12 lib64]# ln -s libz.so.1.2.11  libz.so
[root@vt12 lib64]# ln -s libz.so.1.2.11  libz.so.1

• 加载

[root@vt12 zlib-1.2.11]# ldconfig

• 查看版本

[root@vt12 ~]# cat /usr/lib64/pkgconfig/zlib.pc
prefix=/usr/local/zlib
exec_prefix=${prefix}
libdir=${exec_prefix}/lib
sharedlibdir=${libdir}
includedir=${prefix}/include

Name: zlib
Description: zlib compression library
Version: 1.2.11

Requires:
Libs: -L${libdir} -L${sharedlibdir} -lz
Cflags: -I${includedir}

2.2 OpenSSL

• 下载包，并解压

[root@vt12 ~]# wget https://www.openssl.org/source/openssl-1.1.1g.tar.gz

[root@vt12 ~]# tar -zxvf openssl-1.1.1g.tar.gz -C /usr/local/soft/

• 编译安装

[root@vt12 openssl-1.1.1g]# ./config shared zlib
Operating system: x86_64-whatever-linux2
Configuring OpenSSL version 1.1.1g (0x1010107fL) for linux-x86_64
Using os-specific seed configuration
Creating configdata.pm
Creating Makefile

**********************************************************************
***                                                                ***
***   OpenSSL has been successfully configured                     ***
***                                                                ***
***   If you encounter a problem while building, please open an    ***
***   issue on GitHub <https://github.com/openssl/openssl/issues>  ***
***   and include the output from the following command:           ***
***                                                                ***
***       perl configdata.pm --dump                                ***
***                                                                ***
***   (If you are new to OpenSSL, you might want to consult the    ***
***   'Troubleshooting' section in the INSTALL file first)         ***
***                                                                ***
**********************************************************************

[root@vt12 openssl-1.1.1g]# make && make install
...
/usr/local/share/doc/openssl/html/man7/x509.html

• 配置

[root@vt12 ~]# mv /usr/bin/openssl /usr/bin/openssl.bak

[root@vt12 ~]# mv /usr/include/openssl /usr/include/openssl.bak

[root@vt12 include]# find / -name openssl
find: ‘/proc/10546’: No such file or directory
/etc/pki/ca-trust/extracted/openssl
/usr/lib64/openssl
/usr/local/bin/openssl
/usr/local/include/openssl
/usr/local/share/doc/openssl
/usr/local/soft/openssl-1.1.1g/apps/openssl
/usr/local/soft/openssl-1.1.1g/include/openssl
/usr/local/soft/openssl-1.1.1g/test/ossl_shim/include/openssl

[root@vt12 ~]# ln -s /usr/local/bin/openssl /usr/bin/openssl

[root@vt12 ~]# ln -s /usr/local/include/openssl /usr/include/openssl 

[root@vt12 ~]# echo "/usr/local/lib64/" >> /etc/ld.so.conf

[root@vt12 ~]# ldconfig

• 验证

[root@vt12 ~]# openssl version -a
OpenSSL 1.1.1g  21 Apr 2020
built on: Sun Dec 13 14:49:11 2020 UTC
platform: linux-x86_64
options:  bn(64,64) rc4(16x,int) des(int) idea(int) blowfish(ptr) 
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DZLIB -DNDEBUG
OPENSSLDIR: "/usr/local/ssl"
ENGINESDIR: "/usr/local/lib64/engines-1.1"
Seeding source: os-specific