stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
fa4a98dfef353e6065bb8daaa43c05943205fd49
git.stella-ops.org/bench/golden-corpus/golden-sets/CVE-2024-0727.golden.yaml
master 7f7eb8b228 Complete batch 012 (golden set diff) and 013 (advisory chat), fix build errors 
Sprints completed:
- SPRINT_20260110_012_* (golden set diff layer - 10 sprints)
- SPRINT_20260110_013_* (advisory chat - 4 sprints)

Build fixes applied:
- Fix namespace conflicts with Microsoft.Extensions.Options.Options.Create
- Fix VexDecisionReachabilityIntegrationTests API drift (major rewrite)
- Fix VexSchemaValidationTests FluentAssertions method name
- Fix FixChainGateIntegrationTests ambiguous type references
- Fix AdvisoryAI test files required properties and namespace aliases
- Add stub types for CveMappingController (ICveSymbolMappingService)
- Fix VerdictBuilderService static context issue

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-11 10:09:07 +02:00

129 lines
3.9 KiB
YAML
Raw Blame History

# Golden Set: CVE-2024-0727
# OpenSSL PKCS12 Parsing Vulnerability
#
# Sprint: SPRINT_20260110_012_010_TEST
# Task: GTV-001 - OpenSSL Golden Sets
#
# This golden set defines the vulnerability targets for CVE-2024-0727,
# allowing binary-level verification that a patch eliminates the vulnerable code path.
id: "CVE-2024-0727"
version: "1.0.0"
created: "2026-01-11T12:00:00Z"
author: "stellaops-security"
status: "approved"
# Component identification
component:
name: "openssl"
ecosystem: "system"
affectedVersions:
- ">=1.0.2,<1.0.2zd"
- ">=1.1.0,<1.1.1x"
- ">=3.0.0,<3.0.13"
- ">=3.1.0,<3.1.5"
- ">=3.2.0,<3.2.1"
# Vulnerability details
vulnerability:
cveId: "CVE-2024-0727"
severity: "MEDIUM"
cvssScore: 5.5
description: |
Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL
to crash leading to a potential Denial of Service attack.
The PKCS12 specification allows certain fields to be NULL, but OpenSSL does
not correctly check for this case. A NULL value can lead to a memory access
violation when processing PKCS12 files.
references:
- url: "https://www.openssl.org/news/secadv/20240125.txt"
title: "OpenSSL Security Advisory"
- url: "https://nvd.nist.gov/vuln/detail/CVE-2024-0727"
title: "NVD Entry"
# Vulnerability targets - the code locations that must be analyzed
targets:
- function: "PKCS12_parse"
symbolPattern: "PKCS12_parse"
description: "Main PKCS12 parsing function - vulnerable to NULL pointer dereference"
criticalEdges:
- from: "bb_entry"
to: "bb_null_check"
description: "Entry to NULL validation check"
- from: "bb_process"
to: "bb_mac_verify"
description: "Processing to MAC verification"
sinks:
- "memcpy"
- "X509_REQ_get_subject_name"
- "PKCS12_verify_mac"
expectedPatchBehavior: "add_null_check"
- function: "PKCS12_item_decrypt_d2i"
symbolPattern: "PKCS12_item_decrypt_d2i"
description: "PKCS12 decryption - may receive NULL input"
criticalEdges:
- from: "bb_entry"
to: "bb_decrypt"
description: "Entry to decryption block"
sinks:
- "EVP_CIPHER_CTX_free"
- "OPENSSL_cleanse"
expectedPatchBehavior: "add_null_check"
- function: "PKCS8_decrypt"
symbolPattern: "PKCS8_decrypt"
description: "PKCS8 key decryption - downstream of PKCS12_parse"
criticalEdges:
- from: "bb_entry"
to: "bb_key_extract"
description: "Entry to key extraction"
sinks:
- "EVP_DecryptInit_ex"
expectedPatchBehavior: "propagate_null_check"
# Witness data - inputs that trigger the vulnerable path
witness:
command: "openssl pkcs12 -in {input} -passin pass:test"
inputs:
- name: "malformed_pkcs12.p12"
description: "PKCS12 file with NULL MAC field"
sha256: "0000000000000000000000000000000000000000000000000000000000000000" # Placeholder
trigger: "null_mac_pointer"
- name: "malformed_pkcs12_empty_cert.p12"
description: "PKCS12 file with empty certificate bag"
sha256: "0000000000000000000000000000000000000000000000000000000000000001" # Placeholder
trigger: "empty_cert_bag"
# Verification criteria
verification:
# What changes indicate the fix is applied
fixIndicators:
- type: "null_check_added"
location: "PKCS12_parse"
pattern: "if\\s*\\(.*==\\s*NULL\\)"
- type: "return_early"
location: "PKCS12_item_decrypt_d2i"
pattern: "return.*0|NULL"
- type: "edge_removed"
fromFunction: "PKCS12_parse"
description: "Vulnerable edge to MAC processing removed"
# Expected confidence levels
expectedConfidence:
fixed: 0.95
partial: 0.70
inconclusive: 0.50
# Metadata
metadata:
reviewedBy: "security-team"
reviewedAt: "2026-01-11T12:00:00Z"
approvedFor: "production"
tags:
- "memory-safety"
- "null-dereference"
- "crypto"
- "pkcs12"
Reference in New Issue View Git Blame Copy Permalink