CVE-2022-1473 openssl: OPENSSL_LH_flush() breaks reuse of memory

Resolves: rhbz#2089444

0063-CVE-2022-1473.patch

@@ -0,0 +1,13 @@
+diff --git a/crypto/lhash/lhash.c b/crypto/lhash/lhash.c
+index 2a574fbfe6aa..16f482db68a9 100644
+--- a/crypto/lhash/lhash.c
++++ b/crypto/lhash/lhash.c
+@@ -100,6 +100,8 @@ void OPENSSL_LH_flush(OPENSSL_LHASH *lh)
+         }
+         lh->b[i] = NULL;
+     }
++
++    lh->num_items = 0;
+ }
+ 
+ void *OPENSSL_LH_insert(OPENSSL_LHASH *lh, void *data)

openssl.spec

@@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.0.1
-Release: 32%{?dist}
+Release: 33%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -119,6 +119,8 @@ Patch60: 0060-FIPS-KAT-signature-tests.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2087147
 Patch61: 0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch
 Patch62: 0062-Disable-EVP_PKEY_-sign-verify-in-FIPS-provider.patch
+# https://github.com/openssl/openssl/pull/18141
+Patch63: 0063-CVE-2022-1473.patch
 
 License: ASL 2.0
 URL: http://www.openssl.org/
@@ -449,6 +451,10 @@ install -m644 %{SOURCE9} \
 %ldconfig_scriptlets libs
 
 %changelog
+* Thu May 26 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-33
+- CVE-2022-1473 openssl: OPENSSL_LH_flush() breaks reuse of memory
+- Resolves: rhbz#2089444
+
 * Thu May 19 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-32
 - `openssl ecparam -list_curves` lists only FIPS-approved curves in FIPS mode
 - Resolves: rhbz#2083240