From 4a79ec202a2bc1ac7f1e759e64e98dd8e56febb0 Mon Sep 17 00:00:00 2001 From: Stepan Broz Date: Sun, 28 Jun 2026 00:52:23 +0200 Subject: [PATCH] Fix CVE-2026-45447: Fix double-free of caller-owned BIO in PKCS7_verify Resolves: RHEL-179622 Signed-off-by: Stepan Broz --- compat-openssl10.spec | 113 +++++++++++++++------------- openssl-1.0.2o-cve-2026-45447.patch | 38 ++++++++++ 2 files changed, 97 insertions(+), 54 deletions(-) create mode 100644 openssl-1.0.2o-cve-2026-45447.patch diff --git a/compat-openssl10.spec b/compat-openssl10.spec index 5d4b9e3..6b2efa7 100644 --- a/compat-openssl10.spec +++ b/compat-openssl10.spec @@ -22,7 +22,7 @@ Summary: Compatibility version of the OpenSSL library Name: compat-openssl10 Version: 1.0.2o -Release: 4%{?dist}.2 +Release: 4%{?dist}.3 Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -96,6 +96,7 @@ Patch83: openssl-1.0.2o-cve-2022-0778.patch Patch84: openssl-1.0.2o-update-expired-certificates.patch Patch85: openssl-1.0.2-cve-2023-0286-X400.patch Patch86: openssl-1.0.2o-cve-2026-28390.patch +Patch87: openssl-1.0.2o-cve-2026-45447.patch License: OpenSSL Group: System Environment/Libraries @@ -146,62 +147,63 @@ support various cryptographic algorithms and protocols. cp %{SOURCE12} %{SOURCE13} crypto/ec/ -%patch1 -p1 -b .rpmbuild -%patch2 -p1 -b .defaults -%patch4 -p1 -b .enginesdir %{?_rawbuild} -%patch5 -p1 -b .no-rpath -%patch6 -p1 -b .use-localhost -%patch7 -p1 -b .timezone -%patch8 -p1 -b .perlfind %{?_rawbuild} -%patch9 -p1 -b .aliasing -%patch10 -p1 -b .conf-10 +%patch -P 1 -p1 -b .rpmbuild +%patch -P 2 -p1 -b .defaults +%patch -P 4 -p1 -b .enginesdir %{?_rawbuild} +%patch -P 5 -p1 -b .no-rpath +%patch -P 6 -p1 -b .use-localhost +%patch -P 7 -p1 -b .timezone +%patch -P 8 -p1 -b .perlfind %{?_rawbuild} +%patch -P 9 -p1 -b .aliasing +%patch -P 10 -p1 -b .conf-10 -%patch23 -p1 -b .default-paths -%patch24 -p1 -b .issuer-hash +%patch -P 23 -p1 -b .default-paths +%patch -P 24 -p1 -b .issuer-hash -%patch33 -p1 -b .ca-dir -%patch34 -p1 -b .x509 -%patch35 -p1 -b .version-add-engines -%patch39 -p1 -b .ipv6-apps -%patch40 -p1 -b .fips -%patch45 -p1 -b .env-zlib -%patch47 -p1 -b .warning -%patch49 -p1 -b .algo-doc -%patch50 -p1 -b .dtls1-abi -%patch51 -p1 -b .version -%patch56 -p1 -b .x931 -%patch58 -p1 -b .md5-allow -%patch60 -p1 -b .dgst -%patch63 -p1 -b .starttls -%patch65 -p1 -b .chil -%patch66 -p1 -b .pkgconfig -%patch68 -p1 -b .secure-getenv -%patch70 -p1 -b .fips-ec -%patch71 -p1 -b .manfix -%patch72 -p1 -b .fips-ctor -%patch73 -p1 -b .suiteb -%patch74 -p1 -b .deprecate-algos -%patch75 -p1 -b .compat -%patch76 -p1 -b .fips-reqs -%patch77 -p1 -b .strength -%patch78 -p1 -b .cc-reqs -%patch90 -p1 -b .enc-fail -%patch92 -p1 -b .system -%patch93 -p1 -b .v2v3 -%patch94 -p1 -b .secp256k1 -%patch95 -p1 -b .nistp224 -%patch96 -p1 -b .speed-doc -%patch97 -p1 -b .nokrb5-abi -%patch98 -p1 -b .long-hello -%patch99 -p1 -b .randlock +%patch -P 33 -p1 -b .ca-dir +%patch -P 34 -p1 -b .x509 +%patch -P 35 -p1 -b .version-add-engines +%patch -P 39 -p1 -b .ipv6-apps +%patch -P 40 -p1 -b .fips +%patch -P 45 -p1 -b .env-zlib +%patch -P 47 -p1 -b .warning +%patch -P 49 -p1 -b .algo-doc +%patch -P 50 -p1 -b .dtls1-abi +%patch -P 51 -p1 -b .version +%patch -P 56 -p1 -b .x931 +%patch -P 58 -p1 -b .md5-allow +%patch -P 60 -p1 -b .dgst +%patch -P 63 -p1 -b .starttls +%patch -P 65 -p1 -b .chil +%patch -P 66 -p1 -b .pkgconfig +%patch -P 68 -p1 -b .secure-getenv +%patch -P 70 -p1 -b .fips-ec +%patch -P 71 -p1 -b .manfix +%patch -P 72 -p1 -b .fips-ctor +%patch -P 73 -p1 -b .suiteb +%patch -P 74 -p1 -b .deprecate-algos +%patch -P 75 -p1 -b .compat +%patch -P 76 -p1 -b .fips-reqs +%patch -P 77 -p1 -b .strength +%patch -P 78 -p1 -b .cc-reqs +%patch -P 90 -p1 -b .enc-fail +%patch -P 92 -p1 -b .system +%patch -P 93 -p1 -b .v2v3 +%patch -P 94 -p1 -b .secp256k1 +%patch -P 95 -p1 -b .nistp224 +%patch -P 96 -p1 -b .speed-doc +%patch -P 97 -p1 -b .nokrb5-abi +%patch -P 98 -p1 -b .long-hello +%patch -P 99 -p1 -b .randlock -%patch80 -p1 -b .wrap -%patch81 -p1 -b .padlock64 -%patch82 -p1 -b .trusted-first -%patch83 -p1 -b .cve-2022-0778 -%patch84 -p1 -b .update-expired-certificates -%patch85 -p1 -b .cve-2023-0286 -%patch86 -p1 -b .cve-2026-28390 +%patch -P 80 -p1 -b .wrap +%patch -P 81 -p1 -b .padlock64 +%patch -P 82 -p1 -b .trusted-first +%patch -P 83 -p1 -b .cve-2022-0778 +%patch -P 84 -p1 -b .update-expired-certificates +%patch -P 85 -p1 -b .cve-2023-0286 +%patch -P 86 -p1 -b .cve-2026-28390 +%patch -P 87 -p1 -b .cve-2026-45447 sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h @@ -424,6 +426,9 @@ install -m 644 apps/openssl10.cnf $RPM_BUILD_ROOT%{_sysconfdir}/pki/openssl10.cn %postun -p /sbin/ldconfig %changelog +* Fri Jun 26 2026 Stepan Broz - 1.1.0-2o-4.3 +- Fix CVE-2026-45447: Fix double-free of caller-owned BIO in PKCS7_verify + * Fri May 15 2026 Pavol Žáčik - 1.1.0.2o-4.2 - Fixes CVE-2026-28390: Denial of Service due to NULL pointer dereference in CMS EnvelopedData processing Resolves: RHEL-165754 diff --git a/openssl-1.0.2o-cve-2026-45447.patch b/openssl-1.0.2o-cve-2026-45447.patch new file mode 100644 index 0000000..5ba5712 --- /dev/null +++ b/openssl-1.0.2o-cve-2026-45447.patch @@ -0,0 +1,38 @@ +From 5cad5ea0a5f8b903afc82a115269e4ef32b5a8e7 Mon Sep 17 00:00:00 2001 +From: Stepan Broz +Date: Sun, 28 Jun 2026 00:42:19 +0200 +Subject: [PATCH] Fix double-free of caller-owned BIO in PKCS7_verify + +When PKCS7_dataInit creates no filter BIOs (e.g. empty digestAlgorithms +SET), it returns p7bio pointing directly to the caller's indata BIO. +The cleanup code in PKCS7_verify then frees indata via BIO_free_all(p7bio), +leaving the caller with a dangling pointer and causing a double-free +when the caller frees its own BIO. + +Guard BIO_free_all with a check that p7bio is not the caller's indata BIO. + +Co-Authored-By: Claude Opus 4.6 +--- + crypto/pkcs7/pk7_smime.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/crypto/pkcs7/pk7_smime.c b/crypto/pkcs7/pk7_smime.c +index dc9b484..163acfa 100644 +--- a/crypto/pkcs7/pk7_smime.c ++++ b/crypto/pkcs7/pk7_smime.c +@@ -408,8 +408,11 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, + if (tmpin == indata) { + if (indata) + BIO_pop(p7bio); ++ if (p7bio != indata) ++ BIO_free_all(p7bio); ++ } else { ++ BIO_free_all(p7bio); + } +- BIO_free_all(p7bio); + sk_X509_free(signers); + return ret; + } +-- +2.54.0 +