import UBI compat-openssl10-1.0.2o-4.el8_10.2
This commit is contained in:
AlmaLinux RelEng Bot
parent
bdc42685a6
commit
94763ff4c5
82
SOURCES/openssl-1.0.2o-cve-2026-28390.patch
Normal file
82
SOURCES/openssl-1.0.2o-cve-2026-28390.patch
Normal file
@ -0,0 +1,82 @@
|
||||
From 5e3a6358423f5fe7d940bc3b43b6be1f71a0400a Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavol=20=C5=BD=C3=A1=C4=8Dik?= <pzacik@redhat.com>
|
||||
Date: Fri, 15 May 2026 11:39:00 +0200
|
||||
Subject: [PATCH] Fix CVE-2026-28390
|
||||
|
||||
Ensure that if we are missing parameters in
|
||||
RSA-OAEP SourceFunc in CMS KeyTransportRecipientInfo,
|
||||
we don't segfault when decrypting.
|
||||
---
|
||||
crypto/rsa/rsa_ameth.c | 31 +++++++++++++++++++++----------
|
||||
1 file changed, 21 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
|
||||
index ddead3d..32f1ede 100644
|
||||
--- a/crypto/rsa/rsa_ameth.c
|
||||
+++ b/crypto/rsa/rsa_ameth.c
|
||||
@@ -798,11 +798,14 @@ static int rsa_cms_decrypt(CMS_RecipientInfo *ri)
|
||||
X509_ALGOR *cmsalg;
|
||||
int nid;
|
||||
int rv = -1;
|
||||
- unsigned char *label = NULL;
|
||||
+ const unsigned char *label = NULL;
|
||||
int labellen = 0;
|
||||
const EVP_MD *mgf1md = NULL, *md = NULL;
|
||||
RSA_OAEP_PARAMS *oaep;
|
||||
X509_ALGOR *maskHash;
|
||||
+ const ASN1_OBJECT *aoid;
|
||||
+ const void *parameter = NULL;
|
||||
+ int ptype = 0;
|
||||
pkctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
|
||||
if (!pkctx)
|
||||
return 0;
|
||||
@@ -831,20 +834,18 @@ static int rsa_cms_decrypt(CMS_RecipientInfo *ri)
|
||||
goto err;
|
||||
|
||||
if (oaep->pSourceFunc) {
|
||||
- X509_ALGOR *plab = oaep->pSourceFunc;
|
||||
- if (OBJ_obj2nid(plab->algorithm) != NID_pSpecified) {
|
||||
+ X509_ALGOR_get0(&aoid, &ptype, ¶meter, oaep->pSourceFunc);
|
||||
+ if (OBJ_obj2nid(aoid) != NID_pSpecified) {
|
||||
RSAerr(RSA_F_RSA_CMS_DECRYPT, RSA_R_UNSUPPORTED_LABEL_SOURCE);
|
||||
goto err;
|
||||
}
|
||||
- if (plab->parameter->type != V_ASN1_OCTET_STRING) {
|
||||
+ if (ptype != V_ASN1_OCTET_STRING) {
|
||||
RSAerr(RSA_F_RSA_CMS_DECRYPT, RSA_R_INVALID_LABEL);
|
||||
goto err;
|
||||
}
|
||||
|
||||
- label = plab->parameter->value.octet_string->data;
|
||||
- /* Stop label being freed when OAEP parameters are freed */
|
||||
- plab->parameter->value.octet_string->data = NULL;
|
||||
- labellen = plab->parameter->value.octet_string->length;
|
||||
+ label = ASN1_STRING_data(parameter);
|
||||
+ labellen = ASN1_STRING_length(parameter);
|
||||
}
|
||||
|
||||
if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_OAEP_PADDING) <= 0)
|
||||
@@ -853,8 +854,18 @@ static int rsa_cms_decrypt(CMS_RecipientInfo *ri)
|
||||
goto err;
|
||||
if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md) <= 0)
|
||||
goto err;
|
||||
- if (EVP_PKEY_CTX_set0_rsa_oaep_label(pkctx, label, labellen) <= 0)
|
||||
- goto err;
|
||||
+ if (label != NULL) {
|
||||
+ unsigned char *dup_label = OPENSSL_malloc(labellen);
|
||||
+
|
||||
+ if (dup_label == NULL)
|
||||
+ goto err;
|
||||
+ memcpy(dup_label, label, labellen);
|
||||
+
|
||||
+ if (EVP_PKEY_CTX_set0_rsa_oaep_label(pkctx, dup_label, labellen) <= 0) {
|
||||
+ OPENSSL_free(dup_label);
|
||||
+ goto err;
|
||||
+ }
|
||||
+ }
|
||||
/* Carry on */
|
||||
rv = 1;
|
||||
|
||||
--
|
||||
2.53.0
|
||||
|
||||
@ -22,7 +22,7 @@
|
||||
Summary: Compatibility version of the OpenSSL library
|
||||
Name: compat-openssl10
|
||||
Version: 1.0.2o
|
||||
Release: 4%{?dist}.1
|
||||
Release: 4%{?dist}.2
|
||||
Epoch: 1
|
||||
# We have to remove certain patented algorithms from the openssl source
|
||||
# tarball with the hobble-openssl script which is included below.
|
||||
@ -95,6 +95,7 @@ Patch82: openssl-1.0.2m-trusted-first-doc.patch
|
||||
Patch83: openssl-1.0.2o-cve-2022-0778.patch
|
||||
Patch84: openssl-1.0.2o-update-expired-certificates.patch
|
||||
Patch85: openssl-1.0.2-cve-2023-0286-X400.patch
|
||||
Patch86: openssl-1.0.2o-cve-2026-28390.patch
|
||||
|
||||
License: OpenSSL
|
||||
Group: System Environment/Libraries
|
||||
@ -200,6 +201,7 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
|
||||
%patch83 -p1 -b .cve-2022-0778
|
||||
%patch84 -p1 -b .update-expired-certificates
|
||||
%patch85 -p1 -b .cve-2023-0286
|
||||
%patch86 -p1 -b .cve-2026-28390
|
||||
|
||||
sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h
|
||||
|
||||
@ -422,6 +424,10 @@ install -m 644 apps/openssl10.cnf $RPM_BUILD_ROOT%{_sysconfdir}/pki/openssl10.cn
|
||||
%postun -p /sbin/ldconfig
|
||||
|
||||
%changelog
|
||||
* Fri May 15 2026 Pavol Žáčik <pzacik@redhat.com> - 1.1.0.2o-4.2
|
||||
- Fixes CVE-2026-28390: Denial of Service due to NULL pointer dereference in CMS EnvelopedData processing
|
||||
Resolves: RHEL-165754
|
||||
|
||||
* Tue Apr 29 2025 Petr Hybl <phybl@redhat.com> - 1.1.0.2o-4.1
|
||||
- Fix CVE-2023-0286 X.400 address type confusion in X.509 GeneralName
|
||||
Resolves: RHEL-9699
|
||||
|
||||
Loading…
Reference in New Issue
Block a user