From 95790d3a387494a8adce7687c1dd965bf10903a5 Mon Sep 17 00:00:00 2001 From: Petr Hybl Date: Fri, 2 May 2025 10:37:43 +0200 Subject: [PATCH] Fixed X.400 address type confusion in X.509 General RHEL-9699 Resolves: CVE-2023-0286 --- compat-openssl10.spec | 8 ++++++- openssl-1.0.2-cve-2023-0286-X400.patch | 30 ++++++++++++++++++++++++++ 2 files changed, 37 insertions(+), 1 deletion(-) create mode 100644 openssl-1.0.2-cve-2023-0286-X400.patch diff --git a/compat-openssl10.spec b/compat-openssl10.spec index d352bb7..5719d25 100644 --- a/compat-openssl10.spec +++ b/compat-openssl10.spec @@ -22,7 +22,7 @@ Summary: Compatibility version of the OpenSSL library Name: compat-openssl10 Version: 1.0.2o -Release: 4%{?dist} +Release: 4%{?dist}.1 Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -94,6 +94,7 @@ Patch81: openssl-1.0.2a-padlock64.patch Patch82: openssl-1.0.2m-trusted-first-doc.patch Patch83: openssl-1.0.2o-cve-2022-0778.patch Patch84: openssl-1.0.2o-update-expired-certificates.patch +Patch85: openssl-1.0.2-cve-2023-0286-X400.patch License: OpenSSL Group: System Environment/Libraries @@ -198,6 +199,7 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/ %patch82 -p1 -b .trusted-first %patch83 -p1 -b .cve-2022-0778 %patch84 -p1 -b .update-expired-certificates +%patch85 -p1 -b .cve-2023-0286 sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h @@ -420,6 +422,10 @@ install -m 644 apps/openssl10.cnf $RPM_BUILD_ROOT%{_sysconfdir}/pki/openssl10.cn %postun -p /sbin/ldconfig %changelog +* Tue Apr 29 2025 Petr Hybl - 1.1.0.2o-4.1 +- Fix CVE-2023-0286 X.400 address type confusion in X.509 GeneralName + Resolves: RHEL-9699 + * Wed May 04 2022 Clemens Lang - 1:1.0.2o-4 - Fix CVE-2022-0778: Infinite loop in BN_mod_sqrt() reachable when parsing certificates Resolves: rhbz#2077418 
diff --git a/openssl-1.0.2-cve-2023-0286-X400.patch b/openssl-1.0.2-cve-2023-0286-X400.patch
new file mode 100644
index 0000000..38999c4
--- /dev/null
+++ b/openssl-1.0.2-cve-2023-0286-X400.patch
@@ -0,0 +1,30 @@
+From: Petr Hybl
+Date: Tue, 29 Apr 2025 17:45:42 +0000
+Subject: CVE-2023-0286: Fix GENERAL_NAME_cmp for x400Address
+diff --git a/crypto/x509v3/v3_genn.c b/crypto/x509v3/v3_genn.c
+index 9bb01ee..8cbcbe0 100644
+--- a/crypto/x509v3/v3_genn.c
++++ b/crypto/x509v3/v3_genn.c
+@@ -116,6 +116,9 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
+ return -1;
+ switch (a->type) {
+ case GEN_X400:
++ result = ASN1_STRING_cmp(a->d.x400Address, b->d.x400Address);
++ break;
++
+ case GEN_EDIPARTY:
+ result = ASN1_TYPE_cmp(a->d.other, b->d.other);
+ break;
+diff --git a/crypto/x509v3/x509v3.h b/crypto/x509v3/x509v3.h
+index f5c6156..7328acd 100644
+--- a/crypto/x509v3/x509v3.h
++++ b/crypto/x509v3/x509v3.h
+@@ -190,7 +190,7 @@ typedef struct GENERAL_NAME_st {
+ OTHERNAME *otherName; /* otherName */
+ ASN1_IA5STRING *rfc822Name;
+ ASN1_IA5STRING *dNSName;
+- ASN1_TYPE *x400Address;
++ ASN1_STRING *x400Address;
+ X509_NAME *directoryName;
+ EDIPARTYNAME *ediPartyName;
+ ASN1_IA5STRING *uniformResourceIdentifier;