import UBI compat-openssl11-1.1.1k-5.el9_8.3

2026-06-01 11:29:38 -04:00 · 2026-06-01 11:29:38 -04:00 · 01cbb53ec2
commit 01cbb53ec2
parent 7fb658ccd5
2 changed files with 89 additions and 1 deletions
--- a/SOURCES/openssl-1.1.1-cve-2026-28390.patch
+++ b/SOURCES/openssl-1.1.1-cve-2026-28390.patch
@ -0,0 +1,81 @@
+From 2ff16c29c115c131fbcf196ab66ca0ef822c7ab0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavol=20=C5=BD=C3=A1=C4=8Dik?= <pzacik@redhat.com>
+Date: Wed, 13 May 2026 16:22:35 +0200
+Subject: [PATCH] Fix CVE-2026-28390
+
+Ensure that if we are missing parameters in
+RSA-OAEP SourceFunc in CMS KeyTransportRecipientInfo,
+we don't segfault when decrypting.
+---
+ crypto/rsa/rsa_ameth.c | 30 ++++++++++++++++++++----------
+ 1 file changed, 20 insertions(+), 10 deletions(-)
+
+diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
+index fb04554..dfce3e2 100644
+--- a/crypto/rsa/rsa_ameth.c
+++ b/crypto/rsa/rsa_ameth.c
+@@ -918,10 +918,13 @@ static int rsa_cms_decrypt(CMS_RecipientInfo *ri)
+     X509_ALGOR *cmsalg;
+     int nid;
+     int rv = -1;
+-    unsigned char *label = NULL;
+    const unsigned char *label = NULL;
+     int labellen = 0;
+     const EVP_MD *mgf1md = NULL, *md = NULL;
+     RSA_OAEP_PARAMS *oaep;
+    const ASN1_OBJECT *aoid;
+    const void *parameter = NULL;
+    int ptype = 0;
+ 
+     pkctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
+     if (pkctx == NULL)
+@@ -951,21 +954,19 @@ static int rsa_cms_decrypt(CMS_RecipientInfo *ri)
+         goto err;
+ 
+     if (oaep->pSourceFunc != NULL) {
+-        X509_ALGOR *plab = oaep->pSourceFunc;
+        X509_ALGOR_get0(&aoid, &ptype, &parameter, oaep->pSourceFunc);
+ 
+-        if (OBJ_obj2nid(plab->algorithm) != NID_pSpecified) {
+        if (OBJ_obj2nid(aoid) != NID_pSpecified) {
+             RSAerr(RSA_F_RSA_CMS_DECRYPT, RSA_R_UNSUPPORTED_LABEL_SOURCE);
+             goto err;
+         }
+-        if (plab->parameter->type != V_ASN1_OCTET_STRING) {
+        if (ptype != V_ASN1_OCTET_STRING) {
+             RSAerr(RSA_F_RSA_CMS_DECRYPT, RSA_R_INVALID_LABEL);
+             goto err;
+         }
+ 
+-        label = plab->parameter->value.octet_string->data;
+-        /* Stop label being freed when OAEP parameters are freed */
+-        plab->parameter->value.octet_string->data = NULL;
+-        labellen = plab->parameter->value.octet_string->length;
+        label = ASN1_STRING_get0_data(parameter);
+        labellen = ASN1_STRING_length(parameter);
+     }
+ 
+     if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_OAEP_PADDING) <= 0)
+@@ -974,8 +975,17 @@ static int rsa_cms_decrypt(CMS_RecipientInfo *ri)
+         goto err;
+     if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md) <= 0)
+         goto err;
+-    if (EVP_PKEY_CTX_set0_rsa_oaep_label(pkctx, label, labellen) <= 0)
+-        goto err;
+    if (label != NULL) {
+        unsigned char *dup_label = OPENSSL_memdup(label, labellen);
+
+        if (dup_label == NULL)
+            goto err;
+
+        if (EVP_PKEY_CTX_set0_rsa_oaep_label(pkctx, dup_label, labellen) <= 0) {
+            OPENSSL_free(dup_label);
+            goto err;
+        }
+    }
+     /* Carry on */
+     rv = 1;
+ 
+-- 
+2.53.0
+
--- a/SPECS/compat-openssl11.spec
+++ b/SPECS/compat-openssl11.spec
@ -22,7 +22,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: compat-openssl11
 Version: 1.1.1k
-Release: 5%{?dist}.2
+Release: 5%{?dist}.3
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@ -81,6 +81,8 @@ Patch74: openssl-1.1.1-cve-2023-0286-X400.patch
 # Fix for CVE-2025-69419 (next two)
 Patch75: openssl-1.1.1-hardening-from-openssl-3.0.1.patch
 Patch76: openssl-1.1.1-cve-2025-69419.patch
+# Fix for CVE-2026-28390
+Patch77: openssl-1.1.1-cve-2026-28390.patch

 License: OpenSSL and ASL 2.0
 URL: http://www.openssl.org/
@ -154,6 +156,7 @@ cp %{SOURCE13} test/
 %patch74 -p1 -b .cve-2023-0286
 %patch75 -p1 -b .cve-2025-69419-1
 %patch76 -p1 -b .cve-2025-69419-2
+%patch77 -p1 -b .cve-2026-28390
 cp apps/openssl.cnf apps/openssl11.cnf

 %build
@ -321,6 +324,10 @@ install -m 644 apps/openssl11.cnf $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl1
 %ldconfig_scriptlets

 %changelog
+* Wed May 13 2026 Pavol Žáčik <pzacik@redhat.com> - 1:1.1.1k-5.3
+- Fixes CVE-2026-28390: Denial of Service due to NULL pointer dereference in CMS EnvelopedData processing
+  Resolves: RHEL-165863
+
 * Wed Apr 1 2026 Petr Hybl <phybl@redhat.com> - 1:1.1.1k-5.2
 - Fixes CVE-2025-69419 OpenSSL: Arbitrary code execution due to out-of-bounds write in PKCS#12 processing
  Resolves: RHEL-142723