CVE-2023-0286 compat-openssl11: X.400 address type confusion in X.509 GeneralName

Resolves: RHEL-88969

compat-openssl11.spec

@@ -22,7 +22,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: compat-openssl11
 Version: 1.1.1k
-Release: 5%{?dist}
+Release: 5%{?dist}.1
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -77,6 +77,7 @@ Patch55: openssl-1.1.1-arm-update.patch
 Patch56: openssl-1.1.1-s390x-ecc.patch
 Patch73: openssl-1.1.1-cve-2022-0778.patch
 Patch83: openssl-1.1.1-replace-expired-certs.patch
+Patch74: openssl-1.1.1-cve-2023-0286-X400.patch
 
 License: OpenSSL and ASL 2.0
 URL: http://www.openssl.org/
@@ -147,6 +148,7 @@ cp %{SOURCE13} test/
 %patch72 -p1 -b .disable-fips
 %patch73 -p1 -b .cve-2022-0778
 %patch -P 83 -p1 -b .replace-expired-certs
+%patch74 -p1 -b .cve-2023-0286
 
 cp apps/openssl.cnf apps/openssl11.cnf
 
@@ -315,6 +317,10 @@ install -m 644 apps/openssl11.cnf $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl1
 %ldconfig_scriptlets
 
 %changelog
+* Fri May 9 2025 Petr Hybl <phybl@redhat.com> - 1:1.1.1k-5.1
+- Fixes cve-2023-0286 X.400 address type confusion in X.509 GeneralName
+  Resolves: RHEL-88969
+
 * Thu Sep 21 2023 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-5
 - Update expired certificates used in the testsuite
   Resolves: RHEL-5297

openssl-1.1.1-cve-2023-0286-X400.patch

@@ -0,0 +1,63 @@
+From 2c6c9d439b484e1ba9830d8454a34fa4f80fdfe9 Mon Sep 17 00:00:00 2001
+From: Hugo Landau <hlandau@openssl.org>
+Date: Tue, 17 Jan 2023 17:45:42 +0000
+Subject: [PATCH 6/6] CVE-2023-0286: Fix GENERAL_NAME_cmp for x400Address
+ (1.1.1)
+
+Reviewed-by: Paul Dale <pauli@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+---
+ CHANGES                  | 18 +++++++++++++++++-
+ crypto/x509v3/v3_genn.c  |  2 +-
+ include/openssl/x509v3.h |  2 +-
+ test/v3nametest.c        |  8 ++++++++
+ 4 files changed, 27 insertions(+), 3 deletions(-)
+
+diff --git a/crypto/x509v3/v3_genn.c b/crypto/x509v3/v3_genn.c
+index 87a5eff47c..e54ddc55c9 100644
+--- a/crypto/x509v3/v3_genn.c
++++ b/crypto/x509v3/v3_genn.c
+@@ -98,7 +98,7 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
+         return -1;
+     switch (a->type) {
+     case GEN_X400:
+-        result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address);
++        result = ASN1_STRING_cmp(a->d.x400Address, b->d.x400Address);
+         break;
+ 
+     case GEN_EDIPARTY:
+diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h
+index 90fa3592ce..e61c0f29d4 100644
+--- a/include/openssl/x509v3.h
++++ b/include/openssl/x509v3.h
+@@ -136,7 +136,7 @@ typedef struct GENERAL_NAME_st {
+         OTHERNAME *otherName;   /* otherName */
+         ASN1_IA5STRING *rfc822Name;
+         ASN1_IA5STRING *dNSName;
+-        ASN1_TYPE *x400Address;
++        ASN1_STRING *x400Address;
+         X509_NAME *directoryName;
+         EDIPARTYNAME *ediPartyName;
+         ASN1_IA5STRING *uniformResourceIdentifier;
+diff --git a/test/v3nametest.c b/test/v3nametest.c
+index d1852190b8..37819da8fd 100644
+--- a/test/v3nametest.c
++++ b/test/v3nametest.c
+@@ -646,6 +646,14 @@ static struct gennamedata {
+             0xb7, 0x09, 0x02, 0x02
+         },
+         15
++    }, {
++        /*
++         * Regression test for CVE-2023-0286.
++         */
++        {
++            0xa3, 0x00
++        },
++        2
+     }
+ };
+ 
+-- 
+2.39.1
+