Fix CVE-2024-4741: Use After Free with SSL_free_buffers

Resolves: RHEL-39119

openssl-1.1.1-cve-2024-4741.patch

@@ -0,0 +1,70 @@
+From adf9a23d1a95c8378a81b720012b2f80aff618e2 Mon Sep 17 00:00:00 2001
+From: Watson Ladd <watsonbladd@gmail.com>
+Date: Wed, 24 Apr 2024 11:26:56 +0100
+Subject: [PATCH] Only free the read buffers if we're not using them
+
+If we're part way through processing a record, or the application has
+not released all the records then we should not free our buffer because
+they are still needed.
+
+CVE-2024-4741
+
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/24395)
+---
+ ssl/record/rec_layer_s3.c | 9 +++++++++
+ ssl/record/record.h       | 1 +
+ ssl/ssl_lib.c             | 3 +++
+ 3 files changed, 13 insertions(+)
+
+diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
+index b2a7a47..7a67fd3 100644
+--- a/ssl/record/rec_layer_s3.c
++++ b/ssl/record/rec_layer_s3.c
+@@ -80,6 +80,15 @@ int RECORD_LAYER_read_pending(const RECORD_LAYER *rl)
+     return SSL3_BUFFER_get_left(&rl->rbuf) != 0;
+ }
+ 
++int RECORD_LAYER_data_present(const RECORD_LAYER *rl)
++{
++    if (rl->rstate == SSL_ST_READ_BODY)
++        return 1;
++    if (RECORD_LAYER_processed_read_pending(rl))
++        return 1;
++    return 0;
++}
++
+ /* Checks if we have decrypted unread record data pending */
+ int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl)
+ {
+diff --git a/ssl/record/record.h b/ssl/record/record.h
+index af56206..513ab39 100644
+--- a/ssl/record/record.h
++++ b/ssl/record/record.h
+@@ -197,6 +197,7 @@ void RECORD_LAYER_release(RECORD_LAYER *rl);
+ int RECORD_LAYER_read_pending(const RECORD_LAYER *rl);
+ int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl);
+ int RECORD_LAYER_write_pending(const RECORD_LAYER *rl);
++int RECORD_LAYER_data_present(const RECORD_LAYER *rl);
+ void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl);
+ void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl);
+ int RECORD_LAYER_is_sslv2_record(RECORD_LAYER *rl);
+diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
+index 21e6c45..82236d8 100644
+--- a/ssl/ssl_lib.c
++++ b/ssl/ssl_lib.c
+@@ -5209,6 +5209,9 @@ int SSL_free_buffers(SSL *ssl)
+     if (RECORD_LAYER_read_pending(rl) || RECORD_LAYER_write_pending(rl))
+         return 0;
+ 
++    if (RECORD_LAYER_data_present(rl))
++        return 0;
++
+     RECORD_LAYER_release(rl);
+     return 1;
+ }
+-- 
+2.54.0
+

openssl.spec

@@ -108,6 +108,7 @@ Patch111: openssl-1.1.1-ticket_lifetime_hint.patch
 Patch112: openssl-1.1.1-hardening-from-openssl-3.0.1.patch
 Patch113: openssl-1.1.1-cve-2025-69419.patch
 Patch114: openssl-1.1.1-cve-2026-45447.patch
+Patch115: openssl-1.1.1-cve-2024-4741.patch
 
 License: OpenSSL and ASL 2.0
 URL: http://www.openssl.org/
@@ -247,6 +248,7 @@ cp %{SOURCE13} test/
 %patch112 -p1 -b .cve-2025-69419-1
 %patch113 -p1 -b .cve-2025-69419-2
 %patch114 -p1 -b .cve-2026-45447
+%patch115 -p1 -b .cve-2024-4741
 
 %build
 # Figure out which flags we want to use.
@@ -533,6 +535,8 @@ export LD_LIBRARY_PATH
 * Mon Jun 01 2026 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-16
 - Fix CVE-2026-45447: Heap Use-After-Free in OpenSSL PKCS7_verify()
   Resolves: RHEL-179623
+- Fix CVE-2024-4741: Use After Free with SSL_free_buffers
+  Resolves: RHEL-39119
 
 * Thu Feb 12 2026 Antonio Vieiro <avieirov@redhat.com> - 1:1.1.1k-15
 - Fix CVE-2025-69419: Arbitrary code execution due to out-of-bounds write in PKCS#12 processing