From 297177218ee1406bde09deda364ae7e87ae08fec Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavol=20=C5=BD=C3=A1=C4=8Dik?= Date: Tue, 2 Jun 2026 06:47:08 +0200 Subject: [PATCH] Fix CVE-2024-4741: Use After Free with SSL_free_buffers Resolves: RHEL-39119 --- openssl-1.1.1-cve-2024-4741.patch | 70 +++++++++++++++++++++++++++++++ openssl.spec | 4 ++ 2 files changed, 74 insertions(+) create mode 100644 openssl-1.1.1-cve-2024-4741.patch diff --git a/openssl-1.1.1-cve-2024-4741.patch b/openssl-1.1.1-cve-2024-4741.patch new file mode 100644 index 0000000..fa55db2 --- /dev/null +++ b/openssl-1.1.1-cve-2024-4741.patch @@ -0,0 +1,70 @@ +From adf9a23d1a95c8378a81b720012b2f80aff618e2 Mon Sep 17 00:00:00 2001 +From: Watson Ladd +Date: Wed, 24 Apr 2024 11:26:56 +0100 +Subject: [PATCH] Only free the read buffers if we're not using them + +If we're part way through processing a record, or the application has +not released all the records then we should not free our buffer because +they are still needed. + +CVE-2024-4741 + +Reviewed-by: Tomas Mraz +Reviewed-by: Neil Horman +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/24395) +--- + ssl/record/rec_layer_s3.c | 9 +++++++++ + ssl/record/record.h | 1 + + ssl/ssl_lib.c | 3 +++ + 3 files changed, 13 insertions(+) + +diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c +index b2a7a47..7a67fd3 100644 +--- a/ssl/record/rec_layer_s3.c ++++ b/ssl/record/rec_layer_s3.c +@@ -80,6 +80,15 @@ int RECORD_LAYER_read_pending(const RECORD_LAYER *rl) + return SSL3_BUFFER_get_left(&rl->rbuf) != 0; + } + ++int RECORD_LAYER_data_present(const RECORD_LAYER *rl) ++{ ++ if (rl->rstate == SSL_ST_READ_BODY) ++ return 1; ++ if (RECORD_LAYER_processed_read_pending(rl)) ++ return 1; ++ return 0; ++} ++ + /* Checks if we have decrypted unread record data pending */ + int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl) + { +diff --git a/ssl/record/record.h b/ssl/record/record.h +index af56206..513ab39 100644 +--- a/ssl/record/record.h ++++ b/ssl/record/record.h +@@ -197,6 +197,7 @@ void RECORD_LAYER_release(RECORD_LAYER *rl); + int RECORD_LAYER_read_pending(const RECORD_LAYER *rl); + int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl); + int RECORD_LAYER_write_pending(const RECORD_LAYER *rl); ++int RECORD_LAYER_data_present(const RECORD_LAYER *rl); + void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl); + void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl); + int RECORD_LAYER_is_sslv2_record(RECORD_LAYER *rl); +diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c +index 21e6c45..82236d8 100644 +--- a/ssl/ssl_lib.c ++++ b/ssl/ssl_lib.c +@@ -5209,6 +5209,9 @@ int SSL_free_buffers(SSL *ssl) + if (RECORD_LAYER_read_pending(rl) || RECORD_LAYER_write_pending(rl)) + return 0; + ++ if (RECORD_LAYER_data_present(rl)) ++ return 0; ++ + RECORD_LAYER_release(rl); + return 1; + } +-- +2.54.0 + diff --git a/openssl.spec b/openssl.spec index bf87e26..6e02d1b 100644 --- a/openssl.spec +++ b/openssl.spec @@ -108,6 +108,7 @@ Patch111: openssl-1.1.1-ticket_lifetime_hint.patch Patch112: openssl-1.1.1-hardening-from-openssl-3.0.1.patch Patch113: openssl-1.1.1-cve-2025-69419.patch Patch114: openssl-1.1.1-cve-2026-45447.patch +Patch115: openssl-1.1.1-cve-2024-4741.patch License: OpenSSL and ASL 2.0 URL: http://www.openssl.org/ @@ -247,6 +248,7 @@ cp %{SOURCE13} test/ %patch112 -p1 -b .cve-2025-69419-1 %patch113 -p1 -b .cve-2025-69419-2 %patch114 -p1 -b .cve-2026-45447 +%patch115 -p1 -b .cve-2024-4741 %build # Figure out which flags we want to use. @@ -533,6 +535,8 @@ export LD_LIBRARY_PATH * Mon Jun 01 2026 Dmitry Belyavskiy - 1:1.1.1k-16 - Fix CVE-2026-45447: Heap Use-After-Free in OpenSSL PKCS7_verify() Resolves: RHEL-179623 +- Fix CVE-2024-4741: Use After Free with SSL_free_buffers + Resolves: RHEL-39119 * Thu Feb 12 2026 Antonio Vieiro - 1:1.1.1k-15 - Fix CVE-2025-69419: Arbitrary code execution due to out-of-bounds write in PKCS#12 processing