Backport openssl: Out-of-bounds read & write in RFC 3211 KEK Unwrap
Fix CVE-2025-9230 Resolves: RHEL-128613
This commit is contained in:
Nikita Sanjay Patwa
parent
c2ed103d24
commit
8cf1b3e83c
31
openssl-1.1.1-cve-2025-9230.patch
Normal file
31
openssl-1.1.1-cve-2025-9230.patch
Normal file
@ -0,0 +1,31 @@
|
||||
From 5965ea5dd6960f36d8b7f74f8eac67a8eb8f2b45 Mon Sep 17 00:00:00 2001
|
||||
From: Viktor Dukhovni <openssl-users@dukhovni.org>
|
||||
Date: Thu, 11 Sep 2025 18:10:12 +0200
|
||||
Subject: [PATCH] kek_unwrap_key(): Fix incorrect check of unwrapped key size
|
||||
|
||||
Fixes CVE-2025-9230
|
||||
|
||||
The check is off by 8 bytes so it is possible to overread by
|
||||
up to 8 bytes and overwrite up to 4 bytes.
|
||||
|
||||
Reviewed-by: Neil Horman <nhorman@openssl.org>
|
||||
Reviewed-by: Matt Caswell <matt@openssl.org>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
(cherry picked from commit 9c462be2cea54ebfc62953224220b56f8ba22a0c)
|
||||
---
|
||||
crypto/cms/cms_pwri.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/crypto/cms/cms_pwri.c b/crypto/cms/cms_pwri.c
|
||||
index a7d609f83791a..ee1b8aa6ed61d 100644
|
||||
--- a/crypto/cms/cms_pwri.c
|
||||
+++ b/crypto/cms/cms_pwri.c
|
||||
@@ -242,7 +242,7 @@ static int kek_unwrap_key(unsigned char *out, size_t *outlen,
|
||||
/* Check byte failure */
|
||||
goto err;
|
||||
}
|
||||
- if (inlen < (size_t)(tmp[0] - 4)) {
|
||||
+ if (inlen < 4 + (size_t)tmp[0]) {
|
||||
/* Invalid length value */
|
||||
goto err;
|
||||
}
|
||||
@ -22,7 +22,7 @@
|
||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||
Name: openssl
|
||||
Version: 1.1.1k
|
||||
Release: 13%{?dist}
|
||||
Release: 14%{?dist}
|
||||
Epoch: 1
|
||||
# We have to remove certain patented algorithms from the openssl source
|
||||
# tarball with the hobble-openssl script which is included below.
|
||||
@ -102,6 +102,7 @@ Patch108: openssl-1.1.1-pkcs1-implicit-rejection.patch
|
||||
# Backport from OpenSSL 3.0
|
||||
# Fix for CVE-2024-5535
|
||||
Patch109: openssl-1.1.1-fix-ssl-select-next-proto.patch
|
||||
Patch110: openssl-1.1.1-cve-2025-9230.patch
|
||||
|
||||
License: OpenSSL and ASL 2.0
|
||||
URL: http://www.openssl.org/
|
||||
@ -236,6 +237,7 @@ cp %{SOURCE13} test/
|
||||
%patch107 -p1 -b .cve-2023-5678
|
||||
%patch108 -p1 -b .pkcs15imprejection
|
||||
%patch109 -p1 -b .cve-2024-5535
|
||||
%patch110 -p1 -b .cve-2025-9230
|
||||
|
||||
%build
|
||||
# Figure out which flags we want to use.
|
||||
@ -519,6 +521,11 @@ export LD_LIBRARY_PATH
|
||||
%postun libs -p /sbin/ldconfig
|
||||
|
||||
%changelog
|
||||
* Mon Dec 08 2025 Nikita Sanjay Patwa <npatwa@redhat.com> - 1:1.1.1k-14
|
||||
- Backport fix for Out-of-bounds read & write in RFC 3211 KEK Unwrap
|
||||
Fix CVE-2025-9230
|
||||
Resolves: RHEL-128613
|
||||
|
||||
* Mon Sep 16 2024 Maurizio Barbaro <mbarbaro@redhat.com> - 1:1.1.1k-13
|
||||
- Backport fix SSL_select_next proto from OpenSSL 3.2
|
||||
Fix CVE-2024-5535
|
||||
|
||||
Loading…
Reference in New Issue
Block a user