diff --git a/0058-Fix-incorrect-check-of-unwrapped-key-size.patch b/0058-Fix-incorrect-check-of-unwrapped-key-size.patch
new file mode 100644
index 0000000..59314fc
--- /dev/null
+++ b/0058-Fix-incorrect-check-of-unwrapped-key-size.patch
@@ -0,0 +1,33 @@
+From 9c462be2cea54ebfc62953224220b56f8ba22a0c Mon Sep 17 00:00:00 2001
+From: Viktor Dukhovni
+Date: Thu, 11 Sep 2025 18:10:12 +0200
+Subject: [PATCH] kek_unwrap_key(): Fix incorrect check of unwrapped key size
+
+Fixes CVE-2025-9230
+
+The check is off by 8 bytes so it is possible to overread by
+up to 8 bytes and overwrite up to 4 bytes.
+
+Reviewed-by: Neil Horman
+Reviewed-by: Matt Caswell
+Reviewed-by: Tomas Mraz
+---
+ crypto/cms/cms_pwri.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/crypto/cms/cms_pwri.c b/crypto/cms/cms_pwri.c
+index 106bd98dc7..ba8646f93c 100644
+--- a/crypto/cms/cms_pwri.c
++++ b/crypto/cms/cms_pwri.c
+@@ -243,7 +243,7 @@ static int kek_unwrap_key(unsigned char *out, size_t *outlen,
+ /* Check byte failure */
+ goto err;
+ }
+- if (inlen < (size_t)(tmp[0] - 4)) {
++ if (inlen < 4 + (size_t)tmp[0]) {
+ /* Invalid length value */
+ goto err;
+ }
+--
+2.51.0
+
diff --git a/openssl.spec b/openssl.spec
index d5825ae..15882e7 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.5.1
-Release: 5%{?dist}
+Release: 6%{?dist}
 Epoch: 1
 Source0: openssl-%{version}.tar.gz
 Source1: fips-hmacify.sh
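Review bot: The corrected bound `if (inlen < 4 + (size_t)tmp[0])` in the embedded cms_pwri.c hunk is left without any statement of the invariant it enforces; the comment under it still reads only `/* Invalid length value */`, which is how the off-by-8 form went unnoticed. I would replace it with `/* 4-byte header (length byte + check bytes) plus tmp[0] key bytes must fit within inlen */` so the `4 +` is not re-derived incorrectly later. The check as shown bounds the length byte against inlen only; whether `out` can hold tmp[0] bytes depends on the caller's allocation, which is outside this hunk (kek_unwrap_key begins and ends outside it), so that should be confirmed at the call site. The embedded diffstat lists a single changed file, so no regression test with an out-of-range length byte accompanies the fix, and one would be worth carrying alongside this backport.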
@@ -98,6 +98,7 @@ Patch0054: 0054-Temporarily-disable-SLH-DSA-FIPS-self-tests.patch Patch0055: 0055-Add-a-define-to-disable-symver-attributes.patch Patch0056: 0056-Speed-test-signatures-without-errors.patch Patch0057: 0057-Targets-to-skip-build-of-non-installable-programs.patch +Patch0058: 0058-Fix-incorrect-check-of-unwrapped-key-size.patch #The patches that are different for RHEL9 and 10 start here Patch0100: 0100-RHEL9-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch @@ -456,6 +457,10 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco %ldconfig_scriptlets libs %changelog +* Thu Oct 23 2025 Pavol Žáčik - 1:3.5.1-6 +- Fix CVE-2025-9230 + Resolves: RHEL-115928 + * Fri Sep 05 2025 Pavol Žáčik - 1:3.5.1-5 - Fix globally disabled LTO Related: RHEL-111633