diff --git a/0056-Fix-incorrect-check-of-unwrapped-key-size.patch b/0056-Fix-incorrect-check-of-unwrapped-key-size.patch new file mode 100644 index 0000000..59314fc --- /dev/null +++ b/0056-Fix-incorrect-check-of-unwrapped-key-size.patch @@ -0,0 +1,33 @@ +From 9c462be2cea54ebfc62953224220b56f8ba22a0c Mon Sep 17 00:00:00 2001 +From: Viktor Dukhovni +Date: Thu, 11 Sep 2025 18:10:12 +0200 +Subject: [PATCH] kek_unwrap_key(): Fix incorrect check of unwrapped key size + +Fixes CVE-2025-9230 + +The check is off by 8 bytes so it is possible to overread by +up to 8 bytes and overwrite up to 4 bytes. + +Reviewed-by: Neil Horman +Reviewed-by: Matt Caswell +Reviewed-by: Tomas Mraz +--- + crypto/cms/cms_pwri.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/crypto/cms/cms_pwri.c b/crypto/cms/cms_pwri.c +index 106bd98dc7..ba8646f93c 100644 +--- a/crypto/cms/cms_pwri.c ++++ b/crypto/cms/cms_pwri.c +@@ -243,7 +243,7 @@ static int kek_unwrap_key(unsigned char *out, size_t *outlen, + /* Check byte failure */ + goto err; + } +- if (inlen < (size_t)(tmp[0] - 4)) { ++ if (inlen < 4 + (size_t)tmp[0]) { + /* Invalid length value */ + goto err; + } +-- +2.51.0 + diff --git a/openssl.spec b/openssl.spec index b1d1551..ef82803 100644 --- a/openssl.spec +++ b/openssl.spec @@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16)) Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 3.5.1 -Release: 3%{?dist} +Release: 4%{?dist} Epoch: 1 Source0: openssl-%{version}.tar.gz Source1: fips-hmacify.sh @@ -97,6 +97,7 @@ Patch0053: 0053-Allow-hybrid-MLKEM-in-FIPS-mode.patch %endif Patch0054: 0054-Temporarily-disable-SLH-DSA-FIPS-self-tests.patch Patch0055: 0055-Add-a-define-to-disable-symver-attributes.patch +Patch0056: 0056-Fix-incorrect-check-of-unwrapped-key-size.patch License: Apache-2.0 URL: http://www.openssl.org/ @@ -453,6 +454,10 @@ touch $RPM_BUILD_ROOT/%{_prefix}/include/openssl/engine.h %ldconfig_scriptlets libs %changelog +* Wed Oct 22 2025 Pavol Žáčik - 1:3.5.1-4 +- Fix CVE-2025-9230 + Resolves: RHEL-115885 + * Thu Jul 24 2025 Simo Sorce - 1:3.5.1-3 - Add custom define to disable symbol versioning in downstream patched code Also add stricter Suggests for openssl-fips-provider