From 4cf5738ac1c163d5ce2517250321da906492c40d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavol=20=C5=BD=C3=A1=C4=8Dik?= Date: Thu, 23 Oct 2025 09:16:48 +0200 Subject: [PATCH] Patch CVE-2025-9230 Resolves: RHEL-115883 --- ...ncorrect-check-of-unwrapped-key-size.patch | 33 +++++++++++++++++++ openssl.spec | 7 +++- 2 files changed, 39 insertions(+), 1 deletion(-) create mode 100644 0059-Fix-incorrect-check-of-unwrapped-key-size.patch diff --git a/0059-Fix-incorrect-check-of-unwrapped-key-size.patch b/0059-Fix-incorrect-check-of-unwrapped-key-size.patch new file mode 100644 index 0000000..59314fc --- /dev/null +++ b/0059-Fix-incorrect-check-of-unwrapped-key-size.patch @@ -0,0 +1,33 @@ +From 9c462be2cea54ebfc62953224220b56f8ba22a0c Mon Sep 17 00:00:00 2001 +From: Viktor Dukhovni +Date: Thu, 11 Sep 2025 18:10:12 +0200 +Subject: [PATCH] kek_unwrap_key(): Fix incorrect check of unwrapped key size + +Fixes CVE-2025-9230 + +The check is off by 8 bytes so it is possible to overread by +up to 8 bytes and overwrite up to 4 bytes. + +Reviewed-by: Neil Horman +Reviewed-by: Matt Caswell +Reviewed-by: Tomas Mraz +--- + crypto/cms/cms_pwri.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/crypto/cms/cms_pwri.c b/crypto/cms/cms_pwri.c +index 106bd98dc7..ba8646f93c 100644 +--- a/crypto/cms/cms_pwri.c ++++ b/crypto/cms/cms_pwri.c +@@ -243,7 +243,7 @@ static int kek_unwrap_key(unsigned char *out, size_t *outlen, + /* Check byte failure */ + goto err; + } +- if (inlen < (size_t)(tmp[0] - 4)) { ++ if (inlen < 4 + (size_t)tmp[0]) { + /* Invalid length value */ + goto err; + } +-- +2.51.0 + diff --git a/openssl.spec b/openssl.spec index 70e8da4..fe8cc36 100644 --- a/openssl.spec +++ b/openssl.spec @@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16)) Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 3.5.1 -Release: 5%{?dist} +Release: 6%{?dist} Epoch: 1 Source0: openssl-%{version}.tar.gz Source1: fips-hmacify.sh 
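Review bot: the crypto/cms/cms_pwri.c hunk in 0059-Fix-incorrect-check-of-unwrapped-key-size.patch ships without a regression test (the embedded diffstat is `1 file changed, 1 insertion(+), 1 deletion(-)`), so nothing in the package build exercises the branch being tightened; a CMS PasswordRecipientInfo decrypt case whose unwrapped length byte `tmp[0]` is larger than `inlen - 4` would hit exactly this check and would catch the comparison regressing in a later rebase. For the record, the old expression `inlen < (size_t)(tmp[0] - 4)` accepted any length byte up to `inlen + 4`, while the corrected `inlen < 4 + (size_t)tmp[0]` requires the 4-byte header plus the declared key length to fit in `inlen`; that is the 8-byte gap the commit message describes, and the new form cannot wrap because `tmp[0]` is an unsigned char.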
@@ -100,6 +100,7 @@ Patch0055: 0055-Add-a-define-to-disable-symver-attributes.patch Patch0056: 0056-Speed-test-signatures-without-errors.patch Patch0057: 0057-Targets-to-skip-build-of-non-installable-programs.patch Patch0058: 0058-aes-s390x.pl-Initialize-reserved-and-unused-memory.patch +Patch0059: 0059-Fix-incorrect-check-of-unwrapped-key-size.patch License: Apache-2.0 URL: http://www.openssl.org/ @@ -460,6 +461,10 @@ touch $RPM_BUILD_ROOT/%{_prefix}/include/openssl/engine.h %ldconfig_scriptlets libs %changelog +* Wed Oct 22 2025 Pavol Žáčik - 1:3.5.1-6 +- Fix CVE-2025-9230 + Resolves: RHEL-115883 + * Fri Sep 05 2025 Pavol Žáčik - 1:3.5.1-5 - Fix globally disabled LTO Related: RHEL-111634
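Review bot: the openssl.spec hunk at @@ -100,6 +100,7 @@ declares `Patch0059: 0059-Fix-incorrect-check-of-unwrapped-key-size.patch` but no corresponding application line is visible in this diff; confirm the spec's %prep applies the whole Patch list (for example via `%autosetup -p1`), otherwise add a matching `%patch` line, since a declared-but-unapplied patch would bump the Release and write the CVE into %changelog without changing the built library. The changelog hunk at @@ -460,6 +461,10 @@ follows the existing entry format (version-release, fix line, `Resolves:` line) and matches the new `Release: 6%{?dist}` and the commit subject.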