Redefine sslarch for x86_64_v2 arch

2026-05-16 02:45:26 +00:00 · 2026-05-16 02:45:26 +00:00 · d6c12df515
commit d6c12df515
parent eef0d63fd4 7ee5eab42c
2 changed files with 100 additions and 2 deletions
--- a/0059-CVE-2026-28390.patch
+++ b/0059-CVE-2026-28390.patch
@ -0,0 +1,93 @@
+From 2e39b7a6993be445fddb9fbce316fa756e0397b6 Mon Sep 17 00:00:00 2001
+From: Neil Horman <nhorman@openssl.org>
+Date: Wed, 1 Apr 2026 10:56:44 +0200
+Subject: [PATCH] Fix NULL deref in rsa_cms_decrypt
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Very simmilar to CVE-2026-28389, ensure that if we are missing
+parameters in RSA-OAEP SourceFunc in CMS KeyTransportRecipientInfo,
+we don't segfault when decrypting.
+
+Co-authored-by: Tomas Mraz <tomas@openssl.foundation>
+
+Fixes CVE-2026-28390
+
+Reviewed-by: Saša Nedvědický <sashan@openssl.org>
+Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
+MergeDate: Mon Apr  6 19:06:14 2026
+---
+ crypto/cms/cms_rsa.c | 31 +++++++++++++++++++------------
+ 1 file changed, 19 insertions(+), 12 deletions(-)
+
+diff --git a/crypto/cms/cms_rsa.c b/crypto/cms/cms_rsa.c
+index 6b65842cc1..34c739a982 100644
+--- a/crypto/cms/cms_rsa.c
+++ b/crypto/cms/cms_rsa.c
+@@ -42,10 +42,13 @@ static int rsa_cms_decrypt(CMS_RecipientInfo *ri)
+     X509_ALGOR *cmsalg;
+     int nid;
+     int rv = -1;
+-    unsigned char *label = NULL;
+    const unsigned char *label = NULL;
+     int labellen = 0;
+     const EVP_MD *mgf1md = NULL, *md = NULL;
+     RSA_OAEP_PARAMS *oaep;
+    const ASN1_OBJECT *aoid;
+    const void *parameter = NULL;
+    int ptype = 0;
+ 
+     pkctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
+     if (pkctx == NULL)
+@@ -75,21 +78,19 @@ static int rsa_cms_decrypt(CMS_RecipientInfo *ri)
+         goto err;
+ 
+     if (oaep->pSourceFunc != NULL) {
+-        X509_ALGOR *plab = oaep->pSourceFunc;
+        X509_ALGOR_get0(&aoid, &ptype, &parameter, oaep->pSourceFunc);
+ 
+-        if (OBJ_obj2nid(plab->algorithm) != NID_pSpecified) {
+        if (OBJ_obj2nid(aoid) != NID_pSpecified) {
+             ERR_raise(ERR_LIB_CMS, CMS_R_UNSUPPORTED_LABEL_SOURCE);
+             goto err;
+         }
+-        if (plab->parameter->type != V_ASN1_OCTET_STRING) {
+        if (ptype != V_ASN1_OCTET_STRING) {
+             ERR_raise(ERR_LIB_CMS, CMS_R_INVALID_LABEL);
+             goto err;
+         }
+ 
+-        label = plab->parameter->value.octet_string->data;
+-        /* Stop label being freed when OAEP parameters are freed */
+-        plab->parameter->value.octet_string->data = NULL;
+-        labellen = plab->parameter->value.octet_string->length;
+        label = ASN1_STRING_get0_data(parameter);
+        labellen = ASN1_STRING_length(parameter);
+     }
+ 
+     if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_OAEP_PADDING) <= 0)
+@@ -98,10 +99,16 @@ static int rsa_cms_decrypt(CMS_RecipientInfo *ri)
+         goto err;
+     if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md) <= 0)
+         goto err;
+-    if (label != NULL
+-        && EVP_PKEY_CTX_set0_rsa_oaep_label(pkctx, label, labellen) <= 0) {
+-        OPENSSL_free(label);
+-        goto err;
+    if (label != NULL) {
+        unsigned char *dup_label = OPENSSL_memdup(label, labellen);
+
+        if (dup_label == NULL)
+            goto err;
+
+        if (EVP_PKEY_CTX_set0_rsa_oaep_label(pkctx, dup_label, labellen) <= 0) {
+            OPENSSL_free(dup_label);
+            goto err;
+        }
+     }
+     /* Carry on */
+     rv = 1;
+-- 
+2.53.0
+
--- a/openssl.spec
+++ b/openssl.spec
@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.5.5
-Release: 2%{?dist}.alma.1
+Release: 3%{?dist}.alma.1
 Epoch: 1
 Source0: openssl-%{version}.tar.gz
 Source1: fips-hmacify.sh
@ -100,6 +100,7 @@ Patch0055: 0055-Add-a-define-to-disable-symver-attributes.patch
 Patch0056: 0056-Add-targets-to-skip-build-of-non-installable-program.patch
 Patch0057: 0057-Disable-RSA-PKCS1.5-FIPS-POST-not-relevant-for-RHEL.patch
 Patch0058: 0058-CVE-2026-31790.patch
+Patch0059: 0059-CVE-2026-28390.patch

 License: Apache-2.0
 URL: http://www.openssl.org/
@ -463,9 +464,13 @@ touch $RPM_BUILD_ROOT/%{_prefix}/include/openssl/engine.h
 %ldconfig_scriptlets libs

 %changelog
-* Tue Apr 14 2026 Eduard Abdullin <eabdullin@almalinux.org> - 1:3.5.5-2.alma.1
+* Sat May 16 2026 Eduard Abdullin <eabdullin@almalinux.org> - 1:3.5.5-3.alma.1
 - Redefine sslarch for x86_64_v2 arch

+* Wed May 13 2026 Pavol Žáčik <pzacik@redhat.com> - 1:3.5.5-3
+- Fix CVE-2026-28390
+  Resolves: RHEL-165705
+
 * Thu Apr 09 2026 Pavol Žáčik <pzacik@redhat.com> - 1:3.5.5-2
 - Fix CVE-2026-31790
  Resolves: RHEL-161574