140 lines
5.6 KiB
Diff
140 lines
5.6 KiB
Diff
From 16aaeaab46d407f739fc74e3d89ae4fc43ef77c2 Mon Sep 17 00:00:00 2001
|
|
From: Igor Ustinov <igus@openssl.foundation>
|
|
Date: Sat, 16 May 2026 08:16:23 +0200
|
|
Subject: [PATCH 1/2] Fix possible use-after-free in OpenSSL PKCS7_verify()
|
|
|
|
Fixes CVE-2026-45447
|
|
---
|
|
crypto/pkcs7/pk7_smime.c | 9 ++++++---
|
|
1 file changed, 6 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/crypto/pkcs7/pk7_smime.c b/crypto/pkcs7/pk7_smime.c
|
|
index 4bf26331c1a..49129690deb 100644
|
|
--- a/crypto/pkcs7/pk7_smime.c
|
|
+++ b/crypto/pkcs7/pk7_smime.c
|
|
@@ -221,6 +221,7 @@ int PKCS7_verify(PKCS7 *p7, const STACK_OF(X509) *certs, X509_STORE *store,
|
|
int i, j = 0, k, ret = 0;
|
|
BIO *p7bio = NULL;
|
|
BIO *tmpout = NULL;
|
|
+ BIO *next = NULL;
|
|
const PKCS7_CTX *p7_ctx;
|
|
|
|
if (p7 == NULL) {
|
|
@@ -351,9 +352,11 @@ int PKCS7_verify(PKCS7 *p7, const STACK_OF(X509) *certs, X509_STORE *store,
|
|
BIO_free(tmpout);
|
|
X509_STORE_CTX_free(cert_ctx);
|
|
OPENSSL_free(buf);
|
|
- if (indata != NULL)
|
|
- BIO_pop(p7bio);
|
|
- BIO_free_all(p7bio);
|
|
+ while (p7bio != NULL && p7bio != indata) {
|
|
+ next = BIO_pop(p7bio);
|
|
+ BIO_free(p7bio);
|
|
+ p7bio = next;
|
|
+ }
|
|
sk_X509_free(signers);
|
|
sk_X509_free(untrusted);
|
|
return ret;
|
|
|
|
From a6622a0503575097f1faefc0781f5b3916bb3ffc Mon Sep 17 00:00:00 2001
|
|
From: Igor Ustinov <igus@openssl.foundation>
|
|
Date: Sat, 16 May 2026 08:22:53 +0200
|
|
Subject: [PATCH 2/2] Test for CVE-2026-45447 (UAF in PKCS7_verify)
|
|
|
|
The test data were created with a tool developed by
|
|
Thai Duong <thai@calif.io>.
|
|
---
|
|
test/recipes/80-test_cms.t | 19 +++++++++-
|
|
test/smime-eml/pkcs7-empty-digest-set.eml | 45 +++++++++++++++++++++++
|
|
2 files changed, 63 insertions(+), 1 deletion(-)
|
|
create mode 100644 test/smime-eml/pkcs7-empty-digest-set.eml
|
|
|
|
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
|
|
index 152a1a55a0a..cf76537200e 100644
|
|
--- a/test/recipes/80-test_cms.t
|
|
+++ b/test/recipes/80-test_cms.t
|
|
@@ -56,7 +56,7 @@ my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib)
|
|
|
|
$no_rc2 = 1 if disabled("legacy");
|
|
|
|
-plan tests => 32;
|
|
+plan tests => 33;
|
|
|
|
ok(run(test(["pkcs7_test"])), "test pkcs7");
|
|
|
|
@@ -1263,6 +1263,23 @@ subtest "CMS code signing test" => sub {
|
|
"fail verify CMS signature with code signing certificate for purpose smime_sign");
|
|
};
|
|
|
|
+# Regression test for PKCS7_verify() ownership handling when
|
|
+# digestAlgorithms is an empty SET.
|
|
+# The malformed structure must fail cleanly without crashing or
|
|
+# triggering use-after-free behaviour.
|
|
+with({ exit_checker => sub { return shift == 4; } },
|
|
+ sub {
|
|
+ ok(run(app([
|
|
+ 'openssl', 'smime',
|
|
+ '-verify',
|
|
+ '-noverify',
|
|
+ '-in',
|
|
+ srctop_file('test', 'smime-eml',
|
|
+ 'pkcs7-empty-digest-set.eml'),
|
|
+ ])),
|
|
+ "Check empty digestAlgorithms SET is handled safely");
|
|
+ });
|
|
+
|
|
# Test case for missing MD algorithm (must not segfault)
|
|
|
|
with({ exit_checker => sub { return shift == 4; } },
|
|
diff --git a/test/smime-eml/pkcs7-empty-digest-set.eml b/test/smime-eml/pkcs7-empty-digest-set.eml
|
|
new file mode 100644
|
|
index 00000000000..a6db2c38adf
|
|
--- /dev/null
|
|
+++ b/test/smime-eml/pkcs7-empty-digest-set.eml
|
|
@@ -0,0 +1,45 @@
|
|
+MIME-Version: 1.0
|
|
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----E0314CC5D732C92AE2D7A3BACDCDCFCE"
|
|
+
|
|
+This is an S/MIME signed message
|
|
+
|
|
+------E0314CC5D732C92AE2D7A3BACDCDCFCE
|
|
+This is the content to be signed.
|
|
+
|
|
+------E0314CC5D732C92AE2D7A3BACDCDCFCE
|
|
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
|
|
+Content-Transfer-Encoding: base64
|
|
+Content-Disposition: attachment; filename="smime.p7s"
|
|
+
|
|
+MIIFWgYJKoZIhvcNAQcCoIIFSzCCBUcCAQExADALBgkqhkiG9w0BBwGgggLuMIIC
|
|
+6jCCAdKgAwIBAgIUL5E46FxyhsT7C3G1NS27OtR7XAowDQYJKoZIhvcNAQELBQAw
|
|
+FTETMBEGA1UEAwwKUG9DIFNpZ25lcjAeFw0yNjA1MDgxMDIwNDhaFw0yNzA1MDgx
|
|
+MDIwNDhaMBUxEzARBgNVBAMMClBvQyBTaWduZXIwggEiMA0GCSqGSIb3DQEBAQUA
|
|
+A4IBDwAwggEKAoIBAQDSSu/gupmIlclvmTMHiqOrCqmB8NRTjAMoI//MPJrnFXYp
|
|
+FjDPMk7Y/kCcHztudaIvADkowaFtOm4oMinQFhjwCNCo5K5WrrlAitnpcd5QH2nA
|
|
+iVZXjjohQUJEd7n33AGqTwo5EGaCK+alAZL7tA7bdhNi/aZ33L3bUNYqoHbXiNsE
|
|
+u1tj8frLfIjduOt0TMPSOrrFjjEsrL3T3tg+HmxpalDHz7E6o9zJu0wlk8bcR2Xk
|
|
+mpX8RdYCu7K9m39N1F2WKa9WJh24NQLpWRfwD213jaIFK2EXy/XHePDUeiMYtVOV
|
|
+oovCSmY7OqowupA7J+4dcsnRjFqgZECctHhAfk+PAgMBAAGjMjAwMB0GA1UdDgQW
|
|
+BBRZlupXNYq4fny0SE76sr/CdQ2DUTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3
|
|
+DQEBCwUAA4IBAQANOlttTWVz620JNTrPzhiR4x9+5UiF4GSqv8BRJQFj3Xh7fsUp
|
|
++3GDs9M27f4FVh3utJsjt7Sa9ZWLpBVdgjGBwGLAtPsoYMjhnUgZTUvwEk5+aXyv
|
|
+zJxn4I7mMbDhlNCMHcVtGdtA+2UOEuvdGfuEilpzPsV8DzM1K3xU5bSWoo0BRFKK
|
|
+srHkyEfxCFPAQOcX80ZbMO6zdcXeJjC6mQXGqy2aqeQob0vuSZJ7QHZBlRjY5YHR
|
|
+wWlIqG8G3Eist16iTqdX2PQFZT1/QAEQ/LnXARTUUjUroccdci8YNASoeHDpcjRL
|
|
+MBrN+QBNZVt5qLhDogwZb2ZwqKfZ8Aqg3oAkMYICPzCCAjsCAQEwLTAVMRMwEQYD
|
|
+VQQDDApQb0MgU2lnbmVyAhQvkTjoXHKGxPsLcbU1Lbs61HtcCjANBglghkgBZQME
|
|
+AgEFAKCB5DAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEP
|
|
+Fw0yNjA1MDgxMDIwNDhaMC8GCSqGSIb3DQEJBDEiBCAvyoHfycLqb8UzVPizy1uA
|
|
+o3h7tza3HebeiJaSnpIJHzB5BgkqhkiG9w0BCQ8xbDBqMAsGCWCGSAFlAwQBKjAL
|
|
+BglghkgBZQMEARYwCwYJYIZIAWUDBAECMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMC
|
|
+AgIAgDANBggqhkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDANBgkq
|
|
+hkiG9w0BAQEFAASCAQBIpl7U2j4YiU1vdZHyx2dCK41ZahtTVOB4RVJcrmopgans
|
|
+fICdkSTfb0dVqc13++bYn4i1b2R2os5YIkoGxdrM5aZB7KF9r1xwgrendTF4/BwP
|
|
+gQq2khNtKebv9Yr0kOPynFIsgx5BHk99wrzfwidJUFuJJgQ9W0YOf7EGkbnZvPT+
|
|
+hV0aeLmJAb5jjWhbDciqUjR3O23JQhzVj4U3vo2TeN7VYmNJsX+fA4sZzIbYSei9
|
|
+ps7GZruiRcKgqgUj1l8HjIGMHqd9lccchk/BYyAGxAbgGisntvfJdPZO09wG8rHh
|
|
+eS6FYkkXAKBO49WbhE9aVLJH0zgA6gTfyEvOOOS1
|
|
+
|
|
+------E0314CC5D732C92AE2D7A3BACDCDCFCE--
|
|
+
|