pool/openssl-3
SHA256
17
0
Fork 2
Code Issues Pull Requests Activity
Files
factory
openssl-3/openssl-CVE-2025-69420.patch
Pedro Monreal Gonzalez b0d78d2994 - Security fixes: 
* Missing ASN1_TYPE validation in PKCS#12 parsing
    - openssl-CVE-2026-22795.patch [bsc#1256839, CVE-2026-22795]
  * ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function
    - openssl-CVE-2026-22795.patch [bsc#1256840, CVE-2026-22796]
  * Missing ASN1_TYPE validation in TS_RESP_verify_response() function
    - openssl-CVE-2025-69420.patch [bsc#1256837, CVE-2025-69420]
  * NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function
    - openssl-CVE-2025-69421.patch [bsc#1256838, CVE-2025-69421]
  * Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion
    - openssl-CVE-2025-69419.patch [bsc#1256836, CVE-2025-69419]
  * TLS 1.3 CompressedCertificate excessive memory allocation
    - openssl-CVE-2025-66199.patch [bsc#1256833, CVE-2025-66199]
  * Heap out-of-bounds write in BIO_f_linebuffer on short writes
    - openssl-CVE-2025-68160.patch [bsc#1256834, CVE-2025-68160]
  * Unauthenticated/unencrypted trailing bytes with low-level OCB function calls
    - openssl-CVE-2025-69418.patch [bsc#1256835, CVE-2025-69418]
  * 'openssl dgst' one-shot codepath silently truncates inputs greater than 16MB
    - openssl-CVE-2025-15469.patch [bsc#1256832, CVE-2025-15469]
  * Stack buffer overflow in CMS AuthEnvelopedData parsing
    - openssl-CVE-2025-15467.patch [bsc#1256830, CVE-2025-15467]
    - openssl-CVE-2025-15467-comments.patch
    - openssl-CVE-2025-15467-test.patch
  * Improper validation of PBMAC1 parameters in PKCS#12 MAC verification
    - openssl-CVE-2025-11187.patch [bsc#1256829, CVE-2025-11187]
  * NULL dereference in SSL_CIPHER_find() function on unknown cipher ID
    - openssl-CVE-2025-15468.patch [bsc#1256831, CVE-2025-15468]
- Enable livepatching support for ppc64le [bsc#1257274]

- Security fix: [bsc#1250232 CVE-2025-9230]

OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=160
2026-02-19 15:28:42 +00:00

41 lines
1.5 KiB
Diff
Raw Permalink Blame History

From 6453d278557c8719233793730ec500c84aea55d9 Mon Sep 17 00:00:00 2001
From: Bob Beck <beck@openssl.org>
Date: Wed, 7 Jan 2026 11:29:48 -0700
Subject: [PATCH] Verify ASN1 object's types before attempting to access them
as a particular type
Issue was reported in ossl_ess_get_signing_cert but is also present in
ossl_ess_get_signing_cert_v2.
Fixes: https://github.com/openssl/srt/issues/61
Fixes CVE-2025-69420
---
crypto/ts/ts_rsp_verify.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c
index 3876e30f47..40dab687d1 100644
--- a/crypto/ts/ts_rsp_verify.c
+++ b/crypto/ts/ts_rsp_verify.c
@@ -209,7 +209,7 @@ static ESS_SIGNING_CERT *ossl_ess_get_signing_cert(const PKCS7_SIGNER_INFO *si)
const unsigned char *p;
attr = PKCS7_get_signed_attribute(si, NID_id_smime_aa_signingCertificate);
- if (attr == NULL)
+ if (attr == NULL || attr->type != V_ASN1_SEQUENCE)
return NULL;
p = attr->value.sequence->data;
return d2i_ESS_SIGNING_CERT(NULL, &p, attr->value.sequence->length);
@@ -221,7 +221,7 @@ static ESS_SIGNING_CERT_V2 *ossl_ess_get_signing_cert_v2(const PKCS7_SIGNER_INFO
const unsigned char *p;
attr = PKCS7_get_signed_attribute(si, NID_id_smime_aa_signingCertificateV2);
- if (attr == NULL)
+ if (attr == NULL || attr->type != V_ASN1_SEQUENCE)
return NULL;
p = attr->value.sequence->data;
return d2i_ESS_SIGNING_CERT_V2(NULL, &p, attr->value.sequence->length);
--
2.51.0
Reference in New Issue View Git Blame Copy Permalink