pool/openssl-3
SHA256
17
0
Fork 2
Code Issues Pull Requests Activity
Files
factory
openssl-3/openssl-CVE-2026-22795.patch
Pedro Monreal Gonzalez b0d78d2994 - Security fixes: 
* Missing ASN1_TYPE validation in PKCS#12 parsing
    - openssl-CVE-2026-22795.patch [bsc#1256839, CVE-2026-22795]
  * ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function
    - openssl-CVE-2026-22795.patch [bsc#1256840, CVE-2026-22796]
  * Missing ASN1_TYPE validation in TS_RESP_verify_response() function
    - openssl-CVE-2025-69420.patch [bsc#1256837, CVE-2025-69420]
  * NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function
    - openssl-CVE-2025-69421.patch [bsc#1256838, CVE-2025-69421]
  * Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion
    - openssl-CVE-2025-69419.patch [bsc#1256836, CVE-2025-69419]
  * TLS 1.3 CompressedCertificate excessive memory allocation
    - openssl-CVE-2025-66199.patch [bsc#1256833, CVE-2025-66199]
  * Heap out-of-bounds write in BIO_f_linebuffer on short writes
    - openssl-CVE-2025-68160.patch [bsc#1256834, CVE-2025-68160]
  * Unauthenticated/unencrypted trailing bytes with low-level OCB function calls
    - openssl-CVE-2025-69418.patch [bsc#1256835, CVE-2025-69418]
  * 'openssl dgst' one-shot codepath silently truncates inputs greater than 16MB
    - openssl-CVE-2025-15469.patch [bsc#1256832, CVE-2025-15469]
  * Stack buffer overflow in CMS AuthEnvelopedData parsing
    - openssl-CVE-2025-15467.patch [bsc#1256830, CVE-2025-15467]
    - openssl-CVE-2025-15467-comments.patch
    - openssl-CVE-2025-15467-test.patch
  * Improper validation of PBMAC1 parameters in PKCS#12 MAC verification
    - openssl-CVE-2025-11187.patch [bsc#1256829, CVE-2025-11187]
  * NULL dereference in SSL_CIPHER_find() function on unknown cipher ID
    - openssl-CVE-2025-15468.patch [bsc#1256831, CVE-2025-15468]
- Enable livepatching support for ppc64le [bsc#1257274]

- Security fix: [bsc#1250232 CVE-2025-9230]

OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=160
2026-02-19 15:28:42 +00:00

72 lines
2.8 KiB
Diff
Raw Permalink Blame History

From 572844beca95068394c916626a6d3a490f831a49 Mon Sep 17 00:00:00 2001
From: Bob Beck <beck@openssl.org>
Date: Wed, 7 Jan 2026 11:29:48 -0700
Subject: [PATCH] Ensure ASN1 types are checked before use.
Some of these were fixed by LibreSSL in commit https://github.com/openbsd/src/commit/aa1f637d454961d22117b4353f98253e984b3ba8
this fix includes the other fixes in that commit, as well as fixes for others found by a scan
for a similar unvalidated access paradigm in the tree.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29582)
---
apps/s_client.c | 3 ++-
crypto/pkcs12/p12_kiss.c | 10 ++++++++--
crypto/pkcs7/pk7_doit.c | 2 ++
3 files changed, 12 insertions(+), 3 deletions(-)
Index: openssl-3.5.0/apps/s_client.c
===================================================================
--- openssl-3.5.0.orig/apps/s_client.c
+++ openssl-3.5.0/apps/s_client.c
@@ -2834,8 +2834,9 @@ int s_client_main(int argc, char **argv)
goto end;
}
atyp = ASN1_generate_nconf(genstr, cnf);
- if (atyp == NULL) {
+ if (atyp == NULL || atyp->type != V_ASN1_SEQUENCE) {
NCONF_free(cnf);
+ ASN1_TYPE_free(atyp);
BIO_printf(bio_err, "ASN1_generate_nconf failed\n");
goto end;
}
Index: openssl-3.5.0/crypto/pkcs12/p12_kiss.c
===================================================================
--- openssl-3.5.0.orig/crypto/pkcs12/p12_kiss.c
+++ openssl-3.5.0/crypto/pkcs12/p12_kiss.c
@@ -197,11 +197,17 @@ static int parse_bag(PKCS12_SAFEBAG *bag
ASN1_BMPSTRING *fname = NULL;
ASN1_OCTET_STRING *lkid = NULL;
- if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_friendlyName)))
+ if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_friendlyName))) {
+ if (attrib->type != V_ASN1_BMPSTRING)
+ return 0;
fname = attrib->value.bmpstring;
+ }
- if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_localKeyID)))
+ if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_localKeyID))) {
+ if (attrib->type != V_ASN1_OCTET_STRING)
+ return 0;
lkid = attrib->value.octet_string;
+ }
switch (PKCS12_SAFEBAG_get_nid(bag)) {
case NID_keyBag:
Index: openssl-3.5.0/crypto/pkcs7/pk7_doit.c
===================================================================
--- openssl-3.5.0.orig/crypto/pkcs7/pk7_doit.c
+++ openssl-3.5.0/crypto/pkcs7/pk7_doit.c
@@ -1228,6 +1228,8 @@ ASN1_OCTET_STRING *PKCS7_digest_from_att
ASN1_TYPE *astype;
if ((astype = get_attribute(sk, NID_pkcs9_messageDigest)) == NULL)
return NULL;
+ if (astype->type != V_ASN1_OCTET_STRING)
+ return NULL;
return astype->value.octet_string;
}
Reference in New Issue View Git Blame Copy Permalink