From 3c2c52cdcef8e134c467150d5b17a8fde9dc8f39 Mon Sep 17 00:00:00 2001 From: zhaohang_mskdxl Date: Wed, 10 Dec 2025 18:24:20 +0800 Subject: [PATCH] Update code from upstream --- ...ncorrect-check-of-unwrapped-key-size.patch | 33 +++++++++++++++++++ openssl.spec | 7 +++- 2 files changed, 39 insertions(+), 1 deletion(-) create mode 100644 0059-Fix-incorrect-check-of-unwrapped-key-size.patch diff --git a/0059-Fix-incorrect-check-of-unwrapped-key-size.patch b/0059-Fix-incorrect-check-of-unwrapped-key-size.patch new file mode 100644 index 0000000..59314fc --- /dev/null +++ b/0059-Fix-incorrect-check-of-unwrapped-key-size.patch @@ -0,0 +1,33 @@ +From 9c462be2cea54ebfc62953224220b56f8ba22a0c Mon Sep 17 00:00:00 2001 +From: Viktor Dukhovni +Date: Thu, 11 Sep 2025 18:10:12 +0200 +Subject: [PATCH] kek_unwrap_key(): Fix incorrect check of unwrapped key size + +Fixes CVE-2025-9230 + +The check is off by 8 bytes so it is possible to overread by +up to 8 bytes and overwrite up to 4 bytes. + +Reviewed-by: Neil Horman +Reviewed-by: Matt Caswell +Reviewed-by: Tomas Mraz +--- + crypto/cms/cms_pwri.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/crypto/cms/cms_pwri.c b/crypto/cms/cms_pwri.c +index 106bd98dc7..ba8646f93c 100644 +--- a/crypto/cms/cms_pwri.c ++++ b/crypto/cms/cms_pwri.c +@@ -243,7 +243,7 @@ static int kek_unwrap_key(unsigned char *out, size_t *outlen, + /* Check byte failure */ + goto err; + } +- if (inlen < (size_t)(tmp[0] - 4)) { ++ if (inlen < 4 + (size_t)tmp[0]) { + /* Invalid length value */ + goto err; + } +-- +2.51.0 + diff --git a/openssl.spec b/openssl.spec index a889144..aca24ba 100644 --- a/openssl.spec +++ b/openssl.spec @@ -1,4 +1,4 @@ -%define anolis_release 15 +%define anolis_release 16 %global soversion 3 %define srpmhash() %{lua: @@ -115,6 +115,7 @@ Patch58: 1008-fix-CVE-2024-9143.patch Patch59: 1009-fix-CVE-2024-13176.patch Patch100: add-sw_64-support.patch +Patch60: 0059-Fix-incorrect-check-of-unwrapped-key-size.patch BuildRequires: gcc git coreutils perl-interpreter sed zlib-devel /usr/bin/cmp BuildRequires: lksctp-tools-devel @@ -319,6 +320,10 @@ rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/{openssl.cnf.dist,ct_log_list.cnf.di %doc NEWS.md README.md %changelog +* Thu Sep 11 2025 OpenSSL Security Team - 1:3.0.12-16 +- Patch CVE-2025-9230: Fix incorrect check of unwrapped key size in kek_unwrap_key() +- Prevent up to 8-byte overread and 4-byte overwrite in CMS key unwrapping + * Wed Aug 13 2025 lzq11122 1:3.0.12-15 - fix build error for sw_64 -- Gitee