Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package openssl-3 for openSUSE:Factory 
checked in at 2026-02-23 16:11:51
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openssl-3 (Old)
 and      /work/SRC/openSUSE:Factory/.openssl-3.new.1977 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "openssl-3"

Mon Feb 23 16:11:51 2026 rev:47 rq:1334213 version:3.5.3

Changes:
--------
--- /work/SRC/openSUSE:Factory/openssl-3/openssl-3.changes      2025-09-18 
21:07:56.680564665 +0200
+++ /work/SRC/openSUSE:Factory/.openssl-3.new.1977/openssl-3.changes    
2026-02-23 16:11:53.487714012 +0100
@@ -1,0 +2,50 @@
+Fri Jan 30 19:14:25 UTC 2026 - Giuliano Belinassi <[email protected]>
+
+- Do not guard ulp-macros with arch x86-64.
+
+-------------------------------------------------------------------
+Tue Jan 27 14:04:21 UTC 2026 - Lucas Mulling <[email protected]>
+
+- Security fixes:
+  * Missing ASN1_TYPE validation in PKCS#12 parsing
+    - openssl-CVE-2026-22795.patch [bsc#1256839, CVE-2026-22795]
+  * ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function
+    - openssl-CVE-2026-22795.patch [bsc#1256840, CVE-2026-22796]
+  * Missing ASN1_TYPE validation in TS_RESP_verify_response() function
+    - openssl-CVE-2025-69420.patch [bsc#1256837, CVE-2025-69420]
+  * NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function
+    - openssl-CVE-2025-69421.patch [bsc#1256838, CVE-2025-69421]
+  * Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion
+    - openssl-CVE-2025-69419.patch [bsc#1256836, CVE-2025-69419]
+  * TLS 1.3 CompressedCertificate excessive memory allocation
+    - openssl-CVE-2025-66199.patch [bsc#1256833, CVE-2025-66199]
+  * Heap out-of-bounds write in BIO_f_linebuffer on short writes
+    - openssl-CVE-2025-68160.patch [bsc#1256834, CVE-2025-68160]
+  * Unauthenticated/unencrypted trailing bytes with low-level OCB function 
calls
+    - openssl-CVE-2025-69418.patch [bsc#1256835, CVE-2025-69418]
+  * 'openssl dgst' one-shot codepath silently truncates inputs greater than 
16MB
+    - openssl-CVE-2025-15469.patch [bsc#1256832, CVE-2025-15469]
+  * Stack buffer overflow in CMS AuthEnvelopedData parsing
+    - openssl-CVE-2025-15467.patch [bsc#1256830, CVE-2025-15467]
+    - openssl-CVE-2025-15467-comments.patch
+    - openssl-CVE-2025-15467-test.patch
+  * Improper validation of PBMAC1 parameters in PKCS#12 MAC verification
+    - openssl-CVE-2025-11187.patch [bsc#1256829, CVE-2025-11187]
+  * NULL dereference in SSL_CIPHER_find() function on unknown cipher ID
+    - openssl-CVE-2025-15468.patch [bsc#1256831, CVE-2025-15468]
+- Enable livepatching support for ppc64le [bsc#1257274]
+
+-------------------------------------------------------------------
+Wed Oct  1 00:08:17 UTC 2025 - Lucas Mulling <[email protected]>
+
+- Security fix: [bsc#1250232 CVE-2025-9230]
+  * Fix out-of-bounds read & write in RFC 3211 KEK unwrap
+  * Add patch openssl-CVE-2025-9230.patch
+- Security fix: [bsc#1250233 CVE-2025-9231]
+  * Fix timing side-channel in SM2 algorithm on 64 bit ARM
+  * Add patch openssl-CVE-2025-9231.patch
+- Security fix: [bsc#1250234 CVE-2025-9232]
+  * Fix out-of-bounds read in HTTP client no_proxy handling
+  * Add patch openssl-CVE-2025-9232.patch
+
+-------------------------------------------------------------------

New:
----
  openssl-CVE-2025-11187.patch
  openssl-CVE-2025-15467-comments.patch
  openssl-CVE-2025-15467-test.patch
  openssl-CVE-2025-15467.patch
  openssl-CVE-2025-15468.patch
  openssl-CVE-2025-15469.patch
  openssl-CVE-2025-66199.patch
  openssl-CVE-2025-68160.patch
  openssl-CVE-2025-69418.patch
  openssl-CVE-2025-69419.patch
  openssl-CVE-2025-69420.patch
  openssl-CVE-2025-69421.patch
  openssl-CVE-2025-9230.patch
  openssl-CVE-2025-9231.patch
  openssl-CVE-2025-9232.patch
  openssl-CVE-2026-22795.patch


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ openssl-3.spec ++++++
--- /var/tmp/diff_new_pack.wzlgE4/_old  2026-02-23 16:11:54.871771067 +0100
+++ /var/tmp/diff_new_pack.wzlgE4/_new  2026-02-23 16:11:54.875771232 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package openssl-3
 #
-# Copyright (c) 2025 SUSE LLC and contributors
+# Copyright (c) 2026 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -126,13 +126,42 @@
 Patch44:        openssl-FIPS-Fix-openssl-speed-KMAC.patch
 # PATCH-FIX-SUSE Fix a bogus warning caused by -Wfree-nonheap-object
 Patch45:        openssl-Fix-Wfree-nonheap-object-warning.patch
+# PATCH-FIX-UPSTREAM bsc#1250232 CVE-2025-9230: Fix out-of-bounds read & write 
in RFC 3211 KEK Unwrap
+Patch46:        openssl-CVE-2025-9230.patch
+# PATCH-FIX-UPSTREAM bsc#1250233 CVE-2025-9231: Fix timing side-channel in SM2 
algorithm on 64 bit ARM
+Patch47:        openssl-CVE-2025-9231.patch
+# PATCH-FIX-UPSTREAM bsc#1250234 CVE-2025-9232: Fix out-of-bounds read in HTTP 
client no_proxy handling
+Patch48:        openssl-CVE-2025-9232.patch
+# PATCH-FIX-UPSTREAM bsc#1256839 CVE-2026-22795: Missing ASN1_TYPE validation 
in PKCS#12 parsing
+# PATCH-FIX-UPSTREAM bsc#1256840 CVE-2026-22796: ASN1_TYPE Type Confusion in 
the PKCS7_digest_from_attributes() function
+Patch50:        openssl-CVE-2026-22795.patch
+# PATCH-FIX-UPSTREAM bsc#1256837 CVE-2025-69420: Missing ASN1_TYPE validation 
in TS_RESP_verify_response() function
+Patch51:        openssl-CVE-2025-69420.patch
+# PATCH-FIX-UPSTREAM bsc#1256838 CVE-2025-69421: NULL Pointer Dereference in 
PKCS12_item_decrypt_d2i_ex function
+Patch52:        openssl-CVE-2025-69421.patch
+# PATCH-FIX-UPSTREAM bsc#1256836 CVE-2025-69419: Out of bounds write in 
PKCS12_get_friendlyname() UTF-8 function
+Patch53:        openssl-CVE-2025-69419.patch
+# PATCH-FIX-UPSTREAM bsc#1256833 CVE-2025-66199: TLS 1.3 CompressedCertificate 
excessive memory allocation
+Patch54:        openssl-CVE-2025-66199.patch
+# PATCH-FIX-UPSTREAM bsc#1256834 CVE-2025-68160: Heap out-of-bounds write in 
BIO_f_linebuffer on short writes
+Patch55:        openssl-CVE-2025-68160.patch
+# PATCH-FIX-UPSTREAM bsc#1256835 CVE-2025-69418: Unauthenticated/unencrypted 
trailing bytes with low-level OCB function calls
+Patch56:        openssl-CVE-2025-69418.patch
+# PATCH-FIX-UPSTREAM bsc#1256832 CVE-2025-15469: 'openssl dgst' one-shot 
codepath silently truncates inputs greater than 16MB
+Patch57:        openssl-CVE-2025-15469.patch
+# PATCH-FIX-UPSTREAM bsc#1256830 CVE-2025-15467: Stack buffer overflow in CMS 
AuthEnvelopedData parsing
+Patch58:        openssl-CVE-2025-15467.patch
+Patch59:        openssl-CVE-2025-15467-comments.patch
+Patch60:        openssl-CVE-2025-15467-test.patch
+# PATCH-FIX-UPSTREAM bsc#1256829 CVE-2025-11187: Improper validation of PBMAC1 
parameters in PKCS#12 MAC verification
+Patch61:        openssl-CVE-2025-11187.patch
+# PATCH-FIX-UPSTREAM bsc#1256831 CVE-2025-15468: NULL dereference in 
SSL_CIPHER_find() function on unknown cipher ID
+Patch62:        openssl-CVE-2025-15468.patch
 
 # ulp-macros is available according to SUSE version.
-%ifarch x86_64
 %if 0%{?sle_version} >= 150400 || 0%{?suse_version} >= 1540
 BuildRequires:  ulp-macros
 %endif
-%endif
 BuildRequires:  pkgconfig
 BuildRequires:  pkgconfig(zlib)
 Requires:       libopenssl3 = %{version}-%{release}
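Review bot: the patch numbering jumps from Patch48 to Patch50, and the hunk adds no matching %patch application lines, so confirm that %prep applies patches via %autosetup/%autopatch (otherwise Patch46 to Patch62 are declared but never applied) and either fill the Patch49 gap or renumber. The comment on Patch53 says "UTF-8 function" where the changelog entry says "UTF-8 conversion"; keep the two consistent. Dropping the %ifarch x86_64 guard around `BuildRequires: ulp-macros` means every architecture that passes the sle_version/suse_version test now pulls in ulp-macros, so verify that package resolves on all built architectures, not only ppc64le, or the build fails at dependency resolution.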


++++++ openssl-CVE-2025-11187.patch ++++++
>From a26d82c5b141c706bc97455cde511e710c2510a9 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <[email protected]>
Date: Thu, 8 Jan 2026 14:31:19 +0100
Subject: [PATCH] pkcs12: Validate salt and keylength in PBMAC1

The keylength value must be present and we accept
EVP_MAX_MD_SIZE at maximum.

The salt ASN.1 type must be OCTET STRING.

Fixes CVE-2025-11187

Reported by Stanislav Fort (Aisle Research) and Petr Simecek (Aisle Research).
Reported independently also by Hamza (Metadust).
---
 crypto/pkcs12/p12_mutl.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

Index: openssl-3.5.0/crypto/pkcs12/p12_mutl.c
===================================================================
--- openssl-3.5.0.orig/crypto/pkcs12/p12_mutl.c
+++ openssl-3.5.0/crypto/pkcs12/p12_mutl.c
@@ -122,8 +122,6 @@ static int PBMAC1_PBKDF2_HMAC(OSSL_LIB_C
         ERR_raise(ERR_LIB_PKCS12, ERR_R_UNSUPPORTED);
         goto err;
     }
-    keylen = ASN1_INTEGER_get(pbkdf2_param->keylength);
-    pbkdf2_salt = pbkdf2_param->salt->value.octet_string;
 
     if (pbkdf2_param->prf == NULL) {
         kdf_hmac_nid = NID_hmacWithSHA1;
@@ -138,6 +136,22 @@ static int PBMAC1_PBKDF2_HMAC(OSSL_LIB_C
         goto err;
     }
 
+    /* Validate salt is an OCTET STRING choice */
+    if (pbkdf2_param->salt == NULL
+        || pbkdf2_param->salt->type != V_ASN1_OCTET_STRING) {
+        ERR_raise(ERR_LIB_PKCS12, PKCS12_R_PARSE_ERROR);
+        goto err;
+    }
+    pbkdf2_salt = pbkdf2_param->salt->value.octet_string;
+
+    /* RFC 9579 specifies missing key length as invalid */
+    if (pbkdf2_param->keylength != NULL)
+        keylen = ASN1_INTEGER_get(pbkdf2_param->keylength);
+    if (keylen <= 0 || keylen > EVP_MAX_MD_SIZE) {
+        ERR_raise(ERR_LIB_PKCS12, PKCS12_R_PARSE_ERROR);
+        goto err;
+    }
+
     if (PKCS5_PBKDF2_HMAC(pass, passlen, pbkdf2_salt->data, 
pbkdf2_salt->length,
                           ASN1_INTEGER_get(pbkdf2_param->iter), kdf_md, 
keylen, key) <= 0) {
         ERR_raise(ERR_LIB_PKCS12, ERR_R_INTERNAL_ERROR);
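Review bot: the `keylen <= 0 || keylen > EVP_MAX_MD_SIZE` test only catches a missing keylength if `keylen` is initialised (to 0 or -1) at its declaration, because the assignment from ASN1_INTEGER_get() is now conditional on `pbkdf2_param->keylength != NULL`; the declaration is outside this hunk, so confirm it, otherwise a PBMAC1 structure without keylength compares an indeterminate value. ASN1_INTEGER_get() returns -1 for values that do not fit a long, which the `<= 0` branch covers. The iteration count is still passed through `ASN1_INTEGER_get(pbkdf2_param->iter)` unchecked at the PKCS5_PBKDF2_HMAC() call; a range check there would match the treatment now given to keylength and salt.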

++++++ openssl-CVE-2025-15467-comments.patch ++++++
>From 6fb47957bfb0aef2deaa7df7aebd4eb52ffe20ce Mon Sep 17 00:00:00 2001
From: Igor Ustinov <[email protected]>
Date: Mon, 12 Jan 2026 12:15:42 +0100
Subject: [PATCH] Some comments to clarify function usage

---
 crypto/asn1/evp_asn1.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

Index: openssl-3.5.0/crypto/asn1/evp_asn1.c
===================================================================
--- openssl-3.5.0.orig/crypto/asn1/evp_asn1.c
+++ openssl-3.5.0/crypto/asn1/evp_asn1.c
@@ -60,6 +60,12 @@ static ossl_inline void asn1_type_init_o
     oct->flags = 0;
 }
 
+/*
+ * This function copies 'anum' to 'num' and the data of 'oct' to 'data'.
+ * If the length of 'data' > 'max_len', copies only the first 'max_len'
+ * bytes, but returns the full length of 'oct'; this allows distinguishing
+ * whether all the data was copied.
+ */
 static int asn1_type_get_int_oct(ASN1_OCTET_STRING *oct, int32_t anum,
                                  long *num, unsigned char *data, int max_len)
 {
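Review bot: the sentence "If the length of 'data' > 'max_len'" in the new comment is inverted: 'data' is the caller's output buffer of size 'max_len', and it is the length of 'oct' that may exceed it; say "If the length of 'oct' > 'max_len', only the first 'max_len' bytes are copied into 'data'". The same sentence recurs in the two comments added later in this patch and should be corrected there as well. Since the return value is the full 'oct' length, callers must compare it against 'max_len' before treating 'data' as complete, which is exactly the check the evp_lib.c fix in this submission adds.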
@@ -106,6 +112,13 @@ int ASN1_TYPE_set_int_octetstring(ASN1_T
     return 0;
 }
 
+/*
+ * This function decodes an int-octet sequence and copies the integer to 'num'
+ * and the data of octet to 'data'.
+ * If the length of 'data' > 'max_len', copies only the first 'max_len'
+ * bytes, but returns the full length of 'oct'; this allows distinguishing
+ * whether all the data was copied.
+ */
 int ASN1_TYPE_get_int_octetstring(const ASN1_TYPE *a, long *num,
                                   unsigned char *data, int max_len)
 {
@@ -162,6 +175,13 @@ int ossl_asn1_type_set_octetstring_int(A
     return 0;
 }
 
+/*
+ * This function decodes an octet-int sequence and copies the data of octet
+ * to 'data' and the integer to 'num'.
+ * If the length of 'data' > 'max_len', copies only the first 'max_len'
+ * bytes, but returns the full length of 'oct'; this allows distinguishing
+ * whether all the data was copied.
+ */
 int ossl_asn1_type_get_octetstring_int(const ASN1_TYPE *a, long *num,
                                        unsigned char *data, int max_len)
 {
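Review bot: the comment on ossl_asn1_type_get_octetstring_int() should also say whether 'data' may be NULL as a length-only query, because the pre-fix caller in evp_lib.c in this same submission used it that way (`ossl_asn1_type_get_octetstring_int(type, &tl, NULL, EVP_MAX_IV_LENGTH)`) and the contract for a NULL buffer is otherwise undocumented.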

++++++ openssl-CVE-2025-15467-test.patch ++++++
>From 1e8f5c7cd2c46b25a2877e8f3f4bbf954fbcdf77 Mon Sep 17 00:00:00 2001
From: Igor Ustinov <[email protected]>
Date: Sun, 11 Jan 2026 11:35:15 +0100
Subject: [PATCH] Test for handling of AEAD-encrypted CMS with inadmissibly
 long IV

---
 test/cmsapitest.c                             | 39 ++++++++++++++++++-
 test/recipes/80-test_cmsapi.t                 |  3 +-
 .../encDataWithTooLongIV.pem                  | 11 ++++++
 3 files changed, 50 insertions(+), 3 deletions(-)
 create mode 100644 test/recipes/80-test_cmsapi_data/encDataWithTooLongIV.pem

Index: openssl-3.5.0/test/cmsapitest.c
===================================================================
--- openssl-3.5.0.orig/test/cmsapitest.c
+++ openssl-3.5.0/test/cmsapitest.c
@@ -9,10 +9,10 @@
 
 #include <string.h>
 
+#include <openssl/pem.h>
 #include <openssl/cms.h>
 #include <openssl/bio.h>
 #include <openssl/x509.h>
-#include <openssl/pem.h>
 #include "../crypto/cms/cms_local.h" /* for d.signedData and d.envelopedData */
 
 #include "testutil.h"
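Review bot: moving `#include <openssl/pem.h>` above cms.h is an unrelated reordering that adds noise to a security test patch; leave the include list as it was unless the order actually matters.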
@@ -20,6 +20,7 @@
 static X509 *cert = NULL;
 static EVP_PKEY *privkey = NULL;
 static char *derin = NULL;
+static char *too_long_iv_cms_in = NULL;
 
 static int test_encrypt_decrypt(const EVP_CIPHER *cipher)
 {
@@ -385,6 +386,38 @@ end:
     return ret;
 }
 
+static int test_cms_aesgcm_iv_too_long(void)
+{
+    int ret = 0;
+    BIO *cmsbio = NULL, *out = NULL;
+    CMS_ContentInfo *cms = NULL;
+    unsigned long err = 0;
+
+    if (!TEST_ptr(cmsbio = BIO_new_file(too_long_iv_cms_in, "r")))
+        goto end;
+
+    if (!TEST_ptr(cms = PEM_read_bio_CMS(cmsbio, NULL, NULL, NULL)))
+        goto end;
+
+    /* Must fail cleanly (no crash) */
+    if (!TEST_false(CMS_decrypt(cms, privkey, cert, NULL, out, 0)))
+        goto end;
+    err = ERR_peek_last_error();
+    if (!TEST_ulong_ne(err, 0))
+        goto end;
+    if (!TEST_int_eq(ERR_GET_LIB(err), ERR_LIB_CMS))
+        goto end;
+    if (!TEST_int_eq(ERR_GET_REASON(err), 
CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR))
+        goto end;
+
+    ret = 1;
+end:
+    CMS_ContentInfo_free(cms);
+    BIO_free(cmsbio);
+    BIO_free(out);
+    return ret;
+}
+
 OPT_TEST_DECLARE_USAGE("certfile privkeyfile derfile\n")
 
 int setup_tests(void)
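Review bot: ERR_peek_last_error() is read without clearing the error queue first, so a leftover error from an earlier test in the same process could satisfy `TEST_ulong_ne(err, 0)` if CMS_decrypt() failed without raising one; add ERR_clear_error() before the CMS_decrypt() call. Passing `out = NULL` to CMS_decrypt() is acceptable for a test that expects failure during parameter initialisation, but a short comment stating that the NULL output BIO is intentional would help the next reader.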
@@ -399,7 +432,8 @@ int setup_tests(void)
 
     if (!TEST_ptr(certin = test_get_argument(0))
             || !TEST_ptr(privkeyin = test_get_argument(1))
-            || !TEST_ptr(derin = test_get_argument(2)))
+            || !TEST_ptr(derin = test_get_argument(2))
+            || !TEST_ptr(too_long_iv_cms_in = test_get_argument(3)))
         return 0;
 
     certbio = BIO_new_file(certin, "r");
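Review bot: a fourth positional argument is now required by setup_tests(), but the usage text declared just above with OPT_TEST_DECLARE_USAGE("certfile privkeyfile derfile\n") still names three; add the new file to it so the message on a wrong invocation is accurate.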
@@ -432,6 +466,7 @@ int setup_tests(void)
     ADD_TEST(test_CMS_add1_cert);
     ADD_TEST(test_d2i_CMS_bio_NULL);
     ADD_ALL_TESTS(test_d2i_CMS_decode, 2);
+    ADD_TEST(test_cms_aesgcm_iv_too_long);
     return 1;
 }
 
Index: openssl-3.5.0/test/recipes/80-test_cmsapi.t
===================================================================
--- openssl-3.5.0.orig/test/recipes/80-test_cmsapi.t
+++ openssl-3.5.0/test/recipes/80-test_cmsapi.t
@@ -18,5 +18,6 @@ plan tests => 1;
 
 ok(run(test(["cmsapitest", srctop_file("test", "certs", "servercert.pem"),
              srctop_file("test", "certs", "serverkey.pem"),
-             srctop_file("test", "recipes", "80-test_cmsapi_data", 
"encryptedData.der")])),
+             srctop_file("test", "recipes", "80-test_cmsapi_data", 
"encryptedData.der"),
+             srctop_file("test", "recipes", "80-test_cmsapi_data", 
"encDataWithTooLongIV.pem")])),
              "running cmsapitest");
Index: openssl-3.5.0/test/recipes/80-test_cmsapi_data/encDataWithTooLongIV.pem
===================================================================
--- /dev/null
+++ openssl-3.5.0/test/recipes/80-test_cmsapi_data/encDataWithTooLongIV.pem
@@ -0,0 +1,11 @@

++++++ openssl-CVE-2025-15467.patch ++++++
>From 190ba58c0a1d995d4da8b017054d4b74d138291c Mon Sep 17 00:00:00 2001
From: Igor Ustinov <[email protected]>
Date: Mon, 12 Jan 2026 12:13:35 +0100
Subject: [PATCH] Correct handling of AEAD-encrypted CMS with inadmissibly long
 IV

Fixes CVE-2025-15467
---
 crypto/evp/evp_lib.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c
index 9eae1d421c..58fa7ce43b 100644
--- a/crypto/evp/evp_lib.c
+++ b/crypto/evp/evp_lib.c
@@ -228,10 +228,9 @@ int evp_cipher_get_asn1_aead_params(EVP_CIPHER_CTX *c, 
ASN1_TYPE *type,
     if (type == NULL || asn1_params == NULL)
         return 0;
 
-    i = ossl_asn1_type_get_octetstring_int(type, &tl, NULL, EVP_MAX_IV_LENGTH);
-    if (i <= 0)
+    i = ossl_asn1_type_get_octetstring_int(type, &tl, iv, EVP_MAX_IV_LENGTH);
+    if (i <= 0 || i > EVP_MAX_IV_LENGTH)
         return -1;
-    ossl_asn1_type_get_octetstring_int(type, &tl, iv, i);
 
     memcpy(asn1_params->iv, iv, i);
     asn1_params->iv_len = i;
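Review bot: the fix is correct only because ossl_asn1_type_get_octetstring_int() copies at most `max_len` bytes into `iv` while returning the full encoded length, so the `i > EVP_MAX_IV_LENGTH` test runs after a bounded copy and before the memcpy into asn1_params->iv; that contract is documented in a separate commit (the -comments patch in this submission), so a one-line comment at this call site would stop a future reader from "simplifying" it back to the two-call query-then-copy form that caused the overflow.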
-- 
2.51.0

++++++ openssl-CVE-2025-15468.patch ++++++
>From 7da6afe3dac7d65b30f87f2c5d305b6e699bc5dc Mon Sep 17 00:00:00 2001
From: Daniel Kubec <[email protected]>
Date: Fri, 9 Jan 2026 14:33:24 +0100
Subject: [PATCH] ossl_quic_get_cipher_by_char(): Add a NULL guard before
 dereferencing SSL_CIPHER

Fixes CVE-2025-15468
---
 ssl/quic/quic_impl.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c
index 87c1370a8d..89c108a973 100644
--- a/ssl/quic/quic_impl.c
+++ b/ssl/quic/quic_impl.c
@@ -5222,6 +5222,8 @@ const SSL_CIPHER *ossl_quic_get_cipher_by_char(const 
unsigned char *p)
 {
     const SSL_CIPHER *ciph = ssl3_get_cipher_by_char(p);
 
+    if (ciph == NULL)
+        return NULL;
     if ((ciph->algorithm2 & SSL_QUIC) == 0)
         return NULL;
 
-- 
2.51.0


++++++ openssl-CVE-2025-15469.patch ++++++
>From ef48810aafdc3b8c6c4a85e52314caeec0cb596c Mon Sep 17 00:00:00 2001
From: Viktor Dukhovni <[email protected]>
Date: Wed, 7 Jan 2026 01:21:58 +1100
Subject: [PATCH] Report truncation in oneshot `openssl dgst -sign`

Previously, input was silently truncated at 16MB; now, if the input is
longer than the limit, an error is reported.

The bio_to_mem() apps helper function was changed to return 0 or 1,
and return the size of the result via an output size_t pointer.

Fixes CVE-2025-15469
---
 apps/dgst.c         |  7 +++---
 apps/include/apps.h |  2 +-
 apps/lib/apps.c     | 55 +++++++++++++++++++++++----------------------
 apps/pkeyutl.c      | 36 ++++++++++++++---------------
 4 files changed, 50 insertions(+), 50 deletions(-)

Index: openssl-3.5.0/apps/dgst.c
===================================================================
--- openssl-3.5.0.orig/apps/dgst.c
+++ openssl-3.5.0/apps/dgst.c
@@ -704,12 +704,11 @@ static int do_fp_oneshot_sign(BIO *out,
 {
     int res, ret = EXIT_FAILURE;
     size_t len = 0;
-    int buflen = 0;
-    int maxlen = 16 * 1024 * 1024;
+    size_t buflen = 0;
+    size_t maxlen = 16 * 1024 * 1024;
     uint8_t *buf = NULL, *sig = NULL;
 
-    buflen = bio_to_mem(&buf, maxlen, in);
-    if (buflen <= 0) {
+    if (!bio_to_mem(&buf, &buflen, maxlen, in)) {
         BIO_printf(bio_err, "Read error in %s\n", file);
         return ret;
     }
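Review bot: the commit message says oversize input now produces an error, but the only text the user sees is the generic "Read error in %s", which makes hitting the 16MB limit look like an I/O failure; since bio_to_mem() returns 0 for both cases, consider reporting the limit (for example "input exceeds %zu bytes") or otherwise distinguishing the two paths. The literal `16 * 1024 * 1024` is also duplicated as `maxsiglen` in pkeyutl.c in this same patch; a single named constant would keep the two limits from drifting apart.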
Index: openssl-3.5.0/apps/include/apps.h
===================================================================
--- openssl-3.5.0.orig/apps/include/apps.h
+++ openssl-3.5.0/apps/include/apps.h
@@ -254,7 +254,7 @@ int parse_yesno(const char *str, int def
 X509_NAME *parse_name(const char *str, int chtype, int multirdn,
                       const char *desc);
 void policies_print(X509_STORE_CTX *ctx);
-int bio_to_mem(unsigned char **out, int maxlen, BIO *in);
+int bio_to_mem(unsigned char **out, size_t *outlen, size_t maxlen, BIO *in);
 int pkey_ctrl_string(EVP_PKEY_CTX *ctx, const char *value);
 int x509_ctrl_string(X509 *x, const char *value);
 int x509_req_ctrl_string(X509_REQ *x, const char *value);
Index: openssl-3.5.0/apps/lib/apps.c
===================================================================
--- openssl-3.5.0.orig/apps/lib/apps.c
+++ openssl-3.5.0/apps/lib/apps.c
@@ -49,6 +49,7 @@
 #include "apps.h"
 
 #include "internal/sockets.h" /* for openssl_fdset() */
+#include "internal/numbers.h" /* for LONG_MAX */
 #include "internal/e_os.h"
 
 #ifdef _WIN32
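Review bot: the new include comment says `/* for LONG_MAX */`, but the code added in this patch uses SIZE_MAX, not LONG_MAX; fix the comment, or drop the include if internal/numbers.h is not what provides SIZE_MAX here.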
@@ -2059,45 +2060,45 @@ X509_NAME *parse_name(const char *cp, in
 }
 
 /*
- * Read whole contents of a BIO into an allocated memory buffer and return
- * it.
+ * Read whole contents of a BIO into an allocated memory buffer.
+ * The return value is one on success, zero on error.
+ * If `maxlen` is non-zero, at most `maxlen` bytes are returned, or else, if
+ * the input is longer than `maxlen`, an error is returned.
+ * If `maxlen` is zero, the limit is effectively `SIZE_MAX`.
  */
-
-int bio_to_mem(unsigned char **out, int maxlen, BIO *in)
+int bio_to_mem(unsigned char **out, size_t *outlen, size_t maxlen, BIO *in)
 {
+    unsigned char tbuf[4096];
     BIO *mem;
-    int len, ret;
-    unsigned char tbuf[1024];
+    BUF_MEM *bufm;
+    size_t sz = 0;
+    int len;
 
     mem = BIO_new(BIO_s_mem());
     if (mem == NULL)
-        return -1;
+        return 0;
     for (;;) {
-        if ((maxlen != -1) && maxlen < 1024)
-            len = maxlen;
-        else
-            len = 1024;
-        len = BIO_read(in, tbuf, len);
-        if (len < 0) {
-            BIO_free(mem);
-            return -1;
-        }
-        if (len == 0)
+        if ((len = BIO_read(in, tbuf, 4096)) == 0)
             break;
-        if (BIO_write(mem, tbuf, len) != len) {
+        if (len < 0
+            || BIO_write(mem, tbuf, len) != len
+            || sz > SIZE_MAX - len
+            || ((sz += len) > maxlen && maxlen != 0)) {
             BIO_free(mem);
-            return -1;
+            return 0;
         }
-        if (maxlen != -1)
-            maxlen -= len;
-
-        if (maxlen == 0)
-            break;
     }
-    ret = BIO_get_mem_data(mem, (char **)out);
-    BIO_set_flags(mem, BIO_FLAGS_MEM_RDONLY);
+
+    /* So BIO_free orphans BUF_MEM */
+    (void)BIO_set_close(mem, BIO_NOCLOSE);
+    BIO_get_mem_ptr(mem, &bufm);
     BIO_free(mem);
-    return ret;
+    *out = (unsigned char *)bufm->data;
+    *outlen = bufm->length;
+    /* Tell BUF_MEM to orphan data */
+    bufm->data = NULL;
+    BUF_MEM_free(bufm);
+    return 1;
 }
 
 int pkey_ctrl_string(EVP_PKEY_CTX *ctx, const char *value)
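Review bot: the return value of BIO_get_mem_ptr() is not checked before `bufm->data` is dereferenced; add the check. For an empty input the loop exits on the first read with `sz == 0`, and the function then reports success with `*outlen == 0` and possibly `*out == NULL`, whereas the old code's `buflen <= 0` test in dgst.c treated empty input as an error; callers now have to cope with a NULL buffer of length zero, which the updated comment block should state. Also `len` is int and `sz` is size_t, so the `sz > SIZE_MAX - len` guard relies on the implicit conversion of a positive `len`; an explicit `(size_t)len` makes the intent clear.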
Index: openssl-3.5.0/apps/pkeyutl.c
===================================================================
--- openssl-3.5.0.orig/apps/pkeyutl.c
+++ openssl-3.5.0/apps/pkeyutl.c
@@ -40,7 +40,7 @@ static int do_keyop(EVP_PKEY_CTX *ctx, i
 
 static int do_raw_keyop(int pkey_op, EVP_MD_CTX *mctx,
                         EVP_PKEY *pkey, BIO *in,
-                        int filesize, unsigned char *sig, int siglen,
+                        int filesize, unsigned char *sig, size_t siglen,
                         unsigned char **out, size_t *poutlen);
 
 static int only_nomd(EVP_PKEY *pkey)
@@ -133,7 +133,7 @@ int pkeyutl_main(int argc, char **argv)
     char hexdump = 0, asn1parse = 0, rev = 0, *prog;
     unsigned char *buf_in = NULL, *buf_out = NULL, *sig = NULL, *secret = NULL;
     OPTION_CHOICE o;
-    int buf_inlen = 0, siglen = -1;
+    size_t buf_inlen = 0, siglen = 0;
     int keyform = FORMAT_UNDEF, peerform = FORMAT_UNDEF;
     int keysize = -1, pkey_op = EVP_PKEY_OP_SIGN, key_type = KEY_PRIVKEY;
     int engine_impl = 0;
@@ -485,31 +485,31 @@ int pkeyutl_main(int argc, char **argv)
 
     if (sigfile != NULL) {
         BIO *sigbio = BIO_new_file(sigfile, "rb");
+        size_t maxsiglen = 16 * 1024 * 1024;
 
         if (sigbio == NULL) {
             BIO_printf(bio_err, "Can't open signature file %s\n", sigfile);
             goto end;
         }
-        siglen = bio_to_mem(&sig, keysize * 10, sigbio);
-        BIO_free(sigbio);
-        if (siglen < 0) {
+        if (!bio_to_mem(&sig, &siglen, maxsiglen, sigbio)) {
+            BIO_free(sigbio);
             BIO_printf(bio_err, "Error reading signature data\n");
             goto end;
         }
+        BIO_free(sigbio);
     }
 
     /* Raw input data is handled elsewhere */
     if (in != NULL && !rawin) {
         /* Read the input data */
-        buf_inlen = bio_to_mem(&buf_in, -1, in);
-        if (buf_inlen < 0) {
+        if (!bio_to_mem(&buf_in, &buf_inlen, 0, in)) {
             BIO_printf(bio_err, "Error reading input Data\n");
             goto end;
         }
         if (rev) {
             size_t i;
             unsigned char ctmp;
-            size_t l = (size_t)buf_inlen;
+            size_t l = buf_inlen;
 
             for (i = 0; i < l / 2; i++) {
                 ctmp = buf_in[i];
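Review bot: the signature-file bound changes from `keysize * 10` to a fixed 16MB, which is far larger than any signature for the key being used; if the old key-derived bound was dropped because `keysize` is not always known here, say so in the commit message, otherwise keep a bound tied to the key. Moving BIO_free(sigbio) after the error check is fine; both paths now free it exactly once.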
@@ -524,7 +524,8 @@ int pkeyutl_main(int argc, char **argv)
         && (pkey_op == EVP_PKEY_OP_SIGN || pkey_op == EVP_PKEY_OP_VERIFY)) {
         if (buf_inlen > EVP_MAX_MD_SIZE) {
             BIO_printf(bio_err,
-                       "Error: The non-raw input data length %d is too long - 
max supported hashed size is %d\n",
+                       "Error: The non-raw input data length %zd is too long - 
"
+                       "max supported hashed size is %d\n",
                        buf_inlen, EVP_MAX_MD_SIZE);
             goto end;
         }
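Review bot: `%zd` is the conversion for ssize_t; `buf_inlen` is now size_t, so the format should be `%zu`. The `%d` for EVP_MAX_MD_SIZE is fine, since that is an int constant.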
@@ -535,8 +536,8 @@ int pkeyutl_main(int argc, char **argv)
             rv = do_raw_keyop(pkey_op, mctx, pkey, in, filesize, sig, siglen,
                               NULL, 0);
         } else {
-            rv = EVP_PKEY_verify(ctx, sig, (size_t)siglen,
-                                 buf_in, (size_t)buf_inlen);
+            rv = EVP_PKEY_verify(ctx, sig, siglen,
+                                 buf_in, buf_inlen);
         }
         if (rv == 1) {
             BIO_puts(out, "Signature Verified Successfully\n");
@@ -555,8 +556,8 @@ int pkeyutl_main(int argc, char **argv)
             buf_outlen = kdflen;
             rv = 1;
         } else {
-            rv = do_keyop(ctx, pkey_op, NULL, (size_t *)&buf_outlen,
-                          buf_in, (size_t)buf_inlen, NULL, (size_t 
*)&secretlen);
+            rv = do_keyop(ctx, pkey_op, NULL, &buf_outlen,
+                          buf_in, buf_inlen, NULL, &secretlen);
         }
         if (rv > 0
             && (secretlen > 0 || (pkey_op != EVP_PKEY_OP_ENCAPSULATE
@@ -567,8 +568,8 @@ int pkeyutl_main(int argc, char **argv)
             if (secretlen > 0)
                 secret = app_malloc(secretlen, "secret output");
             rv = do_keyop(ctx, pkey_op,
-                          buf_out, (size_t *)&buf_outlen,
-                          buf_in, (size_t)buf_inlen, secret, (size_t 
*)&secretlen);
+                          buf_out, &buf_outlen,
+                          buf_in, buf_inlen, secret, &secretlen);
         }
     }
     if (rv <= 0) {
@@ -837,7 +838,7 @@ static int do_keyop(EVP_PKEY_CTX *ctx, i
 
 static int do_raw_keyop(int pkey_op, EVP_MD_CTX *mctx,
                         EVP_PKEY *pkey, BIO *in,
-                        int filesize, unsigned char *sig, int siglen,
+                        int filesize, unsigned char *sig, size_t siglen,
                         unsigned char **out, size_t *poutlen)
 {
     int rv = 0;
@@ -860,7 +861,7 @@ static int do_raw_keyop(int pkey_op, EVP
                 BIO_printf(bio_err, "Error reading raw input data\n");
                 goto end;
             }
-            rv = EVP_DigestVerify(mctx, sig, (size_t)siglen, mbuf, buf_len);
+            rv = EVP_DigestVerify(mctx, sig, siglen, mbuf, buf_len);
             break;
         case EVP_PKEY_OP_SIGN:
             buf_len = BIO_read(in, mbuf, filesize);
@@ -894,7 +895,7 @@ static int do_raw_keyop(int pkey_op, EVP
                 goto end;
             }
         }
-        rv = EVP_DigestVerifyFinal(mctx, sig, (size_t)siglen);
+        rv = EVP_DigestVerifyFinal(mctx, sig, siglen);
         break;
     case EVP_PKEY_OP_SIGN:
         for (;;) {

++++++ openssl-CVE-2025-66199.patch ++++++
>From 04a93ac145041e3ef0121a2688cf7c1b23780519 Mon Sep 17 00:00:00 2001
From: Igor Ustinov <[email protected]>
Date: Thu, 8 Jan 2026 14:02:54 +0100
Subject: [PATCH] Check the received uncompressed certificate length to prevent
 excessive pre-decompression allocation.

The patch was proposed by Tomas Dulka and Stanislav Fort (Aisle Research).

Fixes: CVE-2025-66199
---
 ssl/statem/statem_lib.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index 9e0c853c0d..f82d8dcdac 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -2877,6 +2877,12 @@ MSG_PROCESS_RETURN 
tls13_process_compressed_certificate(SSL_CONNECTION *sc,
         goto err;
     }
 
+    /* Prevent excessive pre-decompression allocation */
+    if (expected_length > sc->max_cert_list) {
+        SSLfatal(sc, SSL_AD_ILLEGAL_PARAMETER, SSL_R_EXCESSIVE_MESSAGE_SIZE);
+        goto err;
+    }
+
     if (PACKET_remaining(pkt) != comp_length || comp_length == 0) {
         SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_DECOMPRESSION);
         goto err;
-- 
2.51.0


++++++ openssl-CVE-2025-68160.patch ++++++
>From 701aa270db8ad424cece68702b9bb2e05290af9b Mon Sep 17 00:00:00 2001
From: Neil Horman <[email protected]>
Date: Wed, 7 Jan 2026 11:52:09 -0500
Subject: [PATCH] Fix heap buffer overflow in BIO_f_linebuffer

When a BIO_f_linebuffer is part of a bio chain, and the next BIO
performs short writes, the remainder of the unwritten buffer is copied
unconditionally to the internal buffer ctx->obuf, which may not be
sufficiently sized to handle the remaining data, resulting in a buffer
overflow.

Fix it by only copying data when ctx->obuf has space, flushing to the
next BIO to increase available storage if needed.

Fixes CVE-2025-68160
---
 crypto/bio/bf_lbuf.c | 32 ++++++++++++++++++++++++++------
 1 file changed, 26 insertions(+), 6 deletions(-)

Index: openssl-3.5.0/crypto/bio/bf_lbuf.c
===================================================================
--- openssl-3.5.0.orig/crypto/bio/bf_lbuf.c
+++ openssl-3.5.0/crypto/bio/bf_lbuf.c
@@ -186,14 +186,34 @@ static int linebuffer_write(BIO *b, cons
     while (foundnl && inl > 0);
     /*
      * We've written as much as we can.  The rest of the input buffer, if
-     * any, is text that doesn't and with a NL and therefore needs to be
-     * saved for the next trip.
+     * any, is text that doesn't end with a NL and therefore we need to try
+     * free up some space in our obuf so we can make forward progress.
      */
-    if (inl > 0) {
-        memcpy(&(ctx->obuf[ctx->obuf_len]), in, inl);
-        ctx->obuf_len += inl;
-        num += inl;
+    while (inl > 0) {
+        size_t avail = (size_t)ctx->obuf_size - (size_t)ctx->obuf_len;
+        size_t to_copy;
+
+        if (avail == 0) {
+            /* Flush buffered data to make room */
+            i = BIO_write(b->next_bio, ctx->obuf, ctx->obuf_len);
+            if (i <= 0) {
+                BIO_copy_next_retry(b);
+                return num > 0 ? num : i;
+            }
+            if (i < ctx->obuf_len)
+                memmove(ctx->obuf, ctx->obuf + i, ctx->obuf_len - i);
+            ctx->obuf_len -= i;
+            continue;
+        }
+
+        to_copy = inl > (int)avail ? avail : (size_t)inl;
+        memcpy(&(ctx->obuf[ctx->obuf_len]), in, to_copy);
+        ctx->obuf_len += (int)to_copy;
+        in += to_copy;
+        inl -= (int)to_copy;
+        num += (int)to_copy;
     }
+
     return num;
 }
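Review bot: the mixed int/size_t arithmetic in the new loop deserves a stated invariant: obuf_size and obuf_len are int while avail and to_copy are size_t, and the three (int) casts back are only safe because to_copy never exceeds avail, which never exceeds obuf_size; a one-line comment saying so would help the next reader. The flush branch's return num > 0 ? num : i after BIO_copy_next_retry(b) matches BIO retry semantics (the bytes already in ctx->obuf stay buffered and the caller's next call re-enters the flush), but that is non-obvious enough to merit a comment too. Finally, the rewritten comment reads "we need to try free up some space"; make it "try to free up".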
 

++++++ openssl-CVE-2025-69418.patch ++++++
>From 1a556ff619473af9e179b202284a961590d5a2bd Mon Sep 17 00:00:00 2001
From: Norbert Pocs <[email protected]>
Date: Thu, 8 Jan 2026 15:04:54 +0100
Subject: [PATCH] Fix OCB AES-NI/HW stream path unauthenticated/unencrypted
 trailing bytes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When ctx->stream (e.g., AES‑NI or ARMv8 CE) is available, the fast path
encrypts/decrypts full blocks but does not advance in/out pointers. The
tail-handling code then operates on the base pointers, effectively reprocessing
the beginning of the buffer while leaving the actual trailing bytes
unencrypted (encryption) or using the wrong plaintext (decryption). The
authentication checksum excludes the true tail.

CVE-2025-69418

Fixes: https://github.com/openssl/srt/issues/58

Signed-off-by: Norbert Pocs <[email protected]>
---
 crypto/modes/ocb128.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

Index: openssl-3.5.0/crypto/modes/ocb128.c
===================================================================
--- openssl-3.5.0.orig/crypto/modes/ocb128.c
+++ openssl-3.5.0/crypto/modes/ocb128.c
@@ -338,7 +338,7 @@ int CRYPTO_ocb128_encrypt(OCB128_CONTEXT
 
     if (num_blocks && all_num_blocks == (size_t)all_num_blocks
         && ctx->stream != NULL) {
-        size_t max_idx = 0, top = (size_t)all_num_blocks;
+        size_t max_idx = 0, top = (size_t)all_num_blocks, processed_bytes = 0;
 
         /*
          * See how many L_{i} entries we need to process data at hand
@@ -352,6 +352,9 @@ int CRYPTO_ocb128_encrypt(OCB128_CONTEXT
         ctx->stream(in, out, num_blocks, ctx->keyenc,
                     (size_t)ctx->sess.blocks_processed + 1, ctx->sess.offset.c,
                     (const unsigned char (*)[16])ctx->l, ctx->sess.checksum.c);
+        processed_bytes = num_blocks * 16;
+        in += processed_bytes;
+        out += processed_bytes;
     } else {
         /* Loop through all full blocks to be encrypted */
         for (i = ctx->sess.blocks_processed + 1; i <= all_num_blocks; i++) {
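Review bot: advancing in and out by num_blocks * 16 after the ctx->stream call is the substantive fix, so the tail-handling code below this hunk must now read the trailing bytes relative to the advanced pointers and not add a num_blocks-based offset of its own; that code is not in the diff, so confirm it indexes from in/out directly, otherwise the tail would be skipped twice. processed_bytes is declared in the previous hunk only to be assigned and used here, so a plain in += num_blocks * 16 would keep the change self-contained; and since the diffstat shows no test change, a regression test with a stream-capable implementation and an input length that is not a multiple of 16 would catch the original defect.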
@@ -430,7 +433,7 @@ int CRYPTO_ocb128_decrypt(OCB128_CONTEXT
 
     if (num_blocks && all_num_blocks == (size_t)all_num_blocks
         && ctx->stream != NULL) {
-        size_t max_idx = 0, top = (size_t)all_num_blocks;
+        size_t max_idx = 0, top = (size_t)all_num_blocks, processed_bytes = 0;
 
         /*
          * See how many L_{i} entries we need to process data at hand
@@ -444,6 +447,9 @@ int CRYPTO_ocb128_decrypt(OCB128_CONTEXT
         ctx->stream(in, out, num_blocks, ctx->keydec,
                     (size_t)ctx->sess.blocks_processed + 1, ctx->sess.offset.c,
                     (const unsigned char (*)[16])ctx->l, ctx->sess.checksum.c);
+        processed_bytes = num_blocks * 16;
+        in += processed_bytes;
+        out += processed_bytes;
     } else {
         OCB_BLOCK tmp;
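Review bot: this mirrors the encrypt hunk, and the else branch beginning with OCB_BLOCK tmp is the non-stream path, which was never affected. The commit message says the authentication checksum excluded the true tail, so the decrypt-side check worth making is that the tail code below, now reading from the advanced in pointer, feeds the correctly decrypted trailing plaintext into ctx->sess.checksum; a tag mismatch rather than wrong plaintext is what callers would otherwise observe.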
 

++++++ openssl-CVE-2025-69419.patch ++++++
>From 41be0f216404f14457bbf3b9cc488dba60b49296 Mon Sep 17 00:00:00 2001
From: Norbert Pocs <[email protected]>
Date: Thu, 11 Dec 2025 12:49:00 +0100
Subject: [PATCH] Check return code of UTF8_putc

Signed-off-by: Norbert Pocs <[email protected]>

Reviewed-by: Nikola Pajkovsky <[email protected]>
Reviewed-by: Viktor Dukhovni <[email protected]>
(Merged from https://github.com/openssl/openssl/pull/29376)
---
 crypto/asn1/a_strex.c   | 6 ++++--
 crypto/pkcs12/p12_utl.c | 5 +++++
 2 files changed, 9 insertions(+), 2 deletions(-)

Index: openssl-3.5.0/crypto/asn1/a_strex.c
===================================================================
--- openssl-3.5.0.orig/crypto/asn1/a_strex.c
+++ openssl-3.5.0/crypto/asn1/a_strex.c
@@ -204,8 +204,10 @@ static int do_buf(unsigned char *buf, in
             orflags = CHARTYPE_LAST_ESC_2253;
         if (type & BUF_TYPE_CONVUTF8) {
             unsigned char utfbuf[6];
-            int utflen;
-            utflen = UTF8_putc(utfbuf, sizeof(utfbuf), c);
+            int utflen = UTF8_putc(utfbuf, sizeof(utfbuf), c);
+
+            if (utflen < 0)
+                return -1; /* error happened with UTF8 */
             for (i = 0; i < utflen; i++) {
                 /*
                  * We don't need to worry about setting orflags correctly
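Review bot: returning -1 from do_buf when UTF8_putc fails is only a fix if every caller of do_buf checks for a negative result; do_buf is a static helper whose return value is accumulated as a length by its callers in a_strex.c, and a -1 summed into an output length instead of being propagated would turn the error into an off-by-one. Those call sites are outside the hunk, so confirm each one tests for < 0, or convert them in the same patch.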
Index: openssl-3.5.0/crypto/pkcs12/p12_utl.c
===================================================================
--- openssl-3.5.0.orig/crypto/pkcs12/p12_utl.c
+++ openssl-3.5.0/crypto/pkcs12/p12_utl.c
@@ -206,6 +206,11 @@ char *OPENSSL_uni2utf8(const unsigned ch
     /* re-run the loop emitting UTF-8 string */
     for (asclen = 0, i = 0; i < unilen; ) {
         j = bmp_to_utf8(asctmp+asclen, uni+i, unilen-i);
+        /* when UTF8_putc fails */
+        if (j < 0) {
+            OPENSSL_free(asctmp);
+            return NULL;
+        }
         if (j == 4) i += 4;
         else        i += 2;
         asclen += j;
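Review bot: checking j after bmp_to_utf8, freeing asctmp and returning NULL is the right cleanup, but the comment "re-run the loop emitting UTF-8 string" says this is the second pass; if the sizing pass that precedes it uses the same conversion without the same check, a negative j would silently shrink asclen and therefore the allocation. The second-pass check still prevents the write because the failure repeats at the same position, but rejecting the input in the counting pass avoids the allocation altogether and makes the control flow obvious.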

++++++ openssl-CVE-2025-69420.patch ++++++
>From 6453d278557c8719233793730ec500c84aea55d9 Mon Sep 17 00:00:00 2001
From: Bob Beck <[email protected]>
Date: Wed, 7 Jan 2026 11:29:48 -0700
Subject: [PATCH] Verify ASN1 object's types before attempting to access them
 as a particular type

Issue was reported in ossl_ess_get_signing_cert but is also present in
ossl_ess_get_signing_cert_v2.

Fixes: https://github.com/openssl/srt/issues/61
Fixes CVE-2025-69420
---
 crypto/ts/ts_rsp_verify.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c
index 3876e30f47..40dab687d1 100644
--- a/crypto/ts/ts_rsp_verify.c
+++ b/crypto/ts/ts_rsp_verify.c
@@ -209,7 +209,7 @@ static ESS_SIGNING_CERT *ossl_ess_get_signing_cert(const 
PKCS7_SIGNER_INFO *si)
     const unsigned char *p;
 
     attr = PKCS7_get_signed_attribute(si, NID_id_smime_aa_signingCertificate);
-    if (attr == NULL)
+    if (attr == NULL || attr->type != V_ASN1_SEQUENCE)
         return NULL;
     p = attr->value.sequence->data;
     return d2i_ESS_SIGNING_CERT(NULL, &p, attr->value.sequence->length);
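Review bot: the V_ASN1_SEQUENCE check stops attr->value.sequence from being read through a differently-typed ASN1_TYPE union member, which is the type confusion being fixed, but returning NULL makes a mistyped attribute indistinguishable from an absent one for the caller; an ERR_raise with a decode reason before the return would let TS_RESP_verify_response report a malformed token rather than a missing signing certificate. The same applies to the v2 hunk below.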
@@ -221,7 +221,7 @@ static ESS_SIGNING_CERT_V2 
*ossl_ess_get_signing_cert_v2(const PKCS7_SIGNER_INFO
     const unsigned char *p;
 
     attr = PKCS7_get_signed_attribute(si, 
NID_id_smime_aa_signingCertificateV2);
-    if (attr == NULL)
+    if (attr == NULL || attr->type != V_ASN1_SEQUENCE)
         return NULL;
     p = attr->value.sequence->data;
     return d2i_ESS_SIGNING_CERT_V2(NULL, &p, attr->value.sequence->length);
-- 
2.51.0


++++++ openssl-CVE-2025-69421.patch ++++++
>From 0a2ecb95993b588d2156dd6527459cc3983aabd5 Mon Sep 17 00:00:00 2001
From: Andrew Dinh <[email protected]>
Date: Thu, 8 Jan 2026 01:24:30 +0900
Subject: [PATCH] Add NULL check to PKCS12_item_decrypt_d2i_ex

Address CVE-2025-69421

Add NULL check for oct parameter
---
 crypto/pkcs12/p12_decr.c | 5 +++++
 1 file changed, 5 insertions(+)

Index: openssl-3.5.0/crypto/pkcs12/p12_decr.c
===================================================================
--- openssl-3.5.0.orig/crypto/pkcs12/p12_decr.c
+++ openssl-3.5.0/crypto/pkcs12/p12_decr.c
@@ -143,6 +143,11 @@ void *PKCS12_item_decrypt_d2i_ex(const X
     void *ret;
     int outlen = 0;
 
+    if (oct == NULL) {
+        ERR_raise(ERR_LIB_PKCS12, ERR_R_PASSED_NULL_PARAMETER);
+        return NULL;
+    }
+
     if (!PKCS12_pbe_crypt_ex(algor, pass, passlen, oct->data, oct->length,
                              &out, &outlen, 0, libctx, propq))
         return NULL;
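Review bot: the NULL check is correct (oct->data is dereferenced two lines later), but ERR_R_PASSED_NULL_PARAMETER describes API misuse, whereas here a NULL oct arises from parsed PKCS#12 input in which the encrypted content octet string is absent, so a PKCS12-library decode reason would give users diagnosing a malformed file a more useful error. The diffstat shows one file changed, so no test accompanies the fix.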

++++++ openssl-CVE-2025-9230.patch ++++++
>From eb7ca9504a1b9ba7ed50140fc5b81e1e5e9adf59 Mon Sep 17 00:00:00 2001
From: Viktor Dukhovni <[email protected]>
Date: Thu, 11 Sep 2025 18:10:12 +0200
Subject: [PATCH] kek_unwrap_key(): Fix incorrect check of unwrapped key size

Fixes CVE-2025-9230

The check is off by 8 bytes so it is possible to overread by
up to 8 bytes and overwrite up to 4 bytes.
---
 crypto/cms/cms_pwri.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/cms/cms_pwri.c b/crypto/cms/cms_pwri.c
index 106bd98dc7..ba8646f93c 100644
--- a/crypto/cms/cms_pwri.c
+++ b/crypto/cms/cms_pwri.c
@@ -243,7 +243,7 @@ static int kek_unwrap_key(unsigned char *out, size_t 
*outlen,
         /* Check byte failure */
         goto err;
     }
-    if (inlen < (size_t)(tmp[0] - 4)) {
+    if (inlen < 4 + (size_t)tmp[0]) {
         /* Invalid length value */
         goto err;
     }
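Review bot: the corrected condition inlen < 4 + (size_t)tmp[0] requires the unwrapped buffer to hold the 4-byte header plus the key length given in tmp[0]; the old expression (size_t)(tmp[0] - 4) went the other way (inlen only had to cover tmp[0] - 4 bytes, which is the 8-byte gap the message describes), and for tmp[0] < 4 its negative int converted to a huge size_t and failed the check by accident rather than by design. Worth adding in the same patch: a comment giving the wrapped-key layout (length byte, 3 check bytes, key) and a check that tmp[0] also fits the caller's out buffer via *outlen, since the visible condition only bounds inlen.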
-- 
2.51.0


++++++ openssl-CVE-2025-9231.patch ++++++
>From d874cbd603bb1b254cfe212797f18fc7cdb7cc52 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <[email protected]>
Date: Thu, 11 Sep 2025 18:40:34 +0200
Subject: [PATCH] SM2: Use constant time modular inversion

Fixes CVE-2025-9231

Issue and a proposed fix reported by Stanislav Fort (Aisle Research).
---
 crypto/ec/ecp_sm2p256.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/crypto/ec/ecp_sm2p256.c b/crypto/ec/ecp_sm2p256.c
index aabe74b6e4..d75230a651 100644
--- a/crypto/ec/ecp_sm2p256.c
+++ b/crypto/ec/ecp_sm2p256.c
@@ -747,7 +747,7 @@ const EC_METHOD *EC_GFp_sm2p256_method(void)
         ossl_ec_GFp_simple_point_copy,
         ossl_ec_GFp_simple_point_set_to_infinity,
         ossl_ec_GFp_simple_point_set_affine_coordinates,
-        ecp_sm2p256_get_affine,
+        ossl_ec_GFp_simple_point_get_affine_coordinates,
         0, 0, 0,
         ossl_ec_GFp_simple_add,
         ossl_ec_GFp_simple_dbl,
@@ -763,7 +763,7 @@ const EC_METHOD *EC_GFp_sm2p256_method(void)
         ecp_sm2p256_field_mul,
         ecp_sm2p256_field_sqr,
         0 /* field_div */,
-        0 /* field_inv */,
+        ossl_ec_GFp_simple_field_inv,
         0 /* field_encode */,
         0 /* field_decode */,
         0 /* field_set_to_one */,
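Review bot: pointing field_inv at ossl_ec_GFp_simple_field_inv instead of leaving it 0 means the method now supplies a field inversion, which the generic ossl_ec_GFp_simple_point_get_affine_coordinates entry installed in the previous hunk needs; the two hunks are therefore a unit and should be reviewed, and if ever reverted, together.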
@@ -779,7 +779,7 @@ const EC_METHOD *EC_GFp_sm2p256_method(void)
         ossl_ecdsa_simple_sign_setup,
         ossl_ecdsa_simple_sign_sig,
         ossl_ecdsa_simple_verify_sig,
-        ecp_sm2p256_inv_mod_ord,
+        0, /* use constant‑time fallback for inverse mod order */
         0, /* blind_coordinates */
         0, /* ladder_pre */
         0, /* ladder_step */
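Review bot: clearing the inverse-mod-order slot (0 with the "constant-time fallback" comment) makes signing use the library's generic inverse modulo the group order instead of ecp_sm2p256_inv_mod_ord; since the diffstat is 3 insertions and 3 deletions, ecp_sm2p256_get_affine and ecp_sm2p256_inv_mod_ord remain defined in the file but are now unreferenced, which will trip -Wunused-function builds if they are static. Either remove them in this patch or say why they stay, and note the performance trade-off in the commit message, since speed was the reason for the specialised routines.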
-- 
2.51.0


++++++ openssl-CVE-2025-9232.patch ++++++
>From b8427e03e06c5ffde63f2231b7c0663b4c2510cd Mon Sep 17 00:00:00 2001
From: Tomas Mraz <[email protected]>
Date: Thu, 11 Sep 2025 18:43:55 +0200
Subject: [PATCH] use_proxy(): Add missing terminating NUL byte

Fixes CVE-2025-9232

There is a missing terminating NUL byte after strncpy() call.
Issue and a proposed fix reported by Stanislav Fort (Aisle Research).
---
 crypto/http/http_lib.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/crypto/http/http_lib.c b/crypto/http/http_lib.c
index fcf8a69e07..022b8c194c 100644
--- a/crypto/http/http_lib.c
+++ b/crypto/http/http_lib.c
@@ -263,6 +263,7 @@ static int use_proxy(const char *no_proxy, const char 
*server)
         /* strip leading '[' and trailing ']' from escaped IPv6 address */
         sl -= 2;
         strncpy(host, server + 1, sl);
+        host[sl] = '\0';
         server = host;
     }
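Review bot: host[sl] = '\0' is needed because strncpy() does not terminate when it copies exactly sl bytes, but the fix is only safe if host has room for sl + 1 bytes; sl is derived from the server string (sl -= 2 after stripping the brackets) and the declaration of host is outside the hunk, so confirm host is sized from the same length plus one. A memcpy of sl bytes followed by the explicit terminator would state the intent more plainly than strncpy here.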
 
-- 
2.51.0


++++++ openssl-CVE-2026-22795.patch ++++++
>From 572844beca95068394c916626a6d3a490f831a49 Mon Sep 17 00:00:00 2001
From: Bob Beck <[email protected]>
Date: Wed, 7 Jan 2026 11:29:48 -0700
Subject: [PATCH] Ensure ASN1 types are checked before use.

Some of these were fixed by LibreSSL in commit
https://github.com/openbsd/src/commit/aa1f637d454961d22117b4353f98253e984b3ba8;
this fix includes the other fixes in that commit, as well as fixes for others
found by a scan for a similar unvalidated access paradigm in the tree.

Reviewed-by: Kurt Roeckx <[email protected]>
Reviewed-by: Shane Lontis <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from https://github.com/openssl/openssl/pull/29582)
---
 apps/s_client.c          |  3 ++-
 crypto/pkcs12/p12_kiss.c | 10 ++++++++--
 crypto/pkcs7/pk7_doit.c  |  2 ++
 3 files changed, 12 insertions(+), 3 deletions(-)

Index: openssl-3.5.0/apps/s_client.c
===================================================================
--- openssl-3.5.0.orig/apps/s_client.c
+++ openssl-3.5.0/apps/s_client.c
@@ -2834,8 +2834,9 @@ int s_client_main(int argc, char **argv)
                 goto end;
             }
             atyp = ASN1_generate_nconf(genstr, cnf);
-            if (atyp == NULL) {
+            if (atyp == NULL || atyp->type != V_ASN1_SEQUENCE) {
                 NCONF_free(cnf);
+                ASN1_TYPE_free(atyp);
                 BIO_printf(bio_err, "ASN1_generate_nconf failed\n");
                 goto end;
             }
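Review bot: ASN1_TYPE_free(atyp) in the error path relies on the free function accepting NULL, which OpenSSL's *_free functions do, so the combined atyp == NULL || atyp->type != V_ASN1_SEQUENCE condition leaks nothing. The message "ASN1_generate_nconf failed" is now also printed when generation succeeded but the genstr input produced something other than a SEQUENCE; a distinct message for that case would save users a confusing diagnosis.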
Index: openssl-3.5.0/crypto/pkcs12/p12_kiss.c
===================================================================
--- openssl-3.5.0.orig/crypto/pkcs12/p12_kiss.c
+++ openssl-3.5.0/crypto/pkcs12/p12_kiss.c
@@ -197,11 +197,17 @@ static int parse_bag(PKCS12_SAFEBAG *bag
     ASN1_BMPSTRING *fname = NULL;
     ASN1_OCTET_STRING *lkid = NULL;
 
-    if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_friendlyName)))
+    if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_friendlyName))) {
+        if (attrib->type != V_ASN1_BMPSTRING)
+            return 0;
         fname = attrib->value.bmpstring;
+    }
 
-    if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_localKeyID)))
+    if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_localKeyID))) {
+        if (attrib->type != V_ASN1_OCTET_STRING)
+            return 0;
         lkid = attrib->value.octet_string;
+    }
 
     switch (PKCS12_SAFEBAG_get_nid(bag)) {
     case NID_keyBag:
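Review bot: returning 0 from parse_bag when friendlyName is not a BMPSTRING or localKeyID is not an OCTET STRING turns the type confusion into a parse failure, but without an ERR_raise the caller only sees a bare failure; raising an ERR_LIB_PKCS12 decode reason at both new return 0 sites would match how other malformed-bag cases are reported. This is also stricter than before for files whose mistyped attributes were previously accepted silently, which the commit message should mention.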
Index: openssl-3.5.0/crypto/pkcs7/pk7_doit.c
===================================================================
--- openssl-3.5.0.orig/crypto/pkcs7/pk7_doit.c
+++ openssl-3.5.0/crypto/pkcs7/pk7_doit.c
@@ -1228,6 +1228,8 @@ ASN1_OCTET_STRING *PKCS7_digest_from_att
     ASN1_TYPE *astype;
     if ((astype = get_attribute(sk, NID_pkcs9_messageDigest)) == NULL)
         return NULL;
+    if (astype->type != V_ASN1_OCTET_STRING)
+        return NULL;
     return astype->value.octet_string;
 }
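Review bot: PKCS7_digest_from_attributes now returns NULL for a messageDigest attribute of the wrong type, the same value it returns when the attribute is absent; that is safe for verification, since callers treating NULL as "no digest" fail closed, but it loses the distinction in error reporting, so an ERR_raise before the new return NULL would be worthwhile.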
 
