Your message dated Thu, 31 Jul 2025 17:40:44 +0000
with message-id <[email protected]>
and subject line unblock jose
has caused the Debian Bug report #1110165,
regarding unblock: jose/14-2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1110165: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110165
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:jose
User: [email protected]
Usertags: unblock
Please unblock package jose
It only contains one bugfix (adding a NULL pointer check).
unblock jose/14-2
diffstat for jose-14 jose-14

 changelog                                                                                                                  |  6 +
 patches/cherry-picked/1752063697.v14-7-g5aaaaf6.openssl-handle-null-in-jose-openssl-jwk-from-ec-key-gracefully-172.patch | 33 ++++++++++
 patches/series                                                                                                             |  1 +
 3 files changed, 40 insertions(+)
diff -Nru jose-14/debian/changelog jose-14/debian/changelog
--- jose-14/debian/changelog 2024-08-10 19:16:54.000000000 +0300
+++ jose-14/debian/changelog 2025-07-10 19:04:11.000000000 +0300
@@ -1,3 +1,9 @@
+jose (14-2) unstable; urgency=high
+
+ * Cherry-pick fix to handle possible Null pointer gracefully
+
+ -- Christoph Biedl <[email protected]> Thu, 10 Jul 2025
18:04:11 +0200
+
jose (14-1) unstable; urgency=medium
* New upstream version 14
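Review bot: the changelog entry at the top of this hunk does not identify the fix it cherry-picks; with urgency=high, reviewers and the release team benefit from a pointer to the upstream issue and commit that the patch header already carries, e.g. "Cherry-pick upstream fix (commit v14-7-g5aaaaf6, issue #172) to handle a NULL EC_KEY pointer gracefully". The capitalisation "Null" should also be "NULL" to match the patch subject.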
diff -Nru jose-14/debian/patches/cherry-picked/1752063697.v14-7-g5aaaaf6.openssl-handle-null-in-jose-openssl-jwk-from-ec-key-gracefully-172.patch jose-14/debian/patches/cherry-picked/1752063697.v14-7-g5aaaaf6.openssl-handle-null-in-jose-openssl-jwk-from-ec-key-gracefully-172.patch
--- jose-14/debian/patches/cherry-picked/1752063697.v14-7-g5aaaaf6.openssl-handle-null-in-jose-openssl-jwk-from-ec-key-gracefully-172.patch 1970-01-01 02:00:00.000000000 +0200
+++ jose-14/debian/patches/cherry-picked/1752063697.v14-7-g5aaaaf6.openssl-handle-null-in-jose-openssl-jwk-from-ec-key-gracefully-172.patch 2025-07-10 19:04:11.000000000 +0300
@@ -0,0 +1,33 @@
+Subject: Openssl: handle NULL in jose_openssl_jwk_from_EC_KEY gracefully (#172)
+Origin: upstream, commit v14-7-g5aaaaf6
<https://github.com/latchset/jose/commit/v14-7-g5aaaaf6>
+Author: Ahmad Fatoum <[email protected]>
+Date: Wed Jul 9 14:21:37 2025 +0200
+
+ We already check that the RSA *key is not NULL in
+ jose_openssl_jwk_from_RSA(), but fail to do so for EC_KEY *key in
+ jose_openssl_jwk_from_EC_KEY().
+
+ But EVP_PKEY_get0_EC_KEY() can return NULL too, e.g., if
+ the EVP_PKEY comes from an OpenSSL provider that is not creating a
+ keymgmt instance for a public key and the default provider is not
+ loaded[1].
+
+ Instead of crashing inside OpenSSL when we pass a NULL pointer to
+ EC_KEY_get0_private_key(), detect this case and return gracefully.
+
+ [1]: https://github.com/openssl/openssl/discussions/25679
+
+ Signed-off-by: Ahmad Fatoum <[email protected]>
+
+--- a/lib/openssl/jwk.c
++++ b/lib/openssl/jwk.c
+@@ -140,6 +140,9 @@
+ json_t *
+ jose_openssl_jwk_from_EC_KEY(jose_cfg_t *cfg, const EC_KEY *key)
+ {
++ if (!key)
++ return NULL;
++
+ return jose_openssl_jwk_from_EC_POINT(
+ cfg,
+ EC_KEY_get0_group(key),
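Review bot: the added `if (!key) return NULL;` guard at the top of jose_openssl_jwk_from_EC_KEY() is placed correctly, before the only dereference visible in the hunk (EC_KEY_get0_group(key) in the forwarded call), and it mirrors the existing check the description cites for jose_openssl_jwk_from_RSA(). Two things worth confirming before unblocking: that every caller already treats a NULL return from this function as a failure rather than an empty key, since the guard now turns what was a crash into a silent NULL; and whether the project's convention is to report the condition through the jose_cfg_t cfg argument (the function receives it, the guard does not use it), because a silent NULL from a provider-backed EVP_PKEY is harder to diagnose than a logged one. Neither point changes the correctness of the one-line fix itself.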
diff -Nru jose-14/debian/patches/series jose-14/debian/patches/series
--- jose-14/debian/patches/series 2024-06-19 23:31:56.000000000 +0300
+++ jose-14/debian/patches/series 2025-07-10 19:04:11.000000000 +0300
@@ -1,5 +1,6 @@
# cherry-picked commits. Keep in upstream's chronological order
+cherry-picked/1752063697.v14-7-g5aaaaf6.openssl-handle-null-in-jose-openssl-jwk-from-ec-key-gracefully-172.patch
# patches for upstream
--- End Message ---
--- Begin Message ---
Unblocked jose.
--- End Message ---