From d9f9880be938e5619487dcf494e51cc80b630fc4 Mon Sep 17 00:00:00 2001
From: Kanishk Bansal
Date: Mon, 20 Apr 2026 19:34:00 +0000
Subject: [PATCH] Patch openssl for multiple Null Deref
---
 ...ence-When-Delta-CRL-Lacks-CRL-Number.patch | 33 ++++++
 ...L-deref-in-ec-dh_cms_set_shared_info.patch | 107 ++++++++++++++++++
 ....1-Fix-NULL-deref-in-rsa_cms_decrypt.patch | 88 ++++++++++++++
 ...should-X509_free-on-mcert-instead-of.patch | 32 ++++++
 SPECS/openssl/openssl.spec | 12 +-
 .../manifests/package/pkggen_core_aarch64.txt | 10 +-
 .../manifests/package/pkggen_core_x86_64.txt | 10 +-
 .../manifests/package/toolchain_aarch64.txt | 12 +-
 .../manifests/package/toolchain_x86_64.txt | 12 +-
 9 files changed, 293 insertions(+), 23 deletions(-)
 create mode 100644 SPECS/openssl/openssl-1.1.1-Fix-NULL-Dereference-When-Delta-CRL-Lacks-CRL-Number.patch
 create mode 100644 SPECS/openssl/openssl-1.1.1-Fix-NULL-deref-in-ec-dh_cms_set_shared_info.patch
 create mode 100644 SPECS/openssl/openssl-1.1.1-Fix-NULL-deref-in-rsa_cms_decrypt.patch
 create mode 100644 SPECS/openssl/openssl-1.1.1-dane_match_cert-should-X509_free-on-mcert-instead-of.patch
diff --git a/SPECS/openssl/openssl-1.1.1-Fix-NULL-Dereference-When-Delta-CRL-Lacks-CRL-Number.patch b/SPECS/openssl/openssl-1.1.1-Fix-NULL-Dereference-When-Delta-CRL-Lacks-CRL-Number.patch
new file mode 100644
index 00000000000..648e4f37786
--- /dev/null
+++ b/SPECS/openssl/openssl-1.1.1-Fix-NULL-Dereference-When-Delta-CRL-Lacks-CRL-Number.patch
@@ -0,0 +1,33 @@
+From a1c1ce6a37d05e0a70d463667a199c2a9c772680 Mon Sep 17 00:00:00 2001
+From: Alexandr Nedvedicky
+Date: Wed, 25 Mar 2026 11:15:05 +0100
+Subject: [PATCH 02/11] Fix NULL Dereference When Delta CRL Lacks CRL Number
+ Extension
+
+Fixes: CVE-2026-28388
+Resolves: https://github.com/openssl/srt/issues/77
+Co-Authored-by: Igor Morgenstern
+
+Reviewed-by: Eugene Syromiatnikov
+Reviewed-by: Tomas Mraz
+MergeDate: Tue Apr 7 12:13:20 2026
+---
+ crypto/x509/x509_vfy.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
+index bc46ae8352..ea51bb28f5 100644
+--- a/crypto/x509/x509_vfy.c
++++ b/crypto/x509/x509_vfy.c
+@@ -1136,6 +1136,8 @@ static int check_delta_base(X509_CRL *delta, X509_CRL *base)
+ if (ASN1_INTEGER_cmp(delta->base_crl_number, base->crl_number) > 0)
+ return 0;
+ /* Delta CRL number must exceed full CRL number */
++ if (delta->crl_number == NULL)
++ return 0;
+ if (ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0)
+ return 1;
+ return 0;
+--
+2.45.4
+
diff --git a/SPECS/openssl/openssl-1.1.1-Fix-NULL-deref-in-ec-dh_cms_set_shared_info.patch b/SPECS/openssl/openssl-1.1.1-Fix-NULL-deref-in-ec-dh_cms_set_shared_info.patch
new file mode 100644
index 00000000000..86529e82cf8
--- /dev/null
+++ b/SPECS/openssl/openssl-1.1.1-Fix-NULL-deref-in-ec-dh_cms_set_shared_info.patch
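Review bot: The new `delta->crl_number == NULL` guard in check_delta_base() sits between the existing comment `/* Delta CRL number must exceed full CRL number */` and the comparison that comment describes, so the comment now reads as if it documents the NULL check. I would give the guard its own comment, `/* Delta CRL must carry a CRL number */`, and move the existing comment down to the `ASN1_INTEGER_cmp(delta->crl_number, base->crl_number)` line. The comparison just above still dereferences `delta->base_crl_number` and `base->crl_number`; their NULL checks are presumably earlier in the function, which starts outside this hunk, and are worth confirming against the 1.1.1k tree this backport is applied to.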
@@ -0,0 +1,107 @@
+From 114e959f0405ae860a4b4f95f7a12e60afc8843a Mon Sep 17 00:00:00 2001
+From: Neil Horman
+Date: Wed, 25 Mar 2026 11:11:02 +0100
+Subject: [PATCH 03/11] Fix NULL deref in [ec]dh_cms_set_shared_info
+
+Multiple independent reports indicated a SIGSEGV was possible in CMS
+processing when a crafted CMS EnvelopedData message using A Key
+Agreement Recipient Info field. If the
+KeyEncryptionAlgorithmIdentifier omits the optional parameter field, the
+referenced functions above will attempt to dereference the
+alg->parameter data prior to checking if the parameter field is NULL.
+
+Confirmed to resolve the issues using the reproducers provided in the
+security reports.
+
+Fixes: CVE-2026-28389
+Co-authored-by: Tomas Mraz
+
+Reviewed-by: Eugene Syromiatnikov
+Reviewed-by: Tomas Mraz
+MergeDate: Tue Apr 7 12:26:51 2026
+---
+ crypto/dh/dh_ameth.c | 13 +++++++++----
+ crypto/ec/ec_ameth.c | 16 ++++++++++++----
+ 2 files changed, 21 insertions(+), 8 deletions(-)
+
+diff --git a/crypto/dh/dh_ameth.c b/crypto/dh/dh_ameth.c
+index 576409ccb5..6615cb9837 100644
+--- a/crypto/dh/dh_ameth.c
++++ b/crypto/dh/dh_ameth.c
+@@ -681,15 +681,20 @@ static int dh_cms_set_shared_info(EVP_PKEY_CTX *pctx, CMS_RecipientInfo *ri)
+ int keylen, plen;
+ const EVP_CIPHER *kekcipher;
+ EVP_CIPHER_CTX *kekctx;
++ const ASN1_OBJECT *aoid;
++ const void *parameter = NULL;
++ int ptype = 0;
+
+ if (!CMS_RecipientInfo_kari_get0_alg(ri, &alg, &ukm))
+ goto err;
+
++ X509_ALGOR_get0(&aoid, &ptype, ¶meter, alg);
++
+ /*
+ * For DH we only have one OID permissible. If ever any more get defined
+ * we will need something cleverer.
+ */
+- if (OBJ_obj2nid(alg->algorithm) != NID_id_smime_alg_ESDH) {
++ if (OBJ_obj2nid(aoid) != NID_id_smime_alg_ESDH) {
+ DHerr(DH_F_DH_CMS_SET_SHARED_INFO, DH_R_KDF_PARAMETER_ERROR);
+ goto err;
+ }
+@@ -700,11 +705,11 @@ static int dh_cms_set_shared_info(EVP_PKEY_CTX *pctx, CMS_RecipientInfo *ri)
+ if (EVP_PKEY_CTX_set_dh_kdf_md(pctx, EVP_sha1()) <= 0)
+ goto err;
+
+- if (alg->parameter->type != V_ASN1_SEQUENCE)
++ if (ptype != V_ASN1_SEQUENCE)
+ goto err;
+
+- p = alg->parameter->value.sequence->data;
+- plen = alg->parameter->value.sequence->length;
++ p = ASN1_STRING_get0_data(parameter);
++ plen = ASN1_STRING_length(parameter);
+ kekalg = d2i_X509_ALGOR(NULL, &p, plen);
+ if (!kekalg)
+ goto err;
+diff --git a/crypto/ec/ec_ameth.c b/crypto/ec/ec_ameth.c
+index 5a63590a9f..597d0311b5 100644
+--- a/crypto/ec/ec_ameth.c
++++ b/crypto/ec/ec_ameth.c
+@@ -749,20 +749,28 @@ static int ecdh_cms_set_shared_info(EVP_PKEY_CTX *pctx, CMS_RecipientInfo *ri)
+ int plen, keylen;
+ const EVP_CIPHER *kekcipher;
+ EVP_CIPHER_CTX *kekctx;
++ const ASN1_OBJECT *aoid = NULL;
++ int ptype = 0;
++ const void *parameter = NULL;
+
+ if (!CMS_RecipientInfo_kari_get0_alg(ri, &alg, &ukm))
+ return 0;
+
+- if (!ecdh_cms_set_kdf_param(pctx, OBJ_obj2nid(alg->algorithm))) {
++ if (alg->parameter == NULL)
++ return 0;
++
++ X509_ALGOR_get0(&aoid, &ptype, ¶meter, alg);
++
++ if (!ecdh_cms_set_kdf_param(pctx, OBJ_obj2nid(aoid))) {
+ ECerr(EC_F_ECDH_CMS_SET_SHARED_INFO, EC_R_KDF_PARAMETER_ERROR);
+ return 0;
+ }
+
+- if (alg->parameter->type != V_ASN1_SEQUENCE)
++ if (ptype != V_ASN1_SEQUENCE)
+ return 0;
+
+- p = alg->parameter->value.sequence->data;
+- plen = alg->parameter->value.sequence->length;
++ p = ASN1_STRING_get0_data(parameter);
++ plen = ASN1_STRING_length(parameter);
+ kekalg = d2i_X509_ALGOR(NULL, &p, plen);
+ if (!kekalg)
+ goto err;
+--
+2.45.4
+
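Review bot: dh_cms_set_shared_info() and ecdh_cms_set_shared_info() reject a missing parameter in two different ways: the EC hunk adds an explicit `if (alg->parameter == NULL) return 0;`, while the DH hunks have no such check and depend on X509_ALGOR_get0() reporting `V_ASN1_UNDEF` in `ptype` so that `if (ptype != V_ASN1_SEQUENCE)` fails. That dependency is not visible at the call site; I would add `/* ptype is V_ASN1_UNDEF when the parameter is absent, so this also rejects a missing parameter */` above the DH check. The new EC early return also puts nothing on the error queue, so a malformed KeyAgreeRecipientInfo is rejected there without a diagnostic; `ECerr(EC_F_ECDH_CMS_SET_SHARED_INFO, EC_R_KDF_PARAMETER_ERROR);` before the return would match the branch below it. The `¶meter` argument in both X509_ALGOR_get0() calls (and in the rsa_cms_decrypt patch) looks like `&parameter` mangled by entity decoding on this page; confirm the committed patch files carry `&parameter`. Both functions begin and end outside the hunks.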
diff --git a/SPECS/openssl/openssl-1.1.1-Fix-NULL-deref-in-rsa_cms_decrypt.patch b/SPECS/openssl/openssl-1.1.1-Fix-NULL-deref-in-rsa_cms_decrypt.patch
new file mode 100644
index 00000000000..41d8e449e89
--- /dev/null
+++ b/SPECS/openssl/openssl-1.1.1-Fix-NULL-deref-in-rsa_cms_decrypt.patch
@@ -0,0 +1,88 @@
+From ac48e58ee5824062a320b81b4ef81e9b95dd9245 Mon Sep 17 00:00:00 2001
+From: Neil Horman
+Date: Tue, 7 Apr 2026 08:33:33 +0200
+Subject: [PATCH 05/11] Fix NULL deref in rsa_cms_decrypt
+
+Very simmilar to CVE-2026-28389, ensure that if we are missing
+parameters in RSA-OAEP SourceFunc in CMS KeyTransportRecipientInfo,
+we don't segfault when decrypting.
+
+Fixes: CVE-2026-28390
+Co-authored-by: Tomas Mraz
+
+Reviewed-by: Eugene Syromiatnikov
+Reviewed-by: Tomas Mraz
+MergeDate: Tue Apr 7 12:26:54 2026
+---
+ crypto/rsa/rsa_ameth.c | 30 ++++++++++++++++++++----------
+ 1 file changed, 20 insertions(+), 10 deletions(-)
+
+diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
+index 00ed9820b0..b06b106ad1 100644
+--- a/crypto/rsa/rsa_ameth.c
++++ b/crypto/rsa/rsa_ameth.c
+@@ -922,10 +922,13 @@ static int rsa_cms_decrypt(CMS_RecipientInfo *ri)
+ X509_ALGOR *cmsalg;
+ int nid;
+ int rv = -1;
+- unsigned char *label = NULL;
++ const unsigned char *label = NULL;
+ int labellen = 0;
+ const EVP_MD *mgf1md = NULL, *md = NULL;
+ RSA_OAEP_PARAMS *oaep;
++ const ASN1_OBJECT *aoid;
++ const void *parameter = NULL;
++ int ptype = 0;
+
+ pkctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
+ if (pkctx == NULL)
+@@ -955,21 +958,19 @@ static int rsa_cms_decrypt(CMS_RecipientInfo *ri)
+ goto err;
+
+ if (oaep->pSourceFunc != NULL) {
+- X509_ALGOR *plab = oaep->pSourceFunc;
++ X509_ALGOR_get0(&aoid, &ptype, ¶meter, oaep->pSourceFunc);
+
+- if (OBJ_obj2nid(plab->algorithm) != NID_pSpecified) {
++ if (OBJ_obj2nid(aoid) != NID_pSpecified) {
+ RSAerr(RSA_F_RSA_CMS_DECRYPT, RSA_R_UNSUPPORTED_LABEL_SOURCE);
+ goto err;
+ }
+- if (plab->parameter->type != V_ASN1_OCTET_STRING) {
++ if (ptype != V_ASN1_OCTET_STRING) {
+ RSAerr(RSA_F_RSA_CMS_DECRYPT, RSA_R_INVALID_LABEL);
+ goto err;
+ }
+
+- label = plab->parameter->value.octet_string->data;
+- /* Stop label being freed when OAEP parameters are freed */
+- plab->parameter->value.octet_string->data = NULL;
+- labellen = plab->parameter->value.octet_string->length;
++ label = ASN1_STRING_get0_data(parameter);
++ labellen = ASN1_STRING_length(parameter);
+ }
+
+ if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_OAEP_PADDING) <= 0)
+@@ -978,8 +979,17 @@ static int rsa_cms_decrypt(CMS_RecipientInfo *ri)
+ goto err;
+ if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md) <= 0)
+ goto err;
+- if (EVP_PKEY_CTX_set0_rsa_oaep_label(pkctx, label, labellen) <= 0)
+- goto err;
++ if (label != NULL) {
++ unsigned char *dup_label = OPENSSL_memdup(label, labellen);
++
++ if (dup_label == NULL)
++ goto err;
++
++ if (EVP_PKEY_CTX_set0_rsa_oaep_label(pkctx, dup_label, labellen) <= 0) {
++ OPENSSL_free(dup_label);
++ goto err;
++ }
++ }
+ /* Carry on */
+ rv = 1;
+
+--
+2.45.4
+
diff --git a/SPECS/openssl/openssl-1.1.1-dane_match_cert-should-X509_free-on-mcert-instead-of.patch b/SPECS/openssl/openssl-1.1.1-dane_match_cert-should-X509_free-on-mcert-instead-of.patch
new file mode 100644
index 00000000000..fd2241840d3
--- /dev/null
+++ b/SPECS/openssl/openssl-1.1.1-dane_match_cert-should-X509_free-on-mcert-instead-of.patch
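Review bot: In the last rsa_cms_decrypt() hunk, `if (label != NULL)` lets a present but zero-length label through to `OPENSSL_memdup(label, labellen)`, and as far as I can tell a zero-byte request comes back NULL from the OpenSSL allocator, so an explicitly encoded empty pSpecified label would take `goto err` where the old code passed it on to EVP_PKEY_CTX_set0_rsa_oaep_label(). If that holds for the 1.1.1k allocator, the guard should be `if (label != NULL && labellen > 0) {`, which leaves the context on its default empty label. A short comment on the duplication would help too, e.g. `/* set0 takes ownership, so hand it a copy; the OAEP params keep theirs */`, since the removed lines made that ownership explicit. The function starts and ends outside these hunks.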
@@ -0,0 +1,32 @@
+From cd99a872da3ede64ee848f4a937c310454241c2c Mon Sep 17 00:00:00 2001
+From: Alexandr Nedvedicky
+Date: Wed, 25 Mar 2026 12:04:19 +0100
+Subject: [PATCH 01/11] dane_match_cert() should X509_free() on mcert instead
+ of OPENSSL_free()
+
+Fixes: 170b735820ac "DANE support for X509_verify_cert()"
+Fixes: CVE-2026-28387
+
+Reviewed-by: Eugene Syromiatnikov
+Reviewed-by: Tomas Mraz
+MergeDate: Tue Apr 7 12:08:19 2026
+---
+ crypto/x509/x509_vfy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
+index 66b532a165..bc46ae8352 100644
+--- a/crypto/x509/x509_vfy.c
++++ b/crypto/x509/x509_vfy.c
+@@ -2761,7 +2761,7 @@ static int dane_match(X509_STORE_CTX *ctx, X509 *cert, int depth)
+ if (matched || dane->mdpth < 0) {
+ dane->mdpth = depth;
+ dane->mtlsa = t;
+- OPENSSL_free(dane->mcert);
++ X509_free(dane->mcert);
+ dane->mcert = cert;
+ X509_up_ref(cert);
+ }
+--
+2.45.4
+
diff --git a/SPECS/openssl/openssl.spec b/SPECS/openssl/openssl.spec
index 76fd228855f..374a2198d5a 100644
--- a/SPECS/openssl/openssl.spec
+++ b/SPECS/openssl/openssl.spec
@@ -4,7 +4,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.1.1k
-Release: 39%{?dist}
+Release: 40%{?dist}
 License: OpenSSL
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -73,6 +73,10 @@ Patch49: openssl-1.1.1-fix-OCB-AES-NI-HW-stream-path-unauthenticated-unen Patch50: openssl-1.1.1-check-return-code-of-UTF8_putc.patch Patch51: openssl-1.1.1-verify-ASN1-objects-types.patch Patch52: openssl-1.1.1-check-oct-argument-for-NULL.patch +Patch53: openssl-1.1.1-dane_match_cert-should-X509_free-on-mcert-instead-of.patch +Patch54: openssl-1.1.1-Fix-NULL-Dereference-When-Delta-CRL-Lacks-CRL-Number.patch +Patch55: openssl-1.1.1-Fix-NULL-deref-in-ec-dh_cms_set_shared_info.patch +Patch56: openssl-1.1.1-Fix-NULL-deref-in-rsa_cms_decrypt.patch BuildRequires: perl-Test-Warnings BuildRequires: perl-Text-Template @@ -336,6 +340,12 @@ rm -f %{buildroot}%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist %postun libs -p /sbin/ldconfig %changelog +* Mon Apr 20 2026 Kanishk Bansal - 1.1.1k-40 +- Fix NULL Dereference When Delta CRL Lacks CRL Number Extension +- Fix NULL deref in [ec]dh_cms_set_shared_info +- Fix NULL deref in rsa_cms_decrypt +- dane_match_cert() should X509_free() on mcert instead of OPENSSL_free() + * Wed Mar 11 2026 Archana Shettigar - 1.1.1k-39 - Patch PKCS12_item_decrypt_d2i_ex(): Check oct argument for NULL diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index 8532b63b5f0..0a1f02944e1 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt 
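Review bot: The hunk declares Patch53 to Patch56, but none of the three openssl.spec hunks in this commit touches %prep, and together they account for all 12 changed lines the diffstat reports for the file. If this spec applies patches with explicit `%patchNN -p1` lines rather than `%autosetup`, the four fixes would ship as sources and never be applied, so it is worth confirming the mechanism in %prep (not visible here) or checking the build log for all four patch names. Patch53 and Patch54 both modify crypto/x509/x509_vfy.c and their index lines chain (`66b532a165..bc46ae8352` then `bc46ae8352..ea51bb28f5`), so the order listed here is the order they have to be applied in.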
@@ -165,11 +165,11 @@ texinfo-6.8-1.cm2.aarch64.rpm
 gtk-doc-1.33.2-1.cm2.noarch.rpm
 autoconf-2.71-3.cm2.noarch.rpm
 automake-1.16.5-1.cm2.noarch.rpm
-openssl-1.1.1k-39.cm2.aarch64.rpm
-openssl-devel-1.1.1k-39.cm2.aarch64.rpm
-openssl-libs-1.1.1k-39.cm2.aarch64.rpm
-openssl-perl-1.1.1k-39.cm2.aarch64.rpm
-openssl-static-1.1.1k-39.cm2.aarch64.rpm
+openssl-1.1.1k-40.cm2.aarch64.rpm
+openssl-devel-1.1.1k-40.cm2.aarch64.rpm
+openssl-libs-1.1.1k-40.cm2.aarch64.rpm
+openssl-perl-1.1.1k-40.cm2.aarch64.rpm
+openssl-static-1.1.1k-40.cm2.aarch64.rpm
 libcap-2.60-7.cm2.aarch64.rpm
 libcap-devel-2.60-7.cm2.aarch64.rpm
 debugedit-5.0-2.cm2.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
index 73a9df4ca3a..809115e01ae 100644
--- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -165,11 +165,11 @@ texinfo-6.8-1.cm2.x86_64.rpm
 gtk-doc-1.33.2-1.cm2.noarch.rpm
 autoconf-2.71-3.cm2.noarch.rpm
 automake-1.16.5-1.cm2.noarch.rpm
-openssl-1.1.1k-39.cm2.x86_64.rpm
-openssl-devel-1.1.1k-39.cm2.x86_64.rpm
-openssl-libs-1.1.1k-39.cm2.x86_64.rpm
-openssl-perl-1.1.1k-39.cm2.x86_64.rpm
-openssl-static-1.1.1k-39.cm2.x86_64.rpm
+openssl-1.1.1k-40.cm2.x86_64.rpm
+openssl-devel-1.1.1k-40.cm2.x86_64.rpm
+openssl-libs-1.1.1k-40.cm2.x86_64.rpm
+openssl-perl-1.1.1k-40.cm2.x86_64.rpm
+openssl-static-1.1.1k-40.cm2.x86_64.rpm
 libcap-2.60-7.cm2.x86_64.rpm
 libcap-devel-2.60-7.cm2.x86_64.rpm
 debugedit-5.0-2.cm2.x86_64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
index 814c5ecd113..92d26d832e6 100644
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -270,12 +270,12 @@ npth-1.6-4.cm2.aarch64.rpm
 npth-debuginfo-1.6-4.cm2.aarch64.rpm
 npth-devel-1.6-4.cm2.aarch64.rpm
 ntsysv-1.20-4.cm2.aarch64.rpm
-openssl-1.1.1k-39.cm2.aarch64.rpm
-openssl-debuginfo-1.1.1k-39.cm2.aarch64.rpm
-openssl-devel-1.1.1k-39.cm2.aarch64.rpm
-openssl-libs-1.1.1k-39.cm2.aarch64.rpm
-openssl-perl-1.1.1k-39.cm2.aarch64.rpm
-openssl-static-1.1.1k-39.cm2.aarch64.rpm
+openssl-1.1.1k-40.cm2.aarch64.rpm
+openssl-debuginfo-1.1.1k-40.cm2.aarch64.rpm
+openssl-devel-1.1.1k-40.cm2.aarch64.rpm
+openssl-libs-1.1.1k-40.cm2.aarch64.rpm
+openssl-perl-1.1.1k-40.cm2.aarch64.rpm
+openssl-static-1.1.1k-40.cm2.aarch64.rpm
 p11-kit-0.24.1-1.cm2.aarch64.rpm
 p11-kit-debuginfo-0.24.1-1.cm2.aarch64.rpm
 p11-kit-devel-0.24.1-1.cm2.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
index 0d153054275..d11e4afeeb6 100644
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -276,12 +276,12 @@ npth-1.6-4.cm2.x86_64.rpm
 npth-debuginfo-1.6-4.cm2.x86_64.rpm
 npth-devel-1.6-4.cm2.x86_64.rpm
 ntsysv-1.20-4.cm2.x86_64.rpm
-openssl-1.1.1k-39.cm2.x86_64.rpm
-openssl-debuginfo-1.1.1k-39.cm2.x86_64.rpm
-openssl-devel-1.1.1k-39.cm2.x86_64.rpm
-openssl-libs-1.1.1k-39.cm2.x86_64.rpm
-openssl-perl-1.1.1k-39.cm2.x86_64.rpm
-openssl-static-1.1.1k-39.cm2.x86_64.rpm
+openssl-1.1.1k-40.cm2.x86_64.rpm
+openssl-debuginfo-1.1.1k-40.cm2.x86_64.rpm
+openssl-devel-1.1.1k-40.cm2.x86_64.rpm
+openssl-libs-1.1.1k-40.cm2.x86_64.rpm
+openssl-perl-1.1.1k-40.cm2.x86_64.rpm
+openssl-static-1.1.1k-40.cm2.x86_64.rpm
 p11-kit-0.24.1-1.cm2.x86_64.rpm
 p11-kit-debuginfo-0.24.1-1.cm2.x86_64.rpm
 p11-kit-devel-0.24.1-1.cm2.x86_64.rpm