Merge PR "[AUTO-CHERRYPICK] openssl: Fix check of unwrapped key size - branch main" microsoft#15076

Co-authored-by: corvus-callidus <[email protected]>

Author: CBL-Mariner-Bot

SPECS/openssl/openssl-1.1.1-fix-incorrect-check-of-unwrapped-key-size.patch

@@ -0,0 +1,34 @@
+From dfbaf161d8dafc1132dd88cd48ad990ed9b4c8ba Mon Sep 17 00:00:00 2001
+From: Viktor Dukhovni <[email protected]>
+Date: Thu, 11 Sep 2025 18:10:12 +0200
+Subject: [PATCH] kek_unwrap_key(): Fix incorrect check of unwrapped key size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The check is off by 8 bytes so it is possible to overread by
+up to 8 bytes and overwrite up to 4 bytes.
+
+Reviewed-by: Saša Nedvědický <[email protected]>
+Reviewed-by: Tomas Mraz <[email protected]>
+Reviewed-by: Neil Horman <[email protected]>
+(Merged from https://github.com/openssl/openssl/pull/6)
+---
+ crypto/cms/cms_pwri.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/crypto/cms/cms_pwri.c b/crypto/cms/cms_pwri.c
+index d741488339..9f98840244 100644
+--- a/crypto/cms/cms_pwri.c
++++ b/crypto/cms/cms_pwri.c
+@@ -215,7 +215,7 @@ static int kek_unwrap_key(unsigned char *out, size_t *outlen,
+         /* Check byte failure */
+         goto err;
+     }
+-    if (inlen < (size_t)(tmp[0] - 4)) {
++    if (inlen < 4 + (size_t)tmp[0]) {
+         /* Invalid length value */
+         goto err;
+     }
+--
+2.43.0

SPECS/openssl/openssl.spec

@@ -4,7 +4,7 @@
 Summary:        Utilities from the general purpose cryptography library with TLS implementation
 Name:           openssl
 Version:        1.1.1k
-Release:        36%{?dist}
+Release:        37%{?dist}
 License:        OpenSSL
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -66,6 +66,8 @@ Patch42:        openssl-1.1.1-Only-free-the-read-buffers-if-we-re-not-using-them
 Patch43:        openssl-1.1.1-jitterentropy-fix-intermittent-fips-selftest-failure.patch
 Patch44:        CVE-2024-5535.patch
 Patch45:        openssl-1.1.1-Fix-timing-side-channel-in-ECDSA-signature-computation.patch
+Patch46:        openssl-1.1.1-fix-incorrect-check-of-unwrapped-key-size.patch
+
 BuildRequires:  perl-Test-Warnings
 BuildRequires:  perl-Text-Template
 BuildRequires:  perl(FindBin)
@@ -329,6 +331,9 @@ rm -f %{buildroot}%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist
 %postun libs -p /sbin/ldconfig
 
 %changelog
+* Thu Nov 06 2025 Lynsey Rydberg <[email protected]> - 1.1.1k-37
+- Fix incorrect check of unwrapped key size
+
 * Wed Mar 26 2025 Tobias Brick <[email protected]> - 1.1.1k-36
 - Fix timing side-channel in ECDSA signature computation.
 

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -165,11 +165,11 @@ texinfo-6.8-1.cm2.aarch64.rpm
 gtk-doc-1.33.2-1.cm2.noarch.rpm
 autoconf-2.71-3.cm2.noarch.rpm
 automake-1.16.5-1.cm2.noarch.rpm
-openssl-1.1.1k-36.cm2.aarch64.rpm
-openssl-devel-1.1.1k-36.cm2.aarch64.rpm
-openssl-libs-1.1.1k-36.cm2.aarch64.rpm
-openssl-perl-1.1.1k-36.cm2.aarch64.rpm
-openssl-static-1.1.1k-36.cm2.aarch64.rpm
+openssl-1.1.1k-37.cm2.aarch64.rpm
+openssl-devel-1.1.1k-37.cm2.aarch64.rpm
+openssl-libs-1.1.1k-37.cm2.aarch64.rpm
+openssl-perl-1.1.1k-37.cm2.aarch64.rpm
+openssl-static-1.1.1k-37.cm2.aarch64.rpm
 libcap-2.60-4.cm2.aarch64.rpm
 libcap-devel-2.60-4.cm2.aarch64.rpm
 debugedit-5.0-2.cm2.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -165,11 +165,11 @@ texinfo-6.8-1.cm2.x86_64.rpm
 gtk-doc-1.33.2-1.cm2.noarch.rpm
 autoconf-2.71-3.cm2.noarch.rpm
 automake-1.16.5-1.cm2.noarch.rpm
-openssl-1.1.1k-36.cm2.x86_64.rpm
-openssl-devel-1.1.1k-36.cm2.x86_64.rpm
-openssl-libs-1.1.1k-36.cm2.x86_64.rpm
-openssl-perl-1.1.1k-36.cm2.x86_64.rpm
-openssl-static-1.1.1k-36.cm2.x86_64.rpm
+openssl-1.1.1k-37.cm2.x86_64.rpm
+openssl-devel-1.1.1k-37.cm2.x86_64.rpm
+openssl-libs-1.1.1k-37.cm2.x86_64.rpm
+openssl-perl-1.1.1k-37.cm2.x86_64.rpm
+openssl-static-1.1.1k-37.cm2.x86_64.rpm
 libcap-2.60-4.cm2.x86_64.rpm
 libcap-devel-2.60-4.cm2.x86_64.rpm
 debugedit-5.0-2.cm2.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -270,12 +270,12 @@ npth-1.6-4.cm2.aarch64.rpm
 npth-debuginfo-1.6-4.cm2.aarch64.rpm
 npth-devel-1.6-4.cm2.aarch64.rpm
 ntsysv-1.20-4.cm2.aarch64.rpm
-openssl-1.1.1k-36.cm2.aarch64.rpm
-openssl-debuginfo-1.1.1k-36.cm2.aarch64.rpm
-openssl-devel-1.1.1k-36.cm2.aarch64.rpm
-openssl-libs-1.1.1k-36.cm2.aarch64.rpm
-openssl-perl-1.1.1k-36.cm2.aarch64.rpm
-openssl-static-1.1.1k-36.cm2.aarch64.rpm
+openssl-1.1.1k-37.cm2.aarch64.rpm
+openssl-debuginfo-1.1.1k-37.cm2.aarch64.rpm
+openssl-devel-1.1.1k-37.cm2.aarch64.rpm
+openssl-libs-1.1.1k-37.cm2.aarch64.rpm
+openssl-perl-1.1.1k-37.cm2.aarch64.rpm
+openssl-static-1.1.1k-37.cm2.aarch64.rpm
 p11-kit-0.24.1-1.cm2.aarch64.rpm
 p11-kit-debuginfo-0.24.1-1.cm2.aarch64.rpm
 p11-kit-devel-0.24.1-1.cm2.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -276,12 +276,12 @@ npth-1.6-4.cm2.x86_64.rpm
 npth-debuginfo-1.6-4.cm2.x86_64.rpm
 npth-devel-1.6-4.cm2.x86_64.rpm
 ntsysv-1.20-4.cm2.x86_64.rpm
-openssl-1.1.1k-36.cm2.x86_64.rpm
-openssl-debuginfo-1.1.1k-36.cm2.x86_64.rpm
-openssl-devel-1.1.1k-36.cm2.x86_64.rpm
-openssl-libs-1.1.1k-36.cm2.x86_64.rpm
-openssl-perl-1.1.1k-36.cm2.x86_64.rpm
-openssl-static-1.1.1k-36.cm2.x86_64.rpm
+openssl-1.1.1k-37.cm2.x86_64.rpm
+openssl-debuginfo-1.1.1k-37.cm2.x86_64.rpm
+openssl-devel-1.1.1k-37.cm2.x86_64.rpm
+openssl-libs-1.1.1k-37.cm2.x86_64.rpm
+openssl-perl-1.1.1k-37.cm2.x86_64.rpm
+openssl-static-1.1.1k-37.cm2.x86_64.rpm
 p11-kit-0.24.1-1.cm2.x86_64.rpm
 p11-kit-debuginfo-0.24.1-1.cm2.x86_64.rpm
 p11-kit-devel-0.24.1-1.cm2.x86_64.rpm