wok-current rev 25790 tip
Backport fix CVE-2025-9230 to openssl11
author | Stanislas Leduc <shann@slitaz.org> |
---|---|
date | Fri Oct 03 02:49:16 2025 +0000 (11 hours ago) |
parents | 728e408d970d |
children | |
files | libcrypto11-dev/receipt libcrypto11/receipt libssl11/receipt openssl11-dev/receipt openssl11/receipt openssl11/stuff/0006-openssl-1.1.1zd_CVE_2025-9230.patch |
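--- a/libcrypto11-dev/receipt
+++ b/libcrypto11-dev/receipt
@@ -1,7 +1,7 @@
 # SliTaz package receipt.
 
 PACKAGE="libcrypto11-dev"
-VERSION="1.1.1zb"
+VERSION="1.1.1zd"
 CATEGORY="development"
 SHORT_DESC="General purpose cryptographic shared library devel files (1.1.1 series)."
 MAINTAINER="pascal.bellard@slitaz.org"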
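--- a/libcrypto11/receipt
+++ b/libcrypto11/receipt
@@ -1,7 +1,7 @@
 # SliTaz package receipt.
 
 PACKAGE="libcrypto11"
-VERSION="1.1.1zb"
+VERSION="1.1.1zd"
 CATEGORY="security"
 SHORT_DESC="General purpose cryptographic shared library (1.1.1 series)."
 MAINTAINER="pascal.bellard@slitaz.org"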
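--- a/libssl11/receipt
+++ b/libssl11/receipt
@@ -1,7 +1,7 @@
 # SliTaz package receipt.
 
 PACKAGE="libssl11"
-VERSION="1.1.1zb"
+VERSION="1.1.1zd"
 CATEGORY="security"
 SHORT_DESC="OpenSSL libraries (1.1.1 series)."
 MAINTAINER="pascal.bellard@slitaz.org"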
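--- a/openssl11-dev/receipt
+++ b/openssl11-dev/receipt
@@ -1,7 +1,7 @@
 # SliTaz package receipt.
 
 PACKAGE="openssl11-dev"
-VERSION="1.1.1zb"
+VERSION="1.1.1zd"
 CATEGORY="development"
 SHORT_DESC="Open source Secure Sockets Layer devel files (1.1.1 series)."
 MAINTAINER="pascal.bellard@slitaz.org"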
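--- a/openssl11/receipt
+++ b/openssl11/receipt
@@ -2,7 +2,7 @@
 
 PACKAGE="openssl11"
 SOURCE="openssl"
-VERSION="1.1.1zb"
+VERSION="1.1.1zd"
 _realver="1.1.1w"
 CATEGORY="security"
 SHORT_DESC="Open source Secure Sockets Layer (1.1.1 series)."
@@ -48,6 +48,11 @@
 patch -p1 < $stuff/0004-openssl-1.1.1zb_CVE_2024_9143.patch
 patch -p1 < $stuff/0005-openssl-1.1.1zb_p2_CVE_2024_13176.patch
 
+ # Backport fix CVE 2025-9230
+ # see https://build.opensuse.org/package/show/SUSE:SLE-15-SP6:Update/openssl-1_1
+ # see https://github.com/openssl/openssl/commit/a79c4ce559c6a3a8fd4109e9f33c1185d5bf2def
+ patch -p1 < $stuff/0006-openssl-1.1.1zd_CVE_2025-9230.patch
+
 # Add -Wa,--noexecstack here so that libcrypto's assembler modules will be
 # marked as not requiring an executable stack (compatibility improvement).
 case "$ARCH" in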
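Review bot: The added `patch -p1 < $stuff/0006-openssl-1.1.1zd_CVE_2025-9230.patch` line in the second hunk has no visible failure handling and leaves `$stuff` unquoted, like the two context lines above it. Whether the build aborts on a rejected hunk is decided outside this hunk; if it does not, a package labelled 1.1.1zd could ship without the kek_unwrap_key() check, so I would write `patch -p1 < "$stuff/0006-openssl-1.1.1zd_CVE_2025-9230.patch" || return 1` (assuming this runs inside the receipt's compile function). The comment spells the identifier `CVE 2025-9230`; `# Backport fix CVE-2025-9230` keeps it greppable. The cited upstream commit a79c4ce559c6… does not match the `From eb7ca9504a1b…` hash in the patch file this changeset adds, so a line naming the branch or vendor tree the file was taken from would make its provenance checkable.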
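--- /dev/null
+++ b/openssl11/stuff/0006-openssl-1.1.1zd_CVE_2025-9230.patch
@@ -0,0 +1,39 @@
+From eb7ca9504a1b9ba7ed50140fc5b81e1e5e9adf59 Mon Sep 17 00:00:00 2001
+From: Viktor Dukhovni <openssl-users@dukhovni.org>
+Date: Thu, 11 Sep 2025 18:10:12 +0200
+Subject: [PATCH] kek_unwrap_key(): Fix incorrect check of unwrapped key size
+
+Fixes CVE-2025-9230
+
+The check is off by 8 bytes so it is possible to overread by
+up to 8 bytes and overwrite up to 4 bytes.
+---
+ crypto/cms/cms_pwri.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/crypto/cms/cms_pwri.c b/crypto/cms/cms_pwri.c
+index 106bd98dc7..ba8646f93c 100644
+--- a/crypto/cms/cms_pwri.c
++++ b/crypto/cms/cms_pwri.c
+@@ -243,7 +243,7 @@ static int kek_unwrap_key(unsigned char *out, size_t *outlen,
+ /* Check byte failure */
+ goto err;
+ }
+- if (inlen < (size_t)(tmp[0] - 4)) {
++ if (inlen < 4 + (size_t)tmp[0]) {
+ /* Invalid length value */
+ goto err;
+ }
+--- a/include/openssl/opensslv.h
++++ b/include/openssl/opensslv.h
+@@ -40,7 +40,7 @@ extern "C" {
+ * major minor fix final patch/beta)
+ */
+ # define OPENSSL_VERSION_NUMBER 0x101011bfL
+-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1zb 20 Jan 2025"
++# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1zd 01 Oct 2025"
+
+ /*-
+ * The macros below are to be used for shared library (.so, .dll, ...)
+--
+2.51.0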
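Review bot: The include/openssl/opensslv.h section of this patch file has no `diff --git`/`index` header, unlike the cms_pwri.c section, which suggests it was appended locally, yet the mail header still attributes the whole file to the upstream author and commit eb7ca9504a1b…. Keeping the upstream fix verbatim and moving the `OPENSSL_VERSION_TEXT` change into its own patch, or marking it with a header line such as `SliTaz: version text hunk added locally`, would let the security fix be compared byte-for-byte with its source. `OPENSSL_VERSION_NUMBER` also stays at 0x101011bfL, so only the text string distinguishes this build, and anything that audits installed versions numerically will not see the fix. The corrected bound `inlen < 4 + (size_t)tmp[0]` is consistent with the commit message's off-by-8 description; the rest of kek_unwrap_key() lies outside the hunk.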