Skip to content

Commit ae6462d

Browse files
Kanishk-BansalKanishk Bansal
andauthored
Patch openssl for multiple Null Deref (microsoft#16761)
Co-authored-by: Kanishk Bansal <kanbansal@microsoft.com>
1 parent 4dfe502 commit ae6462d

9 files changed

Lines changed: 293 additions & 23 deletions
Lines changed: 33 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,33 @@
1+
From a1c1ce6a37d05e0a70d463667a199c2a9c772680 Mon Sep 17 00:00:00 2001
2+
From: Alexandr Nedvedicky <sashan@openssl.org>
3+
Date: Wed, 25 Mar 2026 11:15:05 +0100
4+
Subject: [PATCH 02/11] Fix NULL Dereference When Delta CRL Lacks CRL Number
5+
Extension
6+
7+
Fixes: CVE-2026-28388
8+
Resolves: https://github.com/openssl/srt/issues/77
9+
Co-Authored-by: Igor Morgenstern <igor.morgenstern@aisle.com>
10+
11+
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
12+
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
13+
MergeDate: Tue Apr 7 12:13:20 2026
14+
---
15+
crypto/x509/x509_vfy.c | 2 ++
16+
1 file changed, 2 insertions(+)
17+
18+
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
19+
index bc46ae8352..ea51bb28f5 100644
20+
--- a/crypto/x509/x509_vfy.c
21+
+++ b/crypto/x509/x509_vfy.c
22+
@@ -1136,6 +1136,8 @@ static int check_delta_base(X509_CRL *delta, X509_CRL *base)
23+
if (ASN1_INTEGER_cmp(delta->base_crl_number, base->crl_number) > 0)
24+
return 0;
25+
/* Delta CRL number must exceed full CRL number */
26+
+ if (delta->crl_number == NULL)
27+
+ return 0;
28+
if (ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0)
29+
return 1;
30+
return 0;
31+
--
32+
2.45.4
33+
Lines changed: 107 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,107 @@
1+
From 114e959f0405ae860a4b4f95f7a12e60afc8843a Mon Sep 17 00:00:00 2001
2+
From: Neil Horman <nhorman@openssl.org>
3+
Date: Wed, 25 Mar 2026 11:11:02 +0100
4+
Subject: [PATCH 03/11] Fix NULL deref in [ec]dh_cms_set_shared_info
5+
6+
Multiple independent reports indicated a SIGSEGV was possible in CMS
7+
processing when a crafted CMS EnvelopedData message using A Key
8+
Agreement Recipient Info field. If the
9+
KeyEncryptionAlgorithmIdentifier omits the optional parameter field, the
10+
referenced functions above will attempt to dereference the
11+
alg->parameter data prior to checking if the parameter field is NULL.
12+
13+
Confirmed to resolve the issues using the reproducers provided in the
14+
security reports.
15+
16+
Fixes: CVE-2026-28389
17+
Co-authored-by: Tomas Mraz <tomas@openssl.foundation>
18+
19+
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
20+
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
21+
MergeDate: Tue Apr 7 12:26:51 2026
22+
---
23+
crypto/dh/dh_ameth.c | 13 +++++++++----
24+
crypto/ec/ec_ameth.c | 16 ++++++++++++----
25+
2 files changed, 21 insertions(+), 8 deletions(-)
26+
27+
diff --git a/crypto/dh/dh_ameth.c b/crypto/dh/dh_ameth.c
28+
index 576409ccb5..6615cb9837 100644
29+
--- a/crypto/dh/dh_ameth.c
30+
+++ b/crypto/dh/dh_ameth.c
31+
@@ -681,15 +681,20 @@ static int dh_cms_set_shared_info(EVP_PKEY_CTX *pctx, CMS_RecipientInfo *ri)
32+
int keylen, plen;
33+
const EVP_CIPHER *kekcipher;
34+
EVP_CIPHER_CTX *kekctx;
35+
+ const ASN1_OBJECT *aoid;
36+
+ const void *parameter = NULL;
37+
+ int ptype = 0;
38+
39+
if (!CMS_RecipientInfo_kari_get0_alg(ri, &alg, &ukm))
40+
goto err;
41+
42+
+ X509_ALGOR_get0(&aoid, &ptype, &parameter, alg);
43+
+
44+
/*
45+
* For DH we only have one OID permissible. If ever any more get defined
46+
* we will need something cleverer.
47+
*/
48+
- if (OBJ_obj2nid(alg->algorithm) != NID_id_smime_alg_ESDH) {
49+
+ if (OBJ_obj2nid(aoid) != NID_id_smime_alg_ESDH) {
50+
DHerr(DH_F_DH_CMS_SET_SHARED_INFO, DH_R_KDF_PARAMETER_ERROR);
51+
goto err;
52+
}
53+
@@ -700,11 +705,11 @@ static int dh_cms_set_shared_info(EVP_PKEY_CTX *pctx, CMS_RecipientInfo *ri)
54+
if (EVP_PKEY_CTX_set_dh_kdf_md(pctx, EVP_sha1()) <= 0)
55+
goto err;
56+
57+
- if (alg->parameter->type != V_ASN1_SEQUENCE)
58+
+ if (ptype != V_ASN1_SEQUENCE)
59+
goto err;
60+
61+
- p = alg->parameter->value.sequence->data;
62+
- plen = alg->parameter->value.sequence->length;
63+
+ p = ASN1_STRING_get0_data(parameter);
64+
+ plen = ASN1_STRING_length(parameter);
65+
kekalg = d2i_X509_ALGOR(NULL, &p, plen);
66+
if (!kekalg)
67+
goto err;
68+
diff --git a/crypto/ec/ec_ameth.c b/crypto/ec/ec_ameth.c
69+
index 5a63590a9f..597d0311b5 100644
70+
--- a/crypto/ec/ec_ameth.c
71+
+++ b/crypto/ec/ec_ameth.c
72+
@@ -749,20 +749,28 @@ static int ecdh_cms_set_shared_info(EVP_PKEY_CTX *pctx, CMS_RecipientInfo *ri)
73+
int plen, keylen;
74+
const EVP_CIPHER *kekcipher;
75+
EVP_CIPHER_CTX *kekctx;
76+
+ const ASN1_OBJECT *aoid = NULL;
77+
+ int ptype = 0;
78+
+ const void *parameter = NULL;
79+
80+
if (!CMS_RecipientInfo_kari_get0_alg(ri, &alg, &ukm))
81+
return 0;
82+
83+
- if (!ecdh_cms_set_kdf_param(pctx, OBJ_obj2nid(alg->algorithm))) {
84+
+ if (alg->parameter == NULL)
85+
+ return 0;
86+
+
87+
+ X509_ALGOR_get0(&aoid, &ptype, &parameter, alg);
88+
+
89+
+ if (!ecdh_cms_set_kdf_param(pctx, OBJ_obj2nid(aoid))) {
90+
ECerr(EC_F_ECDH_CMS_SET_SHARED_INFO, EC_R_KDF_PARAMETER_ERROR);
91+
return 0;
92+
}
93+
94+
- if (alg->parameter->type != V_ASN1_SEQUENCE)
95+
+ if (ptype != V_ASN1_SEQUENCE)
96+
return 0;
97+
98+
- p = alg->parameter->value.sequence->data;
99+
- plen = alg->parameter->value.sequence->length;
100+
+ p = ASN1_STRING_get0_data(parameter);
101+
+ plen = ASN1_STRING_length(parameter);
102+
kekalg = d2i_X509_ALGOR(NULL, &p, plen);
103+
if (!kekalg)
104+
goto err;
105+
--
106+
2.45.4
107+
Lines changed: 88 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,88 @@
1+
From ac48e58ee5824062a320b81b4ef81e9b95dd9245 Mon Sep 17 00:00:00 2001
2+
From: Neil Horman <nhorman@openssl.org>
3+
Date: Tue, 7 Apr 2026 08:33:33 +0200
4+
Subject: [PATCH 05/11] Fix NULL deref in rsa_cms_decrypt
5+
6+
Very simmilar to CVE-2026-28389, ensure that if we are missing
7+
parameters in RSA-OAEP SourceFunc in CMS KeyTransportRecipientInfo,
8+
we don't segfault when decrypting.
9+
10+
Fixes: CVE-2026-28390
11+
Co-authored-by: Tomas Mraz <tomas@openssl.foundation>
12+
13+
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
14+
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
15+
MergeDate: Tue Apr 7 12:26:54 2026
16+
---
17+
crypto/rsa/rsa_ameth.c | 30 ++++++++++++++++++++----------
18+
1 file changed, 20 insertions(+), 10 deletions(-)
19+
20+
diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
21+
index 00ed9820b0..b06b106ad1 100644
22+
--- a/crypto/rsa/rsa_ameth.c
23+
+++ b/crypto/rsa/rsa_ameth.c
24+
@@ -922,10 +922,13 @@ static int rsa_cms_decrypt(CMS_RecipientInfo *ri)
25+
X509_ALGOR *cmsalg;
26+
int nid;
27+
int rv = -1;
28+
- unsigned char *label = NULL;
29+
+ const unsigned char *label = NULL;
30+
int labellen = 0;
31+
const EVP_MD *mgf1md = NULL, *md = NULL;
32+
RSA_OAEP_PARAMS *oaep;
33+
+ const ASN1_OBJECT *aoid;
34+
+ const void *parameter = NULL;
35+
+ int ptype = 0;
36+
37+
pkctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
38+
if (pkctx == NULL)
39+
@@ -955,21 +958,19 @@ static int rsa_cms_decrypt(CMS_RecipientInfo *ri)
40+
goto err;
41+
42+
if (oaep->pSourceFunc != NULL) {
43+
- X509_ALGOR *plab = oaep->pSourceFunc;
44+
+ X509_ALGOR_get0(&aoid, &ptype, &parameter, oaep->pSourceFunc);
45+
46+
- if (OBJ_obj2nid(plab->algorithm) != NID_pSpecified) {
47+
+ if (OBJ_obj2nid(aoid) != NID_pSpecified) {
48+
RSAerr(RSA_F_RSA_CMS_DECRYPT, RSA_R_UNSUPPORTED_LABEL_SOURCE);
49+
goto err;
50+
}
51+
- if (plab->parameter->type != V_ASN1_OCTET_STRING) {
52+
+ if (ptype != V_ASN1_OCTET_STRING) {
53+
RSAerr(RSA_F_RSA_CMS_DECRYPT, RSA_R_INVALID_LABEL);
54+
goto err;
55+
}
56+
57+
- label = plab->parameter->value.octet_string->data;
58+
- /* Stop label being freed when OAEP parameters are freed */
59+
- plab->parameter->value.octet_string->data = NULL;
60+
- labellen = plab->parameter->value.octet_string->length;
61+
+ label = ASN1_STRING_get0_data(parameter);
62+
+ labellen = ASN1_STRING_length(parameter);
63+
}
64+
65+
if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_OAEP_PADDING) <= 0)
66+
@@ -978,8 +979,17 @@ static int rsa_cms_decrypt(CMS_RecipientInfo *ri)
67+
goto err;
68+
if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md) <= 0)
69+
goto err;
70+
- if (EVP_PKEY_CTX_set0_rsa_oaep_label(pkctx, label, labellen) <= 0)
71+
- goto err;
72+
+ if (label != NULL) {
73+
+ unsigned char *dup_label = OPENSSL_memdup(label, labellen);
74+
+
75+
+ if (dup_label == NULL)
76+
+ goto err;
77+
+
78+
+ if (EVP_PKEY_CTX_set0_rsa_oaep_label(pkctx, dup_label, labellen) <= 0) {
79+
+ OPENSSL_free(dup_label);
80+
+ goto err;
81+
+ }
82+
+ }
83+
/* Carry on */
84+
rv = 1;
85+
86+
--
87+
2.45.4
88+
Lines changed: 32 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,32 @@
1+
From cd99a872da3ede64ee848f4a937c310454241c2c Mon Sep 17 00:00:00 2001
2+
From: Alexandr Nedvedicky <sashan@openssl.org>
3+
Date: Wed, 25 Mar 2026 12:04:19 +0100
4+
Subject: [PATCH 01/11] dane_match_cert() should X509_free() on mcert instead
5+
of OPENSSL_free()
6+
7+
Fixes: 170b735820ac "DANE support for X509_verify_cert()"
8+
Fixes: CVE-2026-28387
9+
10+
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
11+
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
12+
MergeDate: Tue Apr 7 12:08:19 2026
13+
---
14+
crypto/x509/x509_vfy.c | 2 +-
15+
1 file changed, 1 insertion(+), 1 deletion(-)
16+
17+
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
18+
index 66b532a165..bc46ae8352 100644
19+
--- a/crypto/x509/x509_vfy.c
20+
+++ b/crypto/x509/x509_vfy.c
21+
@@ -2761,7 +2761,7 @@ static int dane_match(X509_STORE_CTX *ctx, X509 *cert, int depth)
22+
if (matched || dane->mdpth < 0) {
23+
dane->mdpth = depth;
24+
dane->mtlsa = t;
25+
- OPENSSL_free(dane->mcert);
26+
+ X509_free(dane->mcert);
27+
dane->mcert = cert;
28+
X509_up_ref(cert);
29+
}
30+
--
31+
2.45.4
32+

SPECS/openssl/openssl.spec

Lines changed: 11 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@
44
Summary: Utilities from the general purpose cryptography library with TLS implementation
55
Name: openssl
66
Version: 1.1.1k
7-
Release: 39%{?dist}
7+
Release: 40%{?dist}
88
License: OpenSSL
99
Vendor: Microsoft Corporation
1010
Distribution: Mariner
@@ -73,6 +73,10 @@ Patch49: openssl-1.1.1-fix-OCB-AES-NI-HW-stream-path-unauthenticated-unen
7373
Patch50: openssl-1.1.1-check-return-code-of-UTF8_putc.patch
7474
Patch51: openssl-1.1.1-verify-ASN1-objects-types.patch
7575
Patch52: openssl-1.1.1-check-oct-argument-for-NULL.patch
76+
Patch53: openssl-1.1.1-dane_match_cert-should-X509_free-on-mcert-instead-of.patch
77+
Patch54: openssl-1.1.1-Fix-NULL-Dereference-When-Delta-CRL-Lacks-CRL-Number.patch
78+
Patch55: openssl-1.1.1-Fix-NULL-deref-in-ec-dh_cms_set_shared_info.patch
79+
Patch56: openssl-1.1.1-Fix-NULL-deref-in-rsa_cms_decrypt.patch
7680

7781
BuildRequires: perl-Test-Warnings
7882
BuildRequires: perl-Text-Template
@@ -336,6 +340,12 @@ rm -f %{buildroot}%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist
336340
%postun libs -p /sbin/ldconfig
337341

338342
%changelog
343+
* Mon Apr 20 2026 Kanishk Bansal <kanbansal@microsoft.com> - 1.1.1k-40
344+
- Fix NULL Dereference When Delta CRL Lacks CRL Number Extension
345+
- Fix NULL deref in [ec]dh_cms_set_shared_info
346+
- Fix NULL deref in rsa_cms_decrypt
347+
- dane_match_cert() should X509_free() on mcert instead of OPENSSL_free()
348+
339349
* Wed Mar 11 2026 Archana Shettigar <v-shettigara@microsoft.com> - 1.1.1k-39
340350
- Patch PKCS12_item_decrypt_d2i_ex(): Check oct argument for NULL
341351

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -165,11 +165,11 @@ texinfo-6.8-1.cm2.aarch64.rpm
165165
gtk-doc-1.33.2-1.cm2.noarch.rpm
166166
autoconf-2.71-3.cm2.noarch.rpm
167167
automake-1.16.5-1.cm2.noarch.rpm
168-
openssl-1.1.1k-39.cm2.aarch64.rpm
169-
openssl-devel-1.1.1k-39.cm2.aarch64.rpm
170-
openssl-libs-1.1.1k-39.cm2.aarch64.rpm
171-
openssl-perl-1.1.1k-39.cm2.aarch64.rpm
172-
openssl-static-1.1.1k-39.cm2.aarch64.rpm
168+
openssl-1.1.1k-40.cm2.aarch64.rpm
169+
openssl-devel-1.1.1k-40.cm2.aarch64.rpm
170+
openssl-libs-1.1.1k-40.cm2.aarch64.rpm
171+
openssl-perl-1.1.1k-40.cm2.aarch64.rpm
172+
openssl-static-1.1.1k-40.cm2.aarch64.rpm
173173
libcap-2.60-7.cm2.aarch64.rpm
174174
libcap-devel-2.60-7.cm2.aarch64.rpm
175175
debugedit-5.0-2.cm2.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -165,11 +165,11 @@ texinfo-6.8-1.cm2.x86_64.rpm
165165
gtk-doc-1.33.2-1.cm2.noarch.rpm
166166
autoconf-2.71-3.cm2.noarch.rpm
167167
automake-1.16.5-1.cm2.noarch.rpm
168-
openssl-1.1.1k-39.cm2.x86_64.rpm
169-
openssl-devel-1.1.1k-39.cm2.x86_64.rpm
170-
openssl-libs-1.1.1k-39.cm2.x86_64.rpm
171-
openssl-perl-1.1.1k-39.cm2.x86_64.rpm
172-
openssl-static-1.1.1k-39.cm2.x86_64.rpm
168+
openssl-1.1.1k-40.cm2.x86_64.rpm
169+
openssl-devel-1.1.1k-40.cm2.x86_64.rpm
170+
openssl-libs-1.1.1k-40.cm2.x86_64.rpm
171+
openssl-perl-1.1.1k-40.cm2.x86_64.rpm
172+
openssl-static-1.1.1k-40.cm2.x86_64.rpm
173173
libcap-2.60-7.cm2.x86_64.rpm
174174
libcap-devel-2.60-7.cm2.x86_64.rpm
175175
debugedit-5.0-2.cm2.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -270,12 +270,12 @@ npth-1.6-4.cm2.aarch64.rpm
270270
npth-debuginfo-1.6-4.cm2.aarch64.rpm
271271
npth-devel-1.6-4.cm2.aarch64.rpm
272272
ntsysv-1.20-4.cm2.aarch64.rpm
273-
openssl-1.1.1k-39.cm2.aarch64.rpm
274-
openssl-debuginfo-1.1.1k-39.cm2.aarch64.rpm
275-
openssl-devel-1.1.1k-39.cm2.aarch64.rpm
276-
openssl-libs-1.1.1k-39.cm2.aarch64.rpm
277-
openssl-perl-1.1.1k-39.cm2.aarch64.rpm
278-
openssl-static-1.1.1k-39.cm2.aarch64.rpm
273+
openssl-1.1.1k-40.cm2.aarch64.rpm
274+
openssl-debuginfo-1.1.1k-40.cm2.aarch64.rpm
275+
openssl-devel-1.1.1k-40.cm2.aarch64.rpm
276+
openssl-libs-1.1.1k-40.cm2.aarch64.rpm
277+
openssl-perl-1.1.1k-40.cm2.aarch64.rpm
278+
openssl-static-1.1.1k-40.cm2.aarch64.rpm
279279
p11-kit-0.24.1-1.cm2.aarch64.rpm
280280
p11-kit-debuginfo-0.24.1-1.cm2.aarch64.rpm
281281
p11-kit-devel-0.24.1-1.cm2.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -276,12 +276,12 @@ npth-1.6-4.cm2.x86_64.rpm
276276
npth-debuginfo-1.6-4.cm2.x86_64.rpm
277277
npth-devel-1.6-4.cm2.x86_64.rpm
278278
ntsysv-1.20-4.cm2.x86_64.rpm
279-
openssl-1.1.1k-39.cm2.x86_64.rpm
280-
openssl-debuginfo-1.1.1k-39.cm2.x86_64.rpm
281-
openssl-devel-1.1.1k-39.cm2.x86_64.rpm
282-
openssl-libs-1.1.1k-39.cm2.x86_64.rpm
283-
openssl-perl-1.1.1k-39.cm2.x86_64.rpm
284-
openssl-static-1.1.1k-39.cm2.x86_64.rpm
279+
openssl-1.1.1k-40.cm2.x86_64.rpm
280+
openssl-debuginfo-1.1.1k-40.cm2.x86_64.rpm
281+
openssl-devel-1.1.1k-40.cm2.x86_64.rpm
282+
openssl-libs-1.1.1k-40.cm2.x86_64.rpm
283+
openssl-perl-1.1.1k-40.cm2.x86_64.rpm
284+
openssl-static-1.1.1k-40.cm2.x86_64.rpm
285285
p11-kit-0.24.1-1.cm2.x86_64.rpm
286286
p11-kit-debuginfo-0.24.1-1.cm2.x86_64.rpm
287287
p11-kit-devel-0.24.1-1.cm2.x86_64.rpm

0 commit comments

Comments
 (0)