File openssl-CVE-2026-22795.patch of Package openssl-1_1.42458

From 572844beca95068394c916626a6d3a490f831a49 Mon Sep 17 00:00:00 2001
From: Bob Beck <beck@openssl.org>
Date: Wed, 7 Jan 2026 11:29:48 -0700
Subject: [PATCH] Ensure ASN1 types are checked before use.

Some of these were fixed by LibreSSL in commit https://github.com/openbsd/src/commit/aa1f637d454961d22117b4353f98253e984b3ba8;
this fix includes the other fixes in that commit, as well as fixes for other instances found by
scanning the tree for the same pattern of unvalidated access.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29582)
---
 apps/s_client.c          |  3 ++-
 crypto/pkcs12/p12_kiss.c | 10 ++++++++--
 crypto/pkcs7/pk7_doit.c  |  2 ++
 3 files changed, 12 insertions(+), 3 deletions(-)

Index: openssl-1.1.1d/apps/s_client.c
===================================================================
--- openssl-1.1.1d.orig/apps/s_client.c
+++ openssl-1.1.1d/apps/s_client.c
@@ -2668,8 +2668,9 @@ int s_client_main(int argc, char **argv)
                 goto end;
             }
             atyp = ASN1_generate_nconf(genstr, cnf);
-            if (atyp == NULL) {
+            if (atyp == NULL || atyp->type != V_ASN1_SEQUENCE) {
                 NCONF_free(cnf);
+                ASN1_TYPE_free(atyp);
                 BIO_printf(bio_err, "ASN1_generate_nconf failed\n");
                 goto end;
             }
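Review bot: The failure branch still prints `ASN1_generate_nconf failed` when generation succeeded and the value was rejected only because `atyp->type != V_ASN1_SEQUENCE`, so the diagnostic misreports the cause. Either split the condition or word the message to cover both cases, for example `BIO_printf(bio_err, "ASN1_generate_nconf failed or did not produce a SEQUENCE\n");`. The added `ASN1_TYPE_free(atyp)` is also reached with a NULL pointer in the first case, which ASN1_TYPE_free accepts. The code that consumes `atyp` after this check is outside the hunk, so the SEQUENCE requirement presumably protects a later `atyp->value.sequence` access.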
Index: openssl-1.1.1d/crypto/pkcs12/p12_kiss.c
===================================================================
--- openssl-1.1.1d.orig/crypto/pkcs12/p12_kiss.c
+++ openssl-1.1.1d/crypto/pkcs12/p12_kiss.c
@@ -183,11 +183,17 @@ static int parse_bag(PKCS12_SAFEBAG *bag
     ASN1_BMPSTRING *fname = NULL;
     ASN1_OCTET_STRING *lkid = NULL;
 
-    if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_friendlyName)))
+    if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_friendlyName))) {
+        if (attrib->type != V_ASN1_BMPSTRING)
+            return 0;
         fname = attrib->value.bmpstring;
+    }
 
-    if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_localKeyID)))
+    if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_localKeyID))) {
+        if (attrib->type != V_ASN1_OCTET_STRING)
+            return 0;
         lkid = attrib->value.octet_string;
+    }
 
     switch (PKCS12_SAFEBAG_get_nid(bag)) {
     case NID_keyBag:
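Review bot: Both new checks in parse_bag `return 0` on a wrongly typed friendlyName or localKeyID, but nothing says why the mismatch is fatal for the whole bag rather than the attribute being ignored. I would add a comment above the first check such as `/* attrib->value is a union: only read the member that matches attrib->type, and reject the bag otherwise */`. The diffstat lists no test files, so a regression test that feeds parse_bag an attribute of the wrong ASN.1 type would pin the new behaviour. The uses of `fname` and `lkid` are further down in the function, outside this hunk.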
Index: openssl-1.1.1d/crypto/pkcs7/pk7_doit.c
===================================================================
--- openssl-1.1.1d.orig/crypto/pkcs7/pk7_doit.c
+++ openssl-1.1.1d/crypto/pkcs7/pk7_doit.c
@@ -1099,6 +1099,8 @@ ASN1_OCTET_STRING *PKCS7_digest_from_att
     ASN1_TYPE *astype;
     if ((astype = get_attribute(sk, NID_pkcs9_messageDigest)) == NULL)
         return NULL;
+    if (astype->type != V_ASN1_OCTET_STRING)
+        return NULL;
     return astype->value.octet_string;
 }
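Review bot: A NULL return from PKCS7_digest_from_attributes now means either that the messageDigest attribute is absent or that it is present with a type other than OCTET STRING, and the function does not document this. I would add a comment above it such as `/* Returns NULL if the messageDigest attribute is missing or is not an OCTET STRING. */`. The two early returns could also be folded into one test, `if (astype == NULL || astype->type != V_ASN1_OCTET_STRING) return NULL;`, which keeps the lookup and the type check visibly together. The function's signature line is outside the hunk, and callers are not shown, so whether they treat NULL as a verification failure should be confirmed.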
 