File openssl-CVE-2025-69420.patch of Package openssl-1_1.42460
From 6453d278557c8719233793730ec500c84aea55d9 Mon Sep 17 00:00:00 2001
From: Bob Beck <beck@openssl.org>
Date: Wed, 7 Jan 2026 11:29:48 -0700
Subject: [PATCH] Verify ASN1 object's types before attempting to access them
as a particular type
Issue was reported in ossl_ess_get_signing_cert but is also present in
ossl_ess_get_signing_cert_v2.
Fixes: https://github.com/openssl/srt/issues/61
Fixes CVE-2025-69420
---
crypto/ts/ts_rsp_verify.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
Index: openssl-1.1.1d/crypto/ts/ts_rsp_verify.c
===================================================================
--- openssl-1.1.1d.orig/crypto/ts/ts_rsp_verify.c
+++ openssl-1.1.1d/crypto/ts/ts_rsp_verify.c
@@ -262,7 +262,7 @@ static ESS_SIGNING_CERT *ess_get_signing
ASN1_TYPE *attr;
const unsigned char *p;
attr = PKCS7_get_signed_attribute(si, NID_id_smime_aa_signingCertificate);
- if (!attr)
+ if (attr == NULL || attr->type != V_ASN1_SEQUENCE)
return NULL;
p = attr->value.sequence->data;
return d2i_ESS_SIGNING_CERT(NULL, &p, attr->value.sequence->length);
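Review bot: The new type guard in ess_get_signing_cert() has no comment saying why it is there, and the same holds for the identical guard in the ess_get_signing_cert_v2() hunk that follows. `attr` is taken from the signed attributes of the signer info via PKCS7_get_signed_attribute(), and `attr->value` is a union, so reading `value.sequence` is only meaningful once `attr->type` has been confirmed; a one-line comment above each check, such as `/* signed attribute is untrusted input: value.sequence is valid only when type is V_ASN1_SEQUENCE */`, would keep a later cleanup from dropping the condition. The diffstat lists only crypto/ts/ts_rsp_verify.c, so this backport appears to ship without a regression test; a timestamp-response test case whose signing-certificate attribute is not a SEQUENCE, and which is expected to fail verification cleanly, would pin the fix for both functions. Both function bodies start and end outside their hunks.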
@@ -274,7 +274,7 @@ static ESS_SIGNING_CERT_V2 *ess_get_sign
const unsigned char *p;
attr = PKCS7_get_signed_attribute(si, NID_id_smime_aa_signingCertificateV2);
- if (attr == NULL)
+ if (attr == NULL || attr->type != V_ASN1_SEQUENCE)
return NULL;
p = attr->value.sequence->data;
return d2i_ESS_SIGNING_CERT_V2(NULL, &p, attr->value.sequence->length);