Overview

File openssl-CVE-2025-4575.patch of Package openssl-3

From 0eb9acc24febb1f3f01f0320cfba9654cf66b0ac Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Tue, 20 May 2025 16:34:10 +0200
Subject: [PATCH] apps/x509.c: Fix the -addreject option adding trust instead
 of rejection

Fixes CVE-2025-4575

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27672)

Signed-off-by: Lucas Mulling <lucas.mulling@suse.com>
---
 apps/x509.c                 |  2 +-
 test/recipes/25-test_x509.t | 12 +++++++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

Index: openssl-3.5.0/apps/x509.c
===================================================================
--- openssl-3.5.0.orig/apps/x509.c
+++ openssl-3.5.0/apps/x509.c
@@ -465,7 +465,7 @@ int x509_main(int argc, char **argv)
                            prog, opt_arg());
                 goto opthelp;
             }
-            if (!sk_ASN1_OBJECT_push(trust, objtmp))
+            if (!sk_ASN1_OBJECT_push(reject, objtmp))
                 goto end;
             trustout = 1;
             break;
Index: openssl-3.5.0/test/recipes/25-test_x509.t
===================================================================
--- openssl-3.5.0.orig/test/recipes/25-test_x509.t
+++ openssl-3.5.0/test/recipes/25-test_x509.t
@@ -16,7 +16,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_fil
 
 setup("test_x509");
 
-plan tests => 134;
+plan tests => 138;
 
 # Prevent MSys2 filename munging for arguments that look like file paths but
 # aren't
@@ -110,6 +110,16 @@ ok(run(app(["openssl", "x509", "-new", "
 && run(app(["openssl", "verify", "-no_check_time",
             "-trusted", $ca, "-partial_chain", $caout])));
 
+# test trust decoration
+ok(run(app(["openssl", "x509", "-in", $ca, "-addtrust", "emailProtection",
+            "-out", "ca-trusted.pem"])));
+cert_contains("ca-trusted.pem", "Trusted Uses: E-mail Protection",
+              1, 'trusted use - E-mail Protection');
+ok(run(app(["openssl", "x509", "-in", $ca, "-addreject", "emailProtection",
+            "-out", "ca-rejected.pem"])));
+cert_contains("ca-rejected.pem", "Rejected Uses: E-mail Protection",
+              1, 'rejected use - E-mail Protection');
+
 subtest 'x509 -- x.509 v1 certificate' => sub {
     tconversion( -type => 'x509', -prefix => 'x509v1',
                  -in => srctop_file("test", "testx509.pem") );
openSUSE Build Service is sponsored by
Places