Version in base suite: 3.0.17-1~deb12u2 Base version: openssl_3.0.17-1~deb12u2 Target version: openssl_3.0.17-1~deb12u3 Base file: /srv/ftp-master.debian.org/ftp/pool/main/o/openssl/openssl_3.0.17-1~deb12u2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/o/openssl/openssl_3.0.17-1~deb12u3.dsc changelog | 7 ++ patches/kek_unwrap_key-Fix-incorrect-check-of-unwrapped-key-size.patch | 25 ++++++++++ patches/series | 2 patches/use_proxy-Add-missing-terminating-NUL-byte.patch | 24 +++++++++ 4 files changed, 58 insertions(+) diff -Nru openssl-3.0.17/debian/changelog openssl-3.0.17/debian/changelog --- openssl-3.0.17/debian/changelog 2025-08-05 07:09:41.000000000 +0000 +++ openssl-3.0.17/debian/changelog 2025-09-26 18:59:22.000000000 +0000 @@ -1,3 +1,10 @@ +openssl (3.0.17-1~deb12u3) bookworm-security; urgency=medium + + * CVE-2025-9230 (Out-of-bounds read & write in RFC 3211 KEK Unwrap) + * CVE-2025-9232 (Out-of-bounds read in HTTP client no_proxy handling) + + -- Sebastian Andrzej Siewior Fri, 26 Sep 2025 20:59:22 +0200 + openssl (3.0.17-1~deb12u2) bookworm; urgency=medium * Revert the following upstream changes to avoid crashes in downstream diff -Nru openssl-3.0.17/debian/patches/kek_unwrap_key-Fix-incorrect-check-of-unwrapped-key-size.patch openssl-3.0.17/debian/patches/kek_unwrap_key-Fix-incorrect-check-of-unwrapped-key-size.patch --- openssl-3.0.17/debian/patches/kek_unwrap_key-Fix-incorrect-check-of-unwrapped-key-size.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-3.0.17/debian/patches/kek_unwrap_key-Fix-incorrect-check-of-unwrapped-key-size.patch 2025-09-26 18:59:22.000000000 +0000 
@@ -0,0 +1,25 @@ +From: Viktor Dukhovni +Date: Thu, 11 Sep 2025 18:10:12 +0200 +Subject: kek_unwrap_key(): Fix incorrect check of unwrapped key size + +Fixes CVE-2025-9230 + +The check is off by 8 bytes so it is possible to overread by +up to 8 bytes and overwrite up to 4 bytes. +--- + crypto/cms/cms_pwri.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/crypto/cms/cms_pwri.c b/crypto/cms/cms_pwri.c +index d5c3c8d399df..33a7ccaa76a3 100644 +--- a/crypto/cms/cms_pwri.c ++++ b/crypto/cms/cms_pwri.c +@@ -229,7 +229,7 @@ static int kek_unwrap_key(unsigned char *out, size_t *outlen, + /* Check byte failure */ + goto err; + } +- if (inlen < (size_t)(tmp[0] - 4)) { ++ if (inlen < 4 + (size_t)tmp[0]) { + /* Invalid length value */ + goto err; + } diff -Nru openssl-3.0.17/debian/patches/series openssl-3.0.17/debian/patches/series --- openssl-3.0.17/debian/patches/series 2025-08-04 18:06:36.000000000 +0000 +++ openssl-3.0.17/debian/patches/series 2025-09-26 18:59:22.000000000 +0000 @@ -10,3 +10,5 @@ Revert-Drop-by-store-s-by_store_subject_ex.patch Revert-Rework-the-by-store-X509_LOOKUP-method-to-open-the.patch Revert-Add-test_verify-tests.patch +use_proxy-Add-missing-terminating-NUL-byte.patch +kek_unwrap_key-Fix-incorrect-check-of-unwrapped-key-size.patch diff -Nru openssl-3.0.17/debian/patches/use_proxy-Add-missing-terminating-NUL-byte.patch openssl-3.0.17/debian/patches/use_proxy-Add-missing-terminating-NUL-byte.patch --- openssl-3.0.17/debian/patches/use_proxy-Add-missing-terminating-NUL-byte.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-3.0.17/debian/patches/use_proxy-Add-missing-terminating-NUL-byte.patch 2025-09-26 18:59:22.000000000 +0000 
@@ -0,0 +1,24 @@ +From: Tomas Mraz +Date: Thu, 11 Sep 2025 18:43:55 +0200 +Subject: use_proxy(): Add missing terminating NUL byte + +Fixes CVE-2025-9232 + +There is a missing terminating NUL byte after strncpy() call. +Issue and a proposed fix reported by Stanislav Fort (Aisle Research). +--- + crypto/http/http_lib.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/crypto/http/http_lib.c b/crypto/http/http_lib.c +index 9c41f57541d7..614fd200b7c0 100644 +--- a/crypto/http/http_lib.c ++++ b/crypto/http/http_lib.c +@@ -267,6 +267,7 @@ static int use_proxy(const char *no_proxy, const char *server) + /* strip leading '[' and trailing ']' from escaped IPv6 address */ + sl -= 2; + strncpy(host, server + 1, sl); ++ host[sl] = '\0'; + server = host; + } +
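Review bot: in the cms_pwri.c hunk of kek_unwrap_key-Fix-incorrect-check-of-unwrapped-key-size.patch, the new bound `inlen < 4 + (size_t)tmp[0]` requires the 4-byte header plus the length byte's value to fit inside the unwrapped buffer, which matches the commit message (the old `(size_t)(tmp[0] - 4)` left room for an overread of up to 8 bytes and an overwrite of up to 4). The diffstat shows only crypto/cms/cms_pwri.c changed, so no regression test rides along with the fix; consider carrying a CMS PWRI test input whose length byte exceeds the available payload and asserting that unwrap now fails at the "Invalid length value" branch, so the check cannot regress silently in a later rebase.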
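Review bot: in the http_lib.c hunk of use_proxy-Add-missing-terminating-NUL-byte.patch, the added `host[sl] = '\0';` closes the gap left by `strncpy(host, server + 1, sl)`, which writes no terminator when the source holds at least `sl` bytes, but the hunk does not show the declaration of `host`, so the reviewer should confirm the buffer is sized for `sl + 1` bytes after `sl -= 2`; otherwise the new terminator lands one past the end. Where the buffer size is known at that point, `OPENSSL_strlcpy(host, server + 1, sl + 1);` would terminate unconditionally and remove the need for the separate store.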