Version in base suite: 3.0.18-1~deb12u1 Version in overlay suite: 3.0.19-1~deb12u1 Base version: openssl_3.0.19-1~deb12u1 Target version: openssl_3.0.19-1~deb12u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/o/openssl/openssl_3.0.19-1~deb12u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/o/openssl/openssl_3.0.19-1~deb12u2.dsc /srv/release.debian.org/tmp/CU080N2uhj/openssl-3.0.19/debian/binary.tar |binary openssl-3.0.19/debian/changelog | 13 openssl-3.0.19/debian/patches/Add-test-for-CMS-decryption-with-RSA-keys.patch | 44 ++ openssl-3.0.19/debian/patches/Added-test-for-CVE-2026-28388.patch | 124 +++++++ openssl-3.0.19/debian/patches/Avoid-possible-buffer-overflow-in-buf2hex-conversion.patch | 45 ++ openssl-3.0.19/debian/patches/Fix-NULL-Dereference-When-Delta-CRL-Lacks-CRL-Number-Exte.patch | 23 + openssl-3.0.19/debian/patches/Fix-NULL-deref-in-ec-dh_cms_set_shared_info.patch | 100 ++++++ openssl-3.0.19/debian/patches/Fix-NULL-deref-in-rsa_cms_decrypt.patch | 82 +++++ openssl-3.0.19/debian/patches/Test-for-DH-ECDH-CMS-KARI-processing-NULL-pointer-derefer.patch | 157 ++++++++++ openssl-3.0.19/debian/patches/dane_match_cert-should-X509_free-on-mcert-instead.patch | 32 ++ openssl-3.0.19/debian/patches/rsa_kem-test-RSA_public_encrypt-result-in-RSASVE.patch | 108 ++++++ openssl-3.0.19/debian/patches/rsa_kem-validate-RSA_public_encrypt-result-in-RSASVE.patch | 56 +++ openssl-3.0.19/debian/patches/series | 10 openssl-3.0.19/debian/rules | 1 openssl-3.0.19/debian/source/include-binaries | 1 15 files changed, 796 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp34y6e3s0/openssl_3.0.19-1~deb12u1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp34y6e3s0/openssl_3.0.19-1~deb12u2.dsc: no acceptable signature found Binary files /srv/release.debian.org/tmp/x5DtQrk3cV/openssl-3.0.19/debian/binary.tar and 
/srv/release.debian.org/tmp/CU080N2uhj/openssl-3.0.19/debian/binary.tar differ diff -Nru openssl-3.0.19/debian/changelog openssl-3.0.19/debian/changelog --- openssl-3.0.19/debian/changelog 2026-02-22 17:36:50.000000000 +0000 +++ openssl-3.0.19/debian/changelog 2026-04-03 12:29:32.000000000 +0000 @@ -1,3 +1,16 @@ +openssl (3.0.19-1~deb12u2) bookworm-security; urgency=medium + + * CVE-2026-28387 ("Potential use-after-free in DANE client code") + * CVE-2026-28389 ("Possible NULL dereference when processing CMS + KeyAgreeRecipientInfo") + * CVE-2026-28390 ("Possible NULL dereference when processing CMS + KeyTransportRecipient Info") + * CVE-2026-31789 ("Heap buffer overflow in hexadecimal conversion") + * CVE-2026-31790 ("Incorrect failure handling in RSA KEM RSASVE + encapsulation") + + -- Sebastian Andrzej Siewior Fri, 03 Apr 2026 14:29:32 +0200 + openssl (3.0.19-1~deb12u1) bookworm; urgency=medium * Import 3.0.19 diff -Nru openssl-3.0.19/debian/patches/Add-test-for-CMS-decryption-with-RSA-keys.patch openssl-3.0.19/debian/patches/Add-test-for-CMS-decryption-with-RSA-keys.patch --- openssl-3.0.19/debian/patches/Add-test-for-CMS-decryption-with-RSA-keys.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-3.0.19/debian/patches/Add-test-for-CMS-decryption-with-RSA-keys.patch 2026-04-03 12:29:32.000000000 +0000 
@@ -0,0 +1,44 @@ +From: Neil Horman +Date: Sun, 29 Mar 2026 10:47:03 -0400 +Subject: Add test for CMS decryption with RSA keys + +Ensure we don't encounter a segfault when decrypting CMS messages with +malformed EnvelopedData when using RSA-OAEP. + +Co-authored-by: Tomas Mraz +--- + test/recipes/80-test_cms.t | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t +index 725aa4519d8c..1e652295975d 100644 +--- a/test/recipes/80-test_cms.t ++++ b/test/recipes/80-test_cms.t +@@ -51,7 +51,7 @@ my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib) + + $no_rc2 = 1 if disabled("legacy"); + +-plan tests => 22; ++plan tests => 23; + + ok(run(test(["pkcs7_test"])), "test pkcs7"); + +@@ -1137,6 +1137,18 @@ with({ exit_checker => sub { return shift == 4; } }, + } + }); + ++$smcont_malformed = srctop_file("test", "recipes", "80-test_cms_data", "rsa-malformed.der"); ++my $smrsacert = catfile($smdir, "smrsa3.pem"); ++my $smrsakey = catfile($smdir, "smrsa3-key.pem"); ++ ++# Test case for CVE-2026-28390 ++with({ exit_checker => sub { return shift == 4; } }, ++ sub { ++ ok(run(app(["openssl", "cms", @prov, "-decrypt", "-in", $smcont_malformed, "-inform", ++ "DER", "-recip", $smrsacert, "-inkey", $smrsakey, "-out", "{output}.cms"])), ++ "Must not crash on malformed cms inputs with RSA key"); ++ }); ++ + # Test encrypt to three recipients, and decrypt using key-only; + # i.e. do not follow the recommended practice of providing the + # recipient cert in the decrypt op. diff -Nru openssl-3.0.19/debian/patches/Added-test-for-CVE-2026-28388.patch openssl-3.0.19/debian/patches/Added-test-for-CVE-2026-28388.patch --- openssl-3.0.19/debian/patches/Added-test-for-CVE-2026-28388.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-3.0.19/debian/patches/Added-test-for-CVE-2026-28388.patch 2026-04-03 12:29:32.000000000 +0000 
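Review bot: The test reads `rsa-malformed.der` from `test/recipes/80-test_cms_data`, but this patch adds no such file, and the same applies to `dh-malformed.der` and `ecdh-malformed.der` in the DH/ECDH KARI test patch further down this page. The outer diffstat lists `debian/binary.tar` and `debian/source/include-binaries`, so presumably the DER fixtures are shipped there; the `debian/rules` hunk that would unpack them is not in view, so confirm they are in place before the test suite runs. `$smcont_malformed` is assigned here without `my`, so this hunk only compiles because the earlier KARI test patch declared the variable; a fresh `my $smrsamalformed = srctop_file(...);` would remove the ordering dependency between the two patches. `"{output}.cms"` is passed straight to `app` outside the table-driven tests; if `{output}` is only substituted inside those loops, a successful decrypt would literally write `{output}.cms`, so a plain temporary name is clearer.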
@@ -0,0 +1,124 @@ +From: Daniel Kubec +Date: Tue, 17 Mar 2026 11:14:56 +0100 +Subject: Added test for CVE-2026-28388 + +--- + test/certs/cve-2026-28388-ca.pem | 19 +++++++++++++++++++ + test/certs/cve-2026-28388-crls.pem | 22 ++++++++++++++++++++++ + test/certs/cve-2026-28388-leaf.pem | 19 +++++++++++++++++++ + test/recipes/25-test_verify.t | 14 +++++++++++++- + 4 files changed, 73 insertions(+), 1 deletion(-) + create mode 100644 test/certs/cve-2026-28388-ca.pem + create mode 100644 test/certs/cve-2026-28388-crls.pem + create mode 100644 test/certs/cve-2026-28388-leaf.pem + +diff --git a/test/certs/cve-2026-28388-ca.pem b/test/certs/cve-2026-28388-ca.pem +new file mode 100644 +index 000000000000..9e36d11c4b4b +--- /dev/null ++++ b/test/certs/cve-2026-28388-ca.pem +@@ -0,0 +1,19 @@ ++-----BEGIN CERTIFICATE----- ++MIIDFTCCAf2gAwIBAgIUOl5NN/jfsuLU9JSGLZAfRzviF+owDQYJKoZIhvcNAQEL ++BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAeFw0yNjAzMTcwODE5NDdaFw0yNzAzMTcw ++ODE5NDdaMBIxEDAOBgNVBAMMB1Rlc3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IB ++DwAwggEKAoIBAQD0m4KETjF0c25spNWUiNChWP0GalDL0gVDFbtAoMVF/lvlZEcp ++hcg62ifHJRPntWyVAmH70DAI87cWzl/73QYGaOcMVcH5yEM31BoK83FvhsS3RTPO ++FSrNCHaZrrWuga+QkBmMcR6qX7GF5eb6ASMBsLuuDqbkCRbTJ2ryhYeWF+VFemBF ++pSHpcinSSLvswTVbZiCqmoy0WkK8eiyfLMZA17PgVLQpyPZ3rp5YG5vEZZoqFc/f ++1bCHjwQ7fNdLCEMqPvE/I0mg2skRClb1L1Vieud/jmjL8nVd9I12j1eUOcSKtCkW ++nj4BFa7TRz13sN3LZOFvV774ZaXRJ1GxoAlnAgMBAAGjYzBhMB0GA1UdDgQWBBSt ++UxfaVbV9QMmfwMoImdgi4MZHzTAfBgNVHSMEGDAWgBStUxfaVbV9QMmfwMoImdgi ++4MZHzTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0B ++AQsFAAOCAQEA84w49n0pPJlqiD1/mn3pUZ66lBP0fFZiCuV/3YatBZcW+xcboW0Q ++xImYztjZo0i+sQLZOalI4GoBqD77Dv4Qas0QoJZIp0wM8DjE3YcudCr4cpUhT1XC ++ruHVHQA9bY5rW0GsfUBW6/3RbRpiK4SaFG3sUBbXPo0dC2EaLDjpLM7o2UljRrWu ++d/vg6ieKuAicexLxqQLdM4SxjyvBpCwHg/dnMxawSj4Xhks1BHJ0hTLKJGDgfVHh ++ex8+878u6Gf7fAOZa5idWUgTvdt5WHSW5x+Tm/P6LGG3HkM425ZU6BLTCHONoBud ++cOlfWTTuIyweX5TRL5HY3SuO1cpMBpjiAA== ++-----END CERTIFICATE----- +diff --git 
a/test/certs/cve-2026-28388-crls.pem b/test/certs/cve-2026-28388-crls.pem +new file mode 100644 +index 000000000000..46cbd7876dcd +--- /dev/null ++++ b/test/certs/cve-2026-28388-crls.pem +@@ -0,0 +1,22 @@ ++-----BEGIN X509 CRL----- ++MIIBizB1AgEBMA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNVBAMMB1Rlc3QgQ0EXDTI2 ++MDMxNzA4MTk0N1oXDTI2MDQxNjA4MTk0N1qgLzAtMB8GA1UdIwQYMBaAFK1TF9pV ++tX1AyZ/AygiZ2CLgxkfNMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEBCwUAA4IBAQBl ++3vVknchCNA/oW0ovtnrE+xQs8yAk3uElooQlw88moTcts2YAcKWl49lnNWZk/RbF ++Zs8m+MUuNb2W861siuvY3EwnSKVaJB2tKPfCRBP4xt+Q0g/Tn5CWxzpzHjQfLT6l ++pvWOwaO7aE6bthX7MQ9XBpnHSPxsbul+MhV5PER11BYZGVh5MH0XxfMI0jDHFh2M ++klTamgaao3TkVOI3OQPgzUx/q0Lz/YoCIH0pYGGP6KTGUX2x7UfD1tcIOcUp6tvO ++6hG3utMgJOpZJl9yMzhG+ZURjbz4MSbBM0FVIaWnBn2VzY1jHGky0nK83IZhiddf ++OohWoSH8tqwrNFZkblAH ++-----END X509 CRL----- ++-----BEGIN X509 CRL----- ++MIIBjjB4AgEBMA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNVBAMMB1Rlc3QgQ0EXDTI2 ++MDEwODEyMDAwMFoXDTI2MDIwODEyMDAwMFqgMjAwMB8GA1UdIwQYMBaAFK1TF9pV ++tX1AyZ/AygiZ2CLgxkfNMA0GA1UdGwEB/wQDAgEBMA0GCSqGSIb3DQEBCwUAA4IB ++AQCyYxa5iVUFxBpdXgBGSMqkuxJqQzVni8nXK0DiXHfgbTud+HD5Qp/6PX2EQuwK ++SrT0yeNJBU1gxxMMsbdA0yVTPa7N2Ny39mjq/27yBXduiljo3Gs4NLEW9grJRnep ++WOD1cQe3Fea5HlEfUoQJF1WVekF6CnOSqESaDvTAzqpZd7pxU8cuduiRJPin93ki ++1nicQAU/G4Td190+JEAWD3/dJTg2LF6LKrmHiv2ZUTuNsVBfcbhFSoC6FpnjFUAI ++kF8EgJpuBEfqV6erIuT1GD+5p1QGNqdcNl7LO9erJaUFnssJBJtj84iXd7RZARNs ++njcibOSKC9YWgNmZUy0QV5D8 ++-----END X509 CRL----- +diff --git a/test/certs/cve-2026-28388-leaf.pem b/test/certs/cve-2026-28388-leaf.pem +new file mode 100644 +index 000000000000..02b22997cdd8 +--- /dev/null ++++ b/test/certs/cve-2026-28388-leaf.pem +@@ -0,0 +1,19 @@ ++-----BEGIN CERTIFICATE----- ++MIIDHTCCAgWgAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdUZXN0 ++IENBMB4XDTI2MDMxNzA4MTk0N1oXDTI3MDMxNzA4MTk0N1owFDESMBAGA1UEAwwJ ++VGVzdCBMZWFmMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqx7jpC6+ ++nRZ4ol6sShkpv04hGYtt7y+Ns4oIfdQTqo57DItFab8D8cH04zR8NND42MMnsPPn 
++Ovh9gv2l1mj9ZfwgXI5PvaKc6CoXvXb0ttekdDUS1iw9g04BxIXTDANxsdSXrCDd ++Npyr1Pxdo3N2fiH6qN9/Lsh7yg0vJW/aJzdvhLcCTFcr89qmCsh17XfcTR0wZJXP ++QdlRib9EK8aa6aKOYmm44SBbuXXyWojhheUaqVuzDj6A0L9opmh/DVXa9bdIN/FX ++CKJB+d60Qxy5pKwpzDDxbCdG2vA1U2cPz8yAgelFG5AmXSHF7Id4G6GTCAY6PbTO ++Jy2Z4I6NY+mj5wIDAQABo3wwejAdBgNVHQ4EFgQUlf2YZ93MvS4kZm7fshosgp+J ++ImkwHwYDVR0jBBgwFoAUrVMX2lW1fUDJn8DKCJnYIuDGR80wCQYDVR0TBAIwADAt ++BgNVHS4EJjAkMCKgIKAehhxodHRwOi8vZXhhbXBsZS5jb20vZGVsdGEucGVtMA0G ++CSqGSIb3DQEBCwUAA4IBAQDoNAQGLS0Juf3i2fhuVQyWIFvNIMElLexeLnnd/y80 ++13nsP68ZGT2D3DoHQSz3SL7sNjLBc2CiUVftdaRQ4dNCz8sBY5BRTS5XEGbbTAFZ ++bQUReykuuTy83CGw/JYN6YT/OHcf4gEhUnWtRMCmIz3J/NMRVSRnpV2Ezjltm/Q+ ++emFS/QclRhkP6Vu+lwM/nV6uAN8T7Ba68Hym2MN0clozrpoKeqFouB7D0i+iCZMw ++zbac5as0hn7Fm+HGTbfTs2/fqUslvE6PmagepceP37pTSSVmYRmdpOD2cyCb30A+ ++nJFGQg7PcacGSL1re65W35XzdU8Si8OYD+PxjDaRbPcP ++-----END CERTIFICATE----- +diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t +index 19c528f0b89a..8c76472df7fb 100644 +--- a/test/recipes/25-test_verify.t ++++ b/test/recipes/25-test_verify.t +@@ -30,7 +30,7 @@ sub verify { + run(app([@args])); + } + +-plan tests => 175; ++plan tests => 176; + + # Canonical success + ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]), +@@ -529,6 +529,18 @@ ok(!verify("ee-cert-policies-bad", "", ["root-cert"], ["ca-pol-cert"], + "-explicit_policy"), + "Bad certificate policy"); + ++# CVE-2026-28388 ++my $cve_28388_stderr = "cve-2026-28388.err"; ++run(app(["openssl", "verify", ++ "-attime", "1739527200", ++ "-CAfile", srctop_file(@certspath, "cve-2026-28388-ca.pem"), ++ "-crl_check", "-use_deltas", ++ "-CRLfile", srctop_file(@certspath, "cve-2026-28388-crls.pem"), ++ srctop_file(@certspath, "cve-2026-28388-leaf.pem")], ++ stderr => $cve_28388_stderr)); ++ok(grep(/CRL is not yet valid/, do { open my $fh, '<', $cve_28388_stderr; <$fh> }), ++ "CVE-2026-28388"); ++ + # CAstore option + my $rootcertname = "root-cert"; + my $rootcert = srctop_file(@certspath, 
"${rootcertname}.pem"); diff -Nru openssl-3.0.19/debian/patches/Avoid-possible-buffer-overflow-in-buf2hex-conversion.patch openssl-3.0.19/debian/patches/Avoid-possible-buffer-overflow-in-buf2hex-conversion.patch --- openssl-3.0.19/debian/patches/Avoid-possible-buffer-overflow-in-buf2hex-conversion.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-3.0.19/debian/patches/Avoid-possible-buffer-overflow-in-buf2hex-conversion.patch 2026-04-03 12:29:32.000000000 +0000 
@@ -0,0 +1,45 @@ +From: Igor Ustinov +Date: Sat, 7 Mar 2026 08:16:47 +0100 +Subject: Avoid possible buffer overflow in buf2hex conversion + +Fixes CVE-2026-31789 +--- + crypto/o_str.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/crypto/o_str.c b/crypto/o_str.c +index d7090acef45b..1e62f5b51159 100644 +--- a/crypto/o_str.c ++++ b/crypto/o_str.c +@@ -236,6 +236,11 @@ static int buf2hexstr_sep(char *str, size_t str_n, size_t *strlength, + int has_sep = (sep != CH_ZERO); + size_t len = has_sep ? buflen * 3 : 1 + buflen * 2; + ++ if (buflen > (has_sep ? SIZE_MAX / 3 : (SIZE_MAX - 1) / 2)) { ++ ERR_raise(ERR_LIB_CRYPTO, CRYPTO_R_TOO_MANY_BYTES); ++ return 0; ++ } ++ + if (len == 0) + ++len; + if (strlength != NULL) +@@ -277,10 +282,18 @@ char *ossl_buf2hexstr_sep(const unsigned char *buf, long buflen, char sep) + char *tmp; + size_t tmp_n; + ++ if (buflen < 0) ++ return NULL; + if (buflen == 0) + return OPENSSL_zalloc(1); + +- tmp_n = (sep != CH_ZERO) ? buflen * 3 : 1 + buflen * 2; ++ if ((sep != CH_ZERO && (size_t)buflen > SIZE_MAX / 3) ++ || (sep == CH_ZERO && (size_t)buflen > (SIZE_MAX - 1) / 2)) { ++ ERR_raise(ERR_LIB_CRYPTO, CRYPTO_R_TOO_MANY_BYTES); ++ return NULL; ++ } ++ ++ tmp_n = (sep != CH_ZERO) ? (size_t)buflen * 3 : 1 + (size_t)buflen * 2; + if ((tmp = OPENSSL_malloc(tmp_n)) == NULL) { + ERR_raise(ERR_LIB_CRYPTO, ERR_R_MALLOC_FAILURE); + return NULL; diff -Nru openssl-3.0.19/debian/patches/Fix-NULL-Dereference-When-Delta-CRL-Lacks-CRL-Number-Exte.patch openssl-3.0.19/debian/patches/Fix-NULL-Dereference-When-Delta-CRL-Lacks-CRL-Number-Exte.patch --- openssl-3.0.19/debian/patches/Fix-NULL-Dereference-When-Delta-CRL-Lacks-CRL-Number-Exte.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-3.0.19/debian/patches/Fix-NULL-Dereference-When-Delta-CRL-Lacks-CRL-Number-Exte.patch 2026-04-03 12:29:32.000000000 +0000 
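Review bot: In `buf2hexstr_sep` the new guard runs after `len` has already been computed from the unchecked product at its declaration, so the wrapped value is computed and then thrown away; `size_t` wraps without undefined behaviour, but declaring `size_t len;` at the top and assigning `len = has_sep ? buflen * 3 : 1 + buflen * 2;` below the guard reads as intended and mirrors the order the patch uses in `ossl_buf2hexstr_sep`. In `ossl_buf2hexstr_sep`, `if (buflen < 0) return NULL;` returns without an `ERR_raise`, unlike the size check right after it, so a caller that inspects the error queue sees nothing; `ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT)` would be consistent. Both functions start before the hunk, so the type of `buflen` in `buf2hexstr_sep` is assumed unsigned from the visible comparison against `SIZE_MAX`.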
@@ -0,0 +1,23 @@
+From: Daniel Kubec
+Date: Tue, 17 Mar 2026 11:11:22 +0100
+Subject: Fix NULL Dereference When Delta CRL Lacks CRL Number Extension
+
+Fixes CVE-2026-28388
+Fixes https://github.com/openssl/srt/issues/77
+---
+ crypto/x509/x509_vfy.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
+index baf334107b23..8a978b8257eb 100644
+--- a/crypto/x509/x509_vfy.c
++++ b/crypto/x509/x509_vfy.c
+@@ -1176,6 +1176,8 @@ static int check_delta_base(X509_CRL *delta, X509_CRL *base)
+ if (ASN1_INTEGER_cmp(delta->base_crl_number, base->crl_number) > 0)
+ return 0;
+ /* Delta CRL number must exceed full CRL number */
++ if (delta->crl_number == NULL)
++ return 0;
+ return ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0;
+ }
+
diff -Nru openssl-3.0.19/debian/patches/Fix-NULL-deref-in-ec-dh_cms_set_shared_info.patch openssl-3.0.19/debian/patches/Fix-NULL-deref-in-ec-dh_cms_set_shared_info.patch
--- openssl-3.0.19/debian/patches/Fix-NULL-deref-in-ec-dh_cms_set_shared_info.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssl-3.0.19/debian/patches/Fix-NULL-deref-in-ec-dh_cms_set_shared_info.patch 2026-04-03 12:29:32.000000000 +0000
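Review bot: The added NULL check sits under the comment `/* Delta CRL number must exceed full CRL number */`, which now describes the line after it; give it a comment of its own, e.g. `/* A delta CRL without a CRL Number extension cannot be ordered against the base */`. The matching requirement that `base->crl_number` be non-NULL is not in the hunk, and `check_delta_base` starts above it; confirm the earlier checks in the function already reject a base CRL that lacks the extension, otherwise both `ASN1_INTEGER_cmp` calls shown here have the same problem on their second argument.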
@@ -0,0 +1,100 @@ +From: Neil Horman +Date: Mon, 16 Mar 2026 13:49:07 -0400 +Subject: Fix NULL deref in [ec]dh_cms_set_shared_info + +Multiple independent reports indicated a SIGSEGV was possible in CMS +processing when a crafted CMS EnvelopedData message using A Key +Agreement Recipient Info field. If the +KeyEncryptionAlgorithmIdentifier omits the optional parameter field, the +referenced functions above will attempt to dereference the +alg->parameter data prior to checking if the parameter field is NULL. + +Confirmed to resolve the issues using the reproducers provided in the +security reports. + +Co-authored-by: Tomas Mraz + +Fixes CVE-2026-28389 +--- + crypto/cms/cms_dh.c | 13 +++++++++---- + crypto/cms/cms_ec.c | 14 ++++++++++---- + 2 files changed, 19 insertions(+), 8 deletions(-) + +diff --git a/crypto/cms/cms_dh.c b/crypto/cms/cms_dh.c +index a77b3304aa47..2bf4b4664357 100644 +--- a/crypto/cms/cms_dh.c ++++ b/crypto/cms/cms_dh.c +@@ -88,16 +88,21 @@ static int dh_cms_set_shared_info(EVP_PKEY_CTX *pctx, CMS_RecipientInfo *ri) + int keylen, plen; + EVP_CIPHER *kekcipher = NULL; + EVP_CIPHER_CTX *kekctx; ++ const ASN1_OBJECT *aoid; ++ const void *parameter = NULL; ++ int ptype = 0; + char name[OSSL_MAX_NAME_SIZE]; + + if (!CMS_RecipientInfo_kari_get0_alg(ri, &alg, &ukm)) + goto err; + ++ X509_ALGOR_get0(&aoid, &ptype, ¶meter, alg); ++ + /* + * For DH we only have one OID permissible. If ever any more get defined + * we will need something cleverer. 
+ */ +- if (OBJ_obj2nid(alg->algorithm) != NID_id_smime_alg_ESDH) { ++ if (OBJ_obj2nid(aoid) != NID_id_smime_alg_ESDH) { + ERR_raise(ERR_LIB_CMS, CMS_R_KDF_PARAMETER_ERROR); + goto err; + } +@@ -106,11 +111,11 @@ static int dh_cms_set_shared_info(EVP_PKEY_CTX *pctx, CMS_RecipientInfo *ri) + || EVP_PKEY_CTX_set_dh_kdf_md(pctx, EVP_sha1()) <= 0) + goto err; + +- if (alg->parameter->type != V_ASN1_SEQUENCE) ++ if (ptype != V_ASN1_SEQUENCE) + goto err; + +- p = alg->parameter->value.sequence->data; +- plen = alg->parameter->value.sequence->length; ++ p = ASN1_STRING_get0_data(parameter); ++ plen = ASN1_STRING_length(parameter); + kekalg = d2i_X509_ALGOR(NULL, &p, plen); + if (kekalg == NULL) + goto err; +diff --git a/crypto/cms/cms_ec.c b/crypto/cms/cms_ec.c +index 5b0984f09a60..e408753855c9 100644 +--- a/crypto/cms/cms_ec.c ++++ b/crypto/cms/cms_ec.c +@@ -165,21 +165,27 @@ static int ecdh_cms_set_shared_info(EVP_PKEY_CTX *pctx, CMS_RecipientInfo *ri) + int plen, keylen; + EVP_CIPHER *kekcipher = NULL; + EVP_CIPHER_CTX *kekctx; ++ const ASN1_OBJECT *aoid = NULL; ++ int ptype = 0; ++ const void *parameter = NULL; ++ + char name[OSSL_MAX_NAME_SIZE]; + + if (!CMS_RecipientInfo_kari_get0_alg(ri, &alg, &ukm)) + return 0; + +- if (!ecdh_cms_set_kdf_param(pctx, OBJ_obj2nid(alg->algorithm))) { ++ X509_ALGOR_get0(&aoid, &ptype, ¶meter, alg); ++ ++ if (!ecdh_cms_set_kdf_param(pctx, OBJ_obj2nid(aoid))) { + ERR_raise(ERR_LIB_CMS, CMS_R_KDF_PARAMETER_ERROR); + return 0; + } + +- if (alg->parameter->type != V_ASN1_SEQUENCE) ++ if (ptype != V_ASN1_SEQUENCE) + return 0; + +- p = alg->parameter->value.sequence->data; +- plen = alg->parameter->value.sequence->length; ++ p = ASN1_STRING_get0_data(parameter); ++ plen = ASN1_STRING_length(parameter); + kekalg = d2i_X509_ALGOR(NULL, &p, plen); + if (kekalg == NULL) + goto err; diff -Nru openssl-3.0.19/debian/patches/Fix-NULL-deref-in-rsa_cms_decrypt.patch openssl-3.0.19/debian/patches/Fix-NULL-deref-in-rsa_cms_decrypt.patch --- 
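Review bot: The two sibling functions now use the same `X509_ALGOR_get0` pattern but declare `aoid` differently: `const ASN1_OBJECT *aoid;` in `dh_cms_set_shared_info` and `const ASN1_OBJECT *aoid = NULL;` in `ecdh_cms_set_shared_info`; `X509_ALGOR_get0` assigns it unconditionally, so both are safe, but initialising it in `cms_dh.c` too keeps the fix uniform. The guard works because `X509_ALGOR_get0` reports `V_ASN1_UNDEF` in `ptype` when the parameter field is absent, so `ptype != V_ASN1_SEQUENCE` rejects the missing field before `parameter` is ever read; a one-line comment to that effect at the `ptype` check would make the fix self-explaining. In `cms_dh.c` the `goto err` on a non-SEQUENCE parameter still raises no error, unlike the OID mismatch just above it, so `ERR_raise(ERR_LIB_CMS, CMS_R_KDF_PARAMETER_ERROR)` before the `goto` would make the rejection visible to callers. The `¶meter` shown at both `X509_ALGOR_get0` calls is this page's rendering of `&parameter`, not the code.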
openssl-3.0.19/debian/patches/Fix-NULL-deref-in-rsa_cms_decrypt.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-3.0.19/debian/patches/Fix-NULL-deref-in-rsa_cms_decrypt.patch 2026-04-03 12:29:32.000000000 +0000 
@@ -0,0 +1,82 @@ +From: Neil Horman +Date: Wed, 1 Apr 2026 10:56:44 +0200 +Subject: Fix NULL deref in rsa_cms_decrypt + +Very simmilar to CVE-2026-28389, ensure that if we are missing +parameters in RSA-OAEP SourceFunc in CMS KeyTransportRecipientInfo, +we don't segfault when decrypting. + +Co-authored-by: Tomas Mraz + +Fixes CVE-2026-28390 +--- + crypto/cms/cms_rsa.c | 31 +++++++++++++++++++------------ + 1 file changed, 19 insertions(+), 12 deletions(-) + +diff --git a/crypto/cms/cms_rsa.c b/crypto/cms/cms_rsa.c +index d31e8c5e5573..5cf12101df1b 100644 +--- a/crypto/cms/cms_rsa.c ++++ b/crypto/cms/cms_rsa.c +@@ -42,10 +42,13 @@ static int rsa_cms_decrypt(CMS_RecipientInfo *ri) + X509_ALGOR *cmsalg; + int nid; + int rv = -1; +- unsigned char *label = NULL; ++ const unsigned char *label = NULL; + int labellen = 0; + const EVP_MD *mgf1md = NULL, *md = NULL; + RSA_OAEP_PARAMS *oaep; ++ const ASN1_OBJECT *aoid; ++ const void *parameter = NULL; ++ int ptype = 0; + + pkctx = CMS_RecipientInfo_get0_pkey_ctx(ri); + if (pkctx == NULL) +@@ -75,21 +78,19 @@ static int rsa_cms_decrypt(CMS_RecipientInfo *ri) + goto err; + + if (oaep->pSourceFunc != NULL) { +- X509_ALGOR *plab = oaep->pSourceFunc; ++ X509_ALGOR_get0(&aoid, &ptype, ¶meter, oaep->pSourceFunc); + +- if (OBJ_obj2nid(plab->algorithm) != NID_pSpecified) { ++ if (OBJ_obj2nid(aoid) != NID_pSpecified) { + ERR_raise(ERR_LIB_CMS, CMS_R_UNSUPPORTED_LABEL_SOURCE); + goto err; + } +- if (plab->parameter->type != V_ASN1_OCTET_STRING) { ++ if (ptype != V_ASN1_OCTET_STRING) { + ERR_raise(ERR_LIB_CMS, CMS_R_INVALID_LABEL); + goto err; + } + +- label = plab->parameter->value.octet_string->data; +- /* Stop label being freed when OAEP parameters are freed */ +- plab->parameter->value.octet_string->data = NULL; +- labellen = plab->parameter->value.octet_string->length; ++ label = ASN1_STRING_get0_data(parameter); ++ labellen = ASN1_STRING_length(parameter); + } + + if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_OAEP_PADDING) <= 
0) +@@ -98,10 +99,16 @@ static int rsa_cms_decrypt(CMS_RecipientInfo *ri) + goto err; + if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md) <= 0) + goto err; +- if (label != NULL +- && EVP_PKEY_CTX_set0_rsa_oaep_label(pkctx, label, labellen) <= 0) { +- OPENSSL_free(label); +- goto err; ++ if (label != NULL) { ++ unsigned char *dup_label = OPENSSL_memdup(label, labellen); ++ ++ if (dup_label == NULL) ++ goto err; ++ ++ if (EVP_PKEY_CTX_set0_rsa_oaep_label(pkctx, dup_label, labellen) <= 0) { ++ OPENSSL_free(dup_label); ++ goto err; ++ } + } + /* Carry on */ + rv = 1; diff -Nru openssl-3.0.19/debian/patches/Test-for-DH-ECDH-CMS-KARI-processing-NULL-pointer-derefer.patch openssl-3.0.19/debian/patches/Test-for-DH-ECDH-CMS-KARI-processing-NULL-pointer-derefer.patch --- openssl-3.0.19/debian/patches/Test-for-DH-ECDH-CMS-KARI-processing-NULL-pointer-derefer.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-3.0.19/debian/patches/Test-for-DH-ECDH-CMS-KARI-processing-NULL-pointer-derefer.patch 2026-04-03 12:29:32.000000000 +0000 
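Review bot: `OPENSSL_memdup(label, labellen)` returns NULL when `labellen` is 0, because it goes through `OPENSSL_malloc(0)`, which returns NULL in 3.0; so a KeyTransRecipientInfo that encodes pSpecified with an empty OCTET STRING — the RFC 4055 default written out explicitly — now reaches `goto err` and fails to decrypt, where the old code handed the empty label to `EVP_PKEY_CTX_set0_rsa_oaep_label` unchanged. Guard the duplication with the length, `if (label != NULL && labellen > 0) {`, or treat the empty label as absent, since an empty label is the OAEP default. Whether such encodings occur in practice should be checked against messages from other CMS producers before relying on the stricter behaviour; `rsa_cms_decrypt` starts before the hunk, so the `err:` cleanup is assumed to handle `pkctx` and `oaep` as before.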
@@ -0,0 +1,157 @@ +From: Neil Horman +Date: Tue, 31 Mar 2026 14:38:03 -0400 +Subject: Test for DH/ECDH CMS KARI processing NULL pointer dereference + +Test to ensure that, if we attempt to decrypt a CMS message with a +missing parameter field of KeyEncryptionAlgorithmIdentifier +we fail, rather than segfault. + +Co-authored-by: Tomas Mraz +--- + test/recipes/80-test_cms.t | 33 ++++++++++++++++++++++++++++- + test/recipes/80-test_cms_data/dh-cert.pem | 31 +++++++++++++++++++++++++++ + test/recipes/80-test_cms_data/dh-key.pem | 15 +++++++++++++ + test/recipes/80-test_cms_data/ecdh-cert.pem | 10 +++++++++ + test/recipes/80-test_cms_data/ecdh-key.pem | 5 +++++ + 5 files changed, 93 insertions(+), 1 deletion(-) + create mode 100644 test/recipes/80-test_cms_data/dh-cert.pem + create mode 100644 test/recipes/80-test_cms_data/dh-key.pem + create mode 100644 test/recipes/80-test_cms_data/ecdh-cert.pem + create mode 100644 test/recipes/80-test_cms_data/ecdh-key.pem + +diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t +index 8c58152759e7..725aa4519d8c 100644 +--- a/test/recipes/80-test_cms.t ++++ b/test/recipes/80-test_cms.t +@@ -51,7 +51,7 @@ my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib) + + $no_rc2 = 1 if disabled("legacy"); + +-plan tests => 20; ++plan tests => 22; + + ok(run(test(["pkcs7_test"])), "test pkcs7"); + +@@ -1106,6 +1106,37 @@ with({ exit_checker => sub { return shift == 3; } }, + "Check for failure when cipher does not have an assigned OID (issue#22225)"); + }); + ++# Test cases for CVE-2026-28389 ++my $smcont_malformed = srctop_file("test", "recipes", "80-test_cms_data", "dh-malformed.der"); ++my $smdhcert = srctop_file("test", "recipes", "80-test_cms_data", "dh-cert.pem"); ++my $smdhkey = srctop_file("test", "recipes", "80-test_cms_data", "dh-key.pem"); ++ ++with({ exit_checker => sub { return shift == 4; } }, ++ sub { ++ SKIP: { ++ skip "DH is not supported in this build", 1 if $no_dh; ++ ++ ok(run(app(["openssl", 
"cms", @prov, "-decrypt", "-in", $smcont_malformed, ++ "-inform", "DER", "-recip", $smdhcert, "-inkey", $smdhkey])), ++ "Must not crash on malformed cms inputs with dh key"); ++ } ++ }); ++ ++$smcont_malformed = srctop_file("test", "recipes", "80-test_cms_data", "ecdh-malformed.der"); ++my $smecdhcert = srctop_file("test", "recipes", "80-test_cms_data", "ecdh-cert.pem"); ++my $smecdhkey = srctop_file("test", "recipes", "80-test_cms_data", "ecdh-key.pem"); ++ ++with({ exit_checker => sub { return shift == 4; } }, ++ sub { ++ SKIP: { ++ skip "EC is not supported in this build", 1 if $no_ec; ++ ++ ok(run(app(["openssl", "cms", @prov, "-decrypt", "-in", $smcont_malformed, ++ "-inform", "DER", "-recip", $smecdhcert, "-inkey", $smecdhkey])), ++ "Must not crash on malformed cms inputs with ecdh key"); ++ } ++ }); ++ + # Test encrypt to three recipients, and decrypt using key-only; + # i.e. do not follow the recommended practice of providing the + # recipient cert in the decrypt op. +diff --git a/test/recipes/80-test_cms_data/dh-cert.pem b/test/recipes/80-test_cms_data/dh-cert.pem +new file mode 100644 +index 000000000000..f5fb90b9009b +--- /dev/null ++++ b/test/recipes/80-test_cms_data/dh-cert.pem +@@ -0,0 +1,31 @@ ++-----BEGIN CERTIFICATE----- ++MIIFSjCCBDKgAwIBAgIUAV5WB+HkJTxtCmGX88OYfIRfEu8wDQYJKoZIhvcNAQEL ++BQAwVjELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM ++GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEPMA0GA1UEAwwGcm9vdENBMB4XDTI2 ++MDMzMTA4NDUwOVoXDTI2MDQwMTA4NDUwOVowDjEMMAoGA1UEAwwDcG9jMIIDJzCC ++AhkGByqGSM4+AgEwggIMAoIBAQD//////////634VFiiu0qar9xWICc9PPHYucWD ++zi02lanhNkEUZDP7zJOdziSbPvl9L+NjYwx12PaBsgKuxGF6098e1dX9ZWEkM/Uf ++XwZu0IVjZVU97RrztVcTXn9XyTWYTwxw4OaLd+Kmidrz7+hyHfFYoTat5zUwrMpP ++SDp5erwKsYKzJPth0QipS7LI4/u5atq3YNf0aB1PQqPeOU30rlbt52NyuxkLB6fI ++7gptcJ4C/OHN9+LswDQEzSg0L2GRcv6c6YWD/45PEjLu8oGDw/47G0xvrXM7tfy8 ++LsIgBcWO8YN9FoOyxvNKJsGy7/qIa0I4YShcl///////////AgECAoIBAH////// ++////1vwqLFFdpU1X7isQE56eeOxc4sHnFptK1PCbIIoyGf3mSc7nEk2ffL6X8bGx 
++hjrse0DZAVdiML1p749q6v6ysJIZ+o+vgzdoQrGyqp72jXnaq4mvP6vkmswnhjhw ++c0W78VNE7Xn39DkO+KxQm1bzmphWZSekHTy9XgVYwVmSfbDohFSl2WRx/dy1bVuw ++a/o0DqehUe8cpvpXK3bzsbldjIWD0+R3BTa4TwF+cOb78XZgGgJmlBoXsMi5f050 ++wsH/xyeJGXd5QMHh/x2NpjfWuZ3a/l4XYRAC4sd4wb6LQdljeaUTYNl3/UQ1oRww ++lC5L//////////8DggEGAAKCAQEA8IGxSTAsrdMqlK3rFejocWZ0fmXhLzlhnARX ++l3RL+jHyiFoCyCPRLmGBMaL9HqfcVp7E98IvFBxEjtDVc2tcbUJrbv922QaNYqQl ++IwuUhdBHDpg0aSbDTV0Vvbny0hDuD7T7VTUO5D7XJammA2hlbpcfO8xuWFmRjdBJ ++ctA+MaUbWL21ZzsF8A5rz58mVRHchrAez5ksNb8xaLd0lZqtbiBDntA52XnSp1bO ++M2CPlKcb4qMMxVop2DGakChcxu7BUzob22HpRQl+k5K4Tq+kkToHKMR6obpl9Leu ++lzJdR8cH9WqF6TE2YFYkpvzE7V7/Rp4uC6UqOGr62oS4thwLtqNTMFEwHwYDVR0j ++BBgwFoAUhVaJNeKfABrhhgMLS692Emszbf0wDwYDVR0TAQH/BAUwAwEB/zAdBgNV ++HQ4EFgQUIpXhOwY+ufefb4dBhx3niO/ntO0wDQYJKoZIhvcNAQELBQADggEBABWo ++cJfSVwpnYmDHi9U0r0yickvRyFLiOK1vruoKfbkxfYk9J9OwLr4n4S5P5bGXXOSW ++AAVXnvYKs6Xn07sg+1X1Sti/1wd/OLOvjaz1ebRqP5MiZRbKIlRHkv2maJEmcdyp ++JGR4gHGnu/0I5Zp4DOi+xv1R3vGIkkcl/WIncrJflMJcCRMM4YdMV838kFU2esGm ++eB8pTv7acyYsGeSTIk+AYEtS84w3ZQ2sOuGAep0hp9saV/LKiRzNUG0yX2LWP8EO ++VMqGSXJqg1TYgAa7lcidtXfQgm+xdTeZzJRbl8Ti3d5YbgXW2vt4vhwkXtPGy5Y3 ++NGpnrpeWX4rk4kQmx/I= ++-----END CERTIFICATE----- +diff --git a/test/recipes/80-test_cms_data/dh-key.pem b/test/recipes/80-test_cms_data/dh-key.pem +new file mode 100644 +index 000000000000..16010785214e +--- /dev/null ++++ b/test/recipes/80-test_cms_data/dh-key.pem +@@ -0,0 +1,15 @@ ++-----BEGIN PRIVATE KEY----- ++MIICQAIBADCCAhkGByqGSM4+AgEwggIMAoIBAQD//////////634VFiiu0qar9xW ++ICc9PPHYucWDzi02lanhNkEUZDP7zJOdziSbPvl9L+NjYwx12PaBsgKuxGF6098e ++1dX9ZWEkM/UfXwZu0IVjZVU97RrztVcTXn9XyTWYTwxw4OaLd+Kmidrz7+hyHfFY ++oTat5zUwrMpPSDp5erwKsYKzJPth0QipS7LI4/u5atq3YNf0aB1PQqPeOU30rlbt ++52NyuxkLB6fI7gptcJ4C/OHN9+LswDQEzSg0L2GRcv6c6YWD/45PEjLu8oGDw/47 ++G0xvrXM7tfy8LsIgBcWO8YN9FoOyxvNKJsGy7/qIa0I4YShcl///////////AgEC ++AoIBAH//////////1vwqLFFdpU1X7isQE56eeOxc4sHnFptK1PCbIIoyGf3mSc7n ++Ek2ffL6X8bGxhjrse0DZAVdiML1p749q6v6ysJIZ+o+vgzdoQrGyqp72jXnaq4mv 
++P6vkmswnhjhwc0W78VNE7Xn39DkO+KxQm1bzmphWZSekHTy9XgVYwVmSfbDohFSl ++2WRx/dy1bVuwa/o0DqehUe8cpvpXK3bzsbldjIWD0+R3BTa4TwF+cOb78XZgGgJm ++lBoXsMi5f050wsH/xyeJGXd5QMHh/x2NpjfWuZ3a/l4XYRAC4sd4wb6LQdljeaUT ++YNl3/UQ1oRwwlC5L//////////8EHgIcJmHQRSrQ2wQnNyMZhx9Xdkf8hro/xi1r ++xDHoWg== ++-----END PRIVATE KEY----- +diff --git a/test/recipes/80-test_cms_data/ecdh-cert.pem b/test/recipes/80-test_cms_data/ecdh-cert.pem +new file mode 100644 +index 000000000000..3a0ab6624ca2 +--- /dev/null ++++ b/test/recipes/80-test_cms_data/ecdh-cert.pem +@@ -0,0 +1,10 @@ ++-----BEGIN CERTIFICATE----- ++MIIBcTCCARegAwIBAgIUFyBfipahA11TzFxBhYY2WfTejGswCgYIKoZIzj0EAwIw ++DjEMMAoGA1UEAwwDcG9jMB4XDTI2MDMzMTA3MzQyOVoXDTI2MDQwMTA3MzQyOVow ++DjEMMAoGA1UEAwwDcG9jMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE6iA2FR7s ++OgRtpf8cRXDSLSSB5nSzQt2/hzueZTiQXUT1Knto2U5zRqUoioZ/FKsazdhQVQQC ++EN0/WYGND+XwmaNTMFEwHwYDVR0jBBgwFoAU+AH0MqgJJ4WYRK+BmEDebmjREYcw ++DwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU+AH0MqgJJ4WYRK+BmEDebmjREYcw ++CgYIKoZIzj0EAwIDSAAwRQIhAPTS8MWoylN+jfLgRfr75WkJqNFlsrfxCDvMtWV+ ++NT2yAiBaY72EVG36EP2gGFEhkBaXb0vLx0r7umDgejEwBWQ9mQ== ++-----END CERTIFICATE----- +diff --git a/test/recipes/80-test_cms_data/ecdh-key.pem b/test/recipes/80-test_cms_data/ecdh-key.pem +new file mode 100644 +index 000000000000..ef9488b3c516 +--- /dev/null ++++ b/test/recipes/80-test_cms_data/ecdh-key.pem +@@ -0,0 +1,5 @@ ++-----BEGIN PRIVATE KEY----- ++MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgeDjy2W+FHVPt1Kg1 ++unwzzD9yBC+NtbH/UaZ9PY4wZP6hRANCAATqIDYVHuw6BG2l/xxFcNItJIHmdLNC ++3b+HO55lOJBdRPUqe2jZTnNGpSiKhn8UqxrN2FBVBAIQ3T9ZgY0P5fCZ ++-----END PRIVATE KEY----- diff -Nru openssl-3.0.19/debian/patches/dane_match_cert-should-X509_free-on-mcert-instead.patch openssl-3.0.19/debian/patches/dane_match_cert-should-X509_free-on-mcert-instead.patch --- openssl-3.0.19/debian/patches/dane_match_cert-should-X509_free-on-mcert-instead.patch 1970-01-01 00:00:00.000000000 +0000 +++ 
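Review bot: The DH and ECDH cases in `80-test_cms.t` are the same `with`/`SKIP`/`ok` block twice, differing only in the skip flag, the fixture prefix and the description; a loop over `([$no_dh, "dh", "DH"], [$no_ec, "ecdh", "EC"])` that builds `"$prefix-malformed.der"`, `"$prefix-cert.pem"` and `"$prefix-key.pem"` from the prefix would keep a third variant from copying it again. The `skip ..., 1` counts match the single `ok` in each `SKIP` block and `plan tests` goes up by two, so the accounting is right as written.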
openssl-3.0.19/debian/patches/dane_match_cert-should-X509_free-on-mcert-instead.patch 2026-04-03 12:29:32.000000000 +0000
@@ -0,0 +1,32 @@
+From: Alexandr Nedvedicky
+Date: Tue, 3 Mar 2026 13:23:46 +0100
+Subject: dane_match_cert() should X509_free() on ->mcert instead of
+ OPENSSL_free()
+
+Fixes: 170b735820ac "DANE support for X509_verify_cert()"
+
+Reviewed-by: Eugene Syromiatnikov
+Reviewed-by: Tomas Mraz
+Reviewed-by: Paul Dale
+Reviewed-by: Neil Horman
+MergeDate: Thu Mar 5 12:37:17 2026
+(Merged from https://github.com/openssl/openssl/pull/30250)
+
+(cherry picked from commit 8b5cd6a682f0f6e7b8bf55137137c567d1899c4a)
+---
+ crypto/x509/x509_vfy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
+index 1f1fe26b98c7..baf334107b23 100644
+--- a/crypto/x509/x509_vfy.c
++++ b/crypto/x509/x509_vfy.c
+@@ -2813,7 +2813,7 @@ static int dane_match(X509_STORE_CTX *ctx, X509 *cert, int depth)
+ if (matched || dane->mdpth < 0) {
+ dane->mdpth = depth;
+ dane->mtlsa = t;
+- OPENSSL_free(dane->mcert);
++ X509_free(dane->mcert);
+ dane->mcert = cert;
+ X509_up_ref(cert);
+ }
diff -Nru openssl-3.0.19/debian/patches/rsa_kem-test-RSA_public_encrypt-result-in-RSASVE.patch openssl-3.0.19/debian/patches/rsa_kem-test-RSA_public_encrypt-result-in-RSASVE.patch
--- openssl-3.0.19/debian/patches/rsa_kem-test-RSA_public_encrypt-result-in-RSASVE.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssl-3.0.19/debian/patches/rsa_kem-test-RSA_public_encrypt-result-in-RSASVE.patch 2026-04-03 12:29:32.000000000 +0000
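Review bot: `X509_free(dane->mcert)` is the right release for an `X509 *` that was stored with `X509_up_ref`, but the `X509_up_ref(cert)` on the line after `dane->mcert = cert` is still unchecked; if it fails, `mcert` holds a pointer without a reference of its own and the next `X509_free` on this path releases the caller's. Taking the reference before overwriting the field, `if (!X509_up_ref(cert)) return -1;`, would close that, with the return value adjusted to however `dane_match` reports errors — its signature is in the hunk header but its error convention is not. The changelog ties this patch to CVE-2026-28387 while the patch header does not mention it; a `Fixes CVE-2026-28387` line in the header would make the mapping greppable alongside the other patches in this upload.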
@@ -0,0 +1,108 @@
+From: Nikola Pajkovsky
+Date: Mon, 23 Mar 2026 08:41:20 +0100
+Subject: rsa_kem: test RSA_public_encrypt() result in RSASVE
+
+RSA_public_encrypt() returns the number of bytes written on success and
+-1 on failure.
+
+Add regression coverage in evp_extra_test using invalid RSA pubkey
+which triggers -1 in RSA_public_encrypt() using encapsulation.
+
+Fixes: https://github.com/openssl/srt/issues/95
+Signed-off-by: Nikola Pajkovsky
+---
+ test/evp_extra_test.c | 67 +++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 67 insertions(+)
+
+diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c
+index cfe4a406eccd..d38914c3b9e5 100644
+--- a/test/evp_extra_test.c
++++ b/test/evp_extra_test.c
+@@ -638,6 +638,32 @@ static EVP_PKEY *load_example_ec_key(void)
+ #endif
+
+ #ifndef OPENSSL_NO_DEPRECATED_3_0
++
++static EVP_PKEY *make_bad_rsa_pubkey(void)
++{
++ RSA *rsa = NULL;
++ BIGNUM *n = NULL, *e = NULL;
++ EVP_PKEY *pkey = NULL;
++
++ /* Deliberately invalid public key: n = 17, e = 17 */
++ if (!TEST_ptr(pkey = EVP_PKEY_new())
++ || !TEST_ptr(rsa = RSA_new())
++ || !TEST_ptr(n = BN_new())
++ || !TEST_ptr(e = BN_new())
++ || !TEST_true(BN_set_word(n, 17))
++ || !TEST_true(BN_set_word(e, 17))
++ || !TEST_true(RSA_set0_key(rsa, n, e, NULL))
++ || !EVP_PKEY_assign_RSA(pkey, rsa))
++ goto err;
++
++ return pkey;
++err:
++ BN_free(n);
++ BN_free(e);
++ RSA_free(rsa);
++ return NULL;
++}
++
+ #ifndef OPENSSL_NO_DH
+ static EVP_PKEY *load_example_dh_key(void)
+ {
+@@ -4854,6 +4880,46 @@ static int test_custom_ciph_meth(void)
+ return testresult;
+ }
+
++static int test_rsasve_kem_with_invalid_pub_key(void)
++{
++ RSA *rsa = NULL;
++ EVP_PKEY *pkey = NULL;
++ EVP_PKEY_CTX *ctx = NULL;
++ unsigned char *ct = NULL;
++ unsigned char *secret = NULL;
++ size_t ctlen = 0, secretlen = 0;
++ int testresult = 0;
++
++ if (nullprov != NULL) {
++ testresult = TEST_skip("Test does not support a non-default library context");
++ goto err;
++ }
++
++ if 
(!TEST_ptr(pkey = make_bad_rsa_pubkey()))
++ goto err;
++
++ if (!TEST_ptr(ctx = EVP_PKEY_CTX_new_from_pkey(testctx, pkey, NULL))
++ || !TEST_int_eq(EVP_PKEY_encapsulate_init(ctx, NULL), 1)
++ || !TEST_int_eq(EVP_PKEY_CTX_set_kem_op(ctx, "RSASVE"), 1)
++ || !TEST_int_eq(EVP_PKEY_encapsulate(ctx, NULL, &ctlen, NULL, &secretlen), 1)
++ || !TEST_ptr(ct = OPENSSL_malloc(ctlen))
++ || !TEST_ptr(secret = OPENSSL_malloc(secretlen)))
++ goto err;
++
++ if (!TEST_int_eq(EVP_PKEY_encapsulate(ctx, ct, &ctlen, secret, &secretlen), 0))
++ goto err;
++
++ testresult = 1;
++
++err:
++ OPENSSL_free(secret);
++ OPENSSL_free(ct);
++ EVP_PKEY_CTX_free(ctx);
++ RSA_free(rsa);
++ EVP_PKEY_free(pkey);
++ return testresult;
++}
++
+ #ifndef OPENSSL_NO_DYNAMIC_ENGINE
+ /* Test we can create a signature keys with an associated ENGINE */
+ static int test_signatures_with_engine(int tst)
+@@ -5505,6 +5571,7 @@ int setup_tests(void)
+ ADD_TEST(test_evp_md_cipher_meth);
+ ADD_TEST(test_custom_md_meth);
+ ADD_TEST(test_custom_ciph_meth);
++ ADD_TEST(test_rsasve_kem_with_invalid_pub_key);
+
+ #ifndef OPENSSL_NO_DYNAMIC_ENGINE
+ /* Tests only support the default libctx */
diff -Nru openssl-3.0.19/debian/patches/rsa_kem-validate-RSA_public_encrypt-result-in-RSASVE.patch openssl-3.0.19/debian/patches/rsa_kem-validate-RSA_public_encrypt-result-in-RSASVE.patch
--- openssl-3.0.19/debian/patches/rsa_kem-validate-RSA_public_encrypt-result-in-RSASVE.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssl-3.0.19/debian/patches/rsa_kem-validate-RSA_public_encrypt-result-in-RSASVE.patch 2026-04-03 12:29:32.000000000 +0000
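Review bot: The `err:` path of the new `make_bad_rsa_pubkey` can double-free and leak: once `RSA_set0_key(rsa, n, e, NULL)` has succeeded, `rsa` owns `n` and `e`, so a subsequent failure of `EVP_PKEY_assign_RSA` falls through to `BN_free(n); BN_free(e); RSA_free(rsa);` and releases the two BIGNUMs twice, while `pkey` (allocated first in the chain) is never freed on any error path. Splitting the chain so the BIGNUM pointers are cleared after ownership transfers, and adding `EVP_PKEY_free(pkey)` to `err`, closes both; the fence below shows that shape. Separately, `test_rsasve_kem_with_invalid_pub_key` declares `RSA *rsa = NULL` and passes it to `RSA_free` without ever assigning it, so that variable and call can simply go.
```c
static EVP_PKEY *make_bad_rsa_pubkey(void)
{
    /* … unchanged: rsa/n/e/pkey declarations … */

    /* Deliberately invalid public key: n = 17, e = 17 */
    if (!TEST_ptr(rsa = RSA_new())
        || !TEST_ptr(n = BN_new())
        || !TEST_ptr(e = BN_new())
        || !TEST_true(BN_set_word(n, 17))
        || !TEST_true(BN_set_word(e, 17))
        || !TEST_true(RSA_set0_key(rsa, n, e, NULL)))
        goto err;
    n = e = NULL;               /* now owned by rsa; do not free below */

    if (!TEST_ptr(pkey = EVP_PKEY_new())
        || !TEST_true(EVP_PKEY_assign_RSA(pkey, rsa)))
        goto err;

    return pkey;
err:
    EVP_PKEY_free(pkey);        /* rsa was not assigned if we got here with pkey set */
    RSA_free(rsa);
    BN_free(n);
    BN_free(e);
    return NULL;
}
```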
@@ -0,0 +1,56 @@
+From: Nikola Pajkovsky
+Date: Thu, 19 Mar 2026 12:16:08 +0100
+Subject: rsa_kem: validate RSA_public_encrypt() result in RSASVE
+
+RSA_public_encrypt() returns the number of bytes written on success and
+-1 on failure. With the existing `if (ret)` check, a provider-side RSA KEM
+encapsulation can incorrectly succeed when the underlying RSA public
+encrypt operation fails. In that case the code reports success, returns
+lengths as if encapsulation completed normally, and leaves the freshly
+generated secret available instead of discarding it.
+
+Tighten the success condition so RSASVE only succeeds when
+RSA_public_encrypt() returns a positive value equal to the modulus-sized
+output expected for RSA_NO_PADDING. Any other return value is treated as
+failure, and the generated secret is cleansed before returning.
+
+Fixes CVE: CVE-2026-31790
+Fixes: https://github.com/openssl/srt/issues/95
+Signed-off-by: Nikola Pajkovsky
+---
+ providers/implementations/kem/rsa_kem.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c
+index 8383b49150c4..39eac8923565 100644
+--- a/providers/implementations/kem/rsa_kem.c
++++ b/providers/implementations/kem/rsa_kem.c
+@@ -282,17 +282,19 @@ static int rsasve_generate(PROV_RSA_CTX *prsactx,
+ return 0;
+
+ /* Step(3): out = RSAEP((n,e), z) */
+- ret = RSA_public_encrypt(nlen, secret, out, prsactx->rsa, RSA_NO_PADDING);
+- if (ret) {
+- ret = 1;
+- if (outlen != NULL)
+- *outlen = nlen;
+- if (secretlen != NULL)
+- *secretlen = nlen;
+- } else {
++ ret = RSA_public_encrypt((int)nlen, secret, out, prsactx->rsa,
++ RSA_NO_PADDING);
++ if (ret <= 0 || ret != (int)nlen) {
+ OPENSSL_cleanse(secret, nlen);
++ return 0;
+ }
+- return ret;
++
++ if (outlen != NULL)
++ *outlen = nlen;
++ if (secretlen != NULL)
++ *secretlen = nlen;
++
++ return 1;
+ }
+
+ /**
diff -Nru openssl-3.0.19/debian/patches/series 
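Review bot: The new guard `if (ret <= 0 || ret != (int)nlen)` checks one condition twice for any non-zero modulus length: `ret != (int)nlen` already rejects -1 and 0, so the `ret <= 0` clause reads as a second failure class that does not exist and invites a reader to look for it. `if (ret != (int)nlen) {` preceded by `/* RSA_public_encrypt() returns -1 on error, otherwise the modulus length */` states the contract the commit message relies on and documents why exact equality, not mere success, is required. This assumes `nlen` is non-zero at this point, which the earlier part of `rsasve_generate` (outside the hunk) presumably guarantees; the function starts before and ends after the hunk.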
openssl-3.0.19/debian/patches/series
--- openssl-3.0.19/debian/patches/series 2026-02-22 17:28:38.000000000 +0000
+++ openssl-3.0.19/debian/patches/series 2026-04-03 12:29:32.000000000 +0000
@@ -7,3 +7,13 @@
 Remove-the-provider-section.patch
 conf-Serialize-allocation-free-of-ssl_names.patch
 Fix-tests-for-new-default-security-level.patch
+dane_match_cert-should-X509_free-on-mcert-instead.patch
+Fix-NULL-Dereference-When-Delta-CRL-Lacks-CRL-Number-Exte.patch
+Added-test-for-CVE-2026-28388.patch
+Fix-NULL-deref-in-ec-dh_cms_set_shared_info.patch
+Test-for-DH-ECDH-CMS-KARI-processing-NULL-pointer-derefer.patch
+Fix-NULL-deref-in-rsa_cms_decrypt.patch
+Add-test-for-CMS-decryption-with-RSA-keys.patch
+Avoid-possible-buffer-overflow-in-buf2hex-conversion.patch
+rsa_kem-validate-RSA_public_encrypt-result-in-RSASVE.patch
+rsa_kem-test-RSA_public_encrypt-result-in-RSASVE.patch
diff -Nru openssl-3.0.19/debian/rules openssl-3.0.19/debian/rules
--- openssl-3.0.19/debian/rules 2026-02-22 17:00:26.000000000 +0000
+++ openssl-3.0.19/debian/rules 2026-04-03 12:29:32.000000000 +0000
@@ -48,6 +48,7 @@
 dh $@ --without autoreconf

 override_dh_auto_configure:
+ tar xf debian/binary.tar
 test -z "$(OPTS)" || for opt in $(OPTS); \
 do \
 set -xe; \
diff -Nru openssl-3.0.19/debian/source/include-binaries openssl-3.0.19/debian/source/include-binaries
--- openssl-3.0.19/debian/source/include-binaries 1970-01-01 00:00:00.000000000 +0000
+++ openssl-3.0.19/debian/source/include-binaries 2026-04-03 12:29:32.000000000 +0000
@@ -0,0 +1 @@
+debian/binary.tar
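Review bot: `Added-test-for-CVE-2026-28388.patch` is queued directly after `Fix-NULL-Dereference-When-Delta-CRL-Lacks-CRL-Number-Exte.patch`, which implies that fix is the one for CVE-2026-28388, yet that CVE id appears in no other patch name or header visible in this debdiff; the upload's changelog should be checked to confirm it credits CVE-2026-28388 alongside the other identifiers. Since quilt accepts `#` comment lines in series, a one-line `# CVE-2026-28388 (Delta CRL NULL dereference) — fix + test` above the pair would make the association explicit to the next maintainer. The remaining new entries already keep each fix ahead of its test, which is the right order for bisecting.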
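Review bot: The added `tar xf debian/binary.tar` in `override_dh_auto_configure` unpacks an opaque archive into the build tree with no comment on what it contains, where its members land, or why they cannot travel as ordinary patch content; `debian/source/include-binaries` tells dpkg-source to accept the file but tells a reviewer nothing. A comment on the line above it, e.g. `# Unpack binary test fixtures that debian/patches cannot carry as text (see debian/source/include-binaries)` — adjusted to the actual contents, which are not visible in this diff — would close that gap. Listing the archive's members in the changelog entry or a README.source would also let a reviewer audit what is written into the tree before configure runs.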