git: c0dbaf2b5dbd - stable/13 - Fix issue from OpenSSL.

Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Gordon Tetlow <gordon_at_FreeBSD.org>
Date: Tue, 30 Sep 2025 15:30:02 UTC

The branch stable/13 has been updated by gordon:

URL: https://cgit.FreeBSD.org/src/commit/?id=c0dbaf2b5dbd16c113a6346ee748fd474fe192e5

commit c0dbaf2b5dbd16c113a6346ee748fd474fe192e5
Author:     Gordon Tetlow <gordon@FreeBSD.org>
AuthorDate: 2025-09-30 15:28:59 +0000
Commit:     Gordon Tetlow <gordon@FreeBSD.org>
CommitDate: 2025-09-30 15:28:59 +0000

    Fix issue from OpenSSL.
    
    Out-of-bounds read & write in RFC 3211 KEK Unwrap (CVE-2025-9230)
    
    Obtained from:  OpenSSL
    Approved by:    so
    Security:       FreeBSD-SA-25:08.openssl
    Security:       CVE-2025-9230
---
 crypto/openssl/crypto/cms/cms_pwri.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/openssl/crypto/cms/cms_pwri.c b/crypto/openssl/crypto/cms/cms_pwri.c
index d7414883396c..9f98840244ea 100644
--- a/crypto/openssl/crypto/cms/cms_pwri.c
+++ b/crypto/openssl/crypto/cms/cms_pwri.c
@@ -215,7 +215,7 @@ static int kek_unwrap_key(unsigned char *out, size_t *outlen,
         /* Check byte failure */
         goto err;
     }
-    if (inlen < (size_t)(tmp[0] - 4)) {
+    if (inlen < 4 + (size_t)tmp[0]) {
         /* Invalid length value */
         goto err;
     }