git: 75d258af9fe9 - releng/14.3 - Fix multiple security issues in OpenSSL.
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Tue, 30 Sep 2025 15:37:16 UTC
The branch releng/14.3 has been updated by gordon:
URL: https://cgit.FreeBSD.org/src/commit/?id=75d258af9fe98e79ead9c54d7f15b30f970155a7
commit 75d258af9fe98e79ead9c54d7f15b30f970155a7
Author: Gordon Tetlow <gordon@FreeBSD.org>
AuthorDate: 2025-09-30 15:27:08 +0000
Commit: Gordon Tetlow <gordon@FreeBSD.org>
CommitDate: 2025-09-30 15:31:43 +0000
Fix multiple security issues in OpenSSL.
Out-of-bounds read & write in RFC 3211 KEK Unwrap (CVE-2025-9230)
Out-of-bounds read in HTTP client no_proxy handling (CVE-2025-9232)
Obtained from: OpenSSL
Approved by: so
Security: FreeBSD-SA-25:08.openssl
Security: CVE-2025-9230
Security: CVE-2025-9232
(cherry picked from commit 270158508d7c55a0737c2a9915cd4afc8fabdaf0)
---
crypto/openssl/crypto/cms/cms_pwri.c | 2 +-
crypto/openssl/crypto/http/http_lib.c | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/crypto/openssl/crypto/cms/cms_pwri.c b/crypto/openssl/crypto/cms/cms_pwri.c
index 2373092bed55..6b507c3f0176 100644
--- a/crypto/openssl/crypto/cms/cms_pwri.c
+++ b/crypto/openssl/crypto/cms/cms_pwri.c
@@ -228,7 +228,7 @@ static int kek_unwrap_key(unsigned char *out, size_t *outlen,
/* Check byte failure */
goto err;
}
- if (inlen < (size_t)(tmp[0] - 4)) {
+ if (inlen < 4 + (size_t)tmp[0]) {
/* Invalid length value */
goto err;
}
diff --git a/crypto/openssl/crypto/http/http_lib.c b/crypto/openssl/crypto/http/http_lib.c
index 9c41f57541d7..614fd200b7c0 100644
--- a/crypto/openssl/crypto/http/http_lib.c
+++ b/crypto/openssl/crypto/http/http_lib.c
@@ -267,6 +267,7 @@ static int use_proxy(const char *no_proxy, const char *server)
/* strip leading '[' and trailing ']' from escaped IPv6 address */
sl -= 2;
strncpy(host, server + 1, sl);
+ host[sl] = '\0';
server = host;
}