Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 30 Sep 2025 15:37:25 GMT
From:      Gordon Tetlow <gordon@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: 6a0d914d9c3e - releng/14.2 - Fix multiple security issues in OpenSSL.
Message-ID:  <202509301537.58UFbPix067793@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help 
The branch releng/14.2 has been updated by gordon:

URL: https://cgit.FreeBSD.org/src/commit/?id=6a0d914d9c3ebd8c150b7f90e79616d16efefee8

commit 6a0d914d9c3ebd8c150b7f90e79616d16efefee8
Author:     Gordon Tetlow <gordon@FreeBSD.org>
AuthorDate: 2025-09-30 15:27:08 +0000
Commit:     Gordon Tetlow <gordon@FreeBSD.org>
CommitDate: 2025-09-30 15:31:54 +0000

    Fix multiple security issues in OpenSSL.
    
    Out-of-bounds read & write in RFC 3211 KEK Unwrap (CVE-2025-9230)
    Out-of-bounds read in HTTP client no_proxy handling (CVE-2025-9232)
    
    Obtained from:  OpenSSL
    Approved by:    so
    Security:       FreeBSD-SA-25:08.openssl
    Security:       CVE-2025-9230
    Security:       CVE-2025-9232
    
    (cherry picked from commit 270158508d7c55a0737c2a9915cd4afc8fabdaf0)
---
 crypto/openssl/crypto/cms/cms_pwri.c  | 2 +-
 crypto/openssl/crypto/http/http_lib.c | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/crypto/openssl/crypto/cms/cms_pwri.c b/crypto/openssl/crypto/cms/cms_pwri.c
index 2373092bed55..6b507c3f0176 100644
--- a/crypto/openssl/crypto/cms/cms_pwri.c
+++ b/crypto/openssl/crypto/cms/cms_pwri.c
@@ -228,7 +228,7 @@ static int kek_unwrap_key(unsigned char *out, size_t *outlen,
         /* Check byte failure */
         goto err;
     }
-    if (inlen < (size_t)(tmp[0] - 4)) {
+    if (inlen < 4 + (size_t)tmp[0]) {
         /* Invalid length value */
         goto err;
     }
diff --git a/crypto/openssl/crypto/http/http_lib.c b/crypto/openssl/crypto/http/http_lib.c
index 9c41f57541d7..614fd200b7c0 100644
--- a/crypto/openssl/crypto/http/http_lib.c
+++ b/crypto/openssl/crypto/http/http_lib.c
@@ -267,6 +267,7 @@ static int use_proxy(const char *no_proxy, const char *server)
         /* strip leading '[' and trailing ']' from escaped IPv6 address */
         sl -= 2;
         strncpy(host, server + 1, sl);
+        host[sl] = '\0';
         server = host;
     }

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202509301537.58UFbPix067793>