From 0a7bb3d748d631ab03c487baf30889490b634170 Mon Sep 17 00:00:00 2001
From: yangxinyu
Date: Tue, 9 Sep 2025 14:47:49 +0800
Subject: [PATCH] [CVE] fix cve-2023-0215 cve-2022-4450 to #bug24150 #bug24163 fix cve-2023-0215 cve-2022-4450
Project: TC2024080204
Signed-off-by:yangxinyu
---
 openssl-1.1.1-cve-2022-4450.patch | 38 +++++++++++
 openssl-1.1.1-cve-2023-0215.patch | 103 ++++++++++++++++++++++++++++++
 openssl1.1.spec | 13 +++-
 3 files changed, 152 insertions(+), 2 deletions(-)
 create mode 100644 openssl-1.1.1-cve-2022-4450.patch
 create mode 100644 openssl-1.1.1-cve-2023-0215.patch
diff --git a/openssl-1.1.1-cve-2022-4450.patch b/openssl-1.1.1-cve-2022-4450.patch
new file mode 100644
index 0000000..e371720
--- /dev/null
+++ b/openssl-1.1.1-cve-2022-4450.patch
@@ -0,0 +1,38 @@
+From bbcf509bd046b34cca19c766bbddc31683d0858b Mon Sep 17 00:00:00 2001
+From: Matt Caswell
+Date: Tue, 13 Dec 2022 14:54:55 +0000
+Subject: [PATCH] Avoid dangling ptrs in header and data params for
+ PEM_read_bio_ex
+
+In the event of a failure in PEM_read_bio_ex() we free the buffers we
+allocated for the header and data buffers. However we were not clearing
+the ptrs stored in *header and *data. Since, on success, the caller is
+responsible for freeing these ptrs this can potentially lead to a double
+free if the caller frees them even on failure.
+
+Thanks to Dawei Wang for reporting this issue.
+
+Based on a proposed patch by Kurt Roeckx.
+
+CVE-2022-4450
+
+Reviewed-by: Paul Dale
+Reviewed-by: Hugo Landau
+---
+ crypto/pem/pem_lib.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
+index d416d939ead56..328c30cdbb27e 100644
+--- a/crypto/pem/pem_lib.c
++++ b/crypto/pem/pem_lib.c
+@@ -957,7 +957,9 @@ int PEM_read_bio_ex(BIO *bp, char **name_out, char **header,
+ *data = pem_malloc(len, flags);
+ if (*header == NULL || *data == NULL) {
+ pem_free(*header, flags, 0);
++ *header = NULL;
+ pem_free(*data, flags, 0);
++ *data = NULL;
+ goto end;
+ }
+ BIO_read(headerB, *header, headerlen);
diff --git a/openssl-1.1.1-cve-2023-0215.patch b/openssl-1.1.1-cve-2023-0215.patch
new file mode 100644
index 0000000..c1ba2cd
--- /dev/null
+++ b/openssl-1.1.1-cve-2023-0215.patch
@@ -0,0 +1,103 @@
+From c3829dd8825c654652201e16f8a0a0c46ee3f344 Mon Sep 17 00:00:00 2001
+From: Matt Caswell
+Date: Wed, 14 Dec 2022 16:18:14 +0000
+Subject: [PATCH] Fix a UAF resulting from a bug in BIO_new_NDEF
+
+If the aux->asn1_cb() call fails in BIO_new_NDEF then the "out" BIO will
+be part of an invalid BIO chain. This causes a "use after free" when the
+BIO is eventually freed.
+
+Based on an original patch by Viktor Dukhovni and an idea from Theo
+Buehler.
+
+Thanks to Octavio Galland for reporting this issue.
+
+Reviewed-by: Paul Dale
+Reviewed-by: Tomas Mraz
+---
+ crypto/asn1/bio_ndef.c | 39 ++++++++++++++++++++++++++++++++-------
+ 1 file changed, 32 insertions(+), 7 deletions(-)
+
+diff --git a/crypto/asn1/bio_ndef.c b/crypto/asn1/bio_ndef.c
+index 760e4846a4744..f8d4b1b9aa670 100644
+--- a/crypto/asn1/bio_ndef.c
++++ b/crypto/asn1/bio_ndef.c
+@@ -49,12 +49,19 @@ static int ndef_suffix(BIO *b, unsigned char **pbuf, int *plen, void *parg);
+ static int ndef_suffix_free(BIO *b, unsigned char **pbuf, int *plen,
+ void *parg);
+
++/*
++ * On success, the returned BIO owns the input BIO as part of its BIO chain.
++ * On failure, NULL is returned and the input BIO is owned by the caller.
++ *
++ * Unfortunately cannot constify this due to CMS_stream() and PKCS7_stream()
++ */
+ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
+ {
+ NDEF_SUPPORT *ndef_aux = NULL;
+ BIO *asn_bio = NULL;
+ const ASN1_AUX *aux = it->funcs;
+ ASN1_STREAM_ARG sarg;
++ BIO *pop_bio = NULL;
+
+ if (!aux || !aux->asn1_cb) {
+ ASN1err(ASN1_F_BIO_NEW_NDEF, ASN1_R_STREAMING_NOT_SUPPORTED);
+@@ -69,21 +76,39 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
+ out = BIO_push(asn_bio, out);
+ if (out == NULL)
+ goto err;
++ pop_bio = asn_bio;
+
+- BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free);
+- BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free);
++ if (BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free) <= 0
++ || BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free) <= 0
++ || BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux) <= 0)
++ goto err;
+
+ /*
+- * Now let callback prepends any digest, cipher etc BIOs ASN1 structure
+- * needs.
++ * Now let the callback prepend any digest, cipher, etc., that the BIO's
++ * ASN1 structure needs.
+ */
+
+ sarg.out = out;
+ sarg.ndef_bio = NULL;
+ sarg.boundary = NULL;
+
+- if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0)
++ /*
++ * The asn1_cb(), must not have mutated asn_bio on error, leaving it in the
++ * middle of some partially built, but not returned BIO chain.
++ */
++ if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0) {
++ /*
++ * ndef_aux is now owned by asn_bio so we must not free it in the err
++ * clean up block
++ */
++ ndef_aux = NULL;
+ goto err;
++ }
++
++ /*
++ * We must not fail now because the callback has prepended additional
++ * BIOs to the chain
++ */
+
+ ndef_aux->val = val;
+ ndef_aux->it = it;
+@@ -91,11 +116,11 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
+ ndef_aux->boundary = sarg.boundary;
+ ndef_aux->out = out;
+
+- BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux);
+-
+ return sarg.ndef_bio;
+
+ err:
++ /* BIO_pop() is NULL safe */
++ (void)BIO_pop(pop_bio);
+ BIO_free(asn_bio);
+ OPENSSL_free(ndef_aux);
+ return NULL;
diff --git a/openssl1.1.spec b/openssl1.1.spec
index 895f630..a5ffc81 100644
--- a/openssl1.1.spec
+++ b/openssl1.1.spec
@@ -1,4 +1,4 @@
-%define anolis_release 5
+%define anolis_release 6
 %bcond_without devel
 %define soversion 1.1
 %global _performance_build 1
@@ -72,6 +72,11 @@ Patch1053: openssl-1.1.1-fips-crng-test.patch
 Patch1055: openssl-1.1.1-arm-update.patch
 Patch1056: openssl-1.1.1-s390x-ecc.patch
+#https://github.com/openssl/openssl/commit/bbcf509bd046b34cca19c766bbddc31683d0858b
+Patch1072: openssl-1.1.1-cve-2022-4450.patch
+#https://github.com/openssl/openssl/commit/c3829dd8825c654652201e16f8a0a0c46ee3f344
+Patch1073: openssl-1.1.1-cve-2023-0215.patch
+
 
 %description
 The %{real_name} toolkit provides support for secure communications between
 machines. This version of %{real_name} package contains only the libraries
@@ -142,7 +147,8 @@ cp %{SOURCE3} test/
 %patch1069 -p1 -b .alpn-cb
 %patch1070 -p1 -b .rewire-fips-drbg
 %patch1071 -p1
-
+%patch1072 -p1
+%patch1073 -p1
 
 %build
 sslarch=%{_os}-%{_target_cpu}
@@ -276,6 +282,9 @@ rm -rf %{buildroot}/%{_libdir}/pkgconfig
 %ldconfig_scriptlets
 
 %changelog
+* Tue Sep 9 2025 yangxinyu - 1:1.1.1q-6
+- fix cve-2022-4450 cve-2023-0215
+
 * Thu May 8 2025 Yihao Yan - 1:1.1.1q-5
 - add support for riscv64
 
--
Gitee
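Review bot: `%patch1072 -p1` and `%patch1073 -p1` in the %prep hunk of openssl1.1.spec omit the `-b` backup suffix that the neighbouring `%patch1069 -p1 -b .alpn-cb` and `%patch1070 -p1 -b .rewire-fips-drbg` lines carry, so no pre-patch copy of pem_lib.c or bio_ndef.c is kept for later comparison; `%patch1071 -p1` already set that precedent, so this may be deliberate. Suggest `%patch1072 -p1 -b .cve-2022-4450` and `%patch1073 -p1 -b .cve-2023-0215` to keep the section uniform and make a rebase of either CVE patch easier to audit. The new changelog entry names only the two CVEs; carrying the `#bug24150 #bug24163` ids from the commit subject into it would keep the package history traceable to the tracker.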