From 5554b85c4f1d3d9750ecf2b2637dda480abfd64d Mon Sep 17 00:00:00 2001
From: Sinong Chen
Date: Thu, 11 Jun 2026 20:59:21 +0800
Subject: [PATCH] backport patch to fix CVE-2026-45447
Signed-off-by: Sinong Chen
---
 ...ix-possible-use-after-free-in-OpenSS.patch | 45 +++++++++++++++++++
 shim.spec | 8 +++-
 2 files changed, 52 insertions(+), 1 deletion(-)
 create mode 100644 backport-0012-CVE-2026-45447-Fix-possible-use-after-free-in-OpenSS.patch
diff --git a/backport-0012-CVE-2026-45447-Fix-possible-use-after-free-in-OpenSS.patch b/backport-0012-CVE-2026-45447-Fix-possible-use-after-free-in-OpenSS.patch
new file mode 100644
index 0000000..6256d99
--- /dev/null
+++ b/backport-0012-CVE-2026-45447-Fix-possible-use-after-free-in-OpenSS.patch
@@ -0,0 +1,45 @@
+From f5691c4366236e1fcdb3c6ca7811b6e55e107aba Mon Sep 17 00:00:00 2001
+From: Sinong Chen
+Date: Thu, 11 Jun 2026 20:41:21 +0800
+Subject: [PATCH] Fix possible use-after-free in OpenSSL PKCS7_verify()
+
+Fixes CVE-2026-45447
+
+Reviewed-by: Eugene Syromiatnikov
+Reviewed-by: Norbert Pocs
+MergeDate: Mon Jun 8 20:32:32 2026
+---
+ Cryptlib/OpenSSL/crypto/pkcs7/pk7_smime.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/Cryptlib/OpenSSL/crypto/pkcs7/pk7_smime.c b/Cryptlib/OpenSSL/crypto/pkcs7/pk7_smime.c
+index b27b0f6..b520e03 100644
+--- a/Cryptlib/OpenSSL/crypto/pkcs7/pk7_smime.c
++++ b/Cryptlib/OpenSSL/crypto/pkcs7/pk7_smime.c
+@@ -260,6 +260,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
+ int i, j = 0, k, ret = 0;
+ BIO *p7bio = NULL;
+ BIO *tmpin = NULL, *tmpout = NULL;
++ BIO *next = NULL;
+
+ if (!p7) {
+ PKCS7err(PKCS7_F_PKCS7_VERIFY, PKCS7_R_INVALID_NULL_POINTER);
+@@ -412,11 +413,11 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
+
+ err:
+ OPENSSL_free(buf);
+- if (tmpin == indata) {
+- if (indata)
+- BIO_pop(p7bio);
++ while (p7bio != NULL && p7bio != indata) {
++ next = BIO_pop(p7bio);
++ BIO_free(p7bio);
++ p7bio = next;
+ }
+- BIO_free_all(p7bio);
+ sk_X509_free(signers);
+ return ret;
+ }
+--
+2.43.7
+
diff --git a/shim.spec b/shim.spec
index 066ba5b..0a8f082 100644
--- a/shim.spec
+++ b/shim.spec
@@ -19,7 +19,7 @@
 Summary: First-stage UEFI bootloader
 Name: shim
 Version: 15.7
-Release: 12%{?dist}
+Release: 13%{?dist}
 License: BSD
 URL: https://github.com/rhboot/shim
 Source0: %{url}/releases/download/%{version}/shim-%{version}.tar.bz2
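Review bot: The cleanup loop added under `err:` in the embedded pk7_smime.c patch carries no comment stating the ownership rule it enforces, although that rule is the substance of the fix: each BIO in front of `indata` is popped and freed individually, and `indata` itself is never freed here. I would put above the `while` a comment such as `/* Free each BIO stacked ahead of indata; stop at indata, which this function must not free. */`. The removed code decided this from `tmpin == indata`, whereas the loop no longer reads `tmpin`, so a separately allocated `tmpin` is released only if it is reachable from `p7bio`; the code that sets both lies outside the hunk, so the path that reaches `err:` with `p7bio` still NULL is worth checking for a leak. The embedded patch header also names no upstream commit, and a line like `Reference: <upstream commit URL>` would let the backport be compared with the original fix.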
@@ -38,6 +38,7 @@ Patch0008: backport-0008-CVE-2023-40548-Fix-integer-overflow-on-SBAT-section Patch0009: backport-0009-Further-mitigations-against-CVE-2023-40546-as-a-clas.patch Patch0010: backport-0010-CVE-2023-40547-avoid-incorrectly-trusting-HTTP-heade.patch Patch0011: backport-0011-pe-Align-section-size-up-to-page-size-for-mem-attrs.patch +Patch0012: backport-0012-CVE-2026-45447-Fix-possible-use-after-free-in-OpenSS.patch # Feature for shim SMx support Patch3000: openssl-add-ecdsa-and-ec-support-for-shim.patch @@ -120,6 +121,11 @@ rm -rf %{buildroot}/usr/src/debug %{efi_esp_boot}/*%{efi_arch_upper}.EFI %changelog +* Thu Jun 11 2026 Sinong Chen - 15.7-13 +- [Type] Security +- [Desc] Backport patch to fix CVE-2026-45447 +- Fix possible use-after-free in OpenSSL PKCS7_verify() + * Fri Apr 3 2026 Sinong Chen - 15.7-12 - [Type] Bugfix - [Desc] Backport patch to fix PE image section alignment -- Gitee