From 76c90837f0debf46a22cb85df2f471a3bf8301a7 Mon Sep 17 00:00:00 2001
From: fangxiuning <fangxiuning@huawei.com>
Date: Wed, 8 Mar 2023 03:25:40 +0000
Subject: [PATCH] modify

---
 ...e-during-BIO-setup-with-stream-is-ha.patch |  80 +++++++++++++
 ...resulting-from-a-bug-in-BIO_new_NDEF.patch | 106 ++++++++++++++++++
 ...x-GENERAL_NAME_cmp-for-x400Address-1.patch |  62 ++++++++++
 compat-openssl11.spec                         |   8 +-
 4 files changed, 255 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2023-0215-Check-CMS-failure-during-BIO-setup-with-stream-is-ha.patch
 create mode 100644 backport-CVE-2023-0215-Fix-a-UAF-resulting-from-a-bug-in-BIO_new_NDEF.patch
 create mode 100644 backport-CVE-2023-0286-Fix-GENERAL_NAME_cmp-for-x400Address-1.patch

diff --git a/backport-CVE-2023-0215-Check-CMS-failure-during-BIO-setup-with-stream-is-ha.patch b/backport-CVE-2023-0215-Check-CMS-failure-during-BIO-setup-with-stream-is-ha.patch
new file mode 100644
index 0000000..100edbe
--- /dev/null
+++ b/backport-CVE-2023-0215-Check-CMS-failure-during-BIO-setup-with-stream-is-ha.patch
@@ -0,0 +1,80 @@
+From f040f2577891d2bdb7610566c172233844cf673a Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Wed, 14 Dec 2022 17:15:18 +0000
+Subject: [PATCH] Check CMS failure during BIO setup with -stream is handled
+ correctly
+
+Test for the issue fixed in the previous commit
+
+Reviewed-by: Paul Dale <pauli@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+---
+ test/recipes/80-test_cms.t  | 15 +++++++++++++--
+ test/smime-certs/badrsa.pem | 18 ++++++++++++++++++
+ 2 files changed, 31 insertions(+), 2 deletions(-)
+ create mode 100644 test/smime-certs/badrsa.pem
+
+diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
+index 5dc6a3aebe..ec11bfc253 100644
+--- a/test/recipes/80-test_cms.t
++++ b/test/recipes/80-test_cms.t
+@@ -13,7 +13,7 @@ use warnings;
+ use POSIX;
+ use File::Spec::Functions qw/catfile/;
+ use File::Compare qw/compare_text/;
+-use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file/;
++use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file with/;
+ use OpenSSL::Test::Utils;
+ 
+ setup("test_cms");
+@@ -27,7 +27,7 @@ my $smcont   = srctop_file("test", "smcont.txt");
+ my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib)
+     = disabled qw/des dh dsa ec ec2m rc2 zlib/;
+ 
+-plan tests => 6;
++plan tests => 7;
+ 
+ my @smime_pkcs7_tests = (
+ 
+@@ -584,3 +584,14 @@ sub check_availability {
+ 
+     return "";
+ }
++
++# Check that we get the expected failure return code
++with({ exit_checker => sub { return shift == 6; } },
++    sub {
++        ok(run(app(['openssl', 'cms', '-encrypt',
++                    '-in', srctop_file("test", "smcont.txt"),
++                    '-stream', '-recip',
++                    srctop_file("test/smime-certs", "badrsa.pem"),
++                   ])),
++            "Check failure during BIO setup with -stream is handled correctly");
++    });
+diff --git a/test/smime-certs/badrsa.pem b/test/smime-certs/badrsa.pem
+new file mode 100644
+index 0000000000..f824fc2267
+--- /dev/null
++++ b/test/smime-certs/badrsa.pem
+@@ -0,0 +1,18 @@
++-----BEGIN CERTIFICATE-----
++MIIDbTCCAlWgAwIBAgIToTV4Z0iuK08vZP20oTh//hC8BDANBgkqhkiG9w0BAQ0FADAtMSswKQYD
++VfcDEyJTYW1wbGUgTEFNUFMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MCAXDTE5MTEyMDA2NTQxOFoY
++DzIwNTIwOTI3MDY1NDE4WjAZMRcwFQYDVQQDEw5BbGljZSBMb3ZlbGFjZTCCASIwDQYJKoZIhvcN
++AQEBBQADggEPADCCAQoCggEBALT0iehYOBY+TZp/T5K2KNI05Hwr+E3wP6XTvyi6WWyTgBK9LCOw
++I2juwdRrjFBmXkk7pWpjXwsA3A5GOtz0FpfgyC7OxsVcF7q4WHWZWleYXFKlQHJD73nQwXP968+A
++/3rBX7PhO0DBbZnfitOLPgPEwjTtdg0VQQ6Wz+CRQ/YbHPKaw7aRphZO63dKvIKp4cQVtkWQHi6s
++yTjGsgkLcLNau5LZDQUdsGV+SAo3nBdWCRYV+I65x8Kf4hCxqqmjV3d/2NKRu0BXnDe/N+iDz3X0
++zEoj0fqXgq4SWcC0nsG1lyyXt1TL270I6ATKRGJWiQVCCpDtc0NT6vdJ45bCSxgCAwEAAaOBlzCB
++lDAMBgNVHRMBAf8EAjAAMB4GA1UdEQQXMBWBE2FsaWNlQHNtaW1lLmV4YW1wbGUwEwYDVR0lBAww
++CgYIKwYBBQUHAwQwDwYDVR0PAQH/BAUDAwfAADAdBgNVHQ4EFgQUu/bMsi0dBhIcl64papAQ0yBm
++ZnMwHwYDVR0jBBgwFoAUeF8OWnjYa+RUcD2z3ez38fL6wEcwDQYJKoZIhvcNAQENBQADggEBABbW
++eonR6TMTckehDKNOabwaCIcekahAIL6l9tTzUX5ew6ufiAPlC6I/zQlmUaU0iSyFDG1NW14kNbFt
++5CAokyLhMtE4ASHBIHbiOp/ZSbUBTVYJZB61ot7w1/ol5QECSs08b8zrxIncf+t2DHGuVEy/Qq1d
++rBz8d4ay8zpqAE1tUyL5Da6ZiKUfWwZQXSI/JlbjQFzYQqTRDnzHWrg1xPeMTO1P2/cplFaseTiv
++yk4cYwOp/W9UAWymOZXF8WcJYCIUXkdcG/nEZxr057KlScrJmFXOoh7Y+8ON4iWYYcAfiNgpUFo/
++j8BAwrKKaFvdlZS9k1Ypb2+UQY75mKJE9Bg=
++-----END CERTIFICATE-----
+-- 
+2.17.1
+
diff --git a/backport-CVE-2023-0215-Fix-a-UAF-resulting-from-a-bug-in-BIO_new_NDEF.patch b/backport-CVE-2023-0215-Fix-a-UAF-resulting-from-a-bug-in-BIO_new_NDEF.patch
new file mode 100644
index 0000000..81b1605
--- /dev/null
+++ b/backport-CVE-2023-0215-Fix-a-UAF-resulting-from-a-bug-in-BIO_new_NDEF.patch
@@ -0,0 +1,106 @@
+From c3829dd8825c654652201e16f8a0a0c46ee3f344 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Wed, 14 Dec 2022 16:18:14 +0000
+Subject: [PATCH] Fix a UAF resulting from a bug in BIO_new_NDEF
+
+If the aux->asn1_cb() call fails in BIO_new_NDEF then the "out" BIO will
+be part of an invalid BIO chain. This causes a "use after free" when the
+BIO is eventually freed.
+
+Based on an original patch by Viktor Dukhovni and an idea from Theo
+Buehler.
+
+Thanks to Octavio Galland for reporting this issue.
+
+Reviewed-by: Paul Dale <pauli@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+---
+ crypto/asn1/bio_ndef.c | 39 ++++++++++++++++++++++++++++++++-------
+ 1 file changed, 32 insertions(+), 7 deletions(-)
+
+diff --git a/crypto/asn1/bio_ndef.c b/crypto/asn1/bio_ndef.c
+index 760e4846a4..f8d4b1b9aa 100644
+--- a/crypto/asn1/bio_ndef.c
++++ b/crypto/asn1/bio_ndef.c
+@@ -49,12 +49,19 @@ static int ndef_suffix(BIO *b, unsigned char **pbuf, int *plen, void *parg);
+ static int ndef_suffix_free(BIO *b, unsigned char **pbuf, int *plen,
+                             void *parg);
+ 
++/*
++ * On success, the returned BIO owns the input BIO as part of its BIO chain.
++ * On failure, NULL is returned and the input BIO is owned by the caller.
++ *
++ * Unfortunately cannot constify this due to CMS_stream() and PKCS7_stream()
++ */
+ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
+ {
+     NDEF_SUPPORT *ndef_aux = NULL;
+     BIO *asn_bio = NULL;
+     const ASN1_AUX *aux = it->funcs;
+     ASN1_STREAM_ARG sarg;
++    BIO *pop_bio = NULL;
+ 
+     if (!aux || !aux->asn1_cb) {
+         ASN1err(ASN1_F_BIO_NEW_NDEF, ASN1_R_STREAMING_NOT_SUPPORTED);
+@@ -69,21 +76,39 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
+     out = BIO_push(asn_bio, out);
+     if (out == NULL)
+         goto err;
++    pop_bio = asn_bio;
+ 
+-    BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free);
+-    BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free);
++    if (BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free) <= 0
++            || BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free) <= 0
++            || BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux) <= 0)
++        goto err;
+ 
+     /*
+-     * Now let callback prepends any digest, cipher etc BIOs ASN1 structure
+-     * needs.
++     * Now let the callback prepend any digest, cipher, etc., that the BIO's
++     * ASN1 structure needs.
+      */
+ 
+     sarg.out = out;
+     sarg.ndef_bio = NULL;
+     sarg.boundary = NULL;
+ 
+-    if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0)
++    /*
++     * The asn1_cb(), must not have mutated asn_bio on error, leaving it in the
++     * middle of some partially built, but not returned BIO chain.
++     */
++    if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0) {
++        /*
++         * ndef_aux is now owned by asn_bio so we must not free it in the err
++         * clean up block
++         */
++        ndef_aux = NULL;
+         goto err;
++    }
++
++    /*
++     * We must not fail now because the callback has prepended additional
++     * BIOs to the chain
++     */
+ 
+     ndef_aux->val = val;
+     ndef_aux->it = it;
+@@ -91,11 +116,11 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
+     ndef_aux->boundary = sarg.boundary;
+     ndef_aux->out = out;
+ 
+-    BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux);
+-
+     return sarg.ndef_bio;
+ 
+  err:
++    /* BIO_pop() is NULL safe */
++    (void)BIO_pop(pop_bio);
+     BIO_free(asn_bio);
+     OPENSSL_free(ndef_aux);
+     return NULL;
+-- 
+2.17.1
+
diff --git a/backport-CVE-2023-0286-Fix-GENERAL_NAME_cmp-for-x400Address-1.patch b/backport-CVE-2023-0286-Fix-GENERAL_NAME_cmp-for-x400Address-1.patch
new file mode 100644
index 0000000..ab9d53a
--- /dev/null
+++ b/backport-CVE-2023-0286-Fix-GENERAL_NAME_cmp-for-x400Address-1.patch
@@ -0,0 +1,62 @@
+From 2c6c9d439b484e1ba9830d8454a34fa4f80fdfe9 Mon Sep 17 00:00:00 2001
+From: Hugo Landau <hlandau@openssl.org>
+Date: Tue, 17 Jan 2023 17:45:42 +0000
+Subject: [PATCH] CVE-2023-0286: Fix GENERAL_NAME_cmp for x400Address (1.1.1)
+
+Reviewed-by: Paul Dale <pauli@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+---
+ crypto/x509v3/v3_genn.c  |  2 +-
+ include/openssl/x509v3.h |  2 +-
+ test/v3nametest.c        |  8 ++++++++
+ 4 files changed, 27 insertions(+), 3 deletions(-)
+
+ 
+diff --git a/crypto/x509v3/v3_genn.c b/crypto/x509v3/v3_genn.c
+index 87a5eff47c..e54ddc55c9 100644
+--- a/crypto/x509v3/v3_genn.c
++++ b/crypto/x509v3/v3_genn.c
+@@ -98,7 +98,7 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
+         return -1;
+     switch (a->type) {
+     case GEN_X400:
+-        result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address);
++        result = ASN1_STRING_cmp(a->d.x400Address, b->d.x400Address);
+         break;
+ 
+     case GEN_EDIPARTY:
+diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h
+index 90fa3592ce..e61c0f29d4 100644
+--- a/include/openssl/x509v3.h
++++ b/include/openssl/x509v3.h
+@@ -136,7 +136,7 @@ typedef struct GENERAL_NAME_st {
+         OTHERNAME *otherName;   /* otherName */
+         ASN1_IA5STRING *rfc822Name;
+         ASN1_IA5STRING *dNSName;
+-        ASN1_TYPE *x400Address;
++        ASN1_STRING *x400Address;
+         X509_NAME *directoryName;
+         EDIPARTYNAME *ediPartyName;
+         ASN1_IA5STRING *uniformResourceIdentifier;
+diff --git a/test/v3nametest.c b/test/v3nametest.c
+index d1852190b8..37819da8fd 100644
+--- a/test/v3nametest.c
++++ b/test/v3nametest.c
+@@ -646,6 +646,14 @@ static struct gennamedata {
+             0xb7, 0x09, 0x02, 0x02
+         },
+         15
++    }, {
++        /*
++         * Regression test for CVE-2023-0286.
++         */
++        {
++            0xa3, 0x00
++        },
++        2
+     }
+ };
+ 
+-- 
+2.17.1
+
diff --git a/compat-openssl11.spec b/compat-openssl11.spec
index 73cf455..00b9e0f 100644
--- a/compat-openssl11.spec
+++ b/compat-openssl11.spec
@@ -1,7 +1,7 @@
 %define soversion 1.1
 Name:        compat-openssl11
 Version:     1.1.1m
-Release:     3
+Release:     4
 Epoch:       1
 Summary:     Cryptography and SSL/TLS Toolkit
 License:     OpenSSL and SSLeay
@@ -99,6 +99,9 @@ Patch88:     backport-X509-x509_req.c-Set-modified-flag-when-X509_req_info.patch
 Patch89:     backport-ssl_cipher_process_rulestr-don-t-read-outside-rule_s.patch
 Patch90:     backport-CVE-2022-4304-Fix-Timing-Oracle-in-RSA-decryption.patch
 Patch91:     backport-CVE-2022-4450-Avoid-dangling-ptrs-in-header-and-data-params-for-PE.patch
+Patch92:     backport-CVE-2023-0215-Check-CMS-failure-during-BIO-setup-with-stream-is-ha.patch
+Patch93:     backport-CVE-2023-0215-Fix-a-UAF-resulting-from-a-bug-in-BIO_new_NDEF.patch
+Patch94:     backport-CVE-2023-0286-Fix-GENERAL_NAME_cmp-for-x400Address-1.patch
 
 BuildRequires: gcc perl make lksctp-tools-devel coreutils util-linux zlib-devel
 
@@ -232,6 +235,9 @@ make test || :
 %ldconfig_scriptlets libs
 
 %changelog
+* Wed Mar 08 2023 fangxiuning <fangxiuning@huawei.com> - 1:1.1.1m-4
+- Fix some cves
+
 * Tue Mar 07 2023 fangxiuning <fangxiuning@huawei.com> - 1:1.1.1m-3
 - Fix some cves
 
-- 
Gitee