backport some patches

backport-x509-Fix-possible-use-after-free-when-OOM.patch

@@ -0,0 +1,65 @@
+From b1cc84e82d41ab669bf804ea519f5332c48a3d77 Mon Sep 17 00:00:00 2001
+From: Clemens Lang <cllang@redhat.com>
+Date: Wed, 24 May 2023 12:22:25 +0200
+Subject: [PATCH] x509: Fix possible use-after-free when OOM
+
+ossl_policy_level_add_node() first adds the new node to the level->nodes
+stack, and then attempts to add extra data if extra_data is true. If
+memory allocation or adding the extra data to tree->extra_data fails,
+the allocated node (that has already been added to the level->nodes
+stack) is freed using ossl_policy_node_free(), which leads to
+a potential use after free.
+
+Additionally, the tree's node count and the parent's child count would
+not be updated, despite the new node being added.
+
+Fix this by either performing the function's purpose completely, or not
+at all by reverting the changes on error.
+
+Signed-off-by: Clemens Lang <cllang@redhat.com>
+
+Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/21066)
+---
+ crypto/x509v3/pcy_node.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/x509v3/pcy_node.c b/crypto/x509v3/pcy_node.c
+index d574fb9d66..c6c01cbb39 100644
+--- a/crypto/x509v3/pcy_node.c
++++ b/crypto/x509v3/pcy_node.c
+@@ -100,11 +100,11 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
+             tree->extra_data = sk_X509_POLICY_DATA_new_null();
+         if (tree->extra_data == NULL){
+             X509V3err(X509V3_F_LEVEL_ADD_NODE, ERR_R_MALLOC_FAILURE);
+-            goto node_error;
++            goto extra_data_error;
+         }
+         if (!sk_X509_POLICY_DATA_push(tree->extra_data, data)) {
+             X509V3err(X509V3_F_LEVEL_ADD_NODE, ERR_R_MALLOC_FAILURE);
+-            goto node_error;
++            goto extra_data_error;
+         }
+     }
+ 
+@@ -114,6 +114,14 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
+ 
+     return node;
+ 
++ extra_data_error:
++    if (level != NULL) {
++        if (level->anyPolicy == node)
++            level->anyPolicy = NULL;
++        else
++            (void) sk_X509_POLICY_NODE_pop(level->nodes);
++    }
++
+  node_error:
+     policy_node_free(node);
+     return NULL;
+-- 
+2.27.0
+

backport-x509-Handle-ossl_policy_level_add_node-errors.patch

@@ -0,0 +1,72 @@
+From 3cc6933555a0c66328ec659b5bb86c57b6402e1e Mon Sep 17 00:00:00 2001
+From: Clemens Lang <cllang@redhat.com>
+Date: Wed, 24 May 2023 13:12:54 +0200
+Subject: [PATCH] x509: Handle ossl_policy_level_add_node errors
+
+The invocation of ossl_policy_level_add_node in tree_calculate_user_set
+did not have any error handling. Add it to prevent a memory leak for the
+allocated extra policy data.
+
+Also add error handling to sk_X509_POLICY_NODE_push to ensure that if
+a new node was allocated, but could not be added to the stack, it is
+freed correctly.
+
+Fix error handling if tree->user_policies cannot be allocated by
+returning 0, indicating failure, rather than 1.
+
+Signed-off-by: Clemens Lang <cllang@redhat.com>
+
+Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/21066)
+---
+ crypto/x509v3/pcy_tree.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c
+index 6c7fd35405..3c504e82c6 100644
+--- a/crypto/x509v3/pcy_tree.c
++++ b/crypto/x509v3/pcy_tree.c
+@@ -25,6 +25,8 @@
+ # define OPENSSL_POLICY_TREE_NODES_MAX 1000
+ #endif
+ 
++static void exnode_free(X509_POLICY_NODE *node);
++
+ /*
+  * Enable this to print out the complete policy tree at various point during
+  * evaluation.
+@@ -572,15 +574,24 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree,
+             extra->qualifier_set = anyPolicy->data->qualifier_set;
+             extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS
+                 | POLICY_DATA_FLAG_EXTRA_NODE;
+-            node = level_add_node(NULL, extra, anyPolicy->parent, tree, 1);
++            node = level_add_node(NULL, extra, anyPolicy->parent,
++                                  tree, 1);
++            if (node == NULL) {
++                policy_data_free(extra);
++                return 0;
++            }
+         }
+         if (!tree->user_policies) {
+             tree->user_policies = sk_X509_POLICY_NODE_new_null();
+-            if (!tree->user_policies)
+-                return 1;
++            if (!tree->user_policies) {
++                exnode_free(node);
++                return 0;
++            }
+         }
+-        if (!sk_X509_POLICY_NODE_push(tree->user_policies, node))
++        if (!sk_X509_POLICY_NODE_push(tree->user_policies, node)) {
++            exnode_free(node);
+             return 0;
++        }
+     }
+     return 1;
+ }
+-- 
+2.27.0
+

openssl.spec

@@ -2,7 +2,7 @@
 Name:        openssl
 Epoch:       1
 Version:     1.1.1m
-Release:     23
+Release:     24
 Summary:     Cryptography and SSL/TLS Toolkit
 License:     OpenSSL and SSLeay
 URL:         https://www.openssl.org/
@@ -65,6 +65,8 @@ Patch54:     backport-CVE-2023-3446-Fix-DH_check-excessive-time-with-over-sized-
 Patch55:     backport-update-expired-certificates-for-sm2.patch
 Patch56:     backport-CVE-2023-3817-DH_check-Do-not-try-checking-q-properties-if-it-is-o.patch
 Patch57:     backport-CVE-2023-3817-dhtest.c-Add-test-of-DH_check-with-q-p-1.patch
+Patch58:     backport-x509-Handle-ossl_policy_level_add_node-errors.patch
+Patch59:     backport-x509-Fix-possible-use-after-free-when-OOM.patch
 
 BuildRequires: gcc perl make lksctp-tools-devel coreutils util-linux zlib-devel
 Requires:    coreutils %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
@@ -271,6 +273,9 @@ make test || :
 %ldconfig_scriptlets libs
 
 %changelog
+* Tue Aug 08 2023 zcfsite <zhchf2010@126.com> - 1:1.1.1m-24
+* backport some patches
+
 * Tue Aug 08 2023 steven <steven_ygui@163.com> - 1:1.1.1m-23
 - fix CVE-2023-3817