From 1faef5e63a49d14e8418f030095ed1fa45f0faa2 Mon Sep 17 00:00:00 2001
From: lizhipeng <lizhipeng@kylinos.cn>
Date: Thu, 2 Oct 2025 00:04:34 +0800
Subject: [PATCH] Fix CVE-2025-9230

Signed-off-by: lizhipeng <lizhipeng@kylinos.cn>
---
 Backport-Fix-CVE-2025-9230.patch | 31 +++++++++++++++++++++++++++++++
 openssl.spec                     |  6 +++++-
 2 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 Backport-Fix-CVE-2025-9230.patch

diff --git a/Backport-Fix-CVE-2025-9230.patch b/Backport-Fix-CVE-2025-9230.patch
new file mode 100644
index 0000000..500180b
--- /dev/null
+++ b/Backport-Fix-CVE-2025-9230.patch
@@ -0,0 +1,31 @@
+From a79c4ce559c6a3a8fd4109e9f33c1185d5bf2def Mon Sep 17 00:00:00 2001
+From: Viktor Dukhovni <openssl-users@dukhovni.org>
+Date: Thu, 11 Sep 2025 18:10:12 +0200
+Subject: [PATCH] kek_unwrap_key(): Fix incorrect check of unwrapped key size
+
+Fixes CVE-2025-9230
+
+The check is off by 8 bytes so it is possible to overread by
+up to 8 bytes and overwrite up to 4 bytes.
+
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(cherry picked from commit 9c462be2cea54ebfc62953224220b56f8ba22a0c)
+---
+ crypto/cms/cms_pwri.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/crypto/cms/cms_pwri.c b/crypto/cms/cms_pwri.c
+index d5c3c8d399dfd..33a7ccaa76a3a 100644
+--- a/crypto/cms/cms_pwri.c
++++ b/crypto/cms/cms_pwri.c
+@@ -229,7 +229,7 @@ static int kek_unwrap_key(unsigned char *out, size_t *outlen,
+         /* Check byte failure */
+         goto err;
+     }
+-    if (inlen < (size_t)(tmp[0] - 4)) {
++    if (inlen < 4 + (size_t)tmp[0]) {
+         /* Invalid length value */
+         goto err;
+     }
diff --git a/openssl.spec b/openssl.spec
index 24f7f48..926b5bb 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -2,7 +2,7 @@
 Name:        openssl
 Epoch:       1
 Version:     1.1.1wa
-Release:     12
+Release:     13
 Summary:     Cryptography and SSL/TLS Toolkit
 License:     OpenSSL and SSLeay
 URL:         https://gitee.com/openeuler/openssl
@@ -32,6 +32,7 @@ Patch21:     Add-Zhaoxin-GMI-rng-instruction-support.patch
 Patch22:     Add-Zhaoxin-GMI-sm3-instruction-support.patch
 Patch23:     Add-Zhaoxin-GMI-sm4-instruction-support.patch
 Patch24:     Add-Zhaoxin-GMI-sm2-instruction-support.patch
+Patch25:     Backport-Fix-CVE-2025-9230.patch
 
 BuildRequires: gcc perl make lksctp-tools-devel coreutils util-linux zlib-devel
 Requires:    coreutils %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
@@ -240,6 +241,9 @@ make test || :
 %ldconfig_scriptlets libs
 
 %changelog
+* Wed Oct 1 2025 lizhipeng <lizhipeng@kylinos.cn> - 1:1.1.1wa-13
+- fix CVE-2025-9230
+
 * Fri Sep 5 2025 AlanSong-oc <AlanSong-oc@zhaoxin.com> - 1:1.1.1wa-12
 - add support for Zhaoxin GMI RNG/SM2/3/4 instruction
 
-- 
Gitee