compat-openssl11-1.1.1k-5.el9.2
エラータID: AXSA:2026-843:02
リリース日:
2026/06/24 Wednesday - 02:42
題名:
compat-openssl11-1.1.1k-5.el9.2
影響のあるチャネル:
MIRACLE LINUX 9 for x86_64
Severity:
Moderate
Description:
以下項目について対処しました。
[Security Fix]
- OpenSSL の PKCS12_get_friendlyname() 関数には、バッファサイズ
の算出処理に不備に起因したメモリ領域の範囲外書き込みの問題がある
ため、リモートの攻撃者により、細工された PKCS#12 形式のファイル
の処理を介して、情報の漏洩、データ破壊、およびサービス拒否攻撃
などを可能とする脆弱性が存在します。(CVE-2025-69419)
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2025-69419
Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing non-ASCII BMP code point can trigger a one byte write before the allocated buffer. Impact summary: The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service. The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 source byte count as the destination buffer capacity to UTF8_putc(). For BMP code points above U+07FF, UTF-8 requires three bytes, but the forwarded capacity can be just two bytes. UTF8_putc() then returns -1, and this negative value is added to the output length without validation, causing the length to become negative. The subsequent trailing NUL byte is then written at a negative offset, causing write outside of heap allocated buffer. The vulnerability is reachable via the public PKCS12_get_friendlyname() API when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a different code path that avoids this issue, PKCS12_get_friendlyname() directly invokes the vulnerable function. Exploitation requires an attacker to provide a malicious PKCS#12 file to be parsed by the application and the attacker can just trigger a one zero byte write before the allocated buffer. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue.
Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing non-ASCII BMP code point can trigger a one byte write before the allocated buffer. Impact summary: The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service. The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 source byte count as the destination buffer capacity to UTF8_putc(). For BMP code points above U+07FF, UTF-8 requires three bytes, but the forwarded capacity can be just two bytes. UTF8_putc() then returns -1, and this negative value is added to the output length without validation, causing the length to become negative. The subsequent trailing NUL byte is then written at a negative offset, causing write outside of heap allocated buffer. The vulnerability is reachable via the public PKCS12_get_friendlyname() API when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a different code path that avoids this issue, PKCS12_get_friendlyname() directly invokes the vulnerable function. Exploitation requires an attacker to provide a malicious PKCS#12 file to be parsed by the application and the attacker can just trigger a one zero byte write before the allocated buffer. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue.
追加情報:
N/A
ダウンロード:
SRPMS
- compat-openssl11-1.1.1k-5.el9.2.src.rpm
MD5: a0a2da39ef895e0b35b5196a830bb5c1
SHA-256: 86c9b5ad525fd505628cb3e68d58909ca096ec0aeda72059e8be3b875cd52acc
Size: 7.28 MB
Asianux Server 9 for x86_64
- compat-openssl11-1.1.1k-5.el9.2.i686.rpm
MD5: 5277a27310f3f2a4def486ee4e73c361
SHA-256: d674eda9766645b3bbf49ec842c66392c805a89bc2020c8338d0d4d3abe16bda
Size: 1.44 MB - compat-openssl11-1.1.1k-5.el9.2.x86_64.rpm
MD5: ff1a99c80bb35b1e5fe8f2b8351ddf50
SHA-256: 9358054e1242d8b353a0536a4ca9fdf5b1e62fd8f9fab10eeb7f56c2945e942b
Size: 1.45 MB