From cf605e922eaa7871a2103f9fc935cf4be8af4bf0 Mon Sep 17 00:00:00 2001 From: Natanael Copa Date: Wed, 1 Oct 2025 08:50:32 +0200 Subject: [PATCH] main/openssl: fix CVE-2025-9230, CVE-2025-9232 Backport fixes from upstream ref: https://openssl-library.org/news/secadv/20250930.txt --- main/openssl/APKBUILD | 8 ++++++++ main/openssl/CVE-2025-9230.patch | 31 +++++++++++++++++++++++++++++++ main/openssl/CVE-2025-9232.patch | 29 +++++++++++++++++++++++++++++ 3 files changed, 68 insertions(+) create mode 100644 main/openssl/CVE-2025-9230.patch create mode 100644 main/openssl/CVE-2025-9232.patch diff --git a/main/openssl/APKBUILD b/main/openssl/APKBUILD index 72459c1e041..ab196012c8d 100644 --- a/main/openssl/APKBUILD +++ b/main/openssl/APKBUILD @@ -18,10 +18,15 @@ subpackages="$pkgname-dbg $pkgname-libs-static $pkgname-dev $pkgname-doc source="https://github.com/openssl/openssl/releases/download/openssl-$pkgver/openssl-$pkgver.tar.gz auxv.patch man-section.patch + CVE-2025-9230.patch + CVE-2025-9232.patch " builddir="$srcdir/openssl-$pkgver" # secfixes: +# 3.1.8-r1: +# - CVE-2025-9230 +# - CVE-2025-9232 # 3.1.8-r0: # - CVE-2024-13176 # 3.1.7-r1: @@ -116,6 +121,7 @@ builddir="$srcdir/openssl-$pkgver" # - CVE-2022-2274 # - CVE-2023-0466 # - CVE-2023-4807 +# - CVE-2025-9231 build() { local _target _optflags 
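Review bot: The new secfixes entry files CVE-2025-9230 and CVE-2025-9232 under `3.1.8-r1`, but nothing in this diff changes `pkgrel`: the diffstat is 8 insertions and 0 deletions, and the `pkgrel=` line near the top of the APKBUILD is outside both hunks. If `pkgrel` is still 0, no rebuild is triggered and the secdb will advertise a fix that no published apk contains; if it was already bumped to 1 by an earlier, already-published commit, the r1 build that shipped without these patches is wrongly marked fixed and the entry should read `3.1.8-r2`. Please confirm the current `pkgrel` value and make the bump part of the same commit as the secfixes entry, e.g. `-pkgrel=0` / `+pkgrel=1`.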
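Review bot: `# - CVE-2025-9231` is appended to a secfixes list whose version header lies outside the hunk, so a reader of this diff cannot tell whether it lands under a real release or under the `0:` not-affected list, and the commit title names only 9230 and 9232. As I read the linked advisory, 9231 (the ARM64 SM2 timing issue) is reported against 3.3 and later, so a not-affected placement looks right for 3.1.8 — but since these entries feed the secdb that scanners act on, the commit message should state it explicitly, e.g. `CVE-2025-9231 does not affect 3.1; recorded as not applicable`.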
@@ -233,4 +239,6 @@ sha512sums=" faf066b207184a67387d4659b68de0bb89c4ec847b835998c8cc57ee4a8759f3fc3b7fe2db85f394bf8c54720ce044447168e0fa2fda6f0901c4d9a1697d9a6e openssl-3.1.8.tar.gz 63f7b46f11c222d2c49200f252937516cbca0bfeb475f008a18ad1abeb1d73110ba7a0506898353c8c6c760c5cb446215da7c83a420afa57e0d73f7fb8c3af7a auxv.patch 8c44e990fe8a820f649631b9f81cf28225b7516065169a7f68e2dd7c067b30df9b2c6cb88fa826afbc9fcdaf156360aabf7c498d2d9ed452968815b12b004809 man-section.patch +175ec2f0e2ce32e3152fdeafbae020a0a5299caf975b7bf5261d269f2f09d4c1203922f5d8755d18e5fc38b740b4c985952051381cd80aa05239d0a732f510b7 CVE-2025-9230.patch +fbcd8a91979e68a4ada2e7c69e9370ea46bed37004ed1cec8c6443aa8aa983ab0a6f95d06d6c69af66b6ff4fe476396972329e5bbea0ac8c29067b92a145bf27 CVE-2025-9232.patch " diff --git a/main/openssl/CVE-2025-9230.patch b/main/openssl/CVE-2025-9230.patch new file mode 100644 index 00000000000..500180b56f2 --- /dev/null +++ b/main/openssl/CVE-2025-9230.patch @@ -0,0 +1,31 @@ +From a79c4ce559c6a3a8fd4109e9f33c1185d5bf2def Mon Sep 17 00:00:00 2001 +From: Viktor Dukhovni +Date: Thu, 11 Sep 2025 18:10:12 +0200 +Subject: [PATCH] kek_unwrap_key(): Fix incorrect check of unwrapped key size + +Fixes CVE-2025-9230 + +The check is off by 8 bytes so it is possible to overread by +up to 8 bytes and overwrite up to 4 bytes. + +Reviewed-by: Neil Horman +Reviewed-by: Matt Caswell +Reviewed-by: Tomas Mraz +(cherry picked from commit 9c462be2cea54ebfc62953224220b56f8ba22a0c) +--- + crypto/cms/cms_pwri.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/crypto/cms/cms_pwri.c b/crypto/cms/cms_pwri.c +index d5c3c8d399dfd..33a7ccaa76a3a 100644 +--- a/crypto/cms/cms_pwri.c ++++ b/crypto/cms/cms_pwri.c +@@ -229,7 +229,7 @@ static int kek_unwrap_key(unsigned char *out, size_t *outlen, + /* Check byte failure */ + goto err; + } +- if (inlen < (size_t)(tmp[0] - 4)) { ++ if (inlen < 4 + (size_t)tmp[0]) { + /* Invalid length value */ + goto err; + } 
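Review bot: The corrected bound `inlen < 4 + (size_t)tmp[0]` keeps the copy that follows the check (outside the hunk) inside `tmp`, but it says nothing about the destination buffer: the write into `out` is only safe if the caller allocated it with at least `inlen` bytes, and that allocation lives in kek_unwrap_key's caller, which this patch does not touch — please confirm it in the 3.1 tree when applying the backport rather than relying on the upstream branch the fix was cherry-picked from. The backported patch also carries no regression test; an input whose length byte exceeds `inlen - 4` should now hit the `Invalid length value` branch, which is cheap to verify locally before release. kek_unwrap_key begins and ends outside the hunk.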
diff --git a/main/openssl/CVE-2025-9232.patch b/main/openssl/CVE-2025-9232.patch new file mode 100644 index 00000000000..a929f8ae44f --- /dev/null +++ b/main/openssl/CVE-2025-9232.patch @@ -0,0 +1,29 @@ +From 654dc11d23468a74fc8ea4672b702dd3feb7be4b Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Thu, 11 Sep 2025 18:43:55 +0200 +Subject: [PATCH] use_proxy(): Add missing terminating NUL byte + +Fixes CVE-2025-9232 + +There is a missing terminating NUL byte after strncpy() call. +Issue and a proposed fix reported by Stanislav Fort (Aisle Research). + +Reviewed-by: Neil Horman +Reviewed-by: Matt Caswell +(cherry picked from commit 6bca15039e99d37ce3a3564eb862a3b1ff40e63d) +--- + crypto/http/http_lib.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/crypto/http/http_lib.c b/crypto/http/http_lib.c +index 9c41f57541d74..614fd200b7c0c 100644 +--- a/crypto/http/http_lib.c ++++ b/crypto/http/http_lib.c +@@ -267,6 +267,7 @@ static int use_proxy(const char *no_proxy, const char *server) + /* strip leading '[' and trailing ']' from escaped IPv6 address */ + sl -= 2; + strncpy(host, server + 1, sl); ++ host[sl] = '\0'; + server = host; + } +
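Review bot: `host[sl] = '\0';` is in bounds only if `sl + 1 <= sizeof host` is guaranteed before this point; the declaration of `host` and any size guard are outside the hunk, so confirm that guard exists in the 3.1 branch being patched and is not something the upstream commit relied on from a newer branch. As a point of style, the `strncpy(host, server + 1, sl)` being terminated here is a plain bounded copy of bytes that cannot be NUL (they lie inside the `[...]` literal of a C string), so `memcpy(host, server + 1, sl); host[sl] = '\0';` states the intent more honestly than strncpy, whose missing terminator is exactly what caused CVE-2025-9232. use_proxy starts before and continues after the hunk.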