[AUTO-CHERRYPICK] Patch openssl for CVE-2025-69419, CVE-2026-22795, and CVE-2026-22796 - branch 3.0-dev (#15698)

Co-authored-by: corvus-callidus <lyrydber@microsoft.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>

Author: 3 people

SPECS/openssl/CVE-2025-69419.patch

@@ -0,0 +1,48 @@
+From a26a90d38edec3748566129d824e664b54bee2e2 Mon Sep 17 00:00:00 2001
+From: Norbert Pocs <norbertp@openssl.org>
+Date: Thu, 11 Dec 2025 12:49:00 +0100
+Subject: [PATCH] Check return code of UTF8_putc
+
+Signed-off-by: Norbert Pocs <norbertp@openssl.org>
+
+Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
+Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/29376)
+---
+ crypto/asn1/a_strex.c   | 6 ++++--
+ crypto/pkcs12/p12_utl.c | 5 +++++
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/asn1/a_strex.c b/crypto/asn1/a_strex.c
+index 683b8a06fc540..68c2e31a70a28 100644
+--- a/crypto/asn1/a_strex.c
++++ b/crypto/asn1/a_strex.c
+@@ -198,8 +198,10 @@ static int do_buf(unsigned char *buf, int buflen,
+             orflags = CHARTYPE_LAST_ESC_2253;
+         if (type & BUF_TYPE_CONVUTF8) {
+             unsigned char utfbuf[6];
+-            int utflen;
+-            utflen = UTF8_putc(utfbuf, sizeof(utfbuf), c);
++            int utflen = UTF8_putc(utfbuf, sizeof(utfbuf), c);
++
++            if (utflen < 0)
++                return -1; /* error happened with UTF8 */
+             for (i = 0; i < utflen; i++) {
+                 /*
+                  * We don't need to worry about setting orflags correctly
+diff --git a/crypto/pkcs12/p12_utl.c b/crypto/pkcs12/p12_utl.c
+index 1669ef5b07939..9360f9930713f 100644
+--- a/crypto/pkcs12/p12_utl.c
++++ b/crypto/pkcs12/p12_utl.c
+@@ -206,6 +206,11 @@ char *OPENSSL_uni2utf8(const unsigned char *uni, int unilen)
+     /* re-run the loop emitting UTF-8 string */
+     for (asclen = 0, i = 0; i < unilen; ) {
+         j = bmp_to_utf8(asctmp+asclen, uni+i, unilen-i);
++        /* when UTF8_putc fails */
++        if (j < 0) {
++            OPENSSL_free(asctmp);
++            return NULL;
++        }
+         if (j == 4) i += 4;
+         else        i += 2;
+         asclen += j;

SPECS/openssl/CVE-2026-22796.patch

@@ -0,0 +1,73 @@
+From eeee3cbd4d682095ed431052f00403004596373e Mon Sep 17 00:00:00 2001
+From: Bob Beck <beck@openssl.org>
+Date: Wed, 7 Jan 2026 11:29:48 -0700
+Subject: [PATCH] Ensure ASN1 types are checked before use.
+
+Some of these were fixed by LibreSSL in commit https://github.com/openbsd/src/commit/aa1f637d454961d22117b4353f98253e984b3ba8
+this fix includes the other fixes in that commit, as well as fixes for others found by a scan
+for a similar unvalidated access paradigm in the tree.
+
+Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
+Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/29582)
+
+Fixes CVE-2026-22796, CVE-2026-22795
+---
+ apps/s_client.c          |  3 ++-
+ crypto/pkcs12/p12_kiss.c | 10 ++++++++--
+ crypto/pkcs7/pk7_doit.c  |  2 ++
+ 3 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/apps/s_client.c b/apps/s_client.c
+index c5b7384a290a4..1f52cf378fbbc 100644
+--- a/apps/s_client.c
++++ b/apps/s_client.c
+@@ -2832,8 +2832,9 @@ int s_client_main(int argc, char **argv)
+                 goto end;
+             }
+             atyp = ASN1_generate_nconf(genstr, cnf);
+-            if (atyp == NULL) {
++            if (atyp == NULL || atyp->type != V_ASN1_SEQUENCE) {
+                 NCONF_free(cnf);
++                ASN1_TYPE_free(atyp);
+                 BIO_printf(bio_err, "ASN1_generate_nconf failed\n");
+                 goto end;
+             }
+diff --git a/crypto/pkcs12/p12_kiss.c b/crypto/pkcs12/p12_kiss.c
+index 10b581612dbb2..d0236e34fe9df 100644
+--- a/crypto/pkcs12/p12_kiss.c
++++ b/crypto/pkcs12/p12_kiss.c
+@@ -196,11 +196,17 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
+     ASN1_BMPSTRING *fname = NULL;
+     ASN1_OCTET_STRING *lkid = NULL;
+ 
+-    if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_friendlyName)))
++    if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_friendlyName))) {
++        if (attrib->type != V_ASN1_BMPSTRING)
++            return 0;
+         fname = attrib->value.bmpstring;
++    }
+ 
+-    if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_localKeyID)))
++    if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_localKeyID))) {
++        if (attrib->type != V_ASN1_OCTET_STRING)
++            return 0;
+         lkid = attrib->value.octet_string;
++    }
+ 
+     switch (PKCS12_SAFEBAG_get_nid(bag)) {
+     case NID_keyBag:
+diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
+index 74f863af8fa52..6353fec47c068 100644
+--- a/crypto/pkcs7/pk7_doit.c
++++ b/crypto/pkcs7/pk7_doit.c
+@@ -1178,6 +1178,8 @@ ASN1_OCTET_STRING *PKCS7_digest_from_attributes(STACK_OF(X509_ATTRIBUTE) *sk)
+     ASN1_TYPE *astype;
+     if ((astype = get_attribute(sk, NID_pkcs9_messageDigest)) == NULL)
+         return NULL;
++    if (astype->type != V_ASN1_OCTET_STRING)
++        return NULL;
+     return astype->value.octet_string;
+ }
+ 

SPECS/openssl/openssl.spec

@@ -9,7 +9,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.3.5
-Release: 2%{?dist}
+Release: 3%{?dist}
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Source: https://github.com/openssl/openssl/releases/download/openssl-%{version}/openssl-%{version}.tar.gz
@@ -75,6 +75,8 @@ Patch105: 0001-Fix-heap-buffer-overflow-in-BIO_f_linebuffer.patch
 Patch106: 0001-Fix-OCB-AES-NI-HW-stream-path-unauthenticated-unencr.patch
 Patch107: 0001-Verify-ASN1-object-s-types-before-attempting-to-acce.patch
 Patch108: 0001-Add-NULL-check-to-PKCS12_item_decrypt_d2i_ex.patch
+Patch109: CVE-2025-69419.patch
+Patch110: CVE-2026-22796.patch
 
 License: Apache-2.0
 URL: http://www.openssl.org/
@@ -368,6 +370,9 @@ install -m644 %{SOURCE9} \
 %ldconfig_scriptlets libs
 
 %changelog
+* Thu Jan 29 2026 Lynsey Rydberg <lyrydber@microsoft.com> - 3.3.5-3
+- Patch CVE-2025-69419, CVE-2026-22795, and CVE-2026-22796
+
 * Tue Jan 27 2026 Lynsey Rydberg <lyrydber@microsoft.com> - 3.3.5-2
 - Patch CVE-2025-15467, CVE-2025-15468, CVE-2025-66199, CVE-2025-68160,
   CVE-2025-69418, CVE-2025-69420, and CVE-2025-69421

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -170,11 +170,11 @@ gtk-doc-1.33.2-1.azl3.noarch.rpm
 autoconf-2.72-2.azl3.noarch.rpm
 automake-1.16.5-2.azl3.noarch.rpm
 ocaml-srpm-macros-9-4.azl3.noarch.rpm
-openssl-3.3.5-2.azl3.aarch64.rpm
-openssl-devel-3.3.5-2.azl3.aarch64.rpm
-openssl-libs-3.3.5-2.azl3.aarch64.rpm
-openssl-perl-3.3.5-2.azl3.aarch64.rpm
-openssl-static-3.3.5-2.azl3.aarch64.rpm
+openssl-3.3.5-3.azl3.aarch64.rpm
+openssl-devel-3.3.5-3.azl3.aarch64.rpm
+openssl-libs-3.3.5-3.azl3.aarch64.rpm
+openssl-perl-3.3.5-3.azl3.aarch64.rpm
+openssl-static-3.3.5-3.azl3.aarch64.rpm
 libcap-2.69-12.azl3.aarch64.rpm
 libcap-devel-2.69-12.azl3.aarch64.rpm
 debugedit-5.0-2.azl3.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -170,11 +170,11 @@ gtk-doc-1.33.2-1.azl3.noarch.rpm
 autoconf-2.72-2.azl3.noarch.rpm
 automake-1.16.5-2.azl3.noarch.rpm
 ocaml-srpm-macros-9-4.azl3.noarch.rpm
-openssl-3.3.5-2.azl3.x86_64.rpm
-openssl-devel-3.3.5-2.azl3.x86_64.rpm
-openssl-libs-3.3.5-2.azl3.x86_64.rpm
-openssl-perl-3.3.5-2.azl3.x86_64.rpm
-openssl-static-3.3.5-2.azl3.x86_64.rpm
+openssl-3.3.5-3.azl3.x86_64.rpm
+openssl-devel-3.3.5-3.azl3.x86_64.rpm
+openssl-libs-3.3.5-3.azl3.x86_64.rpm
+openssl-perl-3.3.5-3.azl3.x86_64.rpm
+openssl-static-3.3.5-3.azl3.x86_64.rpm
 libcap-2.69-12.azl3.x86_64.rpm
 libcap-devel-2.69-12.azl3.x86_64.rpm
 debugedit-5.0-2.azl3.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -287,12 +287,12 @@ npth-debuginfo-1.6-4.azl3.aarch64.rpm
 npth-devel-1.6-4.azl3.aarch64.rpm
 ntsysv-1.25-1.azl3.aarch64.rpm
 ocaml-srpm-macros-9-4.azl3.noarch.rpm
-openssl-3.3.5-2.azl3.aarch64.rpm
-openssl-debuginfo-3.3.5-2.azl3.aarch64.rpm
-openssl-devel-3.3.5-2.azl3.aarch64.rpm
-openssl-libs-3.3.5-2.azl3.aarch64.rpm
-openssl-perl-3.3.5-2.azl3.aarch64.rpm
-openssl-static-3.3.5-2.azl3.aarch64.rpm
+openssl-3.3.5-3.azl3.aarch64.rpm
+openssl-debuginfo-3.3.5-3.azl3.aarch64.rpm
+openssl-devel-3.3.5-3.azl3.aarch64.rpm
+openssl-libs-3.3.5-3.azl3.aarch64.rpm
+openssl-perl-3.3.5-3.azl3.aarch64.rpm
+openssl-static-3.3.5-3.azl3.aarch64.rpm
 p11-kit-0.25.0-1.azl3.aarch64.rpm
 p11-kit-debuginfo-0.25.0-1.azl3.aarch64.rpm
 p11-kit-devel-0.25.0-1.azl3.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -295,12 +295,12 @@ npth-debuginfo-1.6-4.azl3.x86_64.rpm
 npth-devel-1.6-4.azl3.x86_64.rpm
 ntsysv-1.25-1.azl3.x86_64.rpm
 ocaml-srpm-macros-9-4.azl3.noarch.rpm
-openssl-3.3.5-2.azl3.x86_64.rpm
-openssl-debuginfo-3.3.5-2.azl3.x86_64.rpm
-openssl-devel-3.3.5-2.azl3.x86_64.rpm
-openssl-libs-3.3.5-2.azl3.x86_64.rpm
-openssl-perl-3.3.5-2.azl3.x86_64.rpm
-openssl-static-3.3.5-2.azl3.x86_64.rpm
+openssl-3.3.5-3.azl3.x86_64.rpm
+openssl-debuginfo-3.3.5-3.azl3.x86_64.rpm
+openssl-devel-3.3.5-3.azl3.x86_64.rpm
+openssl-libs-3.3.5-3.azl3.x86_64.rpm
+openssl-perl-3.3.5-3.azl3.x86_64.rpm
+openssl-static-3.3.5-3.azl3.x86_64.rpm
 p11-kit-0.25.0-1.azl3.x86_64.rpm
 p11-kit-debuginfo-0.25.0-1.azl3.x86_64.rpm
 p11-kit-devel-0.25.0-1.azl3.x86_64.rpm