Merge PR "[AUTO-CHERRYPICK] Patch openssl for PKCS12_item_decrypt_d2i_ex(): Check oct argument for NULL - branch main" #16166

Co-authored-by: Archana Shettigar <v-shettigara@microsoft.com>

Author: CBL-Mariner-Bot

SPECS/openssl/openssl-1.1.1-check-oct-argument-for-NULL.patch

@@ -0,0 +1,38 @@
+Commit 00a87a8e: Add NULL check to PKCS12_item_decrypt_d2i_ex
+
+Address CVE-2025-69421
+
+Add NULL check for oct parameter
+
+Reviewed-by: Saša Nedvědický <sashan@openssl.org>
+Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
+Reviewed-by: Norbert Pocs <norbertp@openssl.org>
+Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+(Merged from https://github.com/openssl/premium/pull/12)
+
+Upstream Reference Patch: https://msazure.visualstudio.com/PlatformCrypto/_git/openssl-msft/commit/00a87a8e7bc2a3cc780fcd645c3c4341b7d1bc54?path=/crypto/pkcs12
+---
+ crypto/pkcs12/p12_decr.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/crypto/pkcs12/p12_decr.c b/crypto/pkcs12/p12_decr.c
+index 3c86058..da2133d 100644
+--- a/crypto/pkcs12/p12_decr.c
++++ b/crypto/pkcs12/p12_decr.c
+@@ -88,6 +88,12 @@ void *PKCS12_item_decrypt_d2i(const X509_ALGOR *algor, const ASN1_ITEM *it,
+     void *ret;
+     int outlen;
+ 
++    if (oct == NULL) {
++        PKCS12err(PKCS12_F_PKCS12_ITEM_DECRYPT_D2I,
++                  PKCS12_R_INVALID_NULL_ARGUMENT);
++        return NULL;
++    }
++
+     if (!PKCS12_pbe_crypt(algor, pass, passlen, oct->data, oct->length,
+                           &out, &outlen, 0)) {
+         PKCS12err(PKCS12_F_PKCS12_ITEM_DECRYPT_D2I,
+-- 
+2.45.4
+

SPECS/openssl/openssl.spec

@@ -4,7 +4,7 @@
 Summary:        Utilities from the general purpose cryptography library with TLS implementation
 Name:           openssl
 Version:        1.1.1k
-Release:        38%{?dist}
+Release:        39%{?dist}
 License:        OpenSSL
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -72,6 +72,7 @@ Patch48:        openssl-1.1.1-fix-heap-buffer-overflow-in-BIO_f_linebuffer.patch
 Patch49:        openssl-1.1.1-fix-OCB-AES-NI-HW-stream-path-unauthenticated-unencrypted.patch
 Patch50:        openssl-1.1.1-check-return-code-of-UTF8_putc.patch
 Patch51:        openssl-1.1.1-verify-ASN1-objects-types.patch
+Patch52:        openssl-1.1.1-check-oct-argument-for-NULL.patch
 
 BuildRequires:  perl-Test-Warnings
 BuildRequires:  perl-Text-Template
@@ -335,6 +336,9 @@ rm -f %{buildroot}%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist
 %postun libs -p /sbin/ldconfig
 
 %changelog
+* Wed Mar 11 2026 Archana Shettigar <v-shettigara@microsoft.com> - 1.1.1k-39
+- Patch PKCS12_item_decrypt_d2i_ex(): Check oct argument for NULL
+
 * Fri Feb 20 2026 Kanishk Bansal <kanbansal@microsoft.com> - 1.1.1k-38
 - Ensure ASN1 types are checked before use in s_client, PKCS12, and PKCS7
 - Fix heap buffer overflow in BIO_f_linebuffer on short writes

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -165,11 +165,11 @@ texinfo-6.8-1.cm2.aarch64.rpm
 gtk-doc-1.33.2-1.cm2.noarch.rpm
 autoconf-2.71-3.cm2.noarch.rpm
 automake-1.16.5-1.cm2.noarch.rpm
-openssl-1.1.1k-38.cm2.aarch64.rpm
-openssl-devel-1.1.1k-38.cm2.aarch64.rpm
-openssl-libs-1.1.1k-38.cm2.aarch64.rpm
-openssl-perl-1.1.1k-38.cm2.aarch64.rpm
-openssl-static-1.1.1k-38.cm2.aarch64.rpm
+openssl-1.1.1k-39.cm2.aarch64.rpm
+openssl-devel-1.1.1k-39.cm2.aarch64.rpm
+openssl-libs-1.1.1k-39.cm2.aarch64.rpm
+openssl-perl-1.1.1k-39.cm2.aarch64.rpm
+openssl-static-1.1.1k-39.cm2.aarch64.rpm
 libcap-2.60-7.cm2.aarch64.rpm
 libcap-devel-2.60-7.cm2.aarch64.rpm
 debugedit-5.0-2.cm2.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -165,11 +165,11 @@ texinfo-6.8-1.cm2.x86_64.rpm
 gtk-doc-1.33.2-1.cm2.noarch.rpm
 autoconf-2.71-3.cm2.noarch.rpm
 automake-1.16.5-1.cm2.noarch.rpm
-openssl-1.1.1k-38.cm2.x86_64.rpm
-openssl-devel-1.1.1k-38.cm2.x86_64.rpm
-openssl-libs-1.1.1k-38.cm2.x86_64.rpm
-openssl-perl-1.1.1k-38.cm2.x86_64.rpm
-openssl-static-1.1.1k-38.cm2.x86_64.rpm
+openssl-1.1.1k-39.cm2.x86_64.rpm
+openssl-devel-1.1.1k-39.cm2.x86_64.rpm
+openssl-libs-1.1.1k-39.cm2.x86_64.rpm
+openssl-perl-1.1.1k-39.cm2.x86_64.rpm
+openssl-static-1.1.1k-39.cm2.x86_64.rpm
 libcap-2.60-7.cm2.x86_64.rpm
 libcap-devel-2.60-7.cm2.x86_64.rpm
 debugedit-5.0-2.cm2.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -270,12 +270,12 @@ npth-1.6-4.cm2.aarch64.rpm
 npth-debuginfo-1.6-4.cm2.aarch64.rpm
 npth-devel-1.6-4.cm2.aarch64.rpm
 ntsysv-1.20-4.cm2.aarch64.rpm
-openssl-1.1.1k-38.cm2.aarch64.rpm
-openssl-debuginfo-1.1.1k-38.cm2.aarch64.rpm
-openssl-devel-1.1.1k-38.cm2.aarch64.rpm
-openssl-libs-1.1.1k-38.cm2.aarch64.rpm
-openssl-perl-1.1.1k-38.cm2.aarch64.rpm
-openssl-static-1.1.1k-38.cm2.aarch64.rpm
+openssl-1.1.1k-39.cm2.aarch64.rpm
+openssl-debuginfo-1.1.1k-39.cm2.aarch64.rpm
+openssl-devel-1.1.1k-39.cm2.aarch64.rpm
+openssl-libs-1.1.1k-39.cm2.aarch64.rpm
+openssl-perl-1.1.1k-39.cm2.aarch64.rpm
+openssl-static-1.1.1k-39.cm2.aarch64.rpm
 p11-kit-0.24.1-1.cm2.aarch64.rpm
 p11-kit-debuginfo-0.24.1-1.cm2.aarch64.rpm
 p11-kit-devel-0.24.1-1.cm2.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -276,12 +276,12 @@ npth-1.6-4.cm2.x86_64.rpm
 npth-debuginfo-1.6-4.cm2.x86_64.rpm
 npth-devel-1.6-4.cm2.x86_64.rpm
 ntsysv-1.20-4.cm2.x86_64.rpm
-openssl-1.1.1k-38.cm2.x86_64.rpm
-openssl-debuginfo-1.1.1k-38.cm2.x86_64.rpm
-openssl-devel-1.1.1k-38.cm2.x86_64.rpm
-openssl-libs-1.1.1k-38.cm2.x86_64.rpm
-openssl-perl-1.1.1k-38.cm2.x86_64.rpm
-openssl-static-1.1.1k-38.cm2.x86_64.rpm
+openssl-1.1.1k-39.cm2.x86_64.rpm
+openssl-debuginfo-1.1.1k-39.cm2.x86_64.rpm
+openssl-devel-1.1.1k-39.cm2.x86_64.rpm
+openssl-libs-1.1.1k-39.cm2.x86_64.rpm
+openssl-perl-1.1.1k-39.cm2.x86_64.rpm
+openssl-static-1.1.1k-39.cm2.x86_64.rpm
 p11-kit-0.24.1-1.cm2.x86_64.rpm
 p11-kit-debuginfo-0.24.1-1.cm2.x86_64.rpm
 p11-kit-devel-0.24.1-1.cm2.x86_64.rpm