From: Igor Ustinov Date: Sat, 16 May 2026 06:22:53 +0000 (+0200) Subject: Test for CVE-2026-45447 (UAF in PKCS7_verify) X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=463b444cb16474fdcf2f5ce66227afe2a215f38c;p=thirdparty%2Fopenssl.git Test for CVE-2026-45447 (UAF in PKCS7_verify) The test data were created with a tool developed by Thai Duong . Reviewed-by: Eugene Syromiatnikov Reviewed-by: Tomas Mraz MergeDate: Mon Jun 8 20:22:52 2026 --- diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t index 160ad81ae38..34b5fc41712 100644 --- a/test/recipes/80-test_cms.t +++ b/test/recipes/80-test_cms.t @@ -56,7 +56,7 @@ my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib) $no_rc2 = 1 if disabled("legacy"); -plan tests => 38; +plan tests => 39; ok(run(test(["pkcs7_test"])), "test pkcs7"); @@ -1263,6 +1263,23 @@ subtest "CMS code signing test" => sub { "fail verify CMS signature with code signing certificate for purpose smime_sign"); }; +# Regression test for PKCS7_verify() ownership handling when +# digestAlgorithms is an empty SET. +# The malformed structure must fail cleanly without crashing or +# triggering use-after-free behaviour. +with({ exit_checker => sub { return shift == 4; } }, + sub { + ok(run(app([ + 'openssl', 'smime', + '-verify', + '-noverify', + '-in', + srctop_file('test', 'smime-eml', + 'pkcs7-empty-digest-set.eml'), + ])), + "Check empty digestAlgorithms SET is handled safely"); + }); + # Test case for missing MD algorithm (must not segfault) with({ exit_checker => sub { return shift == 4; } }, diff --git a/test/smime-eml/pkcs7-empty-digest-set.eml b/test/smime-eml/pkcs7-empty-digest-set.eml new file mode 100644 index 00000000000..a6db2c38adf --- /dev/null +++ b/test/smime-eml/pkcs7-empty-digest-set.eml @@ -0,0 +1,45 @@ +MIME-Version: 1.0 +Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----E0314CC5D732C92AE2D7A3BACDCDCFCE" + +This is an S/MIME signed message + +------E0314CC5D732C92AE2D7A3BACDCDCFCE +This is the content to be signed. + +------E0314CC5D732C92AE2D7A3BACDCDCFCE +Content-Type: application/x-pkcs7-signature; name="smime.p7s" +Content-Transfer-Encoding: base64 +Content-Disposition: attachment; filename="smime.p7s" + +MIIFWgYJKoZIhvcNAQcCoIIFSzCCBUcCAQExADALBgkqhkiG9w0BBwGgggLuMIIC +6jCCAdKgAwIBAgIUL5E46FxyhsT7C3G1NS27OtR7XAowDQYJKoZIhvcNAQELBQAw +FTETMBEGA1UEAwwKUG9DIFNpZ25lcjAeFw0yNjA1MDgxMDIwNDhaFw0yNzA1MDgx +MDIwNDhaMBUxEzARBgNVBAMMClBvQyBTaWduZXIwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQDSSu/gupmIlclvmTMHiqOrCqmB8NRTjAMoI//MPJrnFXYp +FjDPMk7Y/kCcHztudaIvADkowaFtOm4oMinQFhjwCNCo5K5WrrlAitnpcd5QH2nA +iVZXjjohQUJEd7n33AGqTwo5EGaCK+alAZL7tA7bdhNi/aZ33L3bUNYqoHbXiNsE +u1tj8frLfIjduOt0TMPSOrrFjjEsrL3T3tg+HmxpalDHz7E6o9zJu0wlk8bcR2Xk +mpX8RdYCu7K9m39N1F2WKa9WJh24NQLpWRfwD213jaIFK2EXy/XHePDUeiMYtVOV +oovCSmY7OqowupA7J+4dcsnRjFqgZECctHhAfk+PAgMBAAGjMjAwMB0GA1UdDgQW +BBRZlupXNYq4fny0SE76sr/CdQ2DUTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3 +DQEBCwUAA4IBAQANOlttTWVz620JNTrPzhiR4x9+5UiF4GSqv8BRJQFj3Xh7fsUp ++3GDs9M27f4FVh3utJsjt7Sa9ZWLpBVdgjGBwGLAtPsoYMjhnUgZTUvwEk5+aXyv +zJxn4I7mMbDhlNCMHcVtGdtA+2UOEuvdGfuEilpzPsV8DzM1K3xU5bSWoo0BRFKK +srHkyEfxCFPAQOcX80ZbMO6zdcXeJjC6mQXGqy2aqeQob0vuSZJ7QHZBlRjY5YHR +wWlIqG8G3Eist16iTqdX2PQFZT1/QAEQ/LnXARTUUjUroccdci8YNASoeHDpcjRL +MBrN+QBNZVt5qLhDogwZb2ZwqKfZ8Aqg3oAkMYICPzCCAjsCAQEwLTAVMRMwEQYD +VQQDDApQb0MgU2lnbmVyAhQvkTjoXHKGxPsLcbU1Lbs61HtcCjANBglghkgBZQME +AgEFAKCB5DAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEP +Fw0yNjA1MDgxMDIwNDhaMC8GCSqGSIb3DQEJBDEiBCAvyoHfycLqb8UzVPizy1uA +o3h7tza3HebeiJaSnpIJHzB5BgkqhkiG9w0BCQ8xbDBqMAsGCWCGSAFlAwQBKjAL +BglghkgBZQMEARYwCwYJYIZIAWUDBAECMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMC +AgIAgDANBggqhkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDANBgkq +hkiG9w0BAQEFAASCAQBIpl7U2j4YiU1vdZHyx2dCK41ZahtTVOB4RVJcrmopgans +fICdkSTfb0dVqc13++bYn4i1b2R2os5YIkoGxdrM5aZB7KF9r1xwgrendTF4/BwP +gQq2khNtKebv9Yr0kOPynFIsgx5BHk99wrzfwidJUFuJJgQ9W0YOf7EGkbnZvPT+ +hV0aeLmJAb5jjWhbDciqUjR3O23JQhzVj4U3vo2TeN7VYmNJsX+fA4sZzIbYSei9 +ps7GZruiRcKgqgUj1l8HjIGMHqd9lccchk/BYyAGxAbgGisntvfJdPZO09wG8rHh +eS6FYkkXAKBO49WbhE9aVLJH0zgA6gTfyEvOOOS1 + +------E0314CC5D732C92AE2D7A3BACDCDCFCE-- +