Merge updates from debian/bullseye-security

debian/changelog

+openssl (1.1.1n-0+deb11u4) bullseye-security; urgency=medium
+
+  * CVE-2022-4450 (Double free after calling PEM_read_bio_ex).
+  * CVE-2023-0286 (X.400 address type confusion in X.509 GeneralName).
+  * CVE-2023-0215 (Use-after-free following BIO_new_NDEF).
+  * CVE-2022-4304 (Timing Oracle in RSA Decryption).
+  * CVE-2022-2097 (AES OCB fails to encrypt some bytes).
+
+ -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Sun, 05 Feb 2023 22:23:17 +0100
+
 openssl (1.1.1n-0+deb11u3+apertis1) apertis; urgency=medium
 
   * Sync updates from Debian Bullseye Security

debian/patches/AES-OCB-test-vectors.patch

+From: Alex Chernyakhovsky <achernya@google.com>
+Date: Thu, 16 Jun 2022 12:02:37 +1000
+Subject: AES OCB test vectors
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Add test vectors for AES OCB for x86 AES-NI multiple of 96 byte issue.
+
+Co-authored-by: Alejandro Sedeño <asedeno@google.com>
+Co-authored-by: David Benjamin <davidben@google.com>
+
+Reviewed-by: Paul Dale <pauli@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+---
+ test/recipes/30-test_evp_data/evpciph.txt | 50 +++++++++++++++++++++++++++++++
+ 1 file changed, 50 insertions(+)
+
+diff --git a/test/recipes/30-test_evp_data/evpciph.txt b/test/recipes/30-test_evp_data/evpciph.txt
+index 1c02ea1e9c2d..e12670d9a4b4 100644
+--- a/test/recipes/30-test_evp_data/evpciph.txt
++++ b/test/recipes/30-test_evp_data/evpciph.txt
+@@ -1188,6 +1188,56 @@ Ciphertext = 09A4FD29DE949D9A9AA9924248422097AD4883B4713E6C214FF6567ADA08A967B21
+ Operation = DECRYPT
+ Result = CIPHERFINAL_ERROR
+ 
++#Test vectors generated to validate aesni_ocb_encrypt on x86
++Cipher = aes-128-ocb
++Key = 000102030405060708090A0B0C0D0E0F
++IV = 000000000001020304050607
++Tag = C14DFF7D62A13C4A3422456207453190
++Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
++Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B819333
++
++Cipher = aes-128-ocb
++Key = 000102030405060708090A0B0C0D0E0F
++IV = 000000000001020304050607
++Tag = D47D84F6FF912C79B6A4223AB9BE2DB8
++Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F
++Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC204
++
++Cipher = aes-128-ocb
++Key = 000102030405060708090A0B0C0D0E0F
++IV = 000000000001020304050607
++Tag = 41970D13737B7BD1B5FBF49ED4412CA5
++Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D
++Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91
++
++Cipher = aes-128-ocb
++Key = 000102030405060708090A0B0C0D0E0F
++IV = 000000000001020304050607
++Tag = BE0228651ED4E48A11BDED68D953F3A0
++Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D
++Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F
++
++Cipher = aes-128-ocb
++Key = 000102030405060708090A0B0C0D0E0F
++IV = 000000000001020304050607
++Tag = 17BC6E10B16E5FDC52836E7D589518C7
++Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D
++Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B
++
++Cipher = aes-128-ocb
++Key = 000102030405060708090A0B0C0D0E0F
++IV = 000000000001020304050607
++Tag = E84AAC18666116990A3A37B3A5FC55BD
++Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D
++Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B11CF99263D693AEBDF8ADE1A1D838DED
++
++Cipher = aes-128-ocb
++Key = 000102030405060708090A0B0C0D0E0F
++IV = 000000000001020304050607
++Tag = 3E5EA7EE064FE83B313E28D411E91EAD
++Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D
++Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B11CF99263D693AEBDF8ADE1A1D838DED48D9E09F452F8E6FBEB76A3DED47611C
++
+ Title = AES XTS test vectors from IEEE Std 1619-2007
+ 
+ # Using the same key twice for encryption is always banned.

debian/patches/Add-a-test-for-CVE-2022-4450.patch

+From: Matt Caswell <matt@openssl.org>
+Date: Tue, 13 Dec 2022 15:02:26 +0000
+Subject: Add a test for CVE-2022-4450
+
+Call PEM_read_bio_ex() and expect a failure. There should be no dangling
+ptrs and therefore there should be no double free if we free the ptrs on
+error.
+---
+ test/pemtest.c | 30 ++++++++++++++++++++++++++++++
+ 1 file changed, 30 insertions(+)
+
+diff --git a/test/pemtest.c b/test/pemtest.c
+index 3203d976be76..edeb0a12059e 100644
+--- a/test/pemtest.c
++++ b/test/pemtest.c
+@@ -83,9 +83,39 @@ static int test_invalid(void)
+     return 1;
+ }
+ 
++static int test_empty_payload(void)
++{
++    BIO *b;
++    static char *emptypay =
++        "-----BEGIN CERTIFICATE-----\n"
++        "-\n" /* Base64 EOF character */
++        "-----END CERTIFICATE-----";
++    char *name = NULL, *header = NULL;
++    unsigned char *data = NULL;
++    long len;
++    int ret = 0;
++
++    b = BIO_new_mem_buf(emptypay, strlen(emptypay));
++    if (!TEST_ptr(b))
++        return 0;
++
++    /* Expected to fail because the payload is empty */
++    if (!TEST_false(PEM_read_bio_ex(b, &name, &header, &data, &len, 0)))
++        goto err;
++
++    ret = 1;
++ err:
++    OPENSSL_free(name);
++    OPENSSL_free(header);
++    OPENSSL_free(data);
++    BIO_free(b);
++    return ret;
++}
++
+ int setup_tests(void)
+ {
+     ADD_ALL_TESTS(test_b64, OSSL_NELEM(b64_pem_data));
+     ADD_TEST(test_invalid);
++    ADD_TEST(test_empty_payload);
+     return 1;
+ }

debian/patches/Avoid-dangling-ptrs-in-header-and-data-params-for-PEM_rea.patch

+From: Matt Caswell <matt@openssl.org>
+Date: Tue, 13 Dec 2022 14:54:55 +0000
+Subject: Avoid dangling ptrs in header and data params for PEM_read_bio_ex
+
+In the event of a failure in PEM_read_bio_ex() we free the buffers we
+allocated for the header and data buffers. However we were not clearing
+the ptrs stored in *header and *data. Since, on success, the caller is
+responsible for freeing these ptrs this can potentially lead to a double
+free if the caller frees them even on failure.
+
+Thanks to Dawei Wang for reporting this issue.
+
+Based on a proposed patch by Kurt Roeckx.
+
+CVE-2022-4450
+---
+ crypto/pem/pem_lib.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
+index 2de093595d0d..173045be21ea 100644
+--- a/crypto/pem/pem_lib.c
++++ b/crypto/pem/pem_lib.c
+@@ -957,7 +957,9 @@ int PEM_read_bio_ex(BIO *bp, char **name_out, char **header,
+     *data = pem_malloc(len, flags);
+     if (*header == NULL || *data == NULL) {
+         pem_free(*header, flags, 0);
++        *header = NULL;
+         pem_free(*data, flags, 0);
++        *data = NULL;
+         goto end;
+     }
+     BIO_read(headerB, *header, headerlen);

debian/patches/CVE-2023-0286-Fix-GENERAL_NAME_cmp-for-x400Address-1.1.1.patch

+From: Hugo Landau <hlandau@openssl.org>
+Date: Tue, 17 Jan 2023 17:45:42 +0000
+Subject: CVE-2023-0286: Fix GENERAL_NAME_cmp for x400Address (1.1.1)
+
+---
+ CHANGES                  | 20 ++++++++++++++++++++
+ crypto/x509v3/v3_genn.c  |  2 +-
+ include/openssl/x509v3.h |  2 +-
+ test/v3nametest.c        |  8 ++++++++
+ 4 files changed, 30 insertions(+), 2 deletions(-)
+
+diff --git a/CHANGES b/CHANGES
+index 3ef3fa28cfa8..265555ab95c5 100644
+--- a/CHANGES
++++ b/CHANGES
+@@ -7,6 +7,26 @@
+  https://github.com/openssl/openssl/commits/ and pick the appropriate
+  release branch.
+ 
++ Changes between 1.1.1s and 1.1.1t [xx XXX xxxx]
++
++  *) Fixed a type confusion vulnerability relating to X.400 address processing
++     inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING
++     but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This
++     vulnerability may allow an attacker who can provide a certificate chain and
++     CRL (neither of which need have a valid signature) to pass arbitrary
++     pointers to a memcmp call, creating a possible read primitive, subject to
++     some constraints. Refer to the advisory for more information. Thanks to
++     David Benjamin for discovering this issue. (CVE-2023-0286)
++
++     This issue has been fixed by changing the public header file definition of
++     GENERAL_NAME so that x400Address reflects the implementation. It was not
++     possible for any existing application to successfully use the existing
++     definition; however, if any application references the x400Address field
++     (e.g. in dead code), note that the type of this field has changed. There is
++     no ABI change.
++
++     [Hugo Landau]
++
+  Changes between 1.1.1m and 1.1.1n [15 Mar 2022]
+ 
+   *) Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever
+diff --git a/crypto/x509v3/v3_genn.c b/crypto/x509v3/v3_genn.c
+index 87a5eff47cd9..e54ddc55c957 100644
+--- a/crypto/x509v3/v3_genn.c
++++ b/crypto/x509v3/v3_genn.c
+@@ -98,7 +98,7 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
+         return -1;
+     switch (a->type) {
+     case GEN_X400:
+-        result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address);
++        result = ASN1_STRING_cmp(a->d.x400Address, b->d.x400Address);
+         break;
+ 
+     case GEN_EDIPARTY:
+diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h
+index 90fa3592ce58..e61c0f29d4b4 100644
+--- a/include/openssl/x509v3.h
++++ b/include/openssl/x509v3.h
+@@ -136,7 +136,7 @@ typedef struct GENERAL_NAME_st {
+         OTHERNAME *otherName;   /* otherName */
+         ASN1_IA5STRING *rfc822Name;
+         ASN1_IA5STRING *dNSName;
+-        ASN1_TYPE *x400Address;
++        ASN1_STRING *x400Address;
+         X509_NAME *directoryName;
+         EDIPARTYNAME *ediPartyName;
+         ASN1_IA5STRING *uniformResourceIdentifier;
+diff --git a/test/v3nametest.c b/test/v3nametest.c
+index d1852190b84e..37819da8fd78 100644
+--- a/test/v3nametest.c
++++ b/test/v3nametest.c
+@@ -646,6 +646,14 @@ static struct gennamedata {
+             0xb7, 0x09, 0x02, 0x02
+         },
+         15
++    }, {
++        /*
++         * Regression test for CVE-2023-0286.
++         */
++        {
++            0xa3, 0x00
++        },
++        2
+     }
+ };
+ 

debian/patches/Check-CMS-failure-during-BIO-setup-with-stream-is-handled.patch

+From: Matt Caswell <matt@openssl.org>
+Date: Wed, 14 Dec 2022 17:15:18 +0000
+Subject: Check CMS failure during BIO setup with -stream is handled correctly
+
+Test for the issue fixed in the previous commit
+---
+ test/recipes/80-test_cms.t  | 15 +++++++++++++--
+ test/smime-certs/badrsa.pem | 18 ++++++++++++++++++
+ 2 files changed, 31 insertions(+), 2 deletions(-)
+ create mode 100644 test/smime-certs/badrsa.pem
+
+diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
+index 5dc6a3aebe01..ec11bfc2538b 100644
+--- a/test/recipes/80-test_cms.t
++++ b/test/recipes/80-test_cms.t
+@@ -13,7 +13,7 @@ use warnings;
+ use POSIX;
+ use File::Spec::Functions qw/catfile/;
+ use File::Compare qw/compare_text/;
+-use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file/;
++use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file with/;
+ use OpenSSL::Test::Utils;
+ 
+ setup("test_cms");
+@@ -27,7 +27,7 @@ my $smcont   = srctop_file("test", "smcont.txt");
+ my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib)
+     = disabled qw/des dh dsa ec ec2m rc2 zlib/;
+ 
+-plan tests => 6;
++plan tests => 7;
+ 
+ my @smime_pkcs7_tests = (
+ 
+@@ -584,3 +584,14 @@ sub check_availability {
+ 
+     return "";
+ }
++
++# Check that we get the expected failure return code
++with({ exit_checker => sub { return shift == 6; } },
++    sub {
++        ok(run(app(['openssl', 'cms', '-encrypt',
++                    '-in', srctop_file("test", "smcont.txt"),
++                    '-stream', '-recip',
++                    srctop_file("test/smime-certs", "badrsa.pem"),
++                   ])),
++            "Check failure during BIO setup with -stream is handled correctly");
++    });
+diff --git a/test/smime-certs/badrsa.pem b/test/smime-certs/badrsa.pem
+new file mode 100644
+index 000000000000..f824fc226732
+--- /dev/null
++++ b/test/smime-certs/badrsa.pem
+@@ -0,0 +1,18 @@
++-----BEGIN CERTIFICATE-----
++MIIDbTCCAlWgAwIBAgIToTV4Z0iuK08vZP20oTh//hC8BDANBgkqhkiG9w0BAQ0FADAtMSswKQYD
++VfcDEyJTYW1wbGUgTEFNUFMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MCAXDTE5MTEyMDA2NTQxOFoY
++DzIwNTIwOTI3MDY1NDE4WjAZMRcwFQYDVQQDEw5BbGljZSBMb3ZlbGFjZTCCASIwDQYJKoZIhvcN
++AQEBBQADggEPADCCAQoCggEBALT0iehYOBY+TZp/T5K2KNI05Hwr+E3wP6XTvyi6WWyTgBK9LCOw
++I2juwdRrjFBmXkk7pWpjXwsA3A5GOtz0FpfgyC7OxsVcF7q4WHWZWleYXFKlQHJD73nQwXP968+A
++/3rBX7PhO0DBbZnfitOLPgPEwjTtdg0VQQ6Wz+CRQ/YbHPKaw7aRphZO63dKvIKp4cQVtkWQHi6s
++yTjGsgkLcLNau5LZDQUdsGV+SAo3nBdWCRYV+I65x8Kf4hCxqqmjV3d/2NKRu0BXnDe/N+iDz3X0
++zEoj0fqXgq4SWcC0nsG1lyyXt1TL270I6ATKRGJWiQVCCpDtc0NT6vdJ45bCSxgCAwEAAaOBlzCB
++lDAMBgNVHRMBAf8EAjAAMB4GA1UdEQQXMBWBE2FsaWNlQHNtaW1lLmV4YW1wbGUwEwYDVR0lBAww
++CgYIKwYBBQUHAwQwDwYDVR0PAQH/BAUDAwfAADAdBgNVHQ4EFgQUu/bMsi0dBhIcl64papAQ0yBm
++ZnMwHwYDVR0jBBgwFoAUeF8OWnjYa+RUcD2z3ez38fL6wEcwDQYJKoZIhvcNAQENBQADggEBABbW
++eonR6TMTckehDKNOabwaCIcekahAIL6l9tTzUX5ew6ufiAPlC6I/zQlmUaU0iSyFDG1NW14kNbFt
++5CAokyLhMtE4ASHBIHbiOp/ZSbUBTVYJZB61ot7w1/ol5QECSs08b8zrxIncf+t2DHGuVEy/Qq1d
++rBz8d4ay8zpqAE1tUyL5Da6ZiKUfWwZQXSI/JlbjQFzYQqTRDnzHWrg1xPeMTO1P2/cplFaseTiv
++yk4cYwOp/W9UAWymOZXF8WcJYCIUXkdcG/nEZxr057KlScrJmFXOoh7Y+8ON4iWYYcAfiNgpUFo/
++j8BAwrKKaFvdlZS9k1Ypb2+UQY75mKJE9Bg=
++-----END CERTIFICATE-----

debian/patches/Fix-AES-OCB-encrypt-decrypt-for-x86-AES-NI.patch

+From: Alex Chernyakhovsky <achernya@google.com>
+Date: Thu, 16 Jun 2022 12:00:22 +1000
+Subject: Fix AES OCB encrypt/decrypt for x86 AES-NI
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+aesni_ocb_encrypt and aesni_ocb_decrypt operate by having a fast-path
+that performs operations on 6 16-byte blocks concurrently (the
+"grandloop") and then proceeds to handle the "short" tail (which can
+be anywhere from 0 to 5 blocks) that remain.
+
+As part of initialization, the assembly initializes $len to the true
+length, less 96 bytes and converts it to a pointer so that the $inp
+can be compared to it. Each iteration of "grandloop" checks to see if
+there's a full 96-byte chunk to process, and if so, continues. Once
+this has been exhausted, it falls through to "short", which handles
+the remaining zero to five blocks.
+
+Unfortunately, the jump at the end of "grandloop" had a fencepost
+error, doing a `jb` ("jump below") rather than `jbe` (jump below or
+equal). This should be `jbe`, as $inp is pointing to the *end* of the
+chunk currently being handled. If $inp == $len, that means that
+there's a whole 96-byte chunk waiting to be handled. If $inp > $len,
+then there's 5 or fewer 16-byte blocks left to be handled, and the
+fall-through is intended.
+
+The net effect of `jb` instead of `jbe` is that the last 16-byte block
+of the last 96-byte chunk was completely omitted. The contents of
+`out` in this position were never written to. Additionally, since
+those bytes were never processed, the authentication tag generated is
+also incorrect.
+
+The same fencepost error, and identical logic, exists in both
+aesni_ocb_encrypt and aesni_ocb_decrypt.
+
+This addresses CVE-2022-2097.
+
+Co-authored-by: Alejandro Sedeño <asedeno@google.com>
+Co-authored-by: David Benjamin <davidben@google.com>
+
+Reviewed-by: Paul Dale <pauli@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+---
+ crypto/aes/asm/aesni-x86.pl | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/aes/asm/aesni-x86.pl b/crypto/aes/asm/aesni-x86.pl
+index fe2b26542ab6..812758e02e04 100644
+--- a/crypto/aes/asm/aesni-x86.pl
++++ b/crypto/aes/asm/aesni-x86.pl
+@@ -2027,7 +2027,7 @@ my ($l_,$block,$i1,$i3,$i5) = ($rounds_,$key_,$rounds,$len,$out);
+ 	&movdqu		(&QWP(-16*2,$out,$inp),$inout4);
+ 	&movdqu		(&QWP(-16*1,$out,$inp),$inout5);
+ 	&cmp		($inp,$len);			# done yet?
+-	&jb		(&label("grandloop"));
++	&jbe		(&label("grandloop"));
+ 
+ &set_label("short");
+ 	&add		($len,16*6);
+@@ -2453,7 +2453,7 @@ my ($l_,$block,$i1,$i3,$i5) = ($rounds_,$key_,$rounds,$len,$out);
+ 	&pxor		($rndkey1,$inout5);
+ 	&movdqu		(&QWP(-16*1,$out,$inp),$inout5);
+ 	&cmp		($inp,$len);			# done yet?
+-	&jb		(&label("grandloop"));
++	&jbe		(&label("grandloop"));
+ 
+ &set_label("short");
+ 	&add		($len,16*6);

debian/patches/Fix-a-UAF-resulting-from-a-bug-in-BIO_new_NDEF.patch

+From: Matt Caswell <matt@openssl.org>
+Date: Wed, 14 Dec 2022 16:18:14 +0000
+Subject: Fix a UAF resulting from a bug in BIO_new_NDEF
+
+If the aux->asn1_cb() call fails in BIO_new_NDEF then the "out" BIO will
+be part of an invalid BIO chain. This causes a "use after free" when the
+BIO is eventually freed.
+
+Based on an original patch by Viktor Dukhovni and an idea from Theo
+Buehler.
+
+Thanks to Octavio Galland for reporting this issue.
+---
+ crypto/asn1/bio_ndef.c | 39 ++++++++++++++++++++++++++++++++-------
+ 1 file changed, 32 insertions(+), 7 deletions(-)
+
+diff --git a/crypto/asn1/bio_ndef.c b/crypto/asn1/bio_ndef.c
+index 760e4846a474..f8d4b1b9aa67 100644
+--- a/crypto/asn1/bio_ndef.c
++++ b/crypto/asn1/bio_ndef.c
+@@ -49,12 +49,19 @@ static int ndef_suffix(BIO *b, unsigned char **pbuf, int *plen, void *parg);
+ static int ndef_suffix_free(BIO *b, unsigned char **pbuf, int *plen,
+                             void *parg);
+ 
++/*
++ * On success, the returned BIO owns the input BIO as part of its BIO chain.
++ * On failure, NULL is returned and the input BIO is owned by the caller.
++ *
++ * Unfortunately cannot constify this due to CMS_stream() and PKCS7_stream()
++ */
+ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
+ {
+     NDEF_SUPPORT *ndef_aux = NULL;
+     BIO *asn_bio = NULL;
+     const ASN1_AUX *aux = it->funcs;
+     ASN1_STREAM_ARG sarg;
++    BIO *pop_bio = NULL;
+ 
+     if (!aux || !aux->asn1_cb) {
+         ASN1err(ASN1_F_BIO_NEW_NDEF, ASN1_R_STREAMING_NOT_SUPPORTED);
+@@ -69,21 +76,39 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
+     out = BIO_push(asn_bio, out);
+     if (out == NULL)
+         goto err;
++    pop_bio = asn_bio;
+ 
+-    BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free);
+-    BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free);
++    if (BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free) <= 0
++            || BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free) <= 0
++            || BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux) <= 0)
++        goto err;
+ 
+     /*
+-     * Now let callback prepends any digest, cipher etc BIOs ASN1 structure
+-     * needs.
++     * Now let the callback prepend any digest, cipher, etc., that the BIO's
++     * ASN1 structure needs.
+      */
+ 
+     sarg.out = out;
+     sarg.ndef_bio = NULL;
+     sarg.boundary = NULL;
+ 
+-    if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0)
++    /*
++     * The asn1_cb(), must not have mutated asn_bio on error, leaving it in the
++     * middle of some partially built, but not returned BIO chain.
++     */
++    if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0) {
++        /*
++         * ndef_aux is now owned by asn_bio so we must not free it in the err
++         * clean up block
++         */
++        ndef_aux = NULL;
+         goto err;
++    }
++
++    /*
++     * We must not fail now because the callback has prepended additional
++     * BIOs to the chain
++     */
+ 
+     ndef_aux->val = val;
+     ndef_aux->it = it;
+@@ -91,11 +116,11 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
+     ndef_aux->boundary = sarg.boundary;
+     ndef_aux->out = out;
+ 
+-    BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux);
+-
+     return sarg.ndef_bio;
+ 
+  err:
++    /* BIO_pop() is NULL safe */
++    (void)BIO_pop(pop_bio);
+     BIO_free(asn_bio);
+     OPENSSL_free(ndef_aux);
+     return NULL;

debian/patches/series

@@ -9,3 +9,11 @@ Fix-file-operations-in-c_rehash.patch
 Update-expired-SCT-certificates.patch
 ct_test.c-Update-the-epoch-time.patch
 Update-further-expiring-certificates-that-affect-tests.patch
+Avoid-dangling-ptrs-in-header-and-data-params-for-PEM_rea.patch
+Add-a-test-for-CVE-2022-4450.patch
+CVE-2023-0286-Fix-GENERAL_NAME_cmp-for-x400Address-1.1.1.patch
+Fix-a-UAF-resulting-from-a-bug-in-BIO_new_NDEF.patch
+Check-CMS-failure-during-BIO-setup-with-stream-is-handled.patch
+Fix-Timing-Oracle-in-RSA-decryption.patch
+Fix-AES-OCB-encrypt-decrypt-for-x86-AES-NI.patch
+AES-OCB-test-vectors.patch