From 4dd540505d40babe488404f3174ec39f49a84485 Mon Sep 17 00:00:00 2001
From: Michael Catanzaro
Date: Mon, 4 Aug 2025 15:10:21 -0500
Subject: [PATCH] openssl: properly check return value when writing to BIO objects
In particular, we will read out of bounds, and then write the invalid memory, if BIO_write() fails when getting the PROP_CERTIFICATE_PEM property. Here we attempt to check the return value, but the check is not correct. This also fixes a leak of the BIO in the same place. Also add error checking to PROP_SUBJECT_NAME and PROP_ISSUER_NAME, for good measure.
Fixes #226
CVE: CVE-2025-60018
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib-networking/-/commit/4dd540505d40babe488404f3174ec39f49a84485]
Signed-off-by: Rajeshkumar Ramasamy
---
 tls/openssl/gtlscertificate-openssl.c | 25 +++++++++++++++----------
 1 file changed, 15 insertions(+), 10 deletions(-)
diff --git a/tls/openssl/gtlscertificate-openssl.c b/tls/openssl/gtlscertificate-openssl.c
index 648f3e8..b536559 100644
--- a/tls/openssl/gtlscertificate-openssl.c
+++ b/tls/openssl/gtlscertificate-openssl.c
@@ -362,15 +362,12 @@ g_tls_certificate_openssl_get_property (GObject *object,
 case PROP_CERTIFICATE_PEM:
 bio = BIO_new (BIO_s_mem ());
- if (!PEM_write_bio_X509 (bio, openssl->cert) || !BIO_write (bio, "\0", 1))
- certificate_pem = NULL;
- else
+ if (PEM_write_bio_X509 (bio, openssl->cert) == 1 && BIO_write (bio, "\0", 1) == 1)
 {
 BIO_get_mem_data (bio, &certificate_pem);
 g_value_set_string (value, certificate_pem);
-
- BIO_free_all (bio);
 }
+ BIO_free_all (bio);
 break;
 case PROP_PRIVATE_KEY:
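Review bot: The result of `bio = BIO_new (BIO_s_mem ());` in the PROP_CERTIFICATE_PEM case is still used unchecked, so the allocation-failure path relies on PEM_write_bio_X509() and BIO_write() rejecting a NULL BIO rather than on a check in this function. A guard directly after the allocation, `if (bio == NULL) break;`, would make that path explicit and independent of the OpenSSL version in use; the PROP_SUBJECT_NAME and PROP_ISSUER_NAME cases in the later hunks allocate the same way. A one-line comment above the new condition would also help the next reader, e.g. `/* BIO memory is not NUL-terminated: only pass it to g_value_set_string() once the terminator was written */`. g_tls_certificate_openssl_get_property starts and ends outside this hunk.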
@@ -411,8 +408,12 @@ g_tls_certificate_openssl_get_property (GObject *object,
 case PROP_SUBJECT_NAME:
 bio = BIO_new (BIO_s_mem ());
 name = X509_get_subject_name (openssl->cert);
- X509_NAME_print_ex (bio, name, 0, XN_FLAG_SEP_COMMA_PLUS);
- BIO_write (bio, "\0", 1);
+ if (X509_NAME_print_ex (bio, name, 0, XN_FLAG_SEP_COMMA_PLUS) < 0 ||
+ BIO_write (bio, "\0", 1) != 1)
+ {
+ BIO_free_all (bio);
+ break;
+ }
 BIO_get_mem_data (bio, (char **)&name_string);
 g_value_set_string (value, name_string);
 BIO_free_all (bio);
@@ -421,9 +422,13 @@ g_tls_certificate_openssl_get_property (GObject *object,
 case PROP_ISSUER_NAME:
 bio = BIO_new (BIO_s_mem ());
 name = X509_get_issuer_name (openssl->cert);
- X509_NAME_print_ex (bio, name, 0, XN_FLAG_SEP_COMMA_PLUS);
- BIO_write (bio, "\0", 1);
- BIO_get_mem_data (bio, &name_string);
+ if (X509_NAME_print_ex (bio, name, 0, XN_FLAG_SEP_COMMA_PLUS) < 0 ||
+ BIO_write (bio, "\0", 1) != 1)
+ {
+ BIO_free_all (bio);
+ break;
+ }
+ BIO_get_mem_data (bio, (char **)&name_string);
 g_value_set_string (value, name_string);
 BIO_free_all (bio);
 break;
-- 
2.48.1
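Review bot: The PROP_SUBJECT_NAME case handles failure with an early `break` and its own `BIO_free_all (bio);`, whereas the PROP_CERTIFICATE_PEM case in the same commit uses a positive condition with a single `BIO_free_all (bio);` after the block; the PROP_ISSUER_NAME hunk repeats the early-break form. Writing both name cases like the PEM case, `if (X509_NAME_print_ex (bio, name, 0, XN_FLAG_SEP_COMMA_PLUS) >= 0 && BIO_write (bio, "\0", 1) == 1)` around the two lines that read and store the string, leaves one cleanup call per case and one shape to audit for leaks. The two name cases differ only in the X509_get_*_name call, so a small static helper taking the X509_NAME would remove the duplicated error path as well. The enclosing function continues outside both hunks.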