Bug#1110165: unblock: jose/14-2
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: jose@packages.debian.org
Control: affects -1 + src:jose
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package jose
It only contains one bugfix (adding a NULL pointer check).
unblock jose/14-2
diffstat for jose-14 jose-14
changelog | 6 +
patches/cherry-picked/1752063697.v14-7-g5aaaaf6.openssl-handle-null-in-jose-openssl-jwk-from-ec-key-gracefully-172.patch | 33 ++++++++++
patches/series | 1
3 files changed, 40 insertions(+)
diff -Nru jose-14/debian/changelog jose-14/debian/changelog
--- jose-14/debian/changelog 2024-08-10 19:16:54.000000000 +0300
+++ jose-14/debian/changelog 2025-07-10 19:04:11.000000000 +0300
@@ -1,3 +1,9 @@
+jose (14-2) unstable; urgency=high
+
+ * Cherry-pick fix to handle possible Null pointer gracefully
+
+ -- Christoph Biedl <debian.axhn@manchmal.in-ulm.de> Thu, 10 Jul 2025 18:04:11 +0200
+
jose (14-1) unstable; urgency=medium
* New upstream version 14
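Review bot: the new changelog entry ("Cherry-pick fix to handle possible Null pointer gracefully") names neither the affected function nor the upstream reference, so a reader of the changelog cannot tell what was fixed without opening the patch; suggest wording such as "Cherry-pick upstream fix: add NULL check in jose_openssl_jwk_from_EC_KEY() (upstream #172)". The capitalised "Null" should also be "NULL", matching the patch subject.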
diff -Nru jose-14/debian/patches/cherry-picked/1752063697.v14-7-g5aaaaf6.openssl-handle-null-in-jose-openssl-jwk-from-ec-key-gracefully-172.patch jose-14/debian/patches/cherry-picked/1752063697.v14-7-g5aaaaf6.openssl-handle-null-in-jose-openssl-jwk-from-ec-key-gracefully-172.patch
--- jose-14/debian/patches/cherry-picked/1752063697.v14-7-g5aaaaf6.openssl-handle-null-in-jose-openssl-jwk-from-ec-key-gracefully-172.patch 1970-01-01 02:00:00.000000000 +0200
+++ jose-14/debian/patches/cherry-picked/1752063697.v14-7-g5aaaaf6.openssl-handle-null-in-jose-openssl-jwk-from-ec-key-gracefully-172.patch 2025-07-10 19:04:11.000000000 +0300
@@ -0,0 +1,33 @@
+Subject: Openssl: handle NULL in jose_openssl_jwk_from_EC_KEY gracefully (#172)
+Origin: upstream, commit v14-7-g5aaaaf6 <https://github.com/latchset/jose/commit/v14-7-g5aaaaf6>
+Author: Ahmad Fatoum <ahmad@a3f.at>
+Date: Wed Jul 9 14:21:37 2025 +0200
+
+ We already check that the RSA *key is not NULL in
+ jose_openssl_jwk_from_RSA(), but fail to do so for EC_KEY *key in
+ jose_openssl_jwk_from_EC_KEY().
+
+ But EVP_PKEY_get0_EC_KEY() can return NULL too, e.g., if
+ the EVP_PKEY comes from an OpenSSL provider that is not creating a
+ keymgmt instance for a public key and the default provider is not
+ loaded[1].
+
+ Instead of crashing inside OpenSSL when we pass a NULL pointer to
+ EC_KEY_get0_private_key(), detect this case and return gracefully.
+
+ [1]: https://github.com/openssl/openssl/discussions/25679
+
+ Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
+
+--- a/lib/openssl/jwk.c
++++ b/lib/openssl/jwk.c
+@@ -140,6 +140,9 @@
+ json_t *
+ jose_openssl_jwk_from_EC_KEY(jose_cfg_t *cfg, const EC_KEY *key)
+ {
++ if (!key)
++ return NULL;
++
+ return jose_openssl_jwk_from_EC_POINT(
+ cfg,
+ EC_KEY_get0_group(key),
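Review bot: the added `if (!key) return NULL;` guards only the `key` pointer; the very next context line passes `EC_KEY_get0_group(key)` into `jose_openssl_jwk_from_EC_POINT()`, and that accessor returns NULL for an EC_KEY whose group was never set. Whether `jose_openssl_jwk_from_EC_POINT()` tolerates a NULL group is not visible in this hunk, so it is worth confirming before treating the crash class the commit message describes as fully closed. A second, smaller point: the function returns NULL silently rather than reporting through `cfg`, which the commit message accepts as "return gracefully" but which leaves callers without a diagnostic; fine for a cherry-pick, but worth noting. The DEP-3 header is otherwise complete (Subject, Origin with commit id matching the file name, Author, Date).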
diff -Nru jose-14/debian/patches/series jose-14/debian/patches/series
--- jose-14/debian/patches/series 2024-06-19 23:31:56.000000000 +0300
+++ jose-14/debian/patches/series 2025-07-10 19:04:11.000000000 +0300
@@ -1,5 +1,6 @@
# cherry-picked commits. Keep in upstream's chronological order
+cherry-picked/1752063697.v14-7-g5aaaaf6.openssl-handle-null-in-jose-openssl-jwk-from-ec-key-gracefully-172.patch
# patches for upstream