authorpsykose <alice@ayaya.dev>2023-03-28 14:16:20 +0000
committerpsykose <alice@ayaya.dev>2023-03-28 16:17:33 +0200
commit5fbf5d91cafbafae6bd8595e44a99853a23bc072 (patch)
tree5c12428ea5670fa9bd7777148d5b12e4c6a12211
parent7634277dcac41e1d0a19db0f318684d9be162c69 (diff)
main/openssl: patch CVE-2023-0465
-rw-r--r--main/openssl/APKBUILD6
-rw-r--r--main/openssl/CVE-2023-0465.patch53
2 files changed, 58 insertions, 1 deletions
diff --git a/main/openssl/APKBUILD b/main/openssl/APKBUILD
index 2570893e316..9f19ae8703f 100644
--- a/main/openssl/APKBUILD
+++ b/main/openssl/APKBUILD
@@ -2,7 +2,7 @@
pkgname=openssl
pkgver=1.1.1t
_abiver=${pkgver%.*}
-pkgrel=1
+pkgrel=2
pkgdesc="Toolkit for Transport Layer Security (TLS)"
url="https://www.openssl.org/"
arch="all"
@@ -15,11 +15,14 @@ subpackages="$pkgname-dbg $pkgname-libs-static $pkgname-dev $pkgname-doc
libcrypto$_abiver:_libcrypto libssl$_abiver:_libssl"
source="https://www.openssl.org/source/openssl-$pkgver.tar.gz
CVE-2023-0464.patch
+ CVE-2023-0465.patch
man-section.patch
ppc64.patch
"
# secfixes:
+# 1.1.1t-r2:
+# - CVE-2023-0465
# 1.1.1t-r1:
# - CVE-2023-0464
# 1.1.1t-r0:
@@ -143,6 +146,7 @@ _libssl() {
sha512sums="
628676c9c3bc1cf46083d64f61943079f97f0eefd0264042e40a85dbbd988f271bfe01cd1135d22cc3f67a298f1d078041f8f2e97b0da0d93fe172da573da18c openssl-1.1.1t.tar.gz
2cbe5a8ea6285fba214fdf4afa2cfa8ae3894917a7aa7bd017a9fbf4b8f9afdad5dc20168af22ff213023016d9c05fb49e9e4463dab594b5c0b4f8b46a2c5036 CVE-2023-0464.patch
+170dfef8ceb9af275687a447e1131dfe8e1a74097eeb525c9c74d3492fd7067183b086833ead0149641ce61401947ef57d830e2cb25dd0881642f40dbe960358 CVE-2023-0465.patch
43c3255118db6f5f340dc865c0f25ccbcafe5bf7507585244ca59b4d27daf533d6c3171aa32a8685cbb6200104bec535894b633de13feaadff87ab86739a445a man-section.patch
e040f23770d52b988578f7ff84d77563340f37c026db7643db8e4ef18e795e27d10cb42cb8656da4d9c57a28283a2828729d70f940edc950c3422a54fea55509 ppc64.patch
"
diff --git a/main/openssl/CVE-2023-0465.patch b/main/openssl/CVE-2023-0465.patch
new file mode 100644
index 00000000000..06bf7b6eaae
--- /dev/null
+++ b/main/openssl/CVE-2023-0465.patch
@@ -0,0 +1,53 @@
+Patch-Source: https://github.com/openssl/openssl/commit/b013765abfa80036dc779dd0e50602c57bb3bf95
+--
+From b013765abfa80036dc779dd0e50602c57bb3bf95 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Tue, 7 Mar 2023 16:52:55 +0000
+Subject: [PATCH] Ensure that EXFLAG_INVALID_POLICY is checked even in leaf
+ certs
+
+Even though we check the leaf cert to confirm it is valid, we
+later ignored the invalid flag and did not notice that the leaf
+cert was bad.
+
+Fixes: CVE-2023-0465
+
+Reviewed-by: Hugo Landau <hlandau@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/20588)
+---
+ crypto/x509/x509_vfy.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
+index 925fbb541258..1dfe4f9f31a5 100644
+--- a/crypto/x509/x509_vfy.c
++++ b/crypto/x509/x509_vfy.c
+@@ -1649,18 +1649,25 @@ static int check_policy(X509_STORE_CTX *ctx)
+ }
+ /* Invalid or inconsistent extensions */
+ if (ret == X509_PCY_TREE_INVALID) {
+- int i;
++ int i, cbcalled = 0;
+
+ /* Locate certificates with bad extensions and notify callback. */
+- for (i = 1; i < sk_X509_num(ctx->chain); i++) {
++ for (i = 0; i < sk_X509_num(ctx->chain); i++) {
+ X509 *x = sk_X509_value(ctx->chain, i);
+
+ if (!(x->ex_flags & EXFLAG_INVALID_POLICY))
+ continue;
++ cbcalled = 1;
+ if (!verify_cb_cert(ctx, x, i,
+ X509_V_ERR_INVALID_POLICY_EXTENSION))
+ return 0;
+ }
++ if (!cbcalled) {
++ /* Should not be able to get here */
++ X509err(X509_F_CHECK_POLICY, ERR_R_INTERNAL_ERROR);
++ return 0;
++ }
++ /* The callback ignored the error so we return success */
+ return 1;
+ }
+ if (ret == X509_PCY_TREE_FAILURE) {