From 1cade96ef9695b92bbd33dd6284233a51cd7ae8b Mon Sep 17 00:00:00 2001 From: Duncaen Date: Sun, 30 Apr 2017 02:20:32 +0200 Subject: [PATCH] libressl: fix CVE-2017-8301 --- srcpkgs/libressl/patches/CVE-2017-8301.patch | 28 ++++++++++++++++++++ srcpkgs/libressl/template | 2 +- 2 files changed, 29 insertions(+), 1 deletion(-) create mode 100644 srcpkgs/libressl/patches/CVE-2017-8301.patch diff --git a/srcpkgs/libressl/patches/CVE-2017-8301.patch b/srcpkgs/libressl/patches/CVE-2017-8301.patch new file mode 100644 index 0000000000..634fd904da --- /dev/null +++ b/srcpkgs/libressl/patches/CVE-2017-8301.patch @@ -0,0 +1,28 @@ +From e4ea34f17cdd3b81ab1b6bd4df3712fbe49dc136 Mon Sep 17 00:00:00 2001 +From: beck <> +Date: Fri, 28 Apr 2017 23:03:58 +0000 +Subject: [PATCH] Revert previous change that forced consistency between return + value and error code, since this breaks the documented API. Under certain + circumstances this will result in incorrect successful certiticate + verification (where a user supplied callback always returns 1, and later code + checks the error code to potentially abort post verification) + +--- crypto/x509/x509_vfy.c ++++ crypto/x509/x509_vfy.c +@@ -541,15 +541,7 @@ X509_verify_cert(X509_STORE_CTX *ctx) + /* Safety net, error returns must set ctx->error */ + if (ok <= 0 && ctx->error == X509_V_OK) + ctx->error = X509_V_ERR_UNSPECIFIED; +- +- /* +- * Safety net, if user provided verify callback indicates sucess +- * make sure they have set error to X509_V_OK +- */ +- if (ctx->verify_cb != null_callback && ok == 1) +- ctx->error = X509_V_OK; +- +- return(ctx->error == X509_V_OK); ++ return ok; + } + + /* Given a STACK_OF(X509) find the issuer of cert (if any) diff --git a/srcpkgs/libressl/template b/srcpkgs/libressl/template index c25f0cce8d..2824de0b6c 100644 --- a/srcpkgs/libressl/template +++ b/srcpkgs/libressl/template @@ -1,7 +1,7 @@ # Template file for 'libressl' pkgname=libressl version=2.5.3 -revision=1 +revision=2 bootstrap=yes build_style=gnu-configure short_desc="Version of the TLS/crypto stack forked from OpenSSL"