libressl: fix CVE-2017-8301
This commit is contained in:
parent
9401e89012
commit
1cade96ef9
2 changed files with 29 additions and 1 deletions
28
srcpkgs/libressl/patches/CVE-2017-8301.patch
Normal file
28
srcpkgs/libressl/patches/CVE-2017-8301.patch
Normal file
|
@ -0,0 +1,28 @@
|
|||
From e4ea34f17cdd3b81ab1b6bd4df3712fbe49dc136 Mon Sep 17 00:00:00 2001
|
||||
From: beck <>
|
||||
Date: Fri, 28 Apr 2017 23:03:58 +0000
|
||||
Subject: [PATCH] Revert previous change that forced consistency between return
|
||||
value and error code, since this breaks the documented API. Under certain
|
||||
circumstances this will result in incorrect successful certiticate
|
||||
verification (where a user supplied callback always returns 1, and later code
|
||||
checks the error code to potentially abort post verification)
|
||||
|
||||
--- crypto/x509/x509_vfy.c
|
||||
+++ crypto/x509/x509_vfy.c
|
||||
@@ -541,15 +541,7 @@ X509_verify_cert(X509_STORE_CTX *ctx)
|
||||
/* Safety net, error returns must set ctx->error */
|
||||
if (ok <= 0 && ctx->error == X509_V_OK)
|
||||
ctx->error = X509_V_ERR_UNSPECIFIED;
|
||||
-
|
||||
- /*
|
||||
- * Safety net, if user provided verify callback indicates sucess
|
||||
- * make sure they have set error to X509_V_OK
|
||||
- */
|
||||
- if (ctx->verify_cb != null_callback && ok == 1)
|
||||
- ctx->error = X509_V_OK;
|
||||
-
|
||||
- return(ctx->error == X509_V_OK);
|
||||
+ return ok;
|
||||
}
|
||||
|
||||
/* Given a STACK_OF(X509) find the issuer of cert (if any)
|
|
@ -1,7 +1,7 @@
|
|||
# Template file for 'libressl'
|
||||
pkgname=libressl
|
||||
version=2.5.3
|
||||
revision=1
|
||||
revision=2
|
||||
bootstrap=yes
|
||||
build_style=gnu-configure
|
||||
short_desc="Version of the TLS/crypto stack forked from OpenSSL"
|
||||
|
|
Loading…
Reference in a new issue