authorJakub Jirutka <jakub@jirutka.cz>2017-04-27 20:07:48 +0200
committerJakub Jirutka <jakub@jirutka.cz>2017-04-27 20:11:07 +0200
commit500f378f52a862e91c61de633df00197d4afd366 (patch)
tree5cdbc8b01afd2e4e3bbe6d7a6f2605316013502f /main/libressl
parentd87a1c42f9490a5a6441ef4ea6d01d7d26a8555c (diff)
downloadaports-500f378f52a862e91c61de633df00197d4afd366.tar.bz2
aports-500f378f52a862e91c61de633df00197d4afd366.tar.xz
main/libressl: fix CVE-2017-8301
Diffstat (limited to 'main/libressl')
-rw-r--r--main/libressl/APKBUILD13
-rw-r--r--main/libressl/fix-CVE-2017-8301.patch32
2 files changed, 42 insertions, 3 deletions
diff --git a/main/libressl/APKBUILD b/main/libressl/APKBUILD
index 0ae101abbc..94129859b4 100644
--- a/main/libressl/APKBUILD
+++ b/main/libressl/APKBUILD
@@ -1,10 +1,15 @@
# Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net>
# Contributor: Orion <systmkor@gmail.com>
# Maintainer: Orion <systmkor@gmail.com>
+#
+# secfixes:
+# 2.5.3-r1:
+# - CVE-2017-8301
+#
pkgname=libressl
pkgver=2.5.3
_namever=${pkgname}${pkgver%.*}
-pkgrel=0
+pkgrel=1
pkgdesc="Version of the TLS/crypto stack forked from OpenSSL"
url="http://www.libressl.org/"
arch="all"
@@ -16,7 +21,8 @@ makedepends="$makedepends_host"
replaces="openssl"
subpackages="$pkgname-dbg $_namever-libcrypto:_libs $_namever-libssl:_libs
$_namever-libtls:_libs $pkgname-dev $pkgname-doc"
-source="http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/$pkgname-$pkgver.tar.gz"
+source="http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/$pkgname-$pkgver.tar.gz
+ fix-CVE-2017-8301.patch"
builddir="$srcdir/$pkgname-$pkgver"
build() {
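Review bot: The rewritten `source=` line still fetches the release tarball over plain `http://`, so the only integrity control for the crypto library is the pinned `sha512sums` entry. That pin protects ordinary builds, but whoever regenerates checksums on the next version bump would record whatever the plaintext download returned. If the mirror serves HTTPS, consider `source="https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/$pkgname-$pkgver.tar.gz` here, and check the new tarball against the upstream signed release data before updating the hash.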
@@ -57,4 +63,5 @@ _libs() {
done
}
-sha512sums="e5ba2abb8a0835a025d2777d9c0e8e95813777af8167e322d8e5ae20485c32b628ced77141b156fd3619b65a5afae1a5bc90a7252166a9a54f7e3d23388b3bd0 libressl-2.5.3.tar.gz"
+sha512sums="e5ba2abb8a0835a025d2777d9c0e8e95813777af8167e322d8e5ae20485c32b628ced77141b156fd3619b65a5afae1a5bc90a7252166a9a54f7e3d23388b3bd0 libressl-2.5.3.tar.gz
+cc4da197c9ba0c80f45f0141e3ec80bbce5dcd4f815a3b55e26dc7fc5930f15078907a1ed1ac79e852966b1d63f48b09d9c98a766211dee88c42fc06477f862f fix-CVE-2017-8301.patch"
diff --git a/main/libressl/fix-CVE-2017-8301.patch b/main/libressl/fix-CVE-2017-8301.patch
new file mode 100644
index 0000000000..c6684b25d0
--- /dev/null
+++ b/main/libressl/fix-CVE-2017-8301.patch
@@ -0,0 +1,32 @@
+From: Jakub Jirutka <jakub@jirutka.cz>
+Date: Thu, 27 Apr 2017 20:02:00 +0200
+Subject: [PATCH] Fix CVE-2017-8301
+
+This patch reverts commit ddd98f8ea741a122952185a36c1396c14c2fda74
+that introduced the vulnerability.
+
+See also:
+
+* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8301
+* https://github.com/libressl-portable/portable/issues/307
+* https://github.com/libressl-portable/openbsd/commit/ddd98f8ea741a122952185a36c1396c14c2fda74
+
+--- a/crypto/x509/x509_vfy.c
++++ b/crypto/x509/x509_vfy.c
+@@ -541,15 +541,7 @@
+ /* Safety net, error returns must set ctx->error */
+ if (ok <= 0 && ctx->error == X509_V_OK)
+ ctx->error = X509_V_ERR_UNSPECIFIED;
+-
+- /*
+- * Safety net, if user provided verify callback indicates sucess
+- * make sure they have set error to X509_V_OK
+- */
+- if (ctx->verify_cb != null_callback && ok == 1)
+- ctx->error = X509_V_OK;
+-
+- return(ctx->error == X509_V_OK);
++ return ok;
+ }
+
+ /* Given a STACK_OF(X509) find the issuer of cert (if any)
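Review bot: The `return ok;` that replaces the removed block in `crypto/x509/x509_vfy.c` has no comment recording why `ctx->error` must not be reset when a user-supplied verify callback returns 1, so a later cleanup could reintroduce the same overwrite. I would add above it something like `/* Leave ctx->error as recorded: a callback override must not turn a stored verification failure into X509_V_OK. */`. After this revert the return value and `ctx->error` can legitimately disagree, which looks intentional, but the enclosing function starts outside the hunk so the other exit paths are not visible here. The patch description only links out; one sentence stating the effect of the reverted commit would keep the reason reviewable if the links go stale, and the patch should be dropped once an upstream release carries the fix.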