diff options
author | Jakub Jirutka <jakub@jirutka.cz> | 2017-04-27 20:07:48 +0200 |
---|---|---|
committer | Jakub Jirutka <jakub@jirutka.cz> | 2017-04-27 20:11:07 +0200 |
commit | 500f378f52a862e91c61de633df00197d4afd366 (patch) | |
tree | 5cdbc8b01afd2e4e3bbe6d7a6f2605316013502f /main/libressl | |
parent | d87a1c42f9490a5a6441ef4ea6d01d7d26a8555c (diff) | |
download | aports-500f378f52a862e91c61de633df00197d4afd366.tar.bz2 aports-500f378f52a862e91c61de633df00197d4afd366.tar.xz |
main/libressl: fix CVE-2017-8301
Diffstat (limited to 'main/libressl')
-rw-r--r-- | main/libressl/APKBUILD | 13 | ||||
-rw-r--r-- | main/libressl/fix-CVE-2017-8301.patch | 32 |
2 files changed, 42 insertions, 3 deletions
diff --git a/main/libressl/APKBUILD b/main/libressl/APKBUILD index 0ae101abbc..94129859b4 100644 --- a/main/libressl/APKBUILD +++ b/main/libressl/APKBUILD @@ -1,10 +1,15 @@ # Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net> # Contributor: Orion <systmkor@gmail.com> # Maintainer: Orion <systmkor@gmail.com> +# +# secfixes: +# 2.5.3-r1: +# - CVE-2017-8301 +# pkgname=libressl pkgver=2.5.3 _namever=${pkgname}${pkgver%.*} -pkgrel=0 +pkgrel=1 pkgdesc="Version of the TLS/crypto stack forked from OpenSSL" url="http://www.libressl.org/" arch="all" @@ -16,7 +21,8 @@ makedepends="$makedepends_host" replaces="openssl" subpackages="$pkgname-dbg $_namever-libcrypto:_libs $_namever-libssl:_libs $_namever-libtls:_libs $pkgname-dev $pkgname-doc" -source="http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/$pkgname-$pkgver.tar.gz" +source="http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/$pkgname-$pkgver.tar.gz + fix-CVE-2017-8301.patch" builddir="$srcdir/$pkgname-$pkgver" build() { @@ -57,4 +63,5 @@ _libs() { done } -sha512sums="e5ba2abb8a0835a025d2777d9c0e8e95813777af8167e322d8e5ae20485c32b628ced77141b156fd3619b65a5afae1a5bc90a7252166a9a54f7e3d23388b3bd0 libressl-2.5.3.tar.gz" +sha512sums="e5ba2abb8a0835a025d2777d9c0e8e95813777af8167e322d8e5ae20485c32b628ced77141b156fd3619b65a5afae1a5bc90a7252166a9a54f7e3d23388b3bd0 libressl-2.5.3.tar.gz +cc4da197c9ba0c80f45f0141e3ec80bbce5dcd4f815a3b55e26dc7fc5930f15078907a1ed1ac79e852966b1d63f48b09d9c98a766211dee88c42fc06477f862f fix-CVE-2017-8301.patch" diff --git a/main/libressl/fix-CVE-2017-8301.patch b/main/libressl/fix-CVE-2017-8301.patch new file mode 100644 index 0000000000..c6684b25d0 --- /dev/null +++ b/main/libressl/fix-CVE-2017-8301.patch @@ -0,0 +1,32 @@ +From: Jakub Jirutka <jakub@jirutka.cz> +Date: Thu, 27 Apr 2017 20:02:00 +0200 +Subject: [PATCH] Fix CVE-2017-8301 + +This patch reverts commit ddd98f8ea741a122952185a36c1396c14c2fda74 +that introduced the vulnerability. + +See also: + +* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8301 +* https://github.com/libressl-portable/portable/issues/307 +* https://github.com/libressl-portable/openbsd/commit/ddd98f8ea741a122952185a36c1396c14c2fda74 + +--- a/crypto/x509/x509_vfy.c ++++ b/crypto/x509/x509_vfy.c +@@ -541,15 +541,7 @@ + /* Safety net, error returns must set ctx->error */ + if (ok <= 0 && ctx->error == X509_V_OK) + ctx->error = X509_V_ERR_UNSPECIFIED; +- +- /* +- * Safety net, if user provided verify callback indicates sucess +- * make sure they have set error to X509_V_OK +- */ +- if (ctx->verify_cb != null_callback && ok == 1) +- ctx->error = X509_V_OK; +- +- return(ctx->error == X509_V_OK); ++ return ok; + } + + /* Given a STACK_OF(X509) find the issuer of cert (if any) |