Diffstat (limited to 'main/libressl/fix-CVE-2017-8301.patch')
-rw-r--r--main/libressl/fix-CVE-2017-8301.patch32
1 files changed, 32 insertions, 0 deletions
diff --git a/main/libressl/fix-CVE-2017-8301.patch b/main/libressl/fix-CVE-2017-8301.patch
new file mode 100644
index 0000000000..c6684b25d0
--- /dev/null
+++ b/main/libressl/fix-CVE-2017-8301.patch
@@ -0,0 +1,32 @@
+From: Jakub Jirutka <jakub@jirutka.cz>
+Date: Thu, 27 Apr 2017 20:02:00 +0200
+Subject: [PATCH] Fix CVE-2017-8301
+
+This patch reverts commit ddd98f8ea741a122952185a36c1396c14c2fda74
+that introduced the vulnerability.
+
+See also:
+
+* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8301
+* https://github.com/libressl-portable/portable/issues/307
+* https://github.com/libressl-portable/openbsd/commit/ddd98f8ea741a122952185a36c1396c14c2fda74
+
+--- a/crypto/x509/x509_vfy.c
++++ b/crypto/x509/x509_vfy.c
+@@ -541,15 +541,7 @@
+ /* Safety net, error returns must set ctx->error */
+ if (ok <= 0 && ctx->error == X509_V_OK)
+ ctx->error = X509_V_ERR_UNSPECIFIED;
+-
+- /*
+- * Safety net, if user provided verify callback indicates sucess
+- * make sure they have set error to X509_V_OK
+- */
+- if (ctx->verify_cb != null_callback && ok == 1)
+- ctx->error = X509_V_OK;
+-
+- return(ctx->error == X509_V_OK);
++ return ok;
+ }
+
+ /* Given a STACK_OF(X509) find the issuer of cert (if any)
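Review bot: The patch header only says it reverts ddd98f8 and should state why `return ok;` is the right contract: the removed lines forced `ctx->error = X509_V_OK` whenever a non-default verify callback returned 1, which discarded the failure code a callback deliberately leaves in `ctx->error` for the application to inspect afterwards (the linked portable issue presumably describes that SSL_get_verify_result() then reported success). I would add to the description a line such as `The override of ctx->error hid the verification error that a user callback accepts but expects to stay visible to the application, so failed verifications were reported as successful.` The three context lines above the removal still map a failing `ok` with no recorded error to X509_V_ERR_UNSPECIFIED, so the restored `return ok;` is consistent with that safety net; the function containing this hunk starts outside it. Consider also noting the upstream release that carries the equivalent fix, or adding a secfixes entry in the APKBUILD, so the patch can be dropped at the next libressl bump.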