main/openssl: patch CVE-2023-0465

2026-05-08 05:46:38 +02:00 · 2023-03-28 14:16:20 +00:00 · 2023-03-28 14:16:20 +00:00 · 5fbf5d91ca
commit 5fbf5d91ca
parent 7634277dca
2 changed files with 58 additions and 1 deletions
--- a/main/openssl/APKBUILD
+++ b/main/openssl/APKBUILD
@ -2,7 +2,7 @@
 pkgname=openssl
 pkgver=1.1.1t
 _abiver=${pkgver%.*}
-pkgrel=1
+pkgrel=2
 pkgdesc="Toolkit for Transport Layer Security (TLS)"
 url="https://www.openssl.org/"
 arch="all"
@ -15,11 +15,14 @@ subpackages="$pkgname-dbg $pkgname-libs-static $pkgname-dev $pkgname-doc
 	libcrypto$_abiver:_libcrypto libssl$_abiver:_libssl"
 source="https://www.openssl.org/source/openssl-$pkgver.tar.gz
 	CVE-2023-0464.patch
+	CVE-2023-0465.patch
 	man-section.patch
 	ppc64.patch
 	"

 # secfixes:
+#   1.1.1t-r2:
+#     - CVE-2023-0465
 #   1.1.1t-r1:
 #     - CVE-2023-0464
 #   1.1.1t-r0:
@ -143,6 +146,7 @@ _libssl() {
 sha512sums="
 628676c9c3bc1cf46083d64f61943079f97f0eefd0264042e40a85dbbd988f271bfe01cd1135d22cc3f67a298f1d078041f8f2e97b0da0d93fe172da573da18c  openssl-1.1.1t.tar.gz
 2cbe5a8ea6285fba214fdf4afa2cfa8ae3894917a7aa7bd017a9fbf4b8f9afdad5dc20168af22ff213023016d9c05fb49e9e4463dab594b5c0b4f8b46a2c5036  CVE-2023-0464.patch
+170dfef8ceb9af275687a447e1131dfe8e1a74097eeb525c9c74d3492fd7067183b086833ead0149641ce61401947ef57d830e2cb25dd0881642f40dbe960358  CVE-2023-0465.patch
 43c3255118db6f5f340dc865c0f25ccbcafe5bf7507585244ca59b4d27daf533d6c3171aa32a8685cbb6200104bec535894b633de13feaadff87ab86739a445a  man-section.patch
 e040f23770d52b988578f7ff84d77563340f37c026db7643db8e4ef18e795e27d10cb42cb8656da4d9c57a28283a2828729d70f940edc950c3422a54fea55509  ppc64.patch
 "
--- a/main/openssl/CVE-2023-0465.patch
+++ b/main/openssl/CVE-2023-0465.patch
@ -0,0 +1,53 @@
+Patch-Source: https://github.com/openssl/openssl/commit/b013765abfa80036dc779dd0e50602c57bb3bf95
+--
+From b013765abfa80036dc779dd0e50602c57bb3bf95 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Tue, 7 Mar 2023 16:52:55 +0000
+Subject: [PATCH] Ensure that EXFLAG_INVALID_POLICY is checked even in leaf
+ certs
+
+Even though we check the leaf cert to confirm it is valid, we
+later ignored the invalid flag and did not notice that the leaf
+cert was bad.
+
+Fixes: CVE-2023-0465
+
+Reviewed-by: Hugo Landau <hlandau@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/20588)
+---
+ crypto/x509/x509_vfy.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
+index 925fbb541258..1dfe4f9f31a5 100644
+--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
+@@ -1649,18 +1649,25 @@ static int check_policy(X509_STORE_CTX *ctx)
+     }
+     /* Invalid or inconsistent extensions */
+     if (ret == X509_PCY_TREE_INVALID) {
+-        int i;
+        int i, cbcalled = 0;
+ 
+         /* Locate certificates with bad extensions and notify callback. */
+-        for (i = 1; i < sk_X509_num(ctx->chain); i++) {
+        for (i = 0; i < sk_X509_num(ctx->chain); i++) {
+             X509 *x = sk_X509_value(ctx->chain, i);
+ 
+             if (!(x->ex_flags & EXFLAG_INVALID_POLICY))
+                 continue;
+            cbcalled = 1;
+             if (!verify_cb_cert(ctx, x, i,
+                                 X509_V_ERR_INVALID_POLICY_EXTENSION))
+                 return 0;
+         }
+        if (!cbcalled) {
+            /* Should not be able to get here */
+            X509err(X509_F_CHECK_POLICY, ERR_R_INTERNAL_ERROR);
+            return 0;
+        }
+        /* The callback ignored the error so we return success */
+         return 1;
+     }
+     if (ret == X509_PCY_TREE_FAILURE) {