From 5fbf5d91cafbafae6bd8595e44a99853a23bc072 Mon Sep 17 00:00:00 2001
From: psykose
Date: Tue, 28 Mar 2023 14:16:20 +0000
Subject: [PATCH] main/openssl: patch CVE-2023-0465
---
 main/openssl/APKBUILD | 6 +++-
 main/openssl/CVE-2023-0465.patch | 53 ++++++++++++++++++++++++++++++++
 2 files changed, 58 insertions(+), 1 deletion(-)
 create mode 100644 main/openssl/CVE-2023-0465.patch
diff --git a/main/openssl/APKBUILD b/main/openssl/APKBUILD
index 2570893e316..9f19ae8703f 100644
--- a/main/openssl/APKBUILD
+++ b/main/openssl/APKBUILD
@@ -2,7 +2,7 @@
 pkgname=openssl
 pkgver=1.1.1t
 _abiver=${pkgver%.*}
-pkgrel=1
+pkgrel=2
 pkgdesc="Toolkit for Transport Layer Security (TLS)"
 url="https://www.openssl.org/"
 arch="all"
@@ -15,11 +15,14 @@ subpackages="$pkgname-dbg $pkgname-libs-static $pkgname-dev $pkgname-doc
 libcrypto$_abiver:_libcrypto libssl$_abiver:_libssl"
 source="https://www.openssl.org/source/openssl-$pkgver.tar.gz
 CVE-2023-0464.patch
+ CVE-2023-0465.patch
 man-section.patch
 ppc64.patch
 "
 # secfixes:
+# 1.1.1t-r2:
+# - CVE-2023-0465
 # 1.1.1t-r1:
 # - CVE-2023-0464
 # 1.1.1t-r0:
@@ -143,6 +146,7 @@ _libssl() {
 sha512sums="
 628676c9c3bc1cf46083d64f61943079f97f0eefd0264042e40a85dbbd988f271bfe01cd1135d22cc3f67a298f1d078041f8f2e97b0da0d93fe172da573da18c openssl-1.1.1t.tar.gz
 2cbe5a8ea6285fba214fdf4afa2cfa8ae3894917a7aa7bd017a9fbf4b8f9afdad5dc20168af22ff213023016d9c05fb49e9e4463dab594b5c0b4f8b46a2c5036 CVE-2023-0464.patch
+170dfef8ceb9af275687a447e1131dfe8e1a74097eeb525c9c74d3492fd7067183b086833ead0149641ce61401947ef57d830e2cb25dd0881642f40dbe960358 CVE-2023-0465.patch
 43c3255118db6f5f340dc865c0f25ccbcafe5bf7507585244ca59b4d27daf533d6c3171aa32a8685cbb6200104bec535894b633de13feaadff87ab86739a445a man-section.patch
 e040f23770d52b988578f7ff84d77563340f37c026db7643db8e4ef18e795e27d10cb42cb8656da4d9c57a28283a2828729d70f940edc950c3422a54fea55509 ppc64.patch
 "
diff --git a/main/openssl/CVE-2023-0465.patch b/main/openssl/CVE-2023-0465.patch
new file mode 100644
index 00000000000..06bf7b6eaae
--- /dev/null
+++ b/main/openssl/CVE-2023-0465.patch
@@ -0,0 +1,53 @@
+Patch-Source: https://github.com/openssl/openssl/commit/b013765abfa80036dc779dd0e50602c57bb3bf95
+--
+From b013765abfa80036dc779dd0e50602c57bb3bf95 Mon Sep 17 00:00:00 2001
+From: Matt Caswell
+Date: Tue, 7 Mar 2023 16:52:55 +0000
+Subject: [PATCH] Ensure that EXFLAG_INVALID_POLICY is checked even in leaf
+ certs
+
+Even though we check the leaf cert to confirm it is valid, we
+later ignored the invalid flag and did not notice that the leaf
+cert was bad.
+
+Fixes: CVE-2023-0465
+
+Reviewed-by: Hugo Landau
+Reviewed-by: Tomas Mraz
+(Merged from https://github.com/openssl/openssl/pull/20588)
+---
+ crypto/x509/x509_vfy.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
+index 925fbb541258..1dfe4f9f31a5 100644
+--- a/crypto/x509/x509_vfy.c
++++ b/crypto/x509/x509_vfy.c
+@@ -1649,18 +1649,25 @@ static int check_policy(X509_STORE_CTX *ctx)
+ }
+ /* Invalid or inconsistent extensions */
+ if (ret == X509_PCY_TREE_INVALID) {
+- int i;
++ int i, cbcalled = 0;
+
+ /* Locate certificates with bad extensions and notify callback. */
+- for (i = 1; i < sk_X509_num(ctx->chain); i++) {
++ for (i = 0; i < sk_X509_num(ctx->chain); i++) {
+ X509 *x = sk_X509_value(ctx->chain, i);
+
+ if (!(x->ex_flags & EXFLAG_INVALID_POLICY))
+ continue;
++ cbcalled = 1;
+ if (!verify_cb_cert(ctx, x, i,
+ X509_V_ERR_INVALID_POLICY_EXTENSION))
+ return 0;
+ }
++ if (!cbcalled) {
++ /* Should not be able to get here */
++ X509err(X509_F_CHECK_POLICY, ERR_R_INTERNAL_ERROR);
++ return 0;
++ }
++ /* The callback ignored the error so we return success */
+ return 1;
+ }
+ if (ret == X509_PCY_TREE_FAILURE) {