Date: Tuesday, February 7, 2023 @ 20:26:44 Author: blakkheim Revision: 1396023
upgpkg: libressl 3.6.1-2: backport x509 security fix A malicious certificate revocation list or timestamp response token could allow an attacker to read arbitrary memory. Added: libressl/trunk/018_x509.patch Modified: libressl/trunk/PKGBUILD ----------------+ 018_x509.patch | 21 +++++++++++++++++++++ PKGBUILD | 9 ++++++--- 2 files changed, 27 insertions(+), 3 deletions(-)
Added: 018_x509.patch
===================================================================
--- 018_x509.patch (rev 0)
+++ 018_x509.patch 2023-02-07 20:26:44 UTC (rev 1396023)
@@ -0,0 +1,21 @@
+OpenBSD 7.2 errata 018, February 7, 2023:
+
+A malicious certificate revocation list or timestamp response token would
+allow an attacker to read arbitrary memory.
+
+https://ftp.openbsd.org/pub/OpenBSD/patches/7.2/common/018_x509.patch.sig
+
+diff --git a/crypto/x509/x509_genn.c b/crypto/x509/x509_genn.c
+index dadf6f1e4..1905e8cac 100644
+--- a/crypto/x509/x509_genn.c
++++ b/crypto/x509/x509_genn.c
+@@ -366,7 +366,8 @@ GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
+ return -1;
+ switch (a->type) {
+ case GEN_X400:
+- result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address);
++ result = ASN1_STRING_cmp((ASN1_STRING *)a->d.x400Address,
++ (ASN1_STRING *)b->d.x400Address);
+ break;
+
+ case GEN_EDIPARTY:
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2023-02-07 19:22:16 UTC (rev 1396022)
+++ PKGBUILD 2023-02-07 20:26:44 UTC (rev 1396023)
@@ -7,7 +7,7 @@
 pkgname=libressl
 pkgver=3.6.1
-pkgrel=1
+pkgrel=2
 pkgdesc="Free version of the TLS/crypto stack forked from OpenSSL"
 arch=(x86_64)
 url="https://www.libressl.org/"
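Review bot: The two `(ASN1_STRING *)` casts in the `GEN_X400` case of 018_x509.patch are the whole fix, yet neither the patch header nor the code says why a cast is the right repair rather than a changed field type. Presumably `x400Address` is declared as an ASN1_TYPE pointer while the decoder actually stores an ASN1_STRING there, so the old `ASN1_TYPE_cmp` call read string data as a type/value pair; the declaration is outside the hunk, so this needs confirming against the header. I would add one line to the free-text header of the patch file, for example `x400Address is decoded as an ASN1_STRING; it must be compared as one despite its declared type`, so a later cleanup does not drop the casts as redundant. `GENERAL_NAME_cmp` starts and ends outside the hunk.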
@@ -15,13 +15,16 @@
 depends=(glibc)
 optdepends=(ca-certificates)
 backup=(etc/libressl/openssl.cnf)
-source=(https://cdn.openbsd.org/pub/OpenBSD/LibreSSL/libressl-${pkgver}.tar.gz{,.asc})
+source=(https://cdn.openbsd.org/pub/OpenBSD/LibreSSL/libressl-${pkgver}.tar.gz{,.asc}
+ 018_x509.patch)
 sha256sums=('acfac61316e93b919c28d62d53037ca734de85c46b4d703f19fd8395cf006774'
- 'SKIP')
+ 'SKIP'
+ '5ecbb5618579b2305fea0adfc59b13aa2233982ed34b5f385eef2c6c04b7ed8e')
 validpgpkeys=(A1EB079B8D3EB92B4EBD3139663AF51BD5E4D8D5) # Brent Cook <[email protected]>
 prepare() {
 cd ${pkgname}-${pkgver}
+ patch -Np1 -i ../018_x509.patch
 autoreconf -vfi
 }
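Review bot: The new `018_x509.patch` entry in `source=` is a local file, so the only integrity check on the security fix is the sha256 added in this same commit; the signed errata named in the patch header (`018_x509.patch.sig`) is never fetched or verified by the build. The shipped file also appears to be a regenerated diff (git-style `index dadf6f1e4..1905e8cac` line and `crypto/x509/` paths), which would mean it cannot be byte-compared with the signed errata. I would record its origin next to the entry, for example `# 018_x509.patch: OpenBSD 7.2 errata 018, code diff re-rolled for the portable tarball (confirm origin)`, so a later reviewer can re-derive the file and compare it.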
