mirror of
https://github.com/void-linux/void-packages.git
synced 2025-06-09 00:23:52 +02:00
iojs: fix CVE-2015-1793.
This commit is contained in:
Enno Boland
parent
8a7f85cc48
commit
21cd45057e
3 changed files with 88 additions and 1 deletions
75
srcpkgs/iojs/patches/X509_verify_cert.patch
Normal file
75
srcpkgs/iojs/patches/X509_verify_cert.patch
Normal file
|
|
@ -0,0 +1,75 @@
|
||||||
|
--- deps/openssl/openssl/crypto/x509/x509_vfy.c
|
||||||
|
+++ deps/openssl/openssl/crypto/x509/x509_vfy.c
|
||||||
|
@@ -193,6 +193,14 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
|
||||||
|
X509err(X509_F_X509_VERIFY_CERT, X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
+ if (ctx->chain != NULL) {
|
||||||
|
+ /*
|
||||||
|
+ * This X509_STORE_CTX has already been used to verify a cert. We
|
||||||
|
+ * cannot do another one.
|
||||||
|
+ */
|
||||||
|
+ X509err(X509_F_X509_VERIFY_CERT, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
cb = ctx->verify_cb;
|
||||||
|
|
||||||
|
@@ -200,15 +208,13 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
|
||||||
|
* first we make sure the chain we are going to build is present and that
|
||||||
|
* the first entry is in place
|
||||||
|
*/
|
||||||
|
- if (ctx->chain == NULL) {
|
||||||
|
- if (((ctx->chain = sk_X509_new_null()) == NULL) ||
|
||||||
|
- (!sk_X509_push(ctx->chain, ctx->cert))) {
|
||||||
|
- X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
|
||||||
|
- goto end;
|
||||||
|
- }
|
||||||
|
- CRYPTO_add(&ctx->cert->references, 1, CRYPTO_LOCK_X509);
|
||||||
|
- ctx->last_untrusted = 1;
|
||||||
|
+ if (((ctx->chain = sk_X509_new_null()) == NULL) ||
|
||||||
|
+ (!sk_X509_push(ctx->chain, ctx->cert))) {
|
||||||
|
+ X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
|
||||||
|
+ goto end;
|
||||||
|
}
|
||||||
|
+ CRYPTO_add(&ctx->cert->references, 1, CRYPTO_LOCK_X509);
|
||||||
|
+ ctx->last_untrusted = 1;
|
||||||
|
|
||||||
|
/* We use a temporary STACK so we can chop and hack at it */
|
||||||
|
if (ctx->untrusted != NULL
|
||||||
|
--- deps/openssl/openssl/doc/crypto/X509_STORE_CTX_new.pod
|
||||||
|
+++ deps/openssl/openssl/doc/crypto/X509_STORE_CTX_new.pod
|
||||||
|
@@ -40,10 +40,15 @@ is no longer valid.
|
||||||
|
If B<ctx> is NULL nothing is done.
|
||||||
|
|
||||||
|
X509_STORE_CTX_init() sets up B<ctx> for a subsequent verification operation.
|
||||||
|
-The trusted certificate store is set to B<store>, the end entity certificate
|
||||||
|
-to be verified is set to B<x509> and a set of additional certificates (which
|
||||||
|
-will be untrusted but may be used to build the chain) in B<chain>. Any or
|
||||||
|
-all of the B<store>, B<x509> and B<chain> parameters can be B<NULL>.
|
||||||
|
+It must be called before each call to X509_verify_cert(), i.e. a B<ctx> is only
|
||||||
|
+good for one call to X509_verify_cert(); if you want to verify a second
|
||||||
|
+certificate with the same B<ctx> then you must call X509_XTORE_CTX_cleanup()
|
||||||
|
+and then X509_STORE_CTX_init() again before the second call to
|
||||||
|
+X509_verify_cert(). The trusted certificate store is set to B<store>, the end
|
||||||
|
+entity certificate to be verified is set to B<x509> and a set of additional
|
||||||
|
+certificates (which will be untrusted but may be used to build the chain) in
|
||||||
|
+B<chain>. Any or all of the B<store>, B<x509> and B<chain> parameters can be
|
||||||
|
+B<NULL>.
|
||||||
|
|
||||||
|
X509_STORE_CTX_trusted_stack() sets the set of trusted certificates of B<ctx>
|
||||||
|
to B<sk>. This is an alternative way of specifying trusted certificates
|
||||||
|
diff --git a/doc/crypto/X509_verify_cert.pod b/doc/crypto/X509_verify_cert.pod
|
||||||
|
index e5cfc6f..48055b0 100644
|
||||||
|
--- deps/openssl/openssl/doc/crypto/X509_verify_cert.pod
|
||||||
|
+++ deps/openssl/openssl/doc/crypto/X509_verify_cert.pod
|
||||||
|
@@ -32,7 +32,8 @@ OpenSSL internally for certificate validation, in both the S/MIME and
|
||||||
|
SSL/TLS code.
|
||||||
|
|
||||||
|
The negative return value from X509_verify_cert() can only occur if no
|
||||||
|
-certificate is set in B<ctx> (due to a programming error) or if a retry
|
||||||
|
+certificate is set in B<ctx> (due to a programming error); if X509_verify_cert()
|
||||||
|
+twice without reinitialising B<ctx> in between; or if a retry
|
||||||
|
operation is requested during internal lookups (which never happens with
|
||||||
|
standard lookup methods). It is however recommended that application check
|
||||||
|
for <= 0 return value on error.
|
||||||
|
|
@ -0,0 +1,12 @@
|
||||||
|
--- deps/openssl/openssl/crypto/x509/x509_vfy.c
|
||||||
|
+++ deps/openssl/openssl/crypto/x509/x509_vfy.c
|
||||||
|
@@ -392,8 +392,8 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
|
||||||
|
xtmp = sk_X509_pop(ctx->chain);
|
||||||
|
X509_free(xtmp);
|
||||||
|
num--;
|
||||||
|
- ctx->last_untrusted--;
|
||||||
|
}
|
||||||
|
+ ctx->last_untrusted = sk_X509_num(ctx->chain);
|
||||||
|
retry = 1;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
@ -1,7 +1,7 @@
|
||||||
# Template file for 'iojs'
|
# Template file for 'iojs'
|
||||||
pkgname=iojs
|
pkgname=iojs
|
||||||
version=2.3.3
|
version=2.3.3
|
||||||
revision=1
|
revision=2
|
||||||
wrksrc=iojs-v${version}
|
wrksrc=iojs-v${version}
|
||||||
hostmakedepends="pkg-config python"
|
hostmakedepends="pkg-config python"
|
||||||
makedepends="zlib-devel python-devel
|
makedepends="zlib-devel python-devel
|
||||||
|
|
|
||||||
Loading…
Add table
Reference in a new issue