| author | Martin Weinelt <mweinelt@users.noreply.github.com> | 2021-11-28 15:33:14 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-11-28 15:33:14 +0100 |
| commit | a284564b7f75ac4db73607db02076e8da9d42c9d (patch) | |
| tree | e000da54221ba4b480732b953955113dfa4805da | |
| parent | Merge pull request #139965 from risicle/ris-wolfssl-CVE-2021-38597-r21.05 (diff) | |
| parent | libressl_3_2: add patch for CVE-2021-41581 (diff) | |
| download | nixpkgs-a284564b7f75ac4db73607db02076e8da9d42c9d.tar.gz | |
Merge pull request #142029 from risicle/ris-libressl-CVE-2021-41581-r21.05
| -rw-r--r-- | pkgs/development/libraries/libressl/CVE-2021-41581.patch | 53 | ||||
| -rw-r--r-- | pkgs/development/libraries/libressl/default.nix | 3 |
2 files changed, 56 insertions, 0 deletions
diff --git a/pkgs/development/libraries/libressl/CVE-2021-41581.patch b/pkgs/development/libraries/libressl/CVE-2021-41581.patch
new file mode 100644
index 000000000000..244792567192
--- /dev/null
+++ b/pkgs/development/libraries/libressl/CVE-2021-41581.patch
@@ -0,0 +1,53 @@
+Based on upstream https://github.com/openbsd/src/commit/62ceddea5b1d64a1a362bbb7071d9e15adcde6b1
+with paths switched to apply to libressl-portable and CVS header
+hunk removed.
+
+--- a/crypto/x509/x509_constraints.c
++++ b/crypto/x509/x509_constraints.c
+@@ -339,16 +339,16 @@
+ if (c == '.')
+ goto bad;
+ }
+- if (wi > DOMAIN_PART_MAX_LEN)
+- goto bad;
+ if (accept) {
++ if (wi >= DOMAIN_PART_MAX_LEN)
++ goto bad;
+ working[wi++] = c;
+ accept = 0;
+ continue;
+ }
+ if (candidate_local != NULL) {
+ /* We are looking for the domain part */
+- if (wi > DOMAIN_PART_MAX_LEN)
++ if (wi >= DOMAIN_PART_MAX_LEN)
+ goto bad;
+ working[wi++] = c;
+ if (i == len - 1) {
+@@ -363,7 +363,7 @@
+ continue;
+ }
+ /* We are looking for the local part */
+- if (wi > LOCAL_PART_MAX_LEN)
++ if (wi >= LOCAL_PART_MAX_LEN)
+ break;
+
+ if (quoted) {
+@@ -383,6 +383,8 @@
+ */
+ if (c == 9)
+ goto bad;
++ if (wi >= LOCAL_PART_MAX_LEN)
++ goto bad;
+ working[wi++] = c;
+ continue; /* all's good inside our quoted string */
+ }
+@@ -412,6 +414,8 @@
+ }
+ if (!local_part_ok(c))
+ goto bad;
++ if (wi >= LOCAL_PART_MAX_LEN)
++ goto bad;
+ working[wi++] = c;
+ }
+ if (candidate_local == NULL || candidate_domain == NULL)
diff --git a/pkgs/development/libraries/libressl/default.nix b/pkgs/development/libraries/libressl/default.nix
index 3dffccf5f41d..e94128bbf423 100644
--- a/pkgs/development/libraries/libressl/default.nix
+++ b/pkgs/development/libraries/libressl/default.nix
@@ -71,5 +71,8 @@ in {
 libressl_3_2 = generic {
 version = "3.2.5";
 sha256 = "1zkwrs3b19s1ybz4q9hrb7pqsbsi8vxcs44qanfy11fkc7ynb2kr";
+ patches = [
+ ./CVE-2021-41581.patch
+ ];
 };
 }
|
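Review bot: The over-length local part is handled with `break` at `if (wi >= LOCAL_PART_MAX_LEN)` in the `-363,7` hunk, while every other length check in this patch uses `goto bad`, so rejection on that path depends on the post-loop `candidate_local == NULL || candidate_domain == NULL` test, whose body lies outside the patch context. This mirrors the upstream commit named in the header, so the code should stay as it is here, but it is worth confirming against the full function that the `break` path cannot return success with a truncated local part. The header would also benefit from one line saying what the change does, for example `Tightens the length checks before each working[wi++] write from > to >= and adds the missing ones.`, because the declared size of `working` is not visible in the patch and a reader cannot otherwise tell why `>=` is the right bound.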
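Review bot: Nothing next to `patches = [ ./CVE-2021-41581.patch ];` records when the patch can be dropped, which leaves whoever next bumps `version` for `libressl_3_2` to work out whether the fix is already in the new tarball. A one-line comment above the list, such as `# drop once the release contains upstream 62ceddea5b1d (see patch header)`, would cover it. The enclosing attribute set starts outside the hunk, so whether other `generic` entries in this file need the same patch cannot be judged from here.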
