author | Robert Scott <code@humanleg.org.uk> | 2021-10-03 16:00:33 +0100 |
committer | Robert Scott <code@humanleg.org.uk> | 2021-10-03 17:02:21 +0100 |
commit | 01cc988d9669f29855d82175a4614d90aa4bfe75 (patch) | |
tree | adc60bb1d955d4a06667538da8850941cb96e857 /pkgs/development | |
parent | 0f88e9ff053dddbb03e4c7cc87c49648e75492f7 (diff) |
libressl_3_2, libressl_3_4: add patch for CVE-2021-41581
Diffstat (limited to 'pkgs/development')
-rw-r--r-- | pkgs/development/libraries/libressl/CVE-2021-41581.patch | 53 | ||||
-rw-r--r-- | pkgs/development/libraries/libressl/default.nix | 7 |
2 files changed, 60 insertions, 0 deletions
diff --git a/pkgs/development/libraries/libressl/CVE-2021-41581.patch b/pkgs/development/libraries/libressl/CVE-2021-41581.patch
new file mode 100644
index 0000000000000..244792567192a
--- /dev/null
+++ b/pkgs/development/libraries/libressl/CVE-2021-41581.patch
@@ -0,0 +1,53 @@
+Based on upstream https://github.com/openbsd/src/commit/62ceddea5b1d64a1a362bbb7071d9e15adcde6b1
+with paths switched to apply to libressl-portable and CVS header
+hunk removed.
+
+--- a/crypto/x509/x509_constraints.c
++++ b/crypto/x509/x509_constraints.c
+@@ -339,16 +339,16 @@
+ if (c == '.')
+ goto bad;
+ }
+- if (wi > DOMAIN_PART_MAX_LEN)
+- goto bad;
+ if (accept) {
++ if (wi >= DOMAIN_PART_MAX_LEN)
++ goto bad;
+ working[wi++] = c;
+ accept = 0;
+ continue;
+ }
+ if (candidate_local != NULL) {
+ /* We are looking for the domain part */
+- if (wi > DOMAIN_PART_MAX_LEN)
++ if (wi >= DOMAIN_PART_MAX_LEN)
+ goto bad;
+ working[wi++] = c;
+ if (i == len - 1) {
+@@ -363,7 +363,7 @@
+ continue;
+ }
+ /* We are looking for the local part */
+- if (wi > LOCAL_PART_MAX_LEN)
++ if (wi >= LOCAL_PART_MAX_LEN)
+ break;
+ 
+ if (quoted) {
+@@ -383,6 +383,8 @@
+ */
+ if (c == 9)
+ goto bad;
++ if (wi >= LOCAL_PART_MAX_LEN)
++ goto bad;
+ working[wi++] = c;
+ continue; /* all's good inside our quoted string */
+ }
+@@ -412,6 +414,8 @@
+ }
+ if (!local_part_ok(c))
+ goto bad;
++ if (wi >= LOCAL_PART_MAX_LEN)
++ goto bad;
+ working[wi++] = c;
+ }
+ if (candidate_local == NULL || candidate_domain == NULL)
diff --git a/pkgs/development/libraries/libressl/default.nix b/pkgs/development/libraries/libressl/default.nix
index 23bc088ba11f9..d70672f63ac35 100644
--- a/pkgs/development/libraries/libressl/default.nix
+++ b/pkgs/development/libraries/libressl/default.nix
@@ -3,6 +3,7 @@
 , lib
 , cmake
 , cacert
+, fetchpatch
 , buildShared ? !stdenv.hostPlatform.isStatic
 }:
 
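Review bot: `fetchpatch` is added to the argument set in the `@@ -3,6 +3,7 @@` hunk of default.nix, but neither `patches` list in the following `@@ -82,9 +83,15 @@` hunk uses it — both reference the vendored `./CVE-2021-41581.patch`, so the new input is dead. Either drop the `, fetchpatch` line, or use `fetchpatch` to pull the upstream fix by its commit URL with a pinned hash so the patch's provenance is verified at build time instead of relying on a hand-edited copy. If the vendored copy is kept, a comment above each `patches` attribute naming the upstream commit it was derived from (the URL is already in the patch header) would tell the next version bump when the patch can be dropped.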
@@ -82,9 +83,15 @@ in {
 libressl_3_2 = generic {
 version = "3.2.5";
 sha256 = "1zkwrs3b19s1ybz4q9hrb7pqsbsi8vxcs44qanfy11fkc7ynb2kr";
+ patches = [
+ ./CVE-2021-41581.patch
+ ];
 };
 libressl_3_4 = generic {
 version = "3.4.0";
 sha256 = "1lhn76nd59p1dfd27b4636zj6wh3f5xsi8b3sxqnl820imsswbp5";
+ patches = [
+ ./CVE-2021-41581.patch
+ ];
 };
 } |