From 01cc988d9669f29855d82175a4614d90aa4bfe75 Mon Sep 17 00:00:00 2001
From: Robert Scott <code@humanleg.org.uk>
Date: Sun, 3 Oct 2021 16:00:33 +0100
Subject: libressl_3_2, libressl_3_4: add patch for CVE-2021-41581

---
 .../libraries/libressl/CVE-2021-41581.patch        | 53 ++++++++++++++++++++++
 pkgs/development/libraries/libressl/default.nix    |  7 +++
 2 files changed, 60 insertions(+)
 create mode 100644 pkgs/development/libraries/libressl/CVE-2021-41581.patch

(limited to 'pkgs/development/libraries/libressl')

diff --git a/pkgs/development/libraries/libressl/CVE-2021-41581.patch b/pkgs/development/libraries/libressl/CVE-2021-41581.patch
new file mode 100644
index 0000000000000..244792567192a
--- /dev/null
+++ b/pkgs/development/libraries/libressl/CVE-2021-41581.patch
@@ -0,0 +1,53 @@
+Based on upstream https://github.com/openbsd/src/commit/62ceddea5b1d64a1a362bbb7071d9e15adcde6b1
+with paths switched to apply to libressl-portable and CVS header
+hunk removed.
+
+--- a/crypto/x509/x509_constraints.c
++++ b/crypto/x509/x509_constraints.c
+@@ -339,16 +339,16 @@
+ 			if (c == '.')
+ 				goto bad;
+ 		}
+-		if (wi > DOMAIN_PART_MAX_LEN)
+-			goto bad;
+ 		if (accept) {
++			if (wi >= DOMAIN_PART_MAX_LEN)
++				goto bad;
+ 			working[wi++] = c;
+ 			accept = 0;
+ 			continue;
+ 		}
+ 		if (candidate_local != NULL) {
+ 			/* We are looking for the domain part */
+-			if (wi > DOMAIN_PART_MAX_LEN)
++			if (wi >= DOMAIN_PART_MAX_LEN)
+ 				goto bad;
+ 			working[wi++] = c;
+ 			if (i == len - 1) {
+@@ -363,7 +363,7 @@
+ 			continue;
+ 		}
+ 		/* We are looking for the local part */
+-		if (wi > LOCAL_PART_MAX_LEN)
++		if (wi >= LOCAL_PART_MAX_LEN)
+ 			break;
+ 
+ 		if (quoted) {
+@@ -383,6 +383,8 @@
+ 			 */
+ 			if (c == 9)
+ 				goto bad;
++			if (wi >= LOCAL_PART_MAX_LEN)
++				goto bad;
+ 			working[wi++] = c;
+ 			continue; /* all's good inside our quoted string */
+ 		}
+@@ -412,6 +414,8 @@
+ 		}
+ 		if (!local_part_ok(c))
+ 			goto bad;
++		if (wi >= LOCAL_PART_MAX_LEN)
++			goto bad;
+ 		working[wi++] = c;
+ 	}
+ 	if (candidate_local == NULL || candidate_domain == NULL)
diff --git a/pkgs/development/libraries/libressl/default.nix b/pkgs/development/libraries/libressl/default.nix
index 23bc088ba11f9..d70672f63ac35 100644
--- a/pkgs/development/libraries/libressl/default.nix
+++ b/pkgs/development/libraries/libressl/default.nix
@@ -3,6 +3,7 @@
 , lib
 , cmake
 , cacert
+, fetchpatch
 , buildShared ? !stdenv.hostPlatform.isStatic
 }:
 
@@ -82,9 +83,15 @@ in {
   libressl_3_2 = generic {
     version = "3.2.5";
     sha256 = "1zkwrs3b19s1ybz4q9hrb7pqsbsi8vxcs44qanfy11fkc7ynb2kr";
+    patches = [
+      ./CVE-2021-41581.patch
+    ];
   };
   libressl_3_4 = generic {
     version = "3.4.0";
     sha256 = "1lhn76nd59p1dfd27b4636zj6wh3f5xsi8b3sxqnl820imsswbp5";
+    patches = [
+      ./CVE-2021-41581.patch
+    ];
   };
 }
-- 
cgit 1.4.1