system/openssl: Update for CVE

2 files changed, 56 insertions, 1 deletions

diff --git a/system/openssl/APKBUILD b/system/openssl/APKBUILD
index cf3ac587e..851c4f7ae 100644
--- a/system/openssl/APKBUILD
+++ b/system/openssl/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: A. Wilcox <awilfox@adelielinux.org>
 pkgname=openssl
 pkgver=1.1.1t
-pkgrel=0
+pkgrel=1
 pkgdesc="Toolkit for SSL and TLS"
 url="https://www.openssl.org/"
 arch="all"
@@ -12,6 +12,7 @@ makedepends_build="perl"
 subpackages="$pkgname-dbg $pkgname-dev $pkgname-doc libcrypto1.1:libcrypto
 	libssl1.1:libssl"
 source="https://www.openssl.org/source/${pkgname}-${pkgver}.tar.gz
+	CVE-2023-0465.patch
 	ppc-auxv.patch
 	ppc64.patch
 	"
@@ -60,6 +61,8 @@ source="https://www.openssl.org/source/${pkgname}-${pkgver}.tar.gz
 #     - CVE-2019-1551
 #   1.1.1g-r0:
 #     - CVE-2020-1967
+#   1.1.1t-r1:
+#     - CVE-2023-0465
 
 build() {
 	# openssl will prepend crosscompile always core CC et al
@@ -130,5 +133,6 @@ libssl() {
 }
 
 sha512sums="628676c9c3bc1cf46083d64f61943079f97f0eefd0264042e40a85dbbd988f271bfe01cd1135d22cc3f67a298f1d078041f8f2e97b0da0d93fe172da573da18c  openssl-1.1.1t.tar.gz
+c86d1a74387f3e0ff085e2785bd834b529fdc6b397fa8f559d413b9fa4e35848523c58ce94e00e75b17f55af28f58f0c347973a739a5d15465e205391fc59b26  CVE-2023-0465.patch
 7fd3158c6eb3451f10e4bfd78f85c3e7aef84716eb38e00503d5cfc8e414b7bdf02e0671d0299a96a453dd2e38249dcf1281136b27b6df372f3ea08fbf78329b  ppc-auxv.patch
 e040f23770d52b988578f7ff84d77563340f37c026db7643db8e4ef18e795e27d10cb42cb8656da4d9c57a28283a2828729d70f940edc950c3422a54fea55509  ppc64.patch"
diff --git a/system/openssl/CVE-2023-0465.patch b/system/openssl/CVE-2023-0465.patch
new file mode 100644
index 000000000..a270624d3
--- /dev/null
+++ b/system/openssl/CVE-2023-0465.patch
@@ -0,0 +1,51 @@
+From b013765abfa80036dc779dd0e50602c57bb3bf95 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Tue, 7 Mar 2023 16:52:55 +0000
+Subject: [PATCH] Ensure that EXFLAG_INVALID_POLICY is checked even in leaf
+ certs
+
+Even though we check the leaf cert to confirm it is valid, we
+later ignored the invalid flag and did not notice that the leaf
+cert was bad.
+
+Fixes: CVE-2023-0465
+
+Reviewed-by: Hugo Landau <hlandau@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/20588)
+---
+ crypto/x509/x509_vfy.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
+index 925fbb54125..1dfe4f9f31a 100644
+--- a/crypto/x509/x509_vfy.c
++++ b/crypto/x509/x509_vfy.c
+@@ -1649,18 +1649,25 @@ static int check_policy(X509_STORE_CTX *ctx)
+     }
+     /* Invalid or inconsistent extensions */
+     if (ret == X509_PCY_TREE_INVALID) {
+-        int i;
++        int i, cbcalled = 0;
+ 
+         /* Locate certificates with bad extensions and notify callback. */
+-        for (i = 1; i < sk_X509_num(ctx->chain); i++) {
++        for (i = 0; i < sk_X509_num(ctx->chain); i++) {
+             X509 *x = sk_X509_value(ctx->chain, i);
+ 
+             if (!(x->ex_flags & EXFLAG_INVALID_POLICY))
+                 continue;
++            cbcalled = 1;
+             if (!verify_cb_cert(ctx, x, i,
+                                 X509_V_ERR_INVALID_POLICY_EXTENSION))
+                 return 0;
+         }
++        if (!cbcalled) {
++            /* Should not be able to get here */
++            X509err(X509_F_CHECK_POLICY, ERR_R_INTERNAL_ERROR);
++            return 0;
++        }
++        /* The callback ignored the error so we return success */
+         return 1;
+     }
+     if (ret == X509_PCY_TREE_FAILURE) {