summaryrefslogtreecommitdiffstats
path: root/meta/recipes-connectivity/openssl/openssl/CVE-2023-0465.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-connectivity/openssl/openssl/CVE-2023-0465.patch')
-rw-r--r--meta/recipes-connectivity/openssl/openssl/CVE-2023-0465.patch56
1 files changed, 0 insertions, 56 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-0465.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-0465.patch
deleted file mode 100644
index 57fd494464..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2023-0465.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From 1dd43e0709fece299b15208f36cc7c76209ba0bb Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Tue, 7 Mar 2023 16:52:55 +0000
-Subject: [PATCH] Ensure that EXFLAG_INVALID_POLICY is checked even in leaf
- certs
-
-Even though we check the leaf cert to confirm it is valid, we
-later ignored the invalid flag and did not notice that the leaf
-cert was bad.
-
-Fixes: CVE-2023-0465
-
-Reviewed-by: Hugo Landau <hlandau@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/20587)
-
-Upstream-Status: Backport from [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1dd43e0709fece299b15208f36cc7c76209ba0bb]
-CVE: CVE-2023-0465
-Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
----
- crypto/x509/x509_vfy.c | 12 ++++++++++--
- 1 file changed, 10 insertions(+), 2 deletions(-)
-
-diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
-index 9384f1d..a0282c3 100644
---- a/crypto/x509/x509_vfy.c
-+++ b/crypto/x509/x509_vfy.c
-@@ -1654,15 +1654,23 @@ static int check_policy(X509_STORE_CTX *ctx)
- goto memerr;
- /* Invalid or inconsistent extensions */
- if (ret == X509_PCY_TREE_INVALID) {
-- int i;
-+ int i, cbcalled = 0;
-
- /* Locate certificates with bad extensions and notify callback. */
-- for (i = 1; i < sk_X509_num(ctx->chain); i++) {
-+ for (i = 0; i < sk_X509_num(ctx->chain); i++) {
- X509 *x = sk_X509_value(ctx->chain, i);
-
-+ if ((x->ex_flags & EXFLAG_INVALID_POLICY) != 0)
-+ cbcalled = 1;
- CB_FAIL_IF((x->ex_flags & EXFLAG_INVALID_POLICY) != 0,
- ctx, x, i, X509_V_ERR_INVALID_POLICY_EXTENSION);
- }
-+ if (!cbcalled) {
-+ /* Should not be able to get here */
-+ ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR);
-+ return 0;
-+ }
-+ /* The callback ignored the error so we return success */
- return 1;
- }
- if (ret == X509_PCY_TREE_FAILURE) {
---
-2.35.7
-
generated by cgit 1.2.3-korg (git 2.39.0) at 2024-05-17 20:56:19 +0000