* [gentoo-commits] repo/proj/libressl:master commit in: dev-libs/libressl/files/, dev-libs/libressl/, profiles/
@ 2021-10-02 21:54 Quentin Retornaz
From: Quentin Retornaz @ 2021-10-02 21:54 UTC (permalink / raw
  To: gentoo-commits

commit:     0c759747d0b7d726e0ab72fab846f912a3716c83
Author:     itZzenXX <codeberg.giovanni <AT> aleeas <DOT> com>
AuthorDate: Sat Oct  2 20:41:42 2021 +0000
Commit:     Quentin Retornaz <gentoo <AT> retornaz <DOT> com>
CommitDate: Sat Oct  2 21:53:38 2021 +0000
URL:        https://gitweb.gentoo.org/repo/proj/libressl.git/commit/?id=0c759747

Rev bump LibreSSL 3.4.0-r1: patch to fix CVE-2021-41581

Signed-off-by: itZzenXX <codeberg.giovanni <AT> aleeas.com>
Closes: https://github.com/gentoo/libressl/pull/360
Signed-off-by: Quentin Retornaz <gentoo <AT> retornaz.com>

 dev-libs/libressl/files/libressl-3.4.0-x509.patch  | 51 ++++++++++++++++++++++
 ...ressl-3.4.0.ebuild => libressl-3.4.0-r1.ebuild} |  3 ++
 profiles/package.mask                              |  4 ++
 3 files changed, 58 insertions(+)

diff --git a/dev-libs/libressl/files/libressl-3.4.0-x509.patch b/dev-libs/libressl/files/libressl-3.4.0-x509.patch
new file mode 100644
index 0000000..c7d83e0
--- /dev/null
+++ b/dev-libs/libressl/files/libressl-3.4.0-x509.patch
@@ -0,0 +1,51 @@
+diff --git a/crypto/x509/x509_constraints.c b/crypto/x509/x509_constraints.c
+index fade58c..9ad5d4b 100644
+--- a/crypto/x509/x509_constraints.c
++++ b/crypto/x509/x509_constraints.c
+@@ -339,16 +339,16 @@ x509_constraints_parse_mailbox(uint8_t *candidate, size_t len,
+ 			if (c == '.')
+ 				goto bad;
+ 		}
+-		if (wi > DOMAIN_PART_MAX_LEN)
+-			goto bad;
+ 		if (accept) {
++		        if (wi > DOMAIN_PART_MAX_LEN)
++			        goto bad;
+ 			working[wi++] = c;
+ 			accept = 0;
+ 			continue;
+ 		}
+ 		if (candidate_local != NULL) {
+ 			/* We are looking for the domain part */
+-			if (wi > DOMAIN_PART_MAX_LEN)
++			if (wi >= DOMAIN_PART_MAX_LEN)
+ 				goto bad;
+ 			working[wi++] = c;
+ 			if (i == len - 1) {
+@@ -363,7 +363,7 @@ x509_constraints_parse_mailbox(uint8_t *candidate, size_t len,
+ 			continue;
+ 		}
+ 		/* We are looking for the local part */
+-		if (wi > LOCAL_PART_MAX_LEN)
++		if (wi >= LOCAL_PART_MAX_LEN)
+ 			break;
+ 
+ 		if (quoted) {
+@@ -383,6 +383,8 @@ x509_constraints_parse_mailbox(uint8_t *candidate, size_t len,
+ 			 */
+ 			if (c == 9)
+ 				goto bad;
++			if (wi >= LOCAL_PART_MAX_LEN)
++			        goto bad;
+ 			working[wi++] = c;
+ 			continue; /* all's good inside our quoted string */
+ 		}
+@@ -412,6 +414,8 @@ x509_constraints_parse_mailbox(uint8_t *candidate, size_t len,
+ 		}
+ 		if (!local_part_ok(c))
+ 			goto bad;
++		if (wi >= LOCAL_PART_MAX_LEN)
++		        goto bad;
+ 		working[wi++] = c;
+ 	}
+ 	if (candidate_local == NULL || candidate_domain == NULL)
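Review bot: The bounds check that was moved into the `if (accept)` branch still compares with `>`, while every other guard this patch touches or adds uses `>=`. The declaration of `working` is outside the hunks, so this is inferred: if the buffer is sized for `DOMAIN_PART_MAX_LEN` characters plus a terminator, a write at `wi == DOMAIN_PART_MAX_LEN` fills the last byte and leaves the string unterminated for later reads. I would make it `if (wi >= DOMAIN_PART_MAX_LEN)` and compare the result with the fix upstream shipped. The added lines are also indented with spaces where the surrounding code uses tabs. `x509_constraints_parse_mailbox` starts and ends outside these hunks.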

diff --git a/dev-libs/libressl/libressl-3.4.0.ebuild b/dev-libs/libressl/libressl-3.4.0-r1.ebuild
similarity index 96%
rename from dev-libs/libressl/libressl-3.4.0.ebuild
rename to dev-libs/libressl/libressl-3.4.0-r1.ebuild
index b92c362..5b10386 100644
--- a/dev-libs/libressl/libressl-3.4.0.ebuild
+++ b/dev-libs/libressl/libressl-3.4.0-r1.ebuild
@@ -40,6 +40,9 @@ src_prepare() {
 		Makefile.in || die "Removing tests failed"
 	fi
 
+	# CVE-2021-41581
+	eapply "${FILESDIR}"/${PN}-3.4.0-x509.patch
+
 	eapply "${FILESDIR}"/${PN}-2.8.3-solaris10.patch
 	#eapply "${FILESDIR}"/${PN}-3.2.2-build.patch
 	eapply_user
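Review bot: The comment above the new `eapply` names only the CVE, and the patch file itself carries no header, so nothing here records where the fix came from or whether upstream has merged it. For a security patch carried in `files/`, I would record the provenance, e.g. `# CVE-2021-41581: bounds checks in x509_constraints_parse_mailbox, from <upstream commit or issue URL>; drop on next version bump`. `src_prepare` begins and continues outside this hunk.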

diff --git a/profiles/package.mask b/profiles/package.mask
index bac8f13..6689349 100644
--- a/profiles/package.mask
+++ b/profiles/package.mask
@@ -1,4 +1,8 @@
 # 2021-10-02
 # LibreSSL 3.4.0 is causing build issues on many packages.
 # Masked until build issues are solved.
+=dev-libs/libressl-3.4.0-r1
+
+# 2021-10-02
+# This version is affected by a vulnerability: CVE-2021-41581
 =dev-libs/libressl-3.4.0
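Review bot: The entry `=dev-libs/libressl-3.4.0` now masks an ebuild that this same commit renames to `libressl-3.4.0-r1.ebuild`, so it presumably only affects copies that are already installed. The patched `-r1` is masked by the block above, which leaves users on 3.4.0 without an unmasked fixed 3.4.x to move to. I would say this in the comment, e.g. `# Ebuild removed; kept so installed 3.4.0 is flagged. Fixed in 3.4.0-r1 (masked above for build issues).` The build-issue reason also still applies to plain 3.4.0, but it is no longer listed for that version.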

