CVS commit: pkgsrc/security/openssl

["Tim Zingelman" <tez%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   tez
Date:           Fri Sep 22 21:02:43 UTC 2017

Modified Files:
        pkgsrc/security/openssl: Makefile distinfo
Added Files:
        pkgsrc/security/openssl/patches: patch-crypto_x509v3_v3_addr.c

Log Message:
openssl: fix for CVE-2017-3735


To generate a diff of this commit:
cvs rdiff -u -r1.231 -r1.232 pkgsrc/security/openssl/Makefile
cvs rdiff -u -r1.127 -r1.128 pkgsrc/security/openssl/distinfo
cvs rdiff -u -r0 -r1.1 \
    pkgsrc/security/openssl/patches/patch-crypto_x509v3_v3_addr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/security/openssl/Makefile
diff -u pkgsrc/security/openssl/Makefile:1.231 pkgsrc/security/openssl/Makefile:1.232
--- pkgsrc/security/openssl/Makefile:1.231      Sat Aug  5 11:06:29 2017
+++ pkgsrc/security/openssl/Makefile    Fri Sep 22 21:02:43 2017
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.231 2017/08/05 11:06:29 bsiegert Exp $
+# $NetBSD: Makefile,v 1.232 2017/09/22 21:02:43 tez Exp $
 
 DISTNAME=      openssl-1.0.2k
+PKGREVISION=   1
 CATEGORIES=    security
 MASTER_SITES=  https://www.openssl.org/source/
 

Index: pkgsrc/security/openssl/distinfo
diff -u pkgsrc/security/openssl/distinfo:1.127 pkgsrc/security/openssl/distinfo:1.128
--- pkgsrc/security/openssl/distinfo:1.127      Thu Jan 26 16:31:57 2017
+++ pkgsrc/security/openssl/distinfo    Fri Sep 22 21:02:43 2017
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.127 2017/01/26 16:31:57 jperkin Exp $
+$NetBSD: distinfo,v 1.128 2017/09/22 21:02:43 tez Exp $
 
 SHA1 (openssl-1.0.2k.tar.gz) = 5f26a624479c51847ebd2f22bb9f84b3b44dcb44
 RMD160 (openssl-1.0.2k.tar.gz) = 56b70831e49f83987ec14b3878d0d693f9a7d862
@@ -11,4 +11,5 @@ SHA1 (patch-apps_Makefile) = 60113291f2a
 SHA1 (patch-config) = 345cadece3bdf0ef0a273a6c9ba6d0cbb1026a31
 SHA1 (patch-crypto_bn_bn__prime.pl) = a516f3709a862d85e659d466e895419b1e0a94c8
 SHA1 (patch-crypto_des_Makefile) = 7a23f9883ff6c93ec0e5d08e1332cc95de8cdba2
+SHA1 (patch-crypto_x509v3_v3_addr.c) = 0782668ce0748b58eda9036ee93fa926e575698b
 SHA1 (patch-tools_Makefile) = 67f0b9b501969382fd89b678c277d32bf5d294bc

Added files:

Index: pkgsrc/security/openssl/patches/patch-crypto_x509v3_v3_addr.c
diff -u /dev/null pkgsrc/security/openssl/patches/patch-crypto_x509v3_v3_addr.c:1.1
--- /dev/null   Fri Sep 22 21:02:43 2017
+++ pkgsrc/security/openssl/patches/patch-crypto_x509v3_v3_addr.c       Fri Sep 22 21:02:43 2017
@@ -0,0 +1,25 @@
+$NetBSD: patch-crypto_x509v3_v3_addr.c,v 1.1 2017/09/22 21:02:43 tez Exp $
+
+Patch for CVE-2017-3735 from 
+https://github.com/openssl/openssl/commit/31c8b265591a0aaa462a1f3eb5770661aaac67db
+
+
+--- crypto/x509v3/v3_addr.c
++++ crypto/x509v3/v3_addr.c
+@@ -130,10 +130,12 @@ static int length_from_afi(const unsigned afi)
+  */
+ unsigned int v3_addr_get_afi(const IPAddressFamily *f)
+ {
+-    return ((f != NULL &&
+-             f->addressFamily != NULL && f->addressFamily->data != NULL)
+-            ? ((f->addressFamily->data[0] << 8) | (f->addressFamily->data[1]))
+-            : 0);
++    if (f == NULL
++            || f->addressFamily == NULL
++            || f->addressFamily->data == NULL
++            || f->addressFamily->length < 2)
++        return 0;
++    return (f->addressFamily->data[0] << 8) | f->addressFamily->data[1];
+ }
+ 
+ /*