<pre style='margin:0'>
Clemens Lang (neverpanic) pushed a commit to branch master
in repository macports-ports.
</pre>
<p><a href="https://github.com/macports/macports-ports/commit/da7f63aed72c3427ced8a5ccb717d84201b8e9cf">https://github.com/macports/macports-ports/commit/da7f63aed72c3427ced8a5ccb717d84201b8e9cf</a></p>
<pre style="white-space: pre; background: #F8F8F8">The following commit(s) were added to refs/heads/master by this push:
<span style='display:block; white-space:pre;color:#404040;'> new da7f63aed72 openssl3: Fix CVE-2023-0465, CVE-2023-0466
</span>da7f63aed72 is described below
<span style='display:block; white-space:pre;color:#808000;'>commit da7f63aed72c3427ced8a5ccb717d84201b8e9cf
</span>Author: Clemens Lang <cal@macports.org>
AuthorDate: Thu Mar 30 20:58:47 2023 +0200
<span style='display:block; white-space:pre;color:#404040;'> openssl3: Fix CVE-2023-0465, CVE-2023-0466
</span><span style='display:block; white-space:pre;color:#404040;'>
</span><span style='display:block; white-space:pre;color:#404040;'> See https://www.openssl.org/news/secadv/20230328.txt for the advisory.
</span><span style='display:block; white-space:pre;color:#404040;'> Both of these are low severity fixes and do not change ABI or installed
</span><span style='display:block; white-space:pre;color:#404040;'> files. For these reasons, no bump of the openssl port or the other ports
</span><span style='display:block; white-space:pre;color:#404040;'> mentioned in the Portfile is required.
</span><span style='display:block; white-space:pre;color:#404040;'>
</span><span style='display:block; white-space:pre;color:#404040;'> CVE: CVE-2023-0465, CVE-2023-0466
</span>---
devel/openssl3/Portfile | 6 ++-
.../facfb1ab745646e97a1920977ae4a9965ea61d5c.patch | 54 ++++++++++++++++++++++
.../fc814a30fc4f0bc54fcea7d9a7462f5457aab061.patch | 48 +++++++++++++++++++
3 files changed, 106 insertions(+), 2 deletions(-)
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/devel/openssl3/Portfile b/devel/openssl3/Portfile
</span><span style='display:block; white-space:pre;color:#808080;'>index 381543c884e..fd562020d83 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/devel/openssl3/Portfile
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/devel/openssl3/Portfile
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -11,7 +11,7 @@ legacysupport.newest_darwin_requires_legacy 8
</span> set major_v 3
name openssl$major_v
version ${major_v}.1.0
<span style='display:block; white-space:pre;background:#ffe0e0;'>-revision 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+revision 2
</span>
# Please revbump these ports when updating the openssl3 version/revision
# - freeradius (#43461)
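Review bot: The comment directly below `+revision 2` ("Please revbump these
ports when updating the openssl3 version/revision") states a rule this push
deliberately does not follow, since the commit message explains that neither
ABI nor installed files change. The revision bump itself is correct (the
patchfiles list changes in the same Portfile), but suggest extending that
comment with the exception, e.g. "not required for security-only patches
that leave ABI and installed files unchanged", so the stated rule and the
practice stay consistent for the next maintainer.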
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -55,7 +55,9 @@ patchfiles avx512.patch \
</span> patch-openssl3-ppc-asm.diff \
2017771e2db3e2b96f89bbe8766c3209f6a99545.patch \
d79bb5316e1318bd776d6b2d6723a36778e07f9d.patch \
<span style='display:block; white-space:pre;background:#ffe0e0;'>- 52a38144b019cfda6b0e5eaa0aca88ae11661a26.patch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ 52a38144b019cfda6b0e5eaa0aca88ae11661a26.patch \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ facfb1ab745646e97a1920977ae4a9965ea61d5c.patch \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fc814a30fc4f0bc54fcea7d9a7462f5457aab061.patch
</span>
if {${os.platform} eq "darwin" && ${os.major} < 11} {
# Having the stdlib set to libc++ on 10.6 causes a dependency on a
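Review bot: Worth confirming before merge that the two new patchfiles apply
with the strip level this port already uses: the embedded upstream diffs use
`./crypto/x509/x509_vfy.c` and `./doc/man3/...` paths rather than `a/` and
`b/` prefixes, which still require exactly one leading component to be
stripped (-p1). The list edit itself is right: the continuation backslash
is restored on the `52a38144...patch` line, the new names follow the
existing hash-named convention, and the push diffstat (4 + 54 + 48 = 106
insertions, 2 deletions) matches the three files listed.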
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/devel/openssl3/files/facfb1ab745646e97a1920977ae4a9965ea61d5c.patch b/devel/openssl3/files/facfb1ab745646e97a1920977ae4a9965ea61d5c.patch
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 00000000000..e41a884dd1f
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/devel/openssl3/files/facfb1ab745646e97a1920977ae4a9965ea61d5c.patch
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,54 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+From facfb1ab745646e97a1920977ae4a9965ea61d5c Mon Sep 17 00:00:00 2001
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+From: Matt Caswell <matt@openssl.org>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Date: Tue, 7 Mar 2023 16:52:55 +0000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Subject: [PATCH] Ensure that EXFLAG_INVALID_POLICY is checked even in leaf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ certs
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Even though we check the leaf cert to confirm it is valid, we
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+later ignored the invalid flag and did not notice that the leaf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+cert was bad.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Fixes: CVE-2023-0465
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Reviewed-by: Hugo Landau <hlandau@openssl.org>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Reviewed-by: Tomas Mraz <tomas@openssl.org>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+(Merged from https://github.com/openssl/openssl/pull/20586)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Upstream-Status: Backport [https://github.com/openssl/openssl/commit/facfb1ab]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+---
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ crypto/x509/x509_vfy.c | 12 ++++++++++--
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ 1 file changed, 10 insertions(+), 2 deletions(-)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 9384f1da9b..a0282c3ef1 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- ./crypto/x509/x509_vfy.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ ./crypto/x509/x509_vfy.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1654,15 +1654,23 @@ static int check_policy(X509_STORE_CTX *ctx)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ goto memerr;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Invalid or inconsistent extensions */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (ret == X509_PCY_TREE_INVALID) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- int i;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int i, cbcalled = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Locate certificates with bad extensions and notify callback. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- for (i = 1; i < sk_X509_num(ctx->chain); i++) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ for (i = 0; i < sk_X509_num(ctx->chain); i++) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ X509 *x = sk_X509_value(ctx->chain, i);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((x->ex_flags & EXFLAG_INVALID_POLICY) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ cbcalled = 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ CB_FAIL_IF((x->ex_flags & EXFLAG_INVALID_POLICY) != 0,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ctx, x, i, X509_V_ERR_INVALID_POLICY_EXTENSION);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!cbcalled) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Should not be able to get here */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* The callback ignored the error so we return success */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (ret == X509_PCY_TREE_FAILURE) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+2.40.0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
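Review bot: One caveat worth recording for users of this port: the new
check is still routed through CB_FAIL_IF, so an application whose verify
callback unconditionally returns success will continue to accept a leaf
certificate carrying an invalid policy extension (the comment `The callback
ignored the error so we return success` spells this out); the fix restores
detection, not enforcement against permissive callbacks. The backport
otherwise looks faithful to upstream: starting the loop at `i = 0` instead
of `i = 1` brings the leaf (index 0) into the EXFLAG_INVALID_POLICY check,
the `cbcalled` guard turns the previously silent `return 1` for a tree
reported invalid with no flagged certificate into ERR_R_INTERNAL_ERROR, and
the hunk header `@@ -1654,15 +1654,23 @@` and stat `10 insertions(+),
2 deletions(-)` agree with the eight added and two removed lines.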
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/devel/openssl3/files/fc814a30fc4f0bc54fcea7d9a7462f5457aab061.patch b/devel/openssl3/files/fc814a30fc4f0bc54fcea7d9a7462f5457aab061.patch
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 00000000000..6c2bf23850c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/devel/openssl3/files/fc814a30fc4f0bc54fcea7d9a7462f5457aab061.patch
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,48 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+From fc814a30fc4f0bc54fcea7d9a7462f5457aab061 Mon Sep 17 00:00:00 2001
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+From: Tomas Mraz <tomas@openssl.org>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Date: Tue, 21 Mar 2023 16:15:47 +0100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Subject: [PATCH] Fix documentation of X509_VERIFY_PARAM_add0_policy()
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+The function was incorrectly documented as enabling policy checking.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Fixes: CVE-2023-0466
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Reviewed-by: Paul Dale <pauli@openssl.org>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Reviewed-by: Matt Caswell <matt@openssl.org>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+(Merged from https://github.com/openssl/openssl/pull/20562)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Upstream-Status: Backport [https://github.com/openssl/openssl/commit/fc814a30fc]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+---
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ doc/man3/X509_VERIFY_PARAM_set_flags.pod | 9 +++++++--
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ 3 files changed, 17 insertions(+), 2 deletions(-)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 20aea99b5b..fcbbfc4c30 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- ./doc/man3/X509_VERIFY_PARAM_set_flags.pod
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ ./doc/man3/X509_VERIFY_PARAM_set_flags.pod
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -98,8 +98,9 @@ B<trust>.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ X509_VERIFY_PARAM_set_time() sets the verification time in B<param> to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ B<t>. Normally the current time is used.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-by default) and adds B<policy> to the acceptable policy set.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++X509_VERIFY_PARAM_add0_policy() adds B<policy> to the acceptable policy set.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Contrary to preexisting documentation of this function it does not enable
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++policy checking.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ by default) and sets the acceptable policy set to B<policies>. Any existing
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -400,6 +401,10 @@ The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ The X509_VERIFY_PARAM_get0_host(), X509_VERIFY_PARAM_get0_email(),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ and X509_VERIFY_PARAM_get1_ip_asc() functions were added in OpenSSL 3.0.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++The function X509_VERIFY_PARAM_add0_policy() was historically documented as
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++enabling policy checking however the implementation has never done this.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++The documentation was changed to align with the implementation.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ =head1 COPYRIGHT
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Copyright 2009-2023 The OpenSSL Project Authors. All Rights Reserved.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+2.40.0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
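Review bot: The diffstat inside this patch is stale: it says `3 files
changed, 17 insertions(+), 2 deletions(-)` but only one file,
doc/man3/X509_VERIFY_PARAM_set_flags.pod with `9 +++++++--`, is carried in
the backport, presumably because the other files touched upstream were
trimmed. Suggest regenerating the stat (or dropping it) so the file is not
mistaken for a truncated patch when it is next rebased. Also note for
anyone relying on this port that the change is documentation only:
X509_VERIFY_PARAM_add0_policy() never enabled policy checking and the text
now says so, so applications that depended on the old description must
call X509_VERIFY_PARAM_set1_policies() or otherwise enable policy checking
themselves to get the behaviour they expected.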
</span></pre>