<pre style='margin:0'>
Clemens Lang (neverpanic) pushed a commit to branch master
in repository macports-ports.
</pre>
<p><a href="https://github.com/macports/macports-ports/commit/8427ae1f82e7b48e48126ef7d5b210d45bd319bb">https://github.com/macports/macports-ports/commit/8427ae1f82e7b48e48126ef7d5b210d45bd319bb</a></p>
<pre style="white-space: pre; background: #F8F8F8">The following commit(s) were added to refs/heads/master by this push:
<span style='display:block; white-space:pre;color:#404040;'> new 8427ae1f82e openssl3: Fix CVE-2025-4575
</span>8427ae1f82e is described below
<span style='display:block; white-space:pre;color:#808000;'>commit 8427ae1f82e7b48e48126ef7d5b210d45bd319bb
</span>Author: Clemens Lang <cal@macports.org>
AuthorDate: Thu May 22 16:13:40 2025 +0200
<span style='display:block; white-space:pre;color:#404040;'> openssl3: Fix CVE-2025-4575
</span><span style='display:block; white-space:pre;color:#404040;'>
</span><span style='display:block; white-space:pre;color:#404040;'> No revbump of dependents, since this is a very minor CVE fix only and
</span><span style='display:block; white-space:pre;color:#404040;'> the OpenSSL version stays the same.
</span>---
devel/openssl3/Portfile | 5 +-
...-Fix-the-addreject-option-adding-trust-in.patch | 66 ++++++++++++++++++++++
2 files changed, 70 insertions(+), 1 deletion(-)
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/devel/openssl3/Portfile b/devel/openssl3/Portfile
</span><span style='display:block; white-space:pre;color:#808080;'>index fd901d5b352..04078acb3b4 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/devel/openssl3/Portfile
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/devel/openssl3/Portfile
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -14,7 +14,7 @@ set major_v 3
</span> epoch 1
github.setup openssl openssl ${major_v}.5.0 openssl-
name openssl3
<span style='display:block; white-space:pre;background:#ffe0e0;'>-revision 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+revision 1
</span>
github.tarball_from releases
checksums rmd160 a91cd921f76ba9833d2539a980f4366088f3ea8a \
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -56,6 +56,9 @@ if {${os.platform} eq "darwin" && ${os.major} < 18} {
</span> }
}
<span style='display:block; white-space:pre;background:#e0ffe0;'>+# CVE-2025-4575
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+patchfiles-append 0001-apps-x509.c-Fix-the-addreject-option-adding-trust-in.patch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span> # https://github.com/macports/macports-ports/pull/26250#issuecomment-2437709579
# OpenSSL 3.4.0 implements new intrinsic code that increases compiler
# requirements. We can only use bootstrap Clang because the newer
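Review bot: The "# CVE-2025-4575" comment above patchfiles-append does not say
where the patch comes from or when it can be dropped. The patch header marks it
as a backport (Upstream-status: Backport [e96d2244], merged from
https://github.com/openssl/openssl/pull/27672), so consider adding that upstream
reference to the Portfile comment together with a reminder to remove the
patchfile at the next version update that already contains the fix.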
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/devel/openssl3/files/0001-apps-x509.c-Fix-the-addreject-option-adding-trust-in.patch b/devel/openssl3/files/0001-apps-x509.c-Fix-the-addreject-option-adding-trust-in.patch
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 00000000000..41e49abe471
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/devel/openssl3/files/0001-apps-x509.c-Fix-the-addreject-option-adding-trust-in.patch
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,66 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+From e96d22446e633d117e6c9904cb15b4693e956eaa Mon Sep 17 00:00:00 2001
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+From: Tomas Mraz <tomas@openssl.org>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Date: Tue, 20 May 2025 16:34:10 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Subject: [PATCH] apps/x509.c: Fix the -addreject option adding trust instead
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ of rejection
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Fixes CVE-2025-4575
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Reviewed-by: Paul Dale <ppzgs1@gmail.com>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+(Merged from https://github.com/openssl/openssl/pull/27672)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+(cherry picked from commit 0eb9acc24febb1f3f01f0320cfba9654cf66b0ac)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Generator: git format-patch -1 --no-numbered --minimal --patience --src-prefix=./ --dst-prefix=./ e96d2244
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Upstream-status: Backport [e96d2244]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+---
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ apps/x509.c | 2 +-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ test/recipes/25-test_x509.t | 12 +++++++++++-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ 2 files changed, 12 insertions(+), 2 deletions(-)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git ./apps/x509.c ./apps/x509.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index fdae8f383a..0c340c15b3 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- ./apps/x509.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ ./apps/x509.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -465,7 +465,7 @@ int x509_main(int argc, char **argv)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ prog, opt_arg());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ goto opthelp;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (!sk_ASN1_OBJECT_push(trust, objtmp))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!sk_ASN1_OBJECT_push(reject, objtmp))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ goto end;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ trustout = 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git ./test/recipes/25-test_x509.t ./test/recipes/25-test_x509.t
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 09b61708ff..dfa0a428f5 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- ./test/recipes/25-test_x509.t
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ ./test/recipes/25-test_x509.t
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -16,7 +16,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ setup("test_x509");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-plan tests => 134;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++plan tests => 138;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Prevent MSys2 filename munging for arguments that look like file paths but
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # aren't
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -110,6 +110,16 @@ ok(run(app(["openssl", "x509", "-new", "-force_pubkey", $key, "-subj", "/CN=EE",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ && run(app(["openssl", "verify", "-no_check_time",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "-trusted", $ca, "-partial_chain", $caout])));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# test trust decoration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ok(run(app(["openssl", "x509", "-in", $ca, "-addtrust", "emailProtection",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ "-out", "ca-trusted.pem"])));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++cert_contains("ca-trusted.pem", "Trusted Uses: E-mail Protection",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ 1, 'trusted use - E-mail Protection');
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ok(run(app(["openssl", "x509", "-in", $ca, "-addreject", "emailProtection",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ "-out", "ca-rejected.pem"])));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++cert_contains("ca-rejected.pem", "Rejected Uses: E-mail Protection",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ 1, 'rejected use - E-mail Protection');
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ subtest 'x509 -- x.509 v1 certificate' => sub {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ tconversion( -type => 'x509', -prefix => 'x509v1',
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -in => srctop_file("test", "testx509.pem") );
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+2.49.0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span></pre><pre style='margin:0'>
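Review bot: The -addreject test added to test/recipes/25-test_x509.t asserts
only that "Rejected Uses: E-mail Protection" is present in ca-rejected.pem; it
never asserts that "Trusted Uses: E-mail Protection" is absent, which is the
security-relevant half of the defect named in the subject line (trust added
instead of rejection). A matching negative check on ca-rejected.pem, and the
reverse on ca-trusted.pem, would be worth suggesting upstream. For the port
itself, the one-line change in apps/x509.c only affects files written after the
update, so the port notes could tell users to regenerate any certificate
previously produced with -addreject.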
</pre>