From ba8edd5ea8fe43152980b7ce1fcc082db3325395 Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Mon, 17 Apr 2023 15:46:46 +0200 Subject: [PATCH] Certificate policy check not enabled Resolves: rhbz#2187431 --- 0117-CVE-2023-0466.patch | 27 +++++++++++++++++++++++++++ openssl.spec | 3 +++ 2 files changed, 30 insertions(+) create mode 100644 0117-CVE-2023-0466.patch diff --git a/0117-CVE-2023-0466.patch b/0117-CVE-2023-0466.patch new file mode 100644 index 0000000..ef06edf --- /dev/null +++ b/0117-CVE-2023-0466.patch @@ -0,0 +1,27 @@ +diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod +index 75a1677022..43c1900bca 100644 +--- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod ++++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod +@@ -98,8 +98,9 @@ B. + X509_VERIFY_PARAM_set_time() sets the verification time in B to + B. Normally the current time is used. + +-X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled +-by default) and adds B to the acceptable policy set. ++X509_VERIFY_PARAM_add0_policy() adds B to the acceptable policy set. ++Contrary to preexisting documentation of this function it does not enable ++policy checking. + + X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled + by default) and sets the acceptable policy set to B. Any existing +@@ -400,6 +401,10 @@ The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i. + The X509_VERIFY_PARAM_get0_host(), X509_VERIFY_PARAM_get0_email(), + and X509_VERIFY_PARAM_get1_ip_asc() functions were added in OpenSSL 3.0. + ++The function X509_VERIFY_PARAM_add0_policy() was historically documented as ++enabling policy checking however the implementation has never done this. ++The documentation was changed to align with the implementation. ++ + =head1 COPYRIGHT + + Copyright 2009-2022 The OpenSSL Project Authors. All Rights Reserved. diff --git a/openssl.spec b/openssl.spec index 3002cb9..e178aac 100644 --- a/openssl.spec 
+++ b/openssl.spec @@ -183,6 +183,7 @@ Patch114: 0114-FIPS-enforce-EMS-support.patch # X.509 policies minor CVEs Patch115: 0115-CVE-2023-0464.patch Patch116: 0116-CVE-2023-0465.patch +Patch117: 0117-CVE-2023-0466.patch License: ASL 2.0 URL: http://www.openssl.org/ @@ -520,6 +521,8 @@ install -m644 %{SOURCE9} \ Resolves: rhbz#2186661 - Fix invalid certificate policies in leaf certificates check Resolves: rhbz#2187429 +- Certificate policy check not enabled + Resolves: rhbz#2187431 * Fri Mar 24 2023 Clemens Lang - 1:3.0.7-12 - Change explicit FIPS indicator for RSA decryption to unapproved
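Review bot: the rewritten paragraph in the first doc hunk (@@ -98,8 +98,9 @@) tells the reader what X509_VERIFY_PARAM_add0_policy() does not do, but not how to get policy checking turned on; since the trailing context already states that X509_VERIFY_PARAM_set1_policies() enables it, add a cross-reference after the new sentence, e.g. "To enable policy checking use X509_VERIFY_PARAM_set1_policies() or set the B<X509_V_FLAG_POLICY_CHECK> flag with X509_VERIFY_PARAM_set_flags()." A comma is also needed after "function" in "Contrary to preexisting documentation of this function it does not enable policy checking."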
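Review bot: the new HISTORY paragraph in the second doc hunk (@@ -400,6 +401,10 @@) gives no version, unlike the neighbouring entries ("added in OpenSSL 1.1.0i", "added in OpenSSL 3.0"); state the release in which the documentation was corrected so readers can tell which manual pages still carry the wrong claim. The sentence also needs punctuation before "however": "was historically documented as enabling policy checking; however, the implementation has never done this."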
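Review bot: the changelog hunk in openssl.spec (@@ -520,6 +521,8 @@) appends "- Certificate policy check not enabled / Resolves: rhbz#2187431" to the existing topmost entry rather than opening a new dated entry, and the visible diff contains no Release bump; that is only correct if that entry belongs to a release that has not been built yet, so confirm the Release tag already covers it. Since 0117-CVE-2023-0466.patch touches only doc/man3/X509_VERIFY_PARAM_set_flags.pod, consider noting in the changelog line that this is a documentation-only fix, so that packagers do not expect verification behaviour to change.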