import UBI socat-1.7.4.1-5.el9_4.2
This commit is contained in:
parent
816678fdd1
commit
62e83a8dc1
102
SOURCES/socat-1.7.4.1-ipv6-peername-segfault.patch
Normal file
102
SOURCES/socat-1.7.4.1-ipv6-peername-segfault.patch
Normal file
@ -0,0 +1,102 @@
|
||||
commit 1477334905be18c08bd6dc77be5a62e36b573de4
|
||||
Author: Gerhard Rieger <gerhard@dest-unreach.org>
|
||||
Date: Tue Oct 26 19:26:18 2021 +0200
|
||||
|
||||
OpenSSL server could be crashed by client cert with IPv6 address in SubjectAltname
|
||||
|
||||
diff --git a/test.sh b/test.sh
|
||||
index 6ca21f3..c0e98a3 100755
|
||||
--- a/test.sh
|
||||
+++ b/test.sh
|
||||
@@ -15040,6 +15040,60 @@ PORT=$((PORT+1))
|
||||
N=$((N+1))
|
||||
|
||||
|
||||
+# Bug fix, OpenSSL server could be crashed by client cert with IPv6 address in SubjectAltname
|
||||
+NAME=OPENSSL_CLIENT_IP6_CN
|
||||
+case "$TESTS" in
|
||||
+*%$N%*|*%functions%*|*%bugs%*|*%openssl%*|*%ip6%*|*%socket%*|*%$NAME%*)
|
||||
+TEST="$NAME: Test if OpenSSL server may be crashed by client cert with IPv6 address"
|
||||
+# Socat 1.7.4.1 had a bug that caused OpenSSL server to crash with SIGSEGV when
|
||||
+# it checked a client certificate containing IPv6 address in SubjectAltName and
|
||||
+# no openssl-commonname option was given
|
||||
+if ! eval $NUMCOND; then :;
|
||||
+elif ! testfeats openssl >/dev/null; then
|
||||
+ $PRINTF "test $F_n $TEST... ${YELLOW}OPENSSL not available${NORMAL}\n" $N
|
||||
+ numCANT=$((numCANT+1))
|
||||
+ listCANT="$listCANT $N"
|
||||
+elif ! testfeats tcp ip4 >/dev/null || ! runsip4 >/dev/null; then
|
||||
+ $PRINTF "test $F_n $TEST... ${YELLOW}TCP/IPv4 not available${NORMAL}\n" $N
|
||||
+ numCANT=$((numCANT+1))
|
||||
+ listCANT="$listCANT $N"
|
||||
+else
|
||||
+gentestcert testsrv
|
||||
+gentestaltcert testalt
|
||||
+tf="$td/test$N.stdout"
|
||||
+te="$td/test$N.stderr"
|
||||
+tdiff="$td/test$N.diff"
|
||||
+da="test$N $(date) $RANDOM"
|
||||
+CMD0="$TRACE $SOCAT $opts -u OPENSSL-LISTEN:$PORT,reuseaddr,cert=./testsrv.pem,cafile=./testalt.crt -"
|
||||
+CMD1="$TRACE $SOCAT $opts -u - OPENSSL-CONNECT:localhost:$PORT,cafile=testsrv.crt,cert=testalt.pem,verify=0"
|
||||
+printf "test $F_n $TEST... " $N
|
||||
+$CMD0 >/dev/null >"${tf}0" 2>"${te}0" &
|
||||
+pid0=$!
|
||||
+waittcp4port $PORT 1
|
||||
+echo "$da" |$CMD1 2>"${te}1"
|
||||
+rc1=$?
|
||||
+kill $pid0 2>/dev/null; wait
|
||||
+if [ $rc1 -eq 0 ] && echo "$da" |diff - "${tf}0" >$tdiff; then
|
||||
+ $PRINTF "$OK\n"
|
||||
+ numOK=$((numOK+1))
|
||||
+else
|
||||
+ $PRINTF "$FAILED\n"
|
||||
+ echo "$CMD0 &" >&2
|
||||
+ cat "${te}0" >&2
|
||||
+ echo "$CMD1" >&2
|
||||
+ cat "${te}1" >&2
|
||||
+ numFAIL=$((numFAIL+1))
|
||||
+ listFAIL="$listFAIL $N"
|
||||
+fi
|
||||
+fi # NUMCOND
|
||||
+ ;;
|
||||
+esac
|
||||
+PORT=$((PORT+1))
|
||||
+N=$((N+1))
|
||||
+
|
||||
+
|
||||
+# end of common tests
|
||||
+
|
||||
##################################################################################
|
||||
#=================================================================================
|
||||
# here come tests that might affect your systems integrity. Put normal tests
|
||||
diff --git a/xio-openssl.c b/xio-openssl.c
|
||||
index 94fe44e..dc47798 100644
|
||||
--- a/xio-openssl.c
|
||||
+++ b/xio-openssl.c
|
||||
@@ -1775,15 +1775,17 @@ static int openssl_handle_peer_certificate(struct single *xfd,
|
||||
#if WITH_IP6
|
||||
case 16: /* IPv6 */
|
||||
inet_ntop(AF_INET6, data, aBuffer, sizeof(aBuffer));
|
||||
- xioip6_pton(peername, &ip6bin);
|
||||
- if (memcmp(data, &ip6bin, sizeof(ip6bin)) == 0) {
|
||||
- Debug2("subjectAltName \"%s\" matches peername \"%s\"",
|
||||
- aBuffer, peername);
|
||||
- ok = 1;
|
||||
- } else {
|
||||
- Info2("subjectAltName \"%s\" does not match peername \"%s\"",
|
||||
- aBuffer, peername);
|
||||
- }
|
||||
+ if (peername != NULL) {
|
||||
+ xioip6_pton(peername, &ip6bin);
|
||||
+ if (memcmp(data, &ip6bin, sizeof(ip6bin)) == 0) {
|
||||
+ Debug2("subjectAltName \"%s\" matches peername \"%s\"",
|
||||
+ aBuffer, peername);
|
||||
+ ok = 1;
|
||||
+ } else {
|
||||
+ Info2("subjectAltName \"%s\" does not match peername \"%s\"",
|
||||
+ aBuffer, peername);
|
||||
+ }
|
||||
+ }
|
||||
break;
|
||||
#endif
|
||||
}
|
@ -3,12 +3,15 @@
|
||||
Summary: Bidirectional data relay between two data channels ('netcat++')
|
||||
Name: socat
|
||||
Version: 1.7.4.1
|
||||
Release: 5%{?dist}
|
||||
Release: 5%{?dist}.2
|
||||
License: GPLv2
|
||||
Url: http://www.dest-unreach.org/socat/
|
||||
Source: http://www.dest-unreach.org/socat/download/%{name}-%{version}.tar.gz
|
||||
|
||||
Patch1: socat-1.7.3.3-warn.patch
|
||||
# https://issues.redhat.com/browse/RHEL-32914
|
||||
# Based on: https://repo.or.cz/socat.git/commit/1477334905be18c08bd6dc77be5a62e36b573de4
|
||||
Patch2: socat-1.7.4.1-ipv6-peername-segfault.patch
|
||||
|
||||
BuildRequires: make
|
||||
BuildRequires: gcc
|
||||
@ -30,6 +33,7 @@ line editor (readline), a program, or a combination of two of these.
|
||||
iconv -f iso8859-1 -t utf-8 CHANGES > CHANGES.utf8
|
||||
mv CHANGES.utf8 CHANGES
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
|
||||
%build
|
||||
%configure \
|
||||
@ -73,6 +77,9 @@ export OD_C=/usr/bin/od
|
||||
%doc %{_mandir}/man1/*
|
||||
|
||||
%changelog
|
||||
* Thu Apr 18 2024 Martin Osvald <mosvald@redhat.com> - 1.7.4.1-5.2
|
||||
- Fix IPv6 peername segfault (RHEL-32914)
|
||||
|
||||
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 1.7.4.1-5
|
||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
||||
Related: rhbz#1991688
|
||||
|
Loading…
Reference in New Issue
Block a user