Skip to content
Snippets Groups Projects
Commit caa93e2a authored by Sebastian Andrzej Siewior's avatar Sebastian Andrzej Siewior Committed by Ritesh Raj Sarraf
Browse files

Import Debian changes 1.1.1n-0+deb11u3

parent ec3ab683
Branches upstream/bookworm
Tags upstream/2.74.6
3 merge requests!50Merge changes from apertis/v2022-updates into apertis/v2022,!46Merge updates from release v2023dev3,!45Update from debian/bullseye-security for apertis/v2023dev3
Pipeline #623955 canceled
Stage: build-env
    Stage: update
      Stage: merge
        Expand all Hide whitespace changes
        Inline Side-by-side
        Showing
        with 1476 additions and 0 deletions
        debian/changelog
        + 13
        0
        View file @ caa93e2a
        openssl (1.1.1n-0+deb11u3) bullseye-security; urgency=medium
        * CVE-2022-2068 (The c_rehash script allows command injection).
        * Update expired certs.
        -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Fri, 24 Jun 2022 22:22:19 +0200
        openssl (1.1.1n-0+deb11u2) bullseye-security; urgency=medium
        * CVE-2022-1292 (The c_rehash script allows command injection).
        -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Tue, 10 May 2022 20:37:36 +0200
        openssl (1.1.1n-0+deb11u1) bullseye; urgency=medium
        * New upstream version.
        ......
        debian/patches/Fix-file-operations-in-c_rehash.patch 0 → 100644
        + 216
        0
        View file @ caa93e2a
        From: Daniel Fiala <daniel@openssl.org>
        Date: Sun, 29 May 2022 20:11:24 +0200
        Subject: Fix file operations in c_rehash.
        CVE-2022-2068
        Reviewed-by: Matt Caswell <matt@openssl.org>
        Reviewed-by: Richard Levitte <levitte@openssl.org>
        [bigeasy: ported from the 3.0 branch with the compat patch]
        ---
        tools/c_rehash.in | 131 ++++++++++++++++++++++++------------------------------
        1 file changed, 59 insertions(+), 72 deletions(-)
        diff --git a/tools/c_rehash.in b/tools/c_rehash.in
        index 914be03da14f..a8511ac816d8 100644
        --- a/tools/c_rehash.in
        +++ b/tools/c_rehash.in
        @@ -1,7 +1,7 @@
        #!{- $config{HASHBANGPERL} -}
        # {- join("\n# ", @autowarntext) -}
        -# Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
        +# Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved.
        #
        # Licensed under the OpenSSL license (the "License"). You may not use
        # this file except in compliance with the License. You can obtain a copy
        @@ -99,18 +99,41 @@ foreach (@dirlist) {
        }
        exit($errorcount);
        +sub copy_file {
        + my ($src_fname, $dst_fname) = @_;
        +
        + if (open(my $in, "<", $src_fname)) {
        + if (open(my $out, ">", $dst_fname)) {
        + print $out $_ while (<$in>);
        + close $out;
        + } else {
        + warn "Cannot open $dst_fname for write, $!";
        + }
        + close $in;
        + } else {
        + warn "Cannot open $src_fname for read, $!";
        + }
        +}
        +
        sub hash_dir {
        + my $dir = shift;
        my %hashlist;
        - print "Doing $_[0]\n";
        - chdir $_[0];
        - opendir(DIR, ".");
        +
        + print "Doing $dir\n";
        +
        + if (!chdir $dir) {
        + print STDERR "WARNING: Cannot chdir to '$dir', $!\n";
        + return;
        + }
        +
        + opendir(DIR, ".") || print STDERR "WARNING: Cannot opendir '.', $!\n";
        my @flist = sort readdir(DIR);
        closedir DIR;
        if ( $removelinks ) {
        # Delete any existing symbolic links
        foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
        if (-l $_) {
        - print "unlink $_" if $verbose;
        + print "unlink $_\n" if $verbose;
        unlink $_ || warn "Can't unlink $_, $!\n";
        }
        }
        @@ -123,17 +146,18 @@ sub hash_dir {
        next;
        }
        link_hash_cert($fname) if ($cert);
        - link_hash_cert_old($fname) if ($cert);
        link_hash_crl($fname) if ($crl);
        - link_hash_crl_old($fname) if ($crl);
        }
        +
        + chdir $pwd;
        }
        sub check_file {
        my ($is_cert, $is_crl) = (0,0);
        my $fname = $_[0];
        - open IN, $fname;
        - while(<IN>) {
        +
        + open(my $in, "<", $fname);
        + while(<$in>) {
        if (/^-----BEGIN (.*)-----/) {
        my $hdr = $1;
        if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
        @@ -145,7 +169,7 @@ sub check_file {
        }
        }
        }
        - close IN;
        + close $in;
        return ($is_cert, $is_crl);
        }
        @@ -174,9 +198,24 @@ sub compute_hash {
        # certificate fingerprints
        sub link_hash_cert {
        - my $fname = $_[0];
        - my $x509hash = $_[1] || '-subject_hash';
        - my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash,
        + link_hash($_[0], 'cert', '-subject_hash');
        + link_hash($_[0], 'cert', '-subject_hash_old');
        +}
        +
        +# Same as above except for a CRL. CRL links are of the form <hash>.r<n>
        +
        +sub link_hash_crl {
        + link_hash($_[0], 'crl', '-hash');
        + link_hash($_[0], 'crl', '-hash_old');
        +}
        +
        +sub link_hash {
        + my ($fname, $type, $hash_name) = @_;
        + my $is_cert = $type eq 'cert' or $type eq 'cert_old';
        +
        + my ($hash, $fprint) = compute_hash($openssl,
        + $is_cert ? "x509" : "crl",
        + $hash_name,
        "-fingerprint", "-noout",
        "-in", $fname);
        chomp $hash;
        @@ -186,75 +225,23 @@ sub link_hash_cert {
        $fprint =~ tr/://d;
        my $suffix = 0;
        # Search for an unused hash filename
        - while(exists $hashlist{"$hash.$suffix"}) {
        + my $crlmark = $is_cert ? "" : "r";
        + while(exists $hashlist{"$hash.$crlmark$suffix"}) {
        # Hash matches: if fingerprint matches its a duplicate cert
        - if ($hashlist{"$hash.$suffix"} eq $fprint) {
        - print STDERR "WARNING: Skipping duplicate certificate $fname\n";
        + if ($hashlist{"$hash.$crlmark$suffix"} eq $fprint) {
        + my $what = $is_cert ? 'certificate' : 'CRL';
        + print STDERR "WARNING: Skipping duplicate $what $fname\n";
        return;
        }
        $suffix++;
        }
        - $hash .= ".$suffix";
        + $hash .= ".$crlmark$suffix";
        if ($symlink_exists) {
        print "link $fname -> $hash\n" if $verbose;
        symlink $fname, $hash || warn "Can't symlink, $!";
        } else {
        print "copy $fname -> $hash\n" if $verbose;
        - if (open($in, "<", $fname)) {
        - if (open($out,">", $hash)) {
        - print $out $_ while (<$in>);
        - close $out;
        - } else {
        - warn "can't open $hash for write, $!";
        - }
        - close $in;
        - } else {
        - warn "can't open $fname for read, $!";
        - }
        - }
        - $hashlist{$hash} = $fprint;
        -}
        -
        -sub link_hash_cert_old {
        - link_hash_cert($_[0], '-subject_hash_old');
        -}
        -
        -sub link_hash_crl_old {
        - link_hash_crl($_[0], '-hash_old');
        -}
        -
        -
        -# Same as above except for a CRL. CRL links are of the form <hash>.r<n>
        -
        -sub link_hash_crl {
        - my $fname = $_[0];
        - my $crlhash = $_[1] || "-hash";
        - my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash,
        - "-fingerprint", "-noout",
        - "-in", $fname);
        - chomp $hash;
        - chomp $fprint;
        - return if !$hash;
        - $fprint =~ s/^.*=//;
        - $fprint =~ tr/://d;
        - my $suffix = 0;
        - # Search for an unused hash filename
        - while(exists $hashlist{"$hash.r$suffix"}) {
        - # Hash matches: if fingerprint matches its a duplicate cert
        - if ($hashlist{"$hash.r$suffix"} eq $fprint) {
        - print STDERR "WARNING: Skipping duplicate CRL $fname\n";
        - return;
        - }
        - $suffix++;
        - }
        - $hash .= ".r$suffix";
        - if ($symlink_exists) {
        - print "link $fname -> $hash\n" if $verbose;
        - symlink $fname, $hash || warn "Can't symlink, $!";
        - } else {
        - print "cp $fname -> $hash\n" if $verbose;
        - system ("cp", $fname, $hash);
        - warn "Can't copy, $!" if ($? >> 8) != 0;
        + copy_file($fname, $hash);
        }
        $hashlist{$hash} = $fprint;
        }
        debian/patches/Update-expired-SCT-certificates.patch 0 → 100644
        + 187
        0
        View file @ caa93e2a
        From: Tomas Mraz <tomas@openssl.org>
        Date: Wed, 1 Jun 2022 12:47:44 +0200
        Subject: Update expired SCT certificates
        Reviewed-by: Matt Caswell <matt@openssl.org>
        Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
        (Merged from https://github.com/openssl/openssl/pull/18446)
        ---
        test/certs/embeddedSCTs1-key.pem | 38 ++++++++++++++++++++++-----------
        test/certs/embeddedSCTs1.pem | 35 +++++++++++++++---------------
        test/certs/embeddedSCTs1.sct | 12 +++++------
        test/certs/embeddedSCTs1_issuer-key.pem | 15 +++++++++++++
        test/certs/embeddedSCTs1_issuer.pem | 30 +++++++++++++-------------
        5 files changed, 79 insertions(+), 51 deletions(-)
        create mode 100644 test/certs/embeddedSCTs1_issuer-key.pem
        diff --git a/test/certs/embeddedSCTs1-key.pem b/test/certs/embeddedSCTs1-key.pem
        index e3e66d55c510..28dd206dbe8d 100644
        --- a/test/certs/embeddedSCTs1-key.pem
        +++ b/test/certs/embeddedSCTs1-key.pem
        @@ -1,15 +1,27 @@
        -----BEGIN RSA PRIVATE KEY-----
        -MIICWwIBAAKBgQC+75jnwmh3rjhfdTJaDB0ym+3xj6r015a/BH634c4VyVui+A7k
        -WL19uG+KSyUhkaeb1wDDjpwDibRc1NyaEgqyHgy0HNDnKAWkEM2cW9tdSSdyba8X
        -EPYBhzd+olsaHjnu0LiBGdwVTcaPfajjDK8VijPmyVCfSgWwFAn/Xdh+tQIDAQAB
        -AoGAK/daG0vt6Fkqy/hdrtSJSKUVRoGRmS2nnba4Qzlwzh1+x2kdbMFuaOu2a37g
        -PvmeQclheKZ3EG1+Jb4yShwLcBCV6pkRJhOKuhvqGnjngr6uBH4gMCjpZVj7GDMf
        -flYHhdJCs3Cz/TY0wKN3o1Fldil2DHR/AEOc1nImeSp5/EUCQQDjKS3W957kYtTU
        -X5BeRjvg03Ug8tJq6IFuhTFvUJ+XQ5bAc0DmxAbQVKqRS7Wje59zTknVvS+MFdeQ
        -pz4dGuV7AkEA1y0X2yarIls+0A/S1uwkvwRTIkfS+QwFJ1zVya8sApRdKAcidIzA
        -b70hkKLilU9+LrXg5iZdFp8l752qJiw9jwJAXjItN/7mfH4fExGto+or2kbVQxxt
        -9LcFNPc2UJp2ExuL37HrL8YJrUnukOF8KJaSwBWuuFsC5GwKP4maUCdfEQJAUwBR
        -83c3DEmmMRvpeH4erpA8gTyzZN3+HvDwhpvLnjMcvBQEdnDUykVqbSBnxrCjO+Fs
        -n1qtDczWFVf8Cj2GgQJAQ14Awx32Cn9sF+3M+sEVtlAf6CqiEbkYeYdSCbsplMmZ
        -1UoaxiwXY3z+B7epsRnnPR3KaceAlAxw2/zQJMFNOQ==
        +MIIEpQIBAAKCAQEAuIjpA4/iCpDA2mjywI5zG6IBX6bNcRQYDsB7Cv0VonNXtJBw
        +XxMENP4jVpvEmWpJ5iMBknGHV+XWBkngYapczIsY4LGn6aMU6ySABBVQpNOQSRfT
        +48xGGPR9mzOBG/yplmpFOVq1j+b65lskvAXKYaLFpFn3oY/pBSdcCNBP8LypVXAJ
        +b3IqEXsBL/ErgHG9bgIRP8VxBAaryCz77kLzAXkfHL2LfSGIfNONyEKB3xI94S4L
        +eouOSoWL1VkEfJs87vG4G5xoXw3KOHyiueQUUlMnu8p+Bx0xPVKPEsLje3R9k0rG
        +a5ca7dXAn9UypKKp25x4NXpnjGX5txVEYfNvqQIDAQABAoIBAE0zqhh9Z5n3+Vbm
        +tTht4CZdXqm/xQ9b0rzJNjDgtN5j1vuJuhlsgUQSVoJzZIqydvw7BPtZV8AkPagf
        +3Cm/9lb0kpHegVsziRrfCFes+zIZ+LE7sMAKxADIuIvnvkoRKHnvN8rI8lCj16/r
        +zbCD06mJSZp6sSj8ZgZr8wsU63zRGt1TeGM67uVW4agphfzuKGlXstPLsSMwknpF
        +nxFS2TYbitxa9oH76oCpEk5fywYsYgUP4TdzOzfVAgMzNSu0FobvWl0CECB+G3RQ
        +XQ5VWbYkFoj5XbE5kYz6sYHMQWL1NQpglUp+tAQ1T8Nca0CvbSpD77doRGm7UqYw
        +ziVQKokCgYEA6BtHwzyD1PHdAYtOcy7djrpnIMaiisSxEtMhctoxg8Vr2ePEvMpZ
        +S1ka8A1Pa9GzjaUk+VWKWsTf+VkmMHGtpB1sv8S7HjujlEmeQe7p8EltjstvLDmi
        +BhAA7ixvZpXXjQV4GCVdUVu0na6gFGGueZb2FHEXB8j1amVwleJj2lcCgYEAy4f3
        +2wXqJfz15+YdJPpG9BbH9d/plKJm5ID3p2ojAGo5qvVuIJMNJA4elcfHDwzCWVmn
        +MtR/WwtxYVVmy1BAnmk6HPSYc3CStvv1800vqN3fyJWtZ1P+8WBVZWZzIQdjdiaU
        +JSRevPnjQGc+SAZQQIk1yVclbz5790yuXsdIxf8CgYEApqlABC5lsvfga4Vt1UMn
        +j57FAkHe4KmPRCcZ83A88ZNGd/QWhkD9kR7wOsIz7wVqWiDkxavoZnjLIi4jP9HA
        +jwEZ3zER8wl70bRy0IEOtZzj8A6fSzAu6Q+Au4RokU6yse3lZ+EcepjQvhBvnXLu
        +ZxxAojj6AnsHzVf9WYJvlI0CgYEAoATIw/TEgRV/KNHs/BOiEWqP0Co5dVix2Nnk
        +3EVAO6VIrbbE3OuAm2ZWeaBWSujXLHSmVfpoHubCP6prZVI1W9aTkAxmh+xsDV3P
        +o3h+DiBTP1seuGx7tr7spQqFXeR3OH9gXktYCO/W0d3aQ7pjAjpehWv0zJ+ty2MI
        +fQ/lkXUCgYEAgbP+P5UmY7Fqm/mi6TprEJ/eYktji4Ne11GDKGFQCfjF5RdKhdw1
        +5+elGhZes+cpzu5Ak6zBDu4bviT+tRTWJu5lVLEzlHHv4nAU7Ks5Aj67ApH21AnP
        +RtlATdhWOt5Dkdq1WSpDfz5bvWgvyBx9D66dSmQdbKKe2dH327eQll4=
        -----END RSA PRIVATE KEY-----
        diff --git a/test/certs/embeddedSCTs1.pem b/test/certs/embeddedSCTs1.pem
        index d1e85120a043..d2a111fb8235 100644
        --- a/test/certs/embeddedSCTs1.pem
        +++ b/test/certs/embeddedSCTs1.pem
        @@ -1,20 +1,21 @@
        -----BEGIN CERTIFICATE-----
        -MIIDWTCCAsKgAwIBAgIBBzANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJHQjEk
        +MIIDeDCCAuGgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBVMQswCQYDVQQGEwJHQjEk
        MCIGA1UEChMbQ2VydGlmaWNhdGUgVHJhbnNwYXJlbmN5IENBMQ4wDAYDVQQIEwVX
        -YWxlczEQMA4GA1UEBxMHRXJ3IFdlbjAeFw0xMjA2MDEwMDAwMDBaFw0yMjA2MDEw
        -MDAwMDBaMFIxCzAJBgNVBAYTAkdCMSEwHwYDVQQKExhDZXJ0aWZpY2F0ZSBUcmFu
        -c3BhcmVuY3kxDjAMBgNVBAgTBVdhbGVzMRAwDgYDVQQHEwdFcncgV2VuMIGfMA0G
        -CSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+75jnwmh3rjhfdTJaDB0ym+3xj6r015a/
        -BH634c4VyVui+A7kWL19uG+KSyUhkaeb1wDDjpwDibRc1NyaEgqyHgy0HNDnKAWk
        -EM2cW9tdSSdyba8XEPYBhzd+olsaHjnu0LiBGdwVTcaPfajjDK8VijPmyVCfSgWw
        -FAn/Xdh+tQIDAQABo4IBOjCCATYwHQYDVR0OBBYEFCAxVBryXAX/2GWLaEN5T16Q
        -Nve0MH0GA1UdIwR2MHSAFF+diA3Ic+ZU1PgN2OawwSS0R8NVoVmkVzBVMQswCQYD
        -VQQGEwJHQjEkMCIGA1UEChMbQ2VydGlmaWNhdGUgVHJhbnNwYXJlbmN5IENBMQ4w
        -DAYDVQQIEwVXYWxlczEQMA4GA1UEBxMHRXJ3IFdlboIBADAJBgNVHRMEAjAAMIGK
        -BgorBgEEAdZ5AgQCBHwEegB4AHYA3xwuwRUAlFJHqWFoMl3cXHlZ6PfG04j8AC4L
        -vT9012QAAAE92yffkwAABAMARzBFAiBIL2dRrzXbplQ2vh/WZA89v5pBQpSVkkUw
        -KI+j5eI+BgIhAOTtwNs6xXKx4vXoq2poBlOYfc9BAn3+/6EFUZ2J7b8IMA0GCSqG
        -SIb3DQEBBQUAA4GBAIoMS+8JnUeSea+goo5on5HhxEIb4tJpoupspOghXd7dyhUE
        -oR58h8S3foDw6XkDUmjyfKIOFmgErlVvMWmB+Wo5Srer/T4lWsAERRP+dlcMZ5Wr
        -5HAxM9MD+J86+mu8/FFzGd/ZW5NCQSEfY0A1w9B4MHpoxgdaLiDInza4kQyg
        +YWxlczEQMA4GA1UEBxMHRXJ3IFdlbjAgFw0yMDAxMjUxMTUwMTNaGA8yMTIwMDEy
        +NjExNTAxM1owGTEXMBUGA1UEAwwOc2VydmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3
        +DQEBAQUAA4IBDwAwggEKAoIBAQC4iOkDj+IKkMDaaPLAjnMbogFfps1xFBgOwHsK
        +/RWic1e0kHBfEwQ0/iNWm8SZaknmIwGScYdX5dYGSeBhqlzMixjgsafpoxTrJIAE
        +FVCk05BJF9PjzEYY9H2bM4Eb/KmWakU5WrWP5vrmWyS8BcphosWkWfehj+kFJ1wI
        +0E/wvKlVcAlvcioRewEv8SuAcb1uAhE/xXEEBqvILPvuQvMBeR8cvYt9IYh8043I
        +QoHfEj3hLgt6i45KhYvVWQR8mzzu8bgbnGhfDco4fKK55BRSUye7yn4HHTE9Uo8S
        +wuN7dH2TSsZrlxrt1cCf1TKkoqnbnHg1emeMZfm3FURh82+pAgMBAAGjggEMMIIB
        +CDAdBgNVHQ4EFgQUtMa8XD5ylrF9AqCdnPEhXa63H2owHwYDVR0jBBgwFoAUX52I
        +Dchz5lTU+A3Y5rDBJLRHw1UwCQYDVR0TBAIwADATBgNVHSUEDDAKBggrBgEFBQcD
        +ATCBigYKKwYBBAHWeQIEAgR8BHoAeAB2AN8cLsEVAJRSR6lhaDJd3Fx5Wej3xtOI
        +/AAuC70/dNdkAAABb15m6AAAAAQDAEcwRQIgfDPo8RArm/vcSEZ608Q1u+XQ55QB
        +u67SZEuZxLpbUM0CIQDRsgcTud4PDy8Cgg+lHeAS7UxgSKBbWAznYOuorwNewzAZ
        +BgNVHREEEjAQgg5zZXJ2ZXIuZXhhbXBsZTANBgkqhkiG9w0BAQsFAAOBgQCWFKKR
        +RNkDRzB25NK07OLkbzebhnpKtbP4i3blRx1HAvTSamf/3uuHI7kfiPJorJymJpT1
        +IuJvSVKyMu1qONWBimiBfiyGL7+le1izHEJIP5lVTbddfzSIBIvrlHHcWIOL3H+W
        +YT6yTEIzJuO07Xp61qnB1CE2TrinUWlyC46Zkw==
        -----END CERTIFICATE-----
        diff --git a/test/certs/embeddedSCTs1.sct b/test/certs/embeddedSCTs1.sct
        index 59362dcee1f4..35c9eb9e3bed 100644
        --- a/test/certs/embeddedSCTs1.sct
        +++ b/test/certs/embeddedSCTs1.sct
        @@ -2,11 +2,11 @@
        Version : v1 (0x0)
        Log ID : DF:1C:2E:C1:15:00:94:52:47:A9:61:68:32:5D:DC:5C:
        79:59:E8:F7:C6:D3:88:FC:00:2E:0B:BD:3F:74:D7:64
        - Timestamp : Apr 5 17:04:16.275 2013 GMT
        + Timestamp : Jan 1 00:00:00.000 2020 GMT
        Extensions: none
        Signature : ecdsa-with-SHA256
        - 30:45:02:20:48:2F:67:51:AF:35:DB:A6:54:36:BE:1F:
        - D6:64:0F:3D:BF:9A:41:42:94:95:92:45:30:28:8F:A3:
        - E5:E2:3E:06:02:21:00:E4:ED:C0:DB:3A:C5:72:B1:E2:
        - F5:E8:AB:6A:68:06:53:98:7D:CF:41:02:7D:FE:FF:A1:
        - 05:51:9D:89:ED:BF:08
        \ No newline at end of file
        + 30:45:02:20:7C:33:E8:F1:10:2B:9B:FB:DC:48:46:7A:
        + D3:C4:35:BB:E5:D0:E7:94:01:BB:AE:D2:64:4B:99:C4:
        + BA:5B:50:CD:02:21:00:D1:B2:07:13:B9:DE:0F:0F:2F:
        + 02:82:0F:A5:1D:E0:12:ED:4C:60:48:A0:5B:58:0C:E7:
        + 60:EB:A8:AF:03:5E:C3
        \ No newline at end of file
        diff --git a/test/certs/embeddedSCTs1_issuer-key.pem b/test/certs/embeddedSCTs1_issuer-key.pem
        new file mode 100644
        index 000000000000..9326e38b1eb7
        --- /dev/null
        +++ b/test/certs/embeddedSCTs1_issuer-key.pem
        @@ -0,0 +1,15 @@
        +-----BEGIN RSA PRIVATE KEY-----
        +MIICXAIBAAKBgQDVimhTYhCicRmTbneDIRgcKkATxtB7jHbrkVfT0PtLO1FuzsvR
        +yY2RxS90P6tjXVUJnNE6uvMa5UFEJFGnTHgW8iQ8+EjPKDHM5nugSlojgZ88ujfm
        +JNnDvbKZuDnd/iYx0ss6hPx7srXFL8/BT/9Ab1zURmnLsvfP34b7arnRsQIDAQAB
        +AoGAJLR6xEJp+5IXRFlLn7WTkFvO0ddtxJ7bXhiIkTctyruyfqp7LF9Jv1G2m3PK
        +QPUtBc73w/GYkfnwIwdfJbOmPHL7XyEGHZYmEXgIgEtw6LXvAv0G5JpUnNwsSBfL
        +GfSQqI5Z5ytyzlJXkMcTGA2kTgNAYc73h4EnU+pwUnDPdAECQQD2aj+4LtYk1XPq
        +r3gjgI6MoGvgYJfPmAtZhxxVbhXQKciFUCAcBiwlQdHIdLWE9j65ctmZRWidKifr
        +4O4nz+TBAkEA3djNW/rTQq5fKZy+mCF1WYnIU/3yhJaptzRqLm7AHqe7+hdrGXJw
        ++mCtU8T3L/Ms8bH1yFBZhmkp1PbR8gl48QJAQo70YyWThiN5yfxXcQ96cZWrTdIJ
        +b3NcLXSHPLQdhDqlBQ1dfvRT3ERpC8IqfZ2d162kBPhwh3MpkVcSPQK0gQJAC/dY
        +xGBYKt2a9nSk9zG+0bCT5Kvq++ngh6hFHfINXNnxUsEWns3EeEzkrIMQTj7QqszN
        +lBt5aL2dawZRNrv6EQJBAOo4STF9KEwQG0HLC/ryh1FeB0OBA5yIepXze+eJVKei
        +T0cCECOQJKfWHEzYJYDJhyEFF/sYp9TXwKSDjOifrsU=
        +-----END RSA PRIVATE KEY-----
        diff --git a/test/certs/embeddedSCTs1_issuer.pem b/test/certs/embeddedSCTs1_issuer.pem
        index 1fa449d5a098..6aa9455f09ed 100644
        --- a/test/certs/embeddedSCTs1_issuer.pem
        +++ b/test/certs/embeddedSCTs1_issuer.pem
        @@ -1,18 +1,18 @@
        -----BEGIN CERTIFICATE-----
        -MIIC0DCCAjmgAwIBAgIBADANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJHQjEk
        +MIIC0jCCAjugAwIBAgIBADANBgkqhkiG9w0BAQsFADBVMQswCQYDVQQGEwJHQjEk
        MCIGA1UEChMbQ2VydGlmaWNhdGUgVHJhbnNwYXJlbmN5IENBMQ4wDAYDVQQIEwVX
        -YWxlczEQMA4GA1UEBxMHRXJ3IFdlbjAeFw0xMjA2MDEwMDAwMDBaFw0yMjA2MDEw
        -MDAwMDBaMFUxCzAJBgNVBAYTAkdCMSQwIgYDVQQKExtDZXJ0aWZpY2F0ZSBUcmFu
        -c3BhcmVuY3kgQ0ExDjAMBgNVBAgTBVdhbGVzMRAwDgYDVQQHEwdFcncgV2VuMIGf
        -MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDVimhTYhCicRmTbneDIRgcKkATxtB7
        -jHbrkVfT0PtLO1FuzsvRyY2RxS90P6tjXVUJnNE6uvMa5UFEJFGnTHgW8iQ8+EjP
        -KDHM5nugSlojgZ88ujfmJNnDvbKZuDnd/iYx0ss6hPx7srXFL8/BT/9Ab1zURmnL
        -svfP34b7arnRsQIDAQABo4GvMIGsMB0GA1UdDgQWBBRfnYgNyHPmVNT4DdjmsMEk
        -tEfDVTB9BgNVHSMEdjB0gBRfnYgNyHPmVNT4DdjmsMEktEfDVaFZpFcwVTELMAkG
        -A1UEBhMCR0IxJDAiBgNVBAoTG0NlcnRpZmljYXRlIFRyYW5zcGFyZW5jeSBDQTEO
        -MAwGA1UECBMFV2FsZXMxEDAOBgNVBAcTB0VydyBXZW6CAQAwDAYDVR0TBAUwAwEB
        -/zANBgkqhkiG9w0BAQUFAAOBgQAGCMxKbWTyIF4UbASydvkrDvqUpdryOvw4BmBt
        -OZDQoeojPUApV2lGOwRmYef6HReZFSCa6i4Kd1F2QRIn18ADB8dHDmFYT9czQiRy
        -f1HWkLxHqd81TbD26yWVXeGJPE3VICskovPkQNJ0tU4b03YmnKliibduyqQQkOFP
        -OwqULg==
        +YWxlczEQMA4GA1UEBxMHRXJ3IFdlbjAgFw0yMjA2MDExMDM4MDJaGA8yMTIyMDUw
        +ODEwMzgwMlowVTELMAkGA1UEBhMCR0IxJDAiBgNVBAoTG0NlcnRpZmljYXRlIFRy
        +YW5zcGFyZW5jeSBDQTEOMAwGA1UECBMFV2FsZXMxEDAOBgNVBAcTB0VydyBXZW4w
        +gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANWKaFNiEKJxGZNud4MhGBwqQBPG
        +0HuMduuRV9PQ+0s7UW7Oy9HJjZHFL3Q/q2NdVQmc0Tq68xrlQUQkUadMeBbyJDz4
        +SM8oMczme6BKWiOBnzy6N+Yk2cO9spm4Od3+JjHSyzqE/HuytcUvz8FP/0BvXNRG
        +acuy98/fhvtqudGxAgMBAAGjga8wgawwHQYDVR0OBBYEFF+diA3Ic+ZU1PgN2Oaw
        +wSS0R8NVMH0GA1UdIwR2MHSAFF+diA3Ic+ZU1PgN2OawwSS0R8NVoVmkVzBVMQsw
        +CQYDVQQGEwJHQjEkMCIGA1UEChMbQ2VydGlmaWNhdGUgVHJhbnNwYXJlbmN5IENB
        +MQ4wDAYDVQQIEwVXYWxlczEQMA4GA1UEBxMHRXJ3IFdlboIBADAMBgNVHRMEBTAD
        +AQH/MA0GCSqGSIb3DQEBCwUAA4GBAD0aYh9OkFYfXV7kBfhrtD0PJG2U47OV/1qq
        ++uFpqB0S1WO06eJT0pzYf1ebUcxjBkajbJZm/FHT85VthZ1lFHsky87aFD8XlJCo
        +2IOhKOkvvWKPUdFLoO/ZVXqEVKkcsS1eXK1glFvb07eJZya3JVG0KdMhV2YoDg6c
        +Doud4XrO
        -----END CERTIFICATE-----
        debian/patches/Update-further-expiring-certificates-that-affect-tests.patch 0 → 100644
        + 959
        0
        View file @ caa93e2a
        This diff is collapsed.
        debian/patches/c_rehash-Do-not-use-shell-to-invoke-openssl.patch 0 → 100644
        + 72
        0
        View file @ caa93e2a
        From: Tomas Mraz <tomas@openssl.org>
        Date: Tue, 26 Apr 2022 12:40:24 +0200
        Subject: c_rehash: Do not use shell to invoke openssl
        Except on VMS where it is safe.
        This fixes CVE-2022-1292.
        Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
        Reviewed-by: Matt Caswell <matt@openssl.org>
        ---
        tools/c_rehash.in | 29 +++++++++++++++++++++++++----
        1 file changed, 25 insertions(+), 4 deletions(-)
        diff --git a/tools/c_rehash.in b/tools/c_rehash.in
        index a7e538a72d7d..914be03da14f 100644
        --- a/tools/c_rehash.in
        +++ b/tools/c_rehash.in
        @@ -149,6 +149,23 @@ sub check_file {
        return ($is_cert, $is_crl);
        }
        +sub compute_hash {
        + my $fh;
        + if ( $^O eq "VMS" ) {
        + # VMS uses the open through shell
        + # The file names are safe there and list form is unsupported
        + if (!open($fh, "-|", join(' ', @_))) {
        + print STDERR "Cannot compute hash on '$fname'\n";
        + return;
        + }
        + } else {
        + if (!open($fh, "-|", @_)) {
        + print STDERR "Cannot compute hash on '$fname'\n";
        + return;
        + }
        + }
        + return (<$fh>, <$fh>);
        +}
        # Link a certificate to its subject name hash value, each hash is of
        # the form <hash>.<n> where n is an integer. If the hash value already exists
        @@ -159,10 +176,12 @@ sub check_file {
        sub link_hash_cert {
        my $fname = $_[0];
        my $x509hash = $_[1] || '-subject_hash';
        - $fname =~ s/\"/\\\"/g;
        - my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`;
        + my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash,
        + "-fingerprint", "-noout",
        + "-in", $fname);
        chomp $hash;
        chomp $fprint;
        + return if !$hash;
        $fprint =~ s/^.*=//;
        $fprint =~ tr/://d;
        my $suffix = 0;
        @@ -210,10 +229,12 @@ sub link_hash_crl_old {
        sub link_hash_crl {
        my $fname = $_[0];
        my $crlhash = $_[1] || "-hash";
        - $fname =~ s/'/'\\''/g;
        - my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`;
        + my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash,
        + "-fingerprint", "-noout",
        + "-in", $fname);
        chomp $hash;
        chomp $fprint;
        + return if !$hash;
        $fprint =~ s/^.*=//;
        $fprint =~ tr/://d;
        my $suffix = 0;
        debian/patches/ct_test.c-Update-the-epoch-time.patch 0 → 100644
        + 24
        0
        View file @ caa93e2a
        From: Tomas Mraz <tomas@openssl.org>
        Date: Wed, 1 Jun 2022 13:06:46 +0200
        Subject: ct_test.c: Update the epoch time
        Reviewed-by: Matt Caswell <matt@openssl.org>
        Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
        (Merged from https://github.com/openssl/openssl/pull/18446)
        ---
        test/ct_test.c | 2 +-
        1 file changed, 1 insertion(+), 1 deletion(-)
        diff --git a/test/ct_test.c b/test/ct_test.c
        index 78d11ca98cf7..535897d09a77 100644
        --- a/test/ct_test.c
        +++ b/test/ct_test.c
        @@ -63,7 +63,7 @@ static CT_TEST_FIXTURE *set_up(const char *const test_case_name)
        if (!TEST_ptr(fixture = OPENSSL_zalloc(sizeof(*fixture))))
        goto end;
        fixture->test_case_name = test_case_name;
        - fixture->epoch_time_in_ms = 1473269626000ULL; /* Sep 7 17:33:46 2016 GMT */
        + fixture->epoch_time_in_ms = 1580335307000ULL; /* Wed 29 Jan 2020 10:01:47 PM UTC */
        if (!TEST_ptr(fixture->ctlog_store = CTLOG_STORE_new())
        || !TEST_int_eq(
        CTLOG_STORE_load_default_file(fixture->ctlog_store), 1))
        debian/patches/series
        + 5
        0
        View file @ caa93e2a
        ......@@ -4,3 +4,8 @@ no-symbolic.patch
        pic.patch
        c_rehash-compat.patch
        Set-systemwide-default-settings-for-libssl-users.patch
        c_rehash-Do-not-use-shell-to-invoke-openssl.patch
        Fix-file-operations-in-c_rehash.patch
        Update-expired-SCT-certificates.patch
        ct_test.c-Update-the-epoch-time.patch
        Update-further-expiring-certificates-that-affect-tests.patch
        0% or .
        You are about to add 0 people to the discussion. Proceed with caution.
        Finish editing this message first!
        Please register or to comment
        Apertis Website Terms of Use Privacy Policy