Diffstat (limited to 'nixpkgs/pkgs/development/libraries/libressl')
-rw-r--r-- | nixpkgs/pkgs/development/libraries/libressl/CVE-2021-41581.patch | 53 | ||||
-rw-r--r-- | nixpkgs/pkgs/development/libraries/libressl/default.nix | 24 |
2 files changed, 12 insertions, 65 deletions
diff --git a/nixpkgs/pkgs/development/libraries/libressl/CVE-2021-41581.patch b/nixpkgs/pkgs/development/libraries/libressl/CVE-2021-41581.patch
deleted file mode 100644
index 244792567192..000000000000
--- a/nixpkgs/pkgs/development/libraries/libressl/CVE-2021-41581.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-Based on upstream https://github.com/openbsd/src/commit/62ceddea5b1d64a1a362bbb7071d9e15adcde6b1
-with paths switched to apply to libressl-portable and CVS header
-hunk removed.
-
---- a/crypto/x509/x509_constraints.c
-+++ b/crypto/x509/x509_constraints.c
-@@ -339,16 +339,16 @@
- if (c == '.')
- goto bad;
- }
-- if (wi > DOMAIN_PART_MAX_LEN)
-- goto bad;
- if (accept) {
-+ if (wi >= DOMAIN_PART_MAX_LEN)
-+ goto bad;
- working[wi++] = c;
- accept = 0;
- continue;
- }
- if (candidate_local != NULL) {
- /* We are looking for the domain part */
-- if (wi > DOMAIN_PART_MAX_LEN)
-+ if (wi >= DOMAIN_PART_MAX_LEN)
- goto bad;
- working[wi++] = c;
- if (i == len - 1) {
-@@ -363,7 +363,7 @@
- continue;
- }
- /* We are looking for the local part */
-- if (wi > LOCAL_PART_MAX_LEN)
-+ if (wi >= LOCAL_PART_MAX_LEN)
- break;
-
- if (quoted) {
-@@ -383,6 +383,8 @@
- */
- if (c == 9)
- goto bad;
-+ if (wi >= LOCAL_PART_MAX_LEN)
-+ goto bad;
- working[wi++] = c;
- continue; /* all's good inside our quoted string */
- }
-@@ -412,6 +414,8 @@
- }
- if (!local_part_ok(c))
- goto bad;
-+ if (wi >= LOCAL_PART_MAX_LEN)
-+ goto bad;
- working[wi++] = c;
- }
- if (candidate_local == NULL || candidate_domain == NULL)
diff --git a/nixpkgs/pkgs/development/libraries/libressl/default.nix b/nixpkgs/pkgs/development/libraries/libressl/default.nix
index d70672f63ac3..0d01eeb81f1a 100644
--- a/nixpkgs/pkgs/development/libraries/libressl/default.nix
+++ b/nixpkgs/pkgs/development/libraries/libressl/default.nix
@@ -40,14 +40,20 @@ let
 # removing ./configure pre-config.
 preConfigure = ''
 rm configure
+ substituteInPlace CMakeLists.txt \
+ --replace 'exec_prefix \''${prefix}' "exec_prefix ${placeholder "bin"}" \
+ --replace 'libdir \''${exec_prefix}' 'libdir \''${prefix}'
 '';
 inherit patches;
 # Since 2.9.x the default location can't be configured from the build using
 # DEFAULT_CA_FILE anymore, instead we have to patch the default value.
- postPatch = lib.optionalString (lib.versionAtLeast version "2.9.2") ''
- substituteInPlace ./tls/tls_config.c --replace '"/etc/ssl/cert.pem"' '"${cacert}/etc/ssl/certs/ca-bundle.crt"'
+ postPatch = ''
+ patchShebangs tests/
+ ${lib.optionalString (lib.versionAtLeast version "2.9.2") ''
+ substituteInPlace ./tls/tls_config.c --replace '"/etc/ssl/cert.pem"' '"${cacert}/etc/ssl/certs/ca-bundle.crt"'
+ ''}
 '';
 doCheck = true;
@@ -81,17 +87,11 @@ let
 in {
 libressl_3_2 = generic {
- version = "3.2.5";
- sha256 = "1zkwrs3b19s1ybz4q9hrb7pqsbsi8vxcs44qanfy11fkc7ynb2kr";
- patches = [
- ./CVE-2021-41581.patch
- ];
+ version = "3.2.7";
+ sha256 = "112bjfrwwqlk0lak7fmfhcls18ydf62cp7gxghf4gklpfl1zyckw";
 };
 libressl_3_4 = generic {
- version = "3.4.0";
- sha256 = "1lhn76nd59p1dfd27b4636zj6wh3f5xsi8b3sxqnl820imsswbp5";
- patches = [
- ./CVE-2021-41581.patch
- ];
+ version = "3.4.1";
+ sha256 = "0766yxb599lx7qmlmsddiw9wgminz9mc311mav5q23l0rbkflz0h";
 };
 } |
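Review bot: Nothing in `preConfigure` or `postPatch` checks that the `substituteInPlace --replace` rules actually matched, and a pattern that matches nothing leaves the file as shipped without failing the build. For the tls_config.c rule that means the library would keep `/etc/ssl/cert.pem` as its default trust store instead of the pinned `${cacert}` bundle, and nobody would notice at build time. The two new CMakeLists.txt rules also run for every version that `generic` builds, without a version guard like the one on the tls_config.c rule. I would assert the result after the substitution, for example `grep -qF '${cacert}/etc/ssl/certs/ca-bundle.crt' tls/tls_config.c`. The body of `generic` starts and ends outside this hunk.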
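Review bot: Both `generic` calls drop `./CVE-2021-41581.patch` together with the version bump, but nothing in the change records that the 3.2.7 and 3.4.1 sources already contain the `wi >= DOMAIN_PART_MAX_LEN` and `wi >= LOCAL_PART_MAX_LEN` checks in crypto/x509/x509_constraints.c that the deleted patch added. Once that is confirmed against the release sources, a comment above each `version` such as `# CVE-2021-41581 is fixed upstream in this release; local patch dropped` would keep the reasoning with the code. Separately, `inherit patches;` in the first hunk is unchanged while neither call passes `patches` any more, so this only evaluates if `generic` declares a default for that argument. Its signature is outside the visible hunks.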