diff options
Diffstat (limited to 'security/openssl35/files/patch-CVE-2025-4575')
| -rw-r--r-- | security/openssl35/files/patch-CVE-2025-4575 | 61 |
1 files changed, 61 insertions, 0 deletions
diff --git a/security/openssl35/files/patch-CVE-2025-4575 b/security/openssl35/files/patch-CVE-2025-4575 new file mode 100644 index 000000000000..1bcec34bcb96 --- /dev/null +++ b/security/openssl35/files/patch-CVE-2025-4575 @@ -0,0 +1,61 @@ +From e96d22446e633d117e6c9904cb15b4693e956eaa Mon Sep 17 00:00:00 2001 +From: Tomas Mraz <tomas@openssl.org> +Date: Tue, 20 May 2025 16:34:10 +0200 +Subject: [PATCH] apps/x509.c: Fix the -addreject option adding trust instead + of rejection + +Fixes CVE-2025-4575 + +Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> +Reviewed-by: Paul Dale <ppzgs1@gmail.com> +(Merged from https://github.com/openssl/openssl/pull/27672) + +(cherry picked from commit 0eb9acc24febb1f3f01f0320cfba9654cf66b0ac) +--- + apps/x509.c | 2 +- + test/recipes/25-test_x509.t | 12 +++++++++++- + 2 files changed, 12 insertions(+), 2 deletions(-) + +diff --git a/apps/x509.c b/apps/x509.c +index fdae8f383a667..0c340c15b321a 100644 +--- apps/x509.c.orig ++++ apps/x509.c +@@ -465,7 +465,7 @@ int x509_main(int argc, char **argv) + prog, opt_arg()); + goto opthelp; + } +- if (!sk_ASN1_OBJECT_push(trust, objtmp)) ++ if (!sk_ASN1_OBJECT_push(reject, objtmp)) + goto end; + trustout = 1; + break; +diff --git a/test/recipes/25-test_x509.t b/test/recipes/25-test_x509.t +index 09b61708ff8a5..dfa0a428f5f0c 100644 +--- test/recipes/25-test_x509.t.orig ++++ test/recipes/25-test_x509.t +@@ -16,7 +16,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/; + + setup("test_x509"); + +-plan tests => 134; ++plan tests => 138; + + # Prevent MSys2 filename munging for arguments that look like file paths but + # aren't +@@ -110,6 +110,16 @@ ok(run(app(["openssl", "x509", "-new", "-force_pubkey", $key, "-subj", "/CN=EE", + && run(app(["openssl", "verify", "-no_check_time", + "-trusted", $ca, "-partial_chain", $caout]))); + ++# test trust decoration ++ok(run(app(["openssl", "x509", "-in", $ca, "-addtrust", "emailProtection", ++ "-out", "ca-trusted.pem"]))); ++cert_contains("ca-trusted.pem", "Trusted Uses: E-mail Protection", ++ 1, 'trusted use - E-mail Protection'); ++ok(run(app(["openssl", "x509", "-in", $ca, "-addreject", "emailProtection", ++ "-out", "ca-rejected.pem"]))); ++cert_contains("ca-rejected.pem", "Rejected Uses: E-mail Protection", ++ 1, 'rejected use - E-mail Protection'); ++ + subtest 'x509 -- x.509 v1 certificate' => sub { + tconversion( -type => 'x509', -prefix => 'x509v1', + -in => srctop_file("test", "testx509.pem") ); |