File openssl-CVE-2023-0466.patch of Package openssl-1_1.29173
From bccf26f7c3b921be8946bfdd1b2de48fea96f90d Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Tue, 21 Mar 2023 16:15:47 +0100
Subject: [PATCH] Fix documentation of X509_VERIFY_PARAM_add0_policy()
The function was incorrectly documented as enabling policy checking.
Fixes: CVE-2023-0466
---
CHANGES | 5 +++++
NEWS | 1 +
doc/crypto/X509_VERIFY_PARAM_set_flags.pod | 9 +++++++--
3 files changed, 13 insertions(+), 2 deletions(-)
--- a/CHANGES
+++ b/CHANGES
@@ -9,6 +9,11 @@
Changes between 1.1.0h and 1.1.0i [14 Aug 2018]
+ *) Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention
+ that it does not enable policy checking. Thanks to
+ David Benjamin for discovering this issue. (CVE-2023-0466)
+ [Tomas Mraz]
+
*) Fixed an issue where invalid certificate policies in leaf certificates are
silently ignored by OpenSSL and other certificate policy checks are skipped
for that certificate. A malicious CA could use this to deliberately assert
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,7 @@
Major changes between OpenSSL 1.1.0h and OpenSSL 1.1.0i [14 Aug 2018]
+ o Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466)
o Fixed handling of invalid certificate policies in leaf certificates
(CVE-2023-0465)
o Limited the number of nodes created in a policy tree ([CVE-2023-0464])
--- a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
+++ b/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
@@ -92,8 +92,9 @@ B<trust>.
X509_VERIFY_PARAM_set_time() sets the verification time in B<param> to
B<t>. Normally the current time is used.
-X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled
-by default) and adds B<policy> to the acceptable policy set.
+X509_VERIFY_PARAM_add0_policy() adds B<policy> to the acceptable policy set.
+Contrary to preexisting documentation of this function it does not enable
+policy checking.
X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled
by default) and sets the acceptable policy set to B<policies>. Any existing
@@ -372,6 +373,10 @@ OpenSSL 1.1.0, and has no effect.
X509_VERIFY_PARAM_get_hostflags() was added in OpenSSL 1.1.0i.
+The function X509_VERIFY_PARAM_add0_policy() was historically documented as
+enabling policy checking however the implementation has never done this.
+The documentation was changed to align with the implementation.
+
=head1 COPYRIGHT
Copyright 2009-2018 The OpenSSL Project Authors. All Rights Reserved.