File stunnel-CVE-2021-20230.patch of Package stunnel.18715
The fix for CVE-2021-20230 was later modified in the update to version 5.58:
https://github.com/mtrojnar/stunnel/commit/80f351bc063f0e6341bfe73f0dd5efeb90b0f4e8
Index: stunnel-5.57/src/verify.c
===================================================================
--- stunnel-5.57.orig/src/verify.c
+++ stunnel-5.57/src/verify.c
@@ -220,15 +220,15 @@ NOEXPORT int verify_callback(int preveri
return 0; /* reject */
if(c->opt->redirect_addr.names) {
SSL_SESSION *sess=SSL_get1_session(c->ssl);
- if(sess) {
- int ok=SSL_SESSION_set_ex_data(sess,
- index_session_authenticated, NULL);
+ if(!sess)
+ return 0; /* reject */
+ if(!SSL_SESSION_set_ex_data(sess,
+ index_session_authenticated, NULL)) {
+ sslerror("SSL_SESSION_set_ex_data");
SSL_SESSION_free(sess);
- if(!ok) {
- sslerror("SSL_SESSION_set_ex_data");
- return 0; /* reject */
- }
+ return 0; /* reject */
}
+ SSL_SESSION_free(sess);
return 1; /* accept */
}
return 0; /* reject */
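Review bot: The new `if(!sess) return 0; /* reject */` branch fails the handshake without logging anything, whereas the `SSL_SESSION_set_ex_data` failure a few lines below reports itself through `sslerror(...)`. An operator investigating rejected clients on a `redirect` service would see no reason for this path, so I would log before returning, e.g. `if(!sess) { s_log(LOG_ERR, "SSL_get1_session: no session"); return 0; }`. This assumes stunnel's `s_log` is usable in this file; `sslerror` looks less suitable because a NULL session does not necessarily leave an entry on the OpenSSL error queue. A one-line comment that this branch rejects deliberately rather than falling through to `return 1; /* accept */` would also help keep a later refactor from reintroducing the accept-on-NULL behaviour. `verify_callback` starts and ends outside the hunk, so the surrounding conditions are not visible here.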
Index: stunnel-5.57/tests/recipes/028_redirect_chain
===================================================================
--- stunnel-5.57.orig/tests/recipes/028_redirect_chain
+++ stunnel-5.57/tests/recipes/028_redirect_chain
@@ -32,7 +32,7 @@ start() {
accept = 127.0.0.1:${https1}
exec = ${script_path}/execute
execArgs = execute 028_redirect_chain_error
- redirect = ${http2}
+ redirect = 127.0.0.1:${http2}
cert = ${script_path}/certs/server_cert.pem
verifyChain = yes
CAfile = ${script_path}/certs/CACert.pem