JakeHillion/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

openssl: Update to 1.0.1m

Browse Source 
Fixes various "Moderate" / "Low" CVEs:
http://openssl.org/news/secadv_20150319.txt
This commit is contained in:
Eelco Dolstra 2015-03-19 15:57:17 +01:00
parent e73933da9c
commit 2fe351c7e3
2 changed files with 24 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
pkgs/development/libraries/openssl/cert-file.patch
View File

@ -1,6 +1,6 @@
diff -ru -x '*~' openssl-1.0.0e-orig/crypto/x509/x509_def.c openssl-1.0.0e/crypto/x509/x509_def.c diff -ru openssl-1.0.1m-orig/crypto/x509/x509_def.c openssl-1.0.1m/crypto/x509/x509_def.c
--- openssl-1.0.0e-orig/crypto/x509/x509_def.c 1999-09-11 19:54:11.000000000 +0200 --- openssl-1.0.1m-orig/crypto/x509/x509_def.c 2015-03-19 14:19:00.000000000 +0100
+++ openssl-1.0.0e/crypto/x509/x509_def.c 2011-09-12 18:30:59.386501609 +0200 +++ openssl-1.0.1m/crypto/x509/x509_def.c 2015-03-19 15:50:44.676683616 +0100
@@ -57,6 +57,10 @@ @@ -57,6 +57,10 @@
*/ */
@ -12,30 +12,28 @@ diff -ru -x '*~' openssl-1.0.0e-orig/crypto/x509/x509_def.c openssl-1.0.0e/crypt
#include "cryptlib.h" #include "cryptlib.h"
#include <openssl/crypto.h> #include <openssl/crypto.h>
#include <openssl/x509.h> #include <openssl/x509.h>
@@ -71,7 +75,25 @@ @@ -78,7 +82,23 @@
{ return(X509_CERT_DIR); }
const char *X509_get_default_cert_file(void) const char *X509_get_default_cert_file(void)
- { return(X509_CERT_FILE); } {
+ { - return (X509_CERT_FILE);
+ static char buf[PATH_MAX] = X509_CERT_FILE; + static char buf[PATH_MAX] = X509_CERT_FILE;
+ static int init = 0; + static int init = 0;
+ if (!init) { + if (!init) {
+ init = 1; + init = 1;
+ char * s = getenv("OPENSSL_X509_CERT_FILE"); + char * s = getenv("OPENSSL_X509_CERT_FILE");
+ if (s) { + if (s) {
+#ifndef OPENSSL_SYS_WINDOWS +#ifndef OPENSSL_SYS_WINDOWS
+ if (getuid() == geteuid()) { + if (getuid() == geteuid()) {
+#endif +#endif
+ strncpy(buf, s, sizeof(buf)); + strncpy(buf, s, sizeof(buf));
+ buf[sizeof(buf) - 1] = 0; + buf[sizeof(buf) - 1] = 0;
+#ifndef OPENSSL_SYS_WINDOWS +#ifndef OPENSSL_SYS_WINDOWS
+ } + }
+#endif +#endif
+ } + }
+ } + }
+ return buf; + return buf;
+ } }
const char *X509_get_default_cert_dir_env(void) const char *X509_get_default_cert_dir_env(void)
{ return(X509_CERT_DIR_EVP); }

6
pkgs/development/libraries/openssl/default.nix
View File

@ -2,7 +2,7 @@
, withCryptodev ? false, cryptodevHeaders }: , withCryptodev ? false, cryptodevHeaders }:
let let
name = "openssl-1.0.1l"; name = "openssl-1.0.1m";
opensslCrossSystem = stdenv.lib.attrByPath [ "openssl" "system" ] opensslCrossSystem = stdenv.lib.attrByPath [ "openssl" "system" ]
(throw "openssl needs its platform name cross building" null) (throw "openssl needs its platform name cross building" null)
@ -18,6 +18,8 @@ let
# hardcoding something like /etc/ssl/cert.pem is impure and # hardcoding something like /etc/ssl/cert.pem is impure and
# cannot be overriden per-process. For security, the # cannot be overriden per-process. For security, the
# environment variable is ignored for setuid binaries. # environment variable is ignored for setuid binaries.
# FIXME: drop this patch; it really isn't necessary, because
# OpenSSL already supports a SSL_CERT_FILE variable.
./cert-file.patch ./cert-file.patch
] ]
@ -43,7 +45,7 @@ stdenv.mkDerivation {
"http://www.openssl.org/source/${name}.tar.gz" "http://www.openssl.org/source/${name}.tar.gz"
"http://openssl.linux-mirror.org/source/${name}.tar.gz" "http://openssl.linux-mirror.org/source/${name}.tar.gz"
]; ];
sha256 = "1m6i80y9c9g7h4303bqbxnsk5wm6jd0n57hwqr0g4jaxzr44vkxj"; sha256 = "0x7gvyybmqm4lv62mlhlm80f1rn7il2qh8224rahqv0i15xhnpq9";
}; };
patches = patchesCross false; patches = patchesCross false;