Fix CVE-2021-3712

0089-CVE-2021-3712.patch

@@ -0,0 +1,67 @@
+From 89d74f9b9c8c0b042e81aecb6c286253a51659d8 Mon Sep 17 00:00:00 2001
+From: benno <>
+Date: Fri, 20 Aug 2021 19:54:16 +0000
+Subject: [PATCH] In LibreSSL, printing a certificate can result in a crash in
+ X509_CERT_AUX_print().
+
+Commit in -current:
+
+CVSROOT:        /cvs
+Module name:    src
+Changes by:     schwarze@cvs.openbsd.org        2021/07/10 11:45:16
+
+Modified files:
+        lib/libcrypto/asn1: t_x509a.c
+
+Log message:
+Fix a read buffer overrun in X509_CERT_AUX_print(3),
+which by implication also affects X509_print(3).
+
+The ASN1_STRING_get0_data(3) manual explitely cautions the reader
+that the data is not necessarily NUL-terminated, and the function
+X509_alias_set1(3) does not sanitize the data passed into it in
+any way either, so we must assume the alias->data field is merely
+a byte array and not necessarily a string in the sense of the C
+language.
+
+I found this bug while writing manual pages for these functions.
+
+OK tb@
+
+As an aside, note that the function still produces incomplete and
+misleading results when the data contains a NUL byte in the middle
+and that error handling is consistently absent throughout, even
+though the function provides an "int" return value obviously intended
+to be 1 for success and 0 for failure, and even though this function
+is called by another function that also wants to return 1 for success
+and 0 for failure and even does so in many of its code paths, though
+not in others.  But let's stay focussed.  Many things would be nice
+to have in the wide wild world, but a buffer overflow must not be
+allowed to remain in our backyard.
+
+This is patches/6.8/common/029_x509.patch.sig
+---
+ src/lib/libcrypto/asn1/t_x509a.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/lib/libcrypto/asn1/t_x509a.c b/src/lib/libcrypto/asn1/t_x509a.c
+index fd68211b84..173465b295 100644
+--- a/src/lib/libcrypto/asn1/t_x509a.c
++++ b/src/lib/libcrypto/asn1/t_x509a.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: t_x509a.c,v 1.8 2014/07/11 08:44:47 jsing Exp $ */
++/* $OpenBSD: t_x509a.c,v 1.8.18.1 2021/08/20 19:54:16 benno Exp $ */
+ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+  * project 1999.
+  */
+@@ -105,8 +105,8 @@ X509_CERT_AUX_print(BIO *out, X509_CERT_AUX *aux, int indent)
+ 	} else
+ 		BIO_printf(out, "%*sNo Rejected Uses.\n", indent, "");
+ 	if (aux->alias)
+-		BIO_printf(out, "%*sAlias: %s\n", indent, "",
+-		    aux->alias->data);
++		BIO_printf(out, "%*sAlias: %.*s\n", indent, "",
++		    aux->alias->length, aux->alias->data);
+ 	if (aux->keyid) {
+ 		BIO_printf(out, "%*sKey Id: ", indent, "");
+ 		for (i = 0; i < aux->keyid->length; i++)

libressl.spec

@@ -76,7 +76,7 @@
 Summary:		LibreSSL utils and libs coexisting with OpenSSL
 Name:			libressl
 Version:		3.2.0
-Release:		7
+Release:		8
 # The code is distributed under ISC license except of original OpenSSL code
 License:		ISC and BSD-like
 Group:			System/Base
@@ -201,7 +201,17 @@ Patch0086: 0086-kdftree-add-support-for-TLSTREE-rekeying-algorithm.patch
 Patch0087: 0087-ssl-add-support-for-TLSTREE-rekeying.patch
 # https://www.opennet.ru/opennews/art.shtml?num=54233
 # https://github.com/libressl-portable/openbsd/commit/f22d7684aed13a9ae9ea6554b7a3e52fdfa4f193
+# From LibreSSL 3.2.3
 Patch0088: 0088-CVE-2020-1971.patch
+# https://www.opennet.ru/opennews/art.shtml?num=55683
+# https://github.com/libressl-portable/openbsd/commit/89d74f9b9c8c0b042e81aecb6c286253a51659d8
+# From LibreSSL 3.2.6
+Patch0089: 0089-CVE-2021-3712.patch
+
+# TODO:
+# https://www.opennet.ru/opennews/art.shtml?num=54774
+# https://github.com/libressl-portable/openbsd/commit/5f00b800749f246861e892a17d9012bd25fc06ba (LibreSSL 3.2.5)
+# Code is different in our version, investigation if backport is required is required.
 
 # Patches for portable, from lumag@
 # ( for i in *PORTABLE*.patch ; do echo Patch$(echo $i | awk -F '-' '{print $2}'): $i ; done ) | sed -e 's,^Patch0,Patch2,g' | sort -h