Upgrade OpenSSL for CVE-2017-3732, CVE-2017-3193 #31147
Conversation
- file = (char *)getenv(X509_get_default_cert_file_env()); | ||
+ file = (char *)getenv("NIX_SSL_CERT_FILE"); | ||
- file = getenv(X509_get_default_cert_file_env()); | ||
+ file = getenv("NIX_SSL_CERT_FILE"); | ||
+ if (!file) | ||
+ file = (char *)getenv(X509_get_default_cert_file_env()); |
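Review bot: the fallback line `+ file = (char *)getenv(X509_get_default_cert_file_env());` still carries the (char *) cast that the preceding `+ file = getenv("NIX_SSL_CERT_FILE");` line dropped; getenv already returns char *, so the cast is redundant and removing it keeps the patch closer to the upstream code it rebases onto. The new lookup order is also worth a one-line comment in the patch: NIX_SSL_CERT_FILE is consulted first and the upstream X509_get_default_cert_file_env() lookup only when it is unset, so a user who sets both variables silently gets the Nix one; documenting that precedence next to the `if (!file)` guard will stop the next rebase from reordering it.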
Should probably remove the (char *) here as well to match the upstream code more closely and because the cast isn't actually safe AFAIK.
Oops...
Given the first one removed the cast, I think we don't need the (char *) in the second getenv call anymore.
Oops... :)
Building them now to verify... Edit: My laptop is sweating and says they both build fine :)
For reference: openssl/openssl@a020f54#diff-c6d4516ecf80b8c5f05c60e476619d0d is the commit that breaks our patch. (thanks @manveru for digging it up)
Motivation for this change
Closes #31144
Things done
- Tested using sandboxing (option build-use-sandbox in nix.conf on non-NixOS)
- Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
- Tested execution of all binary files (usually in ./result/bin/)