Index: PKGBUILD =================================================================== --- PKGBUILD (revision 295029) +++ PKGBUILD (working copy) @@ -18,14 +18,17 @@ 'etc/syslog-ng/syslog-ng.conf' 'etc/logrotate.d/syslog-ng') source=(https://github.com/balabit/syslog-ng/releases/download/syslog-ng-$pkgver/$pkgname-$pkgver.tar.gz - syslog-ng.conf syslog-ng.logrotate) + syslog-ng.conf syslog-ng.logrotate fix-tls-client-cert-validation.patch) sha1sums=('1ca437393d8895654452bef8ac0b996fe73284f8' '273990d01e1f044dc090bba8098161dc12dd24ea' - '949128fe3d7f77a7aab99048061f885bc758000c') + '949128fe3d7f77a7aab99048061f885bc758000c' + '0959825af29e21e60c11ef21823dd166353c7491') prepare() { cd $pkgname-$pkgver sed -i -e 's,/bin/,/usr/bin/,' -e 's,/sbin/,/bin/,' contrib/systemd/syslog-ng.service + + patch -p1 -i "$srcdir/fix-tls-client-cert-validation.patch" } build() { Index: fix-tls-client-cert-validation.patch =================================================================== --- fix-tls-client-cert-validation.patch (nonexistent) +++ fix-tls-client-cert-validation.patch (working copy) 
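Review bot: The new `sha1sums` entry in the PKGBUILD hunk pins `fix-tls-client-cert-validation.patch` with SHA-1 only, as the release tarball already is, and SHA-1 is collision-prone, which matters for a patch that changes certificate-verification code. makepkg also accepts `sha256sums=(...)` or `sha512sums=(...)`, so the whole array could be switched in this commit rather than extended. The file name promises a certificate-validation fix, while the patch's own subject describes a segfault fix in the verify callbacks. A comment above the `patch -p1` line, such as `# upstream 2251fa7a: segfault in X509 verify callbacks, issue #1310`, would tell the next maintainer when the patch can be dropped.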
@@ -0,0 +1,64 @@
+From 2251fa7a2239abeb6c5087fcee71a5d8869d9f6f Mon Sep 17 00:00:00 2001
+From: Balazs Scheidler
+Date: Mon, 6 Feb 2017 19:50:18 +0100
+Subject: [PATCH] tlscontext: fix segfault in X509_STORE_CTX_get_app_data(ctx)
+
+This patch fixes a potential segfault during X.509 certificate validation.
+What happens is that X509_STORE_CTX contains "application data", e.g.
+the application is able to associate a series of pointers with the validation.
+
+This uses an "id" to identify the user of the specific pointer.
+
+This mechanism is used by the SSL library (still in openssl) to store the
+pointer to the SSL session. The ID for this data is normally 0, however
+if libssl.so is unloaded while libcrypto.so is not, it might happen
+that this ID gets remapped to a non-zero value.
+
+Then what leads to the crash is that libssl starts to use ID 1
+to manage its SSL* pointer, while we in the validation code still
+use ID 0, causing a NULL deref.
+
+The exact reasons why this ID change happens is unclear, some apache
+related information can be found here:
+
+https://bz.apache.org/bugzilla/show_bug.cgi?id=32529
+
+You can also find more information in github issue #1310.
+
+Signed-off-by: Peter Gervai
+Signed-off-by: Balazs Scheidler
+---
+ lib/tlscontext.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/lib/tlscontext.c b/lib/tlscontext.c
+index ff8e8df..95331f2 100644
+--- a/lib/tlscontext.c
++++ b/lib/tlscontext.c
+@@ -54,7 +54,7 @@ tls_get_x509_digest(X509 *x, GString *hash_string)
+ int
+ tls_session_verify_fingerprint(X509_STORE_CTX *ctx)
+ {
+- SSL *ssl = X509_STORE_CTX_get_app_data(ctx);
++ SSL *ssl = (SSL *)X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
+ TLSSession *self = SSL_get_app_data(ssl);
+ GList *current_fingerprint = self->ctx->trusted_fingerpint_list;
+ GString *hash;
+@@ -106,7 +106,7 @@ tls_x509_format_dn(X509_NAME *name, GString *dn)
+ int
+ tls_session_verify_dn(X509_STORE_CTX *ctx)
+ {
+- SSL *ssl = X509_STORE_CTX_get_app_data(ctx);
++ SSL *ssl = (SSL *)X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
+ TLSSession *self = SSL_get_app_data(ssl);
+ gboolean match = FALSE;
+ GList *current_dn = self->ctx->trusted_dn_list;
+@@ -179,7 +179,7 @@ tls_session_verify(TLSSession *self, int ok, X509_STORE_CTX *ctx)
+ int
+ tls_session_verify_callback(int ok, X509_STORE_CTX *ctx)
+ {
+- SSL *ssl = X509_STORE_CTX_get_app_data(ctx);
++ SSL *ssl = (SSL *)X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
+ TLSSession *self = SSL_get_app_data(ssl);
+ /* NOTE: Sometimes libssl calls this function
+ with no current_cert. This happens when
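Review bot: In all three rewritten lookups (`tls_session_verify_fingerprint`, `tls_session_verify_dn`, `tls_session_verify_callback`) the result of `X509_STORE_CTX_get_ex_data()` is still passed to `SSL_get_app_data(ssl)` unchecked, and the two helpers read `self->ctx` in the very next declarations, so a NULL from either call still crashes the process during peer-certificate verification. This path runs during the TLS handshake and should fail closed: use `TLSSession *self = ssl ? SSL_get_app_data(ssl) : NULL;` followed by `if (!self) return 0;` before any `self->` access, which in the two helpers means moving the `self->ctx->...` initialisers below the check. Returning 0 rejects the certificate in an OpenSSL verify callback; the return convention of the two helpers is not visible in these hunks and should be confirmed. The `(SSL *)` cast is unnecessary in C, and each function body continues outside its hunk.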