Stop Delta CRL processing if a CRL number is misssing - openbsd - A mirror of https://github.com/libressl/openbsd.git

diff options

author	tb <>	2026-04-07 12:48:37 +0000
committer	tb <>	2026-04-07 12:48:37 +0000
commit	e0240e9ee3c8649869db81bfb1767d8a225d80f7 (patch)
tree	03bee93d159ad217ca9517a4d45bd6a4eda7e9d4 /src/lib/libcrypto/objects
parent	3e568752a6bd0d3e75c6c74854bf08bff53c1b64 (diff)
download	openbsd-e0240e9ee3c8649869db81bfb1767d8a225d80f7.tar.gz openbsd-e0240e9ee3c8649869db81bfb1767d8a225d80f7.tar.bz2 openbsd-e0240e9ee3c8649869db81bfb1767d8a225d80f7.zip

Stop Delta CRL processing if a CRL number is misssing

A malformed Delta CRL could cause a crash. Funnily enough the deserializer recognizes this and marks such a CRL as invalid, but nothing ever checks the EXFLAG_INVALID for CRLs. For certificates this would usually result in verification failure due to x509v3_cache_extensions() failing. This is only reachable if the X509_V_FLAG_USE_DELTAS is used, which only a handful of ports do, plus openssl(1) does if you use the undocumented -use_deltas flag. Reported by Igor Morgenstern to OpenSSL who then sat on this since Jan 8 and assigned CVE-2026-28388. ok jsing

Diffstat (limited to 'src/lib/libcrypto/objects')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: