The branch stable/14 has been updated by cy:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=17e941a0c88cac2d8cd28d6614448adbd65d4b72

commit 17e941a0c88cac2d8cd28d6614448adbd65d4b72
Author:     Cy Schubert <[email protected]>
AuthorDate: 2024-01-18 08:22:20 +0000
Commit:     Cy Schubert <[email protected]>
CommitDate: 2024-01-22 15:49:05 +0000

    kerberos5: Mitigate the possibility of using an old libcrypto
    
    By using the full library name (libcrypto.so.30) we avoid the exposure
    of using an old, possibly vulnerable, library.
    
    Reported by:            jrtc27
    Fixes:                  476d63e091c2
    
    (cherry picked from commit 0990136ed1753ac7837206f9c5f4b83ccff6c405)
---
 kerberos5/lib/libroken/fbsd_ossl_provider_load.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/kerberos5/lib/libroken/fbsd_ossl_provider_load.c 
b/kerberos5/lib/libroken/fbsd_ossl_provider_load.c
index 497b32124f96..2328041bc166 100644
--- a/kerberos5/lib/libroken/fbsd_ossl_provider_load.c
+++ b/kerberos5/lib/libroken/fbsd_ossl_provider_load.c
@@ -5,6 +5,7 @@
 #include <openssl/provider.h>
 
 #if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
+#define CRYPTO_LIBRARY "/lib/libcrypto.so.30"
 static void fbsd_ossl_provider_unload(void);
 static void print_dlerror(char *);
 static OSSL_PROVIDER *legacy;
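Review bot: The new CRYPTO_LIBRARY define carries no comment saying why the fully versioned SONAME is used instead of the unversioned name, which is the whole point of this change; without it a later cleanup could plausibly revert to a plain `libcrypto.so` and reintroduce the exposure the commit message describes. Suggest preceding the define with `/* Full SONAME on purpose: an unversioned libcrypto.so may resolve to an older, possibly vulnerable library. */`. The embedded major version will presumably need to follow future OpenSSL SONAME bumps in base, so the comment is also the right place to say that. The macro is only defined under OPENSSL_VERSION_MAJOR >= 3, which matches its single use in fbsd_ossl_provider_load below.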
@@ -46,7 +47,7 @@ fbsd_ossl_provider_load(void)
 {
 #if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
        if (crypto_lib_handle == NULL) {
-               if (!(crypto_lib_handle = dlopen("/usr/lib/libcrypto.so",
+               if (!(crypto_lib_handle = dlopen(CRYPTO_LIBRARY,
                    RTLD_LAZY|RTLD_GLOBAL))) {
                        print_dlerror("Unable to load libcrypto.so");
                        return (EINVAL);
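Review bot: The diagnostic on the print_dlerror line still names `libcrypto.so` while the dlopen call now uses CRYPTO_LIBRARY, so a failure to load /lib/libcrypto.so.30 would be reported under the wrong file name. Building the message from the macro keeps the two from drifting apart: `print_dlerror("Unable to load " CRYPTO_LIBRARY);`. The body of fbsd_ossl_provider_load continues past the end of the hunk.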
