CVE-2022-48437: 
NixOS vulnerability analysis and mitigation

An issue was discovered in x509/x509verify.c in LibreSSL before 3.6.1, and in OpenBSD before 7.2 errata 001. The vulnerability relates to how x509verifyctxaddchain handles custom verification callbacks, which could cause the X.509 verifier to fail to store errors resulting from leaf certificate verification (LibreSSL Release, [OpenBSD Patch](https://ftp.openbsd.org/pub/OpenBSD/patches/7.2/common/001x509.patch.sig)).

The vulnerability occurs when a verification callback is installed that tells the verifier to continue when a certificate is invalid (e.g., expired). In such cases, any error resulting from the leaf certificate verification is not stored and made available post verification, resulting in an incorrect error being returned. The issue was discovered in the x509verify.c file, specifically in the x509verifyctxadd_chain function (OpenBSD Commit).

When exploited, this vulnerability could lead to incorrect error reporting during certificate verification processes. This could potentially result in invalid certificates being accepted or valid certificates being rejected, depending on how the verification callback is implemented (OpenBSD Patch).

The issue has been fixed in LibreSSL 3.6.1 and OpenBSD 7.2 errata 001. The fix involves performing leaf certificate verification prior to adding the chain and properly storing any resulting errors. Users should upgrade to LibreSSL 3.6.1 or apply the OpenBSD 7.2 errata 001 patch (LibreSSL Release).