Message ID | 20220701161205.112341-1-jose.quaresma@foundries.io |
---|---|
State | Accepted, archived |
Commit | 7a8d374a3d4bbef336be2b273afc00c93c637ae6 |
Series | [kirkstone] curl: backport openssl fix CN check error code |
On Fri, Jul 1, 2022 at 6:12 AM Jose Quaresma <quaresma.jose@gmail.com> wrote: > > Fix out of memory [1] > > OpenSSL host verification + hostname in certificate CN only seems broken in 7.82.0 > > [1] https://github.com/curl/curl/issues/8559 > > Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> > --- > ...0001-openssl-fix-CN-check-error-code.patch | 38 +++++++++++++++++++ > meta/recipes-support/curl/curl_7.82.0.bb | 1 + > 2 files changed, 39 insertions(+) > create mode 100644 meta/recipes-support/curl/curl/0001-openssl-fix-CN-check-error-code.patch > > diff --git a/meta/recipes-support/curl/curl/0001-openssl-fix-CN-check-error-code.patch b/meta/recipes-support/curl/curl/0001-openssl-fix-CN-check-error-code.patch > new file mode 100644 > index 0000000000..c5aa8f2d60 > --- /dev/null > +++ b/meta/recipes-support/curl/curl/0001-openssl-fix-CN-check-error-code.patch 
> @@ -0,0 +1,38 @@ > +From 0677924c6ec7e0d68964553fb760f6d407242c54 Mon Sep 17 00:00:00 2001 > +From: Daniel Stenberg <daniel@haxx.se> > +Date: Tue, 8 Mar 2022 13:38:13 +0100 > +Subject: [PATCH] openssl: fix CN check error code > + > +Due to a missing 'else' this returns error too easily. > + > +Regressed in: d15692ebb > + > +Reported-by: Kristoffer Gleditsch > +Fixes #8559 > +Closes #8560 > + > +Upstream-Status: Backported [https://github.com/curl/curl/commit/911714d617c106ed5d553bf003e34ec94ab6a136]

Should be Backport, not Backported! The latter will get you an error:

ERROR: curl-7.82.0-r0 do_patch: Malformed Upstream-Status in patch

No need to re-submit, I've fixed it!

Steve

> + > +Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> > + > +--- > + lib/vtls/openssl.c | 3 ++- > + 1 file changed, 2 insertions(+), 1 deletion(-) > + > +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c > +index 616a510..1bafe96 100644 > +--- a/lib/vtls/openssl.c > ++++ b/lib/vtls/openssl.c > +@@ -1808,7 +1808,8 @@ CURLcode Curl_ossl_verifyhost(struct Curl_easy *data, struct connectdata *conn, > + memcpy(peer_CN, ASN1_STRING_get0_data(tmp), peerlen); > + peer_CN[peerlen] = '\0'; > + } > +- result = CURLE_OUT_OF_MEMORY; > ++ else > ++ result = CURLE_OUT_OF_MEMORY; > + } > + } > + else /* not a UTF8 name */ > +-- > +2.34.1 > + > diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb > index ba3fd11820..d5dfe62a39 100644 > --- a/meta/recipes-support/curl/curl_7.82.0.bb > +++ b/meta/recipes-support/curl/curl_7.82.0.bb 
> @@ -23,6 +23,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \ > file://CVE-2022-27779.patch \ > file://CVE-2022-27782-1.patch \ > file://CVE-2022-27782-2.patch \ > + file://0001-openssl-fix-CN-check-error-code.patch \ > " > SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c" > > -- > 2.37.0
Hi,

On Fri, Jul 01, 2022 at 08:27:20AM -1000, Steve Sakoman wrote:
> Should be Backport, not Backported! The latter will get you an error:
>
> ERROR: curl-7.82.0-r0 do_patch: Malformed Upstream-Status in patch
>
> No need to re-submit, I've fixed it!

How is poky/scripts/contrib/patchreview.py setup to run so that this would fail automatically?

I'd like to have this on my CI builds too.

Cheers,

-Mikko
On Mon, 2022-07-04 at 06:43 +0000, Mikko Rapeli wrote:
> Hi,
>
> On Fri, Jul 01, 2022 at 08:27:20AM -1000, Steve Sakoman wrote:
> > Should be Backport, not Backported! The latter will get you an error:
> >
> > ERROR: curl-7.82.0-r0 do_patch: Malformed Upstream-Status in patch
> >
> > No need to re-submit, I've fixed it!
>
> How is poky/scripts/contrib/patchreview.py setup to run so that this would
> fail automatically?
>
> I'd like to have this on my CI builds too.

See insane.bbclass, do_qa_patch. The issue will be:

    # skip patches not in oe-core
    if '/meta/' not in fullpath:
        continue

since we limited this to OE-Core originally. We probably need to make that configurable.

Cheers,

Richard
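The check discussed in the replies above, sketched as an added example (not the code in insane.bbclass or patchreview.py): it validates the Upstream-Status value and makes the `/meta/` path filter configurable. The set of accepted status values, the function names, the `markers` parameter and the `/build/...` paths are assumptions; the sample header is constructed from the patch in this thread.

```python
import re

# Assumption: accepted values as listed in the OE contributor guidelines,
# not read from insane.bbclass.
VALID_STATUSES = {"pending", "submitted", "backport", "denied",
                  "inappropriate", "inactive-upstream"}
TAG_RE = re.compile(r"^[ \t]*Upstream[-_ ]Status:?[ \t]*([\w-]+)", re.I | re.M)

def check_upstream_status(patch_text):
    """Return (ok, message) for the header of one patch file."""
    header = patch_text.split("\ndiff --git", 1)[0]  # ignore the diff body
    m = TAG_RE.search(header)
    if m is None:
        return (False, "Missing Upstream-Status")
    if m.group(1).lower() not in VALID_STATUSES:
        return (False, f"Malformed Upstream-Status '{m.group(1)}'")
    return (True, "ok")

def review(patches, markers=("/meta/",)):
    """patches maps path -> patch text; returns one line per failing patch.

    markers replaces the hard-coded '/meta/' test so that other layers can
    be brought into scope (hypothetical parameter).
    """
    failures = []
    for path in sorted(patches):
        if not any(marker in path for marker in markers):
            continue  # out of scope, same effect as the '/meta/' skip
        ok, message = check_upstream_status(patches[path])
        if not ok:
            failures.append(f"{path}: {message}")
    return failures

# Constructed sample: header of the patch from this thread, as submitted.
SAMPLE_BAD = """Subject: [PATCH] openssl: fix CN check error code

Upstream-Status: Backported [https://github.com/curl/curl/commit/911714d617c106ed5d553bf003e34ec94ab6a136]

Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
---
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
"""
SAMPLE_FIXED = SAMPLE_BAD.replace("Backported", "Backport")

if __name__ == "__main__":
    tree = {"/build/meta/recipes-support/curl/curl/0001-openssl-fix-CN-check-error-code.patch": SAMPLE_BAD,
            "/build/meta-custom/recipes-foo/foo/fix.patch": "Subject: x\n---\n"}
    print(review(tree))
    print(review(tree, markers=("/meta/", "/meta-custom/")))
```

With the default markers only the OE-Core patch is reported; adding a layer's marker brings that layer's patches into the same gate.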
diff --git a/meta/recipes-support/curl/curl/0001-openssl-fix-CN-check-error-code.patch b/meta/recipes-support/curl/curl/0001-openssl-fix-CN-check-error-code.patch new file mode 100644 index 0000000000..c5aa8f2d60 --- /dev/null +++ b/meta/recipes-support/curl/curl/0001-openssl-fix-CN-check-error-code.patch @@ -0,0 +1,38 @@ +From 0677924c6ec7e0d68964553fb760f6d407242c54 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Tue, 8 Mar 2022 13:38:13 +0100 +Subject: [PATCH] openssl: fix CN check error code + +Due to a missing 'else' this returns error too easily. + +Regressed in: d15692ebb + +Reported-by: Kristoffer Gleditsch +Fixes #8559 +Closes #8560 + +Upstream-Status: Backported [https://github.com/curl/curl/commit/911714d617c106ed5d553bf003e34ec94ab6a136] + +Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> + +--- + lib/vtls/openssl.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c +index 616a510..1bafe96 100644 +--- a/lib/vtls/openssl.c ++++ b/lib/vtls/openssl.c +@@ -1808,7 +1808,8 @@ CURLcode Curl_ossl_verifyhost(struct Curl_easy *data, struct connectdata *conn, + memcpy(peer_CN, ASN1_STRING_get0_data(tmp), peerlen); + peer_CN[peerlen] = '\0'; + } +- result = CURLE_OUT_OF_MEMORY; ++ else ++ result = CURLE_OUT_OF_MEMORY; + } + } + else /* not a UTF8 name */ +-- +2.34.1 + diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb index ba3fd11820..d5dfe62a39 100644 --- a/meta/recipes-support/curl/curl_7.82.0.bb +++ b/meta/recipes-support/curl/curl_7.82.0.bb @@ -23,6 +23,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \ file://CVE-2022-27779.patch \ file://CVE-2022-27782-1.patch \ file://CVE-2022-27782-2.patch \ + file://0001-openssl-fix-CN-check-error-code.patch \ " SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
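Review bot: The `Upstream-Status:` line in the header of the added 0001-openssl-fix-CN-check-error-code.patch uses `Backported`, which is not an accepted value and makes do_patch fail with "Malformed Upstream-Status in patch". Change it to `Upstream-Status: Backport [...]`, keeping the same upstream commit URL.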
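Review bot: The commit subject "Fix out of memory" does not match the embedded lib/vtls/openssl.c change at `@@ -1808,7 +1808,8 @@`: the removed line set `result = CURLE_OUT_OF_MEMORY;` unconditionally after the block that copies `peer_CN`, and the added `else` only limits it to the case where that block is skipped, so no memory behaviour changes. Suggest describing it as a spurious CURLE_OUT_OF_MEMORY from the CN check, in line with the upstream subject "openssl: fix CN check error code".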
Fix out of memory [1]

OpenSSL host verification + hostname in certificate CN only seems broken in 7.82.0

[1] https://github.com/curl/curl/issues/8559

Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
---
 ...0001-openssl-fix-CN-check-error-code.patch | 38 +++++++++++++++++++
 meta/recipes-support/curl/curl_7.82.0.bb | 1 +
 2 files changed, 39 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/0001-openssl-fix-CN-check-error-code.patch