[[kirkstone] openssl : Upgrade OpenSSL 3.0.7 -> 3.0.8] openssl: Upgrade 3.0.7 -> 3.0.8

From: Siddharth Doshi <sdoshi@mvista.com>

OpenSSL 3.0.8 fixes 1 HIGH level security vulnerability and 7 MODERATE level security vulnerability [1].

Upgrade the recipe to point to 3.0.8.

CVE-2022-3996 is reported fixed in 3.0.8, so drop the patch for that as
well.

[1] https://www.openssl.org/news/vulnerabilities.html

CVEs Fixed:
https://www.openssl.org/news/secadv/20230207.txt

Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
---
 .../openssl/openssl/CVE-2022-3996.patch       | 43 -------------------
 .../{openssl_3.0.7.bb => openssl_3.0.8.bb}    |  2 +-
 2 files changed, 1 insertion(+), 44 deletions(-)
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2022-3996.patch
 rename meta/recipes-connectivity/openssl/{openssl_3.0.7.bb => openssl_3.0.8.bb} (99%)

Hello Steve, Siddharth,

are you waiting for PATCHv3 with commit summary update requested in
corresponding langdale review:
https://patchwork.yoctoproject.org/project/oe-core/patch/20230209143708.20705-1-sdoshi@mvista.com/
?

or is something else blocking this upgrade?

I'm a bit surprised that this high security issue wasn't yet merged even in
oe-core/master-next and I don't see it in
oe-core-contrib/stable/kirkstone-nut nor
oe-core-contrib/stable/langdale-nut.

Siddharth are you going to send v3 of all 3 (or should I send them)?
https://patchwork.yoctoproject.org/project/oe-core/list/?series=&submitter=&state=&q=3.0.8&archive=&delegate=
if that's all what is needed to get this merged?

Regards,

On Thu, Feb 9, 2023 at 9:00 AM mv <sdoshi@mvista.com> wrote:

> From: Siddharth Doshi <sdoshi@mvista.com>
>
> OpenSSL 3.0.8 fixes 1 HIGH level security vulnerability and 7 MODERATE
> level security vulnerability [1].
>
> Upgrade the recipe to point to 3.0.8.
>
> CVE-2022-3996 is reported fixed in 3.0.8, so drop the patch for that as
> well.
>
> [1] https://www.openssl.org/news/vulnerabilities.html
>
> CVEs Fixed:
> https://www.openssl.org/news/secadv/20230207.txt
>
> Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
> ---
>  .../openssl/openssl/CVE-2022-3996.patch       | 43 -------------------
>  .../{openssl_3.0.7.bb => openssl_3.0.8.bb}    |  2 +-
>  2 files changed, 1 insertion(+), 44 deletions(-)
>  delete mode 100644
> meta/recipes-connectivity/openssl/openssl/CVE-2022-3996.patch
>  rename meta/recipes-connectivity/openssl/{openssl_3.0.7.bb =>
> openssl_3.0.8.bb} (99%)
>
> diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2022-3996.patch
> b/meta/recipes-connectivity/openssl/openssl/CVE-2022-3996.patch
> deleted file mode 100644
> index 6d70b323d1..0000000000
> --- a/meta/recipes-connectivity/openssl/openssl/CVE-2022-3996.patch
> +++ /dev/null
> @@ -1,43 +0,0 @@
> -From 7725e7bfe6f2ce8146b6552b44e0d226be7638e7 Mon Sep 17 00:00:00 2001
> -From: Pauli <pauli@openssl.org>
> -Date: Fri, 11 Nov 2022 09:40:19 +1100
> -Subject: [PATCH] x509: fix double locking problem
> -
> -This reverts commit 9aa4be691f5c73eb3c68606d824c104550c053f7 and removed
> the
> -redundant flag setting.
> -
> -Fixes #19643
> -
> -Fixes LOW CVE-2022-3996
> -
> -Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
> -Reviewed-by: Tomas Mraz <tomas@openssl.org>
> -(Merged from https://github.com/openssl/openssl/pull/19652)
> -
> -(cherry picked from commit 4d0340a6d2f327700a059f0b8f954d6160f8eef5)
> -
> -Upstream-Status: Backport [
> https://github.com/openssl/openssl/commit/7725e7bfe6f2ce8146b6552b44e0d226be7638e7
> ]
> -CVE: CVE-2022-3996
> -Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
> ----
> - crypto/x509/pcy_map.c | 4 ----
> - 1 file changed, 4 deletions(-)
> -
> -diff --git a/crypto/x509/pcy_map.c b/crypto/x509/pcy_map.c
> -index 05406c6493..60dfd1e320 100644
> ---- a/crypto/x509/pcy_map.c
> -+++ b/crypto/x509/pcy_map.c
> -@@ -73,10 +73,6 @@ int ossl_policy_cache_set_mapping(X509 *x,
> POLICY_MAPPINGS *maps)
> -
> -     ret = 1;
> -  bad_mapping:
> --    if (ret == -1 && CRYPTO_THREAD_write_lock(x->lock)) {
> --        x->ex_flags |= EXFLAG_INVALID_POLICY;
> --        CRYPTO_THREAD_unlock(x->lock);
> --    }
> -     sk_POLICY_MAPPING_pop_free(maps, POLICY_MAPPING_free);
> -     return ret;
> -
> ---
> -2.30.2
> -
> diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.7.bb
> b/meta/recipes-connectivity/openssl/openssl_3.0.8.bb
> similarity index 99%
> rename from meta/recipes-connectivity/openssl/openssl_3.0.7.bb
> rename to meta/recipes-connectivity/openssl/openssl_3.0.8.bb
> index 1842148592..c80df7b2ae 100644
> --- a/meta/recipes-connectivity/openssl/openssl_3.0.7.bb
> +++ b/meta/recipes-connectivity/openssl/openssl_3.0.8.bb
> @@ -19,7 +19,7 @@ SRC_URI:append:class-nativesdk = " \
>             file://environment.d-openssl.sh \
>             "
>
> -SRC_URI[sha256sum] =
> "83049d042a260e696f62406ac5c08bf706fd84383f945cf21bd61e9ed95c396e"
> +SRC_URI[sha256sum] =
> "6c13d2bf38fdf31eac3ce2a347073673f5d63263398f1f69d0df4a41253e4b3e"
>
>  inherit lib_package multilib_header multilib_script ptest perlnative
>  MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
> --
> 2.25.1
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#176918):
> https://lists.openembedded.org/g/openembedded-core/message/176918
> Mute This Topic: https://lists.openembedded.org/mt/96849077/3617156
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [
> Martin.Jansa@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
>

On Sun, Feb 19, 2023 at 2:36 AM Martin Jansa <martin.jansa@gmail.com> wrote:
>
> Hello Steve, Siddharth,
>
> are you waiting for PATCHv3 with commit summary update requested in corresponding langdale review:
> https://patchwork.yoctoproject.org/project/oe-core/patch/20230209143708.20705-1-sdoshi@mvista.com/?
>
> or is something else blocking this upgrade?
>
> I'm a bit surprised that this high security issue wasn't yet merged even in oe-core/master-next and I don't see it in oe-core-contrib/stable/kirkstone-nut nor oe-core-contrib/stable/langdale-nut.

If a patch is intended for multiple branches I typically wait until
master has merged the patch before taking it into the other branches.

So that is why it isn't yet in langdale/kirkstone.

Steve

> Siddharth are you going to send v3 of all 3 (or should I send them)?
> https://patchwork.yoctoproject.org/project/oe-core/list/?series=&submitter=&state=&q=3.0.8&archive=&delegate=
> if that's all what is needed to get this merged?
>
> Regards,
>
> On Thu, Feb 9, 2023 at 9:00 AM mv <sdoshi@mvista.com> wrote:
>>
>> From: Siddharth Doshi <sdoshi@mvista.com>
>>
>> OpenSSL 3.0.8 fixes 1 HIGH level security vulnerability and 7 MODERATE level security vulnerability [1].
>>
>> Upgrade the recipe to point to 3.0.8.
>>
>> CVE-2022-3996 is reported fixed in 3.0.8, so drop the patch for that as
>> well.
>>
>> [1] https://www.openssl.org/news/vulnerabilities.html
>>
>> CVEs Fixed:
>> https://www.openssl.org/news/secadv/20230207.txt
>>
>> Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
>> ---
>>  .../openssl/openssl/CVE-2022-3996.patch       | 43 -------------------
>>  .../{openssl_3.0.7.bb => openssl_3.0.8.bb}    |  2 +-
>>  2 files changed, 1 insertion(+), 44 deletions(-)
>>  delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2022-3996.patch
>>  rename meta/recipes-connectivity/openssl/{openssl_3.0.7.bb => openssl_3.0.8.bb} (99%)
>>
>> diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2022-3996.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2022-3996.patch
>> deleted file mode 100644
>> index 6d70b323d1..0000000000
>> --- a/meta/recipes-connectivity/openssl/openssl/CVE-2022-3996.patch
>> +++ /dev/null
>> @@ -1,43 +0,0 @@
>> -From 7725e7bfe6f2ce8146b6552b44e0d226be7638e7 Mon Sep 17 00:00:00 2001
>> -From: Pauli <pauli@openssl.org>
>> -Date: Fri, 11 Nov 2022 09:40:19 +1100
>> -Subject: [PATCH] x509: fix double locking problem
>> -
>> -This reverts commit 9aa4be691f5c73eb3c68606d824c104550c053f7 and removed the
>> -redundant flag setting.
>> -
>> -Fixes #19643
>> -
>> -Fixes LOW CVE-2022-3996
>> -
>> -Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
>> -Reviewed-by: Tomas Mraz <tomas@openssl.org>
>> -(Merged from https://github.com/openssl/openssl/pull/19652)
>> -
>> -(cherry picked from commit 4d0340a6d2f327700a059f0b8f954d6160f8eef5)
>> -
>> -Upstream-Status: Backport [https://github.com/openssl/openssl/commit/7725e7bfe6f2ce8146b6552b44e0d226be7638e7]
>> -CVE: CVE-2022-3996
>> -Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
>> ----
>> - crypto/x509/pcy_map.c | 4 ----
>> - 1 file changed, 4 deletions(-)
>> -
>> -diff --git a/crypto/x509/pcy_map.c b/crypto/x509/pcy_map.c
>> -index 05406c6493..60dfd1e320 100644
>> ---- a/crypto/x509/pcy_map.c
>> -+++ b/crypto/x509/pcy_map.c
>> -@@ -73,10 +73,6 @@ int ossl_policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
>> -
>> -     ret = 1;
>> -  bad_mapping:
>> --    if (ret == -1 && CRYPTO_THREAD_write_lock(x->lock)) {
>> --        x->ex_flags |= EXFLAG_INVALID_POLICY;
>> --        CRYPTO_THREAD_unlock(x->lock);
>> --    }
>> -     sk_POLICY_MAPPING_pop_free(maps, POLICY_MAPPING_free);
>> -     return ret;
>> -
>> ---
>> -2.30.2
>> -
>> diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.7.bb b/meta/recipes-connectivity/openssl/openssl_3.0.8.bb
>> similarity index 99%
>> rename from meta/recipes-connectivity/openssl/openssl_3.0.7.bb
>> rename to meta/recipes-connectivity/openssl/openssl_3.0.8.bb
>> index 1842148592..c80df7b2ae 100644
>> --- a/meta/recipes-connectivity/openssl/openssl_3.0.7.bb
>> +++ b/meta/recipes-connectivity/openssl/openssl_3.0.8.bb
>> @@ -19,7 +19,7 @@ SRC_URI:append:class-nativesdk = " \
>>             file://environment.d-openssl.sh \
>>             "
>>
>> -SRC_URI[sha256sum] = "83049d042a260e696f62406ac5c08bf706fd84383f945cf21bd61e9ed95c396e"
>> +SRC_URI[sha256sum] = "6c13d2bf38fdf31eac3ce2a347073673f5d63263398f1f69d0df4a41253e4b3e"
>>
>>  inherit lib_package multilib_header multilib_script ptest perlnative
>>  MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
>> --
>> 2.25.1
>>
>>
>> -=-=-=-=-=-=-=-=-=-=-=-
>> Links: You receive all messages sent to this group.
>> View/Reply Online (#176918): https://lists.openembedded.org/g/openembedded-core/message/176918
>> Mute This Topic: https://lists.openembedded.org/mt/96849077/3617156
>> Group Owner: openembedded-core+owner@lists.openembedded.org
>> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [Martin.Jansa@gmail.com]
>> -=-=-=-=-=-=-=-=-=-=-=-
>>

On Sun, Feb 19, 2023 at 3:13 PM Steve Sakoman <steve@sakoman.com> wrote:

> On Sun, Feb 19, 2023 at 2:36 AM Martin Jansa <martin.jansa@gmail.com>
> wrote:
> >
> > Hello Steve, Siddharth,
> >
> > are you waiting for PATCHv3 with commit summary update requested in
> corresponding langdale review:
> >
> https://patchwork.yoctoproject.org/project/oe-core/patch/20230209143708.20705-1-sdoshi@mvista.com/
> ?
> >
> > or is something else blocking this upgrade?
> >
> > I'm a bit surprised that this high security issue wasn't yet merged even
> in oe-core/master-next and I don't see it in
> oe-core-contrib/stable/kirkstone-nut nor
> oe-core-contrib/stable/langdale-nut.
>
> If a patch is intended for multiple branches I typically wait until
> master has merged the patch before taking it into the other branches.
>
> So that is why it isn't yet in langdale/kirkstone.
>

Thanks Steve!

So I guess it's now question for Alexandre or RP as it isn't in:
https://git.openembedded.org/openembedded-core-contrib/log/?h=abelloni/master-next
https://git.openembedded.org/openembedded-core/log/?h=master-next

FWIW: I've this commit included with the updated commit message my builds
for master, langdale, kirkstone since it was sent to ML (e.g.
https://git.openembedded.org/openembedded-core-contrib/commit/?h=jansa/kirkstone&id=e761db1cdef7fe62503b899a7762a8eb030e566f
) and haven't seen any issues related to it.

Cheers,

On 19/02/2023 16:05:11+0100, Martin Jansa wrote:
> On Sun, Feb 19, 2023 at 3:13 PM Steve Sakoman <steve@sakoman.com> wrote:
> 
> > On Sun, Feb 19, 2023 at 2:36 AM Martin Jansa <martin.jansa@gmail.com>
> > wrote:
> > >
> > > Hello Steve, Siddharth,
> > >
> > > are you waiting for PATCHv3 with commit summary update requested in
> > corresponding langdale review:
> > >
> > https://patchwork.yoctoproject.org/project/oe-core/patch/20230209143708.20705-1-sdoshi@mvista.com/
> > ?
> > >
> > > or is something else blocking this upgrade?
> > >
> > > I'm a bit surprised that this high security issue wasn't yet merged even
> > in oe-core/master-next and I don't see it in
> > oe-core-contrib/stable/kirkstone-nut nor
> > oe-core-contrib/stable/langdale-nut.
> >
> > If a patch is intended for multiple branches I typically wait until
> > master has merged the patch before taking it into the other branches.
> >
> > So that is why it isn't yet in langdale/kirkstone.
> >
> 
> Thanks Steve!
> 
> So I guess it's now question for Alexandre or RP as it isn't in:
> https://git.openembedded.org/openembedded-core-contrib/log/?h=abelloni/master-next
> https://git.openembedded.org/openembedded-core/log/?h=master-next

Changes were requested on all the versions of the patches that were sent
so I guess we are waiting for v3