Message ID | 20221020041808.8356-1-hprajapati@mvista.com |
---|---|
State | New, archived |
Headers | show |
Series | [master,langdale,kirkstone] openssl: CVE-2022-3358 Using a Custom Cipher with NID_undef may lead to NULL encryption | expand |
To make patches easier to understand in the future, please include in CVE-2022-3358.patch the full commit message from the commit. If, in a month, I want to see what this CVE patch does I need to follow links (but you did include them in the backport statement, which is appreciated!) If it was in the file then I wouldn’t have to. Ross > On 20 Oct 2022, at 05:18, Hitendra Prajapati via lists.openembedded.org <hprajapati=mvista.com@lists.openembedded.org> wrote: > > Upstream-Status: Backport from https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5485c56679d7c49b96e8fc8ca708b0b7e7c03c4b] > Description: > CVE-2022-3358 openssl: Using a Custom Cipher with NID_undef may lead to NULL encryption. > Affects "openssl < 3.0.6" > > Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> > --- > .../openssl/openssl/CVE-2022-3358.patch | 55 +++++++++++++++++++ > .../openssl/openssl_3.0.5.bb | 1 + > 2 files changed, 56 insertions(+) > create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2022-3358.patch > > diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2022-3358.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2022-3358.patch > new file mode 100644 > index 0000000000..18b2a5a6b2 > --- /dev/null > +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2022-3358.patch > @@ -0,0 +1,55 @@ > +From 56e1d693f0ec5550a8e3dd52d30e57a02f0287af Mon Sep 17 00:00:00 2001 > +From: Hitendra Prajapati <hprajapati@mvista.com> > +Date: Wed, 19 Oct 2022 11:08:23 +0530 > +Subject: [PATCH] CVE-2022-3358 > + > +Upstream-Status: Backport [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5485c56679d7c49b96e8fc8ca708b0b7e7c03c4b] > +CVE : CVE-2022-3358 > +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> > +--- > + crypto/evp/digest.c | 4 +++- > + crypto/evp/evp_enc.c | 6 ++++-- > + 2 files changed, 7 insertions(+), 3 deletions(-) > + > +diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c > +index de9a1dc..e6e03ea 100644 > +--- a/crypto/evp/digest.c > ++++ b/crypto/evp/digest.c > +@@ -225,7 +225,9 @@ static int evp_md_init_internal(EVP_MD_CTX *ctx, const EVP_MD *type, > + || tmpimpl != NULL > + #endif > + || (ctx->flags & EVP_MD_CTX_FLAG_NO_INIT) != 0 > +- || type->origin == EVP_ORIG_METH) { > ++ || (type != NULL && type->origin == EVP_ORIG_METH) > ++ || (type == NULL && ctx->digest != NULL > ++ && ctx->digest->origin == EVP_ORIG_METH)) { > + if (ctx->digest == ctx->fetched_digest) > + ctx->digest = NULL; > + EVP_MD_free(ctx->fetched_digest); > +diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c > +index 19a07de..5df08bd 100644 > +--- a/crypto/evp/evp_enc.c > ++++ b/crypto/evp/evp_enc.c > +@@ -131,7 +131,10 @@ static int evp_cipher_init_internal(EVP_CIPHER_CTX *ctx, > + #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE) > + || tmpimpl != NULL > + #endif > +- || impl != NULL) { > ++ || impl != NULL > ++ || (cipher != NULL && cipher->origin == EVP_ORIG_METH) > ++ || (cipher == NULL && ctx->cipher != NULL > ++ && ctx->cipher->origin == EVP_ORIG_METH)) { > + if (ctx->cipher == ctx->fetched_cipher) > + ctx->cipher = NULL; > + EVP_CIPHER_free(ctx->fetched_cipher); > +@@ -147,7 +150,6 @@ static int evp_cipher_init_internal(EVP_CIPHER_CTX *ctx, > + ctx->cipher_data = NULL; > + } > + > +- > + /* Start of non-legacy code below */ > + > + /* Ensure a context left lying around from last time is cleared */ > +-- > +2.25.1 > + > diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.5.bb b/meta/recipes-connectivity/openssl/openssl_3.0.5.bb > index e50ff7f8c5..ee051ee7d4 100644 > --- a/meta/recipes-connectivity/openssl/openssl_3.0.5.bb > +++ b/meta/recipes-connectivity/openssl/openssl_3.0.5.bb > @@ -12,6 +12,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ > file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \ > file://afalg.patch \ > file://0001-Configure-do-not-tweak-mips-cflags.patch \ > + file://CVE-2022-3358.patch \ > " > > SRC_URI:append:class-nativesdk = " \ > -- > 2.25.1 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#171988): https://lists.openembedded.org/g/openembedded-core/message/171988 > Mute This Topic: https://lists.openembedded.org/mt/94447529/6875888 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [ross.burton@arm.com] > -=-=-=-=-=-=-=-=-=-=-=- >
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2022-3358.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2022-3358.patch new file mode 100644 index 0000000000..18b2a5a6b2 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2022-3358.patch @@ -0,0 +1,55 @@ +From 56e1d693f0ec5550a8e3dd52d30e57a02f0287af Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati <hprajapati@mvista.com> +Date: Wed, 19 Oct 2022 11:08:23 +0530 +Subject: [PATCH] CVE-2022-3358 + +Upstream-Status: Backport [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5485c56679d7c49b96e8fc8ca708b0b7e7c03c4b] +CVE : CVE-2022-3358 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + crypto/evp/digest.c | 4 +++- + crypto/evp/evp_enc.c | 6 ++++-- + 2 files changed, 7 insertions(+), 3 deletions(-) + +diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c +index de9a1dc..e6e03ea 100644 +--- a/crypto/evp/digest.c ++++ b/crypto/evp/digest.c +@@ -225,7 +225,9 @@ static int evp_md_init_internal(EVP_MD_CTX *ctx, const EVP_MD *type, + || tmpimpl != NULL + #endif + || (ctx->flags & EVP_MD_CTX_FLAG_NO_INIT) != 0 +- || type->origin == EVP_ORIG_METH) { ++ || (type != NULL && type->origin == EVP_ORIG_METH) ++ || (type == NULL && ctx->digest != NULL ++ && ctx->digest->origin == EVP_ORIG_METH)) { + if (ctx->digest == ctx->fetched_digest) + ctx->digest = NULL; + EVP_MD_free(ctx->fetched_digest); +diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c +index 19a07de..5df08bd 100644 +--- a/crypto/evp/evp_enc.c ++++ b/crypto/evp/evp_enc.c +@@ -131,7 +131,10 @@ static int evp_cipher_init_internal(EVP_CIPHER_CTX *ctx, + #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE) + || tmpimpl != NULL + #endif +- || impl != NULL) { ++ || impl != NULL ++ || (cipher != NULL && cipher->origin == EVP_ORIG_METH) ++ || (cipher == NULL && ctx->cipher != NULL ++ && ctx->cipher->origin == EVP_ORIG_METH)) { + if (ctx->cipher == ctx->fetched_cipher) + ctx->cipher = NULL; + EVP_CIPHER_free(ctx->fetched_cipher); +@@ -147,7 +150,6 @@ static int evp_cipher_init_internal(EVP_CIPHER_CTX *ctx, + ctx->cipher_data = NULL; + } + +- + /* Start of non-legacy code below */ + + /* Ensure a context left lying around from last time is cleared */ +-- +2.25.1 + diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.5.bb b/meta/recipes-connectivity/openssl/openssl_3.0.5.bb index e50ff7f8c5..ee051ee7d4 100644 --- a/meta/recipes-connectivity/openssl/openssl_3.0.5.bb +++ b/meta/recipes-connectivity/openssl/openssl_3.0.5.bb @@ -12,6 +12,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \ file://afalg.patch \ file://0001-Configure-do-not-tweak-mips-cflags.patch \ + file://CVE-2022-3358.patch \ " SRC_URI:append:class-nativesdk = " \
Upstream-Status: Backport from https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5485c56679d7c49b96e8fc8ca708b0b7e7c03c4b] Description: CVE-2022-3358 openssl: Using a Custom Cipher with NID_undef may lead to NULL encryption. Affects "openssl < 3.0.6" Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> --- .../openssl/openssl/CVE-2022-3358.patch | 55 +++++++++++++++++++ .../openssl/openssl_3.0.5.bb | 1 + 2 files changed, 56 insertions(+) create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2022-3358.patch