Message ID | 20221101170310.2740317-1-edtanous@google.com |
---|---|
State | New |
Headers | show |
Series | Upgrade OpenSSL 3.0.5 -> 3.0.7 | expand |
The commit message should reference the two new CVEs as well: CVE-2022-3786 and CVE-2022-3602: X.509 Email Address Buffer Overflows https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/ On Tue, Nov 1, 2022 at 10:03 AM edtanous via lists.openembedded.org <edtanous=google.com@lists.openembedded.org> wrote: > From: Ed Tanous <edtanous@google.com> > > OpenSSL 3.0.5 includes a HIGH level security vulnerability [1]. > > Upgrade the recipe to point to 3.0.7. > > CVE-2022-3358 is reported fixed in 3.0.6, so drop the patch for that as > well. > > [1] https://www.openssl.org/news/vulnerabilities.html > > Signed-off-by: Ed Tanous <edtanous@google.com> > --- > .../openssl/openssl/CVE-2022-3358.patch | 55 ------------------- > .../{openssl_3.0.5.bb => openssl_3.0.7.bb} | 3 +- > 2 files changed, 1 insertion(+), 57 deletions(-) > delete mode 100644 > meta/recipes-connectivity/openssl/openssl/CVE-2022-3358.patch > rename meta/recipes-connectivity/openssl/{openssl_3.0.5.bb => > openssl_3.0.7.bb} (98%) > > diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2022-3358.patch > b/meta/recipes-connectivity/openssl/openssl/CVE-2022-3358.patch > deleted file mode 100644 > index 18b2a5a6b2..0000000000 > --- a/meta/recipes-connectivity/openssl/openssl/CVE-2022-3358.patch > +++ /dev/null > @@ -1,55 +0,0 @@ > -From 56e1d693f0ec5550a8e3dd52d30e57a02f0287af Mon Sep 17 00:00:00 2001 > -From: Hitendra Prajapati <hprajapati@mvista.com> > -Date: Wed, 19 Oct 2022 11:08:23 +0530 > -Subject: [PATCH] CVE-2022-3358 > - > -Upstream-Status: Backport [ > https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5485c56679d7c49b96e8fc8ca708b0b7e7c03c4b > ] > -CVE : CVE-2022-3358 > -Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> > ---- > - crypto/evp/digest.c | 4 +++- > - crypto/evp/evp_enc.c | 6 ++++-- > - 2 files changed, 7 insertions(+), 3 deletions(-) > - > -diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c > -index de9a1dc..e6e03ea 100644 > ---- a/crypto/evp/digest.c > -+++ b/crypto/evp/digest.c > -@@ -225,7 +225,9 @@ static int evp_md_init_internal(EVP_MD_CTX *ctx, > const EVP_MD *type, > - || tmpimpl != NULL > - #endif > - || (ctx->flags & EVP_MD_CTX_FLAG_NO_INIT) != 0 > -- || type->origin == EVP_ORIG_METH) { > -+ || (type != NULL && type->origin == EVP_ORIG_METH) > -+ || (type == NULL && ctx->digest != NULL > -+ && ctx->digest->origin == EVP_ORIG_METH)) { > - if (ctx->digest == ctx->fetched_digest) > - ctx->digest = NULL; > - EVP_MD_free(ctx->fetched_digest); > -diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c > -index 19a07de..5df08bd 100644 > ---- a/crypto/evp/evp_enc.c > -+++ b/crypto/evp/evp_enc.c > -@@ -131,7 +131,10 @@ static int evp_cipher_init_internal(EVP_CIPHER_CTX > *ctx, > - #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE) > - || tmpimpl != NULL > - #endif > -- || impl != NULL) { > -+ || impl != NULL > -+ || (cipher != NULL && cipher->origin == EVP_ORIG_METH) > -+ || (cipher == NULL && ctx->cipher != NULL > -+ && ctx->cipher->origin == EVP_ORIG_METH)) > { > - if (ctx->cipher == ctx->fetched_cipher) > - ctx->cipher = NULL; > - EVP_CIPHER_free(ctx->fetched_cipher); > -@@ -147,7 +150,6 @@ static int evp_cipher_init_internal(EVP_CIPHER_CTX > *ctx, > - ctx->cipher_data = NULL; > - } > - > -- > - /* Start of non-legacy code below */ > - > - /* Ensure a context left lying around from last time is cleared */ > --- > -2.25.1 > - > diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.5.bb > b/meta/recipes-connectivity/openssl/openssl_3.0.7.bb > similarity index 98% > rename from meta/recipes-connectivity/openssl/openssl_3.0.5.bb > rename to meta/recipes-connectivity/openssl/openssl_3.0.7.bb > index 175692436d..45fd1de2fd 100644 > --- a/meta/recipes-connectivity/openssl/openssl_3.0.5.bb > +++ b/meta/recipes-connectivity/openssl/openssl_3.0.7.bb > @@ -12,14 +12,13 @@ SRC_URI = " > http://www.openssl.org/source/openssl-${PV}.tar.gz \ > > file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \ > file://afalg.patch \ > file://0001-Configure-do-not-tweak-mips-cflags.patch \ > - file://CVE-2022-3358.patch \ > " > > SRC_URI:append:class-nativesdk = " \ > file://environment.d-openssl.sh \ > " > > -SRC_URI[sha256sum] = > "aa7d8d9bef71ad6525c55ba11e5f4397889ce49c2c9349dcea6d3e4f0b024a7a" > +SRC_URI[sha256sum] = > "83049d042a260e696f62406ac5c08bf706fd84383f945cf21bd61e9ed95c396e" > > inherit lib_package multilib_header multilib_script ptest perlnative > MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" > -- > 2.38.1.273.g43a17bfeac-goog > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#172369): > https://lists.openembedded.org/g/openembedded-core/message/172369 > Mute This Topic: https://lists.openembedded.org/mt/94715257/924729 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [ > ticotimo@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- > >
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2022-3358.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2022-3358.patch deleted file mode 100644 index 18b2a5a6b2..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/CVE-2022-3358.patch +++ /dev/null @@ -1,55 +0,0 @@ -From 56e1d693f0ec5550a8e3dd52d30e57a02f0287af Mon Sep 17 00:00:00 2001 -From: Hitendra Prajapati <hprajapati@mvista.com> -Date: Wed, 19 Oct 2022 11:08:23 +0530 -Subject: [PATCH] CVE-2022-3358 - -Upstream-Status: Backport [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5485c56679d7c49b96e8fc8ca708b0b7e7c03c4b] -CVE : CVE-2022-3358 -Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> ---- - crypto/evp/digest.c | 4 +++- - crypto/evp/evp_enc.c | 6 ++++-- - 2 files changed, 7 insertions(+), 3 deletions(-) - -diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c -index de9a1dc..e6e03ea 100644 ---- a/crypto/evp/digest.c -+++ b/crypto/evp/digest.c -@@ -225,7 +225,9 @@ static int evp_md_init_internal(EVP_MD_CTX *ctx, const EVP_MD *type, - || tmpimpl != NULL - #endif - || (ctx->flags & EVP_MD_CTX_FLAG_NO_INIT) != 0 -- || type->origin == EVP_ORIG_METH) { -+ || (type != NULL && type->origin == EVP_ORIG_METH) -+ || (type == NULL && ctx->digest != NULL -+ && ctx->digest->origin == EVP_ORIG_METH)) { - if (ctx->digest == ctx->fetched_digest) - ctx->digest = NULL; - EVP_MD_free(ctx->fetched_digest); -diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c -index 19a07de..5df08bd 100644 ---- a/crypto/evp/evp_enc.c -+++ b/crypto/evp/evp_enc.c -@@ -131,7 +131,10 @@ static int evp_cipher_init_internal(EVP_CIPHER_CTX *ctx, - #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE) - || tmpimpl != NULL - #endif -- || impl != NULL) { -+ || impl != NULL -+ || (cipher != NULL && cipher->origin == EVP_ORIG_METH) -+ || (cipher == NULL && ctx->cipher != NULL -+ && ctx->cipher->origin == EVP_ORIG_METH)) { - if (ctx->cipher == ctx->fetched_cipher) - ctx->cipher = NULL; - EVP_CIPHER_free(ctx->fetched_cipher); -@@ -147,7 +150,6 @@ static int evp_cipher_init_internal(EVP_CIPHER_CTX *ctx, - ctx->cipher_data = NULL; - } - -- - /* Start of non-legacy code below */ - - /* Ensure a context left lying around from last time is cleared */ --- -2.25.1 - diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.5.bb b/meta/recipes-connectivity/openssl/openssl_3.0.7.bb similarity index 98% rename from meta/recipes-connectivity/openssl/openssl_3.0.5.bb rename to meta/recipes-connectivity/openssl/openssl_3.0.7.bb index 175692436d..45fd1de2fd 100644 --- a/meta/recipes-connectivity/openssl/openssl_3.0.5.bb +++ b/meta/recipes-connectivity/openssl/openssl_3.0.7.bb @@ -12,14 +12,13 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \ file://afalg.patch \ file://0001-Configure-do-not-tweak-mips-cflags.patch \ - file://CVE-2022-3358.patch \ " SRC_URI:append:class-nativesdk = " \ file://environment.d-openssl.sh \ " -SRC_URI[sha256sum] = "aa7d8d9bef71ad6525c55ba11e5f4397889ce49c2c9349dcea6d3e4f0b024a7a" +SRC_URI[sha256sum] = "83049d042a260e696f62406ac5c08bf706fd84383f945cf21bd61e9ed95c396e" inherit lib_package multilib_header multilib_script ptest perlnative MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"