[kirkstone,04/31] openssl: Upgrade 3.0.5 -> 3.0.7

Message ID	4d18efb1dc0b0c959383028827a1cb14c6355ed1.1667530733.git.steve@sakoman.com
State	Accepted, archived
Commit	78220bd59d98c1713336baf06b4babc6390a07c4
Headers	show Return-Path: <steve@sakoman.com> ip: 209.85.210.169, mailfrom: steve@sakoman.com) From: Steve Sakoman <steve@sakoman.com> To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 04/31] openssl: Upgrade 3.0.5 -> 3.0.7 Date: Thu, 3 Nov 2022 17:00:39 -1000 Message-Id: <4d18efb1dc0b0c959383028827a1cb14c6355ed1.1667530733.git.steve@sakoman.com> In-Reply-To: <cover.1667530733.git.steve@sakoman.com> References: <cover.1667530733.git.steve@sakoman.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[kirkstone,01/31] openssl: export necessary env vars in SDK \| expand [kirkstone,01/31] openssl: export necessary env vars in SDK [kirkstone,02/31] openssl: Fix SSL_CERT_FILE to match ca-certs location [kirkstone,03/31] openssl: CVE-2022-3358 Using a Custom Cipher with NID_undef may lead to NULL encr… [kirkstone,04/31] openssl: Upgrade 3.0.5 -> 3.0.7 [kirkstone,05/31] lighttpd: fix CVE-2022-41556 [kirkstone,06/31] tiff: fix CVE-2022-2953 [kirkstone,07/31] expat: backport the fix for CVE-2022-43680 [kirkstone,08/31] wayland: fix CVE-2021-3782 [kirkstone,09/31] cve-update-db-native: add timeout to urlopen() calls [kirkstone,10/31] vim: Upgrade 9.0.0598 -> 9.0.0614 [kirkstone,11/31] vim: upgrade 9.0.0614 -> 9.0.0820 [kirkstone,12/31] ifupdown: upgrade 0.8.37 -> 0.8.39 [kirkstone,13/31] scripts/oe-check-sstate: cleanup [kirkstone,14/31] scripts/oe-check-sstate: force build to run for all targets, specifically populat… [kirkstone,15/31] psplash: add psplash-default in rdepends [kirkstone,16/31] opkg-utils: use a git clone, not a dynamic snapshot [kirkstone,17/31] insane.bbclass: Allow hashlib version that only accepts on parameter [kirkstone,18/31] oe/packagemanager/rpm: don't leak file objects [kirkstone,19/31] u-boot: Remove duplicate inherit of cml1 [kirkstone,20/31] bluez5: add dbus to RDEPENDS [kirkstone,21/31] glib-2.0: fix rare GFileInfo test case failure [kirkstone,22/31] gnutls: Unified package names to lower-case [kirkstone,23/31] meson: make wrapper options sub-command specific [kirkstone,24/31] buildtools-tarball: export certificates to python and curl [kirkstone,25/31] qemu-native: Add PACKAGECONFIG option for jack [kirkstone,26/31] runqemu: Do not perturb script environment [kirkstone,27/31] runqemu: Fix gl-es argument from causing other arguments to be ignored [kirkstone,28/31] overlayfs: Allow not used mount points [kirkstone,29/31] cmake-native: Fix host tool contamination (Bug: 14951) [kirkstone,30/31] ltp: backport clock_gettime04 fix from upstream [kirkstone,31/31] perf: Depend on native setuptools3

Message ID

4d18efb1dc0b0c959383028827a1cb14c6355ed1.1667530733.git.steve@sakoman.com

State

Accepted, archived

Commit

78220bd59d98c1713336baf06b4babc6390a07c4

Headers

From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 04/31] openssl: Upgrade 3.0.5 -> 3.0.7
Date: Thu,  3 Nov 2022 17:00:39 -1000
Message-Id: 
 <4d18efb1dc0b0c959383028827a1cb14c6355ed1.1667530733.git.steve@sakoman.com>
In-Reply-To: <cover.1667530733.git.steve@sakoman.com>
References: <cover.1667530733.git.steve@sakoman.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[kirkstone,01/31] openssl: export necessary env vars in SDK | expand

Commit Message

Steve Sakoman Nov. 4, 2022, 3 a.m. UTC

From: Ed Tanous <edtanous@google.com>

OpenSSL 3.0.5 includes a HIGH level security vulnerability [1].

Upgrade the recipe to point to 3.0.7.

CVE-2022-3358 is reported fixed in 3.0.6, so drop the patch for that as
well.

[1] https://www.openssl.org/news/vulnerabilities.html

Fixes CVE-2022-3786 and CVE-2022-3602: X.509 Email Address Buffer Overflows
https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/

Signed-off-by: Ed Tanous <edtanous@google.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit a69ea1f7db96ec8b853573bd581438edd42ad6e0)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../openssl/openssl/CVE-2022-3358.patch       | 55 -------------------
 .../{openssl_3.0.5.bb => openssl_3.0.7.bb}    |  3 +-
 2 files changed, 1 insertion(+), 57 deletions(-)
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2022-3358.patch
 rename meta/recipes-connectivity/openssl/{openssl_3.0.5.bb => openssl_3.0.7.bb} (98%)

diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2022-3358.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2022-3358.patch
deleted file mode 100644
index 18b2a5a6b2..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2022-3358.patch
+++ /dev/null
@@ -1,55 +0,0 @@ 
-From 56e1d693f0ec5550a8e3dd52d30e57a02f0287af Mon Sep 17 00:00:00 2001
-From: Hitendra Prajapati <hprajapati@mvista.com>
-Date: Wed, 19 Oct 2022 11:08:23 +0530
-Subject: [PATCH] CVE-2022-3358
-
-Upstream-Status: Backport [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5485c56679d7c49b96e8fc8ca708b0b7e7c03c4b]
-CVE : CVE-2022-3358
-Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
----
- crypto/evp/digest.c  | 4 +++-
- crypto/evp/evp_enc.c | 6 ++++--
- 2 files changed, 7 insertions(+), 3 deletions(-)
-
-diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
-index de9a1dc..e6e03ea 100644
---- a/crypto/evp/digest.c
-+++ b/crypto/evp/digest.c
-@@ -225,7 +225,9 @@ static int evp_md_init_internal(EVP_MD_CTX *ctx, const EVP_MD *type,
-             || tmpimpl != NULL
- #endif
-             || (ctx->flags & EVP_MD_CTX_FLAG_NO_INIT) != 0
--            || type->origin == EVP_ORIG_METH) {
-+            || (type != NULL && type->origin == EVP_ORIG_METH)
-+            || (type == NULL && ctx->digest != NULL
-+                             && ctx->digest->origin == EVP_ORIG_METH)) {
-         if (ctx->digest == ctx->fetched_digest)
-             ctx->digest = NULL;
-         EVP_MD_free(ctx->fetched_digest);
-diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
-index 19a07de..5df08bd 100644
---- a/crypto/evp/evp_enc.c
-+++ b/crypto/evp/evp_enc.c
-@@ -131,7 +131,10 @@ static int evp_cipher_init_internal(EVP_CIPHER_CTX *ctx,
- #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
-             || tmpimpl != NULL
- #endif
--            || impl != NULL) {
-+            || impl != NULL
-+            || (cipher != NULL && cipher->origin == EVP_ORIG_METH)
-+            || (cipher == NULL && ctx->cipher != NULL
-+                               && ctx->cipher->origin == EVP_ORIG_METH)) {
-         if (ctx->cipher == ctx->fetched_cipher)
-             ctx->cipher = NULL;
-         EVP_CIPHER_free(ctx->fetched_cipher);
-@@ -147,7 +150,6 @@ static int evp_cipher_init_internal(EVP_CIPHER_CTX *ctx,
-         ctx->cipher_data = NULL;
-     }
- 
--
-     /* Start of non-legacy code below */
- 
-     /* Ensure a context left lying around from last time is cleared */
--- 
-2.25.1
-
diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.5.bb b/meta/recipes-connectivity/openssl/openssl_3.0.7.bb
similarity index 98%
rename from meta/recipes-connectivity/openssl/openssl_3.0.5.bb
rename to meta/recipes-connectivity/openssl/openssl_3.0.7.bb
index ee051ee7d4..9ed5f11df0 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.0.5.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.0.7.bb
@@ -12,14 +12,13 @@  SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
            file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
            file://afalg.patch \
            file://0001-Configure-do-not-tweak-mips-cflags.patch \
-           file://CVE-2022-3358.patch \
            "
 
 SRC_URI:append:class-nativesdk = " \
            file://environment.d-openssl.sh \
            "
 
-SRC_URI[sha256sum] = "aa7d8d9bef71ad6525c55ba11e5f4397889ce49c2c9349dcea6d3e4f0b024a7a"
+SRC_URI[sha256sum] = "83049d042a260e696f62406ac5c08bf706fd84383f945cf21bd61e9ed95c396e"
 
 inherit lib_package multilib_header multilib_script ptest perlnative
 MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"

[kirkstone,04/31] openssl: Upgrade 3.0.5 -> 3.0.7

Commit Message

Patch