Message ID | c28dc71f17133f6e4470fc0c1a552c743869b3ad.1667356805.git.steve@sakoman.com |
---|---|
State | New |
Headers | show |
Series | [langdale,01/20] openssl: CVE-2022-3358 Using a Custom Cipher with NID_undef may lead to NULL encryption | expand |
On Tue, Nov 01, 2022 at 04:41:51PM -1000, Steve Sakoman wrote: > From: Hitendra Prajapati <hprajapati@mvista.com> > > Upstream-Status: Backport from https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5485c56679d7c49b96e8fc8ca708b0b7e7c03c4b] > Description: > CVE-2022-3358 openssl: Using a Custom Cipher with NID_undef may lead to NULL encryption. > Affects "openssl < 3.0.6" > > Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> > Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> > (cherry picked from commit f98b2273c6f03f8f6029a7a409600ce290817e27) > Signed-off-by: Steve Sakoman <steve@sakoman.com> Instead of picking up this patch, wouldn't it make a lot more sense to go to 3.0.7 like we did with [1]? Since 3.0.7 contains a HIGH severity CVE fix as well as the one mentioned here, it seems like we should get that backported to both Langdale and Kirkstone quickly. 1. https://lore.kernel.org/openembedded-core/20221101170310.2740317-1-edtanous@google.com/
On Thu, Nov 3, 2022 at 5:54 AM Patrick Williams <patrick@stwcx.xyz> wrote: > > On Tue, Nov 01, 2022 at 04:41:51PM -1000, Steve Sakoman wrote: > > From: Hitendra Prajapati <hprajapati@mvista.com> > > > > Upstream-Status: Backport from https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5485c56679d7c49b96e8fc8ca708b0b7e7c03c4b] > > Description: > > CVE-2022-3358 openssl: Using a Custom Cipher with NID_undef may lead to NULL encryption. > > Affects "openssl < 3.0.6" > > > > Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> > > Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> > > (cherry picked from commit f98b2273c6f03f8f6029a7a409600ce290817e27) > > Signed-off-by: Steve Sakoman <steve@sakoman.com> > > Instead of picking up this patch, wouldn't it make a lot more sense to > go to 3.0.7 like we did with [1]? Since 3.0.7 contains a HIGH severity > CVE fix as well as the one mentioned here, it seems like we should get > that backported to both Langdale and Kirkstone quickly. This patchset was tested and sent out for review prior to the 3.0.7 upgrade hitting master. Note that I have the 3.0.7 upgrade in the patches currently under test for both langdale and kirkstone: https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/langdale-nut https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut If the langdale test succeeds I will include the 3.0.7 upgrade patch in the pull request for the above series (hopefully later today) Steve > 1. https://lore.kernel.org/openembedded-core/20221101170310.2740317-1-edtanous@google.com/ > > -- > Patrick Williams
On Thu, Nov 03, 2022 at 06:28:04AM -1000, Steve Sakoman wrote: > On Thu, Nov 3, 2022 at 5:54 AM Patrick Williams <patrick@stwcx.xyz> wrote: > > Instead of picking up this patch, wouldn't it make a lot more sense to > > go to 3.0.7 like we did with [1]? Since 3.0.7 contains a HIGH severity > > CVE fix as well as the one mentioned here, it seems like we should get > > that backported to both Langdale and Kirkstone quickly. > > This patchset was tested and sent out for review prior to the 3.0.7 > upgrade hitting master. Understood. > Note that I have the 3.0.7 upgrade in the patches currently under test > for both langdale and kirkstone: > > https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/langdale-nut > https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut > > If the langdale test succeeds I will include the 3.0.7 upgrade patch > in the pull request for the above series (hopefully later today) Great. Thank you.
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2022-3358.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2022-3358.patch new file mode 100644 index 0000000000..18b2a5a6b2 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2022-3358.patch @@ -0,0 +1,55 @@ +From 56e1d693f0ec5550a8e3dd52d30e57a02f0287af Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati <hprajapati@mvista.com> +Date: Wed, 19 Oct 2022 11:08:23 +0530 +Subject: [PATCH] CVE-2022-3358 + +Upstream-Status: Backport [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5485c56679d7c49b96e8fc8ca708b0b7e7c03c4b] +CVE : CVE-2022-3358 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + crypto/evp/digest.c | 4 +++- + crypto/evp/evp_enc.c | 6 ++++-- + 2 files changed, 7 insertions(+), 3 deletions(-) + +diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c +index de9a1dc..e6e03ea 100644 +--- a/crypto/evp/digest.c ++++ b/crypto/evp/digest.c +@@ -225,7 +225,9 @@ static int evp_md_init_internal(EVP_MD_CTX *ctx, const EVP_MD *type, + || tmpimpl != NULL + #endif + || (ctx->flags & EVP_MD_CTX_FLAG_NO_INIT) != 0 +- || type->origin == EVP_ORIG_METH) { ++ || (type != NULL && type->origin == EVP_ORIG_METH) ++ || (type == NULL && ctx->digest != NULL ++ && ctx->digest->origin == EVP_ORIG_METH)) { + if (ctx->digest == ctx->fetched_digest) + ctx->digest = NULL; + EVP_MD_free(ctx->fetched_digest); +diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c +index 19a07de..5df08bd 100644 +--- a/crypto/evp/evp_enc.c ++++ b/crypto/evp/evp_enc.c +@@ -131,7 +131,10 @@ static int evp_cipher_init_internal(EVP_CIPHER_CTX *ctx, + #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE) + || tmpimpl != NULL + #endif +- || impl != NULL) { ++ || impl != NULL ++ || (cipher != NULL && cipher->origin == EVP_ORIG_METH) ++ || (cipher == NULL && ctx->cipher != NULL ++ && ctx->cipher->origin == EVP_ORIG_METH)) { + if (ctx->cipher == ctx->fetched_cipher) + ctx->cipher = NULL; + EVP_CIPHER_free(ctx->fetched_cipher); +@@ -147,7 +150,6 @@ static int evp_cipher_init_internal(EVP_CIPHER_CTX *ctx, + ctx->cipher_data = NULL; + } + +- + /* Start of non-legacy code below */ + + /* Ensure a context left lying around from last time is cleared */ +-- +2.25.1 + diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.5.bb b/meta/recipes-connectivity/openssl/openssl_3.0.5.bb index 04aff04fab..175692436d 100644 --- a/meta/recipes-connectivity/openssl/openssl_3.0.5.bb +++ b/meta/recipes-connectivity/openssl/openssl_3.0.5.bb @@ -12,6 +12,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \ file://afalg.patch \ file://0001-Configure-do-not-tweak-mips-cflags.patch \ + file://CVE-2022-3358.patch \ " SRC_URI:append:class-nativesdk = " \