diff mbox series

[kirkstone] curl: backport openssl fix CN check error code

Message ID 20220701161205.112341-1-jose.quaresma@foundries.io
State Accepted, archived
Commit 7a8d374a3d4bbef336be2b273afc00c93c637ae6
Headers show
Series [kirkstone] curl: backport openssl fix CN check error code | expand

Commit Message

Jose Quaresma July 1, 2022, 4:12 p.m. UTC 
Fix out of memory [1]

OpenSSL host verification + hostname in certificate CN only seems broken in 7.82.0

[1] https://github.com/curl/curl/issues/8559

Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
---
 ...0001-openssl-fix-CN-check-error-code.patch | 38 +++++++++++++++++++
 meta/recipes-support/curl/curl_7.82.0.bb      |  1 +
 2 files changed, 39 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/0001-openssl-fix-CN-check-error-code.patch

Comments

Steve Sakoman July 1, 2022, 6:27 p.m. UTC | #1 
On Fri, Jul 1, 2022 at 6:12 AM Jose Quaresma <quaresma.jose@gmail.com> wrote:
>
> Fix out of memory [1]
>
> OpenSSL host verification + hostname in certificate CN only seems broken in 7.82.0
>
> [1] https://github.com/curl/curl/issues/8559
>
> Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
> ---
>  ...0001-openssl-fix-CN-check-error-code.patch | 38 +++++++++++++++++++
>  meta/recipes-support/curl/curl_7.82.0.bb      |  1 +
>  2 files changed, 39 insertions(+)
>  create mode 100644 meta/recipes-support/curl/curl/0001-openssl-fix-CN-check-error-code.patch
>
> diff --git a/meta/recipes-support/curl/curl/0001-openssl-fix-CN-check-error-code.patch b/meta/recipes-support/curl/curl/0001-openssl-fix-CN-check-error-code.patch
> new file mode 100644
> index 0000000000..c5aa8f2d60
> --- /dev/null
> +++ b/meta/recipes-support/curl/curl/0001-openssl-fix-CN-check-error-code.patch
> @@ -0,0 +1,38 @@
> +From 0677924c6ec7e0d68964553fb760f6d407242c54 Mon Sep 17 00:00:00 2001
> +From: Daniel Stenberg <daniel@haxx.se>
> +Date: Tue, 8 Mar 2022 13:38:13 +0100
> +Subject: [PATCH] openssl: fix CN check error code
> +
> +Due to a missing 'else' this returns error too easily.
> +
> +Regressed in: d15692ebb
> +
> +Reported-by: Kristoffer Gleditsch
> +Fixes #8559
> +Closes #8560
> +
> +Upstream-Status: Backported [https://github.com/curl/curl/commit/911714d617c106ed5d553bf003e34ec94ab6a136]

Should be Backport, not Backported!  The latter will get you an error:

ERROR: curl-7.82.0-r0 do_patch: Malformed Upstream-Status in patch

No need to re-submit, I've fixed it!

Steve

> +
> +Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
> +
> +---
> + lib/vtls/openssl.c | 3 ++-
> + 1 file changed, 2 insertions(+), 1 deletion(-)
> +
> +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
> +index 616a510..1bafe96 100644
> +--- a/lib/vtls/openssl.c
> ++++ b/lib/vtls/openssl.c
> +@@ -1808,7 +1808,8 @@ CURLcode Curl_ossl_verifyhost(struct Curl_easy *data, struct connectdata *conn,
> +               memcpy(peer_CN, ASN1_STRING_get0_data(tmp), peerlen);
> +               peer_CN[peerlen] = '\0';
> +             }
> +-            result = CURLE_OUT_OF_MEMORY;
> ++            else
> ++              result = CURLE_OUT_OF_MEMORY;
> +           }
> +         }
> +         else /* not a UTF8 name */
> +--
> +2.34.1
> +
> diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
> index ba3fd11820..d5dfe62a39 100644
> --- a/meta/recipes-support/curl/curl_7.82.0.bb
> +++ b/meta/recipes-support/curl/curl_7.82.0.bb
> @@ -23,6 +23,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
>             file://CVE-2022-27779.patch \
>             file://CVE-2022-27782-1.patch \
>             file://CVE-2022-27782-2.patch \
> +           file://0001-openssl-fix-CN-check-error-code.patch \
>             "
>  SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
>
> --
> 2.37.0
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#167535): https://lists.openembedded.org/g/openembedded-core/message/167535
> Mute This Topic: https://lists.openembedded.org/mt/92113235/3620601
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
Mikko Rapeli July 4, 2022, 6:43 a.m. UTC | #2 
Hi,

On Fri, Jul 01, 2022 at 08:27:20AM -1000, Steve Sakoman wrote:
> Should be Backport, not Backported!  The latter will get you an error:
> 
> ERROR: curl-7.82.0-r0 do_patch: Malformed Upstream-Status in patch
> 
> No need to re-submit, I've fixed it!

How is poky/scripts/contrib/patchreview.py setup to run so that this would
fail automatically?

I'd like to have this on my CI builds too.

Cheers,

-Mikko
Richard Purdie July 4, 2022, 7:43 a.m. UTC | #3 
On Mon, 2022-07-04 at 06:43 +0000, Mikko Rapeli wrote:
> Hi,
> 
> On Fri, Jul 01, 2022 at 08:27:20AM -1000, Steve Sakoman wrote:
> > Should be Backport, not Backported!  The latter will get you an error:
> > 
> > ERROR: curl-7.82.0-r0 do_patch: Malformed Upstream-Status in patch
> > 
> > No need to re-submit, I've fixed it!
> 
> How is poky/scripts/contrib/patchreview.py setup to run so that this would
> fail automatically?
> 
> I'd like to have this on my CI builds too.

See insane.bbclass, do_qa_patch. The issue will be:

       # skip patches not in oe-core
       if '/meta/' not in fullpath:
           continue

since we limited this to OE-Core originally. We probably need to make
that configurable.

Cheers,

Richard
diff mbox series

Patch

diff --git a/meta/recipes-support/curl/curl/0001-openssl-fix-CN-check-error-code.patch b/meta/recipes-support/curl/curl/0001-openssl-fix-CN-check-error-code.patch
new file mode 100644
index 0000000000..c5aa8f2d60
--- /dev/null
+++ b/meta/recipes-support/curl/curl/0001-openssl-fix-CN-check-error-code.patch
@@ -0,0 +1,38 @@ 
+From 0677924c6ec7e0d68964553fb760f6d407242c54 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 8 Mar 2022 13:38:13 +0100
+Subject: [PATCH] openssl: fix CN check error code
+
+Due to a missing 'else' this returns error too easily.
+
+Regressed in: d15692ebb
+
+Reported-by: Kristoffer Gleditsch
+Fixes #8559
+Closes #8560
+
+Upstream-Status: Backported [https://github.com/curl/curl/commit/911714d617c106ed5d553bf003e34ec94ab6a136]
+
+Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
+
+---
+ lib/vtls/openssl.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 616a510..1bafe96 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -1808,7 +1808,8 @@ CURLcode Curl_ossl_verifyhost(struct Curl_easy *data, struct connectdata *conn,
+               memcpy(peer_CN, ASN1_STRING_get0_data(tmp), peerlen);
+               peer_CN[peerlen] = '\0';
+             }
+-            result = CURLE_OUT_OF_MEMORY;
++            else
++              result = CURLE_OUT_OF_MEMORY;
+           }
+         }
+         else /* not a UTF8 name */
+-- 
+2.34.1
+
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
index ba3fd11820..d5dfe62a39 100644
--- a/meta/recipes-support/curl/curl_7.82.0.bb
+++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -23,6 +23,7 @@  SRC_URI = "https://curl.se/download/${BP}.tar.xz \
            file://CVE-2022-27779.patch \
            file://CVE-2022-27782-1.patch \
            file://CVE-2022-27782-2.patch \
+           file://0001-openssl-fix-CN-check-error-code.patch \
            "
 SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"