
[nanbield,2/7] openssl: upgrade to 3.1.5

Message ID 20240311083954.418271-2-chee.yang.lee@intel.com
State Superseded
Delegated to: Steve Sakoman
Series [nanbield,1/7] libxml2: upgrade to 2.11.7

Commit Message

Lee, Chee Yang March 11, 2024, 8:39 a.m. UTC
From: Lee Chee Yang <chee.yang.lee@intel.com>

Changes between 3.1.4 and 3.1.5 [30 Jan 2024]
 * A file in PKCS12 format can contain certificates and keys and may come from
   an untrusted source. The PKCS12 specification allows certain fields to be
   NULL, but OpenSSL did not correctly check for this case. A fix has been
   applied to prevent a NULL pointer dereference that results in OpenSSL
   crashing. If an application processes PKCS12 files from an untrusted source
   using the OpenSSL APIs then that application will be vulnerable to this
   issue prior to this fix.

   OpenSSL APIs that were vulnerable to this are: PKCS12_parse(),
   PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()
   and PKCS12_newpass().

   We have also fixed a similar issue in SMIME_write_PKCS7(). However since this
   function is related to writing data we do not consider it security
   significant.

   ([CVE-2024-0727])
https://www.openssl.org/news/cl31.txt

drop fix_random_labels.patch as fixed in
https://github.com/openssl/openssl/commit/99630a1b08fd6464d95052dee4a3500afeb95867

Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
---
 .../openssl/openssl/fix_random_labels.patch   | 22 -------------------
 .../{openssl_3.1.4.bb => openssl_3.1.5.bb}    |  3 +--
 2 files changed, 1 insertion(+), 24 deletions(-)
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/fix_random_labels.patch
 rename meta/recipes-connectivity/openssl/{openssl_3.1.4.bb => openssl_3.1.5.bb} (98%)
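The changelog quoted in the commit message names 3.1.5 as the 3.1-series release that carries the CVE-2024-0727 fix. The script below is an added example, not part of this patch or of the OpenSSL project: it parses an `openssl version` string as found on a built image and reports whether a 3.1.x build is at or above 3.1.5. It assumes the string has the shape `OpenSSL 3.1.4 24 Oct 2023` (or a bare `3.1.4`) and deliberately only judges the 3.1 series, since that is the only fixed version this page states.

```shell
#!/bin/sh
# Added example, not part of this patch or of OpenSSL: decide from an
# "openssl version" string whether a 3.1.x build already carries the
# CVE-2024-0727 fix quoted in the commit message (shipped in 3.1.5).
# Assumption: the string looks like "OpenSSL 3.1.4 24 Oct 2023" or "3.1.4".

# Print the first MAJOR.MINOR.PATCH token found in $1 (empty if none).
openssl_semver() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+$/) { print $i; exit }
    }'
}

# Exit status: 0 = 3.1.x at or above 3.1.5 (fixed), 1 = 3.1.x below 3.1.5
# (affected), 2 = not a 3.1.x release or unparsable (other release series are
# not judged here because this page only names 3.1.5 as fixed).
cve_2024_0727_status() {
    v=$(openssl_semver "$1")
    case "$v" in
        3.1.*) ;;
        *) return 2 ;;
    esac
    patch=${v##*.}
    [ "$patch" -ge 5 ] && return 0
    return 1
}

# Human-readable verdict for a version string, written to stdout.
report() {
    rc=0
    cve_2024_0727_status "$1" || rc=$?
    case "$rc" in
        0) echo "$1: 3.1.x with the CVE-2024-0727 fix (>= 3.1.5)" ;;
        1) echo "$1: 3.1.x WITHOUT the CVE-2024-0727 fix; upgrade to 3.1.5" ;;
        *) echo "$1: not a 3.1.x release; check the advisory for this series" ;;
    esac
}

# Stand-alone use: check the OpenSSL on this host if one is installed,
# otherwise demonstrate on constructed sample strings.
if command -v openssl >/dev/null 2>&1; then
    report "$(openssl version)"
else
    report "OpenSSL 3.1.4 24 Oct 2023"   # constructed sample: affected
    report "OpenSSL 3.1.5 30 Jan 2024"   # constructed sample: fixed
fi
```

On a ptest image the same check can be run over `openssl version` from inside the image; the exit status of `cve_2024_0727_status` is meant to be consumed by a larger audit loop, which is why the verdict is returned rather than only printed.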

Comments

Steve Sakoman March 12, 2024, 4:24 p.m. UTC | #1
I'm getting ptest failures with this patch, both on qemux86-64-ptest
and qemuarm64-ptest.

Links to logs below:

https://autobuilder.yocto.io/pub/non-release/20240311-30/testresults/qemux86-64-ptest/core-image-ptest-openssl/log.do_testimage.831625.20240311232818
https://autobuilder.yocto.io/pub/non-release/20240311-30/testresults/qemuarm64-ptest/core-image-ptest-openssl/log.do_testimage.152067.20240312011738

Steve

On Sun, Mar 10, 2024 at 10:40 PM Lee Chee Yang <chee.yang.lee@intel.com> wrote:
>
> From: Lee Chee Yang <chee.yang.lee@intel.com>
>
> Changes between 3.1.4 and 3.1.5 [30 Jan 2024]
>  * A file in PKCS12 format can contain certificates and keys and may come from
>    an untrusted source. The PKCS12 specification allows certain fields to be
>    NULL, but OpenSSL did not correctly check for this case. A fix has been
>    applied to prevent a NULL pointer dereference that results in OpenSSL
>    crashing. If an application processes PKCS12 files from an untrusted source
>    using the OpenSSL APIs then that application will be vulnerable to this
>    issue prior to this fix.
>
>    OpenSSL APIs that were vulnerable to this are: PKCS12_parse(),
>    PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()
>    and PKCS12_newpass().
>
>    We have also fixed a similar issue in SMIME_write_PKCS7(). However since this
>    function is related to writing data we do not consider it security
>    significant.
>
>    ([CVE-2024-0727])
> https://www.openssl.org/news/cl31.txt
>
> drop fix_random_labels.patch as fixed in
> https://github.com/openssl/openssl/commit/99630a1b08fd6464d95052dee4a3500afeb95867
>
> Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
> ---
>  .../openssl/openssl/fix_random_labels.patch   | 22 -------------------
>  .../{openssl_3.1.4.bb => openssl_3.1.5.bb}    |  3 +--
>  2 files changed, 1 insertion(+), 24 deletions(-)
>  delete mode 100644 meta/recipes-connectivity/openssl/openssl/fix_random_labels.patch
>  rename meta/recipes-connectivity/openssl/{openssl_3.1.4.bb => openssl_3.1.5.bb} (98%)
>
> diff --git a/meta/recipes-connectivity/openssl/openssl/fix_random_labels.patch b/meta/recipes-connectivity/openssl/openssl/fix_random_labels.patch
> deleted file mode 100644
> index 78dcd81685..0000000000
> --- a/meta/recipes-connectivity/openssl/openssl/fix_random_labels.patch
> +++ /dev/null
> @@ -1,22 +0,0 @@
> -The perl script adds random suffixes to the local function names to ensure
> -it doesn't clash with other parts of openssl. Set the random number seed
> -to something predictable so the assembler files are generated consistently
> -and our own reproducible builds tests pass.
> -
> -Upstream-Status: Pending
> -Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> -
> -Index: openssl-3.1.0/crypto/modes/asm/aes-gcm-avx512.pl
> -===================================================================
> ---- openssl-3.1.0.orig/crypto/modes/asm/aes-gcm-avx512.pl
> -+++ openssl-3.1.0/crypto/modes/asm/aes-gcm-avx512.pl
> -@@ -191,6 +191,9 @@ my $CTX_OFFSET_HTable    = (16 * 6);
> - # ;;; Helper functions
> - # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
> -
> -+# Ensure the local labels are reproduicble
> -+srand(10000);
> -+
> - # ; Generates "random" local labels
> - sub random_string() {
> -   my @chars  = ('a' .. 'z', 'A' .. 'Z', '0' .. '9', '_');
> diff --git a/meta/recipes-connectivity/openssl/openssl_3.1.4.bb b/meta/recipes-connectivity/openssl/openssl_3.1.5.bb
> similarity index 98%
> rename from meta/recipes-connectivity/openssl/openssl_3.1.4.bb
> rename to meta/recipes-connectivity/openssl/openssl_3.1.5.bb
> index 0fe4e76808..9c1d4e31be 100644
> --- a/meta/recipes-connectivity/openssl/openssl_3.1.4.bb
> +++ b/meta/recipes-connectivity/openssl/openssl_3.1.5.bb
> @@ -11,7 +11,6 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
>             file://run-ptest \
>             file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
>             file://0001-Configure-do-not-tweak-mips-cflags.patch \
> -           file://fix_random_labels.patch \
>             file://0001-Added-handshake-history-reporting-when-test-fails.patch \
>             "
>
> @@ -19,7 +18,7 @@ SRC_URI:append:class-nativesdk = " \
>             file://environment.d-openssl.sh \
>             "
>
> -SRC_URI[sha256sum] = "840af5366ab9b522bde525826be3ef0fb0af81c6a9ebd84caa600fea1731eee3"
> +SRC_URI[sha256sum] = "6ae015467dabf0469b139ada93319327be24b98251ffaeceda0221848dc09262"
>
>  inherit lib_package multilib_header multilib_script ptest perlnative manpages
>  MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
> --
> 2.37.3
>
>

Patch

diff --git a/meta/recipes-connectivity/openssl/openssl/fix_random_labels.patch b/meta/recipes-connectivity/openssl/openssl/fix_random_labels.patch
deleted file mode 100644
index 78dcd81685..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/fix_random_labels.patch
+++ /dev/null
@@ -1,22 +0,0 @@ 
-The perl script adds random suffixes to the local function names to ensure
-it doesn't clash with other parts of openssl. Set the random number seed
-to something predictable so the assembler files are generated consistently
-and our own reproducible builds tests pass.
-
-Upstream-Status: Pending
-Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-
-Index: openssl-3.1.0/crypto/modes/asm/aes-gcm-avx512.pl
-===================================================================
---- openssl-3.1.0.orig/crypto/modes/asm/aes-gcm-avx512.pl
-+++ openssl-3.1.0/crypto/modes/asm/aes-gcm-avx512.pl
-@@ -191,6 +191,9 @@ my $CTX_OFFSET_HTable    = (16 * 6);
- # ;;; Helper functions
- # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
- 
-+# Ensure the local labels are reproduicble
-+srand(10000);
-+
- # ; Generates "random" local labels
- sub random_string() {
-   my @chars  = ('a' .. 'z', 'A' .. 'Z', '0' .. '9', '_');
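Review bot: dropping fix_random_labels.patch is only safe if the upstream commit cited in the commit message (99630a1b08fd6464d95052dee4a3500afeb95867) is actually contained in the 3.1.5 release rather than only on the development branch; the removed patch was marked `Upstream-Status: Pending` and exists solely so that the `srand(10000)` seed makes the `random_string()` label suffixes in aes-gcm-avx512.pl deterministic for the reproducible-builds test. Please state in the commit message that this was checked against the release tag (for example with `git merge-base --is-ancestor 99630a1b08fd6464d95052dee4a3500afeb95867 openssl-3.1.5` in an OpenSSL checkout), and confirm the reproducibility test still passes without the seed.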
diff --git a/meta/recipes-connectivity/openssl/openssl_3.1.4.bb b/meta/recipes-connectivity/openssl/openssl_3.1.5.bb
similarity index 98%
rename from meta/recipes-connectivity/openssl/openssl_3.1.4.bb
rename to meta/recipes-connectivity/openssl/openssl_3.1.5.bb
index 0fe4e76808..9c1d4e31be 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.1.4.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.1.5.bb
@@ -11,7 +11,6 @@  SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
            file://run-ptest \
            file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
            file://0001-Configure-do-not-tweak-mips-cflags.patch \
-           file://fix_random_labels.patch \
            file://0001-Added-handshake-history-reporting-when-test-fails.patch \
            "
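Review bot: the removal of `file://fix_random_labels.patch` from SRC_URI is consistent with the file deletion above, so nothing else needs to change here. Unrelated to this upgrade but visible in the hunk header: the tarball is still fetched from `http://www.openssl.org/source/openssl-${PV}.tar.gz`, so the download's integrity rests entirely on `SRC_URI[sha256sum]`; that is sufficient for the build, but a follow-up switching the URL to https:// would remove the dependence on the checksum alone.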
 
@@ -19,7 +18,7 @@  SRC_URI:append:class-nativesdk = " \
            file://environment.d-openssl.sh \
            "
 
-SRC_URI[sha256sum] = "840af5366ab9b522bde525826be3ef0fb0af81c6a9ebd84caa600fea1731eee3"
+SRC_URI[sha256sum] = "6ae015467dabf0469b139ada93319327be24b98251ffaeceda0221848dc09262"
 
 inherit lib_package multilib_header multilib_script ptest perlnative manpages
 MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
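Review bot: the new `SRC_URI[sha256sum]` value cannot be checked from the diff itself; please confirm it matches the SHA256 published by openssl.org for openssl-3.1.5.tar.gz rather than a locally computed digest of whatever was downloaded, since the checksum is the only integrity check the recipe performs on this tarball. Separately, comment #1 reports ptest failures on both qemux86-64 and qemuarm64 with this patch, so the version bump should not be merged until those are understood and the commit message explains any expected ptest changes; the patch being marked Superseded is consistent with that.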