| Message ID | 20230725190947.660933-3-tgamblin@baylibre.com |
|---|---|
| State | New |
| Headers | show |
| Series | [meta-python,1/7] python3-fastjsonschema: upgrade 2.16.3 -> 2.18.0 | expand |
Hi Trevor I am seeing a failure on qemux86 on ubuntu 22.04 host and its fairly regular. https://errors.yoctoproject.org/Errors/Details/729506/ it seems rpmdeps is crashing with signal 9. I wonder if its something to do with rpm changes we might have got in core but, I can confirm that it was not an issue two weeks ago. It worked ok on Jul 17th but broke on Jul 27th CI builds. On Tue, Jul 25, 2023 at 12:09 PM Trevor Gamblin <tgamblin@baylibre.com> wrote: > > Remove the CVE-2020-25657 patch, as it is fixed in 0.39.0: > > [tgamblin@megalith m2crypto]$ git log --oneline --grep="CVE-2020-25657" > 84c5395 Mitigate the Bleichenbacher timing attacks in the RSA decryption API (CVE-2020-25657) > [tgamblin@megalith m2crypto]$ git tag --contains 84c53958def0f510e92119fca14d74f94215827a > 0.39.0 > > Changelog (https://gitlab.com/m2crypto/m2crypto/-/blob/master/CHANGES?ref_type=heads): > > 0.39.0 - 2023-01-31 > ------------------- > > - SUPPORT FOR PYTHON 2 HAS BEEN DEPRECATED AND IT WILL BE > COMPLETELY REMOVED IN THE NEXT RELEASE. > - Remove dependency on parameterized and use unittest.subTest > instead. > - Upgrade embedded six.py module to 1.16.0 (really tiny > inconsequential changes). > - Make tests working on MacOS again (test_bio_membuf: Use fork) > - Use OpenSSL_version_num() instead of unrealiable parsing of .h > file. > - Mitigate the Bleichenbacher timing attacks in the RSA > decryption API (CVE-2020-25657) > - Add functionality to extract EC key from public key + Update > tests > - Worked around compatibility issues with OpenSSL 3.* > - Support for Twisted has been deprecated (they have their own > SSL support anyway). > - Generate TAP while testing. > - Stop using GitHub for testing. > - Accept a small deviation from time in the testsuite (for > systems with non-standard HZ kernel parameter). > - Use the default BIO.__del__ rather tha overriding in BIO.File > (avoid a memleak). > - Resolve "X509_Name.as_der() method from X509.py -> class > X509_Name caused segmentation fault" > > Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com> > --- > .../python3-m2crypto/CVE-2020-25657.patch | 176 ------------------ > ...o_0.38.0.bb => python3-m2crypto_0.39.0.bb} | 3 +- > 2 files changed, 1 insertion(+), 178 deletions(-) > delete mode 100644 meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch > rename meta-python/recipes-devtools/python/{python3-m2crypto_0.38.0.bb => python3-m2crypto_0.39.0.bb} (92%) > > diff --git a/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch b/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch > deleted file mode 100644 > index 38ecd7a276..0000000000 > --- a/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch > +++ /dev/null > @@ -1,176 +0,0 @@ > -Backport patch to fix CVE-2020-25657. > - > -Upstream-Status: Backport [https://gitlab.com/m2crypto/m2crypto/-/commit/84c53958] > - > -Signed-off-by: Kai Kang <kai.kang@windriver.com> > - > -From 84c53958def0f510e92119fca14d74f94215827a Mon Sep 17 00:00:00 2001 > -From: =?UTF-8?q?Mat=C4=9Bj=20Cepl?= <mcepl@cepl.eu> > -Date: Tue, 28 Jun 2022 21:17:01 +0200 > -Subject: [PATCH] Mitigate the Bleichenbacher timing attacks in the RSA > - decryption API (CVE-2020-25657) > - > -Fixes #282 > ---- > - src/SWIG/_m2crypto_wrap.c | 20 ++++++++++++-------- > - src/SWIG/_rsa.i | 20 ++++++++++++-------- > - tests/test_rsa.py | 15 +++++++-------- > - 3 files changed, 31 insertions(+), 24 deletions(-) > - > -diff --git a/src/SWIG/_m2crypto_wrap.c b/src/SWIG/_m2crypto_wrap.c > -index aba9eb6d..a9f30da9 100644 > ---- a/src/SWIG/_m2crypto_wrap.c > -+++ b/src/SWIG/_m2crypto_wrap.c > -@@ -7040,9 +7040,10 @@ PyObject *rsa_private_encrypt(RSA *rsa, PyObject *from, int padding) { > - tlen = RSA_private_encrypt(flen, (unsigned char *)fbuf, > - (unsigned char *)tbuf, rsa, padding); > - if (tlen == -1) { > -- m2_PyErr_Msg(_rsa_err); > -+ ERR_clear_error(); > -+ PyErr_Clear(); > - PyMem_Free(tbuf); > -- return NULL; > -+ Py_RETURN_NONE; > - } > - > - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); > -@@ -7070,9 +7071,10 @@ PyObject *rsa_public_decrypt(RSA *rsa, PyObject *from, int padding) { > - tlen = RSA_public_decrypt(flen, (unsigned char *)fbuf, > - (unsigned char *)tbuf, rsa, padding); > - if (tlen == -1) { > -- m2_PyErr_Msg(_rsa_err); > -+ ERR_clear_error(); > -+ PyErr_Clear(); > - PyMem_Free(tbuf); > -- return NULL; > -+ Py_RETURN_NONE; > - } > - > - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); > -@@ -7097,9 +7099,10 @@ PyObject *rsa_public_encrypt(RSA *rsa, PyObject *from, int padding) { > - tlen = RSA_public_encrypt(flen, (unsigned char *)fbuf, > - (unsigned char *)tbuf, rsa, padding); > - if (tlen == -1) { > -- m2_PyErr_Msg(_rsa_err); > -+ ERR_clear_error(); > -+ PyErr_Clear(); > - PyMem_Free(tbuf); > -- return NULL; > -+ Py_RETURN_NONE; > - } > - > - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); > -@@ -7124,9 +7127,10 @@ PyObject *rsa_private_decrypt(RSA *rsa, PyObject *from, int padding) { > - tlen = RSA_private_decrypt(flen, (unsigned char *)fbuf, > - (unsigned char *)tbuf, rsa, padding); > - if (tlen == -1) { > -- m2_PyErr_Msg(_rsa_err); > -+ ERR_clear_error(); > -+ PyErr_Clear(); > - PyMem_Free(tbuf); > -- return NULL; > -+ Py_RETURN_NONE; > - } > - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); > - > -diff --git a/src/SWIG/_rsa.i b/src/SWIG/_rsa.i > -index bc714e01..1377b8be 100644 > ---- a/src/SWIG/_rsa.i > -+++ b/src/SWIG/_rsa.i > -@@ -239,9 +239,10 @@ PyObject *rsa_private_encrypt(RSA *rsa, PyObject *from, int padding) { > - tlen = RSA_private_encrypt(flen, (unsigned char *)fbuf, > - (unsigned char *)tbuf, rsa, padding); > - if (tlen == -1) { > -- m2_PyErr_Msg(_rsa_err); > -+ ERR_clear_error(); > -+ PyErr_Clear(); > - PyMem_Free(tbuf); > -- return NULL; > -+ Py_RETURN_NONE; > - } > - > - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); > -@@ -269,9 +270,10 @@ PyObject *rsa_public_decrypt(RSA *rsa, PyObject *from, int padding) { > - tlen = RSA_public_decrypt(flen, (unsigned char *)fbuf, > - (unsigned char *)tbuf, rsa, padding); > - if (tlen == -1) { > -- m2_PyErr_Msg(_rsa_err); > -+ ERR_clear_error(); > -+ PyErr_Clear(); > - PyMem_Free(tbuf); > -- return NULL; > -+ Py_RETURN_NONE; > - } > - > - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); > -@@ -296,9 +298,10 @@ PyObject *rsa_public_encrypt(RSA *rsa, PyObject *from, int padding) { > - tlen = RSA_public_encrypt(flen, (unsigned char *)fbuf, > - (unsigned char *)tbuf, rsa, padding); > - if (tlen == -1) { > -- m2_PyErr_Msg(_rsa_err); > -+ ERR_clear_error(); > -+ PyErr_Clear(); > - PyMem_Free(tbuf); > -- return NULL; > -+ Py_RETURN_NONE; > - } > - > - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); > -@@ -323,9 +326,10 @@ PyObject *rsa_private_decrypt(RSA *rsa, PyObject *from, int padding) { > - tlen = RSA_private_decrypt(flen, (unsigned char *)fbuf, > - (unsigned char *)tbuf, rsa, padding); > - if (tlen == -1) { > -- m2_PyErr_Msg(_rsa_err); > -+ ERR_clear_error(); > -+ PyErr_Clear(); > - PyMem_Free(tbuf); > -- return NULL; > -+ Py_RETURN_NONE; > - } > - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); > - > -diff --git a/tests/test_rsa.py b/tests/test_rsa.py > -index 7bb3af75..5e75d681 100644 > ---- a/tests/test_rsa.py > -+++ b/tests/test_rsa.py > -@@ -109,8 +109,9 @@ class RSATestCase(unittest.TestCase): > - # The other paddings. > - for padding in self.s_padding_nok: > - p = getattr(RSA, padding) > -- with self.assertRaises(RSA.RSAError): > -- priv.private_encrypt(self.data, p) > -+ # Exception disabled as a part of mitigation against CVE-2020-25657 > -+ # with self.assertRaises(RSA.RSAError): > -+ priv.private_encrypt(self.data, p) > - # Type-check the data to be encrypted. > - with self.assertRaises(TypeError): > - priv.private_encrypt(self.gen_callback, RSA.pkcs1_padding) > -@@ -127,10 +128,12 @@ class RSATestCase(unittest.TestCase): > - self.assertEqual(ptxt, self.data) > - > - # no_padding > -- with six.assertRaisesRegex(self, RSA.RSAError, 'data too small'): > -- priv.public_encrypt(self.data, RSA.no_padding) > -+ # Exception disabled as a part of mitigation against CVE-2020-25657 > -+ # with six.assertRaisesRegex(self, RSA.RSAError, 'data too small'): > -+ priv.public_encrypt(self.data, RSA.no_padding) > - > - # Type-check the data to be encrypted. > -+ # Exception disabled as a part of mitigation against CVE-2020-25657 > - with self.assertRaises(TypeError): > - priv.public_encrypt(self.gen_callback, RSA.pkcs1_padding) > - > -@@ -146,10 +149,6 @@ class RSATestCase(unittest.TestCase): > - b'\000\000\000\003\001\000\001') # aka 65537 aka 0xf4 > - with self.assertRaises(RSA.RSAError): > - setattr(rsa, 'e', '\000\000\000\003\001\000\001') > -- with self.assertRaises(RSA.RSAError): > -- rsa.private_encrypt(1) > -- with self.assertRaises(RSA.RSAError): > -- rsa.private_decrypt(1) > - assert rsa.check_key() > - > - def test_loadpub_bad(self): > --- > -GitLab > - > diff --git a/meta-python/recipes-devtools/python/python3-m2crypto_0.38.0.bb b/meta-python/recipes-devtools/python/python3-m2crypto_0.39.0.bb > similarity index 92% > rename from meta-python/recipes-devtools/python/python3-m2crypto_0.38.0.bb > rename to meta-python/recipes-devtools/python/python3-m2crypto_0.39.0.bb > index 40e3bfb316..3a4a700bf7 100644 > --- a/meta-python/recipes-devtools/python/python3-m2crypto_0.38.0.bb > +++ b/meta-python/recipes-devtools/python/python3-m2crypto_0.39.0.bb > @@ -10,9 +10,8 @@ SRC_URI += "file://0001-setup.py-link-in-sysroot-not-in-host-directories.patch \ > file://cross-compile-platform.patch \ > file://avoid-host-contamination.patch \ > file://0001-setup.py-address-openssl-3.x-build-issue.patch \ > - file://CVE-2020-25657.patch \ > " > -SRC_URI[sha256sum] = "99f2260a30901c949a8dc6d5f82cd5312ffb8abc92e76633baf231bbbcb2decb" > +SRC_URI[sha256sum] = "24c0f471358b8b19ad4c8aa9da12e868030b65c1fdb3279d006df60c9501338a" > > PYPI_PACKAGE = "M2Crypto" > inherit pypi siteinfo setuptools3 > -- > 2.41.0 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#104020): https://lists.openembedded.org/g/openembedded-devel/message/104020 > Mute This Topic: https://lists.openembedded.org/mt/100356779/1997914 > Group Owner: openembedded-devel+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [raj.khem@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- >
On 2023-07-30 21:03, Khem Raj wrote: > Hi Trevor > > I am seeing a failure on qemux86 on ubuntu 22.04 host and its fairly regular. > > https://errors.yoctoproject.org/Errors/Details/729506/ > > it seems rpmdeps is crashing with signal 9. I wonder if its something > to do with rpm changes we might have > got in core but, I can confirm that it was not an issue two weeks ago. > It worked ok on Jul 17th but broke on > Jul 27th CI builds. Missed this until now. I see it's been merged; is this still an issue? > > On Tue, Jul 25, 2023 at 12:09 PM Trevor Gamblin <tgamblin@baylibre.com> wrote: >> Remove the CVE-2020-25657 patch, as it is fixed in 0.39.0: >> >> [tgamblin@megalith m2crypto]$ git log --oneline --grep="CVE-2020-25657" >> 84c5395 Mitigate the Bleichenbacher timing attacks in the RSA decryption API (CVE-2020-25657) >> [tgamblin@megalith m2crypto]$ git tag --contains 84c53958def0f510e92119fca14d74f94215827a >> 0.39.0 >> >> Changelog (https://gitlab.com/m2crypto/m2crypto/-/blob/master/CHANGES?ref_type=heads): >> >> 0.39.0 - 2023-01-31 >> ------------------- >> >> - SUPPORT FOR PYTHON 2 HAS BEEN DEPRECATED AND IT WILL BE >> COMPLETELY REMOVED IN THE NEXT RELEASE. >> - Remove dependency on parameterized and use unittest.subTest >> instead. >> - Upgrade embedded six.py module to 1.16.0 (really tiny >> inconsequential changes). >> - Make tests working on MacOS again (test_bio_membuf: Use fork) >> - Use OpenSSL_version_num() instead of unrealiable parsing of .h >> file. >> - Mitigate the Bleichenbacher timing attacks in the RSA >> decryption API (CVE-2020-25657) >> - Add functionality to extract EC key from public key + Update >> tests >> - Worked around compatibility issues with OpenSSL 3.* >> - Support for Twisted has been deprecated (they have their own >> SSL support anyway). >> - Generate TAP while testing. >> - Stop using GitHub for testing. >> - Accept a small deviation from time in the testsuite (for >> systems with non-standard HZ kernel parameter). >> - Use the default BIO.__del__ rather tha overriding in BIO.File >> (avoid a memleak). >> - Resolve "X509_Name.as_der() method from X509.py -> class >> X509_Name caused segmentation fault" >> >> Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com> >> --- >> .../python3-m2crypto/CVE-2020-25657.patch | 176 ------------------ >> ...o_0.38.0.bb => python3-m2crypto_0.39.0.bb} | 3 +- >> 2 files changed, 1 insertion(+), 178 deletions(-) >> delete mode 100644 meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch >> rename meta-python/recipes-devtools/python/{python3-m2crypto_0.38.0.bb => python3-m2crypto_0.39.0.bb} (92%) >> >> diff --git a/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch b/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch >> deleted file mode 100644 >> index 38ecd7a276..0000000000 >> --- a/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch >> +++ /dev/null >> @@ -1,176 +0,0 @@ >> -Backport patch to fix CVE-2020-25657. >> - >> -Upstream-Status: Backport [https://gitlab.com/m2crypto/m2crypto/-/commit/84c53958] >> - >> -Signed-off-by: Kai Kang <kai.kang@windriver.com> >> - >> -From 84c53958def0f510e92119fca14d74f94215827a Mon Sep 17 00:00:00 2001 >> -From: =?UTF-8?q?Mat=C4=9Bj=20Cepl?= <mcepl@cepl.eu> >> -Date: Tue, 28 Jun 2022 21:17:01 +0200 >> -Subject: [PATCH] Mitigate the Bleichenbacher timing attacks in the RSA >> - decryption API (CVE-2020-25657) >> - >> -Fixes #282 >> ---- >> - src/SWIG/_m2crypto_wrap.c | 20 ++++++++++++-------- >> - src/SWIG/_rsa.i | 20 ++++++++++++-------- >> - tests/test_rsa.py | 15 +++++++-------- >> - 3 files changed, 31 insertions(+), 24 deletions(-) >> - >> -diff --git a/src/SWIG/_m2crypto_wrap.c b/src/SWIG/_m2crypto_wrap.c >> -index aba9eb6d..a9f30da9 100644 >> ---- a/src/SWIG/_m2crypto_wrap.c >> -+++ b/src/SWIG/_m2crypto_wrap.c >> -@@ -7040,9 +7040,10 @@ PyObject *rsa_private_encrypt(RSA *rsa, PyObject *from, int padding) { >> - tlen = RSA_private_encrypt(flen, (unsigned char *)fbuf, >> - (unsigned char *)tbuf, rsa, padding); >> - if (tlen == -1) { >> -- m2_PyErr_Msg(_rsa_err); >> -+ ERR_clear_error(); >> -+ PyErr_Clear(); >> - PyMem_Free(tbuf); >> -- return NULL; >> -+ Py_RETURN_NONE; >> - } >> - >> - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); >> -@@ -7070,9 +7071,10 @@ PyObject *rsa_public_decrypt(RSA *rsa, PyObject *from, int padding) { >> - tlen = RSA_public_decrypt(flen, (unsigned char *)fbuf, >> - (unsigned char *)tbuf, rsa, padding); >> - if (tlen == -1) { >> -- m2_PyErr_Msg(_rsa_err); >> -+ ERR_clear_error(); >> -+ PyErr_Clear(); >> - PyMem_Free(tbuf); >> -- return NULL; >> -+ Py_RETURN_NONE; >> - } >> - >> - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); >> -@@ -7097,9 +7099,10 @@ PyObject *rsa_public_encrypt(RSA *rsa, PyObject *from, int padding) { >> - tlen = RSA_public_encrypt(flen, (unsigned char *)fbuf, >> - (unsigned char *)tbuf, rsa, padding); >> - if (tlen == -1) { >> -- m2_PyErr_Msg(_rsa_err); >> -+ ERR_clear_error(); >> -+ PyErr_Clear(); >> - PyMem_Free(tbuf); >> -- return NULL; >> -+ Py_RETURN_NONE; >> - } >> - >> - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); >> -@@ -7124,9 +7127,10 @@ PyObject *rsa_private_decrypt(RSA *rsa, PyObject *from, int padding) { >> - tlen = RSA_private_decrypt(flen, (unsigned char *)fbuf, >> - (unsigned char *)tbuf, rsa, padding); >> - if (tlen == -1) { >> -- m2_PyErr_Msg(_rsa_err); >> -+ ERR_clear_error(); >> -+ PyErr_Clear(); >> - PyMem_Free(tbuf); >> -- return NULL; >> -+ Py_RETURN_NONE; >> - } >> - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); >> - >> -diff --git a/src/SWIG/_rsa.i b/src/SWIG/_rsa.i >> -index bc714e01..1377b8be 100644 >> ---- a/src/SWIG/_rsa.i >> -+++ b/src/SWIG/_rsa.i >> -@@ -239,9 +239,10 @@ PyObject *rsa_private_encrypt(RSA *rsa, PyObject *from, int padding) { >> - tlen = RSA_private_encrypt(flen, (unsigned char *)fbuf, >> - (unsigned char *)tbuf, rsa, padding); >> - if (tlen == -1) { >> -- m2_PyErr_Msg(_rsa_err); >> -+ ERR_clear_error(); >> -+ PyErr_Clear(); >> - PyMem_Free(tbuf); >> -- return NULL; >> -+ Py_RETURN_NONE; >> - } >> - >> - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); >> -@@ -269,9 +270,10 @@ PyObject *rsa_public_decrypt(RSA *rsa, PyObject *from, int padding) { >> - tlen = RSA_public_decrypt(flen, (unsigned char *)fbuf, >> - (unsigned char *)tbuf, rsa, padding); >> - if (tlen == -1) { >> -- m2_PyErr_Msg(_rsa_err); >> -+ ERR_clear_error(); >> -+ PyErr_Clear(); >> - PyMem_Free(tbuf); >> -- return NULL; >> -+ Py_RETURN_NONE; >> - } >> - >> - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); >> -@@ -296,9 +298,10 @@ PyObject *rsa_public_encrypt(RSA *rsa, PyObject *from, int padding) { >> - tlen = RSA_public_encrypt(flen, (unsigned char *)fbuf, >> - (unsigned char *)tbuf, rsa, padding); >> - if (tlen == -1) { >> -- m2_PyErr_Msg(_rsa_err); >> -+ ERR_clear_error(); >> -+ PyErr_Clear(); >> - PyMem_Free(tbuf); >> -- return NULL; >> -+ Py_RETURN_NONE; >> - } >> - >> - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); >> -@@ -323,9 +326,10 @@ PyObject *rsa_private_decrypt(RSA *rsa, PyObject *from, int padding) { >> - tlen = RSA_private_decrypt(flen, (unsigned char *)fbuf, >> - (unsigned char *)tbuf, rsa, padding); >> - if (tlen == -1) { >> -- m2_PyErr_Msg(_rsa_err); >> -+ ERR_clear_error(); >> -+ PyErr_Clear(); >> - PyMem_Free(tbuf); >> -- return NULL; >> -+ Py_RETURN_NONE; >> - } >> - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); >> - >> -diff --git a/tests/test_rsa.py b/tests/test_rsa.py >> -index 7bb3af75..5e75d681 100644 >> ---- a/tests/test_rsa.py >> -+++ b/tests/test_rsa.py >> -@@ -109,8 +109,9 @@ class RSATestCase(unittest.TestCase): >> - # The other paddings. >> - for padding in self.s_padding_nok: >> - p = getattr(RSA, padding) >> -- with self.assertRaises(RSA.RSAError): >> -- priv.private_encrypt(self.data, p) >> -+ # Exception disabled as a part of mitigation against CVE-2020-25657 >> -+ # with self.assertRaises(RSA.RSAError): >> -+ priv.private_encrypt(self.data, p) >> - # Type-check the data to be encrypted. >> - with self.assertRaises(TypeError): >> - priv.private_encrypt(self.gen_callback, RSA.pkcs1_padding) >> -@@ -127,10 +128,12 @@ class RSATestCase(unittest.TestCase): >> - self.assertEqual(ptxt, self.data) >> - >> - # no_padding >> -- with six.assertRaisesRegex(self, RSA.RSAError, 'data too small'): >> -- priv.public_encrypt(self.data, RSA.no_padding) >> -+ # Exception disabled as a part of mitigation against CVE-2020-25657 >> -+ # with six.assertRaisesRegex(self, RSA.RSAError, 'data too small'): >> -+ priv.public_encrypt(self.data, RSA.no_padding) >> - >> - # Type-check the data to be encrypted. >> -+ # Exception disabled as a part of mitigation against CVE-2020-25657 >> - with self.assertRaises(TypeError): >> - priv.public_encrypt(self.gen_callback, RSA.pkcs1_padding) >> - >> -@@ -146,10 +149,6 @@ class RSATestCase(unittest.TestCase): >> - b'\000\000\000\003\001\000\001') # aka 65537 aka 0xf4 >> - with self.assertRaises(RSA.RSAError): >> - setattr(rsa, 'e', '\000\000\000\003\001\000\001') >> -- with self.assertRaises(RSA.RSAError): >> -- rsa.private_encrypt(1) >> -- with self.assertRaises(RSA.RSAError): >> -- rsa.private_decrypt(1) >> - assert rsa.check_key() >> - >> - def test_loadpub_bad(self): >> --- >> -GitLab >> - >> diff --git a/meta-python/recipes-devtools/python/python3-m2crypto_0.38.0.bb b/meta-python/recipes-devtools/python/python3-m2crypto_0.39.0.bb >> similarity index 92% >> rename from meta-python/recipes-devtools/python/python3-m2crypto_0.38.0.bb >> rename to meta-python/recipes-devtools/python/python3-m2crypto_0.39.0.bb >> index 40e3bfb316..3a4a700bf7 100644 >> --- a/meta-python/recipes-devtools/python/python3-m2crypto_0.38.0.bb >> +++ b/meta-python/recipes-devtools/python/python3-m2crypto_0.39.0.bb >> @@ -10,9 +10,8 @@ SRC_URI += "file://0001-setup.py-link-in-sysroot-not-in-host-directories.patch \ >> file://cross-compile-platform.patch \ >> file://avoid-host-contamination.patch \ >> file://0001-setup.py-address-openssl-3.x-build-issue.patch \ >> - file://CVE-2020-25657.patch \ >> " >> -SRC_URI[sha256sum] = "99f2260a30901c949a8dc6d5f82cd5312ffb8abc92e76633baf231bbbcb2decb" >> +SRC_URI[sha256sum] = "24c0f471358b8b19ad4c8aa9da12e868030b65c1fdb3279d006df60c9501338a" >> >> PYPI_PACKAGE = "M2Crypto" >> inherit pypi siteinfo setuptools3 >> -- >> 2.41.0 >> >> >> -=-=-=-=-=-=-=-=-=-=-=- >> Links: You receive all messages sent to this group. >> View/Reply Online (#104020): https://lists.openembedded.org/g/openembedded-devel/message/104020 >> Mute This Topic: https://lists.openembedded.org/mt/100356779/1997914 >> Group Owner: openembedded-devel+owner@lists.openembedded.org >> Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [raj.khem@gmail.com] >> -=-=-=-=-=-=-=-=-=-=-=- >>
On Wed, Aug 2, 2023 at 12:23 PM Trevor Gamblin <tgamblin@baylibre.com> wrote: > > > On 2023-07-30 21:03, Khem Raj wrote: > > Hi Trevor > > > > I am seeing a failure on qemux86 on ubuntu 22.04 host and its fairly regular. > > > > https://errors.yoctoproject.org/Errors/Details/729506/ > > > > it seems rpmdeps is crashing with signal 9. I wonder if its something > > to do with rpm changes we might have > > got in core but, I can confirm that it was not an issue two weeks ago. > > It worked ok on Jul 17th but broke on > > Jul 27th CI builds. > Missed this until now. I see it's been merged; is this still an issue? yes it still is. > > > > On Tue, Jul 25, 2023 at 12:09 PM Trevor Gamblin <tgamblin@baylibre.com> wrote: > >> Remove the CVE-2020-25657 patch, as it is fixed in 0.39.0: > >> > >> [tgamblin@megalith m2crypto]$ git log --oneline --grep="CVE-2020-25657" > >> 84c5395 Mitigate the Bleichenbacher timing attacks in the RSA decryption API (CVE-2020-25657) > >> [tgamblin@megalith m2crypto]$ git tag --contains 84c53958def0f510e92119fca14d74f94215827a > >> 0.39.0 > >> > >> Changelog (https://gitlab.com/m2crypto/m2crypto/-/blob/master/CHANGES?ref_type=heads): > >> > >> 0.39.0 - 2023-01-31 > >> ------------------- > >> > >> - SUPPORT FOR PYTHON 2 HAS BEEN DEPRECATED AND IT WILL BE > >> COMPLETELY REMOVED IN THE NEXT RELEASE. > >> - Remove dependency on parameterized and use unittest.subTest > >> instead. > >> - Upgrade embedded six.py module to 1.16.0 (really tiny > >> inconsequential changes). > >> - Make tests working on MacOS again (test_bio_membuf: Use fork) > >> - Use OpenSSL_version_num() instead of unrealiable parsing of .h > >> file. > >> - Mitigate the Bleichenbacher timing attacks in the RSA > >> decryption API (CVE-2020-25657) > >> - Add functionality to extract EC key from public key + Update > >> tests > >> - Worked around compatibility issues with OpenSSL 3.* > >> - Support for Twisted has been deprecated (they have their own > >> SSL support anyway). > >> - Generate TAP while testing. > >> - Stop using GitHub for testing. > >> - Accept a small deviation from time in the testsuite (for > >> systems with non-standard HZ kernel parameter). > >> - Use the default BIO.__del__ rather tha overriding in BIO.File > >> (avoid a memleak). > >> - Resolve "X509_Name.as_der() method from X509.py -> class > >> X509_Name caused segmentation fault" > >> > >> Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com> > >> --- > >> .../python3-m2crypto/CVE-2020-25657.patch | 176 ------------------ > >> ...o_0.38.0.bb => python3-m2crypto_0.39.0.bb} | 3 +- > >> 2 files changed, 1 insertion(+), 178 deletions(-) > >> delete mode 100644 meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch > >> rename meta-python/recipes-devtools/python/{python3-m2crypto_0.38.0.bb => python3-m2crypto_0.39.0.bb} (92%) > >> > >> diff --git a/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch b/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch > >> deleted file mode 100644 > >> index 38ecd7a276..0000000000 > >> --- a/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch > >> +++ /dev/null > >> @@ -1,176 +0,0 @@ > >> -Backport patch to fix CVE-2020-25657. > >> - > >> -Upstream-Status: Backport [https://gitlab.com/m2crypto/m2crypto/-/commit/84c53958] > >> - > >> -Signed-off-by: Kai Kang <kai.kang@windriver.com> > >> - > >> -From 84c53958def0f510e92119fca14d74f94215827a Mon Sep 17 00:00:00 2001 > >> -From: =?UTF-8?q?Mat=C4=9Bj=20Cepl?= <mcepl@cepl.eu> > >> -Date: Tue, 28 Jun 2022 21:17:01 +0200 > >> -Subject: [PATCH] Mitigate the Bleichenbacher timing attacks in the RSA > >> - decryption API (CVE-2020-25657) > >> - > >> -Fixes #282 > >> ---- > >> - src/SWIG/_m2crypto_wrap.c | 20 ++++++++++++-------- > >> - src/SWIG/_rsa.i | 20 ++++++++++++-------- > >> - tests/test_rsa.py | 15 +++++++-------- > >> - 3 files changed, 31 insertions(+), 24 deletions(-) > >> - > >> -diff --git a/src/SWIG/_m2crypto_wrap.c b/src/SWIG/_m2crypto_wrap.c > >> -index aba9eb6d..a9f30da9 100644 > >> ---- a/src/SWIG/_m2crypto_wrap.c > >> -+++ b/src/SWIG/_m2crypto_wrap.c > >> -@@ -7040,9 +7040,10 @@ PyObject *rsa_private_encrypt(RSA *rsa, PyObject *from, int padding) { > >> - tlen = RSA_private_encrypt(flen, (unsigned char *)fbuf, > >> - (unsigned char *)tbuf, rsa, padding); > >> - if (tlen == -1) { > >> -- m2_PyErr_Msg(_rsa_err); > >> -+ ERR_clear_error(); > >> -+ PyErr_Clear(); > >> - PyMem_Free(tbuf); > >> -- return NULL; > >> -+ Py_RETURN_NONE; > >> - } > >> - > >> - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); > >> -@@ -7070,9 +7071,10 @@ PyObject *rsa_public_decrypt(RSA *rsa, PyObject *from, int padding) { > >> - tlen = RSA_public_decrypt(flen, (unsigned char *)fbuf, > >> - (unsigned char *)tbuf, rsa, padding); > >> - if (tlen == -1) { > >> -- m2_PyErr_Msg(_rsa_err); > >> -+ ERR_clear_error(); > >> -+ PyErr_Clear(); > >> - PyMem_Free(tbuf); > >> -- return NULL; > >> -+ Py_RETURN_NONE; > >> - } > >> - > >> - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); > >> -@@ -7097,9 +7099,10 @@ PyObject *rsa_public_encrypt(RSA *rsa, PyObject *from, int padding) { > >> - tlen = RSA_public_encrypt(flen, (unsigned char *)fbuf, > >> - (unsigned char *)tbuf, rsa, padding); > >> - if (tlen == -1) { > >> -- m2_PyErr_Msg(_rsa_err); > >> -+ ERR_clear_error(); > >> -+ PyErr_Clear(); > >> - PyMem_Free(tbuf); > >> -- return NULL; > >> -+ Py_RETURN_NONE; > >> - } > >> - > >> - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); > >> -@@ -7124,9 +7127,10 @@ PyObject *rsa_private_decrypt(RSA *rsa, PyObject *from, int padding) { > >> - tlen = RSA_private_decrypt(flen, (unsigned char *)fbuf, > >> - (unsigned char *)tbuf, rsa, padding); > >> - if (tlen == -1) { > >> -- m2_PyErr_Msg(_rsa_err); > >> -+ ERR_clear_error(); > >> -+ PyErr_Clear(); > >> - PyMem_Free(tbuf); > >> -- return NULL; > >> -+ Py_RETURN_NONE; > >> - } > >> - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); > >> - > >> -diff --git a/src/SWIG/_rsa.i b/src/SWIG/_rsa.i > >> -index bc714e01..1377b8be 100644 > >> ---- a/src/SWIG/_rsa.i > >> -+++ b/src/SWIG/_rsa.i > >> -@@ -239,9 +239,10 @@ PyObject *rsa_private_encrypt(RSA *rsa, PyObject *from, int padding) { > >> - tlen = RSA_private_encrypt(flen, (unsigned char *)fbuf, > >> - (unsigned char *)tbuf, rsa, padding); > >> - if (tlen == -1) { > >> -- m2_PyErr_Msg(_rsa_err); > >> -+ ERR_clear_error(); > >> -+ PyErr_Clear(); > >> - PyMem_Free(tbuf); > >> -- return NULL; > >> -+ Py_RETURN_NONE; > >> - } > >> - > >> - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); > >> -@@ -269,9 +270,10 @@ PyObject *rsa_public_decrypt(RSA *rsa, PyObject *from, int padding) { > >> - tlen = RSA_public_decrypt(flen, (unsigned char *)fbuf, > >> - (unsigned char *)tbuf, rsa, padding); > >> - if (tlen == -1) { > >> -- m2_PyErr_Msg(_rsa_err); > >> -+ ERR_clear_error(); > >> -+ PyErr_Clear(); > >> - PyMem_Free(tbuf); > >> -- return NULL; > >> -+ Py_RETURN_NONE; > >> - } > >> - > >> - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); > >> -@@ -296,9 +298,10 @@ PyObject *rsa_public_encrypt(RSA *rsa, PyObject *from, int padding) { > >> - tlen = RSA_public_encrypt(flen, (unsigned char *)fbuf, > >> - (unsigned char *)tbuf, rsa, padding); > >> - if (tlen == -1) { > >> -- m2_PyErr_Msg(_rsa_err); > >> -+ ERR_clear_error(); > >> -+ PyErr_Clear(); > >> - PyMem_Free(tbuf); > >> -- return NULL; > >> -+ Py_RETURN_NONE; > >> - } > >> - > >> - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); > >> -@@ -323,9 +326,10 @@ PyObject *rsa_private_decrypt(RSA *rsa, PyObject *from, int padding) { > >> - tlen = RSA_private_decrypt(flen, (unsigned char *)fbuf, > >> - (unsigned char *)tbuf, rsa, padding); > >> - if (tlen == -1) { > >> -- m2_PyErr_Msg(_rsa_err); > >> -+ ERR_clear_error(); > >> -+ PyErr_Clear(); > >> - PyMem_Free(tbuf); > >> -- return NULL; > >> -+ Py_RETURN_NONE; > >> - } > >> - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); > >> - > >> -diff --git a/tests/test_rsa.py b/tests/test_rsa.py > >> -index 7bb3af75..5e75d681 100644 > >> ---- a/tests/test_rsa.py > >> -+++ b/tests/test_rsa.py > >> -@@ -109,8 +109,9 @@ class RSATestCase(unittest.TestCase): > >> - # The other paddings. > >> - for padding in self.s_padding_nok: > >> - p = getattr(RSA, padding) > >> -- with self.assertRaises(RSA.RSAError): > >> -- priv.private_encrypt(self.data, p) > >> -+ # Exception disabled as a part of mitigation against CVE-2020-25657 > >> -+ # with self.assertRaises(RSA.RSAError): > >> -+ priv.private_encrypt(self.data, p) > >> - # Type-check the data to be encrypted. > >> - with self.assertRaises(TypeError): > >> - priv.private_encrypt(self.gen_callback, RSA.pkcs1_padding) > >> -@@ -127,10 +128,12 @@ class RSATestCase(unittest.TestCase): > >> - self.assertEqual(ptxt, self.data) > >> - > >> - # no_padding > >> -- with six.assertRaisesRegex(self, RSA.RSAError, 'data too small'): > >> -- priv.public_encrypt(self.data, RSA.no_padding) > >> -+ # Exception disabled as a part of mitigation against CVE-2020-25657 > >> -+ # with six.assertRaisesRegex(self, RSA.RSAError, 'data too small'): > >> -+ priv.public_encrypt(self.data, RSA.no_padding) > >> - > >> - # Type-check the data to be encrypted. > >> -+ # Exception disabled as a part of mitigation against CVE-2020-25657 > >> - with self.assertRaises(TypeError): > >> - priv.public_encrypt(self.gen_callback, RSA.pkcs1_padding) > >> - > >> -@@ -146,10 +149,6 @@ class RSATestCase(unittest.TestCase): > >> - b'\000\000\000\003\001\000\001') # aka 65537 aka 0xf4 > >> - with self.assertRaises(RSA.RSAError): > >> - setattr(rsa, 'e', '\000\000\000\003\001\000\001') > >> -- with self.assertRaises(RSA.RSAError): > >> -- rsa.private_encrypt(1) > >> -- with self.assertRaises(RSA.RSAError): > >> -- rsa.private_decrypt(1) > >> - assert rsa.check_key() > >> - > >> - def test_loadpub_bad(self): > >> --- > >> -GitLab > >> - > >> diff --git a/meta-python/recipes-devtools/python/python3-m2crypto_0.38.0.bb b/meta-python/recipes-devtools/python/python3-m2crypto_0.39.0.bb > >> similarity index 92% > >> rename from meta-python/recipes-devtools/python/python3-m2crypto_0.38.0.bb > >> rename to meta-python/recipes-devtools/python/python3-m2crypto_0.39.0.bb > >> index 40e3bfb316..3a4a700bf7 100644 > >> --- a/meta-python/recipes-devtools/python/python3-m2crypto_0.38.0.bb > >> +++ b/meta-python/recipes-devtools/python/python3-m2crypto_0.39.0.bb > >> @@ -10,9 +10,8 @@ SRC_URI += "file://0001-setup.py-link-in-sysroot-not-in-host-directories.patch \ > >> file://cross-compile-platform.patch \ > >> file://avoid-host-contamination.patch \ > >> file://0001-setup.py-address-openssl-3.x-build-issue.patch \ > >> - file://CVE-2020-25657.patch \ > >> " > >> -SRC_URI[sha256sum] = "99f2260a30901c949a8dc6d5f82cd5312ffb8abc92e76633baf231bbbcb2decb" > >> +SRC_URI[sha256sum] = "24c0f471358b8b19ad4c8aa9da12e868030b65c1fdb3279d006df60c9501338a" > >> > >> PYPI_PACKAGE = "M2Crypto" > >> inherit pypi siteinfo setuptools3 > >> -- > >> 2.41.0 > >> > >> > >> -=-=-=-=-=-=-=-=-=-=-=- > >> Links: You receive all messages sent to this group. > >> View/Reply Online (#104020): https://lists.openembedded.org/g/openembedded-devel/message/104020 > >> Mute This Topic: https://lists.openembedded.org/mt/100356779/1997914 > >> Group Owner: openembedded-devel+owner@lists.openembedded.org > >> Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [raj.khem@gmail.com] > >> -=-=-=-=-=-=-=-=-=-=-=- > >>
On 2023-08-02 16:44, Khem Raj wrote: > On Wed, Aug 2, 2023 at 12:23 PM Trevor Gamblin <tgamblin@baylibre.com> wrote: >> >> On 2023-07-30 21:03, Khem Raj wrote: >>> Hi Trevor >>> >>> I am seeing a failure on qemux86 on ubuntu 22.04 host and its fairly regular. >>> >>> https://errors.yoctoproject.org/Errors/Details/729506/ >>> >>> it seems rpmdeps is crashing with signal 9. I wonder if its something >>> to do with rpm changes we might have >>> got in core but, I can confirm that it was not an issue two weeks ago. >>> It worked ok on Jul 17th but broke on >>> Jul 27th CI builds. >> Missed this until now. I see it's been merged; is this still an issue? > yes it still is. Hmm, I can't seem to reproduce it yet. Do you want to revert the patch for now? >>> On Tue, Jul 25, 2023 at 12:09 PM Trevor Gamblin <tgamblin@baylibre.com> wrote: >>>> Remove the CVE-2020-25657 patch, as it is fixed in 0.39.0: >>>> >>>> [tgamblin@megalith m2crypto]$ git log --oneline --grep="CVE-2020-25657" >>>> 84c5395 Mitigate the Bleichenbacher timing attacks in the RSA decryption API (CVE-2020-25657) >>>> [tgamblin@megalith m2crypto]$ git tag --contains 84c53958def0f510e92119fca14d74f94215827a >>>> 0.39.0 >>>> >>>> Changelog (https://gitlab.com/m2crypto/m2crypto/-/blob/master/CHANGES?ref_type=heads): >>>> >>>> 0.39.0 - 2023-01-31 >>>> ------------------- >>>> >>>> - SUPPORT FOR PYTHON 2 HAS BEEN DEPRECATED AND IT WILL BE >>>> COMPLETELY REMOVED IN THE NEXT RELEASE. >>>> - Remove dependency on parameterized and use unittest.subTest >>>> instead. >>>> - Upgrade embedded six.py module to 1.16.0 (really tiny >>>> inconsequential changes). >>>> - Make tests working on MacOS again (test_bio_membuf: Use fork) >>>> - Use OpenSSL_version_num() instead of unrealiable parsing of .h >>>> file. >>>> - Mitigate the Bleichenbacher timing attacks in the RSA >>>> decryption API (CVE-2020-25657) >>>> - Add functionality to extract EC key from public key + Update >>>> tests >>>> - Worked around compatibility issues with OpenSSL 3.* >>>> - Support for Twisted has been deprecated (they have their own >>>> SSL support anyway). >>>> - Generate TAP while testing. >>>> - Stop using GitHub for testing. >>>> - Accept a small deviation from time in the testsuite (for >>>> systems with non-standard HZ kernel parameter). >>>> - Use the default BIO.__del__ rather tha overriding in BIO.File >>>> (avoid a memleak). >>>> - Resolve "X509_Name.as_der() method from X509.py -> class >>>> X509_Name caused segmentation fault" >>>> >>>> Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com> >>>> --- >>>> .../python3-m2crypto/CVE-2020-25657.patch | 176 ------------------ >>>> ...o_0.38.0.bb => python3-m2crypto_0.39.0.bb} | 3 +- >>>> 2 files changed, 1 insertion(+), 178 deletions(-) >>>> delete mode 100644 meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch >>>> rename meta-python/recipes-devtools/python/{python3-m2crypto_0.38.0.bb => python3-m2crypto_0.39.0.bb} (92%) >>>> >>>> diff --git a/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch b/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch >>>> deleted file mode 100644 >>>> index 38ecd7a276..0000000000 >>>> --- a/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch >>>> +++ /dev/null >>>> @@ -1,176 +0,0 @@ >>>> -Backport patch to fix CVE-2020-25657. >>>> - >>>> -Upstream-Status: Backport [https://gitlab.com/m2crypto/m2crypto/-/commit/84c53958] >>>> - >>>> -Signed-off-by: Kai Kang <kai.kang@windriver.com> >>>> - >>>> -From 84c53958def0f510e92119fca14d74f94215827a Mon Sep 17 00:00:00 2001 >>>> -From: =?UTF-8?q?Mat=C4=9Bj=20Cepl?= <mcepl@cepl.eu> >>>> -Date: Tue, 28 Jun 2022 21:17:01 +0200 >>>> -Subject: [PATCH] Mitigate the Bleichenbacher timing attacks in the RSA >>>> - decryption API (CVE-2020-25657) >>>> - >>>> -Fixes #282 >>>> ---- >>>> - src/SWIG/_m2crypto_wrap.c | 20 ++++++++++++-------- >>>> - src/SWIG/_rsa.i | 20 ++++++++++++-------- >>>> - tests/test_rsa.py | 15 +++++++-------- >>>> - 3 files changed, 31 insertions(+), 24 deletions(-) >>>> - >>>> -diff --git a/src/SWIG/_m2crypto_wrap.c b/src/SWIG/_m2crypto_wrap.c >>>> -index aba9eb6d..a9f30da9 100644 >>>> ---- a/src/SWIG/_m2crypto_wrap.c >>>> -+++ b/src/SWIG/_m2crypto_wrap.c >>>> -@@ -7040,9 +7040,10 @@ PyObject *rsa_private_encrypt(RSA *rsa, PyObject *from, int padding) { >>>> - tlen = RSA_private_encrypt(flen, (unsigned char *)fbuf, >>>> - (unsigned char *)tbuf, rsa, padding); >>>> - if (tlen == -1) { >>>> -- m2_PyErr_Msg(_rsa_err); >>>> -+ ERR_clear_error(); >>>> -+ PyErr_Clear(); >>>> - PyMem_Free(tbuf); >>>> -- return NULL; >>>> -+ Py_RETURN_NONE; >>>> - } >>>> - >>>> - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); >>>> -@@ -7070,9 +7071,10 @@ PyObject *rsa_public_decrypt(RSA *rsa, PyObject *from, int padding) { >>>> - tlen = RSA_public_decrypt(flen, (unsigned char *)fbuf, >>>> - (unsigned char *)tbuf, rsa, padding); >>>> - if (tlen == -1) { >>>> -- m2_PyErr_Msg(_rsa_err); >>>> -+ ERR_clear_error(); >>>> -+ PyErr_Clear(); >>>> - PyMem_Free(tbuf); >>>> -- return NULL; >>>> -+ Py_RETURN_NONE; >>>> - } >>>> - >>>> - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); >>>> -@@ -7097,9 +7099,10 @@ PyObject *rsa_public_encrypt(RSA *rsa, PyObject *from, int padding) { >>>> - tlen = RSA_public_encrypt(flen, (unsigned char *)fbuf, >>>> - (unsigned char *)tbuf, rsa, padding); >>>> - if (tlen == -1) { >>>> -- m2_PyErr_Msg(_rsa_err); >>>> -+ ERR_clear_error(); >>>> -+ PyErr_Clear(); >>>> - PyMem_Free(tbuf); >>>> -- return NULL; >>>> -+ Py_RETURN_NONE; >>>> - } >>>> - >>>> - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); >>>> -@@ -7124,9 +7127,10 @@ PyObject *rsa_private_decrypt(RSA *rsa, PyObject *from, int padding) { >>>> - tlen = RSA_private_decrypt(flen, (unsigned char *)fbuf, >>>> - (unsigned char *)tbuf, rsa, padding); >>>> - if (tlen == -1) { >>>> -- m2_PyErr_Msg(_rsa_err); >>>> -+ ERR_clear_error(); >>>> -+ PyErr_Clear(); >>>> - PyMem_Free(tbuf); >>>> -- return NULL; >>>> -+ Py_RETURN_NONE; >>>> - } >>>> - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); >>>> - >>>> -diff --git a/src/SWIG/_rsa.i b/src/SWIG/_rsa.i >>>> -index bc714e01..1377b8be 100644 >>>> ---- a/src/SWIG/_rsa.i >>>> -+++ b/src/SWIG/_rsa.i >>>> -@@ -239,9 +239,10 @@ PyObject *rsa_private_encrypt(RSA *rsa, PyObject *from, int padding) { >>>> - tlen = RSA_private_encrypt(flen, (unsigned char *)fbuf, >>>> - (unsigned char *)tbuf, rsa, padding); >>>> - if (tlen == -1) { >>>> -- m2_PyErr_Msg(_rsa_err); >>>> -+ ERR_clear_error(); >>>> -+ PyErr_Clear(); >>>> - PyMem_Free(tbuf); >>>> -- return NULL; >>>> -+ Py_RETURN_NONE; >>>> - } >>>> - >>>> - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); >>>> -@@ -269,9 +270,10 @@ PyObject *rsa_public_decrypt(RSA *rsa, PyObject *from, int padding) { >>>> - tlen = RSA_public_decrypt(flen, (unsigned char *)fbuf, >>>> - (unsigned char *)tbuf, rsa, padding); >>>> - if (tlen == -1) { >>>> -- m2_PyErr_Msg(_rsa_err); >>>> -+ ERR_clear_error(); >>>> -+ PyErr_Clear(); >>>> - PyMem_Free(tbuf); >>>> -- return NULL; >>>> -+ Py_RETURN_NONE; >>>> - } >>>> - >>>> - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); >>>> -@@ -296,9 +298,10 @@ PyObject *rsa_public_encrypt(RSA *rsa, PyObject *from, int padding) { >>>> - tlen = RSA_public_encrypt(flen, (unsigned char *)fbuf, >>>> - (unsigned char *)tbuf, rsa, padding); >>>> - if (tlen == -1) { >>>> -- m2_PyErr_Msg(_rsa_err); >>>> -+ ERR_clear_error(); >>>> -+ PyErr_Clear(); >>>> - PyMem_Free(tbuf); >>>> -- return NULL; >>>> -+ Py_RETURN_NONE; >>>> - } >>>> - >>>> - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); >>>> -@@ -323,9 +326,10 @@ PyObject *rsa_private_decrypt(RSA *rsa, PyObject *from, int padding) { >>>> - tlen = RSA_private_decrypt(flen, (unsigned char *)fbuf, >>>> - (unsigned char *)tbuf, rsa, padding); >>>> - if (tlen == -1) { >>>> -- m2_PyErr_Msg(_rsa_err); >>>> -+ ERR_clear_error(); >>>> -+ PyErr_Clear(); >>>> - PyMem_Free(tbuf); >>>> -- return NULL; >>>> -+ Py_RETURN_NONE; >>>> - } >>>> - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); >>>> - >>>> -diff --git a/tests/test_rsa.py b/tests/test_rsa.py >>>> -index 7bb3af75..5e75d681 100644 >>>> ---- a/tests/test_rsa.py >>>> -+++ b/tests/test_rsa.py >>>> -@@ -109,8 +109,9 @@ class RSATestCase(unittest.TestCase): >>>> - # The other paddings. >>>> - for padding in self.s_padding_nok: >>>> - p = getattr(RSA, padding) >>>> -- with self.assertRaises(RSA.RSAError): >>>> -- priv.private_encrypt(self.data, p) >>>> -+ # Exception disabled as a part of mitigation against CVE-2020-25657 >>>> -+ # with self.assertRaises(RSA.RSAError): >>>> -+ priv.private_encrypt(self.data, p) >>>> - # Type-check the data to be encrypted. >>>> - with self.assertRaises(TypeError): >>>> - priv.private_encrypt(self.gen_callback, RSA.pkcs1_padding) >>>> -@@ -127,10 +128,12 @@ class RSATestCase(unittest.TestCase): >>>> - self.assertEqual(ptxt, self.data) >>>> - >>>> - # no_padding >>>> -- with six.assertRaisesRegex(self, RSA.RSAError, 'data too small'): >>>> -- priv.public_encrypt(self.data, RSA.no_padding) >>>> -+ # Exception disabled as a part of mitigation against CVE-2020-25657 >>>> -+ # with six.assertRaisesRegex(self, RSA.RSAError, 'data too small'): >>>> -+ priv.public_encrypt(self.data, RSA.no_padding) >>>> - >>>> - # Type-check the data to be encrypted. >>>> -+ # Exception disabled as a part of mitigation against CVE-2020-25657 >>>> - with self.assertRaises(TypeError): >>>> - priv.public_encrypt(self.gen_callback, RSA.pkcs1_padding) >>>> - >>>> -@@ -146,10 +149,6 @@ class RSATestCase(unittest.TestCase): >>>> - b'\000\000\000\003\001\000\001') # aka 65537 aka 0xf4 >>>> - with self.assertRaises(RSA.RSAError): >>>> - setattr(rsa, 'e', '\000\000\000\003\001\000\001') >>>> -- with self.assertRaises(RSA.RSAError): >>>> -- rsa.private_encrypt(1) >>>> -- with self.assertRaises(RSA.RSAError): >>>> -- rsa.private_decrypt(1) >>>> - assert rsa.check_key() >>>> - >>>> - def test_loadpub_bad(self): >>>> --- >>>> -GitLab >>>> - >>>> diff --git a/meta-python/recipes-devtools/python/python3-m2crypto_0.38.0.bb b/meta-python/recipes-devtools/python/python3-m2crypto_0.39.0.bb >>>> similarity index 92% >>>> rename from meta-python/recipes-devtools/python/python3-m2crypto_0.38.0.bb >>>> rename to meta-python/recipes-devtools/python/python3-m2crypto_0.39.0.bb >>>> index 40e3bfb316..3a4a700bf7 100644 >>>> --- a/meta-python/recipes-devtools/python/python3-m2crypto_0.38.0.bb >>>> +++ b/meta-python/recipes-devtools/python/python3-m2crypto_0.39.0.bb >>>> @@ -10,9 +10,8 @@ SRC_URI += "file://0001-setup.py-link-in-sysroot-not-in-host-directories.patch \ >>>> file://cross-compile-platform.patch \ >>>> file://avoid-host-contamination.patch \ >>>> file://0001-setup.py-address-openssl-3.x-build-issue.patch \ >>>> - file://CVE-2020-25657.patch \ >>>> " >>>> -SRC_URI[sha256sum] = "99f2260a30901c949a8dc6d5f82cd5312ffb8abc92e76633baf231bbbcb2decb" >>>> +SRC_URI[sha256sum] = "24c0f471358b8b19ad4c8aa9da12e868030b65c1fdb3279d006df60c9501338a" >>>> >>>> PYPI_PACKAGE = "M2Crypto" >>>> inherit pypi siteinfo setuptools3 >>>> -- >>>> 2.41.0 >>>> >>>> >>>> -=-=-=-=-=-=-=-=-=-=-=- >>>> Links: You receive all messages sent to this group. >>>> View/Reply Online (#104020): https://lists.openembedded.org/g/openembedded-devel/message/104020 >>>> Mute This Topic: https://lists.openembedded.org/mt/100356779/1997914 >>>> Group Owner: openembedded-devel+owner@lists.openembedded.org >>>> Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [raj.khem@gmail.com] >>>> -=-=-=-=-=-=-=-=-=-=-=- >>>>
On Thu, Aug 3, 2023 at 7:07 AM Trevor Gamblin <tgamblin@baylibre.com> wrote: > > > On 2023-08-02 16:44, Khem Raj wrote: > > On Wed, Aug 2, 2023 at 12:23 PM Trevor Gamblin <tgamblin@baylibre.com> wrote: > >> > >> On 2023-07-30 21:03, Khem Raj wrote: > >>> Hi Trevor > >>> > >>> I am seeing a failure on qemux86 on ubuntu 22.04 host and its fairly regular. > >>> > >>> https://errors.yoctoproject.org/Errors/Details/729506/ > >>> > >>> it seems rpmdeps is crashing with signal 9. I wonder if its something > >>> to do with rpm changes we might have > >>> got in core but, I can confirm that it was not an issue two weeks ago. > >>> It worked ok on Jul 17th but broke on > >>> Jul 27th CI builds. > >> Missed this until now. I see it's been merged; is this still an issue? > > yes it still is. > Hmm, I can't seem to reproduce it yet. Do you want to revert the patch > for now? A reboot of the builder has fixed this issue. I am bemused. > >>> On Tue, Jul 25, 2023 at 12:09 PM Trevor Gamblin <tgamblin@baylibre.com> wrote: > >>>> Remove the CVE-2020-25657 patch, as it is fixed in 0.39.0: > >>>> > >>>> [tgamblin@megalith m2crypto]$ git log --oneline --grep="CVE-2020-25657" > >>>> 84c5395 Mitigate the Bleichenbacher timing attacks in the RSA decryption API (CVE-2020-25657) > >>>> [tgamblin@megalith m2crypto]$ git tag --contains 84c53958def0f510e92119fca14d74f94215827a > >>>> 0.39.0 > >>>> > >>>> Changelog (https://gitlab.com/m2crypto/m2crypto/-/blob/master/CHANGES?ref_type=heads): > >>>> > >>>> 0.39.0 - 2023-01-31 > >>>> ------------------- > >>>> > >>>> - SUPPORT FOR PYTHON 2 HAS BEEN DEPRECATED AND IT WILL BE > >>>> COMPLETELY REMOVED IN THE NEXT RELEASE. > >>>> - Remove dependency on parameterized and use unittest.subTest > >>>> instead. > >>>> - Upgrade embedded six.py module to 1.16.0 (really tiny > >>>> inconsequential changes). > >>>> - Make tests working on MacOS again (test_bio_membuf: Use fork) > >>>> - Use OpenSSL_version_num() instead of unrealiable parsing of .h > >>>> file. > >>>> - Mitigate the Bleichenbacher timing attacks in the RSA > >>>> decryption API (CVE-2020-25657) > >>>> - Add functionality to extract EC key from public key + Update > >>>> tests > >>>> - Worked around compatibility issues with OpenSSL 3.* > >>>> - Support for Twisted has been deprecated (they have their own > >>>> SSL support anyway). > >>>> - Generate TAP while testing. > >>>> - Stop using GitHub for testing. > >>>> - Accept a small deviation from time in the testsuite (for > >>>> systems with non-standard HZ kernel parameter). > >>>> - Use the default BIO.__del__ rather tha overriding in BIO.File > >>>> (avoid a memleak). > >>>> - Resolve "X509_Name.as_der() method from X509.py -> class > >>>> X509_Name caused segmentation fault" > >>>> > >>>> Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com> > >>>> --- > >>>> .../python3-m2crypto/CVE-2020-25657.patch | 176 ------------------ > >>>> ...o_0.38.0.bb => python3-m2crypto_0.39.0.bb} | 3 +- > >>>> 2 files changed, 1 insertion(+), 178 deletions(-) > >>>> delete mode 100644 meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch > >>>> rename meta-python/recipes-devtools/python/{python3-m2crypto_0.38.0.bb => python3-m2crypto_0.39.0.bb} (92%) > >>>> > >>>> diff --git a/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch b/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch > >>>> deleted file mode 100644 > >>>> index 38ecd7a276..0000000000 > >>>> --- a/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch > >>>> +++ /dev/null > >>>> @@ -1,176 +0,0 @@ > >>>> -Backport patch to fix CVE-2020-25657. > >>>> - > >>>> -Upstream-Status: Backport [https://gitlab.com/m2crypto/m2crypto/-/commit/84c53958] > >>>> - > >>>> -Signed-off-by: Kai Kang <kai.kang@windriver.com> > >>>> - > >>>> -From 84c53958def0f510e92119fca14d74f94215827a Mon Sep 17 00:00:00 2001 > >>>> -From: =?UTF-8?q?Mat=C4=9Bj=20Cepl?= <mcepl@cepl.eu> > >>>> -Date: Tue, 28 Jun 2022 21:17:01 +0200 > >>>> -Subject: [PATCH] Mitigate the Bleichenbacher timing attacks in the RSA > >>>> - decryption API (CVE-2020-25657) > >>>> - > >>>> -Fixes #282 > >>>> ---- > >>>> - src/SWIG/_m2crypto_wrap.c | 20 ++++++++++++-------- > >>>> - src/SWIG/_rsa.i | 20 ++++++++++++-------- > >>>> - tests/test_rsa.py | 15 +++++++-------- > >>>> - 3 files changed, 31 insertions(+), 24 deletions(-) > >>>> - > >>>> -diff --git a/src/SWIG/_m2crypto_wrap.c b/src/SWIG/_m2crypto_wrap.c > >>>> -index aba9eb6d..a9f30da9 100644 > >>>> ---- a/src/SWIG/_m2crypto_wrap.c > >>>> -+++ b/src/SWIG/_m2crypto_wrap.c > >>>> -@@ -7040,9 +7040,10 @@ PyObject *rsa_private_encrypt(RSA *rsa, PyObject *from, int padding) { > >>>> - tlen = RSA_private_encrypt(flen, (unsigned char *)fbuf, > >>>> - (unsigned char *)tbuf, rsa, padding); > >>>> - if (tlen == -1) { > >>>> -- m2_PyErr_Msg(_rsa_err); > >>>> -+ ERR_clear_error(); > >>>> -+ PyErr_Clear(); > >>>> - PyMem_Free(tbuf); > >>>> -- return NULL; > >>>> -+ Py_RETURN_NONE; > >>>> - } > >>>> - > >>>> - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); > >>>> -@@ -7070,9 +7071,10 @@ PyObject *rsa_public_decrypt(RSA *rsa, PyObject *from, int padding) { > >>>> - tlen = RSA_public_decrypt(flen, (unsigned char *)fbuf, > >>>> - (unsigned char *)tbuf, rsa, padding); > >>>> - if (tlen == -1) { > >>>> -- m2_PyErr_Msg(_rsa_err); > >>>> -+ ERR_clear_error(); > >>>> -+ PyErr_Clear(); > >>>> - PyMem_Free(tbuf); > >>>> -- return NULL; > >>>> -+ Py_RETURN_NONE; > >>>> - } > >>>> - > >>>> - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); > >>>> -@@ -7097,9 +7099,10 @@ PyObject *rsa_public_encrypt(RSA *rsa, PyObject *from, int padding) { > >>>> - tlen = RSA_public_encrypt(flen, (unsigned char *)fbuf, > >>>> - (unsigned char *)tbuf, rsa, padding); > >>>> - if (tlen == -1) { > >>>> -- m2_PyErr_Msg(_rsa_err); > >>>> -+ ERR_clear_error(); > >>>> -+ PyErr_Clear(); > >>>> - PyMem_Free(tbuf); > >>>> -- return NULL; > >>>> -+ Py_RETURN_NONE; > >>>> - } > >>>> - > >>>> - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); > >>>> -@@ -7124,9 +7127,10 @@ PyObject *rsa_private_decrypt(RSA *rsa, PyObject *from, int padding) { > >>>> - tlen = RSA_private_decrypt(flen, (unsigned char *)fbuf, > >>>> - (unsigned char *)tbuf, rsa, padding); > >>>> - if (tlen == -1) { > >>>> -- m2_PyErr_Msg(_rsa_err); > >>>> -+ ERR_clear_error(); > >>>> -+ PyErr_Clear(); > >>>> - PyMem_Free(tbuf); > >>>> -- return NULL; > >>>> -+ Py_RETURN_NONE; > >>>> - } > >>>> - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); > >>>> - > >>>> -diff --git a/src/SWIG/_rsa.i b/src/SWIG/_rsa.i > >>>> -index bc714e01..1377b8be 100644 > >>>> ---- a/src/SWIG/_rsa.i > >>>> -+++ b/src/SWIG/_rsa.i > >>>> -@@ -239,9 +239,10 @@ PyObject *rsa_private_encrypt(RSA *rsa, PyObject *from, int padding) { > >>>> - tlen = RSA_private_encrypt(flen, (unsigned char *)fbuf, > >>>> - (unsigned char *)tbuf, rsa, padding); > >>>> - if (tlen == -1) { > >>>> -- m2_PyErr_Msg(_rsa_err); > >>>> -+ ERR_clear_error(); > >>>> -+ PyErr_Clear(); > >>>> - PyMem_Free(tbuf); > >>>> -- return NULL; > >>>> -+ Py_RETURN_NONE; > >>>> - } > >>>> - > >>>> - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); > >>>> -@@ -269,9 +270,10 @@ PyObject *rsa_public_decrypt(RSA *rsa, PyObject *from, int padding) { > >>>> - tlen = RSA_public_decrypt(flen, (unsigned char *)fbuf, > >>>> - (unsigned char *)tbuf, rsa, padding); > >>>> - if (tlen == -1) { > >>>> -- m2_PyErr_Msg(_rsa_err); > >>>> -+ ERR_clear_error(); > >>>> -+ PyErr_Clear(); > >>>> - PyMem_Free(tbuf); > >>>> -- return NULL; > >>>> -+ Py_RETURN_NONE; > >>>> - } > >>>> - > >>>> - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); > >>>> -@@ -296,9 +298,10 @@ PyObject *rsa_public_encrypt(RSA *rsa, PyObject *from, int padding) { > >>>> - tlen = RSA_public_encrypt(flen, (unsigned char *)fbuf, > >>>> - (unsigned char *)tbuf, rsa, padding); > >>>> - if (tlen == -1) { > >>>> -- m2_PyErr_Msg(_rsa_err); > >>>> -+ ERR_clear_error(); > >>>> -+ PyErr_Clear(); > >>>> - PyMem_Free(tbuf); > >>>> -- return NULL; > >>>> -+ Py_RETURN_NONE; > >>>> - } > >>>> - > >>>> - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); > >>>> -@@ -323,9 +326,10 @@ PyObject *rsa_private_decrypt(RSA *rsa, PyObject *from, int padding) { > >>>> - tlen = RSA_private_decrypt(flen, (unsigned char *)fbuf, > >>>> - (unsigned char *)tbuf, rsa, padding); > >>>> - if (tlen == -1) { > >>>> -- m2_PyErr_Msg(_rsa_err); > >>>> -+ ERR_clear_error(); > >>>> -+ PyErr_Clear(); > >>>> - PyMem_Free(tbuf); > >>>> -- return NULL; > >>>> -+ Py_RETURN_NONE; > >>>> - } > >>>> - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); > >>>> - > >>>> -diff --git a/tests/test_rsa.py b/tests/test_rsa.py > >>>> -index 7bb3af75..5e75d681 100644 > >>>> ---- a/tests/test_rsa.py > >>>> -+++ b/tests/test_rsa.py > >>>> -@@ -109,8 +109,9 @@ class RSATestCase(unittest.TestCase): > >>>> - # The other paddings. > >>>> - for padding in self.s_padding_nok: > >>>> - p = getattr(RSA, padding) > >>>> -- with self.assertRaises(RSA.RSAError): > >>>> -- priv.private_encrypt(self.data, p) > >>>> -+ # Exception disabled as a part of mitigation against CVE-2020-25657 > >>>> -+ # with self.assertRaises(RSA.RSAError): > >>>> -+ priv.private_encrypt(self.data, p) > >>>> - # Type-check the data to be encrypted. > >>>> - with self.assertRaises(TypeError): > >>>> - priv.private_encrypt(self.gen_callback, RSA.pkcs1_padding) > >>>> -@@ -127,10 +128,12 @@ class RSATestCase(unittest.TestCase): > >>>> - self.assertEqual(ptxt, self.data) > >>>> - > >>>> - # no_padding > >>>> -- with six.assertRaisesRegex(self, RSA.RSAError, 'data too small'): > >>>> -- priv.public_encrypt(self.data, RSA.no_padding) > >>>> -+ # Exception disabled as a part of mitigation against CVE-2020-25657 > >>>> -+ # with six.assertRaisesRegex(self, RSA.RSAError, 'data too small'): > >>>> -+ priv.public_encrypt(self.data, RSA.no_padding) > >>>> - > >>>> - # Type-check the data to be encrypted. > >>>> -+ # Exception disabled as a part of mitigation against CVE-2020-25657 > >>>> - with self.assertRaises(TypeError): > >>>> - priv.public_encrypt(self.gen_callback, RSA.pkcs1_padding) > >>>> - > >>>> -@@ -146,10 +149,6 @@ class RSATestCase(unittest.TestCase): > >>>> - b'\000\000\000\003\001\000\001') # aka 65537 aka 0xf4 > >>>> - with self.assertRaises(RSA.RSAError): > >>>> - setattr(rsa, 'e', '\000\000\000\003\001\000\001') > >>>> -- with self.assertRaises(RSA.RSAError): > >>>> -- rsa.private_encrypt(1) > >>>> -- with self.assertRaises(RSA.RSAError): > >>>> -- rsa.private_decrypt(1) > >>>> - assert rsa.check_key() > >>>> - > >>>> - def test_loadpub_bad(self): > >>>> --- > >>>> -GitLab > >>>> - > >>>> diff --git a/meta-python/recipes-devtools/python/python3-m2crypto_0.38.0.bb b/meta-python/recipes-devtools/python/python3-m2crypto_0.39.0.bb > >>>> similarity index 92% > >>>> rename from meta-python/recipes-devtools/python/python3-m2crypto_0.38.0.bb > >>>> rename to meta-python/recipes-devtools/python/python3-m2crypto_0.39.0.bb > >>>> index 40e3bfb316..3a4a700bf7 100644 > >>>> --- a/meta-python/recipes-devtools/python/python3-m2crypto_0.38.0.bb > >>>> +++ b/meta-python/recipes-devtools/python/python3-m2crypto_0.39.0.bb > >>>> @@ -10,9 +10,8 @@ SRC_URI += "file://0001-setup.py-link-in-sysroot-not-in-host-directories.patch \ > >>>> file://cross-compile-platform.patch \ > >>>> file://avoid-host-contamination.patch \ > >>>> file://0001-setup.py-address-openssl-3.x-build-issue.patch \ > >>>> - file://CVE-2020-25657.patch \ > >>>> " > >>>> -SRC_URI[sha256sum] = "99f2260a30901c949a8dc6d5f82cd5312ffb8abc92e76633baf231bbbcb2decb" > >>>> +SRC_URI[sha256sum] = "24c0f471358b8b19ad4c8aa9da12e868030b65c1fdb3279d006df60c9501338a" > >>>> > >>>> PYPI_PACKAGE = "M2Crypto" > >>>> inherit pypi siteinfo setuptools3 > >>>> -- > >>>> 2.41.0 > >>>> > >>>> > >>>> -=-=-=-=-=-=-=-=-=-=-=- > >>>> Links: You receive all messages sent to this group. > >>>> View/Reply Online (#104020): https://lists.openembedded.org/g/openembedded-devel/message/104020 > >>>> Mute This Topic: https://lists.openembedded.org/mt/100356779/1997914 > >>>> Group Owner: openembedded-devel+owner@lists.openembedded.org > >>>> Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [raj.khem@gmail.com] > >>>> -=-=-=-=-=-=-=-=-=-=-=- > >>>>
diff --git a/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch b/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch deleted file mode 100644 index 38ecd7a276..0000000000 --- a/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch +++ /dev/null @@ -1,176 +0,0 @@ -Backport patch to fix CVE-2020-25657. - -Upstream-Status: Backport [https://gitlab.com/m2crypto/m2crypto/-/commit/84c53958] - -Signed-off-by: Kai Kang <kai.kang@windriver.com> - -From 84c53958def0f510e92119fca14d74f94215827a Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C4=9Bj=20Cepl?= <mcepl@cepl.eu> -Date: Tue, 28 Jun 2022 21:17:01 +0200 -Subject: [PATCH] Mitigate the Bleichenbacher timing attacks in the RSA - decryption API (CVE-2020-25657) - -Fixes #282 ---- - src/SWIG/_m2crypto_wrap.c | 20 ++++++++++++-------- - src/SWIG/_rsa.i | 20 ++++++++++++-------- - tests/test_rsa.py | 15 +++++++-------- - 3 files changed, 31 insertions(+), 24 deletions(-) - -diff --git a/src/SWIG/_m2crypto_wrap.c b/src/SWIG/_m2crypto_wrap.c -index aba9eb6d..a9f30da9 100644 ---- a/src/SWIG/_m2crypto_wrap.c -+++ b/src/SWIG/_m2crypto_wrap.c -@@ -7040,9 +7040,10 @@ PyObject *rsa_private_encrypt(RSA *rsa, PyObject *from, int padding) { - tlen = RSA_private_encrypt(flen, (unsigned char *)fbuf, - (unsigned char *)tbuf, rsa, padding); - if (tlen == -1) { -- m2_PyErr_Msg(_rsa_err); -+ ERR_clear_error(); -+ PyErr_Clear(); - PyMem_Free(tbuf); -- return NULL; -+ Py_RETURN_NONE; - } - - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); -@@ -7070,9 +7071,10 @@ PyObject *rsa_public_decrypt(RSA *rsa, PyObject *from, int padding) { - tlen = RSA_public_decrypt(flen, (unsigned char *)fbuf, - (unsigned char *)tbuf, rsa, padding); - if (tlen == -1) { -- m2_PyErr_Msg(_rsa_err); -+ ERR_clear_error(); -+ PyErr_Clear(); - PyMem_Free(tbuf); -- return NULL; -+ Py_RETURN_NONE; - } - - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); -@@ -7097,9 +7099,10 @@ PyObject *rsa_public_encrypt(RSA *rsa, PyObject *from, int padding) { - tlen = RSA_public_encrypt(flen, (unsigned char *)fbuf, - (unsigned char *)tbuf, rsa, padding); - if (tlen == -1) { -- m2_PyErr_Msg(_rsa_err); -+ ERR_clear_error(); -+ PyErr_Clear(); - PyMem_Free(tbuf); -- return NULL; -+ Py_RETURN_NONE; - } - - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); -@@ -7124,9 +7127,10 @@ PyObject *rsa_private_decrypt(RSA *rsa, PyObject *from, int padding) { - tlen = RSA_private_decrypt(flen, (unsigned char *)fbuf, - (unsigned char *)tbuf, rsa, padding); - if (tlen == -1) { -- m2_PyErr_Msg(_rsa_err); -+ ERR_clear_error(); -+ PyErr_Clear(); - PyMem_Free(tbuf); -- return NULL; -+ Py_RETURN_NONE; - } - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); - -diff --git a/src/SWIG/_rsa.i b/src/SWIG/_rsa.i -index bc714e01..1377b8be 100644 ---- a/src/SWIG/_rsa.i -+++ b/src/SWIG/_rsa.i -@@ -239,9 +239,10 @@ PyObject *rsa_private_encrypt(RSA *rsa, PyObject *from, int padding) { - tlen = RSA_private_encrypt(flen, (unsigned char *)fbuf, - (unsigned char *)tbuf, rsa, padding); - if (tlen == -1) { -- m2_PyErr_Msg(_rsa_err); -+ ERR_clear_error(); -+ PyErr_Clear(); - PyMem_Free(tbuf); -- return NULL; -+ Py_RETURN_NONE; - } - - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); -@@ -269,9 +270,10 @@ PyObject *rsa_public_decrypt(RSA *rsa, PyObject *from, int padding) { - tlen = RSA_public_decrypt(flen, (unsigned char *)fbuf, - (unsigned char *)tbuf, rsa, padding); - if (tlen == -1) { -- m2_PyErr_Msg(_rsa_err); -+ ERR_clear_error(); -+ PyErr_Clear(); - PyMem_Free(tbuf); -- return NULL; -+ Py_RETURN_NONE; - } - - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); -@@ -296,9 +298,10 @@ PyObject *rsa_public_encrypt(RSA *rsa, PyObject *from, int padding) { - tlen = RSA_public_encrypt(flen, (unsigned char *)fbuf, - (unsigned char *)tbuf, rsa, padding); - if (tlen == -1) { -- m2_PyErr_Msg(_rsa_err); -+ ERR_clear_error(); -+ PyErr_Clear(); - PyMem_Free(tbuf); -- return NULL; -+ Py_RETURN_NONE; - } - - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); -@@ -323,9 +326,10 @@ PyObject *rsa_private_decrypt(RSA *rsa, PyObject *from, int padding) { - tlen = RSA_private_decrypt(flen, (unsigned char *)fbuf, - (unsigned char *)tbuf, rsa, padding); - if (tlen == -1) { -- m2_PyErr_Msg(_rsa_err); -+ ERR_clear_error(); -+ PyErr_Clear(); - PyMem_Free(tbuf); -- return NULL; -+ Py_RETURN_NONE; - } - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); - -diff --git a/tests/test_rsa.py b/tests/test_rsa.py -index 7bb3af75..5e75d681 100644 ---- a/tests/test_rsa.py -+++ b/tests/test_rsa.py -@@ -109,8 +109,9 @@ class RSATestCase(unittest.TestCase): - # The other paddings. - for padding in self.s_padding_nok: - p = getattr(RSA, padding) -- with self.assertRaises(RSA.RSAError): -- priv.private_encrypt(self.data, p) -+ # Exception disabled as a part of mitigation against CVE-2020-25657 -+ # with self.assertRaises(RSA.RSAError): -+ priv.private_encrypt(self.data, p) - # Type-check the data to be encrypted. - with self.assertRaises(TypeError): - priv.private_encrypt(self.gen_callback, RSA.pkcs1_padding) -@@ -127,10 +128,12 @@ class RSATestCase(unittest.TestCase): - self.assertEqual(ptxt, self.data) - - # no_padding -- with six.assertRaisesRegex(self, RSA.RSAError, 'data too small'): -- priv.public_encrypt(self.data, RSA.no_padding) -+ # Exception disabled as a part of mitigation against CVE-2020-25657 -+ # with six.assertRaisesRegex(self, RSA.RSAError, 'data too small'): -+ priv.public_encrypt(self.data, RSA.no_padding) - - # Type-check the data to be encrypted. -+ # Exception disabled as a part of mitigation against CVE-2020-25657 - with self.assertRaises(TypeError): - priv.public_encrypt(self.gen_callback, RSA.pkcs1_padding) - -@@ -146,10 +149,6 @@ class RSATestCase(unittest.TestCase): - b'\000\000\000\003\001\000\001') # aka 65537 aka 0xf4 - with self.assertRaises(RSA.RSAError): - setattr(rsa, 'e', '\000\000\000\003\001\000\001') -- with self.assertRaises(RSA.RSAError): -- rsa.private_encrypt(1) -- with self.assertRaises(RSA.RSAError): -- rsa.private_decrypt(1) - assert rsa.check_key() - - def test_loadpub_bad(self): --- -GitLab - diff --git a/meta-python/recipes-devtools/python/python3-m2crypto_0.38.0.bb b/meta-python/recipes-devtools/python/python3-m2crypto_0.39.0.bb similarity index 92% rename from meta-python/recipes-devtools/python/python3-m2crypto_0.38.0.bb rename to meta-python/recipes-devtools/python/python3-m2crypto_0.39.0.bb index 40e3bfb316..3a4a700bf7 100644 --- a/meta-python/recipes-devtools/python/python3-m2crypto_0.38.0.bb +++ b/meta-python/recipes-devtools/python/python3-m2crypto_0.39.0.bb @@ -10,9 +10,8 @@ SRC_URI += "file://0001-setup.py-link-in-sysroot-not-in-host-directories.patch \ file://cross-compile-platform.patch \ file://avoid-host-contamination.patch \ file://0001-setup.py-address-openssl-3.x-build-issue.patch \ - file://CVE-2020-25657.patch \ " -SRC_URI[sha256sum] = "99f2260a30901c949a8dc6d5f82cd5312ffb8abc92e76633baf231bbbcb2decb" +SRC_URI[sha256sum] = "24c0f471358b8b19ad4c8aa9da12e868030b65c1fdb3279d006df60c9501338a" PYPI_PACKAGE = "M2Crypto" inherit pypi siteinfo setuptools3
Remove the CVE-2020-25657 patch, as it is fixed in 0.39.0: [tgamblin@megalith m2crypto]$ git log --oneline --grep="CVE-2020-25657" 84c5395 Mitigate the Bleichenbacher timing attacks in the RSA decryption API (CVE-2020-25657) [tgamblin@megalith m2crypto]$ git tag --contains 84c53958def0f510e92119fca14d74f94215827a 0.39.0 Changelog (https://gitlab.com/m2crypto/m2crypto/-/blob/master/CHANGES?ref_type=heads): 0.39.0 - 2023-01-31 ------------------- - SUPPORT FOR PYTHON 2 HAS BEEN DEPRECATED AND IT WILL BE COMPLETELY REMOVED IN THE NEXT RELEASE. - Remove dependency on parameterized and use unittest.subTest instead. - Upgrade embedded six.py module to 1.16.0 (really tiny inconsequential changes). - Make tests working on MacOS again (test_bio_membuf: Use fork) - Use OpenSSL_version_num() instead of unrealiable parsing of .h file. - Mitigate the Bleichenbacher timing attacks in the RSA decryption API (CVE-2020-25657) - Add functionality to extract EC key from public key + Update tests - Worked around compatibility issues with OpenSSL 3.* - Support for Twisted has been deprecated (they have their own SSL support anyway). - Generate TAP while testing. - Stop using GitHub for testing. - Accept a small deviation from time in the testsuite (for systems with non-standard HZ kernel parameter). - Use the default BIO.__del__ rather tha overriding in BIO.File (avoid a memleak). - Resolve "X509_Name.as_der() method from X509.py -> class X509_Name caused segmentation fault" Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com> --- .../python3-m2crypto/CVE-2020-25657.patch | 176 ------------------ ...o_0.38.0.bb => python3-m2crypto_0.39.0.bb} | 3 +- 2 files changed, 1 insertion(+), 178 deletions(-) delete mode 100644 meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch rename meta-python/recipes-devtools/python/{python3-m2crypto_0.38.0.bb => python3-m2crypto_0.39.0.bb} (92%)