Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openssl-1_0_0 for openSUSE:Factory checked in at 2022-07-08 14:01:32 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/openssl-1_0_0 (Old) and /work/SRC/openSUSE:Factory/.openssl-1_0_0.new.1523 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssl-1_0_0"
Fri Jul 8 14:01:32 2022 rev:27 rq:987303 version:1.0.2u
Changes:
--------
--- /work/SRC/openSUSE:Factory/openssl-1_0_0/openssl-1_0_0.changes 2022-05-17 17:23:49.051137408 +0200
+++ /work/SRC/openSUSE:Factory/.openssl-1_0_0.new.1523/openssl-1_0_0.changes 2022-07-08 14:01:34.838425413 +0200
@@ -1,0 +2,25 @@
+Tue Jun 28 14:26:53 UTC 2022 - Andreas Schwab <sch...@suse.de>
+
+- openssl-riscv64-config.patch: backport of riscv64 config support
+
+-------------------------------------------------------------------
+Fri Jun 23 11:38:39 UTC 2022 - Jason Sikes <jsi...@suse.com>
+
+- Added openssl-1_0_0-Fix-file-operations-in-c_rehash.patch
+ * bsc#1200550
+ * CVE-2022-2068
+ * Fixed more shell code injection issues in c_rehash
+
+-------------------------------------------------------------------
+Tue Jun 21 13:29:56 UTC 2022 - Jan Engelhardt <jeng...@inai.de>
+
+- Adjust rpmlintrc to apply to all arches.
+
+-------------------------------------------------------------------
+Mon May 30 09:16:49 UTC 2022 - Jason Sikes <jsi...@suse.com>
+
+- Security fix: [bsc#1199166, CVE-2022-1292]
+ * Added: openssl-CVE-2022-1292.patch
+ * properly sanitise shell metacharacters in c_rehash script.
+
+-------------------------------------------------------------------
New:
----
openssl-1_0_0-Fix-file-operations-in-c_rehash.patch
openssl-CVE-2022-1292.patch
openssl-riscv64-config.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ openssl-1_0_0.spec ++++++
--- /var/tmp/diff_new_pack.IjAGmd/_old 2022-07-08 14:01:35.942426594 +0200
+++ /var/tmp/diff_new_pack.IjAGmd/_new 2022-07-08 14:01:35.950426603 +0200
@@ -57,6 +57,7 @@
 Patch9: openssl-1.0.2a-default-paths.patch
 Patch10: openssl-pkgconfig.patch
 Patch13: openssl-1.0.2a-ipv6-apps.patch
+Patch14: openssl-riscv64-config.patch
 # FIPS patches:
 Patch15: openssl-1.0.2i-fips.patch
 Patch16: openssl-1.0.2a-fips-ec.patch
@@ -100,6 +101,9 @@
 Patch85: openssl-add_rfc3526_rfc7919.patch
 # OpenSSL Security Advisory [17 August 2021] bsc#1189521 CVE-2021-3712
 Patch86: CVE-2021-3712-ASN1_STRING-issues.patch
+# OpenSSL Security Advisory bsc#1199166 CVE-2022-1292
+Patch87: openssl-CVE-2022-1292.patch
+Patch88: openssl-1_0_0-Fix-file-operations-in-c_rehash.patch
 # steam patches
 Patch100: openssl-fix-cpuid_setup.patch
 # compat patches to build with soversion 10 (bsc#1175429)
@@ -223,6 +227,7 @@
 %patch9 -p1
 %patch10 -p1
 %patch13 -p1
+%patch14 -p1
 %patch15 -p1
 %patch16 -p1
 %patch17 -p1
@@ -263,6 +268,8 @@
 %patch84 -p1
 %patch85 -p1
 %patch86 -p1
+%patch87 -p1
+%patch88 -p1
 # clean up patching leftovers
 find . -name '*.orig' -delete
++++++ openssl-1_0_0-Fix-file-operations-in-c_rehash.patch ++++++
diff --git a/tools/c_rehash.in b/tools/c_rehash.in
index 34e3ecb..f516f9c 100644
--- a/tools/c_rehash.in
+++ b/tools/c_rehash.in
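Review bot: The comment added above `Patch87` and `Patch88`, `# OpenSSL Security Advisory bsc#1199166 CVE-2022-1292`, covers only Patch87; according to the changes entry in this same submission, `openssl-1_0_0-Fix-file-operations-in-c_rehash.patch` (Patch88) is the fix for bsc#1200550 / CVE-2022-2068. The existing convention in the spec (see the `bsc#1189521 CVE-2021-3712` line above `Patch86`) is one reference comment per security patch, so a second line such as `# OpenSSL Security Advisory bsc#1200550 CVE-2022-2068` between the two `Patch` lines would keep the references traceable. The `%patch87`/`%patch88` hunk further down needs no change.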
@@ -90,52 +90,62 @@ foreach (@dirlist) {
 }
 sub hash_dir {
- my %hashlist;
- print "Doing $_[0]\n";
- chdir $_[0];
- opendir(DIR, ".");
- my @flist = readdir(DIR);
- closedir DIR;
- if ( $removelinks ) {
- # Delete any existing symbolic links
- foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
- if(-l $_) {
- unlink $_;
- print "unlink $_" if $verbose;
- }
- }
- }
- FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {
- # Check to see if certificates and/or CRLs present.
- my ($cert, $crl) = check_file($fname);
- if(!$cert && !$crl) {
- print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
- next;
- }
- link_hash_cert($fname) if($cert);
- link_hash_cert_old($fname) if($cert);
- link_hash_crl($fname) if($crl);
- }
+ my $dir = shift;
+ my %hashlist;
+
+ print "Doing $dir\n";
+
+ if (!chdir $dir) {
+ print STDERR "WARNING: Cannot chdir to '$dir', $!\n";
+ return;
+ }
+
+ opendir(DIR, ".") || print STDERR "WARNING: Cannot opendir '.', $!\n";
+ my @flist = readdir(DIR);
+ closedir DIR;
+ if ( $removelinks ) {
+ # Delete any existing symbolic links
+ foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
+ if (-l $_) {
+ print "unlink $_\n" if $verbose;
+ unlink $_ || warn "Can't unlink $_, $!\n";
+ }
+ }
+ }
+ FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {
+ # Check to see if certificates and/or CRLs present.
+ my ($cert, $crl) = check_file($fname);
+ if (!$cert && !$crl) {
+ print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
+ next;
+ }
+ link_hash_cert($fname) if ($cert);
+ link_hash_cert_old($fname) if($cert); # WHY IS THIS HERE?
+ link_hash_crl($fname) if ($crl);
+ }
+
+ chdir $pwd;
 }
 sub check_file {
- my ($is_cert, $is_crl) = (0,0);
- my $fname = $_[0];
- open IN, $fname;
- while(<IN>) {
- if(/^-----BEGIN (.*)-----/) {
- my $hdr = $1;
- if($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
- $is_cert = 1;
- last if($is_crl);
- } elsif($hdr eq "X509 CRL") {
- $is_crl = 1;
- last if($is_cert);
- }
- }
- }
- close IN;
- return ($is_cert, $is_crl);
+ my ($is_cert, $is_crl) = (0,0);
+ my $fname = $_[0];
+
+ open(my $in, "<", $fname);
+ while(<$in>) {
+ if (/^-----BEGIN (.*)-----/) {
+ my $hdr = $1;
+ if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
+ $is_cert = 1;
+ last if ($is_crl);
+ } elsif ($hdr eq "X509 CRL") {
+ $is_crl = 1;
+ last if ($is_cert);
+ }
+ }
+ }
+ close $in;
+ return ($is_cert, $is_crl);
 }
 sub compute_hash {
@@ -163,39 +173,7 @@ sub compute_hash {
 # certificate fingerprints
 sub link_hash_cert {
- my $fname = $_[0];
- my $hashopt = $_[1] || '-subject_hash';
- my ($hash, $fprint) = compute_hash($openssl, "x509", $hashopt,
- "-fingerprint", "-noout",
- "-in", $fname);
- chomp $hash;
- chomp $fprint;
- return if !$hash;
- $fprint =~ s/^.*=//;
- $fprint =~ tr/://d;
- my $suffix = 0;
- # Search for an unused hash filename
- while(exists $hashlist{"$hash.$suffix"}) {
- # Hash matches: if fingerprint matches its a duplicate cert
- if($hashlist{"$hash.$suffix"} eq $fprint) {
- print STDERR "WARNING: Skipping duplicate certificate $fname\n";
- return;
- }
- $suffix++;
- }
- $hash .= ".$suffix";
- if ($symlink_exists) {
- symlink $fname, $hash;
- print "link $fname -> $hash\n" if $verbose;
- } else {
- open IN,"<$fname" or die "can't open $fname for read";
- open OUT,">$hash" or die "can't open $hash for write";
- print OUT <IN>; # does the job for small text files
- close OUT;
- close IN;
- print "copy $fname -> $hash\n" if $verbose;
- }
- $hashlist{$hash} = $fprint;
+ link_hash($_[0], 'cert');
 }
 sub link_hash_cert_old {
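Review bot: `unlink $_ || warn "Can't unlink $_, $!\n";` in the `$removelinks` loop of `hash_dir` never reaches the `warn`: `||` binds tighter than the list operator `unlink`, so it parses as `unlink($_ || warn ...)`, and `$_` is always a non-empty filename, which leaves a failed unlink silent. The same shape appears in the `link_hash` hunk further down as `symlink $fname, $hash || warn "Can't symlink, $!";`, where `||` binds to `$hash` and a failed symlink still ends with `$hashlist{$hash} = $fprint` recorded for a link that was never created. Write both with parentheses and the low-precedence operator: `unlink($_) or warn "Can't unlink $_, $!\n";` and `symlink($fname, $hash) or warn "Can't symlink $fname -> $hash, $!";`. Separately, `opendir(DIR, ".") || print STDERR "WARNING: Cannot opendir '.', $!\n";` reports the failure but does not `return`, so `readdir(DIR)` runs on an unopened handle; a `return;` after the message, matching the `chdir` check just above it, keeps the two failure paths consistent. `$pwd` in the closing `chdir $pwd;` is not declared in any hunk shown, so it presumably comes from the script's preamble; its return value is also unchecked, unlike the `chdir $dir` at the top.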
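Review bot: Reducing `link_hash_cert` to `link_hash($_[0], 'cert');` drops the second argument the removed body accepted via `my $hashopt = $_[1] || '-subject_hash';`, and `link_hash` (next hunk) always hashes with `$x509hash`. If `link_hash_cert_old`, whose body begins after this hunk, still passes an old-style hash option through `link_hash_cert` as that removed default suggests, then both calls in `hash_dir` now compute the same name, the old-style link is never created, and the second call prints `WARNING: Skipping duplicate certificate` for every certificate — which the `# WHY IS THIS HERE?` comment left in `hash_dir` hints at. Either keep the option, e.g. `link_hash($_[0], 'cert', $_[1]);` with `link_hash` preferring a third argument over `$x509hash` when one is given, or drop the `link_hash_cert_old` call and function together rather than leaving the question in a comment. `$x509hash` itself is declared in no hunk shown here; if the 1.0.2 script does not define it, the `x509` command line is built with an undefined argument.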
@@ -205,33 +183,58 @@ sub link_hash_cert_old {
 # Same as above except for a CRL. CRL links are of the form <hash>.r<n>
 sub link_hash_crl {
- my $fname = $_[0];
- my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash,
- "-fingerprint", "-noout",
- "-in", $fname);
- chomp $hash;
- chomp $fprint;
- return if !$hash;
- $fprint =~ s/^.*=//;
- $fprint =~ tr/://d;
- my $suffix = 0;
- # Search for an unused hash filename
- while(exists $hashlist{"$hash.r$suffix"}) {
- # Hash matches: if fingerprint matches its a duplicate cert
- if($hashlist{"$hash.r$suffix"} eq $fprint) {
- print STDERR "WARNING: Skipping duplicate CRL $fname\n";
- return;
- }
- $suffix++;
- }
- $hash .= ".r$suffix";
- if ($symlink_exists) {
- symlink $fname, $hash;
- print "link $fname -> $hash\n" if $verbose;
- } else {
- system ("cp", $fname, $hash);
- print "cp $fname -> $hash\n" if $verbose;
- }
- $hashlist{$hash} = $fprint;
+ link_hash($_[0], 'crl');
+}
+
+sub copy_file {
+ my ($src_fname, $dst_fname) = @_;
+
+ if (open(my $in, "<", $src_fname)) {
+ if (open(my $out, ">", $dst_fname)) {
+ print $out $_ while (<$in>);
+ close $out;
+ } else {
+ warn "Cannot open $dst_fname for write, $!";
+ }
+ close $in;
+ } else {
+ warn "Cannot open $src_fname for read, $!";
+ }
 }
+sub link_hash {
+ my ($fname, $type) = @_;
+ my $is_cert = $type eq 'cert';
+
+ my ($hash, $fprint) = compute_hash($openssl,
+ $is_cert ? "x509" : "crl",
+ $is_cert ? $x509hash : $crlhash,
+ "-fingerprint", "-noout",
+ "-in", $fname);
+ chomp $hash;
+ chomp $fprint;
+ return if !$hash;
+ $fprint =~ s/^.*=//;
+ $fprint =~ tr/://d;
+ my $suffix = 0;
+ # Search for an unused hash filename
+ my $crlmark = $is_cert ? "" : "r";
+ while(exists $hashlist{"$hash.$crlmark$suffix"}) {
+ # Hash matches: if fingerprint matches its a duplicate cert
+ if ($hashlist{"$hash.$crlmark$suffix"} eq $fprint) {
+ my $what = $is_cert ? 'certificate' : 'CRL';
+ print STDERR "WARNING: Skipping duplicate $what $fname\n";
+ return;
+ }
+ $suffix++;
+ }
+ $hash .= ".$crlmark$suffix";
+ if ($symlink_exists) {
+ print "link $fname -> $hash\n" if $verbose;
+ symlink $fname, $hash || warn "Can't symlink, $!";
+ } else {
+ print "copy $fname -> $hash\n" if $verbose;
+ copy_file($fname, $hash);
+ }
+ $hashlist{$hash} = $fprint;
+}
++++++ openssl-1_0_0-rpmlintrc ++++++
--- /var/tmp/diff_new_pack.IjAGmd/_old 2022-07-08 14:01:36.078426740 +0200
+++ /var/tmp/diff_new_pack.IjAGmd/_new 2022-07-08 14:01:36.082426744 +0200
@@ -1,3 +1,3 @@
 # shlib policy does not cover the multibuild case
-addFilter("libopenssl1_0_0-steam.x86_64: E: shlib-policy-name-error SONAME.*")
+addFilter("libopenssl1_0_0-steam.\w+: E: shlib-policy-name-error SONAME.*")
++++++ openssl-CVE-2022-1292.patch ++++++
diff --git a/tools/c_rehash.in b/tools/c_rehash.in
index f4be8d9..d1a34aa 100644
--- a/tools/c_rehash.in
+++ b/tools/c_rehash.in
@@ -138,6 +138,23 @@ sub check_file {
 return ($is_cert, $is_crl);
 }
+sub compute_hash {
+ my $fh;
+ if ( $^O eq "VMS" ) {
+ # VMS uses the open through shell
+ # The file names are safe there and list form is unsupported
+ if (!open($fh, "-|", join(' ', @_))) {
+ print STDERR "Cannot compute hash on '$fname'\n";
+ return;
+ }
+ } else {
+ if (!open($fh, "-|", @_)) {
+ print STDERR "Cannot compute hash on '$fname'\n";
+ return;
+ }
+ }
+ return (<$fh>, <$fh>);
+}
 # Link a certificate to its subject name hash value, each hash is of
 # the form <hash>.<n> where n is an integer. If the hash value already exists
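Review bot: `close $out;` in `copy_file` discards its return value, so a write error that only surfaces when the buffered `print $out $_` data is flushed leaves a truncated file under the hash name with no warning, and the caller `link_hash` still records `$hashlist{$hash} = $fprint` for it; use `close($out) or warn "Cannot close $dst_fname, $!";` (the same applies to the unchecked `close $in` in `check_file`, though a read handle rarely fails there). The `%hashlist` that `link_hash` reads and writes is not the `my %hashlist` declared at the top of `hash_dir` in the first hunk — that lexical is never passed down and is dead — so `link_hash` operates on a hash that outlives each directory, and a certificate present in two directories of one run is reported as a duplicate in the second instead of being linked there. This is carried over from the removed `link_hash_cert`/`link_hash_crl` bodies rather than introduced here, but since the patch already rewrites `hash_dir`, replacing the dead `my %hashlist;` with `%hashlist = ();` (or passing a reference into `link_hash`) would make the per-directory reset real. The `symlink $fname, $hash || warn` precedence issue in this hunk is covered in the note on the `hash_dir` hunk.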
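Review bot: `compute_hash` never closes `$fh`, so the child process is not waited for and its exit status is never examined; callers learn of a failing `openssl` run only indirectly through the `return if !$hash;` they add, and a run that prints a hash line and then fails is indistinguishable from success. `return (<$fh>, <$fh>);` also relies on the first `<$fh>` slurping every remaining line in list context and the second returning nothing, which works for the `my ($hash, $fprint) = compute_hash(...)` call sites but reads as if it took exactly two lines. Reading into an array and closing — `my @lines = <$fh>; close($fh) or warn "openssl exited with status $?\n"; return @lines[0, 1];` — keeps the interface and collects the status. The `'$fname'` in both error messages is not a parameter of `compute_hash`; it presumably resolves only because `hash_dir`'s `foreach $fname` loop variable is not lexical, so the message should take the name from `$_[-1]` or an explicit argument instead.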
@@ -148,10 +165,12 @@ sub check_file {
 sub link_hash_cert {
 my $fname = $_[0];
 my $hashopt = $_[1] || '-subject_hash';
- $fname =~ s/'/'\\''/g;
- my ($hash, $fprint) = `"$openssl" x509 $hashopt -fingerprint -noout -in "$fname"`;
+ my ($hash, $fprint) = compute_hash($openssl, "x509", $hashopt,
+ "-fingerprint", "-noout",
+ "-in", $fname);
 chomp $hash;
 chomp $fprint;
+ return if !$hash;
 $fprint =~ s/^.*=//;
 $fprint =~ tr/://d;
 my $suffix = 0;
@@ -187,10 +206,12 @@ sub link_hash_cert_old {
 sub link_hash_crl {
 my $fname = $_[0];
- $fname =~ s/'/'\\''/g;
- my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`;
+ my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash,
+ "-fingerprint", "-noout",
+ "-in", $fname);
 chomp $hash;
 chomp $fprint;
+ return if !$hash;
 $fprint =~ s/^.*=//;
 $fprint =~ tr/://d;
 my $suffix = 0;
++++++ openssl-riscv64-config.patch ++++++
Index: openssl-1.0.2u/config
===================================================================
--- openssl-1.0.2u.orig/config
+++ openssl-1.0.2u/config
@@ -708,6 +708,7 @@ case "$GUESSOS" in
 options="$options -march=k6"
 fi
 fi ;;
+ riscv64-*-linux?) OUT="linux-generic64" ;;
 *-*-linux1) OUT="linux-aout" ;;
 *-*-linux2) OUT="linux-generic32" ;;
 sun4[uv]*-*-solaris2)