commit: 82e7edabadc776d7b123ee7bfd65a78a892eae47 Author: Sam James <sam <AT> gentoo <DOT> org> AuthorDate: Thu Jun 30 19:31:38 2022 +0000 Commit: Sam James <sam <AT> gentoo <DOT> org> CommitDate: Thu Jun 30 19:32:45 2022 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=82e7edab
dev-libs/openssl: backport AVX512 overflow fix
Bug: https://github.com/openssl/openssl/issues/18625
Signed-off-by: Sam James <sam <AT> gentoo.org>
.../files/openssl-1.1.1p-fix-test-build.patch | 6 ++++
.../openssl-3.0.4-avx512-buffer-overflow.patch | 34 ++++++++++++++++++++++
...ld.patch => openssl-3.0.4-fix-test-build.patch} | 0
...penssl-3.0.4.ebuild => openssl-3.0.4-r1.ebuild} | 7 +++--
profiles/package.mask | 7 -----
5 files changed, 45 insertions(+), 9 deletions(-)
diff --git a/dev-libs/openssl/files/openssl-1.1.1p-fix-test-build.patch b/dev-libs/openssl/files/openssl-1.1.1p-fix-test-build.patch
index f96e54f3127e..5dca6926dd8f 100644
--- a/dev-libs/openssl/files/openssl-1.1.1p-fix-test-build.patch
+++ b/dev-libs/openssl/files/openssl-1.1.1p-fix-test-build.patch
@@ -16,6 +16,12 @@ Reviewed-by: Paul Dale <[email protected]>
(Merged from https://github.com/openssl/openssl/pull/18634)
(cherry picked from commit b76efe61ea9710a8f69e1cb8caf1aeb2ba6f1ebe)
+---
+ test/v3ext.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/test/v3ext.c b/test/v3ext.c
+index e96b6f79b58f..a2adb1a9f0ef 100644
--- a/test/v3ext.c
+++ b/test/v3ext.c
@@ -37,6 +37,7 @@ static int test_pathlen(void)
diff --git a/dev-libs/openssl/files/openssl-3.0.4-avx512-buffer-overflow.patch b/dev-libs/openssl/files/openssl-3.0.4-avx512-buffer-overflow.patch
new file mode 100644
index 000000000000..c72e958ff535
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.0.4-avx512-buffer-overflow.patch
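Review bot: The six lines added here give the embedded cherry-pick a proper `---` separator, diffstat and `diff --git`/`index` header, but the copy recorded later in this commit as `dev-libs/openssl/files/openssl-3.0.4-fix-test-build.patch` shows `similarity index 100%` and a `| 0` diffstat against the pre-commit 1.1.1p file, which suggests the 3.0.4 copy was taken before these header lines were added. If that reading is right, the file the new ebuild applies as `${P}-fix-test-build.patch` lacks the header and should be re-copied from the fixed version, or the two ebuilds should reference a single shared file. Worth confirming by diffing the two files in the resulting tree.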
@@ -0,0 +1,34 @@
+https://github.com/openssl/openssl/commit/a1f7034bbd8f0730d360211f5ba0feeaef0b7b2c
+https://github.com/openssl/openssl/issues/18625
+
+From a1f7034bbd8f0730d360211f5ba0feeaef0b7b2c Mon Sep 17 00:00:00 2001
+From: Xi Ruoyao <[email protected]>
+Date: Wed, 22 Jun 2022 18:07:05 +0800
+Subject: [PATCH] rsa: fix bn_reduce_once_in_place call for
+ rsaz_mod_exp_avx512_x2
+
+bn_reduce_once_in_place expects the number of BN_ULONG, but factor_size
+is moduli bit size.
+
+Fixes #18625.
+
+Signed-off-by: Xi Ruoyao <[email protected]>
+
+Reviewed-by: Tomas Mraz <[email protected]>
+Reviewed-by: Paul Dale <[email protected]>
+(Merged from https://github.com/openssl/openssl/pull/18626)
+
+(cherry picked from commit 4d8a88c134df634ba610ff8db1eb8478ac5fd345)
+--- a/crypto/bn/rsaz_exp_x2.c
++++ b/crypto/bn/rsaz_exp_x2.c
+@@ -220,6 +220,9 @@ int ossl_rsaz_mod_exp_avx512_x2(BN_ULONG *res1,
+ from_words52(res1, factor_size, rr1_red);
+ from_words52(res2, factor_size, rr2_red);
+
++ /* bn_reduce_once_in_place expects number of BN_ULONG, not bit size */
++ factor_size /= sizeof(BN_ULONG) * 8;
++
+ bn_reduce_once_in_place(res1, /*carry=*/0, m1, storage, factor_size);
+ bn_reduce_once_in_place(res2, /*carry=*/0, m2, storage, factor_size);
+
+
diff --git a/dev-libs/openssl/files/openssl-1.1.1p-fix-test-build.patch b/dev-libs/openssl/files/openssl-3.0.4-fix-test-build.patch
similarity index 100%
copy from dev-libs/openssl/files/openssl-1.1.1p-fix-test-build.patch
copy to dev-libs/openssl/files/openssl-3.0.4-fix-test-build.patch
diff --git a/dev-libs/openssl/openssl-3.0.4.ebuild b/dev-libs/openssl/openssl-3.0.4-r1.ebuild
similarity index 98%
rename from dev-libs/openssl/openssl-3.0.4.ebuild
rename to dev-libs/openssl/openssl-3.0.4-r1.ebuild
index ede15424a910..f4951da01454 100644
--- a/dev-libs/openssl/openssl-3.0.4.ebuild
+++ b/dev-libs/openssl/openssl-3.0.4-r1.ebuild
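Review bot: The backported line `+ factor_size /= sizeof(BN_ULONG) * 8;` rewrites `factor_size` in place from a modulus bit count to a BN_ULONG word count, so it must stay after the two `from_words52` calls, which still take bits, and every later use of `factor_size` in `ossl_rsaz_mod_exp_avx512_x2` (the function continues past the nested hunk) now sees words; that is what upstream commit a1f7034 does, so the backport should be carried verbatim rather than adjusted locally. What the Gentoo side can add is a short provenance line at the top of the patch file, e.g. `Backport of the upstream fix for the AVX512 RSA buffer overflow (issue 18625); drop once the next upstream release containing it is packaged.`, so the patch's lifetime is clear. Since the overflow only triggers on the AVX512 code path, verifying the fix means running the RSA tests on hardware that takes that path, not just a generic test run.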
@@ -46,12 +46,15 @@ DEPEND="${COMMON_DEPEND}"
RDEPEND="${COMMON_DEPEND}"
PDEPEND="app-misc/ca-certificates"
-REQUIRED_USE="test? ( rfc3779 )"
-
MULTILIB_WRAPPED_HEADERS=(
/usr/include/openssl/configuration.h
)
+PATCHES=(
+ "${FILESDIR}"/${P}-avx512-buffer-overflow.patch
+ "${FILESDIR}"/${P}-fix-test-build.patch
+)
+
pkg_setup() {
if use ktls ; then
if kernel_is -lt 4 18 ; then
diff --git a/profiles/package.mask b/profiles/package.mask
index e9663afb0ce2..4c5d63309305 100644
--- a/profiles/package.mask
+++ b/profiles/package.mask
@@ -44,13 +44,6 @@
# as deprecated since March 2022. Removal in 30 days (Bug #855299).
gnome-extra/gtkhtml
-# Sam James <[email protected]> (2022-06-29)
-# Pre-emptively mask broken upstream versions.
-# openssl 3.0.4 has a buffer overflow w/ AVX512 (https://github.com/openssl/openssl/issues/18625)
-# Gentoo isn't vulnerable to the original CVE which caused these releases
-# (CVE-2022-2068) as we have our own rehash script.
-=dev-libs/openssl-3.0.4
-
# Piotr Karbowski <[email protected]> (2022-06-26)
# Abandoned upstream, depends on API that no longer exists.
# Removal on 2022-07-26.
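Review bot: The removal of `REQUIRED_USE="test? ( rfc3779 )"` is a behavioural change to the ebuild that the commit message does not mention; presumably `${P}-fix-test-build.patch` lets the test build succeed without USE=rfc3779, but that link should be stated, either in the commit message or as a comment beside the new `PATCHES` entry such as `# fix-test-build: test/v3ext.c builds without rfc3779, so REQUIRED_USE no longer needs it`, if that is indeed the reason. The `PATCHES` array itself looks right: `${P}` expands to openssl-3.0.4 for the -r1 revision, matching the two new filenames under files/. The package.mask hunk that follows only drops the pre-emptive mask, so the unmasking now rests on this revision actually carrying the overflow fix.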
