Re: [OE-core] [PATCH] Upgrade OpenSSL 3.0.5 -> 3.0.7

Tim Orling Tue, 01 Nov 2022 11:38:38 -0700

The commit message should reference the two new CVEs as well:

CVE-2022-3786 and CVE-2022-3602: X.509 Email Address Buffer Overflows
https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/



On Tue, Nov 1, 2022 at 10:03 AM edtanous via lists.openembedded.org
<[email protected]> wrote:

> From: Ed Tanous <[email protected]>
>
> OpenSSL 3.0.5 includes a HIGH level security vulnerability [1].
>
> Upgrade the recipe to point to 3.0.7.
>
> CVE-2022-3358 is reported fixed in 3.0.6, so drop the patch for that as
> well.
>
> [1] https://www.openssl.org/news/vulnerabilities.html
>
> Signed-off-by: Ed Tanous <[email protected]>
> ---
>  .../openssl/openssl/CVE-2022-3358.patch       | 55 -------------------
>  .../{openssl_3.0.5.bb => openssl_3.0.7.bb}    |  3 +-
>  2 files changed, 1 insertion(+), 57 deletions(-)
>  delete mode 100644
> meta/recipes-connectivity/openssl/openssl/CVE-2022-3358.patch
>  rename meta/recipes-connectivity/openssl/{openssl_3.0.5.bb =>
> openssl_3.0.7.bb} (98%)
>
> diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2022-3358.patch
> b/meta/recipes-connectivity/openssl/openssl/CVE-2022-3358.patch
> deleted file mode 100644
> index 18b2a5a6b2..0000000000
> --- a/meta/recipes-connectivity/openssl/openssl/CVE-2022-3358.patch
> +++ /dev/null
> @@ -1,55 +0,0 @@
> -From 56e1d693f0ec5550a8e3dd52d30e57a02f0287af Mon Sep 17 00:00:00 2001
> -From: Hitendra Prajapati <[email protected]>
> -Date: Wed, 19 Oct 2022 11:08:23 +0530
> -Subject: [PATCH] CVE-2022-3358
> -
> -Upstream-Status: Backport [
> https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5485c56679d7c49b96e8fc8ca708b0b7e7c03c4b
> ]
> -CVE : CVE-2022-3358
> -Signed-off-by: Hitendra Prajapati <[email protected]>
> ----
> - crypto/evp/digest.c  | 4 +++-
> - crypto/evp/evp_enc.c | 6 ++++--
> - 2 files changed, 7 insertions(+), 3 deletions(-)
> -
> -diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
> -index de9a1dc..e6e03ea 100644
> ---- a/crypto/evp/digest.c
> -+++ b/crypto/evp/digest.c
> -@@ -225,7 +225,9 @@ static int evp_md_init_internal(EVP_MD_CTX *ctx,
> const EVP_MD *type,
> -             || tmpimpl != NULL
> - #endif
> -             || (ctx->flags & EVP_MD_CTX_FLAG_NO_INIT) != 0
> --            || type->origin == EVP_ORIG_METH) {
> -+            || (type != NULL && type->origin == EVP_ORIG_METH)
> -+            || (type == NULL && ctx->digest != NULL
> -+                             && ctx->digest->origin == EVP_ORIG_METH)) {
> -         if (ctx->digest == ctx->fetched_digest)
> -             ctx->digest = NULL;
> -         EVP_MD_free(ctx->fetched_digest);
> -diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
> -index 19a07de..5df08bd 100644
> ---- a/crypto/evp/evp_enc.c
> -+++ b/crypto/evp/evp_enc.c
> -@@ -131,7 +131,10 @@ static int evp_cipher_init_internal(EVP_CIPHER_CTX
> *ctx,
> - #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
> -             || tmpimpl != NULL
> - #endif
> --            || impl != NULL) {
> -+            || impl != NULL
> -+            || (cipher != NULL && cipher->origin == EVP_ORIG_METH)
> -+            || (cipher == NULL && ctx->cipher != NULL
> -+                               && ctx->cipher->origin == EVP_ORIG_METH))
> {
> -         if (ctx->cipher == ctx->fetched_cipher)
> -             ctx->cipher = NULL;
> -         EVP_CIPHER_free(ctx->fetched_cipher);
> -@@ -147,7 +150,6 @@ static int evp_cipher_init_internal(EVP_CIPHER_CTX
> *ctx,
> -         ctx->cipher_data = NULL;
> -     }
> -
> --
> -     /* Start of non-legacy code below */
> -
> -     /* Ensure a context left lying around from last time is cleared */
> ---
> -2.25.1
> -
> diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.5.bb
> b/meta/recipes-connectivity/openssl/openssl_3.0.7.bb
> similarity index 98%
> rename from meta/recipes-connectivity/openssl/openssl_3.0.5.bb
> rename to meta/recipes-connectivity/openssl/openssl_3.0.7.bb
> index 175692436d..45fd1de2fd 100644
> --- a/meta/recipes-connectivity/openssl/openssl_3.0.5.bb
> +++ b/meta/recipes-connectivity/openssl/openssl_3.0.7.bb
> @@ -12,14 +12,13 @@ SRC_URI = "
> http://www.openssl.org/source/openssl-${PV}.tar.gz \
>
> file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
>             file://afalg.patch \
>             file://0001-Configure-do-not-tweak-mips-cflags.patch \
> -           file://CVE-2022-3358.patch \
>             "
>
>  SRC_URI:append:class-nativesdk = " \
>             file://environment.d-openssl.sh \
>             "
>
> -SRC_URI[sha256sum] =
> "aa7d8d9bef71ad6525c55ba11e5f4397889ce49c2c9349dcea6d3e4f0b024a7a"
> +SRC_URI[sha256sum] =
> "83049d042a260e696f62406ac5c08bf706fd84383f945cf21bd61e9ed95c396e"
>
>  inherit lib_package multilib_header multilib_script ptest perlnative
>  MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
> --
> 2.38.1.273.g43a17bfeac-goog
>
>
> 
>
>

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#172381): 
https://lists.openembedded.org/g/openembedded-core/message/172381
Mute This Topic: https://lists.openembedded.org/mt/94715257/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core] [PATCH] Upgrade OpenSSL 3.0.5 -> 3.0.7

Reply via email to