Hello again, Looks like that this patch showed some isses/open points: - CVE-2021-22897 is white-listed already, but in hardknott is fixed already https://github.com/openembedded/openembedded-core/blob/hardknott/meta/recipes-support/curl/curl/CVE-2021-22897.patch - So do we have to ignore the patch, or apply and remove the whitelist, or remove patch from hardknott? - Https certificate at yocto.io has been expired ;)
Regards, Andrej On Fri, 2023-03-10 at 13:45 +0100, Andrej Valek wrote: > https://curl.se/docs/CVE-2021-22897.html > > Signed-off-by: Andrej Valek <[email protected]> > --- > .../curl/curl/CVE-2021-22897.patch | 73 > +++++++++++++++++++ > meta/recipes-support/curl/curl_7.69.1.bb | 1 + > 2 files changed, 74 insertions(+) > create mode 100644 meta/recipes-support/curl/curl/CVE-2021- > 22897.patch > > diff --git a/meta/recipes-support/curl/curl/CVE-2021-22897.patch > b/meta/recipes-support/curl/curl/CVE-2021-22897.patch > new file mode 100644 > index 0000000000..cbd6c067ce > --- /dev/null > +++ b/meta/recipes-support/curl/curl/CVE-2021-22897.patch > @@ -0,0 +1,73 @@ > +From bbb71507b7bab52002f9b1e0880bed6a32834511 Mon Sep 17 00:00:00 > 2001 > +From: Daniel Stenberg <[email protected]> > +Date: Fri, 23 Apr 2021 10:54:10 +0200 > +Subject: [PATCH] schannel: don't use static to store selected > ciphers > + > +CVE-2021-22897 > + > +Bug: https://curl.se/docs/CVE-2021-22897.html > + > +Upstream-Status: Backport > +[ > https://github.com/curl/curl/commit/bbb71507b7bab52002f9b1e0880bed6a3 > 2834511] > + > +CVE: CVE-2021-22897 > + > +Signed-off-by: Daniel Stenberg <[email protected]> > +Signed-off-by: Khairul Rohaizzat Jamaluddin > <[email protected]> > +Signed-off-by: Andrej Valek <[email protected]> > +--- > + lib/vtls/schannel.c | 9 +++++---- > + lib/vtls/schannel.h | 3 +++ > + 2 files changed, 8 insertions(+), 4 deletions(-) > + > +diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c > +index 8c25ac5dd5a5..dba7072273a9 100644 > +--- a/lib/vtls/schannel.c > ++++ b/lib/vtls/schannel.c > +@@ -322,12 +322,12 @@ get_alg_id_by_name(char *name) > + } > + > + static CURLcode > +-set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers) > ++set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers, > ++ int *algIds) > + { > + char *startCur = ciphers; > + int algCount = 0; > +- static ALG_ID algIds[45]; /*There are 45 listed in the MS > headers*/ > +- while(startCur && (0 != *startCur) && (algCount < 45)) { > ++ while(startCur && (0 != *startCur) && (algCount < NUMOF_CIPHERS)) > { > + long alg = strtol(startCur, 0, 0); > + if(!alg) > + alg = get_alg_id_by_name(startCur); > +@@ -566,7 +566,8 @@ schannel_connect_step1(struct connectdat > + } > + > + if(SSL_CONN_CONFIG(cipher_list)) { > +- result = set_ssl_ciphers(&schannel_cred, > SSL_CONN_CONFIG(cipher_list)); > ++ result = set_ssl_ciphers(&schannel_cred, > SSL_CONN_CONFIG(cipher_list), > ++ BACKEND->algIds); > + if(CURLE_OK != result) { > + failf(data, "Unable to set ciphers to passed via > SSL_CONN_CONFIG"); > + return result; > +diff --git a/lib/vtls/schannel.h b/lib/vtls/schannel.h > +index 2952caa1a5a1..77853aa30f96 100644 > +--- a/lib/vtls/schannel.h > ++++ b/lib/vtls/schannel.h > +@@ -70,6 +70,8 @@ CURLcode Curl_verify_certificate(struct > + #endif > + #endif > + > ++#define NUMOF_CIPHERS 45 /* There are 45 listed in the MS headers > */ > ++ > + struct curl_schannel_cred { > + CredHandle cred_handle; > + TimeStamp time_stamp; > +@@ -101,6 +103,7 @@ struct ssl_backend_data { > + #ifdef HAS_MANUAL_VERIFY_API > + bool use_manual_cred_validation; /* true if manual cred > validation is used */ > + #endif > ++ ALG_ID algIds[NUMOF_CIPHERS]; > + }; > + #endif /* EXPOSE_SCHANNEL_INTERNAL_STRUCTS */ > + > diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes- > support/curl/curl_7.69.1.bb > index ea36c0bd3d..384719dd15 100644 > --- a/meta/recipes-support/curl/curl_7.69.1.bb > +++ b/meta/recipes-support/curl/curl_7.69.1.bb > @@ -19,6 +19,7 @@ SRC_URI = > "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \ > file://CVE-2020-8286.patch \ > file://CVE-2021-22876.patch \ > file://CVE-2021-22890.patch \ > + file://CVE-2021-22897.patch \ > file://CVE-2021-22898.patch \ > file://CVE-2021-22924.patch \ > file://CVE-2021-22925.patch \
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#178333): https://lists.openembedded.org/g/openembedded-core/message/178333 Mute This Topic: https://lists.openembedded.org/mt/97518402/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
