On Fri, Mar 10, 2023 at 3:09 AM Valek, Andrej <[email protected]> wrote:
>
> Hello again,
>
> Looks like that this patch showed some isses/open points:
> - CVE-2021-22897 is white-listed already, but in hardknott is fixed
> already
> https://github.com/openembedded/openembedded-core/blob/hardknott/meta/recipes-support/curl/curl/CVE-2021-22897.patch
> - So do we have to ignore the patch, or apply and remove the
> whitelist, or remove patch from hardknott?
Hardknott is no longer being maintained, so nothing needs to be done there.
Since this is a Windows only bug ("It can only trigger when Schannel
is used, which is the native TLS library in Microsoft Windows") I
think the existing whitelist is fine and we don't need this additional
patch.
> - Https certificate at yocto.io has been expired ;)
Can you give me the url which is giving the expired certificate error?
Thanks!
Steve
> Regards,
> Andrej
>
> On Fri, 2023-03-10 at 13:45 +0100, Andrej Valek wrote:
> > https://curl.se/docs/CVE-2021-22897.html
> >
> > Signed-off-by: Andrej Valek <[email protected]>
> > ---
> > .../curl/curl/CVE-2021-22897.patch | 73
> > +++++++++++++++++++
> > meta/recipes-support/curl/curl_7.69.1.bb | 1 +
> > 2 files changed, 74 insertions(+)
> > create mode 100644 meta/recipes-support/curl/curl/CVE-2021-
> > 22897.patch
> >
> > diff --git a/meta/recipes-support/curl/curl/CVE-2021-22897.patch
> > b/meta/recipes-support/curl/curl/CVE-2021-22897.patch
> > new file mode 100644
> > index 0000000000..cbd6c067ce
> > --- /dev/null
> > +++ b/meta/recipes-support/curl/curl/CVE-2021-22897.patch
> > @@ -0,0 +1,73 @@
> > +From bbb71507b7bab52002f9b1e0880bed6a32834511 Mon Sep 17 00:00:00
> > 2001
> > +From: Daniel Stenberg <[email protected]>
> > +Date: Fri, 23 Apr 2021 10:54:10 +0200
> > +Subject: [PATCH] schannel: don't use static to store selected
> > ciphers
> > +
> > +CVE-2021-22897
> > +
> > +Bug: https://curl.se/docs/CVE-2021-22897.html
> > +
> > +Upstream-Status: Backport
> > +[
> > https://github.com/curl/curl/commit/bbb71507b7bab52002f9b1e0880bed6a3
> > 2834511]
> > +
> > +CVE: CVE-2021-22897
> > +
> > +Signed-off-by: Daniel Stenberg <[email protected]>
> > +Signed-off-by: Khairul Rohaizzat Jamaluddin
> > <[email protected]>
> > +Signed-off-by: Andrej Valek <[email protected]>
> > +---
> > + lib/vtls/schannel.c | 9 +++++----
> > + lib/vtls/schannel.h | 3 +++
> > + 2 files changed, 8 insertions(+), 4 deletions(-)
> > +
> > +diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
> > +index 8c25ac5dd5a5..dba7072273a9 100644
> > +--- a/lib/vtls/schannel.c
> > ++++ b/lib/vtls/schannel.c
> > +@@ -322,12 +322,12 @@ get_alg_id_by_name(char *name)
> > + }
> > +
> > + static CURLcode
> > +-set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers)
> > ++set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers,
> > ++ int *algIds)
> > + {
> > + char *startCur = ciphers;
> > + int algCount = 0;
> > +- static ALG_ID algIds[45]; /*There are 45 listed in the MS
> > headers*/
> > +- while(startCur && (0 != *startCur) && (algCount < 45)) {
> > ++ while(startCur && (0 != *startCur) && (algCount < NUMOF_CIPHERS))
> > {
> > + long alg = strtol(startCur, 0, 0);
> > + if(!alg)
> > + alg = get_alg_id_by_name(startCur);
> > +@@ -566,7 +566,8 @@ schannel_connect_step1(struct connectdat
> > + }
> > +
> > + if(SSL_CONN_CONFIG(cipher_list)) {
> > +- result = set_ssl_ciphers(&schannel_cred,
> > SSL_CONN_CONFIG(cipher_list));
> > ++ result = set_ssl_ciphers(&schannel_cred,
> > SSL_CONN_CONFIG(cipher_list),
> > ++ BACKEND->algIds);
> > + if(CURLE_OK != result) {
> > + failf(data, "Unable to set ciphers to passed via
> > SSL_CONN_CONFIG");
> > + return result;
> > +diff --git a/lib/vtls/schannel.h b/lib/vtls/schannel.h
> > +index 2952caa1a5a1..77853aa30f96 100644
> > +--- a/lib/vtls/schannel.h
> > ++++ b/lib/vtls/schannel.h
> > +@@ -70,6 +70,8 @@ CURLcode Curl_verify_certificate(struct
> > + #endif
> > + #endif
> > +
> > ++#define NUMOF_CIPHERS 45 /* There are 45 listed in the MS headers
> > */
> > ++
> > + struct curl_schannel_cred {
> > + CredHandle cred_handle;
> > + TimeStamp time_stamp;
> > +@@ -101,6 +103,7 @@ struct ssl_backend_data {
> > + #ifdef HAS_MANUAL_VERIFY_API
> > + bool use_manual_cred_validation; /* true if manual cred
> > validation is used */
> > + #endif
> > ++ ALG_ID algIds[NUMOF_CIPHERS];
> > + };
> > + #endif /* EXPOSE_SCHANNEL_INTERNAL_STRUCTS */
> > +
> > diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-
> > support/curl/curl_7.69.1.bb
> > index ea36c0bd3d..384719dd15 100644
> > --- a/meta/recipes-support/curl/curl_7.69.1.bb
> > +++ b/meta/recipes-support/curl/curl_7.69.1.bb
> > @@ -19,6 +19,7 @@ SRC_URI =
> > "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
> > file://CVE-2020-8286.patch \
> > file://CVE-2021-22876.patch \
> > file://CVE-2021-22890.patch \
> > + file://CVE-2021-22897.patch \
> > file://CVE-2021-22898.patch \
> > file://CVE-2021-22924.patch \
> > file://CVE-2021-22925.patch \
>
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#178337):
https://lists.openembedded.org/g/openembedded-core/message/178337
Mute This Topic: https://lists.openembedded.org/mt/97518402/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
