Hello Steve, - patch - I'm fine with explanation - Cert error - for example here: https://autobuilder.yocto.io/pub/non-release/patchmetrics/cve-status-dunfell.txt
Regards, Andrej On Fri, 2023-03-10 at 04:40 -1000, Steve Sakoman wrote: > On Fri, Mar 10, 2023 at 3:09 AM Valek, Andrej > <[email protected]> wrote: > > > > Hello again, > > > > Looks like that this patch showed some isses/open points: > > - CVE-2021-22897 is white-listed already, but in hardknott is fixed > > already > > https://github.com/openembedded/openembedded-core/blob/hardknott/meta/recipes-support/curl/curl/CVE-2021-22897.patch > > - So do we have to ignore the patch, or apply and remove the > > whitelist, or remove patch from hardknott? > > Hardknott is no longer being maintained, so nothing needs to be done > there. > > Since this is a Windows only bug ("It can only trigger when Schannel > is used, which is the native TLS library in Microsoft Windows") I > think the existing whitelist is fine and we don't need this > additional > patch. > > > - Https certificate at yocto.io has been expired ;) > > Can you give me the url which is giving the expired certificate > error? > > Thanks! > > Steve > > > Regards, > > Andrej > > > > On Fri, 2023-03-10 at 13:45 +0100, Andrej Valek wrote: > > > https://curl.se/docs/CVE-2021-22897.html > > > > > > Signed-off-by: Andrej Valek <[email protected]> > > > --- > > > .../curl/curl/CVE-2021-22897.patch | 73 > > > +++++++++++++++++++ > > > meta/recipes-support/curl/curl_7.69.1.bb | 1 + > > > 2 files changed, 74 insertions(+) > > > create mode 100644 meta/recipes-support/curl/curl/CVE-2021- > > > 22897.patch > > > > > > diff --git a/meta/recipes-support/curl/curl/CVE-2021-22897.patch > > > b/meta/recipes-support/curl/curl/CVE-2021-22897.patch > > > new file mode 100644 > > > index 0000000000..cbd6c067ce > > > --- /dev/null > > > +++ b/meta/recipes-support/curl/curl/CVE-2021-22897.patch 
> > > @@ -0,0 +1,73 @@ > > > +From bbb71507b7bab52002f9b1e0880bed6a32834511 Mon Sep 17 > > > 00:00:00 > > > 2001 > > > +From: Daniel Stenberg <[email protected]> > > > +Date: Fri, 23 Apr 2021 10:54:10 +0200 > > > +Subject: [PATCH] schannel: don't use static to store selected > > > ciphers > > > + > > > +CVE-2021-22897 > > > + > > > +Bug: https://curl.se/docs/CVE-2021-22897.html > > > + > > > +Upstream-Status: Backport > > > +[ > > > https://github.com/curl/curl/commit/bbb71507b7bab52002f9b1e0880bed6a3 > > > 2834511] > > > + > > > +CVE: CVE-2021-22897 > > > + > > > +Signed-off-by: Daniel Stenberg <[email protected]> > > > +Signed-off-by: Khairul Rohaizzat Jamaluddin > > > <[email protected]> > > > +Signed-off-by: Andrej Valek <[email protected]> > > > +--- > > > + lib/vtls/schannel.c | 9 +++++---- > > > + lib/vtls/schannel.h | 3 +++ > > > + 2 files changed, 8 insertions(+), 4 deletions(-) > > > + > > > +diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c > > > +index 8c25ac5dd5a5..dba7072273a9 100644 > > > +--- a/lib/vtls/schannel.c > > > ++++ b/lib/vtls/schannel.c > > > +@@ -322,12 +322,12 @@ get_alg_id_by_name(char *name) > > > + } > > > + > > > + static CURLcode > > > +-set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers) > > > ++set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers, > > > ++ int *algIds) > > > + { > > > + char *startCur = ciphers; > > > + int algCount = 0; > > > +- static ALG_ID algIds[45]; /*There are 45 listed in the MS > > > headers*/ > > > +- while(startCur && (0 != *startCur) && (algCount < 45)) { > > > ++ while(startCur && (0 != *startCur) && (algCount < > > > NUMOF_CIPHERS)) > > > { > > > + long alg = strtol(startCur, 0, 0); > > > + if(!alg) > > > + alg = get_alg_id_by_name(startCur); > > > +@@ -566,7 +566,8 @@ schannel_connect_step1(struct connectdat > > > + } > > > + > > > + if(SSL_CONN_CONFIG(cipher_list)) { > > > +- result = set_ssl_ciphers(&schannel_cred, > > > SSL_CONN_CONFIG(cipher_list)); > > > ++ result = 
set_ssl_ciphers(&schannel_cred, > > > SSL_CONN_CONFIG(cipher_list), > > > ++ BACKEND->algIds); > > > + if(CURLE_OK != result) { > > > + failf(data, "Unable to set ciphers to passed via > > > SSL_CONN_CONFIG"); > > > + return result; > > > +diff --git a/lib/vtls/schannel.h b/lib/vtls/schannel.h > > > +index 2952caa1a5a1..77853aa30f96 100644 > > > +--- a/lib/vtls/schannel.h > > > ++++ b/lib/vtls/schannel.h > > > +@@ -70,6 +70,8 @@ CURLcode Curl_verify_certificate(struct > > > + #endif > > > + #endif > > > + > > > ++#define NUMOF_CIPHERS 45 /* There are 45 listed in the MS > > > headers > > > */ > > > ++ > > > + struct curl_schannel_cred { > > > + CredHandle cred_handle; > > > + TimeStamp time_stamp; > > > +@@ -101,6 +103,7 @@ struct ssl_backend_data { > > > + #ifdef HAS_MANUAL_VERIFY_API > > > + bool use_manual_cred_validation; /* true if manual cred > > > validation is used */ > > > + #endif > > > ++ ALG_ID algIds[NUMOF_CIPHERS]; > > > + }; > > > + #endif /* EXPOSE_SCHANNEL_INTERNAL_STRUCTS */ > > > + > > > diff --git a/meta/recipes-support/curl/curl_7.69.1.bb > > > b/meta/recipes- > > > support/curl/curl_7.69.1.bb > > > index ea36c0bd3d..384719dd15 100644 > > > --- a/meta/recipes-support/curl/curl_7.69.1.bb > > > +++ b/meta/recipes-support/curl/curl_7.69.1.bb > > > @@ -19,6 +19,7 @@ SRC_URI = > > > "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \ > > > file://CVE-2020-8286.patch \ > > > file://CVE-2021-22876.patch \ > > > file://CVE-2021-22890.patch \ > > > + file://CVE-2021-22897.patch \ > > > file://CVE-2021-22898.patch \ > > > file://CVE-2021-22924.patch \ > > > file://CVE-2021-22925.patch \ > >
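Review bot: The new `int *algIds` parameter of set_ssl_ciphers disagrees with what the call site in schannel_connect_step1 passes it: `BACKEND->algIds` is declared `ALG_ID algIds[NUMOF_CIPHERS]` in the schannel.h hunk, and ALG_ID is an unsigned integer typedef in the Windows crypto headers, so the call hands an `unsigned int *` to an `int *` parameter, which conforming compilers diagnose as an incompatible pointer type and which presumably ends up stored in the SCHANNEL_CRED's supported-algorithm pointer outside the hunk. Making the prototype use the element type the backend struct actually declares, `int *algIds)` → `ALG_ID *algIds)` in the set_ssl_ciphers hunk, keeps the parameter, the struct field and the credential structure consistent. The body of set_ssl_ciphers after the loop header, including whatever line publishes algIds into schannel_cred, continues outside the hunk, so the rest of that function's use of the array cannot be checked from this view.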
