I'm getting ptest failures with this patch, both on qemux86-64-ptest and qemuarm64-ptest.
Links to logs below:

https://autobuilder.yocto.io/pub/non-release/20240311-30/testresults/qemux86-64-ptest/core-image-ptest-openssl/log.do_testimage.831625.20240311232818
https://autobuilder.yocto.io/pub/non-release/20240311-30/testresults/qemuarm64-ptest/core-image-ptest-openssl/log.do_testimage.152067.20240312011738

Steve

On Sun, Mar 10, 2024 at 10:40 PM Lee Chee Yang <chee.yang....@intel.com> wrote:
>
> From: Lee Chee Yang <chee.yang....@intel.com>
>
> Changes between 3.1.4 and 3.1.5 [30 Jan 2024]
> * A file in PKCS12 format can contain certificates and keys and may come from
> an untrusted source. The PKCS12 specification allows certain fields to be
> NULL, but OpenSSL did not correctly check for this case. A fix has been
> applied to prevent a NULL pointer dereference that results in OpenSSL
> crashing. If an application processes PKCS12 files from an untrusted source
> using the OpenSSL APIs then that application will be vulnerable to this
> issue prior to this fix.
>
> OpenSSL APIs that were vulnerable to this are: PKCS12_parse(),
> PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()
> and PKCS12_newpass().
>
> We have also fixed a similar issue in SMIME_write_PKCS7(). However since this
> function is related to writing data we do not consider it security
> significant.
>
> ([CVE-2024-0727])
> https://www.openssl.org/news/cl31.txt
>
> drop fix_random_labels.patch as fixed in
> https://github.com/openssl/openssl/commit/99630a1b08fd6464d95052dee4a3500afeb95867
>
> Signed-off-by: Lee Chee Yang <chee.yang....@intel.com>
> ---
> .../openssl/openssl/fix_random_labels.patch | 22 -------------------
> .../{openssl_3.1.4.bb => openssl_3.1.5.bb} | 3 +--
> 2 files changed, 1 insertion(+), 24 deletions(-)
> delete mode 100644 meta/recipes-connectivity/openssl/openssl/fix_random_labels.patch
> rename meta/recipes-connectivity/openssl/{openssl_3.1.4.bb => openssl_3.1.5.bb} (98%)
> > diff --git > a/meta/recipes-connectivity/openssl/openssl/fix_random_labels.patch > b/meta/recipes-connectivity/openssl/openssl/fix_random_labels.patch > deleted file mode 100644 > index 78dcd81685..0000000000 > --- a/meta/recipes-connectivity/openssl/openssl/fix_random_labels.patch > +++ /dev/null > @@ -1,22 +0,0 @@ > -The perl script adds random suffixes to the local function names to ensure > -it doesn't clash with other parts of openssl. Set the random number seed > -to something predictable so the assembler files are generated consistently > -and our own reproducible builds tests pass. > - > -Upstream-Status: Pending > -Signed-off-by: Richard Purdie <richard.pur...@linuxfoundation.org> > - > -Index: openssl-3.1.0/crypto/modes/asm/aes-gcm-avx512.pl > -=================================================================== > ---- openssl-3.1.0.orig/crypto/modes/asm/aes-gcm-avx512.pl > -+++ openssl-3.1.0/crypto/modes/asm/aes-gcm-avx512.pl > -@@ -191,6 +191,9 @@ my $CTX_OFFSET_HTable = (16 * 6); > - # ;;; Helper functions > - # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; > - > -+# Ensure the local labels are reproduicble > -+srand(10000); > -+ > - # ; Generates "random" local labels > - sub random_string() { > - my @chars = ('a' .. 'z', 'A' .. 'Z', '0' .. '9', '_'); > diff --git a/meta/recipes-connectivity/openssl/openssl_3.1.4.bb > b/meta/recipes-connectivity/openssl/openssl_3.1.5.bb > similarity index 98% > rename from meta/recipes-connectivity/openssl/openssl_3.1.4.bb > rename to meta/recipes-connectivity/openssl/openssl_3.1.5.bb > index 0fe4e76808..9c1d4e31be 100644 > --- a/meta/recipes-connectivity/openssl/openssl_3.1.4.bb > +++ b/meta/recipes-connectivity/openssl/openssl_3.1.5.bb 
> @@ -11,7 +11,6 @@ SRC_URI = > "http://www.openssl.org/source/openssl-${PV}.tar.gz \ > file://run-ptest \ > > file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \ > file://0001-Configure-do-not-tweak-mips-cflags.patch \ > - file://fix_random_labels.patch \ > > file://0001-Added-handshake-history-reporting-when-test-fails.patch \ > " > > @@ -19,7 +18,7 @@ SRC_URI:append:class-nativesdk = " \ > file://environment.d-openssl.sh \ > " > > -SRC_URI[sha256sum] = > "840af5366ab9b522bde525826be3ef0fb0af81c6a9ebd84caa600fea1731eee3" > +SRC_URI[sha256sum] = > "6ae015467dabf0469b139ada93319327be24b98251ffaeceda0221848dc09262" > > inherit lib_package multilib_header multilib_script ptest perlnative manpages > MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" > -- > 2.37.3 > > > >
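Review bot: In the deletion of fix_random_labels.patch and the matching `- file://fix_random_labels.patch \` line in the first openssl_3.1.5.bb hunk, the removal rests only on the commit-message link to upstream commit 99630a1b08fd6464d95052dee4a3500afeb95867, while the deleted header still read "Upstream-Status: Pending". Please state in the commit message that this commit is contained in the 3.1.5 tarball and that the reproducible-builds test was rerun, since the patch existed to keep the assembler files generated from aes-gcm-avx512.pl consistent. The ptest failures reported in this reply on both qemux86-64 and qemuarm64 should be resolved or explained before the upgrade is merged.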
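Review bot: In the second openssl_3.1.5.bb hunk, the new SRC_URI[sha256sum] value is the only integrity check visible in this diff for a tarball that SRC_URI fetches over plain http:// (context line of the first hunk), and the commit message does not say where the value came from. Suggest noting that it was compared against the checksum upstream publishes for openssl-3.1.5.tar.gz rather than computed from the downloaded file alone, and consider moving the URL to https in a follow-up.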