On Wed, Mar 2, 2016 at 11:14 AM, akuster <[email protected]> wrote:
>
> On 03/02/2016 10:06 AM, Andre McCurdy wrote:
>> On Tue, Mar 1, 2016 at 11:38 PM, Armin Kuster <[email protected]> wrote:
>>> From: Armin Kuster <[email protected]>
>>>
>>> CVE-2016-0800
>>> CVE-2016-0705
>>> CVE-2016-0798
>>> CVE-2016-0797
>>> CVE-2016-0799
>>> CVE-2016-0702
>>> CVE-2016-0703
>>> CVE-2016-0704
>>>
>>> https://www.openssl.org/news/secadv/20160301.txt
>>>
>>> Updated 2 Debian patches to match changes in 1.0.1g
>>
>> Could you give some details on why the linker version script is now
>> required
>
> It has been part of openssl for over a year.
>
> See commit ( Better call Saul )
>
> http://cgit.openembedded.org/openembedded-core/commit/meta/recipes-connectivity/openssl?id=10b689033551c37d6cafa284d82bdccd43f6113e
>
>>> and how it was generated?
>
> This is just an update from Debian to support 1.0.2g. I have no idea how
> they create that file.
OK, yes, I see it now in the Debian openssl 1.0.2g patches:

  http://http.debian.net/debian/pool/main/o/openssl/openssl_1.0.2g-1.debian.tar.xz

It seems that Debian have been versioning openssl symbols for quite some time and we've inherited that via the Debian patches.

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=333349
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=180725
  ...

Perhaps some comments in the openssl recipe would be useful to make it a little clearer that we are providing Debian openssl and not the vanilla upstream version. Maybe even use Debian version numbers (i.e. 1.0.2g-1 in this case) and apply the complete set of Debian patches for each new release instead of keeping our own local copies?

> If you don't have it this package won't build.
>
> It was there when you updated to 1.0.2f, which I suspect you did not
> realize.
>
> Sorry I don't have a better answer.
>
> - Armin
>
>>
>>> Signed-off-by: Armin Kuster <[email protected]> >>> --- >>> .../openssl/debian1.0.2/block_diginotar.patch | 17 +- >>> .../openssl/debian1.0.2/version-script.patch | 4656 >>> ++++++++++++++++++++ >>> .../{openssl_1.0.2f.bb => openssl_1.0.2g.bb} | 6 +- >>> 3 files changed, 4668 insertions(+), 11 deletions(-) >>> create mode 100644 >>> meta/recipes-connectivity/openssl/openssl/debian1.0.2/version-script.patch >>> rename meta/recipes-connectivity/openssl/{openssl_1.0.2f.bb => >>> openssl_1.0.2g.bb} (91%) >>> >>> diff --git >>> a/meta/recipes-connectivity/openssl/openssl/debian1.0.2/block_diginotar.patch >>> >>> b/meta/recipes-connectivity/openssl/openssl/debian1.0.2/block_diginotar.patch >>> index 0c1a0b6..d81e22c 100644 >>> --- >>> a/meta/recipes-connectivity/openssl/openssl/debian1.0.2/block_diginotar.patch >>> +++ >>> b/meta/recipes-connectivity/openssl/openssl/debian1.0.2/block_diginotar.patch 
>>> @@ -9,14 +9,15 @@ Reviewed-by: Kurt Roeckx <[email protected]> >>> Reviewed-by: Dr Stephen N Henson <[email protected]> >>> >>> This is not meant as final patch. >>> - >>> + >>> Upstream-Status: Backport [debian] >>> >>> +Signed-off-by: Armin Kuster <[email protected]> >>> >>> -Index: openssl-1.0.2/crypto/x509/x509_vfy.c >>> +Index: openssl-1.0.2g/crypto/x509/x509_vfy.c >>> =================================================================== >>> ---- openssl-1.0.2.orig/crypto/x509/x509_vfy.c >>> -+++ openssl-1.0.2/crypto/x509/x509_vfy.c >>> +--- openssl-1.0.2g.orig/crypto/x509/x509_vfy.c >>> ++++ openssl-1.0.2g/crypto/x509/x509_vfy.c >>> @@ -119,6 +119,7 @@ static int check_trust(X509_STORE_CTX *c >>> static int check_revocation(X509_STORE_CTX *ctx); >>> static int check_cert(X509_STORE_CTX *ctx); >>> @@ -25,17 +26,17 @@ Index: openssl-1.0.2/crypto/x509/x509_vfy.c >>> >>> static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, >>> unsigned int *preasons, X509_CRL *crl, X509 *x); >>> -@@ -438,6 +439,9 @@ int X509_verify_cert(X509_STORE_CTX *ctx >>> +@@ -489,6 +490,9 @@ int X509_verify_cert(X509_STORE_CTX *ctx >>> if (!ok) >>> - goto end; >>> + goto err; >>> >>> + ok = check_ca_blacklist(ctx); >>> -+ if(!ok) goto end; >>> ++ if(!ok) goto err; >>> + >>> #ifndef OPENSSL_NO_RFC3779 >>> /* RFC 3779 path validation, now that CRL check has been done */ >>> ok = v3_asid_validate_path(ctx); >>> -@@ -938,6 +942,29 @@ static int check_crl_time(X509_STORE_CTX >>> +@@ -996,6 +1000,29 @@ static int check_crl_time(X509_STORE_CTX >>> return 1; >>> } >>> >>> diff --git >>> a/meta/recipes-connectivity/openssl/openssl/debian1.0.2/version-script.patch >>> >>> b/meta/recipes-connectivity/openssl/openssl/debian1.0.2/version-script.patch >>> new file mode 100644 >>> index 0000000..29f11a2 >>> --- /dev/null >>> +++ >>> b/meta/recipes-connectivity/openssl/openssl/debian1.0.2/version-script.patch 
>>> @@ -0,0 +1,4656 @@ >>> +Index: openssl-1.0.2~beta1.obsolete.0.0498436515490575/Configure >>> +=================================================================== >>> +--- openssl-1.0.2~beta1.obsolete.0.0498436515490575.orig/Configure >>> 2014-02-24 21:02:30.000000000 +0100 >>> ++++ openssl-1.0.2~beta1.obsolete.0.0498436515490575/Configure 2014-02-24 >>> 21:02:30.000000000 +0100 >>> +@@ -1651,6 +1651,8 @@ >>> + } >>> + } >>> + >>> ++$shared_ldflag .= " -Wl,--version-script=openssl.ld"; >>> ++ >>> + open(IN,'<Makefile.org') || die "unable to read Makefile.org:$!\n"; >>> + unlink("$Makefile.new") || die "unable to remove old $Makefile.new:$!\n" >>> if -e "$Makefile.new"; >>> + open(OUT,">$Makefile.new") || die "unable to create $Makefile.new:$!\n"; >>> +Index: openssl-1.0.2~beta1.obsolete.0.0498436515490575/openssl.ld >>> +=================================================================== >>> +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 >>> ++++ openssl-1.0.2~beta1.obsolete.0.0498436515490575/openssl.ld 2014-02-24 >>> 22:19:08.601827266 +0100 >>> +@@ -0,0 +1,4608 @@ >>> ++OPENSSL_1.0.2d { >>> ++ global: >>> ++ BIO_f_ssl; >>> ++ BIO_new_buffer_ssl_connect; >>> ++ BIO_new_ssl; >>> ++ BIO_new_ssl_connect; >>> ++ BIO_proxy_ssl_copy_session_id; >>> ++ BIO_ssl_copy_session_id; >>> ++ BIO_ssl_shutdown; >>> ++ d2i_SSL_SESSION; >>> ++ ... >>> ++ ... -- _______________________________________________ Openembedded-core mailing list [email protected] http://lists.openembedded.org/mailman/listinfo/openembedded-core
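Review bot: the commit message says the Debian patches were updated to match changes in 1.0.1g, but the diffstat renames openssl_1.0.2f.bb to openssl_1.0.2g.bb and the linked advisory is the 1.0.2g release; correct the version in the message so the history records the actual rebase target.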
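Review bot: in the refreshed block_diginotar.patch hunk the bail-out after the blacklist check moves from `-+ if(!ok) goto end;` to `++ if(!ok) goto err;` and the inner header from `-@@ -438,6 +439,9 @@` to `+@@ -489,6 +490,9 @@`, following the context change `- goto end;` / `+ goto err;`, yet neither the patch description nor the commit message says that the exit label in X509_verify_cert changed in 1.0.2g; add a line to the patch header so the next rebase can verify the jump target rather than re-derive it. The second inner hunk (`+@@ -996,6 +1000,29 @@ static int check_crl_time`) shows only its renumbered header and the `return 1; }` context here, so the check_ca_blacklist body that the new call depends on is not reviewable from this posting.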
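Review bot: the Configure hunk appends `-Wl,--version-script=openssl.ld` to `$shared_ldflag` unconditionally, so every configuration built from this recipe now requires a linker that accepts `--version-script` and an openssl.ld at that relative path, and the visible head of openssl.ld names its version node `OPENSSL_1.0.2d` while the recipe moves to 1.0.2g; both are inherited from Debian but should be recorded. Unlike block_diginotar.patch in the same series, which carries `Upstream-Status: Backport [debian]` and a Signed-off-by, version-script.patch has no Upstream-Status or Signed-off-by header, so add one naming the Debian source of the 4608-line symbol list.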
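A maintainer's check for what a version script like the openssl.ld in this patch actually covers, added here as an example and not code from the thread, from Debian or from OE-core: it parses the GNU ld version-script format shown in the hunk and compares the `global:` entries with a symbol list in `nm -D --defined-only` format. Both inputs are constructed excerpts, not the real 4608-line openssl.ld or a real libssl.so; in practice the nm output would come from a build made without the script (or from upstream's exported-symbol list), since a `local: *;` script removes unlisted symbols from the dynamic symbol table and they would otherwise not show up.

```python
import re

# Constructed excerpt in the format of Debian's openssl.ld (not the real 4608-line file).
VERSION_SCRIPT = """
OPENSSL_1.0.2d {
    global:
        BIO_f_ssl;
        BIO_new_ssl;
        d2i_SSL_SESSION;
    local:
        *;
};
"""

# Constructed `nm -D --defined-only` output for a hypothetical libssl built without the script.
NM_OUTPUT = """
00001000 T BIO_f_ssl
00001100 T BIO_new_ssl
00001200 T d2i_SSL_SESSION
00001300 T SSL_CTX_new_in_this_release
00002000 D SSL_version_str
"""

# One version node: NAME { ... };  (quoted names and extern "C++" blocks are not handled)
NODE_RE = re.compile(r"([\w.]+)\s*\{(.*?)\}\s*;", re.S)

def parse_version_script(text):
    """Map each version node name to the set of symbols it lists under global:."""
    nodes = {}
    for name, body in NODE_RE.findall(text):
        section, names = None, set()
        for token in re.split(r"[;\s]+", body.strip()):
            if token in ("global:", "local:"):
                section = token[:-1]
            elif token and section == "global":
                names.add(token)
        nodes[name] = names
    return nodes

def parse_nm(text):
    """Collect defined symbol names from `nm -D --defined-only` output."""
    return {parts[2] for parts in (line.split() for line in text.splitlines())
            if len(parts) == 3}

def symbol_coverage(script_text, nm_text):
    """Return (exported but unlisted, listed but not exported), both sorted: the first is
    what a `local: *;` script silently hides, the second is stale entries from an older release."""
    listed = set().union(*parse_version_script(script_text).values())
    exported = parse_nm(nm_text)
    return sorted(exported - listed), sorted(listed - exported)
```

Running `symbol_coverage(VERSION_SCRIPT, NM_OUTPUT)` on the constructed inputs reports the two symbols the script would hide and no stale entries; a non-empty first list after a release bump is the signal that openssl.ld needs a new version node.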
