On 05/13/2016 09:19 AM, Martin Jansa wrote: > On Fri, May 13, 2016 at 04:31:39PM +0200, Martin Jansa wrote: >> On Wed, May 11, 2016 at 03:37:59AM -0700, akuster808 wrote: >>> Robert, >>> >>> >>> On 05/10/2016 11:22 PM, Robert Yang wrote: >>>> >>>> >>>> On 05/04/2016 07:46 AM, Armin Kuster wrote: >>>>> From: Armin Kuster <[email protected]> >>>>> >>>>> CVE-2016-2105 >>>>> CVE-2016-2106 >>>>> CVE-2016-2109 >>>>> CVE-2016-2176 >>>>> >>>>> https://www.openssl.org/news/secadv/20160503.txt >>>>> >>>>> fixup openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch >>>>> >>>>> drop crypto_use_bigint_in_x86-64_perl.patch as that fix is in latest. >>>> >>>> After I looked into the code, it seems that this patch is not in latest >>>> code ? >>> >>> hmm, my old eyes deceive me. >>> >>> thanks for checking. >>> >>> I will send a correcting. >> >> 1.0.2h is already in fido, jethro and master, can we quickly get it to >> krogoth >> which is still using older version 1.0.2g? >> >> It's always strange to see recipe version downgrades when upgrading to >> newer Yocto release. > > It also seems to break python-cryptography again: > http://errors.yoctoproject.org/Errors/Details/62854/
yeah. just hit this in krogoth-next after looking at the logs again. There is an upstream fix I am bac porting. There are a version 1.4 for this package we should update master if possible. I will send a patch later today. - armin > > You have fixed compatibility with 1.0.2g in: > http://git.openembedded.org/meta-openembedded/commit/?id=44f0e74954628d6a3d04fa5249dbe0c94f6dff59 > > Maybe it needs another update for 1.0.2h and the same fix should be > backported to fido and jethro, now when they all have newer openssl as > well? > >>> - armin >>>> It is a backported patch from gentoo. >>>> >>>> // Robert >>>> >>>>> >>>>> Signed-off-by: Armin Kuster <[email protected]> >>>>> --- >>>>> ...oid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch | 14 >>>>> +++++++------- >>>>> .../openssl/{openssl_1.0.2g.bb => openssl_1.0.2h.bb} | 6 ++---- >>>>> 2 files changed, 9 insertions(+), 11 deletions(-) >>>>> rename meta/recipes-connectivity/openssl/{openssl_1.0.2g.bb => >>>>> openssl_1.0.2h.bb} (91%) >>>>> >>>>> diff --git >>>>> a/meta/recipes-connectivity/openssl/openssl/openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch >>>>> b/meta/recipes-connectivity/openssl/openssl/openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch >>>>> >>>>> index cebc8cf..f736e5c 100644 >>>>> --- >>>>> a/meta/recipes-connectivity/openssl/openssl/openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch >>>>> >>>>> +++ >>>>> b/meta/recipes-connectivity/openssl/openssl/openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch >>>>> >>>>> @@ -8,16 +8,16 @@ >>>>> http://www.mail-archive.com/[email protected]/msg32860.html >>>>> >>>>> Signed-off-by: Xufeng Zhang <[email protected]> >>>>> --- >>>>> -Index: openssl-1.0.2/crypto/evp/digest.c >>>>> +Index: openssl-1.0.2h/crypto/evp/digest.c >>>>> =================================================================== >>>>> ---- openssl-1.0.2.orig/crypto/evp/digest.c >>>>> -+++ openssl-1.0.2/crypto/evp/digest.c >>>>> -@@ -208,7 +208,7 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c >>>>> - return 0; >>>>> +--- openssl-1.0.2h.orig/crypto/evp/digest.c >>>>> ++++ openssl-1.0.2h/crypto/evp/digest.c >>>>> +@@ -211,7 +211,7 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c >>>>> + type = ctx->digest; >>>>> } >>>>> #endif >>>>> - if (ctx->digest != type) { >>>>> + if (type && (ctx->digest != type)) { >>>>> - if (ctx->digest && ctx->digest->ctx_size) >>>>> + if (ctx->digest && ctx->digest->ctx_size) { >>>>> OPENSSL_free(ctx->md_data); >>>>> - ctx->digest = type; >>>>> + ctx->md_data = NULL; >>>>> diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2g.bb >>>>> b/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb >>>>> similarity index 91% >>>>> rename from meta/recipes-connectivity/openssl/openssl_1.0.2g.bb >>>>> rename to meta/recipes-connectivity/openssl/openssl_1.0.2h.bb >>>>> index 290f129..ae65992 100644 >>>>> --- a/meta/recipes-connectivity/openssl/openssl_1.0.2g.bb >>>>> +++ b/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb >>>>> @@ -34,15 +34,13 @@ SRC_URI += "file://find.pl;subdir=${BP}/util/ \ >>>>> file://openssl-fix-des.pod-error.patch \ >>>>> file://Makefiles-ptest.patch \ >>>>> file://ptest-deps.patch \ >>>>> - file://crypto_use_bigint_in_x86-64_perl.patch \ >>>>> file://openssl-1.0.2a-x32-asm.patch \ >>>>> file://ptest_makefile_deps.patch \ >>>>> file://configure-musl-target.patch \ >>>>> file://parallel.patch \ >>>>> " >>>>> - >>>>> -SRC_URI[md5sum] = "f3c710c045cdee5fd114feb69feba7aa" >>>>> -SRC_URI[sha256sum] = >>>>> "b784b1b3907ce39abf4098702dade6365522a253ad1552e267a9a0e89594aa33" >>>>> +SRC_URI[md5sum] = "9392e65072ce4b614c1392eefc1f23d0" >>>>> +SRC_URI[sha256sum] = >>>>> "1d4007e53aad94a5b2002fe045ee7bb0b3d98f1a47f8b2bc851dcd1c74332919" >>>>> >>>>> PACKAGES =+ "${PN}-engines" >>>>> FILES_${PN}-engines = "${libdir}/ssl/engines/*.so ${libdir}/engines" >>>>> >>> -- >>> _______________________________________________ >>> Openembedded-core mailing list >>> [email protected] >>> http://lists.openembedded.org/mailman/listinfo/openembedded-core >> >> -- >> Martin 'JaMa' Jansa jabber: [email protected] > > > -- _______________________________________________ Openembedded-core mailing list [email protected] http://lists.openembedded.org/mailman/listinfo/openembedded-core
