It seems that this update fails for aarch64: https://gist.github.com/OldManYellsAtCloud/3e80a812b4342a990f76c42bb17a6ba4
On 3/9/26 11:06, Andrej Kozemcak via lists.openembedded.org wrote: > License-Update: copyright years refreshed > > Removed patch included in this release > > Changelog: > https://github.com/jedisct1/libsodium/releases/tag/1.0.21-RELEASE > > Changes: > > Version 1.0.21 > - security fix for the crypto_core_ed25519_is_valid_point() function > - new crypto_ipcrypt_* functions > - sodium_bin2ip and sodium_ip2bin helper functions > - XOF: the crypto_xof_shake* and crypto_xof_turboshake* functions > > Version 1.0.20-stable > - XCFramework: cross-compilation is now forced on Apple Silicon to avoid > Rosetta-related build issues > - The Fil-C compiler is supported out of the box > - The CompCert compiler is supported out of the box > - MSVC 2026 (Visual Studio 2026) is now supported > - Zig builds now support FreeBSD targets > - Performance of AES256-GCM and AEGIS on ARM has been improved with some > compilers > - Android binaries have been added to the NuGet package > - Windows ARM binaries have been added to the NuGet package > - The Android build script has been improved. The base SDK is now 27c, and > the default platform is 21, supporting 16 KB page sizes. > - The library can now be compiled with Zig 0.15 and Zig 0.16 > - Zig builds now generate position-independent static libraries by default on > targets that support PIC > - arm64e builds have been added to the XCFramework packages > - XCFramework packages are now full builds instead of minimal builds > - MSVC builds have been enabled for ARM64 > - iOS 32-bit (armv7/armv7s) support has been removed from the XCFramework > build script > - Security: optblockers have been introduced in critical code paths to > prevent compilers from introducing unwanted side channels via conditional > jumps. This was observed on RISC-V targets with specific compilers and > options. > - Security: crypto_core_ed25519_is_valid_point() now properly rejects > small-order points that are not in the main subgroup > - ((nonnull)) attributes have been relaxed on some crypto_stream* functions > to allow NULL output buffers when the output length is zero > - A cross-compilation issue with old clang versions has been fixed > - JavaScript: support for Cloudflare Workers has been added > - JavaScript: WASM_BIGINT is forcibly disabled to retain compatibility with > older runtimes > - A compilation issue with old toolchains on Solaris has been fixed > - crypto_aead_aes256gcm_is_available is exported to JavaScript > - libsodium is now compatible with Emscripten 4.x > - Security: memory fences have been added after MAC verification in AEAD to > prevent speculative access to plaintext before authentication is complete > - Assembly files now include .gnu.property notes for proper IBT and Shadow > Stack support when building with CET instrumentation. > > Signed-off-by: Andrej Kozemcak <[email protected]> > --- > .../libsodium/libsodium/CVE-2025-69277.patch | 61 ------------------- > ...ibsodium_1.0.20.bb => libsodium_1.0.21.bb} | 5 +- > 2 files changed, 2 insertions(+), 64 deletions(-) > delete mode 100644 > meta-oe/recipes-crypto/libsodium/libsodium/CVE-2025-69277.patch > rename meta-oe/recipes-crypto/libsodium/{libsodium_1.0.20.bb => > libsodium_1.0.21.bb} (58%) > > diff --git a/meta-oe/recipes-crypto/libsodium/libsodium/CVE-2025-69277.patch > b/meta-oe/recipes-crypto/libsodium/libsodium/CVE-2025-69277.patch > deleted file mode 100644 > index a2ced62760..0000000000 > --- a/meta-oe/recipes-crypto/libsodium/libsodium/CVE-2025-69277.patch > +++ /dev/null > @@ -1,61 +0,0 @@ > -From ad3004ec8731730e93fcfbbc824e67eadc1c1bae Mon Sep 17 00:00:00 2001 > -From: Frank Denis <[email protected]> > -Date: Mon, 29 Dec 2025 23:22:15 +0100 > -Subject: [PATCH] core_ed25519_is_valid_point: check Y==Z in addition to X==0 > - > -CVE: CVE-2025-69277 > -Upstream-Status: Backport > [https://github.com/jedisct1/libsodium/commit/ad3004ec8731730e93fcfbbc824e67eadc1c1bae] > -Signed-off-by: Peter Marko <[email protected]> > ---- > - src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c | 5 ++++- > - test/default/core_ed25519.c | 7 ++++++- > - 2 files changed, 10 insertions(+), 2 deletions(-) > - > -diff --git a/src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c > b/src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c > -index d3020132..4b824f6d 100644 > ---- a/src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c > -+++ b/src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c > -@@ -1141,10 +1141,13 @@ int > - ge25519_is_on_main_subgroup(const ge25519_p3 *p) > - { > - ge25519_p3 pl; > -+ fe25519 t; > - > - ge25519_mul_l(&pl, p); > - > -- return fe25519_iszero(pl.X); > -+ fe25519_sub(t, pl.Y, pl.Z); > -+ > -+ return fe25519_iszero(pl.X) & fe25519_iszero(t); > - } > - > - int > -diff --git a/test/default/core_ed25519.c b/test/default/core_ed25519.c > -index bc457493..02f72bd6 100644 > ---- a/test/default/core_ed25519.c > -+++ b/test/default/core_ed25519.c > -@@ -13,6 +13,10 @@ static const unsigned char max_canonical_p[32] = { > - 0xe4, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, > 0xff, 0xff, 0xff, 0xff, > - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, > 0xff, 0xff, 0xff, 0x7f > - }; > -+static const unsigned char not_main_subgroup_p[32] = { > -+ 0x95, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, > 0x99, 0x99, 0x99, 0x99, > -+ 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, > 0x99, 0x99, 0x99, 0x99 > -+}; > - static const unsigned char L_p1[32] = { > - 0xee, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7, 0xa2, > 0xde, 0xf9, 0xde, 0x14, > - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, > 0x00, 0x00, 0x00, 0x10 > -@@ -133,11 +137,12 @@ main(void) > - assert(crypto_core_ed25519_is_valid_point(p) == 0); > - > - p[0] = 9; > -- assert(crypto_core_ed25519_is_valid_point(p) == 1); > -+ assert(crypto_core_ed25519_is_valid_point(p) == 0); > - > - assert(crypto_core_ed25519_is_valid_point(max_canonical_p) == 1); > - assert(crypto_core_ed25519_is_valid_point(non_canonical_invalid_p) == > 0); > - assert(crypto_core_ed25519_is_valid_point(non_canonical_p) == 0); > -+ assert(crypto_core_ed25519_is_valid_point(not_main_subgroup_p) == 0); > - > - memcpy(p2, p, crypto_core_ed25519_BYTES); > - add_P(p2); > diff --git a/meta-oe/recipes-crypto/libsodium/libsodium_1.0.20.bb > b/meta-oe/recipes-crypto/libsodium/libsodium_1.0.21.bb > similarity index 58% > rename from meta-oe/recipes-crypto/libsodium/libsodium_1.0.20.bb > rename to meta-oe/recipes-crypto/libsodium/libsodium_1.0.21.bb > index 972b8b8694..5616dbc55e 100644 > --- a/meta-oe/recipes-crypto/libsodium/libsodium_1.0.20.bb > +++ b/meta-oe/recipes-crypto/libsodium/libsodium_1.0.21.bb > @@ -2,12 +2,11 @@ SUMMARY = "The Sodium crypto library" > HOMEPAGE = "http://libsodium.org/"; > BUGTRACKER = "https://github.com/jedisct1/libsodium/issues"; > LICENSE = "ISC" > -LIC_FILES_CHKSUM = "file://LICENSE;md5=c59be7bb29f8e431b5f2d690b6734185" > +LIC_FILES_CHKSUM = "file://LICENSE;md5=4942a8ebbbc7f2212bd68a47df264a4f" > > SRC_URI = > "https://download.libsodium.org/libsodium/releases/${BPN}-${PV}.tar.gz"; > -SRC_URI[sha256sum] = > "ebb65ef6ca439333c2bb41a0c1990587288da07f6c7fd07cb3a18cc18d30ce19" > +SRC_URI[sha256sum] = > "9e4285c7a419e82dedb0be63a72eea357d6943bc3e28e6735bf600dd4883feaf" > > -SRC_URI += "file://CVE-2025-69277.patch" > > inherit autotools > > > > > >
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#125213): https://lists.openembedded.org/g/openembedded-devel/message/125213 Mute This Topic: https://lists.openembedded.org/mt/118218630/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
