diff options
author | Kai Kang <kai.kang@windriver.com> | 2022-11-25 10:38:44 +0800 |
---|---|---|
committer | Khem Raj <raj.khem@gmail.com> | 2022-11-25 18:11:10 -0800 |
commit | 71fc24398981e68d50c94cbaf294e38a81b8db36 (patch) | |
tree | 2ea8ac1335cec978b31863574a706352e8d5de7e /meta-python | |
parent | ea94889e88d6389337f8b53d69d4129095cc3b77 (diff) | |
download | meta-openembedded-71fc24398981e68d50c94cbaf294e38a81b8db36.tar.gz |
python3-m2crypto: fix CVE-2020-25657 and buildpaths qa issue
Backport patch to fix CVE-2020-25657 for python3-m2crypto. Adjust indent
as well.
Remove duplicate 'Upstream-Status:' from avoid-host-contamination.patch.
Add swig option '-DOPENSSL_FILE' to fix buildpaths qa issues.
WARNING: python3-m2crypto-0.38.0-r0 do_package_qa: QA Issue: File
/usr/lib/python3.11/site-packages/M2Crypto/_m2crypto.cpython-311-x86_64-linux-gnu.so
in package python3-m2crypto contains reference to TMPDIR [buildpaths]
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Diffstat (limited to 'meta-python')
3 files changed, 183 insertions, 6 deletions
diff --git a/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch b/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch new file mode 100644 index 000000000..38ecd7a27 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch | |||
@@ -0,0 +1,176 @@ | |||
1 | Backport patch to fix CVE-2020-25657. | ||
2 | |||
3 | Upstream-Status: Backport [https://gitlab.com/m2crypto/m2crypto/-/commit/84c53958] | ||
4 | |||
5 | Signed-off-by: Kai Kang <kai.kang@windriver.com> | ||
6 | |||
7 | From 84c53958def0f510e92119fca14d74f94215827a Mon Sep 17 00:00:00 2001 | ||
8 | From: =?UTF-8?q?Mat=C4=9Bj=20Cepl?= <mcepl@cepl.eu> | ||
9 | Date: Tue, 28 Jun 2022 21:17:01 +0200 | ||
10 | Subject: [PATCH] Mitigate the Bleichenbacher timing attacks in the RSA | ||
11 | decryption API (CVE-2020-25657) | ||
12 | |||
13 | Fixes #282 | ||
14 | --- | ||
15 | src/SWIG/_m2crypto_wrap.c | 20 ++++++++++++-------- | ||
16 | src/SWIG/_rsa.i | 20 ++++++++++++-------- | ||
17 | tests/test_rsa.py | 15 +++++++-------- | ||
18 | 3 files changed, 31 insertions(+), 24 deletions(-) | ||
19 | |||
20 | diff --git a/src/SWIG/_m2crypto_wrap.c b/src/SWIG/_m2crypto_wrap.c | ||
21 | index aba9eb6d..a9f30da9 100644 | ||
22 | --- a/src/SWIG/_m2crypto_wrap.c | ||
23 | +++ b/src/SWIG/_m2crypto_wrap.c | ||
24 | @@ -7040,9 +7040,10 @@ PyObject *rsa_private_encrypt(RSA *rsa, PyObject *from, int padding) { | ||
25 | tlen = RSA_private_encrypt(flen, (unsigned char *)fbuf, | ||
26 | (unsigned char *)tbuf, rsa, padding); | ||
27 | if (tlen == -1) { | ||
28 | - m2_PyErr_Msg(_rsa_err); | ||
29 | + ERR_clear_error(); | ||
30 | + PyErr_Clear(); | ||
31 | PyMem_Free(tbuf); | ||
32 | - return NULL; | ||
33 | + Py_RETURN_NONE; | ||
34 | } | ||
35 | |||
36 | ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); | ||
37 | @@ -7070,9 +7071,10 @@ PyObject *rsa_public_decrypt(RSA *rsa, PyObject *from, int padding) { | ||
38 | tlen = RSA_public_decrypt(flen, (unsigned char *)fbuf, | ||
39 | (unsigned char *)tbuf, rsa, padding); | ||
40 | if (tlen == -1) { | ||
41 | - m2_PyErr_Msg(_rsa_err); | ||
42 | + ERR_clear_error(); | ||
43 | + PyErr_Clear(); | ||
44 | PyMem_Free(tbuf); | ||
45 | - return NULL; | ||
46 | + Py_RETURN_NONE; | ||
47 | } | ||
48 | |||
49 | ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); | ||
50 | @@ -7097,9 +7099,10 @@ PyObject *rsa_public_encrypt(RSA *rsa, PyObject *from, int padding) { | ||
51 | tlen = RSA_public_encrypt(flen, (unsigned char *)fbuf, | ||
52 | (unsigned char *)tbuf, rsa, padding); | ||
53 | if (tlen == -1) { | ||
54 | - m2_PyErr_Msg(_rsa_err); | ||
55 | + ERR_clear_error(); | ||
56 | + PyErr_Clear(); | ||
57 | PyMem_Free(tbuf); | ||
58 | - return NULL; | ||
59 | + Py_RETURN_NONE; | ||
60 | } | ||
61 | |||
62 | ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); | ||
63 | @@ -7124,9 +7127,10 @@ PyObject *rsa_private_decrypt(RSA *rsa, PyObject *from, int padding) { | ||
64 | tlen = RSA_private_decrypt(flen, (unsigned char *)fbuf, | ||
65 | (unsigned char *)tbuf, rsa, padding); | ||
66 | if (tlen == -1) { | ||
67 | - m2_PyErr_Msg(_rsa_err); | ||
68 | + ERR_clear_error(); | ||
69 | + PyErr_Clear(); | ||
70 | PyMem_Free(tbuf); | ||
71 | - return NULL; | ||
72 | + Py_RETURN_NONE; | ||
73 | } | ||
74 | ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); | ||
75 | |||
76 | diff --git a/src/SWIG/_rsa.i b/src/SWIG/_rsa.i | ||
77 | index bc714e01..1377b8be 100644 | ||
78 | --- a/src/SWIG/_rsa.i | ||
79 | +++ b/src/SWIG/_rsa.i | ||
80 | @@ -239,9 +239,10 @@ PyObject *rsa_private_encrypt(RSA *rsa, PyObject *from, int padding) { | ||
81 | tlen = RSA_private_encrypt(flen, (unsigned char *)fbuf, | ||
82 | (unsigned char *)tbuf, rsa, padding); | ||
83 | if (tlen == -1) { | ||
84 | - m2_PyErr_Msg(_rsa_err); | ||
85 | + ERR_clear_error(); | ||
86 | + PyErr_Clear(); | ||
87 | PyMem_Free(tbuf); | ||
88 | - return NULL; | ||
89 | + Py_RETURN_NONE; | ||
90 | } | ||
91 | |||
92 | ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); | ||
93 | @@ -269,9 +270,10 @@ PyObject *rsa_public_decrypt(RSA *rsa, PyObject *from, int padding) { | ||
94 | tlen = RSA_public_decrypt(flen, (unsigned char *)fbuf, | ||
95 | (unsigned char *)tbuf, rsa, padding); | ||
96 | if (tlen == -1) { | ||
97 | - m2_PyErr_Msg(_rsa_err); | ||
98 | + ERR_clear_error(); | ||
99 | + PyErr_Clear(); | ||
100 | PyMem_Free(tbuf); | ||
101 | - return NULL; | ||
102 | + Py_RETURN_NONE; | ||
103 | } | ||
104 | |||
105 | ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); | ||
106 | @@ -296,9 +298,10 @@ PyObject *rsa_public_encrypt(RSA *rsa, PyObject *from, int padding) { | ||
107 | tlen = RSA_public_encrypt(flen, (unsigned char *)fbuf, | ||
108 | (unsigned char *)tbuf, rsa, padding); | ||
109 | if (tlen == -1) { | ||
110 | - m2_PyErr_Msg(_rsa_err); | ||
111 | + ERR_clear_error(); | ||
112 | + PyErr_Clear(); | ||
113 | PyMem_Free(tbuf); | ||
114 | - return NULL; | ||
115 | + Py_RETURN_NONE; | ||
116 | } | ||
117 | |||
118 | ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); | ||
119 | @@ -323,9 +326,10 @@ PyObject *rsa_private_decrypt(RSA *rsa, PyObject *from, int padding) { | ||
120 | tlen = RSA_private_decrypt(flen, (unsigned char *)fbuf, | ||
121 | (unsigned char *)tbuf, rsa, padding); | ||
122 | if (tlen == -1) { | ||
123 | - m2_PyErr_Msg(_rsa_err); | ||
124 | + ERR_clear_error(); | ||
125 | + PyErr_Clear(); | ||
126 | PyMem_Free(tbuf); | ||
127 | - return NULL; | ||
128 | + Py_RETURN_NONE; | ||
129 | } | ||
130 | ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); | ||
131 | |||
132 | diff --git a/tests/test_rsa.py b/tests/test_rsa.py | ||
133 | index 7bb3af75..5e75d681 100644 | ||
134 | --- a/tests/test_rsa.py | ||
135 | +++ b/tests/test_rsa.py | ||
136 | @@ -109,8 +109,9 @@ class RSATestCase(unittest.TestCase): | ||
137 | # The other paddings. | ||
138 | for padding in self.s_padding_nok: | ||
139 | p = getattr(RSA, padding) | ||
140 | - with self.assertRaises(RSA.RSAError): | ||
141 | - priv.private_encrypt(self.data, p) | ||
142 | + # Exception disabled as a part of mitigation against CVE-2020-25657 | ||
143 | + # with self.assertRaises(RSA.RSAError): | ||
144 | + priv.private_encrypt(self.data, p) | ||
145 | # Type-check the data to be encrypted. | ||
146 | with self.assertRaises(TypeError): | ||
147 | priv.private_encrypt(self.gen_callback, RSA.pkcs1_padding) | ||
148 | @@ -127,10 +128,12 @@ class RSATestCase(unittest.TestCase): | ||
149 | self.assertEqual(ptxt, self.data) | ||
150 | |||
151 | # no_padding | ||
152 | - with six.assertRaisesRegex(self, RSA.RSAError, 'data too small'): | ||
153 | - priv.public_encrypt(self.data, RSA.no_padding) | ||
154 | + # Exception disabled as a part of mitigation against CVE-2020-25657 | ||
155 | + # with six.assertRaisesRegex(self, RSA.RSAError, 'data too small'): | ||
156 | + priv.public_encrypt(self.data, RSA.no_padding) | ||
157 | |||
158 | # Type-check the data to be encrypted. | ||
159 | + # Exception disabled as a part of mitigation against CVE-2020-25657 | ||
160 | with self.assertRaises(TypeError): | ||
161 | priv.public_encrypt(self.gen_callback, RSA.pkcs1_padding) | ||
162 | |||
163 | @@ -146,10 +149,6 @@ class RSATestCase(unittest.TestCase): | ||
164 | b'\000\000\000\003\001\000\001') # aka 65537 aka 0xf4 | ||
165 | with self.assertRaises(RSA.RSAError): | ||
166 | setattr(rsa, 'e', '\000\000\000\003\001\000\001') | ||
167 | - with self.assertRaises(RSA.RSAError): | ||
168 | - rsa.private_encrypt(1) | ||
169 | - with self.assertRaises(RSA.RSAError): | ||
170 | - rsa.private_decrypt(1) | ||
171 | assert rsa.check_key() | ||
172 | |||
173 | def test_loadpub_bad(self): | ||
174 | -- | ||
175 | GitLab | ||
176 | |||
diff --git a/meta-python/recipes-devtools/python/python3-m2crypto/avoid-host-contamination.patch b/meta-python/recipes-devtools/python/python3-m2crypto/avoid-host-contamination.patch index 9d9b8449b..3cd6f7c27 100644 --- a/meta-python/recipes-devtools/python/python3-m2crypto/avoid-host-contamination.patch +++ b/meta-python/recipes-devtools/python/python3-m2crypto/avoid-host-contamination.patch | |||
@@ -1,6 +1,6 @@ | |||
1 | Filter out '/usr/include' for swig to avoid host contamination issue. | 1 | Filter out '/usr/include' for swig to avoid host contamination issue. |
2 | 2 | ||
3 | Upstream-Status: Upstream-Status: Inappropriate [cross compile specific] | 3 | Upstream-Status: Inappropriate [cross compile specific] |
4 | 4 | ||
5 | Signed-off-by: Kai Kang <kai.kang@windriver.com> | 5 | Signed-off-by: Kai Kang <kai.kang@windriver.com> |
6 | --- | 6 | --- |
diff --git a/meta-python/recipes-devtools/python/python3-m2crypto_0.38.0.bb b/meta-python/recipes-devtools/python/python3-m2crypto_0.38.0.bb index 51a0dd676..40e3bfb31 100644 --- a/meta-python/recipes-devtools/python/python3-m2crypto_0.38.0.bb +++ b/meta-python/recipes-devtools/python/python3-m2crypto_0.38.0.bb | |||
@@ -7,10 +7,11 @@ LIC_FILES_CHKSUM = "file://LICENCE;md5=b0e1f0b7d0ce8a62c18b1287b991800e" | |||
7 | FILESEXTRAPATHS:prepend := "${THISDIR}/python-m2crypto:" | 7 | FILESEXTRAPATHS:prepend := "${THISDIR}/python-m2crypto:" |
8 | 8 | ||
9 | SRC_URI += "file://0001-setup.py-link-in-sysroot-not-in-host-directories.patch \ | 9 | SRC_URI += "file://0001-setup.py-link-in-sysroot-not-in-host-directories.patch \ |
10 | file://cross-compile-platform.patch \ | 10 | file://cross-compile-platform.patch \ |
11 | file://avoid-host-contamination.patch \ | 11 | file://avoid-host-contamination.patch \ |
12 | file://0001-setup.py-address-openssl-3.x-build-issue.patch \ | 12 | file://0001-setup.py-address-openssl-3.x-build-issue.patch \ |
13 | " | 13 | file://CVE-2020-25657.patch \ |
14 | " | ||
14 | SRC_URI[sha256sum] = "99f2260a30901c949a8dc6d5f82cd5312ffb8abc92e76633baf231bbbcb2decb" | 15 | SRC_URI[sha256sum] = "99f2260a30901c949a8dc6d5f82cd5312ffb8abc92e76633baf231bbbcb2decb" |
15 | 16 | ||
16 | PYPI_PACKAGE = "M2Crypto" | 17 | PYPI_PACKAGE = "M2Crypto" |
@@ -34,7 +35,7 @@ DISTUTILS_INSTALL_ARGS += "build_ext --openssl=${STAGING_EXECPREFIXDIR}" | |||
34 | SWIG_FEATURES:x86 = "-D__i386__" | 35 | SWIG_FEATURES:x86 = "-D__i386__" |
35 | SWIG_FEATURES:x32 = "-D__ILP32__" | 36 | SWIG_FEATURES:x32 = "-D__ILP32__" |
36 | 37 | ||
37 | SWIG_FEATURES ?= "-D__${HOST_ARCH}__ ${@['-D__ILP32__','-D__LP64__'][d.getVar('SITEINFO_BITS') != '32']}" | 38 | SWIG_FEATURES ?= "-D__${HOST_ARCH}__ ${@['-D__ILP32__','-D__LP64__'][d.getVar('SITEINFO_BITS') != '32']} -DOPENSSL_FILE='openssl/macros.h'" |
38 | 39 | ||
39 | SWIG_FEATURES:append:riscv64 = " -D__SIZEOF_POINTER__=${SITEINFO_BITS}/8 -D__riscv_xlen=${SITEINFO_BITS}" | 40 | SWIG_FEATURES:append:riscv64 = " -D__SIZEOF_POINTER__=${SITEINFO_BITS}/8 -D__riscv_xlen=${SITEINFO_BITS}" |
40 | SWIG_FEATURES:append:riscv32 = " -D__SIZEOF_POINTER__=${SITEINFO_BITS}/8 -D__riscv_xlen=${SITEINFO_BITS}" | 41 | SWIG_FEATURES:append:riscv32 = " -D__SIZEOF_POINTER__=${SITEINFO_BITS}/8 -D__riscv_xlen=${SITEINFO_BITS}" |