diff options
| author | Lee Chee Yang <chee.yang.lee@intel.com> | 2024-03-14 10:26:27 +0800 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2024-03-20 06:02:50 -1000 |
| commit | 6d2b73edc960222d586029b3099f451cc2d0eb48 (patch) | |
| tree | e5b7677c39f95926942e7f45f3caac17f436095c | |
| parent | 521775dcd52bbb2fa29e2fd6e4e18223341e41a5 (diff) | |
| download | poky-6d2b73edc960222d586029b3099f451cc2d0eb48.tar.gz | |
openssl: upgrade to 3.1.5
Changes between 3.1.4 and 3.1.5 [30 Jan 2024]
* A file in PKCS12 format can contain certificates and keys and may
come from
an untrusted source. The PKCS12 specification allows certain fields
to be
NULL, but OpenSSL did not correctly check for this case. A fix has
been
applied to prevent a NULL pointer dereference that results in OpenSSL
crashing. If an application processes PKCS12 files from an untrusted
source
using the OpenSSL APIs then that application will be vulnerable to
this
issue prior to this fix.
OpenSSL APIs that were vulnerable to this are: PKCS12_parse(),
PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(),
PKCS12_unpack_authsafes()
and PKCS12_newpass().
We have also fixed a similar issue in SMIME_write_PKCS7(). However
since this
function is related to writing data we do not consider it security
significant.
([CVE-2024-0727])
https://www.openssl.org/news/cl31.txt
drop fix_random_labels.patch as fixed in
https://github.com/openssl/openssl/commit/99630a1b08fd6464d95052dee4a3500afeb95867
(From OE-Core rev: aeac11fa743567e185179b27b4700bbf8fcf06e1)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
| -rw-r--r-- | meta/recipes-connectivity/openssl/openssl/fix_random_labels.patch | 22 | ||||
| -rw-r--r-- | meta/recipes-connectivity/openssl/openssl_3.1.5.bb (renamed from meta/recipes-connectivity/openssl/openssl_3.1.4.bb) | 4 |
2 files changed, 2 insertions, 24 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/fix_random_labels.patch b/meta/recipes-connectivity/openssl/openssl/fix_random_labels.patch deleted file mode 100644 index 78dcd81685..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/fix_random_labels.patch +++ /dev/null | |||
| @@ -1,22 +0,0 @@ | |||
| 1 | The perl script adds random suffixes to the local function names to ensure | ||
| 2 | it doesn't clash with other parts of openssl. Set the random number seed | ||
| 3 | to something predictable so the assembler files are generated consistently | ||
| 4 | and our own reproducible builds tests pass. | ||
| 5 | |||
| 6 | Upstream-Status: Pending | ||
| 7 | Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> | ||
| 8 | |||
| 9 | Index: openssl-3.1.0/crypto/modes/asm/aes-gcm-avx512.pl | ||
| 10 | =================================================================== | ||
| 11 | --- openssl-3.1.0.orig/crypto/modes/asm/aes-gcm-avx512.pl | ||
| 12 | +++ openssl-3.1.0/crypto/modes/asm/aes-gcm-avx512.pl | ||
| 13 | @@ -191,6 +191,9 @@ my $CTX_OFFSET_HTable = (16 * 6); | ||
| 14 | # ;;; Helper functions | ||
| 15 | # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; | ||
| 16 | |||
| 17 | +# Ensure the local labels are reproduicble | ||
| 18 | +srand(10000); | ||
| 19 | + | ||
| 20 | # ; Generates "random" local labels | ||
| 21 | sub random_string() { | ||
| 22 | my @chars = ('a' .. 'z', 'A' .. 'Z', '0' .. '9', '_'); | ||
diff --git a/meta/recipes-connectivity/openssl/openssl_3.1.4.bb b/meta/recipes-connectivity/openssl/openssl_3.1.5.bb index 0fe4e76808..05bfeac45e 100644 --- a/meta/recipes-connectivity/openssl/openssl_3.1.4.bb +++ b/meta/recipes-connectivity/openssl/openssl_3.1.5.bb | |||
| @@ -11,7 +11,6 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ | |||
| 11 | file://run-ptest \ | 11 | file://run-ptest \ |
| 12 | file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \ | 12 | file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \ |
| 13 | file://0001-Configure-do-not-tweak-mips-cflags.patch \ | 13 | file://0001-Configure-do-not-tweak-mips-cflags.patch \ |
| 14 | file://fix_random_labels.patch \ | ||
| 15 | file://0001-Added-handshake-history-reporting-when-test-fails.patch \ | 14 | file://0001-Added-handshake-history-reporting-when-test-fails.patch \ |
| 16 | " | 15 | " |
| 17 | 16 | ||
| @@ -19,7 +18,7 @@ SRC_URI:append:class-nativesdk = " \ | |||
| 19 | file://environment.d-openssl.sh \ | 18 | file://environment.d-openssl.sh \ |
| 20 | " | 19 | " |
| 21 | 20 | ||
| 22 | SRC_URI[sha256sum] = "840af5366ab9b522bde525826be3ef0fb0af81c6a9ebd84caa600fea1731eee3" | 21 | SRC_URI[sha256sum] = "6ae015467dabf0469b139ada93319327be24b98251ffaeceda0221848dc09262" |
| 23 | 22 | ||
| 24 | inherit lib_package multilib_header multilib_script ptest perlnative manpages | 23 | inherit lib_package multilib_header multilib_script ptest perlnative manpages |
| 25 | MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" | 24 | MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" |
| @@ -187,6 +186,7 @@ PTEST_BUILD_HOST_PATTERN = "perl_version =" | |||
| 187 | do_install_ptest () { | 186 | do_install_ptest () { |
| 188 | install -d ${D}${PTEST_PATH}/test | 187 | install -d ${D}${PTEST_PATH}/test |
| 189 | install -m755 ${B}/test/p_test.so ${D}${PTEST_PATH}/test | 188 | install -m755 ${B}/test/p_test.so ${D}${PTEST_PATH}/test |
| 189 | install -m755 ${B}/test/p_minimal.so ${D}${PTEST_PATH}/test | ||
| 190 | install -m755 ${B}/test/provider_internal_test.cnf ${D}${PTEST_PATH}/test | 190 | install -m755 ${B}/test/provider_internal_test.cnf ${D}${PTEST_PATH}/test |
| 191 | 191 | ||
| 192 | # Prune the build tree | 192 | # Prune the build tree |