summaryrefslogtreecommitdiffstats
path: root/meta/recipes-connectivity/openssl
diff options
context:
space:
mode:
authorOmkar Patil <omkar.patil@kpit.com>2023-04-26 13:17:23 +0530
committerSteve Sakoman <steve@sakoman.com>2023-05-03 04:09:42 -1000
commit667eb766abe23489a3f72e6ff41d0f19743439be (patch)
tree77ddf05027877c6363d6313104739e4e36652d95 /meta/recipes-connectivity/openssl
parent56c03791cdbd22521733e12a0b6af7a1c04b3100 (diff)
downloadpoky-667eb766abe23489a3f72e6ff41d0f19743439be.tar.gz
openssl: Fix CVE-2023-0466
Add patch to fix CVE-2023-0466 Link: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0d16b7e99aafc0b4a6d729eec65a411a7e025f0a (From OE-Core rev: a80d772593b3a38c062e546557d5f8d76eb71fe4) Signed-off-by: Omkar Patil <omkar.patil@kpit.com> Signed-off-by: Omkar Patil <omkarpatil10.93@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/recipes-connectivity/openssl')
-rw-r--r--meta/recipes-connectivity/openssl/openssl/CVE-2023-0466.patch82
-rw-r--r--meta/recipes-connectivity/openssl/openssl_1.1.1t.bb1
2 files changed, 83 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-0466.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-0466.patch
new file mode 100644
index 0000000000..f042aa5da1
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2023-0466.patch
@@ -0,0 +1,82 @@
1From 0d16b7e99aafc0b4a6d729eec65a411a7e025f0a Mon Sep 17 00:00:00 2001
2From: Tomas Mraz <tomas@openssl.org>
3Date: Tue, 21 Mar 2023 16:15:47 +0100
4Subject: [PATCH] Fix documentation of X509_VERIFY_PARAM_add0_policy()
5
6The function was incorrectly documented as enabling policy checking.
7
8Fixes: CVE-2023-0466
9
10Reviewed-by: Matt Caswell <matt@openssl.org>
11Reviewed-by: Paul Dale <pauli@openssl.org>
12(Merged from https://github.com/openssl/openssl/pull/20564)
13
14CVE: CVE-2023-0466
15Upstream-Status: Backport [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0d16b7e99aafc0b4a6d729eec65a411a7e025f0a]
16Comment: Refreshed first hunk from CHANGE and NEWS
17Signed-off-by: Omkar Patil <omkar.patil@kpit.com>
18
19---
20 CHANGES | 5 +++++
21 NEWS | 1 +
22 doc/man3/X509_VERIFY_PARAM_set_flags.pod | 9 +++++++--
23 3 files changed, 13 insertions(+), 2 deletions(-)
24
25diff --git a/CHANGES b/CHANGES
26index efccf7838e..b19f1429bb 100644
27--- a/CHANGES
28+++ b/CHANGES
29@@ -9,6 +9,11 @@
30
31 Changes between 1.1.1s and 1.1.1t [7 Feb 2023]
32
33+ *) Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention
34+ that it does not enable policy checking. Thanks to
35+ David Benjamin for discovering this issue. (CVE-2023-0466)
36+ [Tomas Mraz]
37+
38 *) Fixed X.400 address type confusion in X.509 GeneralName.
39
40 There is a type confusion vulnerability relating to X.400 address processing
41diff --git a/NEWS b/NEWS
42index 36a9bb6890..62615693fa 100644
43--- a/NEWS
44+++ b/NEWS
45@@ -7,6 +7,7 @@
46
47 Major changes between OpenSSL 1.1.1s and OpenSSL 1.1.1t [7 Feb 2023]
48
49+ o Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466)
50 o Fixed X.400 address type confusion in X.509 GeneralName (CVE-2023-0286)
51 o Fixed Use-after-free following BIO_new_NDEF (CVE-2023-0215)
52 o Fixed Double free after calling PEM_read_bio_ex (CVE-2022-4450)
53diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
54index f6f304bf7b..aa292f9336 100644
55--- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod
56+++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
57@@ -92,8 +92,9 @@ B<trust>.
58 X509_VERIFY_PARAM_set_time() sets the verification time in B<param> to
59 B<t>. Normally the current time is used.
60
61-X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled
62-by default) and adds B<policy> to the acceptable policy set.
63+X509_VERIFY_PARAM_add0_policy() adds B<policy> to the acceptable policy set.
64+Contrary to preexisting documentation of this function it does not enable
65+policy checking.
66
67 X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled
68 by default) and sets the acceptable policy set to B<policies>. Any existing
69@@ -377,6 +378,10 @@ and has no effect.
70
71 The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i.
72
73+The function X509_VERIFY_PARAM_add0_policy() was historically documented as
74+enabling policy checking however the implementation has never done this.
75+The documentation was changed to align with the implementation.
76+
77 =head1 COPYRIGHT
78
79 Copyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved.
80--
812.34.1
82
diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1t.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1t.bb
index 254cc9bc8d..46875b525c 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.1.1t.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.1.1t.bb
@@ -20,6 +20,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
20 file://reproducibility.patch \ 20 file://reproducibility.patch \
21 file://CVE-2023-0464.patch \ 21 file://CVE-2023-0464.patch \
22 file://CVE-2023-0465.patch \ 22 file://CVE-2023-0465.patch \
23 file://CVE-2023-0466.patch \
23 " 24 "
24 25
25SRC_URI_append_class-nativesdk = " \ 26SRC_URI_append_class-nativesdk = " \