openssl: Fix CVE-2023-0466

Add patch to fix CVE-2023-0466 Link: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0d16b7e99aafc0b4a6d729eec65a411a7e025f0a (From OE-Core rev: a80d772593b3a38c062e546557d5f8d76eb71fe4) Signed-off-by: Omkar Patil <omkar.patil@kpit.com> Signed-off-by: Omkar Patil <omkarpatil10.93@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Omkar Patil <omkar.patil@kpit.com> 2023-04-26 13:17:23 +0530
committer: Steve Sakoman <steve@sakoman.com> 2023-05-03 04:09:42 -1000
commit: 667eb766abe23489a3f72e6ff41d0f19743439be (patch)
tree: 77ddf05027877c6363d6313104739e4e36652d95 /meta/recipes-connectivity/openssl
parent: 56c03791cdbd22521733e12a0b6af7a1c04b3100 (diff)
download: poky-667eb766abe23489a3f72e6ff41d0f19743439be.tar.gz
2 files changed, 83 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-0466.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-0466.patch
new file mode 100644
index 0000000000..f042aa5da1
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2023-0466.patch
@@ -0,0 +1,82 @@
+From 0d16b7e99aafc0b4a6d729eec65a411a7e025f0a Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tomas@openssl.org>
+Date: Tue, 21 Mar 2023 16:15:47 +0100
+Subject: [PATCH] Fix documentation of X509_VERIFY_PARAM_add0_policy()
+The function was incorrectly documented as enabling policy checking.
+Fixes: CVE-2023-0466
+Reviewed-by: Matt Caswell <matt@openssl.org>
+Reviewed-by: Paul Dale <pauli@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/20564)
+CVE: CVE-2023-0466
+Upstream-Status: Backport [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0d16b7e99aafc0b4a6d729eec65a411a7e025f0a]
+Comment: Refreshed first hunk from CHANGE and NEWS
+Signed-off-by: Omkar Patil <omkar.patil@kpit.com>
+---
+ CHANGES                                  | 5 +++++
+ NEWS                                     | 1 +
+ doc/man3/X509_VERIFY_PARAM_set_flags.pod | 9 +++++++--
+ 3 files changed, 13 insertions(+), 2 deletions(-)
+diff --git a/CHANGES b/CHANGES
+index efccf7838e..b19f1429bb 100644
+--- a/CHANGES
+++ b/CHANGES
+@@ -9,6 +9,11 @@
+ 
+  Changes between 1.1.1s and 1.1.1t [7 Feb 2023]
+ 
+  *) Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention
+     that it does not enable policy checking. Thanks to
+     David Benjamin for discovering this issue. (CVE-2023-0466)
+     [Tomas Mraz]
+
+   *) Fixed X.400 address type confusion in X.509 GeneralName.
+ 
+      There is a type confusion vulnerability relating to X.400 address processing
+diff --git a/NEWS b/NEWS
+index 36a9bb6890..62615693fa 100644
+--- a/NEWS
+++ b/NEWS
+@@ -7,6 +7,7 @@
+ 
+   Major changes between OpenSSL 1.1.1s and OpenSSL 1.1.1t [7 Feb 2023]
+ 
+      o Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466)
+       o Fixed X.400 address type confusion in X.509 GeneralName (CVE-2023-0286)
+       o Fixed Use-after-free following BIO_new_NDEF (CVE-2023-0215)
+       o Fixed Double free after calling PEM_read_bio_ex (CVE-2022-4450)
+diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
+index f6f304bf7b..aa292f9336 100644
+--- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod
+++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
+@@ -92,8 +92,9 @@ B<trust>.
+ X509_VERIFY_PARAM_set_time() sets the verification time in B<param> to
+ B<t>. Normally the current time is used.
+ 
+-X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled
+-by default) and adds B<policy> to the acceptable policy set.
+X509_VERIFY_PARAM_add0_policy() adds B<policy> to the acceptable policy set.
+Contrary to preexisting documentation of this function it does not enable
+policy checking.
+ 
+ X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled
+ by default) and sets the acceptable policy set to B<policies>. Any existing
+@@ -377,6 +378,10 @@ and has no effect.
+ 
+ The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i.
+ 
+The function X509_VERIFY_PARAM_add0_policy() was historically documented as
+enabling policy checking however the implementation has never done this.
+The documentation was changed to align with the implementation.
+
+ =head1 COPYRIGHT
+ 
+ Copyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved.
+-- 
+2.34.1
diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1t.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1t.bb
index 254cc9bc8d..46875b525c 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.1.1t.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.1.1t.bb
@@ -20,6 +20,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
           file://reproducibility.patch \
           file://CVE-2023-0464.patch \
           file://CVE-2023-0465.patch \
+           file://CVE-2023-0466.patch \
           "
 SRC_URI_append_class-nativesdk = " \
author	Omkar Patil <omkar.patil@kpit.com>	2023-04-26 13:17:23 +0530
committer	Steve Sakoman <steve@sakoman.com>	2023-05-03 04:09:42 -1000
commit	667eb766abe23489a3f72e6ff41d0f19743439be (patch)
tree	77ddf05027877c6363d6313104739e4e36652d95 /meta/recipes-connectivity/openssl
parent	56c03791cdbd22521733e12a0b6af7a1c04b3100 (diff)
download	poky-667eb766abe23489a3f72e6ff41d0f19743439be.tar.gz

diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-0466.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-0466.patch new file mode 100644 index 0000000000..f042aa5da1 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2023-0466.patch
@@ -0,0 +1,82 @@
		1	From 0d16b7e99aafc0b4a6d729eec65a411a7e025f0a Mon Sep 17 00:00:00 2001
		2	From: Tomas Mraz <tomas@openssl.org>
		3	Date: Tue, 21 Mar 2023 16:15:47 +0100
		4	Subject: [PATCH] Fix documentation of X509_VERIFY_PARAM_add0_policy()
		5
		6	The function was incorrectly documented as enabling policy checking.
		7
		8	Fixes: CVE-2023-0466
		9
		10	Reviewed-by: Matt Caswell <matt@openssl.org>
		11	Reviewed-by: Paul Dale <pauli@openssl.org>
		12	(Merged from https://github.com/openssl/openssl/pull/20564)
		13
		14	CVE: CVE-2023-0466
		15	Upstream-Status: Backport [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0d16b7e99aafc0b4a6d729eec65a411a7e025f0a]
		16	Comment: Refreshed first hunk from CHANGE and NEWS
		17	Signed-off-by: Omkar Patil <omkar.patil@kpit.com>
		18
		19	---
		20	CHANGES \| 5 +++++
		21	NEWS \| 1 +
		22	doc/man3/X509_VERIFY_PARAM_set_flags.pod \| 9 +++++++--
		23	3 files changed, 13 insertions(+), 2 deletions(-)
		24
		25	diff --git a/CHANGES b/CHANGES
		26	index efccf7838e..b19f1429bb 100644
		27	--- a/CHANGES
		28	+++ b/CHANGES
		29	@@ -9,6 +9,11 @@
		30
		31	Changes between 1.1.1s and 1.1.1t [7 Feb 2023]
		32
		33	+ *) Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention
		34	+ that it does not enable policy checking. Thanks to
		35	+ David Benjamin for discovering this issue. (CVE-2023-0466)
		36	+ [Tomas Mraz]
		37	+
		38	*) Fixed X.400 address type confusion in X.509 GeneralName.
		39
		40	There is a type confusion vulnerability relating to X.400 address processing
		41	diff --git a/NEWS b/NEWS
		42	index 36a9bb6890..62615693fa 100644
		43	--- a/NEWS
		44	+++ b/NEWS
		45	@@ -7,6 +7,7 @@
		46
		47	Major changes between OpenSSL 1.1.1s and OpenSSL 1.1.1t [7 Feb 2023]
		48
		49	+ o Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466)
		50	o Fixed X.400 address type confusion in X.509 GeneralName (CVE-2023-0286)
		51	o Fixed Use-after-free following BIO_new_NDEF (CVE-2023-0215)
		52	o Fixed Double free after calling PEM_read_bio_ex (CVE-2022-4450)
		53	diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
		54	index f6f304bf7b..aa292f9336 100644
		55	--- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod
		56	+++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
		57	@@ -92,8 +92,9 @@ B<trust>.
		58	X509_VERIFY_PARAM_set_time() sets the verification time in B<param> to
		59	B<t>. Normally the current time is used.
		60
		61	-X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled
		62	-by default) and adds B<policy> to the acceptable policy set.
		63	+X509_VERIFY_PARAM_add0_policy() adds B<policy> to the acceptable policy set.
		64	+Contrary to preexisting documentation of this function it does not enable
		65	+policy checking.
		66
		67	X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled
		68	by default) and sets the acceptable policy set to B<policies>. Any existing
		69	@@ -377,6 +378,10 @@ and has no effect.
		70
		71	The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i.
		72
		73	+The function X509_VERIFY_PARAM_add0_policy() was historically documented as
		74	+enabling policy checking however the implementation has never done this.
		75	+The documentation was changed to align with the implementation.
		76	+
		77	=head1 COPYRIGHT
		78
		79	Copyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved.
		80	--
		81	2.34.1
		82


diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1t.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1t.bb index 254cc9bc8d..46875b525c 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.1.1t.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1t.bb
@@ -20,6 +20,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
20	file://reproducibility.patch \	20	file://reproducibility.patch \
21	file://CVE-2023-0464.patch \	21	file://CVE-2023-0464.patch \
22	file://CVE-2023-0465.patch \	22	file://CVE-2023-0465.patch \
		23	file://CVE-2023-0466.patch \
23	"	24	"
24		25
25	SRC_URI_append_class-nativesdk = " \	26	SRC_URI_append_class-nativesdk = " \