summaryrefslogtreecommitdiffstats
path: root/meta/recipes-connectivity
diff options
context:
space:
mode:
authorEd Tanous <edtanous@google.com>2022-11-01 10:03:10 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2022-11-02 09:21:28 +0000
commita2a6fb25e634409ae35c40a64b6721c1ccb0b5f0 (patch)
tree536410e16ccc60d03c09fb934b4dabd12a958642 /meta/recipes-connectivity
parenta501f13c500ffe0f5f6a7a971dfeb56f80f09955 (diff)
downloadpoky-a2a6fb25e634409ae35c40a64b6721c1ccb0b5f0.tar.gz
openssl: Upgrade 3.0.5 -> 3.0.7
OpenSSL 3.0.5 includes a HIGH level security vulnerability [1]. Upgrade the recipe to point to 3.0.7. CVE-2022-3358 is reported fixed in 3.0.6, so drop the patch for that as well. [1] https://www.openssl.org/news/vulnerabilities.html Fixes CVE-2022-3786 and CVE-2022-3602: X.509 Email Address Buffer Overflows https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/ (From OE-Core rev: a69ea1f7db96ec8b853573bd581438edd42ad6e0) Signed-off-by: Ed Tanous <edtanous@google.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-connectivity')
-rw-r--r--meta/recipes-connectivity/openssl/openssl/CVE-2022-3358.patch55
-rw-r--r--meta/recipes-connectivity/openssl/openssl_3.0.7.bb (renamed from meta/recipes-connectivity/openssl/openssl_3.0.5.bb)3
2 files changed, 1 insertions, 57 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2022-3358.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2022-3358.patch
deleted file mode 100644
index 18b2a5a6b2..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2022-3358.patch
+++ /dev/null
@@ -1,55 +0,0 @@
1From 56e1d693f0ec5550a8e3dd52d30e57a02f0287af Mon Sep 17 00:00:00 2001
2From: Hitendra Prajapati <hprajapati@mvista.com>
3Date: Wed, 19 Oct 2022 11:08:23 +0530
4Subject: [PATCH] CVE-2022-3358
5
6Upstream-Status: Backport [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5485c56679d7c49b96e8fc8ca708b0b7e7c03c4b]
7CVE : CVE-2022-3358
8Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
9---
10 crypto/evp/digest.c | 4 +++-
11 crypto/evp/evp_enc.c | 6 ++++--
12 2 files changed, 7 insertions(+), 3 deletions(-)
13
14diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
15index de9a1dc..e6e03ea 100644
16--- a/crypto/evp/digest.c
17+++ b/crypto/evp/digest.c
18@@ -225,7 +225,9 @@ static int evp_md_init_internal(EVP_MD_CTX *ctx, const EVP_MD *type,
19 || tmpimpl != NULL
20 #endif
21 || (ctx->flags & EVP_MD_CTX_FLAG_NO_INIT) != 0
22- || type->origin == EVP_ORIG_METH) {
23+ || (type != NULL && type->origin == EVP_ORIG_METH)
24+ || (type == NULL && ctx->digest != NULL
25+ && ctx->digest->origin == EVP_ORIG_METH)) {
26 if (ctx->digest == ctx->fetched_digest)
27 ctx->digest = NULL;
28 EVP_MD_free(ctx->fetched_digest);
29diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
30index 19a07de..5df08bd 100644
31--- a/crypto/evp/evp_enc.c
32+++ b/crypto/evp/evp_enc.c
33@@ -131,7 +131,10 @@ static int evp_cipher_init_internal(EVP_CIPHER_CTX *ctx,
34 #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
35 || tmpimpl != NULL
36 #endif
37- || impl != NULL) {
38+ || impl != NULL
39+ || (cipher != NULL && cipher->origin == EVP_ORIG_METH)
40+ || (cipher == NULL && ctx->cipher != NULL
41+ && ctx->cipher->origin == EVP_ORIG_METH)) {
42 if (ctx->cipher == ctx->fetched_cipher)
43 ctx->cipher = NULL;
44 EVP_CIPHER_free(ctx->fetched_cipher);
45@@ -147,7 +150,6 @@ static int evp_cipher_init_internal(EVP_CIPHER_CTX *ctx,
46 ctx->cipher_data = NULL;
47 }
48
49-
50 /* Start of non-legacy code below */
51
52 /* Ensure a context left lying around from last time is cleared */
53--
542.25.1
55
diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.5.bb b/meta/recipes-connectivity/openssl/openssl_3.0.7.bb
index 175692436d..45fd1de2fd 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.0.5.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.0.7.bb
@@ -12,14 +12,13 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
12 file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \ 12 file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
13 file://afalg.patch \ 13 file://afalg.patch \
14 file://0001-Configure-do-not-tweak-mips-cflags.patch \ 14 file://0001-Configure-do-not-tweak-mips-cflags.patch \
15 file://CVE-2022-3358.patch \
16 " 15 "
17 16
18SRC_URI:append:class-nativesdk = " \ 17SRC_URI:append:class-nativesdk = " \
19 file://environment.d-openssl.sh \ 18 file://environment.d-openssl.sh \
20 " 19 "
21 20
22SRC_URI[sha256sum] = "aa7d8d9bef71ad6525c55ba11e5f4397889ce49c2c9349dcea6d3e4f0b024a7a" 21SRC_URI[sha256sum] = "83049d042a260e696f62406ac5c08bf706fd84383f945cf21bd61e9ed95c396e"
23 22
24inherit lib_package multilib_header multilib_script ptest perlnative 23inherit lib_package multilib_header multilib_script ptest perlnative
25MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" 24MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"