diff options
| author | Ed Tanous <edtanous@google.com> | 2022-11-01 10:03:10 -0700 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-11-02 09:21:28 +0000 |
| commit | a2a6fb25e634409ae35c40a64b6721c1ccb0b5f0 (patch) | |
| tree | 536410e16ccc60d03c09fb934b4dabd12a958642 /meta/recipes-connectivity | |
| parent | a501f13c500ffe0f5f6a7a971dfeb56f80f09955 (diff) | |
| download | poky-a2a6fb25e634409ae35c40a64b6721c1ccb0b5f0.tar.gz | |
openssl: Upgrade 3.0.5 -> 3.0.7
OpenSSL 3.0.5 includes a HIGH level security vulnerability [1].
Upgrade the recipe to point to 3.0.7.
CVE-2022-3358 is reported fixed in 3.0.6, so drop the patch for that as
well.
[1] https://www.openssl.org/news/vulnerabilities.html
Fixes CVE-2022-3786 and CVE-2022-3602: X.509 Email Address Buffer Overflows
https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/
(From OE-Core rev: a69ea1f7db96ec8b853573bd581438edd42ad6e0)
Signed-off-by: Ed Tanous <edtanous@google.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-connectivity')
| -rw-r--r-- | meta/recipes-connectivity/openssl/openssl/CVE-2022-3358.patch | 55 | ||||
| -rw-r--r-- | meta/recipes-connectivity/openssl/openssl_3.0.7.bb (renamed from meta/recipes-connectivity/openssl/openssl_3.0.5.bb) | 3 |
2 files changed, 1 insertions, 57 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2022-3358.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2022-3358.patch deleted file mode 100644 index 18b2a5a6b2..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/CVE-2022-3358.patch +++ /dev/null | |||
| @@ -1,55 +0,0 @@ | |||
| 1 | From 56e1d693f0ec5550a8e3dd52d30e57a02f0287af Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Hitendra Prajapati <hprajapati@mvista.com> | ||
| 3 | Date: Wed, 19 Oct 2022 11:08:23 +0530 | ||
| 4 | Subject: [PATCH] CVE-2022-3358 | ||
| 5 | |||
| 6 | Upstream-Status: Backport [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5485c56679d7c49b96e8fc8ca708b0b7e7c03c4b] | ||
| 7 | CVE : CVE-2022-3358 | ||
| 8 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
| 9 | --- | ||
| 10 | crypto/evp/digest.c | 4 +++- | ||
| 11 | crypto/evp/evp_enc.c | 6 ++++-- | ||
| 12 | 2 files changed, 7 insertions(+), 3 deletions(-) | ||
| 13 | |||
| 14 | diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c | ||
| 15 | index de9a1dc..e6e03ea 100644 | ||
| 16 | --- a/crypto/evp/digest.c | ||
| 17 | +++ b/crypto/evp/digest.c | ||
| 18 | @@ -225,7 +225,9 @@ static int evp_md_init_internal(EVP_MD_CTX *ctx, const EVP_MD *type, | ||
| 19 | || tmpimpl != NULL | ||
| 20 | #endif | ||
| 21 | || (ctx->flags & EVP_MD_CTX_FLAG_NO_INIT) != 0 | ||
| 22 | - || type->origin == EVP_ORIG_METH) { | ||
| 23 | + || (type != NULL && type->origin == EVP_ORIG_METH) | ||
| 24 | + || (type == NULL && ctx->digest != NULL | ||
| 25 | + && ctx->digest->origin == EVP_ORIG_METH)) { | ||
| 26 | if (ctx->digest == ctx->fetched_digest) | ||
| 27 | ctx->digest = NULL; | ||
| 28 | EVP_MD_free(ctx->fetched_digest); | ||
| 29 | diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c | ||
| 30 | index 19a07de..5df08bd 100644 | ||
| 31 | --- a/crypto/evp/evp_enc.c | ||
| 32 | +++ b/crypto/evp/evp_enc.c | ||
| 33 | @@ -131,7 +131,10 @@ static int evp_cipher_init_internal(EVP_CIPHER_CTX *ctx, | ||
| 34 | #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE) | ||
| 35 | || tmpimpl != NULL | ||
| 36 | #endif | ||
| 37 | - || impl != NULL) { | ||
| 38 | + || impl != NULL | ||
| 39 | + || (cipher != NULL && cipher->origin == EVP_ORIG_METH) | ||
| 40 | + || (cipher == NULL && ctx->cipher != NULL | ||
| 41 | + && ctx->cipher->origin == EVP_ORIG_METH)) { | ||
| 42 | if (ctx->cipher == ctx->fetched_cipher) | ||
| 43 | ctx->cipher = NULL; | ||
| 44 | EVP_CIPHER_free(ctx->fetched_cipher); | ||
| 45 | @@ -147,7 +150,6 @@ static int evp_cipher_init_internal(EVP_CIPHER_CTX *ctx, | ||
| 46 | ctx->cipher_data = NULL; | ||
| 47 | } | ||
| 48 | |||
| 49 | - | ||
| 50 | /* Start of non-legacy code below */ | ||
| 51 | |||
| 52 | /* Ensure a context left lying around from last time is cleared */ | ||
| 53 | -- | ||
| 54 | 2.25.1 | ||
| 55 | |||
diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.5.bb b/meta/recipes-connectivity/openssl/openssl_3.0.7.bb index 175692436d..45fd1de2fd 100644 --- a/meta/recipes-connectivity/openssl/openssl_3.0.5.bb +++ b/meta/recipes-connectivity/openssl/openssl_3.0.7.bb | |||
| @@ -12,14 +12,13 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ | |||
| 12 | file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \ | 12 | file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \ |
| 13 | file://afalg.patch \ | 13 | file://afalg.patch \ |
| 14 | file://0001-Configure-do-not-tweak-mips-cflags.patch \ | 14 | file://0001-Configure-do-not-tweak-mips-cflags.patch \ |
| 15 | file://CVE-2022-3358.patch \ | ||
| 16 | " | 15 | " |
| 17 | 16 | ||
| 18 | SRC_URI:append:class-nativesdk = " \ | 17 | SRC_URI:append:class-nativesdk = " \ |
| 19 | file://environment.d-openssl.sh \ | 18 | file://environment.d-openssl.sh \ |
| 20 | " | 19 | " |
| 21 | 20 | ||
| 22 | SRC_URI[sha256sum] = "aa7d8d9bef71ad6525c55ba11e5f4397889ce49c2c9349dcea6d3e4f0b024a7a" | 21 | SRC_URI[sha256sum] = "83049d042a260e696f62406ac5c08bf706fd84383f945cf21bd61e9ed95c396e" |
| 23 | 22 | ||
| 24 | inherit lib_package multilib_header multilib_script ptest perlnative | 23 | inherit lib_package multilib_header multilib_script ptest perlnative |
| 25 | MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" | 24 | MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" |