I'm getting ptest failures with this patch, both on qemux86-64-ptest
and qemuarm64-ptest.

Links to logs below:

https://autobuilder.yocto.io/pub/non-release/20240311-30/testresults/qemux86-64-ptest/core-image-ptest-openssl/log.do_testimage.831625.20240311232818
https://autobuilder.yocto.io/pub/non-release/20240311-30/testresults/qemuarm64-ptest/core-image-ptest-openssl/log.do_testimage.152067.20240312011738

Steve

On Sun, Mar 10, 2024 at 10:40 PM Lee Chee Yang <chee.yang....@intel.com> wrote:
>
> From: Lee Chee Yang <chee.yang....@intel.com>
>
> Changes between 3.1.4 and 3.1.5 [30 Jan 2024]
>  * A file in PKCS12 format can contain certificates and keys and may come from
>    an untrusted source. The PKCS12 specification allows certain fields to be
>    NULL, but OpenSSL did not correctly check for this case. A fix has been
>    applied to prevent a NULL pointer dereference that results in OpenSSL
>    crashing. If an application processes PKCS12 files from an untrusted source
>    using the OpenSSL APIs then that application will be vulnerable to this
>    issue prior to this fix.
>
>    OpenSSL APIs that were vulnerable to this are: PKCS12_parse(),
>    PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()
>    and PKCS12_newpass().
>
>    We have also fixed a similar issue in SMIME_write_PKCS7(). However since this
>    function is related to writing data we do not consider it security
>    significant.
>
>    ([CVE-2024-0727])
> https://www.openssl.org/news/cl31.txt
>
> drop fix_random_labels.patch as fixed in
> https://github.com/openssl/openssl/commit/99630a1b08fd6464d95052dee4a3500afeb95867
>
> Signed-off-by: Lee Chee Yang <chee.yang....@intel.com>
> ---
>  .../openssl/openssl/fix_random_labels.patch   | 22 -------------------
>  .../{openssl_3.1.4.bb => openssl_3.1.5.bb}    |  3 +--
>  2 files changed, 1 insertion(+), 24 deletions(-)
>  delete mode 100644 
> meta/recipes-connectivity/openssl/openssl/fix_random_labels.patch
>  rename meta/recipes-connectivity/openssl/{openssl_3.1.4.bb => 
> openssl_3.1.5.bb} (98%)
>
> diff --git 
> a/meta/recipes-connectivity/openssl/openssl/fix_random_labels.patch 
> b/meta/recipes-connectivity/openssl/openssl/fix_random_labels.patch
> deleted file mode 100644
> index 78dcd81685..0000000000
> --- a/meta/recipes-connectivity/openssl/openssl/fix_random_labels.patch
> +++ /dev/null
> @@ -1,22 +0,0 @@
> -The perl script adds random suffixes to the local function names to ensure
> -it doesn't clash with other parts of openssl. Set the random number seed
> -to something predictable so the assembler files are generated consistently
> -and our own reproducible builds tests pass.
> -
> -Upstream-Status: Pending
> -Signed-off-by: Richard Purdie <richard.pur...@linuxfoundation.org>
> -
> -Index: openssl-3.1.0/crypto/modes/asm/aes-gcm-avx512.pl
> -===================================================================
> ---- openssl-3.1.0.orig/crypto/modes/asm/aes-gcm-avx512.pl
> -+++ openssl-3.1.0/crypto/modes/asm/aes-gcm-avx512.pl
> -@@ -191,6 +191,9 @@ my $CTX_OFFSET_HTable    = (16 * 6);
> - # ;;; Helper functions
> - # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
> -
> -+# Ensure the local labels are reproduicble
> -+srand(10000);
> -+
> - # ; Generates "random" local labels
> - sub random_string() {
> -   my @chars  = ('a' .. 'z', 'A' .. 'Z', '0' .. '9', '_');
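Review bot: the deleted fix_random_labels.patch is marked "Upstream-Status: Pending" and exists so that the labels generated by aes-gcm-avx512.pl are consistent and the reproducible-builds tests pass, but the commit message only links upstream commit 99630a1b08fd6464d95052dee4a3500afeb95867 without saying that it is part of the 3.1.5 release. Please state that in the commit message, or note that the reproducibility test was re-run against 3.1.5, so the drop does not rest on a fix that may only be on another upstream branch.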
> diff --git a/meta/recipes-connectivity/openssl/openssl_3.1.4.bb 
> b/meta/recipes-connectivity/openssl/openssl_3.1.5.bb
> similarity index 98%
> rename from meta/recipes-connectivity/openssl/openssl_3.1.4.bb
> rename to meta/recipes-connectivity/openssl/openssl_3.1.5.bb
> index 0fe4e76808..9c1d4e31be 100644
> --- a/meta/recipes-connectivity/openssl/openssl_3.1.4.bb
> +++ b/meta/recipes-connectivity/openssl/openssl_3.1.5.bb
> @@ -11,7 +11,6 @@ SRC_URI = 
> "http://www.openssl.org/source/openssl-${PV}.tar.gz \
>             file://run-ptest \
>             
> file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
>             file://0001-Configure-do-not-tweak-mips-cflags.patch \
> -           file://fix_random_labels.patch \
>             
> file://0001-Added-handshake-history-reporting-when-test-fails.patch \
>             "
>
> @@ -19,7 +18,7 @@ SRC_URI:append:class-nativesdk = " \
>             file://environment.d-openssl.sh \
>             "
>
> -SRC_URI[sha256sum] = 
> "840af5366ab9b522bde525826be3ef0fb0af81c6a9ebd84caa600fea1731eee3"
> +SRC_URI[sha256sum] = 
> "6ae015467dabf0469b139ada93319327be24b98251ffaeceda0221848dc09262"
>
>  inherit lib_package multilib_header multilib_script ptest perlnative manpages
>  MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
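Review bot: the new SRC_URI[sha256sum] value is the integrity check visible here for a tarball that the SRC_URI context line fetches over plain http://, and the commit message does not say where the hash came from. Please mention in the commit message that it was compared with the checksum upstream publishes for openssl-3.1.5.tar.gz rather than computed only from the downloaded file.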
> --
> 2.37.3
>