Remove the CVE-2020-25657 patch, as it is fixed in 0.39.0: [tgamblin@megalith m2crypto]$ git log --oneline --grep="CVE-2020-25657" 84c5395 Mitigate the Bleichenbacher timing attacks in the RSA decryption API (CVE-2020-25657) [tgamblin@megalith m2crypto]$ git tag --contains 84c53958def0f510e92119fca14d74f94215827a 0.39.0
Changelog (https://gitlab.com/m2crypto/m2crypto/-/blob/master/CHANGES?ref_type=heads): 0.39.0 - 2023-01-31 ------------------- - SUPPORT FOR PYTHON 2 HAS BEEN DEPRECATED AND IT WILL BE COMPLETELY REMOVED IN THE NEXT RELEASE. - Remove dependency on parameterized and use unittest.subTest instead. - Upgrade embedded six.py module to 1.16.0 (really tiny inconsequential changes). - Make tests working on MacOS again (test_bio_membuf: Use fork) - Use OpenSSL_version_num() instead of unrealiable parsing of .h file. - Mitigate the Bleichenbacher timing attacks in the RSA decryption API (CVE-2020-25657) - Add functionality to extract EC key from public key + Update tests - Worked around compatibility issues with OpenSSL 3.* - Support for Twisted has been deprecated (they have their own SSL support anyway). - Generate TAP while testing. - Stop using GitHub for testing. - Accept a small deviation from time in the testsuite (for systems with non-standard HZ kernel parameter). - Use the default BIO.__del__ rather tha overriding in BIO.File (avoid a memleak). - Resolve "X509_Name.as_der() method from X509.py -> class X509_Name caused segmentation fault" Signed-off-by: Trevor Gamblin <tgamb...@baylibre.com> --- .../python3-m2crypto/CVE-2020-25657.patch | 176 ------------------ ...o_0.38.0.bb => python3-m2crypto_0.39.0.bb} | 3 +- 2 files changed, 1 insertion(+), 178 deletions(-) delete mode 100644 meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch rename meta-python/recipes-devtools/python/{python3-m2crypto_0.38.0.bb => python3-m2crypto_0.39.0.bb} (92%) diff --git a/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch b/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch deleted file mode 100644 index 38ecd7a276..0000000000 --- a/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch +++ /dev/null @@ -1,176 +0,0 @@ -Backport patch to fix CVE-2020-25657. - -Upstream-Status: Backport [https://gitlab.com/m2crypto/m2crypto/-/commit/84c53958] - -Signed-off-by: Kai Kang <kai.k...@windriver.com> - -From 84c53958def0f510e92119fca14d74f94215827a Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C4=9Bj=20Cepl?= <mc...@cepl.eu> -Date: Tue, 28 Jun 2022 21:17:01 +0200 -Subject: [PATCH] Mitigate the Bleichenbacher timing attacks in the RSA - decryption API (CVE-2020-25657) - -Fixes #282 ---- - src/SWIG/_m2crypto_wrap.c | 20 ++++++++++++-------- - src/SWIG/_rsa.i | 20 ++++++++++++-------- - tests/test_rsa.py | 15 +++++++-------- - 3 files changed, 31 insertions(+), 24 deletions(-) - -diff --git a/src/SWIG/_m2crypto_wrap.c b/src/SWIG/_m2crypto_wrap.c -index aba9eb6d..a9f30da9 100644 ---- a/src/SWIG/_m2crypto_wrap.c -+++ b/src/SWIG/_m2crypto_wrap.c -@@ -7040,9 +7040,10 @@ PyObject *rsa_private_encrypt(RSA *rsa, PyObject *from, int padding) { - tlen = RSA_private_encrypt(flen, (unsigned char *)fbuf, - (unsigned char *)tbuf, rsa, padding); - if (tlen == -1) { -- m2_PyErr_Msg(_rsa_err); -+ ERR_clear_error(); -+ PyErr_Clear(); - PyMem_Free(tbuf); -- return NULL; -+ Py_RETURN_NONE; - } - - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); -@@ -7070,9 +7071,10 @@ PyObject *rsa_public_decrypt(RSA *rsa, PyObject *from, int padding) { - tlen = RSA_public_decrypt(flen, (unsigned char *)fbuf, - (unsigned char *)tbuf, rsa, padding); - if (tlen == -1) { -- m2_PyErr_Msg(_rsa_err); -+ ERR_clear_error(); -+ PyErr_Clear(); - PyMem_Free(tbuf); -- return NULL; -+ Py_RETURN_NONE; - } - - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); -@@ -7097,9 +7099,10 @@ PyObject *rsa_public_encrypt(RSA *rsa, PyObject *from, int padding) { - tlen = RSA_public_encrypt(flen, (unsigned char *)fbuf, - (unsigned char *)tbuf, rsa, padding); - if (tlen == -1) { -- m2_PyErr_Msg(_rsa_err); -+ ERR_clear_error(); -+ PyErr_Clear(); - PyMem_Free(tbuf); -- return NULL; -+ Py_RETURN_NONE; - } - - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); -@@ -7124,9 +7127,10 @@ PyObject *rsa_private_decrypt(RSA *rsa, PyObject *from, int padding) { - tlen = RSA_private_decrypt(flen, (unsigned char *)fbuf, - (unsigned char *)tbuf, rsa, padding); - if (tlen == -1) { -- m2_PyErr_Msg(_rsa_err); -+ ERR_clear_error(); -+ PyErr_Clear(); - PyMem_Free(tbuf); -- return NULL; -+ Py_RETURN_NONE; - } - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); - -diff --git a/src/SWIG/_rsa.i b/src/SWIG/_rsa.i -index bc714e01..1377b8be 100644 ---- a/src/SWIG/_rsa.i -+++ b/src/SWIG/_rsa.i -@@ -239,9 +239,10 @@ PyObject *rsa_private_encrypt(RSA *rsa, PyObject *from, int padding) { - tlen = RSA_private_encrypt(flen, (unsigned char *)fbuf, - (unsigned char *)tbuf, rsa, padding); - if (tlen == -1) { -- m2_PyErr_Msg(_rsa_err); -+ ERR_clear_error(); -+ PyErr_Clear(); - PyMem_Free(tbuf); -- return NULL; -+ Py_RETURN_NONE; - } - - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); -@@ -269,9 +270,10 @@ PyObject *rsa_public_decrypt(RSA *rsa, PyObject *from, int padding) { - tlen = RSA_public_decrypt(flen, (unsigned char *)fbuf, - (unsigned char *)tbuf, rsa, padding); - if (tlen == -1) { -- m2_PyErr_Msg(_rsa_err); -+ ERR_clear_error(); -+ PyErr_Clear(); - PyMem_Free(tbuf); -- return NULL; -+ Py_RETURN_NONE; - } - - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); -@@ -296,9 +298,10 @@ PyObject *rsa_public_encrypt(RSA *rsa, PyObject *from, int padding) { - tlen = RSA_public_encrypt(flen, (unsigned char *)fbuf, - (unsigned char *)tbuf, rsa, padding); - if (tlen == -1) { -- m2_PyErr_Msg(_rsa_err); -+ ERR_clear_error(); -+ PyErr_Clear(); - PyMem_Free(tbuf); -- return NULL; -+ Py_RETURN_NONE; - } - - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); -@@ -323,9 +326,10 @@ PyObject *rsa_private_decrypt(RSA *rsa, PyObject *from, int padding) { - tlen = RSA_private_decrypt(flen, (unsigned char *)fbuf, - (unsigned char *)tbuf, rsa, padding); - if (tlen == -1) { -- m2_PyErr_Msg(_rsa_err); -+ ERR_clear_error(); -+ PyErr_Clear(); - PyMem_Free(tbuf); -- return NULL; -+ Py_RETURN_NONE; - } - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); - -diff --git a/tests/test_rsa.py b/tests/test_rsa.py -index 7bb3af75..5e75d681 100644 ---- a/tests/test_rsa.py -+++ b/tests/test_rsa.py -@@ -109,8 +109,9 @@ class RSATestCase(unittest.TestCase): - # The other paddings. - for padding in self.s_padding_nok: - p = getattr(RSA, padding) -- with self.assertRaises(RSA.RSAError): -- priv.private_encrypt(self.data, p) -+ # Exception disabled as a part of mitigation against CVE-2020-25657 -+ # with self.assertRaises(RSA.RSAError): -+ priv.private_encrypt(self.data, p) - # Type-check the data to be encrypted. - with self.assertRaises(TypeError): - priv.private_encrypt(self.gen_callback, RSA.pkcs1_padding) -@@ -127,10 +128,12 @@ class RSATestCase(unittest.TestCase): - self.assertEqual(ptxt, self.data) - - # no_padding -- with six.assertRaisesRegex(self, RSA.RSAError, 'data too small'): -- priv.public_encrypt(self.data, RSA.no_padding) -+ # Exception disabled as a part of mitigation against CVE-2020-25657 -+ # with six.assertRaisesRegex(self, RSA.RSAError, 'data too small'): -+ priv.public_encrypt(self.data, RSA.no_padding) - - # Type-check the data to be encrypted. -+ # Exception disabled as a part of mitigation against CVE-2020-25657 - with self.assertRaises(TypeError): - priv.public_encrypt(self.gen_callback, RSA.pkcs1_padding) - -@@ -146,10 +149,6 @@ class RSATestCase(unittest.TestCase): - b'\000\000\000\003\001\000\001') # aka 65537 aka 0xf4 - with self.assertRaises(RSA.RSAError): - setattr(rsa, 'e', '\000\000\000\003\001\000\001') -- with self.assertRaises(RSA.RSAError): -- rsa.private_encrypt(1) -- with self.assertRaises(RSA.RSAError): -- rsa.private_decrypt(1) - assert rsa.check_key() - - def test_loadpub_bad(self): --- -GitLab - diff --git a/meta-python/recipes-devtools/python/python3-m2crypto_0.38.0.bb b/meta-python/recipes-devtools/python/python3-m2crypto_0.39.0.bb similarity index 92% rename from meta-python/recipes-devtools/python/python3-m2crypto_0.38.0.bb rename to meta-python/recipes-devtools/python/python3-m2crypto_0.39.0.bb index 40e3bfb316..3a4a700bf7 100644 --- a/meta-python/recipes-devtools/python/python3-m2crypto_0.38.0.bb +++ b/meta-python/recipes-devtools/python/python3-m2crypto_0.39.0.bb @@ -10,9 +10,8 @@ SRC_URI += "file://0001-setup.py-link-in-sysroot-not-in-host-directories.patch \ file://cross-compile-platform.patch \ file://avoid-host-contamination.patch \ file://0001-setup.py-address-openssl-3.x-build-issue.patch \ - file://CVE-2020-25657.patch \ " -SRC_URI[sha256sum] = "99f2260a30901c949a8dc6d5f82cd5312ffb8abc92e76633baf231bbbcb2decb" +SRC_URI[sha256sum] = "24c0f471358b8b19ad4c8aa9da12e868030b65c1fdb3279d006df60c9501338a" PYPI_PACKAGE = "M2Crypto" inherit pypi siteinfo setuptools3 -- 2.41.0
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#104020): https://lists.openembedded.org/g/openembedded-devel/message/104020 Mute This Topic: https://lists.openembedded.org/mt/100356779/21656 Group Owner: openembedded-devel+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
