Hi Trevor

I am seeing a failure on qemux86 on an Ubuntu 22.04 host and it's fairly regular.

https://errors.yoctoproject.org/Errors/Details/729506/

It seems rpmdeps is crashing with signal 9. I wonder if it's something
to do with rpm changes we might have got in core, but I can confirm that
it was not an issue two weeks ago. It worked OK on Jul 17th but broke on
the Jul 27th CI builds.

On Tue, Jul 25, 2023 at 12:09 PM Trevor Gamblin <tgamb...@baylibre.com> wrote:
>
> Remove the CVE-2020-25657 patch, as it is fixed in 0.39.0:
>
> [tgamblin@megalith m2crypto]$ git log --oneline --grep="CVE-2020-25657"
> 84c5395 Mitigate the Bleichenbacher timing attacks in the RSA decryption API (CVE-2020-25657)
> [tgamblin@megalith m2crypto]$ git tag --contains 84c53958def0f510e92119fca14d74f94215827a
> 0.39.0
>
> Changelog (https://gitlab.com/m2crypto/m2crypto/-/blob/master/CHANGES?ref_type=heads):
>
> 0.39.0 - 2023-01-31
> -------------------
>
> - SUPPORT FOR PYTHON 2 HAS BEEN DEPRECATED AND IT WILL BE
>   COMPLETELY REMOVED IN THE NEXT RELEASE.
> - Remove dependency on parameterized and use unittest.subTest
>   instead.
> - Upgrade embedded six.py module to 1.16.0 (really tiny
>   inconsequential changes).
> - Make tests working on MacOS again (test_bio_membuf: Use fork)
> - Use OpenSSL_version_num() instead of unreliable parsing of .h
>   file.
> - Mitigate the Bleichenbacher timing attacks in the RSA
>   decryption API (CVE-2020-25657)
> - Add functionality to extract EC key from public key + Update
>   tests
> - Worked around compatibility issues with OpenSSL 3.*
> - Support for Twisted has been deprecated (they have their own
>   SSL support anyway).
> - Generate TAP while testing.
> - Stop using GitHub for testing.
> - Accept a small deviation from time in the testsuite (for
>   systems with non-standard HZ kernel parameter).
> - Use the default BIO.__del__ rather than overriding in BIO.File
>   (avoid a memleak).
> - Resolve "X509_Name.as_der() method from X509.py -> class
>   X509_Name caused segmentation fault"
>
> Signed-off-by: Trevor Gamblin <tgamb...@baylibre.com>
> ---
>  .../python3-m2crypto/CVE-2020-25657.patch     | 176 ------------------
>  ...o_0.38.0.bb => python3-m2crypto_0.39.0.bb} |   3 +-
>  2 files changed, 1 insertion(+), 178 deletions(-)
>  delete mode 100644 
> meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch
>  rename meta-python/recipes-devtools/python/{python3-m2crypto_0.38.0.bb => 
> python3-m2crypto_0.39.0.bb} (92%)
>
> diff --git 
> a/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch 
> b/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch
> deleted file mode 100644
> index 38ecd7a276..0000000000
> --- 
> a/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch
> +++ /dev/null
> @@ -1,176 +0,0 @@
> -Backport patch to fix CVE-2020-25657.
> -
> -Upstream-Status: Backport 
> [https://gitlab.com/m2crypto/m2crypto/-/commit/84c53958]
> -
> -Signed-off-by: Kai Kang <kai.k...@windriver.com>
> -
> -From 84c53958def0f510e92119fca14d74f94215827a Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?Mat=C4=9Bj=20Cepl?= <mc...@cepl.eu>
> -Date: Tue, 28 Jun 2022 21:17:01 +0200
> -Subject: [PATCH] Mitigate the Bleichenbacher timing attacks in the RSA
> - decryption API (CVE-2020-25657)
> -
> -Fixes #282
> ----
> - src/SWIG/_m2crypto_wrap.c | 20 ++++++++++++--------
> - src/SWIG/_rsa.i           | 20 ++++++++++++--------
> - tests/test_rsa.py         | 15 +++++++--------
> - 3 files changed, 31 insertions(+), 24 deletions(-)
> -
> -diff --git a/src/SWIG/_m2crypto_wrap.c b/src/SWIG/_m2crypto_wrap.c
> -index aba9eb6d..a9f30da9 100644
> ---- a/src/SWIG/_m2crypto_wrap.c
> -+++ b/src/SWIG/_m2crypto_wrap.c
> -@@ -7040,9 +7040,10 @@ PyObject *rsa_private_encrypt(RSA *rsa, PyObject 
> *from, int padding) {
> -     tlen = RSA_private_encrypt(flen, (unsigned char *)fbuf,
> -         (unsigned char *)tbuf, rsa, padding);
> -     if (tlen == -1) {
> --        m2_PyErr_Msg(_rsa_err);
> -+        ERR_clear_error();
> -+        PyErr_Clear();
> -         PyMem_Free(tbuf);
> --        return NULL;
> -+        Py_RETURN_NONE;
> -     }
> -
> -     ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
> -@@ -7070,9 +7071,10 @@ PyObject *rsa_public_decrypt(RSA *rsa, PyObject 
> *from, int padding) {
> -     tlen = RSA_public_decrypt(flen, (unsigned char *)fbuf,
> -         (unsigned char *)tbuf, rsa, padding);
> -     if (tlen == -1) {
> --        m2_PyErr_Msg(_rsa_err);
> -+        ERR_clear_error();
> -+        PyErr_Clear();
> -         PyMem_Free(tbuf);
> --        return NULL;
> -+        Py_RETURN_NONE;
> -     }
> -
> -     ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
> -@@ -7097,9 +7099,10 @@ PyObject *rsa_public_encrypt(RSA *rsa, PyObject 
> *from, int padding) {
> -     tlen = RSA_public_encrypt(flen, (unsigned char *)fbuf,
> -         (unsigned char *)tbuf, rsa, padding);
> -     if (tlen == -1) {
> --        m2_PyErr_Msg(_rsa_err);
> -+        ERR_clear_error();
> -+        PyErr_Clear();
> -         PyMem_Free(tbuf);
> --        return NULL;
> -+        Py_RETURN_NONE;
> -     }
> -
> -     ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
> -@@ -7124,9 +7127,10 @@ PyObject *rsa_private_decrypt(RSA *rsa, PyObject 
> *from, int padding) {
> -     tlen = RSA_private_decrypt(flen, (unsigned char *)fbuf,
> -         (unsigned char *)tbuf, rsa, padding);
> -     if (tlen == -1) {
> --        m2_PyErr_Msg(_rsa_err);
> -+        ERR_clear_error();
> -+        PyErr_Clear();
> -         PyMem_Free(tbuf);
> --        return NULL;
> -+        Py_RETURN_NONE;
> -     }
> -     ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
> -
> -diff --git a/src/SWIG/_rsa.i b/src/SWIG/_rsa.i
> -index bc714e01..1377b8be 100644
> ---- a/src/SWIG/_rsa.i
> -+++ b/src/SWIG/_rsa.i
> -@@ -239,9 +239,10 @@ PyObject *rsa_private_encrypt(RSA *rsa, PyObject *from, 
> int padding) {
> -     tlen = RSA_private_encrypt(flen, (unsigned char *)fbuf,
> -         (unsigned char *)tbuf, rsa, padding);
> -     if (tlen == -1) {
> --        m2_PyErr_Msg(_rsa_err);
> -+        ERR_clear_error();
> -+        PyErr_Clear();
> -         PyMem_Free(tbuf);
> --        return NULL;
> -+        Py_RETURN_NONE;
> -     }
> -
> -     ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
> -@@ -269,9 +270,10 @@ PyObject *rsa_public_decrypt(RSA *rsa, PyObject *from, 
> int padding) {
> -     tlen = RSA_public_decrypt(flen, (unsigned char *)fbuf,
> -         (unsigned char *)tbuf, rsa, padding);
> -     if (tlen == -1) {
> --        m2_PyErr_Msg(_rsa_err);
> -+        ERR_clear_error();
> -+        PyErr_Clear();
> -         PyMem_Free(tbuf);
> --        return NULL;
> -+        Py_RETURN_NONE;
> -     }
> -
> -     ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
> -@@ -296,9 +298,10 @@ PyObject *rsa_public_encrypt(RSA *rsa, PyObject *from, 
> int padding) {
> -     tlen = RSA_public_encrypt(flen, (unsigned char *)fbuf,
> -         (unsigned char *)tbuf, rsa, padding);
> -     if (tlen == -1) {
> --        m2_PyErr_Msg(_rsa_err);
> -+        ERR_clear_error();
> -+        PyErr_Clear();
> -         PyMem_Free(tbuf);
> --        return NULL;
> -+        Py_RETURN_NONE;
> -     }
> -
> -     ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
> -@@ -323,9 +326,10 @@ PyObject *rsa_private_decrypt(RSA *rsa, PyObject *from, 
> int padding) {
> -     tlen = RSA_private_decrypt(flen, (unsigned char *)fbuf,
> -         (unsigned char *)tbuf, rsa, padding);
> -     if (tlen == -1) {
> --        m2_PyErr_Msg(_rsa_err);
> -+        ERR_clear_error();
> -+        PyErr_Clear();
> -         PyMem_Free(tbuf);
> --        return NULL;
> -+        Py_RETURN_NONE;
> -     }
> -     ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
> -
> -diff --git a/tests/test_rsa.py b/tests/test_rsa.py
> -index 7bb3af75..5e75d681 100644
> ---- a/tests/test_rsa.py
> -+++ b/tests/test_rsa.py
> -@@ -109,8 +109,9 @@ class RSATestCase(unittest.TestCase):
> -         # The other paddings.
> -         for padding in self.s_padding_nok:
> -             p = getattr(RSA, padding)
> --            with self.assertRaises(RSA.RSAError):
> --                priv.private_encrypt(self.data, p)
> -+            # Exception disabled as a part of mitigation against 
> CVE-2020-25657
> -+            # with self.assertRaises(RSA.RSAError):
> -+            priv.private_encrypt(self.data, p)
> -         # Type-check the data to be encrypted.
> -         with self.assertRaises(TypeError):
> -             priv.private_encrypt(self.gen_callback, RSA.pkcs1_padding)
> -@@ -127,10 +128,12 @@ class RSATestCase(unittest.TestCase):
> -             self.assertEqual(ptxt, self.data)
> -
> -         # no_padding
> --        with six.assertRaisesRegex(self, RSA.RSAError, 'data too small'):
> --            priv.public_encrypt(self.data, RSA.no_padding)
> -+        # Exception disabled as a part of mitigation against CVE-2020-25657
> -+        # with six.assertRaisesRegex(self, RSA.RSAError, 'data too small'):
> -+        priv.public_encrypt(self.data, RSA.no_padding)
> -
> -         # Type-check the data to be encrypted.
> -+        # Exception disabled as a part of mitigation against CVE-2020-25657
> -         with self.assertRaises(TypeError):
> -             priv.public_encrypt(self.gen_callback, RSA.pkcs1_padding)
> -
> -@@ -146,10 +149,6 @@ class RSATestCase(unittest.TestCase):
> -                          b'\000\000\000\003\001\000\001')  # aka 65537 aka 
> 0xf4
> -         with self.assertRaises(RSA.RSAError):
> -             setattr(rsa, 'e', '\000\000\000\003\001\000\001')
> --        with self.assertRaises(RSA.RSAError):
> --            rsa.private_encrypt(1)
> --        with self.assertRaises(RSA.RSAError):
> --            rsa.private_decrypt(1)
> -         assert rsa.check_key()
> -
> -     def test_loadpub_bad(self):
> ---
> -GitLab
> -
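
Review bot: the commit message should record that the API change carried by this deleted backport stays in effect after the upgrade. In the src/SWIG/_rsa.i and src/SWIG/_m2crypto_wrap.c hunks of the removed file, the tlen == -1 branch of rsa_private_encrypt, rsa_public_decrypt, rsa_public_encrypt and rsa_private_decrypt goes from m2_PyErr_Msg(_rsa_err) and return NULL to Py_RETURN_NONE, and the tests/test_rsa.py hunks comment out the assertRaises(RSA.RSAError) checks. The git tag --contains output places 84c53958 in 0.39.0, so dropping the file looks correct; suggest one added sentence in the commit message saying these calls return None on failure instead of raising RSA.RSAError, so that users of the recipe know the behaviour is unchanged from the backported 0.38.0.
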
> diff --git a/meta-python/recipes-devtools/python/python3-m2crypto_0.38.0.bb 
> b/meta-python/recipes-devtools/python/python3-m2crypto_0.39.0.bb
> similarity index 92%
> rename from meta-python/recipes-devtools/python/python3-m2crypto_0.38.0.bb
> rename to meta-python/recipes-devtools/python/python3-m2crypto_0.39.0.bb
> index 40e3bfb316..3a4a700bf7 100644
> --- a/meta-python/recipes-devtools/python/python3-m2crypto_0.38.0.bb
> +++ b/meta-python/recipes-devtools/python/python3-m2crypto_0.39.0.bb
> @@ -10,9 +10,8 @@ SRC_URI += 
> "file://0001-setup.py-link-in-sysroot-not-in-host-directories.patch \
>              file://cross-compile-platform.patch \
>              file://avoid-host-contamination.patch \
>              file://0001-setup.py-address-openssl-3.x-build-issue.patch \
> -            file://CVE-2020-25657.patch \
>              "
> -SRC_URI[sha256sum] = 
> "99f2260a30901c949a8dc6d5f82cd5312ffb8abc92e76633baf231bbbcb2decb"
> +SRC_URI[sha256sum] = 
> "24c0f471358b8b19ad4c8aa9da12e868030b65c1fdb3279d006df60c9501338a"
>
>  PYPI_PACKAGE = "M2Crypto"
>  inherit pypi siteinfo setuptools3
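
Review bot: 0001-setup.py-address-openssl-3.x-build-issue.patch stays in SRC_URI untouched, yet the 0.39.0 changelog quoted in the commit message lists "Worked around compatibility issues with OpenSSL 3.*". Please confirm that this patch is still needed and still applies to 0.39.0, and drop or refresh it as part of this upgrade if upstream now covers the same build issue. The same check is worth doing for the other carried patches, since the rename is reported at 92% similarity with only the CVE patch line and SRC_URI[sha256sum] changed.
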
> --
> 2.41.0
>
>
> 
>