Re: [oe] [meta-python][PATCH 3/7] python3-m2crypto: upgrade 0.38.0 -> 0.39.0
On Thu, Aug 3, 2023 at 7:07 AM Trevor Gamblin wrote:
>
>
> On 2023-08-02 16:44, Khem Raj wrote:
> > On Wed, Aug 2, 2023 at 12:23 PM Trevor Gamblin
> > wrote:
> >>
> >> On 2023-07-30 21:03, Khem Raj wrote:
> >>> Hi Trevor
> >>>
> >>> I am seeing a failure on qemux86 on Ubuntu 22.04 host and it's fairly
> >>> regular.
> >>>
> >>> https://errors.yoctoproject.org/Errors/Details/729506/
> >>>
> >>> It seems rpmdeps is crashing with signal 9. I wonder if it's something
> >>> to do with rpm changes we might have
> >>> got in core, but I can confirm that it was not an issue two weeks ago.
> >>> It worked ok on Jul 17th but broke on
> >>> Jul 27th CI builds.
> >> Missed this until now. I see it's been merged; is this still an issue?
> > Yes, it still is.
> Hmm, I can't seem to reproduce it yet. Do you want to revert the patch
> for now?

A reboot of the builder has fixed this issue. I am bemused.

> >>> On Tue, Jul 25, 2023 at 12:09 PM Trevor Gamblin
> >>> wrote:
> Remove the CVE-2020-25657 patch, as it is fixed in 0.39.0:
>
> [tgamblin@megalith m2crypto]$ git log --oneline --grep="CVE-2020-25657"
> 84c5395 Mitigate the Bleichenbacher timing attacks in the RSA decryption
> API (CVE-2020-25657)
> [tgamblin@megalith m2crypto]$ git tag --contains
> 84c53958def0f510e92119fca14d74f94215827a
> 0.39.0
>
> Changelog
> (https://gitlab.com/m2crypto/m2crypto/-/blob/master/CHANGES?ref_type=heads):
>
> 0.39.0 - 2023-01-31
> ---
>
> - SUPPORT FOR PYTHON 2 HAS BEEN DEPRECATED AND IT WILL BE
>   COMPLETELY REMOVED IN THE NEXT RELEASE.
> - Remove dependency on parameterized and use unittest.subTest
>   instead.
> - Upgrade embedded six.py module to 1.16.0 (really tiny
>   inconsequential changes).
> - Make tests working on MacOS again (test_bio_membuf: Use fork)
> - Use OpenSSL_version_num() instead of unrealiable parsing of .h
>   file.
> - Mitigate the Bleichenbacher timing attacks in the RSA > decryption API (CVE-2020-25657) > - Add functionality to extract EC key from public key + Update > tests > - Worked around compatibility issues with OpenSSL 3.* > - Support for Twisted has been deprecated (they have their own > SSL support anyway). > - Generate TAP while testing. > - Stop using GitHub for testing. > - Accept a small deviation from time in the testsuite (for > systems with non-standard HZ kernel parameter). > - Use the default BIO.__del__ rather tha overriding in BIO.File > (avoid a memleak). > - Resolve "X509_Name.as_der() method from X509.py -> class > X509_Name caused segmentation fault" > > Signed-off-by: Trevor Gamblin > --- > .../python3-m2crypto/CVE-2020-25657.patch | 176 -- > ...o_0.38.0.bb => python3-m2crypto_0.39.0.bb} | 3 +- > 2 files changed, 1 insertion(+), 178 deletions(-) > delete mode 100644 > meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch > rename > meta-python/recipes-devtools/python/{python3-m2crypto_0.38.0.bb => > python3-m2crypto_0.39.0.bb} (92%) > > diff --git > a/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch > > b/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch > deleted file mode 100644 > index 38ecd7a276..00 > --- > a/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch > +++ /dev/null 
> @@ -1,176 +0,0 @@ > -Backport patch to fix CVE-2020-25657. > - > -Upstream-Status: Backport > [https://gitlab.com/m2crypto/m2crypto/-/commit/84c53958] > - > -Signed-off-by: Kai Kang > - > -From 84c53958def0f510e92119fca14d74f94215827a Mon Sep 17 00:00:00 2001 > -From: =?UTF-8?q?Mat=C4=9Bj=20Cepl?= > -Date: Tue, 28 Jun 2022 21:17:01 +0200 > -Subject: [PATCH] Mitigate the Bleichenbacher timing attacks in the RSA > - decryption API (CVE-2020-25657) > - > -Fixes #282 > > - src/SWIG/_m2crypto_wrap.c | 20 > - src/SWIG/_rsa.i | 20 > - tests/test_rsa.py | 15 +++ > - 3 files changed, 31 insertions(+), 24 deletions(-) > - > -diff --git a/src/SWIG/_m2crypto_wrap.c b/src/SWIG/_m2crypto_wrap.c > -index aba9eb6d..a9f30da9 100644 > a/src/SWIG/_m2crypto_wrap.c > -+++ b/src/SWIG/_m2crypto_wrap.c > -@@ -7040,9 +7040,10 @@ PyObject *rsa_private_encrypt(RSA *rsa, PyObject > *from, int padding) { > - tlen = RSA_private_encrypt(flen, (unsigned char *)fbuf, > - (unsigned char *)tbuf, rsa, padding); > - if (tlen == -1) { > --m2_PyErr_Msg(_rsa_err); > -+ERR_clear_error
Re: [oe] [meta-python][PATCH 3/7] python3-m2crypto: upgrade 0.38.0 -> 0.39.0
On 2023-08-02 16:44, Khem Raj wrote:
On Wed, Aug 2, 2023 at 12:23 PM Trevor Gamblin wrote:
On 2023-07-30 21:03, Khem Raj wrote:
Hi Trevor

I am seeing a failure on qemux86 on Ubuntu 22.04 host and it's fairly regular.

https://errors.yoctoproject.org/Errors/Details/729506/

It seems rpmdeps is crashing with signal 9. I wonder if it's something to do with rpm changes we might have got in core, but I can confirm that it was not an issue two weeks ago. It worked ok on Jul 17th but broke on Jul 27th CI builds.

Missed this until now. I see it's been merged; is this still an issue?

Yes, it still is.

Hmm, I can't seem to reproduce it yet. Do you want to revert the patch for now?

On Tue, Jul 25, 2023 at 12:09 PM Trevor Gamblin wrote:
Remove the CVE-2020-25657 patch, as it is fixed in 0.39.0:

[tgamblin@megalith m2crypto]$ git log --oneline --grep="CVE-2020-25657"
84c5395 Mitigate the Bleichenbacher timing attacks in the RSA decryption API (CVE-2020-25657)
[tgamblin@megalith m2crypto]$ git tag --contains 84c53958def0f510e92119fca14d74f94215827a
0.39.0

Changelog (https://gitlab.com/m2crypto/m2crypto/-/blob/master/CHANGES?ref_type=heads):

0.39.0 - 2023-01-31
---

- SUPPORT FOR PYTHON 2 HAS BEEN DEPRECATED AND IT WILL BE COMPLETELY REMOVED IN THE NEXT RELEASE.
- Remove dependency on parameterized and use unittest.subTest instead.
- Upgrade embedded six.py module to 1.16.0 (really tiny inconsequential changes).
- Make tests working on MacOS again (test_bio_membuf: Use fork)
- Use OpenSSL_version_num() instead of unrealiable parsing of .h file.
- Mitigate the Bleichenbacher timing attacks in the RSA decryption API (CVE-2020-25657)
- Add functionality to extract EC key from public key + Update tests
- Worked around compatibility issues with OpenSSL 3.*
- Support for Twisted has been deprecated (they have their own SSL support anyway).
- Generate TAP while testing.
- Stop using GitHub for testing.
- Accept a small deviation from time in the testsuite (for systems with non-standard HZ kernel parameter). - Use the default BIO.__del__ rather tha overriding in BIO.File (avoid a memleak). - Resolve "X509_Name.as_der() method from X509.py -> class X509_Name caused segmentation fault" Signed-off-by: Trevor Gamblin --- .../python3-m2crypto/CVE-2020-25657.patch | 176 -- ...o_0.38.0.bb => python3-m2crypto_0.39.0.bb} | 3 +- 2 files changed, 1 insertion(+), 178 deletions(-) delete mode 100644 meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch rename meta-python/recipes-devtools/python/{python3-m2crypto_0.38.0.bb => python3-m2crypto_0.39.0.bb} (92%) diff --git a/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch b/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch deleted file mode 100644 index 38ecd7a276..00 --- a/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch +++ /dev/null 
@@ -1,176 +0,0 @@ -Backport patch to fix CVE-2020-25657. - -Upstream-Status: Backport [https://gitlab.com/m2crypto/m2crypto/-/commit/84c53958] - -Signed-off-by: Kai Kang - -From 84c53958def0f510e92119fca14d74f94215827a Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C4=9Bj=20Cepl?= -Date: Tue, 28 Jun 2022 21:17:01 +0200 -Subject: [PATCH] Mitigate the Bleichenbacher timing attacks in the RSA - decryption API (CVE-2020-25657) - -Fixes #282 - src/SWIG/_m2crypto_wrap.c | 20 - src/SWIG/_rsa.i | 20 - tests/test_rsa.py | 15 +++ - 3 files changed, 31 insertions(+), 24 deletions(-) - -diff --git a/src/SWIG/_m2crypto_wrap.c b/src/SWIG/_m2crypto_wrap.c -index aba9eb6d..a9f30da9 100644 a/src/SWIG/_m2crypto_wrap.c -+++ b/src/SWIG/_m2crypto_wrap.c -@@ -7040,9 +7040,10 @@ PyObject *rsa_private_encrypt(RSA *rsa, PyObject *from, int padding) { - tlen = RSA_private_encrypt(flen, (unsigned char *)fbuf, - (unsigned char *)tbuf, rsa, padding); - if (tlen == -1) { --m2_PyErr_Msg(_rsa_err); -+ERR_clear_error(); -+PyErr_Clear(); - PyMem_Free(tbuf); --return NULL; -+Py_RETURN_NONE; - } - - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); -@@ -7070,9 +7071,10 @@ PyObject *rsa_public_decrypt(RSA *rsa, PyObject *from, int padding) { - tlen = RSA_public_decrypt(flen, (unsigned char *)fbuf, - (unsigned char *)tbuf, rsa, padding); - if (tlen == -1) { --m2_PyErr_Msg(_rsa_err); -+ERR_clear_error(); -+PyErr_Clear(); - PyMem_Free(tbuf); --return NULL; -+Py_RETURN_NONE; - } - - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); -@@ -7097,9 +7099,10 @@ PyObject *rsa_public_encrypt(RSA *rsa, PyObject *from, int padding) { - tlen = RSA_public_encrypt(flen, (unsigned char *)fbuf, - (unsigned char *)tbuf, rsa, padding); - if (tlen
Re: [oe] [meta-python][PATCH 3/7] python3-m2crypto: upgrade 0.38.0 -> 0.39.0
On Wed, Aug 2, 2023 at 12:23 PM Trevor Gamblin wrote:
>
>
> On 2023-07-30 21:03, Khem Raj wrote:
> > Hi Trevor
> >
> > I am seeing a failure on qemux86 on Ubuntu 22.04 host and it's fairly
> > regular.
> >
> > https://errors.yoctoproject.org/Errors/Details/729506/
> >
> > It seems rpmdeps is crashing with signal 9. I wonder if it's something
> > to do with rpm changes we might have
> > got in core, but I can confirm that it was not an issue two weeks ago.
> > It worked ok on Jul 17th but broke on
> > Jul 27th CI builds.
> Missed this until now. I see it's been merged; is this still an issue?

Yes, it still is.

> >
> > On Tue, Jul 25, 2023 at 12:09 PM Trevor Gamblin
> > wrote:
> >> Remove the CVE-2020-25657 patch, as it is fixed in 0.39.0:
> >>
> >> [tgamblin@megalith m2crypto]$ git log --oneline --grep="CVE-2020-25657"
> >> 84c5395 Mitigate the Bleichenbacher timing attacks in the RSA decryption
> >> API (CVE-2020-25657)
> >> [tgamblin@megalith m2crypto]$ git tag --contains
> >> 84c53958def0f510e92119fca14d74f94215827a
> >> 0.39.0
> >>
> >> Changelog
> >> (https://gitlab.com/m2crypto/m2crypto/-/blob/master/CHANGES?ref_type=heads):
> >>
> >> 0.39.0 - 2023-01-31
> >> ---
> >>
> >> - SUPPORT FOR PYTHON 2 HAS BEEN DEPRECATED AND IT WILL BE
> >>   COMPLETELY REMOVED IN THE NEXT RELEASE.
> >> - Remove dependency on parameterized and use unittest.subTest
> >>   instead.
> >> - Upgrade embedded six.py module to 1.16.0 (really tiny
> >>   inconsequential changes).
> >> - Make tests working on MacOS again (test_bio_membuf: Use fork)
> >> - Use OpenSSL_version_num() instead of unrealiable parsing of .h
> >>   file.
> >> - Mitigate the Bleichenbacher timing attacks in the RSA
> >>   decryption API (CVE-2020-25657)
> >> - Add functionality to extract EC key from public key + Update
> >>   tests
> >> - Worked around compatibility issues with OpenSSL 3.*
> >> - Support for Twisted has been deprecated (they have their own
> >>   SSL support anyway).
> >> - Generate TAP while testing.
> >> - Stop using GitHub for testing. > >> - Accept a small deviation from time in the testsuite (for > >>systems with non-standard HZ kernel parameter). > >> - Use the default BIO.__del__ rather tha overriding in BIO.File > >>(avoid a memleak). > >> - Resolve "X509_Name.as_der() method from X509.py -> class > >>X509_Name caused segmentation fault" > >> > >> Signed-off-by: Trevor Gamblin > >> --- > >> .../python3-m2crypto/CVE-2020-25657.patch | 176 -- > >> ...o_0.38.0.bb => python3-m2crypto_0.39.0.bb} | 3 +- > >> 2 files changed, 1 insertion(+), 178 deletions(-) > >> delete mode 100644 > >> meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch > >> rename meta-python/recipes-devtools/python/{python3-m2crypto_0.38.0.bb > >> => python3-m2crypto_0.39.0.bb} (92%) > >> > >> diff --git > >> a/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch > >> > >> b/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch > >> deleted file mode 100644 > >> index 38ecd7a276..00 > >> --- > >> a/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch > >> +++ /dev/null 
> >> @@ -1,176 +0,0 @@ > >> -Backport patch to fix CVE-2020-25657. > >> - > >> -Upstream-Status: Backport > >> [https://gitlab.com/m2crypto/m2crypto/-/commit/84c53958] > >> - > >> -Signed-off-by: Kai Kang > >> - > >> -From 84c53958def0f510e92119fca14d74f94215827a Mon Sep 17 00:00:00 2001 > >> -From: =?UTF-8?q?Mat=C4=9Bj=20Cepl?= > >> -Date: Tue, 28 Jun 2022 21:17:01 +0200 > >> -Subject: [PATCH] Mitigate the Bleichenbacher timing attacks in the RSA > >> - decryption API (CVE-2020-25657) > >> - > >> -Fixes #282 > >> > >> - src/SWIG/_m2crypto_wrap.c | 20 > >> - src/SWIG/_rsa.i | 20 > >> - tests/test_rsa.py | 15 +++ > >> - 3 files changed, 31 insertions(+), 24 deletions(-) > >> - > >> -diff --git a/src/SWIG/_m2crypto_wrap.c b/src/SWIG/_m2crypto_wrap.c > >> -index aba9eb6d..a9f30da9 100644 > >> a/src/SWIG/_m2crypto_wrap.c > >> -+++ b/src/SWIG/_m2crypto_wrap.c > >> -@@ -7040,9 +7040,10 @@ PyObject *rsa_private_encrypt(RSA *rsa, PyObject > >> *from, int padding) { > >> - tlen = RSA_private_encrypt(flen, (unsigned char *)fbuf, > >> - (unsigned char *)tbuf, rsa, padding); > >> - if (tlen == -1) { > >> --m2_PyErr_Msg(_rsa_err); > >> -+ERR_clear_error(); > >> -+PyErr_Clear(); > >> - PyMem_Free(tbuf); > >> --return NULL; > >> -+Py_RETURN_NONE; > >> - } > >> - > >> - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); > >> -@@ -7070,9 +7071,10 @@ PyObject *rsa_public_decrypt(RSA *rsa, PyObject > >> *from, int padding) { > >> - tlen = RSA_public_decrypt(flen, (unsigned char *)fbuf, > >> - (unsigned char *)tbuf, rsa, padding); > >> - if (tlen == -1) { > >> --m2_PyE
Re: [oe] [meta-python][PATCH 3/7] python3-m2crypto: upgrade 0.38.0 -> 0.39.0
On 2023-07-30 21:03, Khem Raj wrote:
Hi Trevor

I am seeing a failure on qemux86 on Ubuntu 22.04 host and it's fairly regular.

https://errors.yoctoproject.org/Errors/Details/729506/

It seems rpmdeps is crashing with signal 9. I wonder if it's something to do with rpm changes we might have got in core, but I can confirm that it was not an issue two weeks ago. It worked ok on Jul 17th but broke on Jul 27th CI builds.

Missed this until now. I see it's been merged; is this still an issue?

On Tue, Jul 25, 2023 at 12:09 PM Trevor Gamblin wrote:
Remove the CVE-2020-25657 patch, as it is fixed in 0.39.0:

[tgamblin@megalith m2crypto]$ git log --oneline --grep="CVE-2020-25657"
84c5395 Mitigate the Bleichenbacher timing attacks in the RSA decryption API (CVE-2020-25657)
[tgamblin@megalith m2crypto]$ git tag --contains 84c53958def0f510e92119fca14d74f94215827a
0.39.0

Changelog (https://gitlab.com/m2crypto/m2crypto/-/blob/master/CHANGES?ref_type=heads):

0.39.0 - 2023-01-31
---

- SUPPORT FOR PYTHON 2 HAS BEEN DEPRECATED AND IT WILL BE COMPLETELY REMOVED IN THE NEXT RELEASE.
- Remove dependency on parameterized and use unittest.subTest instead.
- Upgrade embedded six.py module to 1.16.0 (really tiny inconsequential changes).
- Make tests working on MacOS again (test_bio_membuf: Use fork)
- Use OpenSSL_version_num() instead of unrealiable parsing of .h file.
- Mitigate the Bleichenbacher timing attacks in the RSA decryption API (CVE-2020-25657)
- Add functionality to extract EC key from public key + Update tests
- Worked around compatibility issues with OpenSSL 3.*
- Support for Twisted has been deprecated (they have their own SSL support anyway).
- Generate TAP while testing.
- Stop using GitHub for testing.
- Accept a small deviation from time in the testsuite (for systems with non-standard HZ kernel parameter).
- Use the default BIO.__del__ rather tha overriding in BIO.File (avoid a memleak).
- Resolve "X509_Name.as_der() method from X509.py -> class X509_Name caused segmentation fault" Signed-off-by: Trevor Gamblin --- .../python3-m2crypto/CVE-2020-25657.patch | 176 -- ...o_0.38.0.bb => python3-m2crypto_0.39.0.bb} | 3 +- 2 files changed, 1 insertion(+), 178 deletions(-) delete mode 100644 meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch rename meta-python/recipes-devtools/python/{python3-m2crypto_0.38.0.bb => python3-m2crypto_0.39.0.bb} (92%) diff --git a/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch b/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch deleted file mode 100644 index 38ecd7a276..00 --- a/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch +++ /dev/null 
@@ -1,176 +0,0 @@ -Backport patch to fix CVE-2020-25657. - -Upstream-Status: Backport [https://gitlab.com/m2crypto/m2crypto/-/commit/84c53958] - -Signed-off-by: Kai Kang - -From 84c53958def0f510e92119fca14d74f94215827a Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C4=9Bj=20Cepl?= -Date: Tue, 28 Jun 2022 21:17:01 +0200 -Subject: [PATCH] Mitigate the Bleichenbacher timing attacks in the RSA - decryption API (CVE-2020-25657) - -Fixes #282 - src/SWIG/_m2crypto_wrap.c | 20 - src/SWIG/_rsa.i | 20 - tests/test_rsa.py | 15 +++ - 3 files changed, 31 insertions(+), 24 deletions(-) - -diff --git a/src/SWIG/_m2crypto_wrap.c b/src/SWIG/_m2crypto_wrap.c -index aba9eb6d..a9f30da9 100644 a/src/SWIG/_m2crypto_wrap.c -+++ b/src/SWIG/_m2crypto_wrap.c -@@ -7040,9 +7040,10 @@ PyObject *rsa_private_encrypt(RSA *rsa, PyObject *from, int padding) { - tlen = RSA_private_encrypt(flen, (unsigned char *)fbuf, - (unsigned char *)tbuf, rsa, padding); - if (tlen == -1) { --m2_PyErr_Msg(_rsa_err); -+ERR_clear_error(); -+PyErr_Clear(); - PyMem_Free(tbuf); --return NULL; -+Py_RETURN_NONE; - } - - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); -@@ -7070,9 +7071,10 @@ PyObject *rsa_public_decrypt(RSA *rsa, PyObject *from, int padding) { - tlen = RSA_public_decrypt(flen, (unsigned char *)fbuf, - (unsigned char *)tbuf, rsa, padding); - if (tlen == -1) { --m2_PyErr_Msg(_rsa_err); -+ERR_clear_error(); -+PyErr_Clear(); - PyMem_Free(tbuf); --return NULL; -+Py_RETURN_NONE; - } - - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); -@@ -7097,9 +7099,10 @@ PyObject *rsa_public_encrypt(RSA *rsa, PyObject *from, int padding) { - tlen = RSA_public_encrypt(flen, (unsigned char *)fbuf, - (unsigned char *)tbuf, rsa, padding); - if (tlen == -1) { --m2_PyErr_Msg(_rsa_err); -+ERR_clear_error(); -+PyErr_Clear(); - PyMem_Free(tbuf); --return NULL; -+Py_RETURN_NONE; - } - - ret = PyBytes_Fro
Re: [oe] [meta-python][PATCH 3/7] python3-m2crypto: upgrade 0.38.0 -> 0.39.0
Hi Trevor

I am seeing a failure on qemux86 on Ubuntu 22.04 host and it's fairly regular.

https://errors.yoctoproject.org/Errors/Details/729506/

It seems rpmdeps is crashing with signal 9. I wonder if it's something to do with rpm changes we might have got in core, but I can confirm that it was not an issue two weeks ago. It worked ok on Jul 17th but broke on Jul 27th CI builds.

On Tue, Jul 25, 2023 at 12:09 PM Trevor Gamblin wrote:
>
> Remove the CVE-2020-25657 patch, as it is fixed in 0.39.0:
>
> [tgamblin@megalith m2crypto]$ git log --oneline --grep="CVE-2020-25657"
> 84c5395 Mitigate the Bleichenbacher timing attacks in the RSA decryption API
> (CVE-2020-25657)
> [tgamblin@megalith m2crypto]$ git tag --contains
> 84c53958def0f510e92119fca14d74f94215827a
> 0.39.0
>
> Changelog
> (https://gitlab.com/m2crypto/m2crypto/-/blob/master/CHANGES?ref_type=heads):
>
> 0.39.0 - 2023-01-31
> ---
>
> - SUPPORT FOR PYTHON 2 HAS BEEN DEPRECATED AND IT WILL BE
>   COMPLETELY REMOVED IN THE NEXT RELEASE.
> - Remove dependency on parameterized and use unittest.subTest
>   instead.
> - Upgrade embedded six.py module to 1.16.0 (really tiny
>   inconsequential changes).
> - Make tests working on MacOS again (test_bio_membuf: Use fork)
> - Use OpenSSL_version_num() instead of unrealiable parsing of .h
>   file.
> - Mitigate the Bleichenbacher timing attacks in the RSA
>   decryption API (CVE-2020-25657)
> - Add functionality to extract EC key from public key + Update
>   tests
> - Worked around compatibility issues with OpenSSL 3.*
> - Support for Twisted has been deprecated (they have their own
>   SSL support anyway).
> - Generate TAP while testing.
> - Stop using GitHub for testing.
> - Accept a small deviation from time in the testsuite (for
>   systems with non-standard HZ kernel parameter).
> - Use the default BIO.__del__ rather tha overriding in BIO.File
>   (avoid a memleak).
> - Resolve "X509_Name.as_der() method from X509.py -> class
>   X509_Name caused segmentation fault"
> > Signed-off-by: Trevor Gamblin > --- > .../python3-m2crypto/CVE-2020-25657.patch | 176 -- > ...o_0.38.0.bb => python3-m2crypto_0.39.0.bb} | 3 +- > 2 files changed, 1 insertion(+), 178 deletions(-) > delete mode 100644 > meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch > rename meta-python/recipes-devtools/python/{python3-m2crypto_0.38.0.bb => > python3-m2crypto_0.39.0.bb} (92%) > > diff --git > a/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch > b/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch > deleted file mode 100644 > index 38ecd7a276..00 > --- > a/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch > +++ /dev/null 
> @@ -1,176 +0,0 @@ > -Backport patch to fix CVE-2020-25657. > - > -Upstream-Status: Backport > [https://gitlab.com/m2crypto/m2crypto/-/commit/84c53958] > - > -Signed-off-by: Kai Kang > - > -From 84c53958def0f510e92119fca14d74f94215827a Mon Sep 17 00:00:00 2001 > -From: =?UTF-8?q?Mat=C4=9Bj=20Cepl?= > -Date: Tue, 28 Jun 2022 21:17:01 +0200 > -Subject: [PATCH] Mitigate the Bleichenbacher timing attacks in the RSA > - decryption API (CVE-2020-25657) > - > -Fixes #282 > > - src/SWIG/_m2crypto_wrap.c | 20 > - src/SWIG/_rsa.i | 20 > - tests/test_rsa.py | 15 +++ > - 3 files changed, 31 insertions(+), 24 deletions(-) > - > -diff --git a/src/SWIG/_m2crypto_wrap.c b/src/SWIG/_m2crypto_wrap.c > -index aba9eb6d..a9f30da9 100644 > a/src/SWIG/_m2crypto_wrap.c > -+++ b/src/SWIG/_m2crypto_wrap.c > -@@ -7040,9 +7040,10 @@ PyObject *rsa_private_encrypt(RSA *rsa, PyObject > *from, int padding) { > - tlen = RSA_private_encrypt(flen, (unsigned char *)fbuf, > - (unsigned char *)tbuf, rsa, padding); > - if (tlen == -1) { > --m2_PyErr_Msg(_rsa_err); > -+ERR_clear_error(); > -+PyErr_Clear(); > - PyMem_Free(tbuf); > --return NULL; > -+Py_RETURN_NONE; > - } > - > - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); > -@@ -7070,9 +7071,10 @@ PyObject *rsa_public_decrypt(RSA *rsa, PyObject > *from, int padding) { > - tlen = RSA_public_decrypt(flen, (unsigned char *)fbuf, > - (unsigned char *)tbuf, rsa, padding); > - if (tlen == -1) { > --m2_PyErr_Msg(_rsa_err); > -+ERR_clear_error(); > -+PyErr_Clear(); > - PyMem_Free(tbuf); > --return NULL; > -+Py_RETURN_NONE; > - } > - > - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); > -@@ -7097,9 +7099,10 @@ PyObject *rsa_public_encrypt(RSA *rsa, PyObject > *from, int padding) { > - tlen = RSA_public_encrypt(flen, (unsigned char *)fbuf, > - (unsigned char *)tbuf, rsa, padding); > - if (tlen == -1) { > --m2_PyErr_Msg(_rsa_err); > -+ERR_clear_error(); > -+PyErr_Clear(); > -
[oe] [meta-python][PATCH 3/7] python3-m2crypto: upgrade 0.38.0 -> 0.39.0
Remove the CVE-2020-25657 patch, as it is fixed in 0.39.0:

[tgamblin@megalith m2crypto]$ git log --oneline --grep="CVE-2020-25657"
84c5395 Mitigate the Bleichenbacher timing attacks in the RSA decryption API (CVE-2020-25657)
[tgamblin@megalith m2crypto]$ git tag --contains 84c53958def0f510e92119fca14d74f94215827a
0.39.0

Changelog (https://gitlab.com/m2crypto/m2crypto/-/blob/master/CHANGES?ref_type=heads):

0.39.0 - 2023-01-31
---

- SUPPORT FOR PYTHON 2 HAS BEEN DEPRECATED AND IT WILL BE COMPLETELY REMOVED IN THE NEXT RELEASE.
- Remove dependency on parameterized and use unittest.subTest instead.
- Upgrade embedded six.py module to 1.16.0 (really tiny inconsequential changes).
- Make tests working on MacOS again (test_bio_membuf: Use fork)
- Use OpenSSL_version_num() instead of unrealiable parsing of .h file.
- Mitigate the Bleichenbacher timing attacks in the RSA decryption API (CVE-2020-25657)
- Add functionality to extract EC key from public key + Update tests
- Worked around compatibility issues with OpenSSL 3.*
- Support for Twisted has been deprecated (they have their own SSL support anyway).
- Generate TAP while testing.
- Stop using GitHub for testing.
- Accept a small deviation from time in the testsuite (for systems with non-standard HZ kernel parameter).
- Use the default BIO.__del__ rather tha overriding in BIO.File (avoid a memleak).
- Resolve "X509_Name.as_der() method from X509.py -> class X509_Name caused segmentation fault"

Signed-off-by: Trevor Gamblin
---
.../python3-m2crypto/CVE-2020-25657.patch | 176 --
...o_0.38.0.bb => python3-m2crypto_0.39.0.bb} | 3 +-
2 files changed, 1 insertion(+), 178 deletions(-)
delete mode 100644 meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch
rename meta-python/recipes-devtools/python/{python3-m2crypto_0.38.0.bb => python3-m2crypto_0.39.0.bb} (92%)
diff --git a/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch b/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch deleted file mode 100644 index 38ecd7a276..00 --- a/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch +++ /dev/null 
@@ -1,176 +0,0 @@ -Backport patch to fix CVE-2020-25657. - -Upstream-Status: Backport [https://gitlab.com/m2crypto/m2crypto/-/commit/84c53958] - -Signed-off-by: Kai Kang - -From 84c53958def0f510e92119fca14d74f94215827a Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C4=9Bj=20Cepl?= -Date: Tue, 28 Jun 2022 21:17:01 +0200 -Subject: [PATCH] Mitigate the Bleichenbacher timing attacks in the RSA - decryption API (CVE-2020-25657) - -Fixes #282 - src/SWIG/_m2crypto_wrap.c | 20 - src/SWIG/_rsa.i | 20 - tests/test_rsa.py | 15 +++ - 3 files changed, 31 insertions(+), 24 deletions(-) - -diff --git a/src/SWIG/_m2crypto_wrap.c b/src/SWIG/_m2crypto_wrap.c -index aba9eb6d..a9f30da9 100644 a/src/SWIG/_m2crypto_wrap.c -+++ b/src/SWIG/_m2crypto_wrap.c -@@ -7040,9 +7040,10 @@ PyObject *rsa_private_encrypt(RSA *rsa, PyObject *from, int padding) { - tlen = RSA_private_encrypt(flen, (unsigned char *)fbuf, - (unsigned char *)tbuf, rsa, padding); - if (tlen == -1) { --m2_PyErr_Msg(_rsa_err); -+ERR_clear_error(); -+PyErr_Clear(); - PyMem_Free(tbuf); --return NULL; -+Py_RETURN_NONE; - } - - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); -@@ -7070,9 +7071,10 @@ PyObject *rsa_public_decrypt(RSA *rsa, PyObject *from, int padding) { - tlen = RSA_public_decrypt(flen, (unsigned char *)fbuf, - (unsigned char *)tbuf, rsa, padding); - if (tlen == -1) { --m2_PyErr_Msg(_rsa_err); -+ERR_clear_error(); -+PyErr_Clear(); - PyMem_Free(tbuf); --return NULL; -+Py_RETURN_NONE; - } - - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); -@@ -7097,9 +7099,10 @@ PyObject *rsa_public_encrypt(RSA *rsa, PyObject *from, int padding) { - tlen = RSA_public_encrypt(flen, (unsigned char *)fbuf, - (unsigned char *)tbuf, rsa, padding); - if (tlen == -1) { --m2_PyErr_Msg(_rsa_err); -+ERR_clear_error(); -+PyErr_Clear(); - PyMem_Free(tbuf); --return NULL; -+Py_RETURN_NONE; - } - - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); -@@ -7124,9 +7127,10 @@ PyObject *rsa_private_decrypt(RSA *rsa, 
PyObject *from, int padding) { - tlen = RSA_private_decrypt(flen, (unsigned char *)fbuf, - (unsigned char *)tbuf, rsa, padding); - if (tlen == -1) { --m2_PyErr_Msg(_rsa_err); -+ERR_clear_error(); -+PyErr_Clear(); - PyMem_Free(tbuf); --return NULL; -+Py_RETURN_NONE; - } - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); - -diff --git a/src/SWIG/_rsa.i b/src/SWIG/_rsa.i -ind
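Review bot: Dropping CVE-2020-25657.patch is only safe if 0.39.0 already carries the `tlen == -1` handling that the deleted hunks apply to `rsa_private_encrypt`, `rsa_public_decrypt`, `rsa_public_encrypt` and `rsa_private_decrypt` (`ERR_clear_error(); PyErr_Clear();` followed by `Py_RETURN_NONE` in place of `m2_PyErr_Msg(_rsa_err)` and `return NULL`). The commit message does establish this: `git tag --contains 84c53958def0f510e92119fca14d74f94215827a` prints 0.39.0, and that is the same commit named in the deleted file's Upstream-Status line, so the removal looks correct. The recipe change counted in the diffstat (`python3-m2crypto_0.39.0.bb`, 3 lines) is cut off on this page, so it cannot be confirmed from here that the recipe's reference to the deleted patch file was dropped in the same commit; that is worth checking before merge, since a leftover reference would fail at fetch time.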