[Openembedded-architecture] Yocto post-release CVE and package uprev policy - openssl, ffmpeg, etc.
akuster808
akuster808 at gmail.com
Mon Jan 30 23:02:56 UTC 2017
On 01/30/2017 09:31 AM, Mark Hatle wrote:
> On 1/30/17 10:45 AM, akuster808 wrote:
>>
>> On 01/26/2017 12:10 PM, Randy MacLeod wrote:
>>> Yocto seems to have a policy not to update packages once a
>>> release is generally available.
>> I believe this is already covered in the current policy.
>>
>> (lifted from policy)
>> No recipe upgrades unless:
>> The new version contains a security patch or other critical bugfix that
>> is too difficult to backport to the version already in the stable branch.
>>
>> does that not cover this concern?
> No. The issue is that there are other non-security fixes that are roughly being
> ignored. And we often get a lot of the "why aren't you on version XYZ of
> OpenSSL" type questions.
The reply should be "Hey, send a patch".
>
> Doesn't matter if it's up-to-date or not, they're convinced by their 'security
> scanning software' that anything it says 'might' have a problem -does- have a
> problem.
We will never get around that issue.
>
> As others have indicated, the worry is always around the APIs. They change and it
> screws up everything else.
>
> (there is also a secondary issue of... it's easier to just jump versions than
> backport fixes and verify the fixes are working...)
That depends on the package. If there are any pending upstream patches,
those may need to be ported forward if they are not included in the update.
- armin
>
> --Mark
>
>
>>> I think that rule should be
>>> broken for certain packages that have been reviewed and tested
>>> properly.
>> To me the responsibility is on the person who wants the issue fixed via
>> a package update. They need to convince the package maintainer or branch
>> maintainer that this is a better course of action than backporting a
>> patch.
>>> See:
>>> https://bugzilla.yoctoproject.org/show_bug.cgi?id=10707
>>> for additional background.
>>>
>>> For some packages, the upstream development team fixes CVE and
>>> other bugs on their released version and by YP only cherry-picking back
>>> specific fixes, we expose users to additional risk and incur higher
>>> costs of maintenance. At least two packages that I know of have released
>>> "bug fix only" updates to fix CVEs and other defects for packages
>>> that are in morty:
>>>
>>> - openssl 1.0.2j -> 1.0.2k
>>> - ffmpeg 3.1.3 -> 3.1.5
>>>
>> Gcc, Glibc and kernel fall into this bucket too so where do you draw the
>> line?
>>
>>> Should we continue to cherry-pick back only the CVEs fixes
>>> or should we review, test, and release the full minor release?
>> My preference is to improve the guidelines rather than creating
>> exceptions. There is the scenario that if a CVE fix exists and no new
>> package version has been released, we should wait.
>>
>> It is not uncommon for the commit message of a package upgrade to lack the
>> information a stable branch maintainer needs to decide whether to
>> backport it.
>>
>>> I've done a review of openssl below but
>>> before I proceed with more evaluation or sending the
>>> uprev to the list for morty, I'd like to know if the upgrade
>>> policy will block such a change. From my analysis, there's only
>>> one change that seems like an upgrade blocker and I need help
>>> to evaluate that since I'm not an openssl maintainer.
>>>
>>>
>>> I've done the upgrade locally. It's just a few lines and builds
>>> seem to be fine so far. I'll send the upgrade for master
>>> at least once my builds complete and I've done some other
>>> tests.
>> Then send patches and explain why. The maintainer of the stable branch
>> appears to be somewhat reasonable and does appreciate all input on what
>> should be backported to the stable branches.
>>
>> Regards,
>> Armin
>>
>>> ../Randy
>>>
>>>
>>> Review of openssl-1.0.2j->k.
>>>
>>>
>>> Early next week, I'll check for an update on: 1.0.2j->k compatibility
>>> here:
>>> https://abi-laboratory.pro/tracker/timeline/openssl/
>>> 'k' hasn't been done as of Jan 26th.
>>>
>>>
>>> I looked at the 78 changes to openssl-1.0.2j->k and
>>> found that 4 header files had changed. Here's a list of
>>> the header files and my conclusion/summary.
>>>
>>> $ git diff OpenSSL_1_0_2j..OpenSSL_1_0_2k | \
>>> diffstat| grep "\.h"
>>> apps/apps.h | 4
>>> --> Add: always call setup_engine
>>> crypto/evp/evp.h | 6
>>> --> +# define EVP_R_INVALID_KEY and whitespace
>>> crypto/opensslv.h | 6
>>> --> version update
>>> ssl/ssl_locl.h | 2
>>> --> api change but according to [1] it's an internal header
>>> -int ssl_check_clienthello_tlsext_late(SSL *s);
>>> +int ssl_check_clienthello_tlsext_late(SSL *s, int *al);
>>>
>>>
>>> [1] Mr Burton claims this is (or was?) a private api:
>>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=641711
>>>
>>>
>>> The change to always call setup_engine() may be a problem
>>> but I'm not familiar with the openssl code base so I'm
>>> not sure how big a deal it is. Alex, are you familiar with
>>> this part of openssl?
>>>
>>>
>>> Here is a list of the commits:
>>>
>>> $ git log --oneline OpenSSL_1_0_2j..OpenSSL_1_0_2k | wc -l
>>> 78
>>>
>>> $ git log --oneline OpenSSL_1_0_2j..OpenSSL_1_0_2k
>>>
>>> 081314d Prepare for 1.0.2k release
>>> 06f87e9 Update CHANGES and NEWS for new release
>>> 918d8ea Better check of DH parameters in TLS data
>>> 760d043 bn/asm/x86_64-mont5.pl: fix carry bug in bn_sqr8x_internal.
>>> 51d0090 crypto/evp: harden RC4_MD5 cipher.
>>> 8957add Fix error handling in compute_key, BN_CTX_get can return NULL
>>> cb00d4f Fix a ssl session leak due to OOM in lh_SSL_SESSION_insert
>>> e203f49 Fix SSL_VERIFY_CLIENT_ONCE
>>> 149e98d Add missing va_end
>>> 16f013f Fix DSA parameter generation control error
>>> 52b703f Clean one unused variable, plus an useless one.
>>> 1f234f7 GH1986: Document -header flag.
>>> 0ecb682 Fix error handling in SSL_CTX_new
>>> 2045c58 Fix a memory leak in RSA_padding_add_PKCS1_OAEP_mgf1
>>> 18b8431 replace "will lookup up" by "will look up"
>>> 58c81e7 Reformat M_check_autoarg to match our coding style
>>> 222333c M_check_autoarg: sanity check the key
>>> 3fb9f87 Fix typo.
>>> 5bbedd3 zero pad DHE public key in ServerKeyExchange message for interop
>>> 70705b2 Fix ssl_cert_dup: change one 'return NULL' to 'goto err'
>>> 3b584ef Make 'err' lable in ssl_cert_dup unconditional
>>> 292bb56 Fix a bug in clienthello processing
>>> 7624a31 perlasm/x86_64-xlate.pl: refine sign extension in ea package.
>>> 10a5037 UI_OpenSSL()'s session opener fails on MacOS X
>>> 78a3e80 VMS UI_OpenSSL: if the TT device isn't a tty, flag instead of error
>>> fecd4c2 Check input length to pkey_rsa_verify()
>>> 5ae285e Remove extra bang
>>> 59ba83c UI code style cleanup
>>> 748a2d9 Revert "Fix heartbeat_test"
>>> be3a7dd apps/speed.c: Fix crash when config loading fails
>>> c477f8e INSTALL: clarify 386 and no-sse2 options.
>>> f47201b modes/ctr128.c: fix false carry in counter increment procedure.
>>> c4c7165 Clarify what X509_NAME_online does with the given buffer and size
>>> 31b4307 Make SSL_read and SSL_write return the old behaviour and document it.
>>> 09b894b Use consistent variable names
>>> f4ef1c5 domd: Preserve Makefile time when it is unchanged
>>> 7a9d712 mklink: Do not needlessly overwrite linked files...
>>> 62f16de domd: Do not needlessly overwrite Makefiles
>>> 22cc44d mklink: Do not needlessly overwrite linked files...
>>> ecc9551 Configure: Improve incremental build time
>>> 8ac70be Check return value of some BN functions.
>>> 3201a1d Solution proposal for issue #1647.
>>> 19e1de5 Update CHANGES and NEWS
>>> 57c4b9f bn/asm/x86_64-mont.pl: fix for CVE-2016-7055 (Low severity).
>>> c210840 Makefile.org: clear APPS environment variable.
>>> 95873c5 Missed a mention of RT
>>> 563a34e Add a CHANGES entry for the unrecognised record type change
>>> f118539 Fail if an unrecognised record type is received
>>> ad69a30 Fix heartbeat_test
>>> ba2bf83 Secure our notification email.
>>> e022375 Fix grammar-o in CONTRIBUTING
>>> 787b2dc Add $(EX_LIBS) to the LIBDEPS for libgost.so, just as for all other engines
>>> 0b9c5da Implement length checks as a macro
>>> a520723 Ensure we have length checks for all extensions
>>> 83a1d4b Fix length check writing status request extension
>>> 57aa2f1 Fix a double free in ca command line
>>> fa4c374 A zero return from BIO_read/BIO_write() could be retryable
>>> 31bf65c Fix typo (reported by Matthias St. Pierre)
>>> 0e46901 Fix leak of secrecy in ecdh_compute_key()
>>> 3ade92e Correctly find all critical CRL extensions
>>> 45f4761 remove redundant zero assignments
>>> cdb203f %p takes void*, so make sure to cast arguments to void*
>>> 0df1caa apps: make setup_engine() and release_engine() available always
>>> aa01b82 If an engine comes up explicitely, it must also come down explicitely
>>> 10e60f2 Fix no-des
>>> 1c6aab6 Make 'openssl prime ""' not segfault
>>> 99c002b Fix strict-warnings build
>>> b0161f6 Fix strict-warnings build
>>> 78ee64c Fix signatures of EVP_Digest{Sign,Verify}Update
>>> 02a0231 Ensure we handle len == 0 in ERR_err_string_n
>>> 6d69dc5 Degrade 3DES to MEDIUM in SSL2
>>> e8e380c RT is put out to pasture
>>> f1f9769 Add missing error string for SSL_R_TOO_MANY_WARN_ALERTS
>>> 53a71b7 apps/apps.c: initialize and de-initialize engine around key loading
>>> a269e5f Revert "Call ENGINE_init() before trying to use keys from engine"
>>> 4badd2b Call ENGINE_init() before trying to use keys from engine
>>> 9702bf5 Fix NEWS error
>>> f6e43fe Prepare for 1.0.2k-dev
>>>
>>>
>>> I've looked at any commits that *seem* like they could be more than
>>> a bug fix or that might change the API. Aside from the two issues
>>> related to header files, I didn't see anything to worry about.
>>>
>>> $ git diff OpenSSL_1_0_2j..OpenSSL_1_0_2k | diffstat
>>> .travis.yml | 2
>>> CHANGES | 61 ++++++
>>> CONTRIBUTING | 55 +----
>>> Configure | 34 ++-
>>> INSTALL | 69 +++---
>>> Makefile.org | 3
>>> NEWS | 8
>>> README | 36 ---
>>> apps/apps.c | 19 +
>>> apps/apps.h | 4
>>> apps/ca.c | 6
>>> apps/cms.c | 5
>>> apps/dgst.c | 1
>>> apps/dh.c | 6
>>> apps/dhparam.c | 8
>>> apps/dsa.c | 7
>>> apps/dsaparam.c | 8
>>> apps/ec.c | 6
>>> apps/ecparam.c | 10
>>> apps/enc.c | 8
>>> apps/gendh.c | 4
>>> apps/gendsa.c | 8
>>> apps/genpkey.c | 2
>>> apps/genrsa.c | 7
>>> apps/pkcs12.c | 7
>>> apps/pkcs7.c | 8
>>> apps/pkcs8.c | 5
>>> apps/pkey.c | 5
>>> apps/pkeyparam.c | 8
>>> apps/pkeyutl.c | 1
>>> apps/prime.c | 12 -
>>> apps/rand.c | 8
>>> apps/req.c | 5
>>> apps/rsa.c | 5
>>> apps/rsautl.c | 5
>>> apps/s_cb.c | 4
>>> apps/s_client.c | 7
>>> apps/s_server.c | 7
>>> apps/smime.c | 5
>>> apps/speed.c | 14 -
>>> apps/spkac.c | 5
>>> apps/srp.c | 8
>>> apps/verify.c | 5
>>> apps/x509.c | 5
>>> crypto/aes/asm/aes-s390x.pl | 8
>>> crypto/asn1/p5_pbev2.c | 8
>>> crypto/asn1/x_crl.c | 3
>>> crypto/bn/asm/x86_64-mont.pl | 5
>>> crypto/bn/asm/x86_64-mont5.pl | 16 -
>>> crypto/bn/bn_exp.c | 5
>>> crypto/bn/bn_mul.c | 5
>>> crypto/bn/bn_prime.c | 3
>>> crypto/bn/bn_sqr.c | 5
>>> crypto/cms/cms_kari.c | 5
>>> crypto/dh/dh_key.c | 2
>>> crypto/dsa/dsa_pmeth.c | 2
>>> crypto/ec/ec2_mult.c | 20 +
>>> crypto/ecdh/ech_ossl.c | 4
>>> crypto/err/err.c | 3
>>> crypto/evp/e_aes.c | 4
>>> crypto/evp/e_rc4_hmac_md5.c | 2
>>> crypto/evp/evp.h | 6
>>> crypto/evp/evp_err.c | 3
>>> crypto/evp/pmeth_fn.c | 30 +-
>>> crypto/evp/pmeth_lib.c | 28 --
>>> crypto/modes/ctr128.c | 2
>>> crypto/opensslv.h | 6
>>> crypto/perlasm/x86_64-xlate.pl | 11 -
>>> crypto/rsa/rsa_gen.c | 3
>>> crypto/rsa/rsa_oaep.c | 8
>>> crypto/rsa/rsa_pmeth.c | 4
>>> crypto/s390xcap.c | 1
>>> crypto/ui/ui_lib.c | 138 +++++++------
>>> crypto/ui/ui_openssl.c | 59 +++--
>>> demos/easy_tls/easy-tls.c | 1
>>> doc/apps/ocsp.pod | 9
>>> doc/crypto/EVP_DigestSignInit.pod | 2
>>> doc/crypto/EVP_DigestVerifyInit.pod | 2
>>> doc/crypto/RSA_generate_key.pod | 2
>>> doc/crypto/X509_NAME_get_index_by_NID.pod | 3
>>> doc/crypto/X509_NAME_print_ex.pod | 8
>>> doc/ssl/SSL_CTX_set_session_cache_mode.pod | 2
>>> doc/ssl/SSL_get_error.pod | 22 --
>>> doc/ssl/SSL_read.pod | 32 +--
>>> doc/ssl/SSL_write.pod | 19 -
>>> engines/ccgost/Makefile | 2
>>> openssl.spec | 2
>>> ssl/bad_dtls_test.c | 5
>>> ssl/s23_pkt.c | 12 -
>>> ssl/s2_lib.c | 2
>>> ssl/s2_pkt.c | 10
>>> ssl/s3_clnt.c | 44 +++-
>>> ssl/s3_pkt.c | 23 +-
>>> ssl/s3_srvr.c | 33 ++-
>>> ssl/ssl_cert.c | 4
>>> ssl/ssl_err.c | 1
>>> ssl/ssl_lib.c | 4
>>> ssl/ssl_locl.h | 2
>>> ssl/ssl_sess.c | 9
>>> ssl/t1_lib.c | 291 ++++++++++++++++++-----------
>>> util/domd | 11 -
>>> util/mklink.pl | 8
>>> 102 files changed, 836 insertions(+), 634 deletions(-)
>>>
>>>
>>>
>>>
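The header review quoted above (diff the two tags, keep the `.h` files, read the changed declarations, decide whether each header is installed API or internal) is the part of a stable-branch uprev that is easy to do by eye once and tedious to repeat for every patch release. The script below is an added example, not code from this thread or from OpenSSL: it parses the unified diff that `git diff OpenSSL_1_0_2j..OpenSSL_1_0_2k` emits, extracts removed and added C prototypes and macros from header hunks, pairs prototypes by function name so a changed signature is reported as a change rather than as one removal plus one addition, and separates installed headers from internal ones. The public/internal split is a hypothetical heuristic (`apps/*.h` and `*_locl.h` treated as not installed); the embedded diff is constructed from the two header hunks quoted in the review, with made-up context lines and macro value.

```python
"""Flag C prototype and macro changes in header files from a unified diff.

Added example for the stable-branch uprev review discussed in the thread;
it is not code from the mailing list or from OpenSSL.  The input format is
what 'git diff TAG1..TAG2' emits.  The public/internal split is a
hypothetical heuristic, not OpenSSL's own rule.
"""
import re
from dataclasses import dataclass, field

# Constructed sample diff modelled on the two header hunks quoted in the
# review above; the context lines and the macro value 163 are invented.
SAMPLE_DIFF = """\
diff --git a/crypto/evp/evp.h b/crypto/evp/evp.h
--- a/crypto/evp/evp.h
+++ b/crypto/evp/evp.h
@@ -1,2 +1,3 @@
 # define EVP_R_INVALID_DIGEST 152
+# define EVP_R_INVALID_KEY 163
 # define EVP_R_INVALID_KEY_LENGTH 130
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -10,3 +10,3 @@
 int ssl_check_clienthello_tlsext_early(SSL *s);
-int ssl_check_clienthello_tlsext_late(SSL *s);
+int ssl_check_clienthello_tlsext_late(SSL *s, int *al);
 int ssl_check_serverhello_tlsext(SSL *s);
"""

MACRO_RE = re.compile(r"^\s*#\s*define\s+(\w+)")
# Heuristic: the last identifier before '(' on a line ending in ');' is the
# function name.  Function-pointer typedefs are out of scope.
PROTO_RE = re.compile(
    r"^\s*(?:extern\s+)?[A-Za-z_][\w\s\*]*?\b([A-Za-z_]\w*)\s*\([^;{]*\)\s*;")


def is_internal_header(path: str) -> bool:
    """Assumed rule for 'not installed': apps/ helpers and *_locl.h."""
    return path.startswith("apps/") or path.endswith("_locl.h")


@dataclass
class HeaderReport:
    path: str
    internal: bool
    changed_protos: list = field(default_factory=list)  # (name, old, new)
    removed_protos: list = field(default_factory=list)  # names
    added_protos: list = field(default_factory=list)    # names
    added_macros: list = field(default_factory=list)
    removed_macros: list = field(default_factory=list)


class _FileState:
    """Removed/added declarations of one header while its hunks are read."""

    def __init__(self, path):
        self.path = path
        self.minus, self.plus = {}, {}      # function name -> declaration
        self.mmac, self.pmac = set(), set()

    def record(self, text, removed):
        protos = self.minus if removed else self.plus
        macros = self.mmac if removed else self.pmac
        m = MACRO_RE.match(text)
        if m:
            macros.add(m.group(1))
        elif (m := PROTO_RE.match(text)):
            protos[m.group(1)] = " ".join(text.split())  # normalise spaces

    def report(self):
        rep = HeaderReport(self.path, is_internal_header(self.path))
        for name, old in self.minus.items():
            new = self.plus.get(name)
            if new is None:
                rep.removed_protos.append(name)
            elif new != old:
                rep.changed_protos.append((name, old, new))
        rep.added_protos = [n for n in self.plus if n not in self.minus]
        rep.added_macros = sorted(self.pmac - self.mmac)
        rep.removed_macros = sorted(self.mmac - self.pmac)
        return rep


def parse_header_changes(diff_text: str) -> list:
    """Return one HeaderReport per *.h file touched by the diff."""
    reports, state = [], None
    for line in diff_text.splitlines():
        if line.startswith("diff --git "):
            if state is not None:
                reports.append(state.report())
            path = line.split()[-1]
            path = path[2:] if path.startswith("b/") else path
            state = _FileState(path) if path.endswith(".h") else None
        elif state is None or line.startswith(("--- ", "+++ ", "@@")):
            continue                        # non-header file or hunk header
        elif line.startswith("-"):
            state.record(line[1:], removed=True)
        elif line.startswith("+"):
            state.record(line[1:], removed=False)
    if state is not None:
        reports.append(state.report())
    return reports


def public_api_breaks(reports: list) -> list:
    """(path, function) pairs where an installed header changed or dropped a prototype."""
    out = []
    for r in reports:
        if not r.internal:
            out += [(r.path, name) for name, _o, _n in r.changed_protos]
            out += [(r.path, name) for name in r.removed_protos]
    return out


if __name__ == "__main__":
    reps = parse_header_changes(SAMPLE_DIFF)
    for r in reps:
        print(f"{r.path} ({'internal' if r.internal else 'public'}): "
              f"changed={r.changed_protos} added_macros={r.added_macros}")
    print("public API blockers:", public_api_breaks(reps))
```

On the sample, the `evp.h` change shows up as one added error-code macro with no prototype changes, and the `ssl_locl.h` change shows up as a changed prototype in a header the heuristic marks internal, so `public_api_breaks` returns nothing; the same script run on the real `git diff` output is a first pass, not a substitute for the ABI tracker or for a maintainer's judgement, since it only sees textual prototypes and ignores struct layout, inline functions and behavioural changes behind an unchanged signature.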