[OE-core] [PATCH][master][Drown] openssl: Security fix Drown via 1.0.1g update

Andre McCurdy armccurdy at gmail.com
Wed Mar 2 18:06:12 UTC 2016


On Tue, Mar 1, 2016 at 11:38 PM, Armin Kuster <akuster808 at gmail.com> wrote:
> From: Armin Kuster <akuster at mvista.com>
>
> CVE-2016-0800
> CVE-2016-0705
> CVE-2016-0798
> CVE-2016-0797
> CVE-2016-0799
> CVE-2016-0702
> CVE-2016-0703
> CVE-2016-0704
>
> https://www.openssl.org/news/secadv/20160301.txt
>
> Updated 2 debian patches to match changes in 1.0.1g

Could you give some details on why the linker version script is now
required and how it was generated?

> Signed-off-by: Armin Kuster <akuster at mvista.com>
> ---
>  .../openssl/debian1.0.2/block_diginotar.patch      |   17 +-
>  .../openssl/debian1.0.2/version-script.patch       | 4656 ++++++++++++++++++++
>  .../{openssl_1.0.2f.bb => openssl_1.0.2g.bb}       |    6 +-
>  3 files changed, 4668 insertions(+), 11 deletions(-)
>  create mode 100644 meta/recipes-connectivity/openssl/openssl/debian1.0.2/version-script.patch
>  rename meta/recipes-connectivity/openssl/{openssl_1.0.2f.bb => openssl_1.0.2g.bb} (91%)
>
> diff --git a/meta/recipes-connectivity/openssl/openssl/debian1.0.2/block_diginotar.patch b/meta/recipes-connectivity/openssl/openssl/debian1.0.2/block_diginotar.patch
> index 0c1a0b6..d81e22c 100644
> --- a/meta/recipes-connectivity/openssl/openssl/debian1.0.2/block_diginotar.patch
> +++ b/meta/recipes-connectivity/openssl/openssl/debian1.0.2/block_diginotar.patch
> @@ -9,14 +9,15 @@ Reviewed-by: Kurt Roeckx <kurt at roeckx.be>
>  Reviewed-by: Dr Stephen N Henson <shenson at drh-consultancy.co.uk>
>
>  This is not meant as final patch.
> -
> +
>  Upstream-Status: Backport [debian]
>
> +Signed-off-by: Armin Kuster <akuster at mvista.com>
>
> -Index: openssl-1.0.2/crypto/x509/x509_vfy.c
> +Index: openssl-1.0.2g/crypto/x509/x509_vfy.c
>  ===================================================================
> ---- openssl-1.0.2.orig/crypto/x509/x509_vfy.c
> -+++ openssl-1.0.2/crypto/x509/x509_vfy.c
> +--- openssl-1.0.2g.orig/crypto/x509/x509_vfy.c
> ++++ openssl-1.0.2g/crypto/x509/x509_vfy.c
>  @@ -119,6 +119,7 @@ static int check_trust(X509_STORE_CTX *c
>   static int check_revocation(X509_STORE_CTX *ctx);
>   static int check_cert(X509_STORE_CTX *ctx);
> @@ -25,17 +26,17 @@ Index: openssl-1.0.2/crypto/x509/x509_vfy.c
>
>   static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
>                            unsigned int *preasons, X509_CRL *crl, X509 *x);
> -@@ -438,6 +439,9 @@ int X509_verify_cert(X509_STORE_CTX *ctx
> +@@ -489,6 +490,9 @@ int X509_verify_cert(X509_STORE_CTX *ctx
>       if (!ok)
> -         goto end;
> +         goto err;
>
>  +      ok = check_ca_blacklist(ctx);
> -+      if(!ok) goto end;
> ++      if(!ok) goto err;
>  +
>   #ifndef OPENSSL_NO_RFC3779
>       /* RFC 3779 path validation, now that CRL check has been done */
>       ok = v3_asid_validate_path(ctx);
> -@@ -938,6 +942,29 @@ static int check_crl_time(X509_STORE_CTX
> +@@ -996,6 +1000,29 @@ static int check_crl_time(X509_STORE_CTX
>       return 1;
>   }
>
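Review bot: the relabelled jumps in the refreshed x509_vfy.c hunk (`goto end` becoming `goto err` both in the context line and in the added `if(!ok) goto err;`) need to be checked against X509_verify_cert in 1.0.2g rather than assumed from the surrounding context, since a jump to the wrong label in the verification path either skips cleanup or returns the wrong verification result. The shifted hunk offsets (`@@ -489,6 +490,9 @@` and `@@ -996,6 +1000,29 @@`) suggest the function was reworked upstream, so please confirm in the commit message that the check_ca_blacklist call still runs before the RFC 3779 path validation and that its failure is reported the same way as the other checks. Also, the patch header still says "This is not meant as final patch." while now carrying a Signed-off-by; either update the header or say why the patch remains provisional.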
> diff --git a/meta/recipes-connectivity/openssl/openssl/debian1.0.2/version-script.patch b/meta/recipes-connectivity/openssl/openssl/debian1.0.2/version-script.patch
> new file mode 100644
> index 0000000..29f11a2
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssl/openssl/debian1.0.2/version-script.patch
> @@ -0,0 +1,4656 @@
> +Index: openssl-1.0.2~beta1.obsolete.0.0498436515490575/Configure
> +===================================================================
> +--- openssl-1.0.2~beta1.obsolete.0.0498436515490575.orig/Configure     2014-02-24 21:02:30.000000000 +0100
> ++++ openssl-1.0.2~beta1.obsolete.0.0498436515490575/Configure  2014-02-24 21:02:30.000000000 +0100
> +@@ -1651,6 +1651,8 @@
> +               }
> +       }
> +
> ++$shared_ldflag .= " -Wl,--version-script=openssl.ld";
> ++
> + open(IN,'<Makefile.org') || die "unable to read Makefile.org:$!\n";
> + unlink("$Makefile.new") || die "unable to remove old $Makefile.new:$!\n" if -e "$Makefile.new";
> + open(OUT,">$Makefile.new") || die "unable to create $Makefile.new:$!\n";
> +Index: openssl-1.0.2~beta1.obsolete.0.0498436515490575/openssl.ld
> +===================================================================
> +--- /dev/null  1970-01-01 00:00:00.000000000 +0000
> ++++ openssl-1.0.2~beta1.obsolete.0.0498436515490575/openssl.ld 2014-02-24 22:19:08.601827266 +0100
> +@@ -0,0 +1,4608 @@
> ++OPENSSL_1.0.2d {
> ++      global:
> ++              BIO_f_ssl;
> ++              BIO_new_buffer_ssl_connect;
> ++              BIO_new_ssl;
> ++              BIO_new_ssl_connect;
> ++              BIO_proxy_ssl_copy_session_id;
> ++              BIO_ssl_copy_session_id;
> ++              BIO_ssl_shutdown;
> ++              d2i_SSL_SESSION;
> ++ ...
> ++ ...
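Review bot: the commit message gives no rationale for the new 4656-line version-script.patch, and the patch carries no Upstream-Status or origin header even though its Index: lines (`openssl-1.0.2~beta1.obsolete.0.0498436515490575`) and 2014 timestamps show it was lifted from a Debian source package; please add both so the next person refreshing this recipe knows where it came from. Two things to verify before merging: the version node in openssl.ld is named `OPENSSL_1.0.2d` although this update is to 1.0.2g, and a linker version script makes every symbol not listed under `global:` local, so any symbol that 1.0.2g exports but this 2014 list omits will silently disappear from the shared libraries and break consumers at link or load time; comparing the `global:` list against the exports of an unpatched 1.0.2g build would settle this. Finally, `$shared_ldflag .= " -Wl,--version-script=openssl.ld";` appears to be appended unconditionally in Configure, so it applies to every target, including any built with a linker that does not accept GNU ld's --version-script; consider whether it should be restricted to the targets oe-core actually builds.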