[OE-core] [PATCH][master][Drown] openssl: Security fix Drown via 1.0.1g update

Andre McCurdy armccurdy at gmail.com
Thu Mar 3 07:03:08 UTC 2016


On Wed, Mar 2, 2016 at 12:06 PM, Andre McCurdy <armccurdy at gmail.com> wrote:
> On Wed, Mar 2, 2016 at 11:14 AM, akuster <akuster at mvista.com> wrote:
>>
>> On 03/02/2016 10:06 AM, Andre McCurdy wrote:
>>> On Tue, Mar 1, 2016 at 11:38 PM, Armin Kuster <akuster808 at gmail.com> wrote:
>>>> From: Armin Kuster <akuster at mvista.com>
>>>>
>>>> CVE-2016-0800
>>>> CVE-2016-0705
>>>> CVE-2016-0798
>>>> CVE-2016-0797
>>>> CVE-2016-0799
>>>> CVE-2016-0702
>>>> CVE-2016-0703
>>>> CVE-2016-0704
>>>>
>>>> https://www.openssl.org/news/secadv/20160301.txt
>>>>
>>>> Updated 2 debian patches to match changes in 1.0.1g

That should be 1.0.2g (and the commit summary has the same typo too).

>>> Could you give some details on why the linker version script is now
>>> required
>>
>> It has been part of openssl for over a year.
>>
>> See commit (Better call Saul)
>>
>> http://cgit.openembedded.org/openembedded-core/commit/meta/recipes-connectivity/openssl?id=10b689033551c37d6cafa284d82bdccd43f6113e
>>
>>>> and how it was generated?
>>
>> This is just an update from debian to support 1.0.2g. Have no idea how
>> they create that file.
>
> OK, yes, I see it now in the Debian openssl 1.0.2g patches:
>
>   http://http.debian.net/debian/pool/main/o/openssl/openssl_1.0.2g-1.debian.tar.xz
>
> It seems that Debian have been versioning openssl symbols for quite
> some time and we've inherited that via the Debian patches.
>
>   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=333349
>   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=180725
>   ...
>
> Perhaps some comments in the openssl recipe would be useful to make it
> a little clearer that we are providing Debian openssl and not the
> vanilla upstream version. Maybe even use Debian version numbers (i.e.
> 1.0.2g-1 in this case) and apply the complete set of Debian patches
> for each new release instead of keeping our own local copies?
>
>> If you don't have it this package won't build.
>>
>> It was there when you updated to 1.0.2f, which I suspect you did not
>> realize.
>>
>> Sorry I don't have a better answer.
>>
>> - Armin
>>
>>>
>>>> Signed-off-by: Armin Kuster <akuster at mvista.com>
>>>> ---
>>>>  .../openssl/debian1.0.2/block_diginotar.patch      |   17 +-
>>>>  .../openssl/debian1.0.2/version-script.patch       | 4656 ++++++++++++++++++++
>>>>  .../{openssl_1.0.2f.bb => openssl_1.0.2g.bb}       |    6 +-
>>>>  3 files changed, 4668 insertions(+), 11 deletions(-)
>>>>  create mode 100644 meta/recipes-connectivity/openssl/openssl/debian1.0.2/version-script.patch
>>>>  rename meta/recipes-connectivity/openssl/{openssl_1.0.2f.bb => openssl_1.0.2g.bb} (91%)
>>>>
>>>> diff --git a/meta/recipes-connectivity/openssl/openssl/debian1.0.2/block_diginotar.patch b/meta/recipes-connectivity/openssl/openssl/debian1.0.2/block_diginotar.patch
>>>> index 0c1a0b6..d81e22c 100644
>>>> --- a/meta/recipes-connectivity/openssl/openssl/debian1.0.2/block_diginotar.patch
>>>> +++ b/meta/recipes-connectivity/openssl/openssl/debian1.0.2/block_diginotar.patch
>>>> @@ -9,14 +9,15 @@ Reviewed-by: Kurt Roeckx <kurt at roeckx.be>
>>>>  Reviewed-by: Dr Stephen N Henson <shenson at drh-consultancy.co.uk>
>>>>
>>>>  This is not meant as final patch.
>>>> -
>>>> +
>>>>  Upstream-Status: Backport [debian]
>>>>
>>>> +Signed-off-by: Armin Kuster <akuster at mvista.com>
>>>>
>>>> -Index: openssl-1.0.2/crypto/x509/x509_vfy.c
>>>> +Index: openssl-1.0.2g/crypto/x509/x509_vfy.c
>>>>  ===================================================================
>>>> ---- openssl-1.0.2.orig/crypto/x509/x509_vfy.c
>>>> -+++ openssl-1.0.2/crypto/x509/x509_vfy.c
>>>> +--- openssl-1.0.2g.orig/crypto/x509/x509_vfy.c
>>>> ++++ openssl-1.0.2g/crypto/x509/x509_vfy.c
>>>>  @@ -119,6 +119,7 @@ static int check_trust(X509_STORE_CTX *c
>>>>   static int check_revocation(X509_STORE_CTX *ctx);
>>>>   static int check_cert(X509_STORE_CTX *ctx);
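Review bot: the `-`/`+` pair on the empty line below "This is not meant as final patch." looks like a whitespace-only change (an apparently identical blank line is removed and re-added), which adds noise to a CVE update; drop it unless a trailing-space fix is intended. The Index: paths moving from openssl-1.0.2 to openssl-1.0.2g and the added Signed-off-by line are consistent with the rest of the rebase.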
>>>> @@ -25,17 +26,17 @@ Index: openssl-1.0.2/crypto/x509/x509_vfy.c
>>>>
>>>>   static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
>>>>                            unsigned int *preasons, X509_CRL *crl, X509 *x);
>>>> -@@ -438,6 +439,9 @@ int X509_verify_cert(X509_STORE_CTX *ctx
>>>> +@@ -489,6 +490,9 @@ int X509_verify_cert(X509_STORE_CTX *ctx
>>>>       if (!ok)
>>>> -         goto end;
>>>> +         goto err;
>>>>
>>>>  +      ok = check_ca_blacklist(ctx);
>>>> -+      if(!ok) goto end;
>>>> ++      if(!ok) goto err;
>>>>  +
>>>>   #ifndef OPENSSL_NO_RFC3779
>>>>       /* RFC 3779 path validation, now that CRL check has been done */
>>>>       ok = v3_asid_validate_path(ctx);
>>>> -@@ -938,6 +942,29 @@ static int check_crl_time(X509_STORE_CTX
>>>> +@@ -996,6 +1000,29 @@ static int check_crl_time(X509_STORE_CTX
>>>>       return 1;
>>>>   }
>>>>
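Review bot: the `goto end` to `goto err` change on the check_ca_blacklist() failure path is the one behavioural edit in this rebased patch and deserves a sentence in the commit message: it implies the label in X509_verify_cert() was renamed in 1.0.2g, and the CA blacklist check only keeps its effect if `err:` still reports the verification as failed the way `end:` did. The renumbered hunk offsets (-438 to -489, -938 to -996) are the expected result of the rebase.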
>>>> diff --git a/meta/recipes-connectivity/openssl/openssl/debian1.0.2/version-script.patch b/meta/recipes-connectivity/openssl/openssl/debian1.0.2/version-script.patch
>>>> new file mode 100644
>>>> index 0000000..29f11a2
>>>> --- /dev/null
>>>> +++ b/meta/recipes-connectivity/openssl/openssl/debian1.0.2/version-script.patch
>>>> @@ -0,0 +1,4656 @@
>>>> +Index: openssl-1.0.2~beta1.obsolete.0.0498436515490575/Configure
>>>> +===================================================================
>>>> +--- openssl-1.0.2~beta1.obsolete.0.0498436515490575.orig/Configure     2014-02-24 21:02:30.000000000 +0100
>>>> ++++ openssl-1.0.2~beta1.obsolete.0.0498436515490575/Configure  2014-02-24 21:02:30.000000000 +0100
>>>> +@@ -1651,6 +1651,8 @@
>>>> +               }
>>>> +       }
>>>> +
>>>> ++$shared_ldflag .= " -Wl,--version-script=openssl.ld";
>>>> ++
>>>> + open(IN,'<Makefile.org') || die "unable to read Makefile.org:$!\n";
>>>> + unlink("$Makefile.new") || die "unable to remove old $Makefile.new:$!\n" if -e "$Makefile.new";
>>>> + open(OUT,">$Makefile.new") || die "unable to create $Makefile.new:$!\n";
>>>> +Index: openssl-1.0.2~beta1.obsolete.0.0498436515490575/openssl.ld
>>>> +===================================================================
>>>> +--- /dev/null  1970-01-01 00:00:00.000000000 +0000
>>>> ++++ openssl-1.0.2~beta1.obsolete.0.0498436515490575/openssl.ld 2014-02-24 22:19:08.601827266 +0100
>>>> +@@ -0,0 +1,4608 @@
>>>> ++OPENSSL_1.0.2d {
>>>> ++      global:
>>>> ++              BIO_f_ssl;
>>>> ++              BIO_new_buffer_ssl_connect;
>>>> ++              BIO_new_ssl;
>>>> ++              BIO_new_ssl_connect;
>>>> ++              BIO_proxy_ssl_copy_session_id;
>>>> ++              BIO_ssl_copy_session_id;
>>>> ++              BIO_ssl_shutdown;
>>>> ++              d2i_SSL_SESSION;
>>>> ++ ...
>>>> ++ ...
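Review bot: version-script.patch carries no Upstream-Status: or Signed-off-by: header (block_diginotar.patch in the same series has both), which OE-core expects on every patch under the recipe; add them with a pointer to the Debian 1.0.2g-1 source the file was taken from, since the thread already asks where it comes from. Two further points worth a line in the commit message: the Index: paths still name openssl-1.0.2~beta1, so this is an older Debian revision rather than a file regenerated for 1.0.2g, and the version node OPENSSL_1.0.2d becomes part of the public ABI of the built library, so every consumer linked against it binds to that exact node name and it must stay in step with what Debian ships.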


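A version script such as the openssl.ld above decides which symbols a library exports and under which version node. As an added example (not from this thread, from OE-core or from Debian's packaging), the POSIX shell script below reports exported symbols that a version script fails to name, so a rebase like 1.0.2f to 1.0.2g can be checked before new public functions silently fall under the `local: *;` catch-all and vanish from the ABI. The `DEMO_*` symbols and the saved nm listing are constructed inputs.

```shell
#!/bin/sh
# Added example, not code from the OE-core thread or from Debian's openssl
# packaging: compare a linker version script against a library's exports.
export LC_ALL=C   # both inputs must sort identically for comm(1)
# Print the symbols listed under "global:" in a version script, one per line.
vs_globals() {
    tr ';' '\n' <"$1" | awk '
        index($0, "{")  { innode = 1; next }       # "OPENSSL_1.0.2d {"
        /global:/       { mode = "global"; next }
        /local:/        { mode = "local";  next }
        index($0, "}")  { innode = 0; mode = ""; next }
        innode && mode == "global" { gsub(/[ \t]/, ""); if ($0 != "") print }
    ' | sort -u
}
# Print the defined, exported symbols from saved "nm -D --defined-only" output.
lib_exports() {
    awk '$2 ~ /^[TDBRWV]$/ { print $3 }' "$1" | sort -u
}
# Exported symbols that the version script does not name (only-in-exports).
unversioned() {
    g=$(mktemp); e=$(mktemp)
    vs_globals "$1" >"$g"
    lib_exports "$2" >"$e"
    comm -13 "$g" "$e"
    rm -f "$g" "$e"
}
# Constructed sample inputs (not real build output): a fragment of the node
# from the patch, and an nm listing with two hypothetical symbols it omits.
demo() {
    ld=$(mktemp); nm=$(mktemp)
    cat >"$ld" <<'EOF'
OPENSSL_1.0.2d {
    global:
        BIO_f_ssl;
        d2i_SSL_SESSION;
    local:
        *;
};
EOF
    cat >"$nm" <<'EOF'
0000000000001139 T BIO_f_ssl
00000000000011c0 T d2i_SSL_SESSION
0000000000001200 T DEMO_new_function
0000000000004000 D DEMO_table
EOF
    unversioned "$ld" "$nm"
    rm -f "$ld" "$nm"
}
demo
```

On a real build, feed `unversioned openssl.ld exports.txt` with `exports.txt` produced by `nm -D --defined-only libssl.so` from a build without the version script; any line it prints is a symbol the script would hide.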
