[OE-core] [master][krogoth][PATCH] openssl: Security fix via update to 1.0.2h
akuster808
akuster808 at gmail.com
Sun May 15 20:17:13 UTC 2016
On 05/13/2016 09:19 AM, Martin Jansa wrote:
> On Fri, May 13, 2016 at 04:31:39PM +0200, Martin Jansa wrote:
>> On Wed, May 11, 2016 at 03:37:59AM -0700, akuster808 wrote:
>>> Robert,
>>>
>>>
>>> On 05/10/2016 11:22 PM, Robert Yang wrote:
>>>>
>>>>
>>>> On 05/04/2016 07:46 AM, Armin Kuster wrote:
>>>>> From: Armin Kuster <akuster at mvista.com>
>>>>>
>>>>> CVE-2016-2105
>>>>> CVE-2016-2106
>>>>> CVE-2016-2109
>>>>> CVE-2016-2176
>>>>>
>>>>> https://www.openssl.org/news/secadv/20160503.txt
>>>>>
>>>>> fixup openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch
>>>>>
>>>>> drop crypto_use_bigint_in_x86-64_perl.patch as that fix is in latest.
>>>>
>>>> After I looked into the code, it seems that this patch is not in latest
>>>> code ?
>>>
>>> hmm, my old eyes deceive me.
>>>
>>> thanks for checking.
>>>
>>> I will send a correcting.
>>
>> 1.0.2h is already in fido, jethro and master, can we quickly get it to krogoth
>> which is still using older version 1.0.2g?
>>
>> It's always strange to see recipe version downgrades when upgrading to
>> newer Yocto release.
>
> It also seems to break python-cryptography again:
> http://errors.yoctoproject.org/Errors/Details/62854/
yeah. just hit this in krogoth-next after looking at the logs again.
There is an upstream fix I am bac porting. There are a version 1.4 for
this package we should update master if possible. I will send a patch
later today.
- armin
>
> You have fixed compatibility with 1.0.2g in:
> http://git.openembedded.org/meta-openembedded/commit/?id=44f0e74954628d6a3d04fa5249dbe0c94f6dff59
>
> Maybe it needs another update for 1.0.2h and the same fix should be
> backported to fido and jethro, now when they all have newer openssl as
> well?
>
>>> - armin
>>>> It is a backported patch from gentoo.
>>>>
>>>> // Robert
>>>>
>>>>>
>>>>> Signed-off-by: Armin Kuster <akuster at mvista.com>
>>>>> ---
>>>>> ...oid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch | 14
>>>>> +++++++-------
>>>>> .../openssl/{openssl_1.0.2g.bb => openssl_1.0.2h.bb} | 6 ++----
>>>>> 2 files changed, 9 insertions(+), 11 deletions(-)
>>>>> rename meta/recipes-connectivity/openssl/{openssl_1.0.2g.bb =>
>>>>> openssl_1.0.2h.bb} (91%)
>>>>>
>>>>> diff --git
>>>>> a/meta/recipes-connectivity/openssl/openssl/openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch
>>>>> b/meta/recipes-connectivity/openssl/openssl/openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch
>>>>>
>>>>> index cebc8cf..f736e5c 100644
>>>>> ---
>>>>> a/meta/recipes-connectivity/openssl/openssl/openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch
>>>>>
>>>>> +++
>>>>> b/meta/recipes-connectivity/openssl/openssl/openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch
>>>>>
>>>>> @@ -8,16 +8,16 @@
>>>>> http://www.mail-archive.com/openssl-dev@openssl.org/msg32860.html
>>>>>
>>>>> Signed-off-by: Xufeng Zhang <xufeng.zhang at windriver.com>
>>>>> ---
>>>>> -Index: openssl-1.0.2/crypto/evp/digest.c
>>>>> +Index: openssl-1.0.2h/crypto/evp/digest.c
>>>>> ===================================================================
>>>>> ---- openssl-1.0.2.orig/crypto/evp/digest.c
>>>>> -+++ openssl-1.0.2/crypto/evp/digest.c
>>>>> -@@ -208,7 +208,7 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c
>>>>> - return 0;
>>>>> +--- openssl-1.0.2h.orig/crypto/evp/digest.c
>>>>> ++++ openssl-1.0.2h/crypto/evp/digest.c
>>>>> +@@ -211,7 +211,7 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c
>>>>> + type = ctx->digest;
>>>>> }
>>>>> #endif
>>>>> - if (ctx->digest != type) {
>>>>> + if (type && (ctx->digest != type)) {
>>>>> - if (ctx->digest && ctx->digest->ctx_size)
>>>>> + if (ctx->digest && ctx->digest->ctx_size) {
>>>>> OPENSSL_free(ctx->md_data);
>>>>> - ctx->digest = type;
>>>>> + ctx->md_data = NULL;
>>>>> diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2g.bb
>>>>> b/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb
>>>>> similarity index 91%
>>>>> rename from meta/recipes-connectivity/openssl/openssl_1.0.2g.bb
>>>>> rename to meta/recipes-connectivity/openssl/openssl_1.0.2h.bb
>>>>> index 290f129..ae65992 100644
>>>>> --- a/meta/recipes-connectivity/openssl/openssl_1.0.2g.bb
>>>>> +++ b/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb
>>>>> @@ -34,15 +34,13 @@ SRC_URI += "file://find.pl;subdir=${BP}/util/ \
>>>>> file://openssl-fix-des.pod-error.patch \
>>>>> file://Makefiles-ptest.patch \
>>>>> file://ptest-deps.patch \
>>>>> - file://crypto_use_bigint_in_x86-64_perl.patch \
>>>>> file://openssl-1.0.2a-x32-asm.patch \
>>>>> file://ptest_makefile_deps.patch \
>>>>> file://configure-musl-target.patch \
>>>>> file://parallel.patch \
>>>>> "
>>>>> -
>>>>> -SRC_URI[md5sum] = "f3c710c045cdee5fd114feb69feba7aa"
>>>>> -SRC_URI[sha256sum] =
>>>>> "b784b1b3907ce39abf4098702dade6365522a253ad1552e267a9a0e89594aa33"
>>>>> +SRC_URI[md5sum] = "9392e65072ce4b614c1392eefc1f23d0"
>>>>> +SRC_URI[sha256sum] =
>>>>> "1d4007e53aad94a5b2002fe045ee7bb0b3d98f1a47f8b2bc851dcd1c74332919"
>>>>>
>>>>> PACKAGES =+ "${PN}-engines"
>>>>> FILES_${PN}-engines = "${libdir}/ssl/engines/*.so ${libdir}/engines"
>>>>>
>>> --
>>> _______________________________________________
>>> Openembedded-core mailing list
>>> Openembedded-core at lists.openembedded.org
>>> http://lists.openembedded.org/mailman/listinfo/openembedded-core
>>
>> --
>> Martin 'JaMa' Jansa jabber: Martin.Jansa at gmail.com
>
>
>
More information about the Openembedded-core
mailing list