From: "Yann E. MORIN" <yann.morin.1998@free.fr>
To: Peter Korsgaard <peter@korsgaard.com>
Cc: buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH] package/libopenssl: security bump to version 3.2.1
Date: Sun, 11 Feb 2024 22:44:07 +0100
Message-ID: <Zck_p0rmb-ZagDds@landeda>
In-Reply-To: <20240208111214.679980-1-peter@korsgaard.com>
Peter, all,
On 2024-02-08 12:12 +0100, Peter Korsgaard spake thusly:
> And drop the now upstreamed patches.
>
> Fixes the following (low severity) issues:
>
> - CVE-2023-6129 POLY1305 MAC implementation corrupts vector registers on
> PowerPC
> https://www.openssl.org/news/secadv/20240109.txt
>
> - CVE-2023-6237 Excessive time spent checking invalid RSA public keys
> https://www.openssl.org/news/secadv/20240115.txt
>
> - CVE-2024-0727 PKCS12 Decoding crashes
> https://www.openssl.org/news/secadv/20240125.txt
>
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Applied to master, thanks.
Regards,
Yann E. MORIN.
> ---
> ...x-mispelling-of-extension-test-macro.patch | 30 -----
> ...x-genstr-genconf-option-in-asn1parse.patch | 42 ------
> ...en-asn1-oid-loader-to-invalid-inputs.patch | 122 ------------------
> package/libopenssl/libopenssl.hash | 4 +-
> package/libopenssl/libopenssl.mk | 2 +-
> 5 files changed, 3 insertions(+), 197 deletions(-)
> delete mode 100644 package/libopenssl/0004-riscv-Fix-mispelling-of-extension-test-macro.patch
> delete mode 100644 package/libopenssl/0005-Fix-genstr-genconf-option-in-asn1parse.patch
> delete mode 100644 package/libopenssl/0006-Harden-asn1-oid-loader-to-invalid-inputs.patch
>
> diff --git a/package/libopenssl/0004-riscv-Fix-mispelling-of-extension-test-macro.patch b/package/libopenssl/0004-riscv-Fix-mispelling-of-extension-test-macro.patch
> deleted file mode 100644
> index 93b191a61c..0000000000
> --- a/package/libopenssl/0004-riscv-Fix-mispelling-of-extension-test-macro.patch
> +++ /dev/null
> @@ -1,30 +0,0 @@
> -From 68c549df05892c16b99603b9a831c79c540f268c Mon Sep 17 00:00:00 2001
> -From: Grant Nichol <me@grantnichol.com>
> -Date: Fri, 22 Dec 2023 23:46:39 -0600
> -Subject: [PATCH] riscv: Fix mispelling of extension test macro
> -
> -When refactoring the riscv extension test macros,
> -RISCV_HAS_ZKND_AND_ZKNE was mispelled.
> -
> -Upstream: https://github.com/openssl/openssl/pull/23139
> -Signed-off-by: Grant Nichol <me@grantnichol.com>
> ----
> - providers/implementations/ciphers/cipher_aes_xts_hw.c | 2 +-
> - 1 file changed, 1 insertion(+), 1 deletion(-)
> -
> -diff --git a/providers/implementations/ciphers/cipher_aes_xts_hw.c b/providers/implementations/ciphers/cipher_aes_xts_hw.c
> -index b35b71020e..65adc47d1f 100644
> ---- a/providers/implementations/ciphers/cipher_aes_xts_hw.c
> -+++ b/providers/implementations/ciphers/cipher_aes_xts_hw.c
> -@@ -285,7 +285,7 @@ static const PROV_CIPHER_HW aes_xts_rv32i_zbkb_zknd_zkne = { \
> - # define PROV_CIPHER_HW_select_xts() \
> - if (RISCV_HAS_ZBKB_AND_ZKND_AND_ZKNE()) \
> - return &aes_xts_rv32i_zbkb_zknd_zkne; \
> --if (RISCV_HAS_ZKND_ZKNE()) \
> -+if (RISCV_HAS_ZKND_AND_ZKNE()) \
> - return &aes_xts_rv32i_zknd_zkne;
> - # else
> - /* The generic case */
> ---
> -2.43.0
> -
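Review bot: the Buildroot commit message drops this patch as "now upstreamed" but cites nothing; the deleted file's own `Upstream:` line points at a pull request (https://github.com/openssl/openssl/pull/23139), not at a release, so please name the upstream commit or the 3.2.1 CHANGES entry that carries the `RISCV_HAS_ZKND_AND_ZKNE` rename, so the removal can be checked without digging through the PR.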
> diff --git a/package/libopenssl/0005-Fix-genstr-genconf-option-in-asn1parse.patch b/package/libopenssl/0005-Fix-genstr-genconf-option-in-asn1parse.patch
> deleted file mode 100644
> index 9fa36d83be..0000000000
> --- a/package/libopenssl/0005-Fix-genstr-genconf-option-in-asn1parse.patch
> +++ /dev/null
> @@ -1,42 +0,0 @@
> -From 749fcc0e3ce796474a15d6fac221e57daeacff1e Mon Sep 17 00:00:00 2001
> -From: Neil Horman <nhorman@openssl.org>
> -Date: Tue, 5 Dec 2023 14:50:01 -0500
> -Subject: [PATCH] Fix genstr/genconf option in asn1parse
> -
> -At some point the asn1parse applet was changed to default the inform to
> -PEM, and defalt input file to stdin. Doing so broke the -genstr|conf options,
> -in that, before we attempt to generate an ASN1 block from the provided
> -genstr string, we attempt to read a PEM input from stdin. As a result,
> -this command:
> -openssl asn1parse -genstr OID:1.2.3.4
> -hangs because we are attempting a blocking read on stdin, waiting for
> -data that never arrives
> -
> -Fix it by giving priority to genstr|genconf, such that, if set, will just run
> -do_generate on that string and exit
> -
> -Reviewed-by: Hugo Landau <hlandau@openssl.org>
> -Reviewed-by: Tomas Mraz <tomas@openssl.org>
> -(Merged from https://github.com/openssl/openssl/pull/22957)
> -Upstream: https://github.com/openssl/openssl/commit/749fcc0e3ce796474a15d6fac221e57daeacff1e
> -Signed-off-by: Martin Kurbanov <mmkurbanov@salutedevices.com>
> ----
> - apps/asn1parse.c | 2 +-
> - 1 file changed, 1 insertion(+), 1 deletion(-)
> -
> -diff --git a/apps/asn1parse.c b/apps/asn1parse.c
> -index 097b0cc1ed..6597a6180b 100644
> ---- a/apps/asn1parse.c
> -+++ b/apps/asn1parse.c
> -@@ -178,7 +178,7 @@ int asn1parse_main(int argc, char **argv)
> -
> - if ((buf = BUF_MEM_new()) == NULL)
> - goto end;
> -- if (informat == FORMAT_PEM) {
> -+ if (genstr == NULL && informat == FORMAT_PEM) {
> - if (PEM_read_bio(in, &name, &header, &str, &num) != 1) {
> - BIO_printf(bio_err, "Error reading PEM file\n");
> - ERR_print_errors(bio_err);
> ---
> -2.40.0
> -
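Review bot: the fix in this deleted patch guards only `genstr == NULL`, so the blocking stdin read its description talks about still happens for `-genconf`; the following 0006 patch widens the same check to `genconf == NULL && genstr == NULL`, and both carry `(Merged from https://github.com/openssl/openssl/pull/22957)`, so removing them together is correct. If the series description is reworded, cite PR 22957 once for both rather than the individual commit ids.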
> diff --git a/package/libopenssl/0006-Harden-asn1-oid-loader-to-invalid-inputs.patch b/package/libopenssl/0006-Harden-asn1-oid-loader-to-invalid-inputs.patch
> deleted file mode 100644
> index 299ecbc2ed..0000000000
> --- a/package/libopenssl/0006-Harden-asn1-oid-loader-to-invalid-inputs.patch
> +++ /dev/null
> @@ -1,122 +0,0 @@
> -From a552c23c6502592c1b3c67d93dd7e5ffbe958aa4 Mon Sep 17 00:00:00 2001
> -From: Neil Horman <nhorman@openssl.org>
> -Date: Tue, 5 Dec 2023 15:24:20 -0500
> -Subject: [PATCH] Harden asn1 oid loader to invalid inputs
> -
> -In the event that a config file contains this sequence:
> -=======
> -openssl_conf = openssl_init
> -
> -config_diagnostics = 1
> -
> -[openssl_init]
> -oid_section = oids
> -
> -[oids]
> -testoid1 = 1.2.3.4.1
> -testoid2 = A Very Long OID Name, 1.2.3.4.2
> -testoid3 = ,1.2.3.4.3
> -======
> -
> -The leading comma in testoid3 can cause a heap buffer overflow, as the
> -parsing code will move the string pointer back 1 character, thereby
> -pointing to an invalid memory space
> -
> -correct the parser to detect this condition and handle it by treating it
> -as if the comma doesn't exist (i.e. an empty long oid name)
> -
> -Reviewed-by: Hugo Landau <hlandau@openssl.org>
> -Reviewed-by: Tomas Mraz <tomas@openssl.org>
> -(Merged from https://github.com/openssl/openssl/pull/22957)
> -Upstream: https://github.com/openssl/openssl/commit/a552c23c6502592c1b3c67d93dd7e5ffbe958aa4
> -Signed-off-by: Martin Kurbanov <mmkurbanov@salutedevices.com>
> ----
> - apps/asn1parse.c | 2 +-
> - crypto/asn1/asn_moid.c | 4 ++++
> - test/recipes/04-test_asn1_parse.t | 26 ++++++++++++++++++++++++++
> - test/test_asn1_parse.cnf | 12 ++++++++++++
> - 4 files changed, 43 insertions(+), 1 deletion(-)
> - create mode 100644 test/recipes/04-test_asn1_parse.t
> - create mode 100644 test/test_asn1_parse.cnf
> -
> -diff --git a/apps/asn1parse.c b/apps/asn1parse.c
> -index 6597a6180b..bf62f85947 100644
> ---- a/apps/asn1parse.c
> -+++ b/apps/asn1parse.c
> -@@ -178,7 +178,7 @@ int asn1parse_main(int argc, char **argv)
> -
> - if ((buf = BUF_MEM_new()) == NULL)
> - goto end;
> -- if (genstr == NULL && informat == FORMAT_PEM) {
> -+ if (genconf == NULL && genstr == NULL && informat == FORMAT_PEM) {
> - if (PEM_read_bio(in, &name, &header, &str, &num) != 1) {
> - BIO_printf(bio_err, "Error reading PEM file\n");
> - ERR_print_errors(bio_err);
> -diff --git a/crypto/asn1/asn_moid.c b/crypto/asn1/asn_moid.c
> -index 6f816307af..1e183f4f18 100644
> ---- a/crypto/asn1/asn_moid.c
> -+++ b/crypto/asn1/asn_moid.c
> -@@ -67,6 +67,10 @@ static int do_create(const char *value, const char *name)
> - if (p == NULL) {
> - ln = name;
> - ostr = value;
> -+ } else if (p == value) {
> -+ /* we started with a leading comma */
> -+ ln = name;
> -+ ostr = p + 1;
> - } else {
> - ln = value;
> - ostr = p + 1;
> -diff --git a/test/recipes/04-test_asn1_parse.t b/test/recipes/04-test_asn1_parse.t
> -new file mode 100644
> -index 0000000000..f3af436592
> ---- /dev/null
> -+++ b/test/recipes/04-test_asn1_parse.t
> -@@ -0,0 +1,26 @@
> -+#! /usr/bin/env perl
> -+# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
> -+#
> -+# Licensed under the Apache License 2.0 (the "License"). You may not use
> -+# this file except in compliance with the License. You can obtain a copy
> -+# in the file LICENSE in the source distribution or at
> -+# https://www.openssl.org/source/license.html
> -+
> -+use strict;
> -+use OpenSSL::Test qw(:DEFAULT srctop_file);
> -+use OpenSSL::Test::Utils;
> -+
> -+setup("test_asn1_parse");
> -+
> -+plan tests => 3;
> -+
> -+$ENV{OPENSSL_CONF} = srctop_file("test", "test_asn1_parse.cnf");
> -+
> -+ok(run(app(([ 'openssl', 'asn1parse',
> -+ '-genstr', 'OID:1.2.3.4.1']))));
> -+
> -+ok(run(app(([ 'openssl', 'asn1parse',
> -+ '-genstr', 'OID:1.2.3.4.2']))));
> -+
> -+ok(run(app(([ 'openssl', 'asn1parse',
> -+ '-genstr', 'OID:1.2.3.4.3']))));
> -diff --git a/test/test_asn1_parse.cnf b/test/test_asn1_parse.cnf
> -new file mode 100644
> -index 0000000000..5f0305657e
> ---- /dev/null
> -+++ b/test/test_asn1_parse.cnf
> -@@ -0,0 +1,12 @@
> -+openssl_conf = openssl_init
> -+
> -+# Comment out the next line to ignore configuration errors
> -+config_diagnostics = 1
> -+
> -+[openssl_init]
> -+oid_section = oids
> -+
> -+[oids]
> -+testoid1 = 1.2.3.4.1
> -+testoid2 = A Very Long OID Name, 1.2.3.4.2
> -+testoid3 = ,1.2.3.4.3
> ---
> -2.40.0
> -
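Review bot: this is the one dropped patch with a memory-safety fix (the new `} else if (p == value) {` branch in `do_create()` in crypto/asn1/asn_moid.c stops the parser from stepping one byte before the start of the string on a leading comma, the heap buffer overflow its description calls out), and it has no CVE id, so it is invisible among the three CVE lines of the Buildroot commit message. Suggest adding a line such as `- hardening of the asn1 oid loader against a leading comma in the oid section (upstream commit a552c23c6502592c1b3c67d93dd7e5ffbe958aa4)` so users deciding whether they need 3.2.1 can see it.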
> diff --git a/package/libopenssl/libopenssl.hash b/package/libopenssl/libopenssl.hash
> index 9e09e12461..841d4b4cfd 100644
> --- a/package/libopenssl/libopenssl.hash
> +++ b/package/libopenssl/libopenssl.hash
> @@ -1,5 +1,5 @@
> -# From https://www.openssl.org/source/openssl-3.2.0.tar.gz.sha256
> -sha256 14c826f07c7e433706fb5c69fa9e25dab95684844b4c962a2cf1bf183eb4690e openssl-3.2.0.tar.gz
> +# From https://www.openssl.org/source/openssl-3.2.1.tar.gz.sha256
> +sha256 83c7329fe52c850677d75e5d0b0ca245309b97e8ecbcfdc1dfdc4ab9fac35b39 openssl-3.2.1.tar.gz
>
> # License files
> sha256 7d5450cb2d142651b8afa315b5f238efc805dad827d91ba367d8516bc9d49e7a LICENSE.txt
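Review bot: the new sha256 is taken from `openssl-3.2.1.tar.gz.sha256` on the same host that serves the tarball (`# From https://www.openssl.org/source/openssl-3.2.1.tar.gz.sha256`), which only catches a corrupted download, not a tampered server; please confirm the value against a second source (the release announcement or the signature file OpenSSL publishes alongside the tarball) before merging. The LICENSE.txt hash below is unchanged, which is expected for a patch release.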
> diff --git a/package/libopenssl/libopenssl.mk b/package/libopenssl/libopenssl.mk
> index 7dc6d93256..feb5026c02 100644
> --- a/package/libopenssl/libopenssl.mk
> +++ b/package/libopenssl/libopenssl.mk
> @@ -4,7 +4,7 @@
> #
> ################################################################################
>
> -LIBOPENSSL_VERSION = 3.2.0
> +LIBOPENSSL_VERSION = 3.2.1
> LIBOPENSSL_SITE = https://www.openssl.org/source
> LIBOPENSSL_SOURCE = openssl-$(LIBOPENSSL_VERSION).tar.gz
> LIBOPENSSL_LICENSE = Apache-2.0
> --
> 2.39.2
>
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
Thread overview: 2+ messages
2024-02-08 11:12 [Buildroot] [PATCH] package/libopenssl: security bump to version 3.2.1 Peter Korsgaard
2024-02-11 21:44 ` Yann E. MORIN [this message]