Date: Sun, 11 Feb 2024 22:44:07 +0100
From: "Yann E. MORIN"
To: Peter Korsgaard
Cc: buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH] package/libopenssl: security bump to version 3.2.1
In-Reply-To: <20240208111214.679980-1-peter@korsgaard.com>
References: <20240208111214.679980-1-peter@korsgaard.com>

Peter, all,

On 2024-02-08 12:12 +0100, Peter Korsgaard spake thusly:
> And drop the now upstreamed patches.
> > Fixes the following (low severity) issues: > > - CVE-2023-6129 POLY1305 MAC implementation corrupts vector registers on > PowerPC > https://www.openssl.org/news/secadv/20240109.txt > > - CVE-2023-6237 Excessive time spent checking invalid RSA public keys > https://www.openssl.org/news/secadv/20240115.txt > > - CVE-2024-0727 PKCS12 Decoding crashes > https://www.openssl.org/news/secadv/20240125.txt > > Signed-off-by: Peter Korsgaard Applied to master, thanks. Regards, Yann E. MORIN. > --- > ...x-mispelling-of-extension-test-macro.patch | 30 ----- > ...x-genstr-genconf-option-in-asn1parse.patch | 42 ------ > ...en-asn1-oid-loader-to-invalid-inputs.patch | 122 ------------------ > package/libopenssl/libopenssl.hash | 4 +- > package/libopenssl/libopenssl.mk | 2 +- > 5 files changed, 3 insertions(+), 197 deletions(-) > delete mode 100644 package/libopenssl/0004-riscv-Fix-mispelling-of-extension-test-macro.patch > delete mode 100644 package/libopenssl/0005-Fix-genstr-genconf-option-in-asn1parse.patch > delete mode 100644 package/libopenssl/0006-Harden-asn1-oid-loader-to-invalid-inputs.patch > > diff --git a/package/libopenssl/0004-riscv-Fix-mispelling-of-extension-test-macro.patch b/package/libopenssl/0004-riscv-Fix-mispelling-of-extension-test-macro.patch > deleted file mode 100644 > index 93b191a61c..0000000000 > --- a/package/libopenssl/0004-riscv-Fix-mispelling-of-extension-test-macro.patch > +++ /dev/null 
> @@ -1,30 +0,0 @@ > -From 68c549df05892c16b99603b9a831c79c540f268c Mon Sep 17 00:00:00 2001 > -From: Grant Nichol > -Date: Fri, 22 Dec 2023 23:46:39 -0600 > -Subject: [PATCH] riscv: Fix mispelling of extension test macro > - > -When refactoring the riscv extension test macros, > -RISCV_HAS_ZKND_AND_ZKNE was mispelled. > - > -Upstream: https://github.com/openssl/openssl/pull/23139 > -Signed-off-by: Grant Nichol > ---- > - providers/implementations/ciphers/cipher_aes_xts_hw.c | 2 +- > - 1 file changed, 1 insertion(+), 1 deletion(-) > - > -diff --git a/providers/implementations/ciphers/cipher_aes_xts_hw.c b/providers/implementations/ciphers/cipher_aes_xts_hw.c > -index b35b71020e..65adc47d1f 100644 > ---- a/providers/implementations/ciphers/cipher_aes_xts_hw.c > -+++ b/providers/implementations/ciphers/cipher_aes_xts_hw.c > -@@ -285,7 +285,7 @@ static const PROV_CIPHER_HW aes_xts_rv32i_zbkb_zknd_zkne = { \ > - # define PROV_CIPHER_HW_select_xts() \ > - if (RISCV_HAS_ZBKB_AND_ZKND_AND_ZKNE()) \ > - return &aes_xts_rv32i_zbkb_zknd_zkne; \ > --if (RISCV_HAS_ZKND_ZKNE()) \ > -+if (RISCV_HAS_ZKND_AND_ZKNE()) \ > - return &aes_xts_rv32i_zknd_zkne; > - # else > - /* The generic case */ > --- > -2.43.0 > - > diff --git a/package/libopenssl/0005-Fix-genstr-genconf-option-in-asn1parse.patch b/package/libopenssl/0005-Fix-genstr-genconf-option-in-asn1parse.patch > deleted file mode 100644 > index 9fa36d83be..0000000000 > --- a/package/libopenssl/0005-Fix-genstr-genconf-option-in-asn1parse.patch > +++ /dev/null 
> @@ -1,42 +0,0 @@ > -From 749fcc0e3ce796474a15d6fac221e57daeacff1e Mon Sep 17 00:00:00 2001 > -From: Neil Horman > -Date: Tue, 5 Dec 2023 14:50:01 -0500 > -Subject: [PATCH] Fix genstr/genconf option in asn1parse > - > -At some point the asn1parse applet was changed to default the inform to > -PEM, and defalt input file to stdin. Doing so broke the -genstr|conf options, > -in that, before we attempt to generate an ASN1 block from the provided > -genstr string, we attempt to read a PEM input from stdin. As a result, > -this command: > -openssl asn1parse -genstr OID:1.2.3.4 > -hangs because we are attempting a blocking read on stdin, waiting for > -data that never arrives > - > -Fix it by giving priority to genstr|genconf, such that, if set, will just run > -do_generate on that string and exit > - > -Reviewed-by: Hugo Landau > -Reviewed-by: Tomas Mraz > -(Merged from https://github.com/openssl/openssl/pull/22957) > -Upstream: https://github.com/openssl/openssl/commit/749fcc0e3ce796474a15d6fac221e57daeacff1e > -Signed-off-by: Martin Kurbanov > ---- > - apps/asn1parse.c | 2 +- > - 1 file changed, 1 insertion(+), 1 deletion(-) > - > -diff --git a/apps/asn1parse.c b/apps/asn1parse.c > -index 097b0cc1ed..6597a6180b 100644 > ---- a/apps/asn1parse.c > -+++ b/apps/asn1parse.c > -@@ -178,7 +178,7 @@ int asn1parse_main(int argc, char **argv) > - > - if ((buf = BUF_MEM_new()) == NULL) > - goto end; > -- if (informat == FORMAT_PEM) { > -+ if (genstr == NULL && informat == FORMAT_PEM) { > - if (PEM_read_bio(in, &name, &header, &str, &num) != 1) { > - BIO_printf(bio_err, "Error reading PEM file\n"); > - ERR_print_errors(bio_err); > --- > -2.40.0 > - > diff --git a/package/libopenssl/0006-Harden-asn1-oid-loader-to-invalid-inputs.patch b/package/libopenssl/0006-Harden-asn1-oid-loader-to-invalid-inputs.patch > deleted file mode 100644 > index 299ecbc2ed..0000000000 > --- a/package/libopenssl/0006-Harden-asn1-oid-loader-to-invalid-inputs.patch > +++ /dev/null 
> @@ -1,122 +0,0 @@ > -From a552c23c6502592c1b3c67d93dd7e5ffbe958aa4 Mon Sep 17 00:00:00 2001 > -From: Neil Horman > -Date: Tue, 5 Dec 2023 15:24:20 -0500 > -Subject: [PATCH] Harden asn1 oid loader to invalid inputs > - > -In the event that a config file contains this sequence: > -======= > -openssl_conf = openssl_init > - > -config_diagnostics = 1 > - > -[openssl_init] > -oid_section = oids > - > -[oids] > -testoid1 = 1.2.3.4.1 > -testoid2 = A Very Long OID Name, 1.2.3.4.2 > -testoid3 = ,1.2.3.4.3 > -====== > - > -The leading comma in testoid3 can cause a heap buffer overflow, as the > -parsing code will move the string pointer back 1 character, thereby > -pointing to an invalid memory space > - > -correct the parser to detect this condition and handle it by treating it > -as if the comma doesn't exist (i.e. an empty long oid name) > - > -Reviewed-by: Hugo Landau > -Reviewed-by: Tomas Mraz > -(Merged from https://github.com/openssl/openssl/pull/22957) > -Upstream: https://github.com/openssl/openssl/commit/a552c23c6502592c1b3c67d93dd7e5ffbe958aa4 > -Signed-off-by: Martin Kurbanov > ---- > - apps/asn1parse.c | 2 +- > - crypto/asn1/asn_moid.c | 4 ++++ > - test/recipes/04-test_asn1_parse.t | 26 ++++++++++++++++++++++++++ > - test/test_asn1_parse.cnf | 12 ++++++++++++ > - 4 files changed, 43 insertions(+), 1 deletion(-) > - create mode 100644 test/recipes/04-test_asn1_parse.t > - create mode 100644 test/test_asn1_parse.cnf > - > -diff --git a/apps/asn1parse.c b/apps/asn1parse.c > -index 6597a6180b..bf62f85947 100644 > ---- a/apps/asn1parse.c > -+++ b/apps/asn1parse.c > -@@ -178,7 +178,7 @@ int asn1parse_main(int argc, char **argv) > - > - if ((buf = BUF_MEM_new()) == NULL) > - goto end; > -- if (genstr == NULL && informat == FORMAT_PEM) { > -+ if (genconf == NULL && genstr == NULL && informat == FORMAT_PEM) { > - if (PEM_read_bio(in, &name, &header, &str, &num) != 1) { > - BIO_printf(bio_err, "Error reading PEM file\n"); > - ERR_print_errors(bio_err); > -diff --git 
a/crypto/asn1/asn_moid.c b/crypto/asn1/asn_moid.c > -index 6f816307af..1e183f4f18 100644 > ---- a/crypto/asn1/asn_moid.c > -+++ b/crypto/asn1/asn_moid.c > -@@ -67,6 +67,10 @@ static int do_create(const char *value, const char *name) > - if (p == NULL) { > - ln = name; > - ostr = value; > -+ } else if (p == value) { > -+ /* we started with a leading comma */ > -+ ln = name; > -+ ostr = p + 1; > - } else { > - ln = value; > - ostr = p + 1; > -diff --git a/test/recipes/04-test_asn1_parse.t b/test/recipes/04-test_asn1_parse.t > -new file mode 100644 > -index 0000000000..f3af436592 > ---- /dev/null > -+++ b/test/recipes/04-test_asn1_parse.t > -@@ -0,0 +1,26 @@ > -+#! /usr/bin/env perl > -+# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. > -+# > -+# Licensed under the Apache License 2.0 (the "License"). You may not use > -+# this file except in compliance with the License. You can obtain a copy > -+# in the file LICENSE in the source distribution or at > -+# https://www.openssl.org/source/license.html > -+ > -+use strict; > -+use OpenSSL::Test qw(:DEFAULT srctop_file); > -+use OpenSSL::Test::Utils; > -+ > -+setup("test_asn1_parse"); > -+ > -+plan tests => 3; > -+ > -+$ENV{OPENSSL_CONF} = srctop_file("test", "test_asn1_parse.cnf"); > -+ > -+ok(run(app(([ 'openssl', 'asn1parse', > -+ '-genstr', 'OID:1.2.3.4.1'])))); > -+ > -+ok(run(app(([ 'openssl', 'asn1parse', > -+ '-genstr', 'OID:1.2.3.4.2'])))); > -+ > -+ok(run(app(([ 'openssl', 'asn1parse', > -+ '-genstr', 'OID:1.2.3.4.3'])))); > -diff --git a/test/test_asn1_parse.cnf b/test/test_asn1_parse.cnf > -new file mode 100644 > -index 0000000000..5f0305657e > ---- /dev/null > -+++ b/test/test_asn1_parse.cnf > -@@ -0,0 +1,12 @@ > -+openssl_conf = openssl_init > -+ > -+# Comment out the next line to ignore configuration errors > -+config_diagnostics = 1 > -+ > -+[openssl_init] > -+oid_section = oids > -+ > -+[oids] > -+testoid1 = 1.2.3.4.1 > -+testoid2 = A Very Long OID Name, 1.2.3.4.2 > -+testoid3 = 
,1.2.3.4.3 > --- > -2.40.0 > - > diff --git a/package/libopenssl/libopenssl.hash b/package/libopenssl/libopenssl.hash > index 9e09e12461..841d4b4cfd 100644 > --- a/package/libopenssl/libopenssl.hash > +++ b/package/libopenssl/libopenssl.hash > @@ -1,5 +1,5 @@ > -# From https://www.openssl.org/source/openssl-3.2.0.tar.gz.sha256 > -sha256 14c826f07c7e433706fb5c69fa9e25dab95684844b4c962a2cf1bf183eb4690e openssl-3.2.0.tar.gz > +# From https://www.openssl.org/source/openssl-3.2.1.tar.gz.sha256 > +sha256 83c7329fe52c850677d75e5d0b0ca245309b97e8ecbcfdc1dfdc4ab9fac35b39 openssl-3.2.1.tar.gz > > # License files > sha256 7d5450cb2d142651b8afa315b5f238efc805dad827d91ba367d8516bc9d49e7a LICENSE.txt > diff --git a/package/libopenssl/libopenssl.mk b/package/libopenssl/libopenssl.mk > index 7dc6d93256..feb5026c02 100644 > --- a/package/libopenssl/libopenssl.mk > +++ b/package/libopenssl/libopenssl.mk > @@ -4,7 +4,7 @@ > # > ################################################################################ > > -LIBOPENSSL_VERSION = 3.2.0 > +LIBOPENSSL_VERSION = 3.2.1 > LIBOPENSSL_SITE = https://www.openssl.org/source > LIBOPENSSL_SOURCE = openssl-$(LIBOPENSSL_VERSION).tar.gz > LIBOPENSSL_LICENSE = Apache-2.0 > -- > 2.39.2 > > _______________________________________________ > buildroot mailing list > buildroot@buildroot.org > https://lists.buildroot.org/mailman/listinfo/buildroot -- .-----------------.--------------------.------------------.--------------------. | Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: | | +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ | | +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no | | http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. | '------------------------------^-------^------------------^--------------------' _______________________________________________ buildroot mailing list buildroot@buildroot.org https://lists.buildroot.org/mailman/listinfo/buildroot
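Review bot: the commit message says the three local patches are "now upstreamed" but does not say where, so the deletions of 0004, 0005 and 0006 cannot be checked from the message alone. Each deleted file carries its own Upstream: reference (PR 23139 for the riscv macro fix, commits 749fcc0e3ce796474a15d6fac221e57daeacff1e and a552c23c6502592c1b3c67d93dd7e5ffbe958aa4 for the asn1parse and OID loader fixes); stating in the commit message that these are contained in the 3.2.1 release would let a reviewer confirm the drop against the release rather than take it on trust. The 0006 change in particular closes the heap buffer overflow in the OID config loader described in its own commit message, so its presence in 3.2.1 is the one most worth naming explicitly.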
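Review bot: in the libopenssl.hash hunk the new sha256 is copied from openssl-3.2.1.tar.gz.sha256, which is served by the same host as the tarball itself, so it only shows that the download matches what that host publishes. Before applying, compute sha256sum over a locally fetched openssl-3.2.1.tar.gz and compare it with the value in the hunk, and check the release signature where one is available, since a hash obtained over the same channel as the artifact gives no independent assurance. The LICENSE.txt line is unchanged context and correctly stays as it is.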