Re: [master][krogoth][PATCH] openssl: Security fix via update to 1.0.2h

From: Martin Jansa <martin.jansa@gmail.com>
To: akuster808 <akuster808@gmail.com>
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [master][krogoth][PATCH] openssl: Security fix via update to 1.0.2h
Date: Fri, 13 May 2016 16:31:39 +0200	[thread overview]
Message-ID: <20160513143139.GA2565@jama> (raw)
In-Reply-To: <57330B87.5080300@gmail.com>

[-- Attachment #1: Type: text/plain, Size: 4831 bytes --]

On Wed, May 11, 2016 at 03:37:59AM -0700, akuster808 wrote:
> Robert,
> 
> 
> On 05/10/2016 11:22 PM, Robert Yang wrote:
> > 
> > 
> > On 05/04/2016 07:46 AM, Armin Kuster wrote:
> >> From: Armin Kuster <akuster@mvista.com>
> >>
> >> CVE-2016-2105
> >> CVE-2016-2106
> >> CVE-2016-2109
> >> CVE-2016-2176
> >>
> >> https://www.openssl.org/news/secadv/20160503.txt
> >>
> >> fixup openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch
> >>
> >> drop crypto_use_bigint_in_x86-64_perl.patch as that fix is in latest.
> > 
> > After I looked into the code, it seems that this patch is not in latest
> > code ?
> 
> hmm, my old eyes deceive me.
> 
> thanks for checking.
> 
> I will send a correcting.

1.0.2h is already in fido, jethro and master, can we quickly get it to krogoth
which is still using older version 1.0.2g?

It's always strange to see recipe version downgrades when upgrading to
newer Yocto release.

> - armin
> > It is a backported patch from gentoo.
> > 
> > // Robert
> > 
> >>
> >> Signed-off-by: Armin Kuster <akuster@mvista.com>
> >> ---
> >>   ...oid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch | 14
> >> +++++++-------
> >>   .../openssl/{openssl_1.0.2g.bb => openssl_1.0.2h.bb}       |  6 ++----
> >>   2 files changed, 9 insertions(+), 11 deletions(-)
> >>   rename meta/recipes-connectivity/openssl/{openssl_1.0.2g.bb =>
> >> openssl_1.0.2h.bb} (91%)
> >>
> >> diff --git
> >> a/meta/recipes-connectivity/openssl/openssl/openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch
> >> b/meta/recipes-connectivity/openssl/openssl/openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch
> >>
> >> index cebc8cf..f736e5c 100644
> >> ---
> >> a/meta/recipes-connectivity/openssl/openssl/openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch
> >>
> >> +++
> >> b/meta/recipes-connectivity/openssl/openssl/openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch
> >>
> >> @@ -8,16 +8,16 @@
> >> http://www.mail-archive.com/openssl-dev@openssl.org/msg32860.html
> >>
> >>   Signed-off-by: Xufeng Zhang <xufeng.zhang@windriver.com>
> >>   ---
> >> -Index: openssl-1.0.2/crypto/evp/digest.c
> >> +Index: openssl-1.0.2h/crypto/evp/digest.c
> >>   ===================================================================
> >> ---- openssl-1.0.2.orig/crypto/evp/digest.c
> >> -+++ openssl-1.0.2/crypto/evp/digest.c
> >> -@@ -208,7 +208,7 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c
> >> -         return 0;
> >> +--- openssl-1.0.2h.orig/crypto/evp/digest.c
> >> ++++ openssl-1.0.2h/crypto/evp/digest.c
> >> +@@ -211,7 +211,7 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c
> >> +         type = ctx->digest;
> >>        }
> >>    #endif
> >>   -    if (ctx->digest != type) {
> >>   +    if (type && (ctx->digest != type)) {
> >> -         if (ctx->digest && ctx->digest->ctx_size)
> >> +         if (ctx->digest && ctx->digest->ctx_size) {
> >>                OPENSSL_free(ctx->md_data);
> >> -         ctx->digest = type;
> >> +             ctx->md_data = NULL;
> >> diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2g.bb
> >> b/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb
> >> similarity index 91%
> >> rename from meta/recipes-connectivity/openssl/openssl_1.0.2g.bb
> >> rename to meta/recipes-connectivity/openssl/openssl_1.0.2h.bb
> >> index 290f129..ae65992 100644
> >> --- a/meta/recipes-connectivity/openssl/openssl_1.0.2g.bb
> >> +++ b/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb
> >> @@ -34,15 +34,13 @@ SRC_URI += "file://find.pl;subdir=${BP}/util/ \
> >>               file://openssl-fix-des.pod-error.patch \
> >>               file://Makefiles-ptest.patch \
> >>               file://ptest-deps.patch \
> >> -            file://crypto_use_bigint_in_x86-64_perl.patch \
> >>               file://openssl-1.0.2a-x32-asm.patch \
> >>               file://ptest_makefile_deps.patch  \
> >>               file://configure-musl-target.patch \
> >>               file://parallel.patch \
> >>              "
> >> -
> >> -SRC_URI[md5sum] = "f3c710c045cdee5fd114feb69feba7aa"
> >> -SRC_URI[sha256sum] =
> >> "b784b1b3907ce39abf4098702dade6365522a253ad1552e267a9a0e89594aa33"
> >> +SRC_URI[md5sum] = "9392e65072ce4b614c1392eefc1f23d0"
> >> +SRC_URI[sha256sum] =
> >> "1d4007e53aad94a5b2002fe045ee7bb0b3d98f1a47f8b2bc851dcd1c74332919"
> >>
> >>   PACKAGES =+ "${PN}-engines"
> >>   FILES_${PN}-engines = "${libdir}/ssl/engines/*.so ${libdir}/engines"
> >>
> -- 
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core

-- 
Martin 'JaMa' Jansa     jabber: Martin.Jansa@gmail.com

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 188 bytes --]