Re: [master][krogoth][PATCH] openssl: Security fix via update to 1.0.2h

[Martin Jansa <martin.jansa@gmail.com>]

[-- Attachment #1: Type: text/plain, Size: 5611 bytes --]

On Fri, May 13, 2016 at 04:31:39PM +0200, Martin Jansa wrote:
> On Wed, May 11, 2016 at 03:37:59AM -0700, akuster808 wrote:
> > Robert,
> > 
> > 
> > On 05/10/2016 11:22 PM, Robert Yang wrote:
> > > 
> > > 
> > > On 05/04/2016 07:46 AM, Armin Kuster wrote:
> > >> From: Armin Kuster <akuster@mvista.com>
> > >>
> > >> CVE-2016-2105
> > >> CVE-2016-2106
> > >> CVE-2016-2109
> > >> CVE-2016-2176
> > >>
> > >> https://www.openssl.org/news/secadv/20160503.txt
> > >>
> > >> fixup openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch
> > >>
> > >> drop crypto_use_bigint_in_x86-64_perl.patch as that fix is in latest.
> > > 
> > > After I looked into the code, it seems that this patch is not in latest
> > > code ?
> > 
> > hmm, my old eyes deceive me.
> > 
> > thanks for checking.
> > 
> > I will send a correcting.
> 
> 1.0.2h is already in fido, jethro and master, can we quickly get it to krogoth
> which is still using older version 1.0.2g?
> 
> It's always strange to see recipe version downgrades when upgrading to
> newer Yocto release.

It also seems to break python-cryptography again:
http://errors.yoctoproject.org/Errors/Details/62854/

You have fixed compatibility with 1.0.2g in:
http://git.openembedded.org/meta-openembedded/commit/?id=44f0e74954628d6a3d04fa5249dbe0c94f6dff59

Maybe it needs another update for 1.0.2h and the same fix should be
backported to fido and jethro, now when they all have newer openssl as
well?

> > - armin
> > > It is a backported patch from gentoo.
> > > 
> > > // Robert
> > > 
> > >>
> > >> Signed-off-by: Armin Kuster <akuster@mvista.com>
> > >> ---
> > >>   ...oid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch | 14
> > >> +++++++-------
> > >>   .../openssl/{openssl_1.0.2g.bb => openssl_1.0.2h.bb}       |  6 ++----
> > >>   2 files changed, 9 insertions(+), 11 deletions(-)
> > >>   rename meta/recipes-connectivity/openssl/{openssl_1.0.2g.bb =>
> > >> openssl_1.0.2h.bb} (91%)
> > >>
> > >> diff --git
> > >> a/meta/recipes-connectivity/openssl/openssl/openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch
> > >> b/meta/recipes-connectivity/openssl/openssl/openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch
> > >>
> > >> index cebc8cf..f736e5c 100644
> > >> ---
> > >> a/meta/recipes-connectivity/openssl/openssl/openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch
> > >>
> > >> +++
> > >> b/meta/recipes-connectivity/openssl/openssl/openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch
> > >>
> > >> @@ -8,16 +8,16 @@
> > >> http://www.mail-archive.com/openssl-dev@openssl.org/msg32860.html
> > >>
> > >>   Signed-off-by: Xufeng Zhang <xufeng.zhang@windriver.com>
> > >>   ---
> > >> -Index: openssl-1.0.2/crypto/evp/digest.c
> > >> +Index: openssl-1.0.2h/crypto/evp/digest.c
> > >>   ===================================================================
> > >> ---- openssl-1.0.2.orig/crypto/evp/digest.c
> > >> -+++ openssl-1.0.2/crypto/evp/digest.c
> > >> -@@ -208,7 +208,7 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c
> > >> -         return 0;
> > >> +--- openssl-1.0.2h.orig/crypto/evp/digest.c
> > >> ++++ openssl-1.0.2h/crypto/evp/digest.c
> > >> +@@ -211,7 +211,7 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c
> > >> +         type = ctx->digest;
> > >>        }
> > >>    #endif
> > >>   -    if (ctx->digest != type) {
> > >>   +    if (type && (ctx->digest != type)) {
> > >> -         if (ctx->digest && ctx->digest->ctx_size)
> > >> +         if (ctx->digest && ctx->digest->ctx_size) {
> > >>                OPENSSL_free(ctx->md_data);
> > >> -         ctx->digest = type;
> > >> +             ctx->md_data = NULL;
> > >> diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2g.bb
> > >> b/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb
> > >> similarity index 91%
> > >> rename from meta/recipes-connectivity/openssl/openssl_1.0.2g.bb
> > >> rename to meta/recipes-connectivity/openssl/openssl_1.0.2h.bb
> > >> index 290f129..ae65992 100644
> > >> --- a/meta/recipes-connectivity/openssl/openssl_1.0.2g.bb
> > >> +++ b/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb
> > >> @@ -34,15 +34,13 @@ SRC_URI += "file://find.pl;subdir=${BP}/util/ \
> > >>               file://openssl-fix-des.pod-error.patch \
> > >>               file://Makefiles-ptest.patch \
> > >>               file://ptest-deps.patch \
> > >> -            file://crypto_use_bigint_in_x86-64_perl.patch \
> > >>               file://openssl-1.0.2a-x32-asm.patch \
> > >>               file://ptest_makefile_deps.patch  \
> > >>               file://configure-musl-target.patch \
> > >>               file://parallel.patch \
> > >>              "
> > >> -
> > >> -SRC_URI[md5sum] = "f3c710c045cdee5fd114feb69feba7aa"
> > >> -SRC_URI[sha256sum] =
> > >> "b784b1b3907ce39abf4098702dade6365522a253ad1552e267a9a0e89594aa33"
> > >> +SRC_URI[md5sum] = "9392e65072ce4b614c1392eefc1f23d0"
> > >> +SRC_URI[sha256sum] =
> > >> "1d4007e53aad94a5b2002fe045ee7bb0b3d98f1a47f8b2bc851dcd1c74332919"
> > >>
> > >>   PACKAGES =+ "${PN}-engines"
> > >>   FILES_${PN}-engines = "${libdir}/ssl/engines/*.so ${libdir}/engines"
> > >>
> > -- 
> > _______________________________________________
> > Openembedded-core mailing list
> > Openembedded-core@lists.openembedded.org
> > http://lists.openembedded.org/mailman/listinfo/openembedded-core
> 
> -- 
> Martin 'JaMa' Jansa     jabber: Martin.Jansa@gmail.com



-- 
Martin 'JaMa' Jansa     jabber: Martin.Jansa@gmail.com

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 188 bytes --]