diff options
Diffstat (limited to 'meta-openbmc-mods/meta-common/recipes-connectivity')
-rw-r--r-- | meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi/CVE-2023-1981.patch | 53 | ||||
-rw-r--r-- | meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi_%.bbappend | 1 | ||||
-rw-r--r-- | meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0003-Add-support-for-io_pgetevents_time64-syscall.patch | 62 | ||||
-rw-r--r-- | meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0004-Fixup-support-for-io_pgetevents_time64-syscall.patch | 99 | ||||
-rw-r--r-- | meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl_1.1.1u.bb (renamed from meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl_1.1.1l.bb) | 55 |
5 files changed, 261 insertions, 9 deletions
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi/CVE-2023-1981.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi/CVE-2023-1981.patch new file mode 100644 index 000000000..d1f05b7b7 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi/CVE-2023-1981.patch @@ -0,0 +1,53 @@ +From a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com> +Date: Thu, 17 Nov 2022 01:51:53 +0100 +Subject: [PATCH] Emit error if requested service is not found + +It currently just crashes instead of replying with error. Check return +value and emit error instead of passing NULL pointer to reply. + +Fixes #375 +--- + avahi-daemon/dbus-protocol.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +diff --git a/avahi-daemon/dbus-protocol.c b/avahi-daemon/dbus-protocol.c +index 70d7687bc..406d0b441 100644 +--- a/avahi-daemon/dbus-protocol.c ++++ b/avahi-daemon/dbus-protocol.c +@@ -375,10 +375,14 @@ static DBusHandlerResult dbus_get_alternative_host_name(DBusConnection *c, DBusM + } + + t = avahi_alternative_host_name(n); +- avahi_dbus_respond_string(c, m, t); +- avahi_free(t); ++ if (t) { ++ avahi_dbus_respond_string(c, m, t); ++ avahi_free(t); + +- return DBUS_HANDLER_RESULT_HANDLED; ++ return DBUS_HANDLER_RESULT_HANDLED; ++ } else { ++ return avahi_dbus_respond_error(c, m, AVAHI_ERR_NOT_FOUND, "Hostname not found"); ++ } + } + + static DBusHandlerResult dbus_get_alternative_service_name(DBusConnection *c, DBusMessage *m, DBusError *error) { +@@ -389,10 +393,14 @@ static DBusHandlerResult dbus_get_alternative_service_name(DBusConnection *c, DB + } + + t = avahi_alternative_service_name(n); +- avahi_dbus_respond_string(c, m, t); +- avahi_free(t); ++ if (t) { ++ avahi_dbus_respond_string(c, m, t); ++ avahi_free(t); + +- return DBUS_HANDLER_RESULT_HANDLED; ++ return DBUS_HANDLER_RESULT_HANDLED; ++ } else { ++ return avahi_dbus_respond_error(c, m, AVAHI_ERR_NOT_FOUND, "Service not found"); ++ } + } + + static DBusHandlerResult dbus_create_new_entry_group(DBusConnection *c, DBusMessage *m, DBusError *error) { diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi_%.bbappend b/meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi_%.bbappend index fa58d9726..06343a29d 100644 --- a/meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi_%.bbappend +++ b/meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi_%.bbappend @@ -1,4 +1,5 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:" SRC_URI += " \ + file://CVE-2023-1981.patch \ " diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0003-Add-support-for-io_pgetevents_time64-syscall.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0003-Add-support-for-io_pgetevents_time64-syscall.patch new file mode 100644 index 000000000..d62b9344c --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0003-Add-support-for-io_pgetevents_time64-syscall.patch @@ -0,0 +1,62 @@ +From 5b5e2985f355c8e99c196d9ce5d02c15bebadfbc Mon Sep 17 00:00:00 2001 +From: Alistair Francis <alistair.francis@wdc.com> +Date: Thu, 29 Aug 2019 13:56:21 -0700 +Subject: [PATCH] Add support for io_pgetevents_time64 syscall + +32-bit architectures that are y2038 safe don't include syscalls that use +32-bit time_t. Instead these architectures have suffixed syscalls that +always use a 64-bit time_t. In the case of the io_getevents syscall the +syscall has been replaced with the io_pgetevents_time64 syscall instead. + +This patch changes the io_getevents() function to use the correct +syscall based on the avaliable syscalls and the time_t size. We will +only use the new 64-bit time_t syscall if the architecture is using a +64-bit time_t. This is to avoid having to deal with 32/64-bit +conversions and relying on a 64-bit timespec struct on 32-bit time_t +platforms. As of Linux 5.3 there are no 32-bit time_t architectures +without __NR_io_getevents. In the future if a 32-bit time_t architecture +wants to use the 64-bit syscalls we can handle the conversion. + +This fixes build failures on 32-bit RISC-V. + +Signed-off-by: Alistair Francis <alistair.francis@wdc.com> + +Reviewed-by: Richard Levitte <levitte@openssl.org> +Reviewed-by: Paul Dale <paul.dale@oracle.com> +(Merged from https://github.com/openssl/openssl/pull/9819) +Upstream-Status: Accepted +--- + engines/e_afalg.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/engines/e_afalg.c b/engines/e_afalg.c +index dacbe358cb..99516cb1bb 100644 +--- a/engines/e_afalg.c ++++ b/engines/e_afalg.c +@@ -125,7 +125,23 @@ static ossl_inline int io_getevents(aio_context_t ctx, long min, long max, + struct io_event *events, + struct timespec *timeout) + { ++#if defined(__NR_io_getevents) + return syscall(__NR_io_getevents, ctx, min, max, events, timeout); ++#elif defined(__NR_io_pgetevents_time64) ++ /* Let's only support the 64 suffix syscalls for 64-bit time_t. ++ * This simplifies the code for us as we don't need to use a 64-bit ++ * version of timespec with a 32-bit time_t and handle converting ++ * between 64-bit and 32-bit times and check for overflows. ++ */ ++ if (sizeof(timeout->tv_sec) == 8) ++ return syscall(__NR_io_pgetevents_time64, ctx, min, max, events, timeout, NULL); ++ else { ++ errno = ENOSYS; ++ return -1; ++ } ++#else ++# error "We require either the io_getevents syscall or __NR_io_pgetevents_time64." ++#endif + } + + static void afalg_waitfd_cleanup(ASYNC_WAIT_CTX *ctx, const void *key, +-- +2.30.1 + diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0004-Fixup-support-for-io_pgetevents_time64-syscall.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0004-Fixup-support-for-io_pgetevents_time64-syscall.patch new file mode 100644 index 000000000..c8bc6f5c6 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0004-Fixup-support-for-io_pgetevents_time64-syscall.patch @@ -0,0 +1,99 @@ +From e5499a3cac1e823c3e0697e8667e952317b70cc8 Mon Sep 17 00:00:00 2001 +From: Alistair Francis <alistair.francis@wdc.com> +Date: Thu, 4 Mar 2021 12:10:11 -0500 +Subject: [PATCH] Fixup support for io_pgetevents_time64 syscall + +This is a fixup for the original commit 5b5e2985f355c8e99c196d9ce5d02c15bebadfbc +"Add support for io_pgetevents_time64 syscall" that didn't correctly +work for 32-bit architecutres with a 64-bit time_t that aren't RISC-V. + +For a full discussion of the issue see: +https://github.com/openssl/openssl/commit/5b5e2985f355c8e99c196d9ce5d02c15bebadfbc + +Signed-off-by: Alistair Francis <alistair.francis@wdc.com> + +Reviewed-by: Tomas Mraz <tomas@openssl.org> +Reviewed-by: Paul Dale <pauli@openssl.org> +(Merged from https://github.com/openssl/openssl/pull/14432) +Upstream-Status: Accepted +--- + engines/e_afalg.c | 55 ++++++++++++++++++++++++++++++++++++----------- + 1 file changed, 42 insertions(+), 13 deletions(-) + +diff --git a/engines/e_afalg.c b/engines/e_afalg.c +index 9480d7c24b..4e9d67db2d 100644 +--- a/engines/e_afalg.c ++++ b/engines/e_afalg.c +@@ -124,27 +124,56 @@ static ossl_inline int io_read(aio_context_t ctx, long n, struct iocb **iocb) + return syscall(__NR_io_submit, ctx, n, iocb); + } + ++/* A version of 'struct timespec' with 32-bit time_t and nanoseconds. */ ++struct __timespec32 ++{ ++ __kernel_long_t tv_sec; ++ __kernel_long_t tv_nsec; ++}; ++ + static ossl_inline int io_getevents(aio_context_t ctx, long min, long max, + struct io_event *events, + struct timespec *timeout) + { ++#if defined(__NR_io_pgetevents_time64) ++ /* Check if we are a 32-bit architecture with a 64-bit time_t */ ++ if (sizeof(*timeout) != sizeof(struct __timespec32)) { ++ int ret = syscall(__NR_io_pgetevents_time64, ctx, min, max, events, ++ timeout, NULL); ++ if (ret == 0 || errno != ENOSYS) ++ return ret; ++ } ++#endif ++ + #if defined(__NR_io_getevents) +- return syscall(__NR_io_getevents, ctx, min, max, events, timeout); +-#elif defined(__NR_io_pgetevents_time64) +- /* Let's only support the 64 suffix syscalls for 64-bit time_t. +- * This simplifies the code for us as we don't need to use a 64-bit +- * version of timespec with a 32-bit time_t and handle converting +- * between 64-bit and 32-bit times and check for overflows. +- */ +- if (sizeof(timeout->tv_sec) == 8) +- return syscall(__NR_io_pgetevents_time64, ctx, min, max, events, timeout, NULL); ++ if (sizeof(*timeout) == sizeof(struct __timespec32)) ++ /* ++ * time_t matches our architecture length, we can just use ++ * __NR_io_getevents ++ */ ++ return syscall(__NR_io_getevents, ctx, min, max, events, timeout); + else { +- errno = ENOSYS; +- return -1; ++ /* ++ * We don't have __NR_io_pgetevents_time64, but we are using a ++ * 64-bit time_t on a 32-bit architecture. If we can fit the ++ * timeout value in a 32-bit time_t, then let's do that ++ * and then use the __NR_io_getevents syscall. ++ */ ++ if (timeout && timeout->tv_sec == (long)timeout->tv_sec) { ++ struct __timespec32 ts32; ++ ++ ts32.tv_sec = (__kernel_long_t) timeout->tv_sec; ++ ts32.tv_nsec = (__kernel_long_t) timeout->tv_nsec; ++ ++ return syscall(__NR_io_getevents, ctx, min, max, events, ts32); ++ } else { ++ return syscall(__NR_io_getevents, ctx, min, max, events, NULL); ++ } + } +-#else +-# error "We require either the io_getevents syscall or __NR_io_pgetevents_time64." + #endif ++ ++ errno = ENOSYS; ++ return -1; + } + + static void afalg_waitfd_cleanup(ASYNC_WAIT_CTX *ctx, const void *key, +-- +2.30.1 + diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl_1.1.1l.bb b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl_1.1.1u.bb index dc2a8ccff..6e0ad9ac4 100644 --- a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl_1.1.1l.bb +++ b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl_1.1.1u.bb @@ -11,23 +11,28 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=d343e62fc9c833710bbbed25f27364c8" DEPENDS = "hostperl-runtime-native" -SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ +PV = "1.0+git${SRCPV}" + +S = "${WORKDIR}/git" + +SRCREV = "3f499b24f3bcd66db022074f7e8b4f6ee266a3ae" + +SRC_URI = "git://github.com/openssl/openssl.git;branch=OpenSSL_1_1_1-stable;protocol=https \ file://run-ptest \ file://0001-skip-test_symbol_presence.patch \ file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \ file://afalg.patch \ file://reproducible.patch \ - file://CVE-2022-0778.patch \ - file://CVE-2022-1292-Fix-openssl-c_rehash.patch \ - file://CVE-2022-2068-Fix-file-operations-in-c_rehash.patch \ - file://CVE-2022-2097-openssl-Fix-AES-OCB-encryptdecrypt-for-x86-AES-NI.patch \ " SRC_URI:append:class-nativesdk = " \ file://environment.d-openssl.sh \ " -SRC_URI[sha256sum] = "0b7a3e5e59c34827fe0c3a74b7ec8baef302b98fa80088d7f9153aa16fa76bd1" +SRC_URI:append:riscv32 = " \ + file://0003-Add-support-for-io_pgetevents_time64-syscall.patch \ + file://0004-Fixup-support-for-io_pgetevents_time64-syscall.patch \ + " inherit lib_package multilib_header multilib_script ptest MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" @@ -37,6 +42,8 @@ PACKAGECONFIG:class-native = "" PACKAGECONFIG:class-nativesdk = "" PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux,,cryptodev-module" +PACKAGECONFIG[no-tls1] = "no-tls1" +PACKAGECONFIG[no-tls1_1] = "no-tls1_1" B = "${WORKDIR}/build" do_configure[cleandirs] = "${B}" @@ -56,6 +63,20 @@ EXTRA_OECONF:class-nativesdk = "--with-rand-seed=os,devrandom" CFLAGS:append:class-native = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin" CFLAGS:append:class-nativesdk = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin" +# Disable deprecated crypto algorithms +# Retained for compatibilty +# des (curl) +# dh (python-ssl) +# dsa (rpm) +# md4 (cyrus-sasl freeradius hostapd) +# bf (wvstreams postgresql x11vnc crda znc cfengine) +# rc4 (freerdp librtorrent ettercap xrdp transmission pam-ssh-agent-auth php) +# rc2 (mailx) +# psk (qt5) +# srp (libest) +# whirlpool (qca) +DEPRECATED_CRYPTO_FLAGS = "no-ssl no-idea no-rc5 no-md2 no-camellia no-mdc2 no-scrypt no-seed no-siphash no-sm2 no-sm3 no-sm4" + do_configure () { os=${HOST_OS} case $os in @@ -117,6 +138,9 @@ do_configure () { linux-sparc | linux-supersparc) target=linux-sparcv9 ;; + mingw32-x86_64) + target=mingw64 + ;; esac useprefix=${prefix} @@ -126,7 +150,7 @@ do_configure () { # WARNING: do not set compiler/linker flags (-I/-D etc.) in EXTRA_OECONF, as they will fully replace the # environment variables set by bitbake. Adjust the environment variables instead. HASHBANGPERL="/usr/bin/env perl" PERL=perl PERL5LIB="${S}/external/perl/Text-Template-1.46/lib/" \ - perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} --prefix=$useprefix --openssldir=${libdir}/ssl-1.1 --libdir=${libdir} $target + perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} ${DEPRECATED_CRYPTO_FLAGS} --prefix=$useprefix --openssldir=${libdir}/ssl-1.1 --libdir=${libdir} $target perl ${B}/configdata.pm --dump } @@ -184,6 +208,10 @@ do_install_ptest () { install -d ${D}${PTEST_PATH}/engines install -m755 ${B}/engines/ossltest.so ${D}${PTEST_PATH}/engines + + # seems to be needed with perl 5.32.1 + install -d ${D}${PTEST_PATH}/util/perl/recipes + cp ${D}${PTEST_PATH}/test/recipes/tconversion.pl ${D}${PTEST_PATH}/util/perl/recipes/ } # Add the openssl.cnf file to the openssl-conf package. Make the libcrypto @@ -195,21 +223,30 @@ PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc" FILES:libcrypto = "${libdir}/libcrypto${SOLIBS}" FILES:libssl = "${libdir}/libssl${SOLIBS}" -FILES:openssl-conf = "${sysconfdir}/ssl/openssl.cnf" +FILES:openssl-conf = "${sysconfdir}/ssl/openssl.cnf \ + ${libdir}/ssl-1.1/openssl.cnf* \ + " FILES:${PN}-engines = "${libdir}/engines-1.1" -FILES:${PN}-misc = "${libdir}/ssl-1.1/misc" +# ${prefix} comes from what we pass into --prefix at configure time (which is used for INSTALLTOP) +FILES:${PN}-engines:append:mingw32:class-nativesdk = " ${prefix}${libdir}/engines-1_1" +FILES:${PN}-misc = "${libdir}/ssl-1.1/misc ${bindir}/c_rehash" FILES:${PN} =+ "${libdir}/ssl-1.1/*" FILES:${PN}:append:class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/openssl.sh" CONFFILES:openssl-conf = "${sysconfdir}/ssl/openssl.cnf" RRECOMMENDS:libcrypto += "openssl-conf" +RDEPENDS:${PN}-misc = "perl" RDEPENDS:${PN}-ptest += "openssl-bin perl perl-modules bash" +RDEPENDS:${PN}-bin += "openssl-conf" + BBCLASSEXTEND = "native nativesdk" CVE_PRODUCT = "openssl:openssl" +CVE_VERSION_SUFFIX = "alphabetical" + # Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37 # Apache in meta-webserver is already recent enough CVE_CHECK_WHITELIST += "CVE-2019-0190" |