Diffstat (limited to 'meta-openbmc-mods/meta-common/recipes-support')
-rw-r--r-- | meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2024-0853.patch | 41 | ||||
-rw-r--r-- | meta-openbmc-mods/meta-common/recipes-support/curl/curl/disable-tests | 14 | ||||
-rw-r--r-- | meta-openbmc-mods/meta-common/recipes-support/curl/curl/run-ptest | 2 | ||||
-rw-r--r-- | meta-openbmc-mods/meta-common/recipes-support/curl/curl_8.5.0.bb (renamed from meta-openbmc-mods/meta-common/recipes-support/curl/curl_8.1.0.bb) | 42 |
4 files changed, 88 insertions, 11 deletions
diff --git a/meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2024-0853.patch b/meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2024-0853.patch
new file mode 100644
index 000000000..9385c1421
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2024-0853.patch
@@ -0,0 +1,41 @@
+From c28e9478cb2548848eca9b765d0d409bfb18668c Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 22 Jan 2024 23:54:08 +0100
+Subject: [PATCH] openssl: when verifystatus fails, remove session id from
+ cache
+
+To prevent that it gets used in a subsequent transfer that skips the
+verifystatus check since that check can't be done when the session id is
+reused.
+
+Reported-by: Hiroki Kurosawa
+Closes #12760
+---
+ lib/vtls/openssl.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 0e36dc6aa7e1e4..8d6087022b32c2 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -4351,6 +4351,20 @@ static CURLcode servercert(struct Curl_cfilter *cf,
+ /* don't do this after Session ID reuse */
+ result = verifystatus(cf, data);
+ if(result) {
++ /* when verifystatus failed, remove the session id from the cache again
++ if present */
++ if(!Curl_ssl_cf_is_proxy(cf)) {
++ void *old_ssl_sessionid = NULL;
++ bool incache;
++ Curl_ssl_sessionid_lock(data);
++ incache = !(Curl_ssl_getsessionid(cf, data, &old_ssl_sessionid, NULL));
++ if(incache) {
++ infof(data, "Remove session ID again from cache");
++ Curl_ssl_delsessionid(data, old_ssl_sessionid);
++ }
++ Curl_ssl_sessionid_unlock(data);
++ }
++
+ X509_free(backend->server_cert);
+ backend->server_cert = NULL;
+ return result;
diff --git a/meta-openbmc-mods/meta-common/recipes-support/curl/curl/disable-tests b/meta-openbmc-mods/meta-common/recipes-support/curl/curl/disable-tests
index 92056bd8c..419022091 100644
--- a/meta-openbmc-mods/meta-common/recipes-support/curl/curl/disable-tests
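Review bot: The new CVE-2024-0853.patch carries only the upstream commit message and has no `Upstream-Status:` or `CVE:` trailer, which oe-core's patch policy expects on every backport and which recent oe-core releases flag with a patch-status QA warning when Upstream-Status is absent. Adding `Upstream-Status: Backport [https://github.com/curl/curl/commit/c28e9478cb2548848eca9b765d0d409bfb18668c]` and `CVE: CVE-2024-0853` between the `Closes #12760` line and the `---` separator records where the fix came from, so the next uprev can confirm it is already in the tarball and drop the file. cve-check will still pick the CVE up from the file name, so this is about traceability rather than the scanner result.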
+++ b/meta-openbmc-mods/meta-common/recipes-support/curl/curl/disable-tests
@@ -1,14 +1,23 @@
+# Intermittently fails e.g. https://autobuilder.yocto.io/pub/non-release/20231220-28/testresults/qemux86-64-ptest/curl.log
+# https://autobuilder.yocto.io/pub/non-release/20231220-27/testresults/qemux86-64-ptest/curl.log
+337
# These CRL test (alt-avc) are failing
356
412
413
# These CRL tests are scanning docs
971
+# Intermittently hangs e.g http://autobuilder.yocto.io/pub/non-release/20231228-18/testresults/qemux86-64-ptest/curl.log
+1091
+# Intermittently hangs e.g https://autobuilder.yocto.io/pub/non-release/20231220-27/testresults/qemux86-64-ptest/curl.log
+1096
+# These CRL tests are scanning docs
1119
1132
1135
-# These CRL tests are scnning headers
+# These CRL tests are scanning headers
1167
+1477
# These CRL tests are scanning man pages
1139
1140
@@ -18,7 +27,10 @@
1165
# This CRL test is looking for src files
1185
+# This test is scanning the source tree
+1222
# These CRL tests need --libcurl option to be enabled
+1279
1400
1401
1402
diff --git a/meta-openbmc-mods/meta-common/recipes-support/curl/curl/run-ptest b/meta-openbmc-mods/meta-common/recipes-support/curl/curl/run-ptest
index 614e82292..8f9c20f34 100644
--- a/meta-openbmc-mods/meta-common/recipes-support/curl/curl/run-ptest
+++ b/meta-openbmc-mods/meta-common/recipes-support/curl/curl/run-ptest
@@ -1,6 +1,6 @@
#!/bin/sh
cd tests
-./runtests.pl -a -n -s | sed \
+{ ./runtests.pl -a -n -s -j4 !flaky || echo "FAIL: curl" ; } | sed \
-e 's|\([^ ]* *\) \([^ ]* *\)...OK|PASS: \1 \2|' \
-e 's|\([^ ]* *\) \([^ ]* *\)...FAILED|FAIL: \1 \2|' \
-e 's/Warning: test[0-9]\+ not present in tests\/data\/Makefile.inc//'
diff --git a/meta-openbmc-mods/meta-common/recipes-support/curl/curl_8.1.0.bb b/meta-openbmc-mods/meta-common/recipes-support/curl/curl_8.5.0.bb
index 0efd0de5c..c8450e929 100644
--- a/meta-openbmc-mods/meta-common/recipes-support/curl/curl_8.1.0.bb
+++ b/meta-openbmc-mods/meta-common/recipes-support/curl/curl_8.5.0.bb
@@ -13,8 +13,9 @@ SRC_URI = " \
https://curl.se/download/${BP}.tar.xz \
file://run-ptest \
file://disable-tests \
+ file://CVE-2024-0853.patch \
"
-SRC_URI[sha256sum] = "6bd80ad4f07187015911216ee7185b90d285ac5162aed1bded144f9f93232a3c"
+SRC_URI[sha256sum] = "42ab8db9e20d8290a3b633e7fbb3cec15db34df65fd1015ef8ac1e4723750eeb"

# Curl has used many names over the years...
CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl"
@@ -24,21 +25,26 @@ inherit autotools pkgconfig binconfig multilib_header ptest
# Entropy source for random PACKAGECONFIG option
RANDOM ?= "/dev/urandom"
-PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} libidn openssl proxy random threaded-resolver verbose zlib"
+PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} aws basic-auth bearer-auth digest-auth negotiate-auth libidn openssl proxy random threaded-resolver verbose zlib"
PACKAGECONFIG:class-native = "ipv6 openssl proxy random threaded-resolver verbose zlib"
PACKAGECONFIG:class-nativesdk = "ipv6 openssl proxy random threaded-resolver verbose zlib"
# 'ares' and 'threaded-resolver' are mutually exclusive
PACKAGECONFIG[ares] = "--enable-ares,--disable-ares,c-ares,,,threaded-resolver"
+PACKAGECONFIG[aws] = "--enable-aws,--disable-aws"
+PACKAGECONFIG[basic-auth] = "--enable-basic-auth,--disable-basic-auth"
+PACKAGECONFIG[bearer-auth] = "--enable-bearer-auth,--disable-bearer-auth"
PACKAGECONFIG[brotli] = "--with-brotli,--without-brotli,brotli"
PACKAGECONFIG[builtinmanual] = "--enable-manual,--disable-manual"
# Don't use this in production
PACKAGECONFIG[debug] = "--enable-debug,--disable-debug"
PACKAGECONFIG[dict] = "--enable-dict,--disable-dict,"
+PACKAGECONFIG[digest-auth] = "--enable-digest-auth,--disable-digest-auth"
PACKAGECONFIG[gnutls] = "--with-gnutls,--without-gnutls,gnutls"
PACKAGECONFIG[gopher] = "--enable-gopher,--disable-gopher,"
PACKAGECONFIG[imap] = "--enable-imap,--disable-imap,"
PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6,"
+PACKAGECONFIG[kerberos-auth] = "--enable-kerberos-auth,--disable-kerberos-auth"
PACKAGECONFIG[krb5] = "--with-gssapi,--without-gssapi,krb5"
PACKAGECONFIG[ldap] = "--enable-ldap,--disable-ldap,openldap"
PACKAGECONFIG[ldaps] = "--enable-ldaps,--disable-ldaps,openldap"
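Review bot: `PACKAGECONFIG:class-native` and `PACKAGECONFIG:class-nativesdk`, the two context lines directly below the rewritten default, are not extended with the new `aws basic-auth bearer-auth digest-auth negotiate-auth` options, so for those variants each absent option expands to its `--disable-*` flag and, with `--enable-crypto-auth` also dropped from EXTRA_OECONF in a later hunk, native curl is configured with Basic, Bearer, Digest and Negotiate HTTP authentication compiled out. If a host-side curl with no HTTP auth is the intended footprint, a one-line comment above the class-native line saying so would stop it being "fixed" later; otherwise append the same options to both lines. Separately, `negotiate-auth` becomes a target default while `krb5` does not, so `--enable-negotiate-auth` is passed without a GSS-API backend — presumably a no-op at configure time, but worth confirming that is what is wanted.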
@@ -47,6 +53,7 @@ PACKAGECONFIG[libidn] = "--with-libidn2,--without-libidn2,libidn2"
PACKAGECONFIG[libssh2] = "--with-libssh2,--without-libssh2,libssh2"
PACKAGECONFIG[mbedtls] = "--with-mbedtls=${STAGING_DIR_TARGET},--without-mbedtls,mbedtls"
PACKAGECONFIG[mqtt] = "--enable-mqtt,--disable-mqtt,"
+PACKAGECONFIG[negotiate-auth] = "--enable-negotiate-auth,--disable-negotiate-auth"
PACKAGECONFIG[nghttp2] = "--with-nghttp2,--without-nghttp2,nghttp2"
PACKAGECONFIG[openssl] = "--with-openssl,--without-openssl,openssl"
PACKAGECONFIG[pop3] = "--enable-pop3,--disable-pop3,"
@@ -56,7 +63,6 @@ PACKAGECONFIG[rtmpdump] = "--with-librtmp,--without-librtmp,rtmpdump"
PACKAGECONFIG[rtsp] = "--enable-rtsp,--disable-rtsp,"
PACKAGECONFIG[smb] = "--enable-smb,--disable-smb,"
PACKAGECONFIG[smtp] = "--enable-smtp,--disable-smtp,"
-PACKAGECONFIG[nss] = "--with-nss,--without-nss,nss"
PACKAGECONFIG[telnet] = "--enable-telnet,--disable-telnet,"
PACKAGECONFIG[tftp] = "--enable-tftp,--disable-tftp,"
PACKAGECONFIG[threaded-resolver] = "--enable-threaded-resolver,--disable-threaded-resolver,,,,ares"
@@ -67,11 +73,10 @@ PACKAGECONFIG[zstd] = "--with-zstd,--without-zstd,zstd"
EXTRA_OECONF = " \
--disable-libcurl-option \
--disable-ntlm-wb \
- --enable-crypto-auth \
--with-ca-bundle=${sysconfdir}/ssl/certs/ca-certificates.crt \
--without-libpsl \
--enable-optimize \
- ${@'--without-ssl' if (bb.utils.filter('PACKAGECONFIG', 'gnutls mbedtls nss openssl', d) == '') else ''} \
+ ${@'--without-ssl' if (bb.utils.filter('PACKAGECONFIG', 'gnutls mbedtls openssl', d) == '') else ''} \
"

do_install:append:class-target() {
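Review bot: `--without-libpsl` survives in the rewritten EXTRA_OECONF block (the context line above `--enable-optimize`), so the 8.5.0 build still does cookie domain matching with no public-suffix list; without one a response can set a cookie scoped to a shared suffix such as `co.uk` that curl then sends to unrelated hosts, which is why upstream now treats libpsl as effectively required. The line is pre-existing rather than introduced here, but this hunk is already pruning obsolete flags (`--enable-crypto-auth`, `nss`), so it is the natural place to either turn it into `PACKAGECONFIG[libpsl] = "--with-libpsl,--without-libpsl,libpsl"` with `libpsl` added to the default PACKAGECONFIG, or to leave a comment recording why the BMC image deliberately builds without it. The function `do_install:append:class-target()` opened on the last hunk line continues outside the hunk.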
@@ -85,14 +90,18 @@ do_install:append:class-target() {
}

do_compile_ptest() {
- oe_runmake test
- oe_runmake -C ${B}/tests/server
+ oe_runmake -C ${B}/tests
}

do_install_ptest() {
cat ${WORKDIR}/disable-tests >> ${S}/tests/data/DISABLED
rm -f ${B}/tests/configurehelp.pm
cp -rf ${B}/tests ${D}${PTEST_PATH}
+ rm -f ${D}${PTEST_PATH}/tests/libtest/.libs/libhostname.la
+ rm -f ${D}${PTEST_PATH}/tests/libtest/libhostname.la
+ mv ${D}${PTEST_PATH}/tests/libtest/.libs/* ${D}${PTEST_PATH}/tests/libtest/
+ mv ${D}${PTEST_PATH}/tests/libtest/libhostname.so ${D}${PTEST_PATH}/tests/libtest/.libs/
+ mv ${D}${PTEST_PATH}/tests/http/clients/.libs/* ${D}${PTEST_PATH}/tests/http/clients/
cp -rf ${S}/tests ${D}${PTEST_PATH}
find ${D}${PTEST_PATH}/ -type f -name Makefile.am -o -name Makefile.in -o -name Makefile -delete
install -d ${D}${PTEST_PATH}/src
@@ -100,8 +109,23 @@ do_install_ptest() {
cp -rf ${D}${bindir}/curl-config ${D}${PTEST_PATH}
}

-RDEPENDS:${PN}-ptest += "bash perl-modules perl-module-time-hires perl-module-digest-md5 \
- perl-module-digest perl-module-ipc-open2"
+RDEPENDS:${PN}-ptest += " \
+ bash \
+ perl-module-b \
+ perl-module-base \
+ perl-module-cwd \
+ perl-module-digest \
+ perl-module-digest-md5 \
+ perl-module-file-basename \
+ perl-module-file-spec \
+ perl-module-file-temp \
+ perl-module-io-socket \
+ perl-module-ipc-open2 \
+ perl-module-list-util \
+ perl-module-memoize \
+ perl-module-storable \
+ perl-module-time-hires \
+"

PACKAGES =+ "lib${BPN}" |
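Review bot: The five added `rm`/`mv` lines in do_install_ptest reshuffle `tests/libtest/.libs/` without a comment, and their net effect — the libtool-built test executables end up directly in `libtest/` while only `libhostname.so` is moved back under `.libs/` — is not obvious from reading them. A comment such as `# Replace the libtool wrapper scripts with the real test binaries; runtests.pl expects the LD_PRELOAD helper to stay under libtest/.libs/` would save the next reader from reverse-engineering it; the reason given there is my inference, so check it against runtests.pl before committing to that wording. Each `mv` runs under bitbake's `set -e`, so a future curl release that stops producing `.libs/` fails do_install_ptest loudly instead of installing a half-moved tree, which is the right failure mode but worth knowing.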