From 7dd3ed26ca09df0e582be8cc2780bba588bdd11e Mon Sep 17 00:00:00 2001
From: P Dheeraj Srujan Kumar
Date: Fri, 2 Dec 2022 23:23:31 +0530
Subject: Update to internal 1-0.92
Signed-off-by: P Dheeraj Srujan Kumar
---
.../CVE-2022-1292-Fix-openssl-c_rehash.patch | 76 ++++++++++++++++++++++
1 file changed, 76 insertions(+)
create mode 100644 meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-1292-Fix-openssl-c_rehash.patch
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-1292-Fix-openssl-c_rehash.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-1292-Fix-openssl-c_rehash.patch
new file mode 100644
index 000000000..ec4daf015
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-1292-Fix-openssl-c_rehash.patch
@@ -0,0 +1,76 @@
+From e5fd1728ef4c7a5bf7c7a7163ca60370460a6e23 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz
+Date: Tue, 26 Apr 2022 12:40:24 +0200
+Subject: [PATCH] c_rehash: Do not use shell to invoke openssl
+
+Except on VMS where it is safe.
+
+This fixes CVE-2022-1292.
+
+Reviewed-by: Matthias St. Pierre
+Reviewed-by: Matt Caswell
+---
+ tools/c_rehash.in | 29 +++++++++++++++++++++++++----
+ 1 file changed, 25 insertions(+), 4 deletions(-)
+
+diff --git a/tools/c_rehash.in b/tools/c_rehash.in
+index fa7c6c9fef..83c1cc80e0 100644
+--- a/tools/c_rehash.in
++++ b/tools/c_rehash.in
+@@ -152,6 +152,23 @@ sub check_file {
+ return ($is_cert, $is_crl);
+ }
+
++sub compute_hash {
++ my $fh;
++ if ( $^O eq "VMS" ) {
++ # VMS uses the open through shell
++ # The file names are safe there and list form is unsupported
++ if (!open($fh, "-|", join(' ', @_))) {
++ print STDERR "Cannot compute hash on '$fname'\n";
++ return;
++ }
++ } else {
++ if (!open($fh, "-|", @_)) {
++ print STDERR "Cannot compute hash on '$fname'\n";
++ return;
++ }
++ }
++ return (<$fh>, <$fh>);
++}
+
+ # Link a certificate to its subject name hash value, each hash is of
+ # the form . where n is an integer. If the hash value already exists
+@@ -161,10 +178,12 @@ sub check_file {
+
+ sub link_hash_cert {
+ my $fname = $_[0];
+- $fname =~ s/\"/\\\"/g;
+- my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`;
++ my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash,
++ "-fingerprint", "-noout",
++ "-in", $fname);
+ chomp $hash;
+ chomp $fprint;
++ return if !$hash;
+ $fprint =~ s/^.*=//;
+ $fprint =~ tr/://d;
+ my $suffix = 0;
+@@ -202,10 +221,12 @@ sub link_hash_cert {
+
+ sub link_hash_crl {
+ my $fname = $_[0];
+- $fname =~ s/'/'\\''/g;
+- my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`;
++ my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash,
++ "-fingerprint", "-noout",
++ "-in", $fname);
+ chomp $hash;
+ chomp $fprint;
++ return if !$hash;
+ $fprint =~ s/^.*=//;
+ $fprint =~ tr/://d;
+ my $suffix = 0;
+--
+2.25.1
+
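Review bot: In the added `compute_hash`, both error branches interpolate `$fname`, but that variable is not declared in the sub — the file name arrives as the last element of `@_`, and `$fname` is a `my` lexical inside `link_hash_cert`/`link_hash_crl` — so the message prints an empty name, or the script fails to compile if it runs under `use strict` (the preamble is outside this patch). Starting the sub with `my $fname = $_[-1];` fixes both messages, and appending `: $!` to them would tell the operator why the pipe open failed. Separately, `return (<$fh>, <$fh>);` evaluates each readline in list context, so the first `<$fh>` slurps every line and the second yields nothing; it works only because openssl prints exactly two lines, whereas `my @out = <$fh>; close $fh; return @out[0,1];` states the intent and reaps the child before returning. The bodies of `link_hash_cert` and `link_hash_crl` continue past the lines shown, so the new `return if !$hash;` early exits cannot be checked against what follows here. The backported patch file itself carries no `Upstream-Status: Backport` or `CVE: CVE-2022-1292` tag line, which OpenEmbedded's cve-check relies on to record the CVE as patched.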