From 0d58fcd2aa1240e96754aaf24665d4d1650e301a Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Sun, 7 Feb 2021 16:46:55 +0000 Subject: [PATCH 1/9] misc-progs: Call unpriv_system commands in a shell Reported-by: Arne Fitzenreiter Signed-off-by: Michael Tremer --- src/misc-progs/setuid.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/src/misc-progs/setuid.c b/src/misc-progs/setuid.c index efd181ad8..8044742f2 100644 --- a/src/misc-progs/setuid.c +++ b/src/misc-progs/setuid.c @@ -144,7 +144,14 @@ int safe_system(char* command) { /* Much like safe_system but lets you specify a non-root uid and gid to run * the command as */ int unpriv_system(char* command, uid_t uid, gid_t gid) { - return system_core(command, NULL, uid, gid, "unpriv_system"); + char* argv[4] = { + "/bin/sh", + "-c", + command, + NULL, + }; + + return system_core(argv[0], argv, uid, gid, "unpriv_system"); } /* General routine to initialise a setuid root program, and put the From 7c6a4babf851a13292f0cfa90ca9e3fbfc42525c Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Tue, 16 Feb 2021 11:50:16 +0000 Subject: [PATCH 2/9] Revert "dhcpcd: Update to 9.3.4" This reverts commit d96d979e2a0bb199b5ae7bec75964f4091996268. Arne requested to revert this commit as well since dhcpcd still does not run without any problems on i586 systems. Signed-off-by: Michael Tremer --- lfs/dhcpcd | 7 ++-- ...r_SECCOMP_as_it_just_uses_socketcall.patch | 36 ------------------- 2 files changed, 2 insertions(+), 41 deletions(-) delete mode 100644 src/patches/dhcpcd/01_Fix_Linux_i386_for_SECCOMP_as_it_just_uses_socketcall.patch diff --git a/lfs/dhcpcd b/lfs/dhcpcd index 4e34e19d5..3bd33dc56 100644 --- a/lfs/dhcpcd +++ b/lfs/dhcpcd @@ -24,7 +24,7 @@ include Config -VER = 9.3.4 +VER = 9.1.4 THISAPP = dhcpcd-$(VER) DL_FILE = $(THISAPP).tar.xz 
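Review bot: In `unpriv_system()` the whole `command` string is now handed to `/bin/sh -c`, so every shell metacharacter in it is interpreted by a shell started from a setuid helper, and the hunk neither documents nor checks that. How `system_core()` drops privileges and prepares the environment is not visible in this hunk, so the only control a reader can see is at the call sites. The comment above the function should state the contract, e.g. `/* command is interpreted by /bin/sh: build it only from fixed strings or validated values, never from raw user input */`. A NULL `command` would leave `argv[2]` NULL; an early return on NULL before `argv` is built would make that case explicit, unless `system_core()` already rejects it.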
@@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = badb02dfc69fe9bbeec35a02efcdb4db +$(DL_FILE)_MD5 = dd77711cf3232002bb075f5210269f88 install : $(TARGET) @@ -70,9 +70,6 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) - - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dhcpcd/01_Fix_Linux_i386_for_SECCOMP_as_it_just_uses_socketcall.patch - cd $(DIR_APP) && ./configure --prefix="" --sysconfdir=/var/ipfire/dhcpc \ --dbdir=/var/ipfire/dhcpc \ --libexecdir=/var/ipfire/dhcpc \ diff --git a/src/patches/dhcpcd/01_Fix_Linux_i386_for_SECCOMP_as_it_just_uses_socketcall.patch b/src/patches/dhcpcd/01_Fix_Linux_i386_for_SECCOMP_as_it_just_uses_socketcall.patch deleted file mode 100644 index 9efcde219..000000000 --- a/src/patches/dhcpcd/01_Fix_Linux_i386_for_SECCOMP_as_it_just_uses_socketcall.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -diff --git a/src/privsep-linux.c b/src/privsep-linux.c -index 050a30cf..d31d720d 100644 ---- a/src/privsep-linux.c -+++ b/src/privsep-linux.c -@@ -32,6 +32,7 @@ - - #include - #include -+#include - #include - #include - -@@ -304,6 +305,23 @@ static struct sock_filter ps_seccomp_filter[] = { - #ifdef __NR_sendto - SECCOMP_ALLOW(__NR_sendto), - #endif -+#ifdef __NR_socketcall -+ /* i386 needs this and demonstrates why SECCOMP -+ * is poor compared to OpenBSD pledge(2) and FreeBSD capsicum(4) -+ * as this is soooo tied to the kernel API which changes per arch -+ * and likely libc as well. */ -+ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_ACCEPT), -+ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_ACCEPT4), -+ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_LISTEN), -+ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_GETSOCKOPT), /* overflow */ -+ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_RECV), -+ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_RECVFROM), -+ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_RECVMSG), -+ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_SEND), -+ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_SENDMSG), -+ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_SENDTO), -+ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_SHUTDOWN), -+#endif - #ifdef __NR_shutdown - SECCOMP_ALLOW(__NR_shutdown), - #endif From 896fa74d68e83b344235dbd147b0e429aafb14d3 Mon Sep 17 00:00:00 2001 From: Adolf Belka Date: Tue, 16 Feb 2021 14:30:10 +0100 Subject: [PATCH 3/9] dhcp.cgi: Fix incorrect { placement from patch 3724 - When patch 3724 was created for bug #10743 a curly bracket was placed in the wrong place This results in the overlap of two if loops meaning that there will be no validity check carried out on Default Lease Time if Deny Known Clients is not checked. - This patch moves the { bracket to the right location. Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer --- html/cgi-bin/dhcp.cgi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/html/cgi-bin/dhcp.cgi b/html/cgi-bin/dhcp.cgi index 2ebdde818..867614f2a 100644 --- a/html/cgi-bin/dhcp.cgi +++ b/html/cgi-bin/dhcp.cgi @@ -180,12 +180,12 @@ if ($dhcpsettings{'ACTION'} eq $Lang::tr{'save'}) { if (($dhcpsettings{"START_ADDR_${itf}"}) eq '' && ($dhcpsettings{"END_ADDR_${itf}"}) eq '') { $errormessage = "DHCP on ${itf}: " . $Lang::tr{'dhcp valid range required when deny known clients checked'}; goto ERROR; + } } if (!($dhcpsettings{"DEFAULT_LEASE_TIME_${itf}"} =~ /^\d+$/)) { $errormessage = "DHCP on ${itf}: " . $Lang::tr{'invalid default lease time'} . $dhcpsettings{'DEFAULT_LEASE_TIME_${itf}'}; goto ERROR; - } } if (!($dhcpsettings{"MAX_LEASE_TIME_${itf}"} =~ /^\d+$/)) { From d95f3606831fd03f4bdfdd4bed0f891489907d0d Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Tue, 16 Feb 2021 17:34:02 +0100 Subject: [PATCH 4/9] wirelessclient.cgi: Show when using WPA3 Signed-off-by: Michael Tremer --- html/cgi-bin/wirelessclient.cgi | 2 ++ 1 file changed, 2 insertions(+) diff --git a/html/cgi-bin/wirelessclient.cgi b/html/cgi-bin/wirelessclient.cgi index e8c3c9628..607ef7105 100644 --- a/html/cgi-bin/wirelessclient.cgi +++ b/html/cgi-bin/wirelessclient.cgi @@ -324,6 +324,8 @@ END $encryption_mode = $Lang::tr{'wlan client encryption wpa'}; } elsif ($config[3] eq "WPA2") { $encryption_mode = $Lang::tr{'wlan client encryption wpa2'}; + } elsif ($config[3] eq "WPA3") { + $encryption_mode = $Lang::tr{'wlan client encryption wpa3'}; } elsif ($config[3] eq "EAP") { $encryption_mode = $Lang::tr{'wlan client encryption eap'}; } From 5cdf3b8c78b4c7292b304af6c0b928a3083cd5f4 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Tue, 16 Feb 2021 17:37:07 +0100 Subject: [PATCH 5/9] wirelessclient.cgi: Show when actually connected using WPA3 Signed-off-by: Michael Tremer --- html/cgi-bin/wirelessclient.cgi | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) 
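Review bot: The error path for an invalid default lease time indexes `$dhcpsettings{'DEFAULT_LEASE_TIME_${itf}'}` with a single-quoted key, so `${itf}` is not interpolated and the message never contains the rejected value; the `if` condition just above it uses the double-quoted key. Use `$dhcpsettings{"DEFAULT_LEASE_TIME_${itf}"}` there as well. Once the value is echoed it is raw form input, so it should be HTML-escaped before it reaches the page unless the code that prints `$errormessage` (not visible here) already does that. The enclosing `if ($dhcpsettings{'ACTION'} ...)` block starts and ends outside the hunk.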
diff --git a/html/cgi-bin/wirelessclient.cgi b/html/cgi-bin/wirelessclient.cgi index 607ef7105..fc64bcb2e 100644 --- a/html/cgi-bin/wirelessclient.cgi +++ b/html/cgi-bin/wirelessclient.cgi @@ -738,12 +738,25 @@ END } if (($status{'pairwise_cipher'} ne "NONE") || ($status{'group_cipher'} ne "NONE")) { - print < + + $Lang::tr{'wlan client encryption wpa3'} + + +END + } else { + print < $Lang::tr{'wlan client encryption wpa'} +END + } + + print < $Lang::tr{'wlan client pairwise cipher'} From e902ebe3be6931f6c632b105ad8fe6997afb305c Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Tue, 16 Feb 2021 17:41:23 +0100 Subject: [PATCH 6/9] wirelessclient.cgi: Show when 802.11w is active Signed-off-by: Michael Tremer --- doc/language_issues.de | 1 + doc/language_issues.en | 1 + doc/language_issues.es | 1 + doc/language_issues.fr | 1 + doc/language_issues.it | 1 + doc/language_issues.nl | 1 + doc/language_issues.pl | 1 + doc/language_issues.ru | 1 + doc/language_issues.tr | 1 + doc/language_missings | 8 ++++++++ html/cgi-bin/wirelessclient.cgi | 13 +++++++++++++ langs/en/cgi-bin/en.pl | 1 + 12 files changed, 31 insertions(+) diff --git a/doc/language_issues.de b/doc/language_issues.de index aae7ca565..5d079036a 100644 --- a/doc/language_issues.de +++ b/doc/language_issues.de @@ -889,6 +889,7 @@ WARNING: untranslated string: smb daemon = SMB Daemon WARNING: untranslated string: user management = User Management WARNING: untranslated string: winbind daemon = Winbind Daemon WARNING: untranslated string: wlan client encryption wpa3 = WPA3 +WARNING: untranslated string: wlan client management frame protection = Management Frame Protection WARNING: untranslated string: wlanap 802.11w disabled = Disabled WARNING: untranslated string: wlanap 802.11w enforced = Enforced WARNING: untranslated string: wlanap 802.11w optional = Optional diff --git a/doc/language_issues.en b/doc/language_issues.en index 434115902..6e30eb995 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en 
@@ -2132,6 +2132,7 @@ WARNING: untranslated string: wlan client group cipher = Group cipher WARNING: untranslated string: wlan client group key algorithm = GKA WARNING: untranslated string: wlan client identity = Identity WARNING: untranslated string: wlan client invalid key length = Invalid key length. +WARNING: untranslated string: wlan client management frame protection = Management Frame Protection WARNING: untranslated string: wlan client method = Method WARNING: untranslated string: wlan client new entry = Create new wireless client configuration WARNING: untranslated string: wlan client new network = New network diff --git a/doc/language_issues.es b/doc/language_issues.es index 2feec8924..82d65d99c 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es @@ -1509,6 +1509,7 @@ WARNING: untranslated string: wlan client group cipher = Group cipher WARNING: untranslated string: wlan client group key algorithm = GKA WARNING: untranslated string: wlan client identity = Identity WARNING: untranslated string: wlan client invalid key length = Invalid key length. +WARNING: untranslated string: wlan client management frame protection = Management Frame Protection WARNING: untranslated string: wlan client method = Method WARNING: untranslated string: wlan client new entry = Create new wireless client configuration WARNING: untranslated string: wlan client new network = New network diff --git a/doc/language_issues.fr b/doc/language_issues.fr index 835352cf5..942be73ec 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr @@ -919,3 +919,4 @@ WARNING: untranslated string: routing config changed = unknown string WARNING: untranslated string: token = Token: WARNING: untranslated string: token not set = No Token has been given. WARNING: untranslated string: wlan client encryption wpa3 = WPA3 +WARNING: untranslated string: wlan client management frame protection = Management Frame Protection 
diff --git a/doc/language_issues.it b/doc/language_issues.it index 152ce4786..98074e59f 100644 --- a/doc/language_issues.it +++ b/doc/language_issues.it @@ -1197,6 +1197,7 @@ WARNING: untranslated string: wlan client eap state = EAP Status WARNING: untranslated string: wlan client encryption eap = EAP WARNING: untranslated string: wlan client encryption wpa3 = WPA3 WARNING: untranslated string: wlan client identity = Identity +WARNING: untranslated string: wlan client management frame protection = Management Frame Protection WARNING: untranslated string: wlan client method = Method WARNING: untranslated string: wlan client password = Password WARNING: untranslated string: wlan client tls cipher = TLS Cipher diff --git a/doc/language_issues.nl b/doc/language_issues.nl index 683c08f44..8eebbd57f 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl @@ -1237,6 +1237,7 @@ WARNING: untranslated string: wlan client eap state = EAP Status WARNING: untranslated string: wlan client encryption eap = EAP WARNING: untranslated string: wlan client encryption wpa3 = WPA3 WARNING: untranslated string: wlan client identity = Identity +WARNING: untranslated string: wlan client management frame protection = Management Frame Protection WARNING: untranslated string: wlan client method = Method WARNING: untranslated string: wlan client password = Password WARNING: untranslated string: wlan client tls cipher = TLS Cipher diff --git a/doc/language_issues.pl b/doc/language_issues.pl index 2feec8924..82d65d99c 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl 
@@ -1509,6 +1509,7 @@ WARNING: untranslated string: wlan client group cipher = Group cipher WARNING: untranslated string: wlan client group key algorithm = GKA WARNING: untranslated string: wlan client identity = Identity WARNING: untranslated string: wlan client invalid key length = Invalid key length. +WARNING: untranslated string: wlan client management frame protection = Management Frame Protection WARNING: untranslated string: wlan client method = Method WARNING: untranslated string: wlan client new entry = Create new wireless client configuration WARNING: untranslated string: wlan client new network = New network diff --git a/doc/language_issues.ru b/doc/language_issues.ru index cbd25d176..43c1f8c08 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru @@ -1502,6 +1502,7 @@ WARNING: untranslated string: wlan client group cipher = Group cipher WARNING: untranslated string: wlan client group key algorithm = GKA WARNING: untranslated string: wlan client identity = Identity WARNING: untranslated string: wlan client invalid key length = Invalid key length. +WARNING: untranslated string: wlan client management frame protection = Management Frame Protection WARNING: untranslated string: wlan client method = Method WARNING: untranslated string: wlan client new entry = Create new wireless client configuration WARNING: untranslated string: wlan client new network = New network diff --git a/doc/language_issues.tr b/doc/language_issues.tr index e4c25f931..439a58890 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr 
@@ -1067,6 +1067,7 @@ WARNING: untranslated string: vulnerable = Vulnerable WARNING: untranslated string: whois results from = WHOIS results from WARNING: untranslated string: winbind daemon = Winbind Daemon WARNING: untranslated string: wlan client encryption wpa3 = WPA3 +WARNING: untranslated string: wlan client management frame protection = Management Frame Protection WARNING: untranslated string: wlanap 802.11w disabled = Disabled WARNING: untranslated string: wlanap 802.11w enforced = Enforced WARNING: untranslated string: wlanap 802.11w optional = Optional diff --git a/doc/language_missings b/doc/language_missings index 1956eac48..0d89426ca 100644 --- a/doc/language_missings +++ b/doc/language_missings @@ -65,6 +65,7 @@ < wlanap 802.11w enforced < wlanap 802.11w optional < wlan client encryption wpa3 +< wlan client management frame protection ############################################################################ # Checking cgi-bin translations for language: es # ############################################################################ @@ -927,6 +928,7 @@ < wlan client group key algorithm < wlan client identity < wlan client invalid key length +< wlan client management frame protection < wlan client method < wlan client new entry < wlan client new network @@ -974,6 +976,7 @@ < token not set < upload fcdsl.o < wlan client encryption wpa3 +< wlan client management frame protection ############################################################################ # Checking cgi-bin translations for language: it # ############################################################################ @@ -1339,6 +1342,7 @@ < wlan client encryption eap < wlan client encryption wpa3 < wlan client identity +< wlan client management frame protection < wlan client method < wlan client password < wlan client tls cipher 
@@ -1777,6 +1781,7 @@ < wlan client encryption eap < wlan client encryption wpa3 < wlan client identity +< wlan client management frame protection < wlan client method < wlan client password < wlan client tls cipher @@ -2643,6 +2648,7 @@ < wlan client group key algorithm < wlan client identity < wlan client invalid key length +< wlan client management frame protection < wlan client method < wlan client new entry < wlan client new network @@ -3529,6 +3535,7 @@ < wlan client group key algorithm < wlan client identity < wlan client invalid key length +< wlan client management frame protection < wlan client method < wlan client new entry < wlan client new network @@ -3738,6 +3745,7 @@ < wlanap neighbor scan warning < wlanap ssid < wlan client encryption wpa3 +< wlan client management frame protection < working < zoneconf access native < zoneconf access none diff --git a/html/cgi-bin/wirelessclient.cgi b/html/cgi-bin/wirelessclient.cgi index fc64bcb2e..d8637ccd2 100644 --- a/html/cgi-bin/wirelessclient.cgi +++ b/html/cgi-bin/wirelessclient.cgi @@ -684,6 +684,19 @@ sub ShowStatus() { END + if ($status{'pmf'} eq "1") { + print < + + $Lang::tr{'wlan client management frame protection'} + + + $Lang::tr{'active'} + + +END + } + if ($status{'EAP state'}) { my $selected_method = $status{'selectedMethod'}; $selected_method =~ s/\d+ \((.*)\)/$1/e; diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 22e8a4cc6..95a1cfda4 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -2956,6 +2956,7 @@ 'wlan client group key algorithm' => 'GKA', 'wlan client identity' => 'Identity', 'wlan client invalid key length' => 'Invalid key length.', +'wlan client management frame protection' => 'Management Frame Protection', 'wlan client method' => 'Method', 'wlan client new entry' => 'Create new wireless client configuration', 'wlan client new network' => 'New network', From 55209df391e11bf97ec1cda2dbf90aa365c75761 Mon Sep 17 00:00:00 2001 
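Review bot: The new `if ($status{'pmf'} eq "1")` test in `ShowStatus()` matches only one value of the `pmf` status field. As far as I know wpa_supplicant reports `pmf=2` when the access point requires management frame protection and `pmf=1` when it is only capable of it, so the row would be hidden in exactly the enforced case. How `%status` is filled is outside this hunk, so confirm against the real status output; a test such as `if (defined $status{'pmf'} && $status{'pmf'} =~ /^[12]$/) {` covers both values and avoids comparing an undefined value when the key is absent. `ShowStatus()` continues outside the hunk.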
From: Michael Tremer Date: Tue, 16 Feb 2021 17:44:45 +0100 Subject: [PATCH 7/9] wlanclient: Do not force using legacy interface to talk to the kernel "wireless extensions" is the old interface to speak to the kernel. All newer drivers support nl80211 now. Signed-off-by: Michael Tremer --- src/initscripts/system/wlanclient | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/src/initscripts/system/wlanclient b/src/initscripts/system/wlanclient index 4b3938b46..338a743ab 100644 --- a/src/initscripts/system/wlanclient +++ b/src/initscripts/system/wlanclient @@ -275,9 +275,7 @@ function wpa_supplicant_start() { # Build wpa_supplicant command line. local wpa_suppl_cmd="wpa_supplicant -B -qqq -i${device} -c${config}" - if device_is_wireless ${device}; then - wpa_suppl_cmd="${wpa_suppl_cmd} -Dwext" - else + if ! device_is_wireless ${device}; then wpa_suppl_cmd="${wpa_suppl_cmd} -Dwired" fi From b31cd7d0fc12e45c2875c9619d063e1e7310e9fe Mon Sep 17 00:00:00 2001 
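Review bot: With `-Dwext` removed and nothing put in its place, wireless devices now use whatever driver wpa_supplicant selects by default, which presumably depends on how the binary was built rather than on this script. If nl80211 is the intent, naming it keeps the behaviour explicit and retains a fallback for older drivers: `wpa_suppl_cmd="${wpa_suppl_cmd} -Dnl80211,wext"` in a wireless branch (wpa_supplicant accepts a comma-separated driver list). The argument in `if ! device_is_wireless ${device}; then` should also be quoted as `"${device}"`. `wpa_supplicant_start()` begins and ends outside the hunk.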
From: Michael Tremer Date: Tue, 16 Feb 2021 17:28:17 +0000 Subject: [PATCH 8/9] openssl: Update to 1.1.1j Null pointer deref in X509_issuer_and_serial_hash() (CVE-2021-23841) ==================================================================== Severity: Moderate The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. This issue was reported to OpenSSL on 15th December 2020 by Tavis Ormandy from Google. The fix was developed by Matt Caswell. Incorrect SSLv2 rollback protection (CVE-2021-23839) ==================================================== Severity: Low OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2 with a server that is configured to support both SSLv2 and more recent SSL and TLS versions then a check is made for a version rollback attack when unpadding an RSA signature. Clients that support SSL or TLS versions greater than SSLv2 are supposed to use a special form of padding. 
A server that supports greater than SSLv2 is supposed to reject connection attempts from a client where this special form of padding is present, because this indicates that a version rollback has occurred (i.e. both client and server support greater than SSLv2, and yet this is the version that is being requested). The implementation of this padding check inverted the logic so that the connection attempt is accepted if the padding is present, and rejected if it is absent. This means that such a server will accept a connection if a version rollback attack has occurred. Further the server will erroneously reject a connection if a normal SSLv2 connection attempt is made. Only OpenSSL 1.0.2 servers from version 1.0.2s to 1.0.2x are affected by this issue. In order to be vulnerable a 1.0.2 server must: 1) have configured SSLv2 support at compile time (this is off by default), 2) have configured SSLv2 support at runtime (this is off by default), 3) have configured SSLv2 ciphersuites (these are not in the default ciphersuite list) OpenSSL 1.1.1 does not have SSLv2 support and therefore is not vulnerable to this issue. The underlying error is in the implementation of the RSA_padding_check_SSLv23() function. This also affects the RSA_SSLV23_PADDING padding mode used by various other functions. Although 1.1.1 does not support SSLv2 the RSA_padding_check_SSLv23() function still exists, as does the RSA_SSLV23_PADDING padding mode. Applications that directly call that function or use that padding mode will encounter this issue. However since there is no support for the SSLv2 protocol in 1.1.1 this is considered a bug and not a security issue in that version. OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. This issue was reported to OpenSSL on 21st January 2021 by D. Katz and Joel Luellwitz from Trustwave. The fix was developed by Matt Caswell. 
Integer overflow in CipherUpdate (CVE-2021-23840) ================================================= Severity: Low Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. This issue was reported to OpenSSL on 13th December 2020 by Paul Kehrer. The fix was developed by Matt Caswell. Signed-off-by: Michael Tremer --- config/rootfiles/common/openssl | 4 ++++ lfs/openssl | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/config/rootfiles/common/openssl b/config/rootfiles/common/openssl index df6bbe320..989670262 100644 --- a/config/rootfiles/common/openssl +++ b/config/rootfiles/common/openssl @@ -869,6 +869,7 @@ usr/lib/libssl.so.1.1 #usr/share/doc/openssl/html/man3/DH_check_pub_key_ex.html #usr/share/doc/openssl/html/man3/DH_clear_flags.html #usr/share/doc/openssl/html/man3/DH_compute_key.html +#usr/share/doc/openssl/html/man3/DH_compute_key_padded.html #usr/share/doc/openssl/html/man3/DH_free.html #usr/share/doc/openssl/html/man3/DH_generate_key.html #usr/share/doc/openssl/html/man3/DH_generate_parameters.html 
@@ -1983,6 +1984,7 @@ usr/lib/libssl.so.1.1 #usr/share/doc/openssl/html/man3/OCSP_REQUEST_new.html #usr/share/doc/openssl/html/man3/OCSP_REQ_CTX_add1_header.html #usr/share/doc/openssl/html/man3/OCSP_REQ_CTX_free.html +#usr/share/doc/openssl/html/man3/OCSP_REQ_CTX_i2d.html #usr/share/doc/openssl/html/man3/OCSP_REQ_CTX_set1_req.html #usr/share/doc/openssl/html/man3/OCSP_RESPBYTES_free.html #usr/share/doc/openssl/html/man3/OCSP_RESPBYTES_new.html @@ -4838,6 +4840,7 @@ usr/lib/libssl.so.1.1 #usr/share/man/man3/DH_check_pub_key_ex.3 #usr/share/man/man3/DH_clear_flags.3 #usr/share/man/man3/DH_compute_key.3 +#usr/share/man/man3/DH_compute_key_padded.3 #usr/share/man/man3/DH_free.3 #usr/share/man/man3/DH_generate_key.3 #usr/share/man/man3/DH_generate_parameters.3 @@ -5952,6 +5955,7 @@ usr/lib/libssl.so.1.1 #usr/share/man/man3/OCSP_REQUEST_new.3 #usr/share/man/man3/OCSP_REQ_CTX_add1_header.3 #usr/share/man/man3/OCSP_REQ_CTX_free.3 +#usr/share/man/man3/OCSP_REQ_CTX_i2d.3 #usr/share/man/man3/OCSP_REQ_CTX_set1_req.3 #usr/share/man/man3/OCSP_RESPBYTES_free.3 #usr/share/man/man3/OCSP_RESPBYTES_new.3 diff --git a/lfs/openssl b/lfs/openssl index 16e20b439..ea7eff135 100644 --- a/lfs/openssl +++ b/lfs/openssl @@ -24,7 +24,7 @@ include Config -VER = 1.1.1i +VER = 1.1.1j THISAPP = openssl-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -87,7 +87,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 08987c3cf125202e2b0840035efb392c +$(DL_FILE)_MD5 = cccaa064ed860a2b4d1303811bf5c682 install : $(TARGET) From 08c83af39fbd226728f0da40d25ea62e77e05fb4 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Tue, 16 Feb 2021 17:36:22 +0000 Subject: [PATCH 9/9] core154: Ship openssl 
Signed-off-by: Michael Tremer --- config/rootfiles/core/154/filelists/i586/openssl-sse2 | 1 + config/rootfiles/core/154/filelists/openssl | 1 + 2 files changed, 2 insertions(+) create mode 120000 config/rootfiles/core/154/filelists/i586/openssl-sse2 create mode 120000 config/rootfiles/core/154/filelists/openssl diff --git a/config/rootfiles/core/154/filelists/i586/openssl-sse2 b/config/rootfiles/core/154/filelists/i586/openssl-sse2 new file mode 120000 index 000000000..f424713d6 --- /dev/null +++ b/config/rootfiles/core/154/filelists/i586/openssl-sse2 @@ -0,0 +1 @@ +../../../../common/i586/openssl-sse2 \ No newline at end of file diff --git a/config/rootfiles/core/154/filelists/openssl b/config/rootfiles/core/154/filelists/openssl new file mode 120000 index 000000000..e011a9266 --- /dev/null +++ b/config/rootfiles/core/154/filelists/openssl @@ -0,0 +1 @@ +../../../common/openssl \ No newline at end of file