From: "Anuj Mittal" <anuj.mittal@intel.com>
To: openembedded-core@lists.openembedded.org
Subject: [hardknott][PATCH 01/13] curl: cleanup CVE patches for hardknott
Date: Tue, 22 Jun 2021 17:50:20 +0800
Message-ID: <456ba1717fc3ebb9d10cc6a3c916b07f7c4e8a22.1624352878.git.anuj.mittal@intel.com>
In-Reply-To: <cover.1624352878.git.anuj.mittal@intel.com>

From: Trevor Gamblin <trevor.gamblin@windriver.com>

The patch backported to address CVE-2021-22890 was missing a bracket to
properly close out the logic in lib/vtls/wolfssl.c. Fix this to avoid
any surprise failures when using curl with hardknott.

Also fix the CVE designation in the patch descriptions for CVEs
CVE-2021-22890 and CVE-2021-22876 so that CVE checks run with bitbake
correctly detect that they are patched.

Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 ...oxy-argument-to-Curl_ssl_get-addsession.patch | 16 ++++++++--------
 ...p-credentials-from-the-auto-referer-hea.patch |  5 ++++-
 2 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/meta/recipes-support/curl/curl/0001-vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch b/meta/recipes-support/curl/curl/0001-vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch
index a0c7d68f33..1e0e18cf12 100644
--- a/meta/recipes-support/curl/curl/0001-vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch
+++ b/meta/recipes-support/curl/curl/0001-vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch
@@ -1,15 +1,14 @@
-From a2d3885223db9616283bfe33435fbe9b3140eac7 Mon Sep 17 00:00:00 2001
+From e499142d377b56c7606437d14c99d3cb27aba9fd Mon Sep 17 00:00:00 2001
 From: Trevor Gamblin <trevor.gamblin@windriver.com>
 Date: Tue, 1 Jun 2021 09:50:20 -0400
-Subject: [PATCH 1/2] vtls: add 'isproxy' argument to
- Curl_ssl_get/addsessionid()
+Subject: [PATCH] vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid()
 
 To make sure we set and extract the correct session.
 
 Reported-by: Mingtao Yang
 Bug: https://curl.se/docs/CVE-2021-22890.html
 
-CVE-2021-22890
+CVE: CVE-2021-22890
 
 Upstream-Status: Backport
 (https://github.com/curl/curl/commit/b09c8ee15771c614c4bf3ddac893cdb12187c844)
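Review bot: The change from a bare "CVE-2021-22890" line to "CVE: CVE-2021-22890" is the substantive fix in this hunk: cve-check.bbclass only recognises a patch as addressing a CVE when the id appears either in the patch file name or behind a "CVE:" tag in its header, and neither of these patch files carries the id in its name, so without the tag the recipe would keep being reported as vulnerable. The other two lines (new "From" hash, "[PATCH 1/2]" collapsed to "[PATCH]") are cosmetic results of regenerating the patch with git format-patch; worth keeping in mind that the second file in this series still shows "[PATCH 2/2]" in its Subject, so the two headers are now inconsistent.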
@@ -25,8 +24,8 @@ Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
  lib/vtls/sectransp.c | 10 ++++----
  lib/vtls/vtls.c      | 12 +++++++---
  lib/vtls/vtls.h      |  2 ++
- lib/vtls/wolfssl.c   | 28 +++++++++++++----------
- 10 files changed, 111 insertions(+), 51 deletions(-)
+ lib/vtls/wolfssl.c   | 29 ++++++++++++++----------
+ 10 files changed, 112 insertions(+), 51 deletions(-)
 
 diff --git a/lib/vtls/bearssl.c b/lib/vtls/bearssl.c
 index 29b08c0e6..0432dfadc 100644
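Review bot: The embedded diffstat is updated consistently with the one-line fix (wolfssl.c 28 -> 29, total 111 -> 112 insertions), which is the expected result of regenerating the patch rather than hand-editing it. git am and quilt ignore the diffstat, but a stale one is a common tell that a backport was patched by hand, so keeping it accurate makes the next reviewer's job easier.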
@@ -463,7 +462,7 @@ index 9666682ec..4dc29794c 100644
                                 size_t idsize,
                                 int sockindex);
 diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c
-index e1fa45926..e4c70877f 100644
+index e1fa45926..f1b12b1d8 100644
 --- a/lib/vtls/wolfssl.c
 +++ b/lib/vtls/wolfssl.c
 @@ -516,7 +516,9 @@ wolfssl_connect_step1(struct Curl_easy *data, struct connectdata *conn,
@@ -477,7 +476,7 @@ index e1fa45926..e4c70877f 100644
        /* we got a session id, use it! */
        if(!SSL_set_session(backend->handle, ssl_sessionid)) {
          char error_buffer[WOLFSSL_MAX_ERROR_SZ];
-@@ -774,21 +776,23 @@ wolfssl_connect_step3(struct Curl_easy *data, struct connectdata *conn,
+@@ -774,21 +776,24 @@ wolfssl_connect_step3(struct Curl_easy *data, struct connectdata *conn,
      void *old_ssl_sessionid = NULL;
  
      our_ssl_sessionid = SSL_get_session(backend->handle);
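Review bot: The inner hunk header for wolfssl_connect_step3 grows from 23 to 24 new-side lines, matching exactly one added line in the hunk that follows; the old-side count (21) is unchanged, so the patch still applies against the same 7.76.x base. Together with the updated post-image blob id in the "index" line, this confirms the patch was regenerated from a tree where the file actually compiled, rather than edited in place.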
@@ -501,6 +500,7 @@ index e1fa45926..e4c70877f 100644
 +            infof(data, "old SSL session ID is stale, removing\n");
 +            Curl_ssl_delsessionid(data, old_ssl_sessionid);
 +            incache = FALSE;
++        }
        }
      }
  
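Review bot: The added "+        }" closes the block that handles a stale cached session id (the "old SSL session ID is stale, removing" branch) before the enclosing braces, which is the missing bracket the commit message describes. Since lib/vtls/wolfssl.c is only compiled when curl is built against the wolfSSL backend, the default OpenSSL build of the recipe would never have exposed the syntax error; suggest confirming the fix with a wolfSSL-enabled build of curl so that the session-id handling for the proxy case (the point of CVE-2021-22890) is actually exercised on hardknott.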
diff --git a/meta/recipes-support/curl/curl/0002-transfer-strip-credentials-from-the-auto-referer-hea.patch b/meta/recipes-support/curl/curl/0002-transfer-strip-credentials-from-the-auto-referer-hea.patch
index 6c4f6f2f48..c02c9bed68 100644
--- a/meta/recipes-support/curl/curl/0002-transfer-strip-credentials-from-the-auto-referer-hea.patch
+++ b/meta/recipes-support/curl/curl/0002-transfer-strip-credentials-from-the-auto-referer-hea.patch
@@ -6,7 +6,10 @@ Subject: [PATCH 2/2] transfer: strip credentials from the auto-referer header
 
 Added test 2081 to verify.
 
-CVE-2021-22876
+CVE: CVE-2021-22876
+
+Upstream-Status: Backport
+(https://github.com/curl/curl/commit/7214288898f5625a6cc196e22a74232eada7861c)
 
 Bug: https://curl.se/docs/CVE-2021-22876.html
 
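Review bot: Adding the "CVE: CVE-2021-22876" tag has the same effect as in the first patch: cve-check will now mark this CVE as patched for the recipe instead of leaving it flagged. The new "Upstream-Status: Backport" line with the upstream commit URL is also the right thing to add, as it was missing entirely from this file and is required by OE-Core's patch guidelines. One small inconsistency remains in the unchanged context: the Subject still reads "[PATCH 2/2]" while the first patch's Subject was normalised to "[PATCH]" in this same series; harmless for the build, but worth aligning if the patch is touched again.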
-- 
2.31.1

