* [meta-networking][dunfell][PATCH 1/4] mbedtls: Fix CVE product name
@ 2022-10-04  6:28 Mathieu Dubois-Briand
From: Mathieu Dubois-Briand @ 2022-10-04  6:28 UTC
  To: openembedded-devel; +Cc: akuster808, Mathieu Dubois-Briand

Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com>
---
 meta-networking/recipes-connectivity/mbedtls/mbedtls_2.16.6.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.16.6.bb b/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.16.6.bb
index 12ad39761e9f..0ad1e02630a8 100644
--- a/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.16.6.bb
+++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.16.6.bb
@@ -41,3 +41,5 @@ PACKAGES =+ "${PN}-programs"
 FILES_${PN}-programs = "${bindir}/"
 
 BBCLASSEXTEND = "native nativesdk"
+
+CVE_PRODUCT = "mbed_tls"
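Review bot: the commit message is empty, so this hunk does not record why the default product name (the recipe name, `mbedtls`) was wrong; a one-line body stating that the NVD CPE product string is `mbed_tls` and that the default therefore matched no CVE entries at all would help whoever reads `git blame` on `CVE_PRODUCT = "mbed_tls"` later. Consider also the `vendor:product` form of CVE_PRODUCT, if the cve-check class on this branch accepts it, so the scan cannot pick up another vendor's product of the same name.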
-- 
2.34.1




* [meta-networking][dunfell][PATCH 2/4] mbedtls: Update to 2.16.12 stable version
@ 2022-10-04  6:28 Mathieu Dubois-Briand
From: Mathieu Dubois-Briand @ 2022-10-04  6:28 UTC
  To: openembedded-devel; +Cc: akuster808, Mathieu Dubois-Briand

Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com>
---
 .../mbedtls/{mbedtls_2.16.6.bb => mbedtls_2.16.12.bb} | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
 rename meta-networking/recipes-connectivity/mbedtls/{mbedtls_2.16.6.bb => mbedtls_2.16.12.bb} (81%)

diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.16.6.bb b/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.16.12.bb
similarity index 81%
rename from meta-networking/recipes-connectivity/mbedtls/mbedtls_2.16.6.bb
rename to meta-networking/recipes-connectivity/mbedtls/mbedtls_2.16.12.bb
index 0ad1e02630a8..adb8e4a2c994 100644
--- a/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.16.6.bb
+++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.16.12.bb
@@ -18,13 +18,16 @@ understand what the code does. It features:                          \
 HOMEPAGE = "https://tls.mbed.org/"
 
 LICENSE = "Apache-2.0"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=302d50a6369f5f22efdb674db908167a"
+LIC_FILES_CHKSUM = " \
+    file://LICENSE;md5=d32b51202e173d9e438ca20f008209a1 \
+    file://apache-2.0.txt;md5=3b83ef96387f14655fc854ddc3c6bd57 \
+    "
 
 SECTION = "libs"
 
-SRC_URI = "https://tls.mbed.org/download/mbedtls-${PV}-apache.tgz"
-SRC_URI[md5sum] = "1f629a43c166de2eca808f3e30aa961d"
-SRC_URI[sha256sum] = "66455e23a6190a30142cdc1113f7418158839331a9d8e6b0778631d077281770"
+SRC_URI = "https://github.com/Mbed-TLS/mbedtls/archive/refs/tags/v${PV}.tar.gz"
+SRC_URI[md5sum] = "f3a7b041c43b35c883632a1773bf61a6"
+SRC_URI[sha256sum] = "294871ab1864a65d0b74325e9219d5bcd6e91c34a3c59270c357bb9ae4d5c393"
 
 inherit cmake
 
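Review bot: the LIC_FILES_CHKSUM change in this hunk is not explained in the commit message, and `LICENSE = "Apache-2.0"` is kept while the LICENSE file now being checksummed carries a different md5 (the thread below says it names "Apache-2.0 OR GPL-2.0-or-later" and ships next to apache-2.0.txt and gpl-2.0.txt); the body should state which licence terms the recipe asserts and why only two of the three files are checksummed. Separately, the new SRC_URI points at GitHub's auto-generated tag archive (`archive/refs/tags/v${PV}.tar.gz`) rather than an uploaded release asset; such archives are regenerated server-side and their checksums are not guaranteed to stay stable, so a `git://` fetch pinned by SRCREV, or a release asset if upstream publishes one, is the safer choice for a reproducible build.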
-- 
2.34.1




* [meta-networking][dunfell][PATCH 4/4] mbedtls: Whitelist CVE-2021-43666
@ 2022-10-04  6:28 Mathieu Dubois-Briand
From: Mathieu Dubois-Briand @ 2022-10-04  6:28 UTC
  To: openembedded-devel; +Cc: akuster808, Mathieu Dubois-Briand

Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com>
---
 .../recipes-connectivity/mbedtls/mbedtls_2.16.12.bb            | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.16.12.bb b/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.16.12.bb
index 264e8abc15fc..7c61b1bfa7cf 100644
--- a/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.16.12.bb
+++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.16.12.bb
@@ -49,3 +49,6 @@ FILES_${PN}-programs = "${bindir}/"
 BBCLASSEXTEND = "native nativesdk"
 
 CVE_PRODUCT = "mbed_tls"
+
+# Fix merged upstream https://github.com/Mbed-TLS/mbedtls/pull/5311
+CVE_CHECK_WHITELIST += "CVE-2021-43666"
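Review bot: the comment above `CVE_CHECK_WHITELIST += "CVE-2021-43666"` cites the upstream PR but not the version that contains the fix, and a whitelist entry stays in force across every future version bump of this recipe; record that the fix ships in 2.16.12 and that it is the NVD CPE range, not the code, that is wrong, so the entry can be dropped once the CPE is corrected. As the follow-up in this thread notes, getting the CPE corrected is the durable fix, since the whitelist only silences the report for this one recipe. For anyone forward-porting, note that newer branches renamed this variable to CVE_CHECK_IGNORE.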
-- 
2.34.1




* Re: [meta-networking][dunfell][PATCH 1/4] mbedtls: Fix CVE product name
@ 2022-10-04  6:34 Mathieu Dubois-Briand
From: Mathieu Dubois-Briand @ 2022-10-04  6:34 UTC
  To: openembedded-devel; +Cc: akuster808, Mathieu Dubois-Briand

Hi,

Fixing the CVE product name from mbedtls uncovers a lot of CVEs. Some of these
are fixed in the last 2.16 version, but some remain. Here is what I found:

- CVE-2020-36477 and CVE-2022-35409: I added patches in this PR, but they did
  NOT apply cleanly when cherry-picking them. Original commits:
  https://github.com/Mbed-TLS/mbedtls/commit/f3e4bd8632b71dc491e52e6df87dc3e409d2b869
  https://github.com/Mbed-TLS/mbedtls/commit/e5af9fabf7d68e3807b6ea78792794b8352dbba2

- CVE-2021-43666: Patch is merged in 2.16.12 but the CPE does not exclude 2.16.12, so
  I added it to the whitelist.

- CVE-2021-45450 and CVE-2021-45451: I believe the CPEs are completely wrong
  here, as PSA was introduced in mbedtls-2.22.0. I may add them to the whitelist,
  but I believe the CPEs have to be modified.

- CVE-2021-24119: Fixed in master and has to be backported, but it's not clear
  exactly which commits fixed the issue. It seems to be be165bd32b87 and some
  parents (from https://github.com/Mbed-TLS/mbedtls/pull/4305).

Best regards,
Mathieu
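As an added, constructed illustration of the matching behaviour described in the message above (this is not cve-check.bbclass and not code from the thread; the CPE ranges, the vendor string `arm` and all helper names are assumptions), the following toy scan shows why the product-name fix surfaces CVEs that the default `mbedtls` name never matched, why CVE-2021-43666 still reports against 2.16.12 when the NVD range has no correct upper bound, and how a corrected lower bound on a mis-scoped CPE, rather than a whitelist entry, makes a pre-PSA 2.16.x release stop matching:

```python
# Added, constructed example: a toy model of the CPE matching an OE cve-check
# style scan performs. It is NOT cve-check.bbclass, and the CPE ranges and the
# vendor string "arm" below are illustrative assumptions, not copied from NVD.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric dotted version -> tuple, so 2.16.12 sorts after 2.16.6.
    Plain string comparison gets this wrong ("2.16.12" < "2.16.6")."""
    return tuple(int(part) for part in v.split("."))


@dataclass
class CpeRange:
    """One CPE match entry of a CVE: vendor/product plus a version constraint."""
    cve: str
    vendor: str
    product: str
    version: str = "*"                 # literal version in the CPE, "*" = any
    start_including: Optional[str] = None
    end_excluding: Optional[str] = None
    end_including: Optional[str] = None

    def matches(self, vendor: Optional[str], product: str, pv: str) -> bool:
        """True when this entry covers the given product at version pv."""
        if self.product != product:
            return False
        if vendor is not None and self.vendor != vendor:
            return False
        v = parse_version(pv)
        if self.version != "*":
            return parse_version(self.version) == v
        if self.start_including and v < parse_version(self.start_including):
            return False
        if self.end_excluding and v >= parse_version(self.end_excluding):
            return False
        if self.end_including and v > parse_version(self.end_including):
            return False
        return True


def scan(db: Iterable[CpeRange], cve_product: str, pv: str,
         whitelist: Iterable[str] = ()) -> Dict[str, str]:
    """Report CVEs hitting a recipe. cve_product is 'product' or 'vendor:product'
    (the shapes CVE_PRODUCT takes); whitelist plays the CVE_CHECK_WHITELIST role."""
    vendor, _, product = cve_product.rpartition(":")
    ignored = set(whitelist)
    report: Dict[str, str] = {}
    for entry in db:
        if entry.matches(vendor or None, product, pv):
            report[entry.cve] = "Ignored" if entry.cve in ignored else "Unpatched"
    return report


# Constructed CPE data modelled on the two situations described in the thread.
CPE_DB: List[CpeRange] = [
    # Upper bound does not exclude 2.16.12 although the fix is in that release.
    CpeRange("CVE-2021-43666", "arm", "mbed_tls", end_excluding="2.28.0"),
    # No lower bound, so pre-PSA 2.16.x matches (PSA only arrived in 2.22.0).
    CpeRange("CVE-2021-45450", "arm", "mbed_tls", end_excluding="2.28.1"),
]

# The same entry for CVE-2021-45450 once a floor has been added to the CPE.
CPE_DB_CORRECTED: List[CpeRange] = [
    CPE_DB[0],
    CpeRange("CVE-2021-45450", "arm", "mbed_tls",
             start_including="2.22.0", end_excluding="2.28.1"),
]


def walk_through(pv: str = "2.16.12") -> Dict[str, Dict[str, str]]:
    """Reproduce the thread's observations for one recipe version."""
    return {
        # Default CVE_PRODUCT is the recipe name: nothing matches, silently.
        "PN as product": scan(CPE_DB, "mbedtls", pv),
        # Correct product name: both CVEs now show up.
        "mbed_tls": scan(CPE_DB, "mbed_tls", pv),
        # Whitelist the one whose fix is known to be in this version.
        "whitelisted": scan(CPE_DB, "arm:mbed_tls", pv, whitelist=["CVE-2021-43666"]),
        # For a mis-scoped CPE the durable fix is correcting the CPE itself.
        "corrected CPE": scan(CPE_DB_CORRECTED, "arm:mbed_tls", pv),
    }


if __name__ == "__main__":
    for label, result in walk_through().items():
        print(f"{label:14s} {result}")
```

Running it prints the four reports in order; the "PN as product" line is the dangerous one, because an empty report from a wrong product name looks identical to a genuinely clean scan.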



* Re: [meta-networking][dunfell][PATCH 2/4] mbedtls: Update to 2.16.12 stable version
@ 2022-10-04 18:16 akuster808
From: akuster808 @ 2022-10-04 18:16 UTC
  To: Mathieu Dubois-Briand, openembedded-devel; +Cc: Mathieu Dubois-Briand

Why did the LIC_FILES_CHKSUM change?

- armin


On 10/4/22 2:28 AM, Mathieu Dubois-Briand wrote:
> Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com>
> ---
>   .../mbedtls/{mbedtls_2.16.6.bb => mbedtls_2.16.12.bb} | 11 +++++++----
>   1 file changed, 7 insertions(+), 4 deletions(-)
>   rename meta-networking/recipes-connectivity/mbedtls/{mbedtls_2.16.6.bb => mbedtls_2.16.12.bb} (81%)
>
> diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.16.6.bb b/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.16.12.bb
> similarity index 81%
> rename from meta-networking/recipes-connectivity/mbedtls/mbedtls_2.16.6.bb
> rename to meta-networking/recipes-connectivity/mbedtls/mbedtls_2.16.12.bb
> index 0ad1e02630a8..adb8e4a2c994 100644
> --- a/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.16.6.bb
> +++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.16.12.bb
> @@ -18,13 +18,16 @@ understand what the code does. It features:                          \
>   HOMEPAGE = "https://tls.mbed.org/"
>   
>   LICENSE = "Apache-2.0"
> -LIC_FILES_CHKSUM = "file://LICENSE;md5=302d50a6369f5f22efdb674db908167a"
> +LIC_FILES_CHKSUM = " \
> +    file://LICENSE;md5=d32b51202e173d9e438ca20f008209a1 \
> +    file://apache-2.0.txt;md5=3b83ef96387f14655fc854ddc3c6bd57 \
> +    "
>   
>   SECTION = "libs"
>   
> -SRC_URI = "https://tls.mbed.org/download/mbedtls-${PV}-apache.tgz"
> -SRC_URI[md5sum] = "1f629a43c166de2eca808f3e30aa961d"
> -SRC_URI[sha256sum] = "66455e23a6190a30142cdc1113f7418158839331a9d8e6b0778631d077281770"
> +SRC_URI = "https://github.com/Mbed-TLS/mbedtls/archive/refs/tags/v${PV}.tar.gz"
> +SRC_URI[md5sum] = "f3a7b041c43b35c883632a1773bf61a6"
> +SRC_URI[sha256sum] = "294871ab1864a65d0b74325e9219d5bcd6e91c34a3c59270c357bb9ae4d5c393"
>   
>   inherit cmake
>   
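Review bot: the quoted hunk keeps an `SRC_URI[md5sum]` next to the `SRC_URI[sha256sum]`; the fetcher is satisfied by the sha256 alone, so the md5 line is a second value that must be kept in sync on every bump and adds no integrity beyond what sha256 already provides. Dropping it when the tarball source changes would be the natural moment.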




* Re: [meta-networking][dunfell][PATCH 2/4] mbedtls: Update to 2.16.12 stable version
@ 2022-10-05  8:24 Mathieu Dubois-Briand
From: Mathieu Dubois-Briand @ 2022-10-05  8:24 UTC
  To: akuster808; +Cc: openembedded-devel, Mathieu Dubois-Briand

On Tue, Oct 04, 2022 at 02:16:35PM -0400, akuster808 wrote:
> Why did the LIC_FILES_CHKSUM change?
> 

Oh yeah, good question!

The previous LICENSE file was the Apache 2.0 license; now we have three files:
- LICENSE, which basically says "SPDX-License-Identifier: Apache-2.0 OR
  GPL-2.0-or-later". https://github.com/Mbed-TLS/mbedtls/blob/v2.16.12/LICENSE
- apache-2.0.txt, well, the Apache 2.0 license.
- gpl-2.0.txt, which I chose not to include in LIC_FILES_CHKSUM, as
  LICENSE only refers to Apache.

Now, having said this, maybe I should switch LICENSE to
"GPL-2.0-or-later|Apache-2.0" and use all three files in
LIC_FILES_CHKSUM?

Best regards,
Mathieu



* Re: [oe] [meta-networking][dunfell][PATCH 4/4] mbedtls: Whitelist CVE-2021-43666
@ 2022-10-05  8:33 Mathieu Dubois-Briand
From: Mathieu Dubois-Briand @ 2022-10-05  8:33 UTC
  To: openembedded-devel, akuster808, Mathieu Dubois-Briand; +Cc: Ross Burton

On Tue, Oct 04, 2022 at 08:28:43AM +0200, Mathieu Dubois-Briand via lists.openembedded.org wrote:
> Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com>
> ---
>  .../recipes-connectivity/mbedtls/mbedtls_2.16.12.bb            | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.16.12.bb b/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.16.12.bb
> index 264e8abc15fc..7c61b1bfa7cf 100644
> --- a/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.16.12.bb
> +++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.16.12.bb
> @@ -49,3 +49,6 @@ FILES_${PN}-programs = "${bindir}/"
>  BBCLASSEXTEND = "native nativesdk"
>  
>  CVE_PRODUCT = "mbed_tls"
> +
> +# Fix merged upstream https://github.com/Mbed-TLS/mbedtls/pull/5311
> +CVE_CHECK_WHITELIST += "CVE-2021-43666"
> -- 
> 2.34.1
> 

On the equivalent patch set against the master branch, Ross Burton suggested not adding the CVE to the whitelist but instead getting the CPE modified. We might want to do the same thing here.

Best regards,
Mathieu



* Re: [meta-networking][dunfell][PATCH 2/4] mbedtls: Update to 2.16.12 stable version
@ 2022-11-02 12:42 Mathieu Dubois-Briand
From: Mathieu Dubois-Briand @ 2022-11-02 12:42 UTC
  To: akuster808; +Cc: openembedded-devel

On Wed, Oct 05, 2022 at 10:24:15AM +0200, Mathieu Dubois-Briand wrote:
> On Tue, Oct 04, 2022 at 02:16:35PM -0400, akuster808 wrote:
> > Why did the LIC_FILES_CHKSUM change?
> > 
> 
> Oh yeah, good question!
> 
> The previous LICENSE file was the Apache 2.0 license; now we have three files:
> - LICENSE, which basically says "SPDX-License-Identifier: Apache-2.0 OR
>   GPL-2.0-or-later". https://github.com/Mbed-TLS/mbedtls/blob/v2.16.12/LICENSE
> - apache-2.0.txt, well, the Apache 2.0 license.
> - gpl-2.0.txt, which I chose not to include in LIC_FILES_CHKSUM, as
>   LICENSE only refers to Apache.
> 
> Now, having said this, maybe I should switch LICENSE to
> "GPL-2.0-or-later|Apache-2.0" and use all three files in
> LIC_FILES_CHKSUM?
> 
> Best regards,
> Mathieu

Any news regarding this patch set? Do you believe I should change the
LICENSE content?

Best regards,
Mathieu

