From 3f9340a9241d497753b330d90d6a3d8332c1ba7f Mon Sep 17 00:00:00 2001 From: Stefan Ghinea Date: Thu, 26 Jan 2023 23:07:40 +0200 Subject: mbedtls: upgrade to 2.28.2 to fix CVE-2022-46392, CVE-2022-46393 An issue was discovered in Mbed TLS before 2.28.2 and 3.x before 3.3.0. An adversary with access to precise enough information about memory accesses (typically, an untrusted operating system attacking a secure enclave) can recover an RSA private key after observing the victim performing a single private-key operation, if the window size (MBEDTLS_MPI_WINDOW_SIZE) used for the exponentiation is 3 or smaller. An issue was discovered in Mbed TLS before 2.28.2 and 3.x before 3.3.0. There is a potential heap-based buffer overflow and heap-based buffer over-read in DTLS if MBEDTLS_SSL_DTLS_CONNECTION_ID is enabled and MBEDTLS_SSL_CID_IN_LEN_MAX > 2 * MBEDTLS_SSL_CID_OUT_LEN_MAX. References: https://nvd.nist.gov/vuln/detail/CVE-2022-46392 https://nvd.nist.gov/vuln/detail/CVE-2022-46393 Upstream patches: https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.2 Signed-off-by: Stefan Ghinea Signed-off-by: Khem Raj (cherry picked from commit 2ab113e8be42ae2dd61babb8e9a1742684df1f59) Signed-off-by: Armin Kuster --- .../recipes-connectivity/mbedtls/mbedtls_2.28.1.bb | 51 ---------------------- .../recipes-connectivity/mbedtls/mbedtls_2.28.2.bb | 51 ++++++++++++++++++++++ 2 files changed, 51 insertions(+), 51 deletions(-) delete mode 100644 meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.1.bb create mode 100644 meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.2.bb diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.1.bb b/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.1.bb deleted file mode 100644 index 742414dd8a..0000000000 --- a/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.1.bb +++ /dev/null @@ -1,51 +0,0 @@ -SUMMARY = "Lightweight crypto and SSL/TLS library" -DESCRIPTION = "mbedtls is a lean open source crypto library \ -for providing SSL and TLS support in your programs. It offers \ -an intuitive API and documented header files, so you can actually \ -understand what the code does. It features: \ - \ - - Symmetric algorithms, like AES, Blowfish, Triple-DES, DES, ARC4, \ - Camellia and XTEA \ - - Hash algorithms, like SHA-1, SHA-2, RIPEMD-160 and MD5 \ - - Entropy pool and random generators, like CTR-DRBG and HMAC-DRBG \ - - Public key algorithms, like RSA, Elliptic Curves, Diffie-Hellman, \ - ECDSA and ECDH \ - - SSL v3 and TLS 1.0, 1.1 and 1.2 \ - - Abstraction layers for ciphers, hashes, public key operations, \ - platform abstraction and threading \ -" - -HOMEPAGE = "https://tls.mbed.org/" - -LICENSE = "Apache-2.0" -LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57" - -SECTION = "libs" - -S = "${WORKDIR}/git" -SRCREV = "dd79db10014d85b26d11fe57218431f2e5ede6f2" -SRC_URI = "git://github.com/ARMmbed/mbedtls.git;protocol=https;branch=mbedtls-2.28" - -inherit cmake - -PACKAGECONFIG ??= "shared-libs programs" -PACKAGECONFIG[shared-libs] = "-DUSE_SHARED_MBEDTLS_LIBRARY=ON,-DUSE_SHARED_MBEDTLS_LIBRARY=OFF" -PACKAGECONFIG[programs] = "-DENABLE_PROGRAMS=ON,-DENABLE_PROGRAMS=OFF" -PACKAGECONFIG[werror] = "-DMBEDTLS_FATAL_WARNINGS=ON,-DMBEDTLS_FATAL_WARNINGS=OFF" - -EXTRA_OECMAKE = "-DENABLE_TESTING=OFF -DLIB_INSTALL_DIR:STRING=${libdir}" - -PROVIDES += "polarssl" -RPROVIDES:${PN} = "polarssl" - -PACKAGES =+ "${PN}-programs" -FILES:${PN}-programs = "${bindir}/" - -BBCLASSEXTEND = "native nativesdk" - -CVE_PRODUCT = "mbed_tls" - -# Fix merged upstream https://github.com/Mbed-TLS/mbedtls/pull/5310 -CVE_CHECK_IGNORE += "CVE-2021-43666" -# Fix merged upstream https://github.com/Mbed-TLS/mbedtls/commit/9a4a9c66a48edfe9ece03c7e4a53310adf73a86c -CVE_CHECK_IGNORE += "CVE-2021-45451" diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.2.bb b/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.2.bb new file mode 100644 index 0000000000..15bd7cf43d --- /dev/null +++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.2.bb @@ -0,0 +1,51 @@ +SUMMARY = "Lightweight crypto and SSL/TLS library" +DESCRIPTION = "mbedtls is a lean open source crypto library \ +for providing SSL and TLS support in your programs. It offers \ +an intuitive API and documented header files, so you can actually \ +understand what the code does. It features: \ + \ + - Symmetric algorithms, like AES, Blowfish, Triple-DES, DES, ARC4, \ + Camellia and XTEA \ + - Hash algorithms, like SHA-1, SHA-2, RIPEMD-160 and MD5 \ + - Entropy pool and random generators, like CTR-DRBG and HMAC-DRBG \ + - Public key algorithms, like RSA, Elliptic Curves, Diffie-Hellman, \ + ECDSA and ECDH \ + - SSL v3 and TLS 1.0, 1.1 and 1.2 \ + - Abstraction layers for ciphers, hashes, public key operations, \ + platform abstraction and threading \ +" + +HOMEPAGE = "https://tls.mbed.org/" + +LICENSE = "Apache-2.0" +LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57" + +SECTION = "libs" + +S = "${WORKDIR}/git" +SRCREV = "89f040a5c938985c5f30728baed21e49d0846a53" +SRC_URI = "git://github.com/ARMmbed/mbedtls.git;protocol=https;branch=mbedtls-2.28" + +inherit cmake + +PACKAGECONFIG ??= "shared-libs programs" +PACKAGECONFIG[shared-libs] = "-DUSE_SHARED_MBEDTLS_LIBRARY=ON,-DUSE_SHARED_MBEDTLS_LIBRARY=OFF" +PACKAGECONFIG[programs] = "-DENABLE_PROGRAMS=ON,-DENABLE_PROGRAMS=OFF" +PACKAGECONFIG[werror] = "-DMBEDTLS_FATAL_WARNINGS=ON,-DMBEDTLS_FATAL_WARNINGS=OFF" + +EXTRA_OECMAKE = "-DENABLE_TESTING=OFF -DLIB_INSTALL_DIR:STRING=${libdir}" + +PROVIDES += "polarssl" +RPROVIDES:${PN} = "polarssl" + +PACKAGES =+ "${PN}-programs" +FILES:${PN}-programs = "${bindir}/" + +BBCLASSEXTEND = "native nativesdk" + +CVE_PRODUCT = "mbed_tls" + +# Fix merged upstream https://github.com/Mbed-TLS/mbedtls/pull/5310 +CVE_CHECK_IGNORE += "CVE-2021-43666" +# Fix merged upstream https://github.com/Mbed-TLS/mbedtls/commit/9a4a9c66a48edfe9ece03c7e4a53310adf73a86c +CVE_CHECK_IGNORE += "CVE-2021-45451" -- cgit 1.2.3-korg