import edk2-20220126gitbb1bba3d77-4.el8

2023-02-18 00:19:01 +00:00 · 2023-02-18 00:19:01 +00:00 · ed27138976
commit ed27138976
parent 40cc9cace6
4 changed files with 63 additions and 4 deletions
--- a/.edk2.metadata
+++ b/.edk2.metadata
@ -1,3 +1,3 @@
 fdcb04021414cdd5a7e286058ca36aca359d323d SOURCES/RedHatSecureBootPkKek1.pem
 ae830c7278f985cb25e90f4687b46c8b22316bef SOURCES/edk2-bb1bba3d77.tar.xz
-50747c8a7bb55619b69e95683c7c4172d52d1974 SOURCES/openssl-rhel-740e53ace8f6771c205bf84780e26bcd7a3275df.tar.xz
+df2e14a45d968b590194d82736fcbfe2be10d1b0 SOURCES/openssl-rhel-d00c3c5b8a9d6d3ea3dabfcafdf36afd61ba8bcc.tar.xz
--- a/.gitignore
+++ b/.gitignore
@ -1,3 +1,3 @@
 SOURCES/RedHatSecureBootPkKek1.pem
 SOURCES/edk2-bb1bba3d77.tar.xz
-SOURCES/openssl-rhel-740e53ace8f6771c205bf84780e26bcd7a3275df.tar.xz
+SOURCES/openssl-rhel-d00c3c5b8a9d6d3ea3dabfcafdf36afd61ba8bcc.tar.xz
--- a/SOURCES/edk2-rh-openssl-add-crypto-bn-rsa_sup_mul.c-to-file-list.patch
+++ b/SOURCES/edk2-rh-openssl-add-crypto-bn-rsa_sup_mul.c-to-file-list.patch
@ -0,0 +1,42 @@
+From ec7ff1612b2f5b0075545dc705b7c2610ec83748 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Fri, 10 Feb 2023 11:43:06 +0100
+Subject: [PATCH 2/2] rh openssl: add crypto/bn/rsa_sup_mul.c to file list
+
+RH-Author: Gerd Hoffmann <kraxel@redhat.com>
+RH-MergeRequest: 21: openssl update
+RH-Bugzilla: 2164531 2164543 2164558 2164581
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+RH-Commit: [2/2] 61acf48e337f04b34c4f309241775b204ae2e54f (kraxel/rhel-edk-2)
+---
+ CryptoPkg/Library/OpensslLib/OpensslLib.inf       | 1 +
+ CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+index 19913a4ac6..4eaa8a756d 100644
+--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+@@ -571,6 +571,7 @@
+   $(OPENSSL_PATH)/ssl/statem/statem_local.h
+ # Autogenerated files list ends here
+ # RHEL8-specific OpenSSL file list starts here
+  $(OPENSSL_PATH)/crypto/bn/rsa_sup_mul.c
+   $(OPENSSL_PATH)/crypto/evp/kdf_lib.c
+   $(OPENSSL_PATH)/crypto/evp/pkey_kdf.c
+   $(OPENSSL_PATH)/crypto/kdf/kbkdf.c
+diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+index 5057857e8d..eec4771f2c 100644
+--- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+@@ -520,6 +520,7 @@
+   $(OPENSSL_PATH)/crypto/x509v3/v3_admis.h
+ # Autogenerated files list ends here
+ # RHEL8-specific OpenSSL file list starts here
+  $(OPENSSL_PATH)/crypto/bn/rsa_sup_mul.c
+   $(OPENSSL_PATH)/crypto/evp/kdf_lib.c
+   $(OPENSSL_PATH)/crypto/evp/pkey_kdf.c
+   $(OPENSSL_PATH)/crypto/kdf/kbkdf.c
+-- 
+2.37.3
+
--- a/SPECS/edk2.spec
+++ b/SPECS/edk2.spec
@ -7,7 +7,7 @@ ExclusiveArch: x86_64 aarch64

 Name:       edk2
 Version:    %{GITDATE}git%{GITCOMMIT}
-Release:    3%{?dist}
+Release:    4%{?dist}
 Summary:    UEFI firmware for 64-bit virtual machines
 Group:      Applications/Emulators
 License:    BSD-2-Clause-Patent and OpenSSL and MIT
@ -19,7 +19,7 @@ URL:        http://www.tianocore.org
 # | xz -9ev >/tmp/edk2-$COMMIT.tar.xz
 Source0: http://batcave.lab.eng.brq.redhat.com/www/edk2-%{GITCOMMIT}.tar.xz
 Source1: ovmf-whitepaper-c770f8c.txt
-Source2: openssl-rhel-740e53ace8f6771c205bf84780e26bcd7a3275df.tar.xz
+Source2: openssl-rhel-d00c3c5b8a9d6d3ea3dabfcafdf36afd61ba8bcc.tar.xz
 Source3: ovmf-vars-generator
 Source4: LICENSE.qosb
 Source5: RedHatSecureBootPkKek1.pem
@ -51,6 +51,11 @@ Patch0025: 0025-OvmfPkg-QemuKernelLoaderFsDxe-suppress-error-on-no-k.patch
 Patch0026: 0026-SecurityPkg-Tcg2Dxe-suppress-error-on-no-swtpm-in-si.patch
 # For bz#2112307 - Mark SEV launch secret area as reserved
 Patch27: edk2-OvmfPkg-AmdSev-SecretPei-Mark-SEV-launch-secret-area.patch
+# For bz#2164531 - CVE-2023-0286 edk2: openssl: X.400 address type confusion in X.509 GeneralName [rhel-8]
+# For bz#2164543 - CVE-2022-4304 edk2: openssl: timing attack in RSA Decryption implementation [rhel-8]
+# For bz#2164558 - CVE-2023-0215 edk2: openssl: use-after-free following BIO_new_NDEF [rhel-8]
+# For bz#2164581 - CVE-2022-4450 edk2: openssl: double free after calling PEM_read_bio_ex [rhel-8]
+Patch28: edk2-rh-openssl-add-crypto-bn-rsa_sup_mul.c-to-file-list.patch


 # python3-devel and libuuid-devel are required for building tools.
@ -495,6 +500,18 @@ true
 %endif

 %changelog
+* Wed Feb 15 2023 Jon Maloy <jmaloy@redhat.com> - 20220126gitbb1bba3d77-4
+- edk2-openssl-update.patch [bz#2164531 bz#2164543 bz#2164558 bz#2164581]
+- edk2-rh-openssl-add-crypto-bn-rsa_sup_mul.c-to-file-list.patch [bz#2164531 bz#2164543 bz#2164558 bz#2164581]
+- Resolves: bz#2164531
+  (CVE-2023-0286 edk2: openssl: X.400 address type confusion in X.509 GeneralName [rhel-8])
+- Resolves: bz#2164543
+  (CVE-2022-4304 edk2: openssl: timing attack in RSA Decryption implementation [rhel-8])
+- Resolves: bz#2164558
+  (CVE-2023-0215 edk2: openssl: use-after-free following BIO_new_NDEF [rhel-8])
+- Resolves: bz#2164581
+  (CVE-2022-4450 edk2: openssl: double free after calling PEM_read_bio_ex [rhel-8])
+
 * Tue Aug 02 2022 Camilla Conte <cconte@redhat.com> - 20220126gitbb1bba3d77-3
 - Bumping OpenSSL version [bz# 2074834]
 - Resolves: bz# 2074834