From f10b82c44a3c4dde9a6a2718b54a38404798d456 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Sat, 18 Feb 2023 00:19:17 +0000 Subject: [PATCH] Auto sync2gitlab import of edk2-20220126gitbb1bba3d77-4.el8.src.rpm --- .gitignore | 1 + ...crypto-bn-rsa_sup_mul.c-to-file-list.patch | 42 +++++++++++++++++++ edk2.spec | 21 +++++++++- sources | 2 +- 4 files changed, 63 insertions(+), 3 deletions(-) create mode 100644 edk2-rh-openssl-add-crypto-bn-rsa_sup_mul.c-to-file-list.patch diff --git a/.gitignore b/.gitignore index f89ab29..fb56625 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ /edk2-bb1bba3d77.tar.xz /openssl-rhel-a75722161d20fd632f8875585d3aa066ec5fea93.tar.xz /openssl-rhel-740e53ace8f6771c205bf84780e26bcd7a3275df.tar.xz +/openssl-rhel-d00c3c5b8a9d6d3ea3dabfcafdf36afd61ba8bcc.tar.xz diff --git a/edk2-rh-openssl-add-crypto-bn-rsa_sup_mul.c-to-file-list.patch b/edk2-rh-openssl-add-crypto-bn-rsa_sup_mul.c-to-file-list.patch new file mode 100644 index 0000000..f0ee17f --- /dev/null +++ b/edk2-rh-openssl-add-crypto-bn-rsa_sup_mul.c-to-file-list.patch @@ -0,0 +1,42 @@ +From ec7ff1612b2f5b0075545dc705b7c2610ec83748 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Fri, 10 Feb 2023 11:43:06 +0100 +Subject: [PATCH 2/2] rh openssl: add crypto/bn/rsa_sup_mul.c to file list + +RH-Author: Gerd Hoffmann +RH-MergeRequest: 21: openssl update +RH-Bugzilla: 2164531 2164543 2164558 2164581 +RH-Acked-by: Miroslav Rezanina +RH-Commit: [2/2] 61acf48e337f04b34c4f309241775b204ae2e54f (kraxel/rhel-edk-2) +--- + CryptoPkg/Library/OpensslLib/OpensslLib.inf | 1 + + CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf +index 19913a4ac6..4eaa8a756d 100644 +--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf ++++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf +@@ -571,6 +571,7 @@ + $(OPENSSL_PATH)/ssl/statem/statem_local.h + # Autogenerated files list ends here + # RHEL8-specific OpenSSL file list starts here ++ $(OPENSSL_PATH)/crypto/bn/rsa_sup_mul.c + $(OPENSSL_PATH)/crypto/evp/kdf_lib.c + $(OPENSSL_PATH)/crypto/evp/pkey_kdf.c + $(OPENSSL_PATH)/crypto/kdf/kbkdf.c +diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf +index 5057857e8d..eec4771f2c 100644 +--- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf ++++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf +@@ -520,6 +520,7 @@ + $(OPENSSL_PATH)/crypto/x509v3/v3_admis.h + # Autogenerated files list ends here + # RHEL8-specific OpenSSL file list starts here ++ $(OPENSSL_PATH)/crypto/bn/rsa_sup_mul.c + $(OPENSSL_PATH)/crypto/evp/kdf_lib.c + $(OPENSSL_PATH)/crypto/evp/pkey_kdf.c + $(OPENSSL_PATH)/crypto/kdf/kbkdf.c +-- +2.37.3 + diff --git a/edk2.spec b/edk2.spec index 95ba556..c430c1c 100644 --- a/edk2.spec +++ b/edk2.spec @@ -7,7 +7,7 @@ ExclusiveArch: x86_64 aarch64 Name: edk2 Version: %{GITDATE}git%{GITCOMMIT} -Release: 3%{?dist} +Release: 4%{?dist} Summary: UEFI firmware for 64-bit virtual machines Group: Applications/Emulators License: BSD-2-Clause-Patent and OpenSSL and MIT @@ -19,7 +19,7 @@ URL: http://www.tianocore.org # | xz -9ev >/tmp/edk2-$COMMIT.tar.xz Source0: http://batcave.lab.eng.brq.redhat.com/www/edk2-%{GITCOMMIT}.tar.xz Source1: ovmf-whitepaper-c770f8c.txt -Source2: openssl-rhel-740e53ace8f6771c205bf84780e26bcd7a3275df.tar.xz +Source2: openssl-rhel-d00c3c5b8a9d6d3ea3dabfcafdf36afd61ba8bcc.tar.xz Source3: ovmf-vars-generator Source4: LICENSE.qosb Source5: RedHatSecureBootPkKek1.pem @@ -51,6 +51,11 @@ Patch0025: 0025-OvmfPkg-QemuKernelLoaderFsDxe-suppress-error-on-no-k.patch Patch0026: 0026-SecurityPkg-Tcg2Dxe-suppress-error-on-no-swtpm-in-si.patch # For bz#2112307 - Mark SEV launch secret area as reserved Patch27: edk2-OvmfPkg-AmdSev-SecretPei-Mark-SEV-launch-secret-area.patch +# For bz#2164531 - CVE-2023-0286 edk2: openssl: X.400 address type confusion in X.509 GeneralName [rhel-8] +# For bz#2164543 - CVE-2022-4304 edk2: openssl: timing attack in RSA Decryption implementation [rhel-8] +# For bz#2164558 - CVE-2023-0215 edk2: openssl: use-after-free following BIO_new_NDEF [rhel-8] +# For bz#2164581 - CVE-2022-4450 edk2: openssl: double free after calling PEM_read_bio_ex [rhel-8] +Patch28: edk2-rh-openssl-add-crypto-bn-rsa_sup_mul.c-to-file-list.patch # python3-devel and libuuid-devel are required for building tools. @@ -495,6 +500,18 @@ true %endif %changelog +* Wed Feb 15 2023 Jon Maloy - 20220126gitbb1bba3d77-4 +- edk2-openssl-update.patch [bz#2164531 bz#2164543 bz#2164558 bz#2164581] +- edk2-rh-openssl-add-crypto-bn-rsa_sup_mul.c-to-file-list.patch [bz#2164531 bz#2164543 bz#2164558 bz#2164581] +- Resolves: bz#2164531 + (CVE-2023-0286 edk2: openssl: X.400 address type confusion in X.509 GeneralName [rhel-8]) +- Resolves: bz#2164543 + (CVE-2022-4304 edk2: openssl: timing attack in RSA Decryption implementation [rhel-8]) +- Resolves: bz#2164558 + (CVE-2023-0215 edk2: openssl: use-after-free following BIO_new_NDEF [rhel-8]) +- Resolves: bz#2164581 + (CVE-2022-4450 edk2: openssl: double free after calling PEM_read_bio_ex [rhel-8]) + * Tue Aug 02 2022 Camilla Conte - 20220126gitbb1bba3d77-3 - Bumping OpenSSL version [bz# 2074834] - Resolves: bz# 2074834 diff --git a/sources b/sources index 42da63a..1f4d8b0 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ SHA512 (edk2-bb1bba3d77.tar.xz) = 3e0deb750d3443f4a2c15a066842e35a05a6dc65ce1869c229a8328d3dba8375949ee3825e16c7fe01bd77516a6717ccbdda1d674a2a862453e5480094c49c4c -SHA512 (openssl-rhel-740e53ace8f6771c205bf84780e26bcd7a3275df.tar.xz) = 6005e52a174788edc53dea287938546095197ea2d9c4802fae35d6c0eba563496ea25f6ae9f498e6826fca7b753e28a0b8d956f37c8289f20d681c43e6109391 +SHA512 (openssl-rhel-d00c3c5b8a9d6d3ea3dabfcafdf36afd61ba8bcc.tar.xz) = 4962a8d907f2913b80f72508cc688487cf0b38b1d3cd0c934f5307b236cb96d598af8e936d234de02c227795386045b5d19084a22ac447649a0f2b6c9fe753da