
From: Sam James <sam@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/, profiles/
Date: Thu, 30 Jun 2022 19:32:58
Message-Id: 1656617565.82e7edabadc776d7b123ee7bfd65a78a892eae47.sam@gentoo
1 commit: 82e7edabadc776d7b123ee7bfd65a78a892eae47
2 Author: Sam James <sam <AT> gentoo <DOT> org>
3 AuthorDate: Thu Jun 30 19:31:38 2022 +0000
4 Commit: Sam James <sam <AT> gentoo <DOT> org>
5 CommitDate: Thu Jun 30 19:32:45 2022 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=82e7edab
7
8 dev-libs/openssl: backport AVX512 overflow fix
9
10 Bug: https://github.com/openssl/openssl/issues/18625
11 Signed-off-by: Sam James <sam <AT> gentoo.org>
12
13 .../files/openssl-1.1.1p-fix-test-build.patch | 6 ++++
14 .../openssl-3.0.4-avx512-buffer-overflow.patch | 34 ++++++++++++++++++++++
15 ...ld.patch => openssl-3.0.4-fix-test-build.patch} | 0
16 ...penssl-3.0.4.ebuild => openssl-3.0.4-r1.ebuild} | 7 +++--
17 profiles/package.mask | 7 -----
18 5 files changed, 45 insertions(+), 9 deletions(-)
19
20 diff --git a/dev-libs/openssl/files/openssl-1.1.1p-fix-test-build.patch b/dev-libs/openssl/files/openssl-1.1.1p-fix-test-build.patch
21 index f96e54f3127e..5dca6926dd8f 100644
22 --- a/dev-libs/openssl/files/openssl-1.1.1p-fix-test-build.patch
23 +++ b/dev-libs/openssl/files/openssl-1.1.1p-fix-test-build.patch
24 @@ -16,6 +16,12 @@ Reviewed-by: Paul Dale <pauli@×××××××.org>
25 (Merged from https://github.com/openssl/openssl/pull/18634)
26
27 (cherry picked from commit b76efe61ea9710a8f69e1cb8caf1aeb2ba6f1ebe)
28 +---
29 + test/v3ext.c | 4 ++++
30 + 1 file changed, 4 insertions(+)
31 +
32 +diff --git a/test/v3ext.c b/test/v3ext.c
33 +index e96b6f79b58f..a2adb1a9f0ef 100644
34 --- a/test/v3ext.c
35 +++ b/test/v3ext.c
36 @@ -37,6 +37,7 @@ static int test_pathlen(void)
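Review bot: The format of this patch file now differs from the new `openssl-3.0.4-avx512-buffer-overflow.patch` added in the same commit, which carries only `--- a/` and `+++ b/` lines and no `diff --git`/`index` header. Both forms apply with eapply (`patch -p1`), so this is a consistency point rather than a functional one, but a tree that mixes the two styles makes it harder to tell at a glance which patches were taken verbatim from `git format-patch` and which were hand-trimmed. If the header is being restored here so that git-style tooling can read the file, the same `diff --git a/crypto/bn/rsaz_exp_x2.c b/crypto/bn/rsaz_exp_x2.c` and `index` lines belong in the new patch too. The inner `test/v3ext.c` hunk continues outside this hunk.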
37
38 diff --git a/dev-libs/openssl/files/openssl-3.0.4-avx512-buffer-overflow.patch b/dev-libs/openssl/files/openssl-3.0.4-avx512-buffer-overflow.patch
39 new file mode 100644
40 index 000000000000..c72e958ff535
41 --- /dev/null
42 +++ b/dev-libs/openssl/files/openssl-3.0.4-avx512-buffer-overflow.patch
43 @@ -0,0 +1,34 @@
44 +https://github.com/openssl/openssl/commit/a1f7034bbd8f0730d360211f5ba0feeaef0b7b2c
45 +https://github.com/openssl/openssl/issues/18625
46 +
47 +From a1f7034bbd8f0730d360211f5ba0feeaef0b7b2c Mon Sep 17 00:00:00 2001
48 +From: Xi Ruoyao <xry111@××××××.site>
49 +Date: Wed, 22 Jun 2022 18:07:05 +0800
50 +Subject: [PATCH] rsa: fix bn_reduce_once_in_place call for
51 + rsaz_mod_exp_avx512_x2
52 +
53 +bn_reduce_once_in_place expects the number of BN_ULONG, but factor_size
54 +is moduli bit size.
55 +
56 +Fixes #18625.
57 +
58 +Signed-off-by: Xi Ruoyao <xry111@××××××.site>
59 +
60 +Reviewed-by: Tomas Mraz <tomas@×××××××.org>
61 +Reviewed-by: Paul Dale <pauli@×××××××.org>
62 +(Merged from https://github.com/openssl/openssl/pull/18626)
63 +
64 +(cherry picked from commit 4d8a88c134df634ba610ff8db1eb8478ac5fd345)
65 +--- a/crypto/bn/rsaz_exp_x2.c
66 ++++ b/crypto/bn/rsaz_exp_x2.c
67 +@@ -220,6 +220,9 @@ int ossl_rsaz_mod_exp_avx512_x2(BN_ULONG *res1,
68 + from_words52(res1, factor_size, rr1_red);
69 + from_words52(res2, factor_size, rr2_red);
70 +
71 ++ /* bn_reduce_once_in_place expects number of BN_ULONG, not bit size */
72 ++ factor_size /= sizeof(BN_ULONG) * 8;
73 ++
74 + bn_reduce_once_in_place(res1, /*carry=*/0, m1, storage, factor_size);
75 + bn_reduce_once_in_place(res2, /*carry=*/0, m2, storage, factor_size);
76 +
77 +
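Review bot: After the added `factor_size /= sizeof(BN_ULONG) * 8;` line, `factor_size` holds a word count, while two lines above the same variable is passed to `from_words52()` as a bit count, so one name carries two units within a three-line window; a dedicated local keeps the original meaning intact for anything later in the function that still expects bits: `int factor_words = factor_size / (sizeof(BN_ULONG) * 8);` and pass `factor_words` to both `bn_reduce_once_in_place()` calls. The integer division also silently floors a bit size that is not a multiple of 64; whether earlier code in `ossl_rsaz_mod_exp_avx512_x2` (outside this hunk) restricts `factor_size` to supported multiples is not visible here, so a one-line comment stating that precondition, e.g. `/* factor_size is a multiple of 64 here (checked above) */`, would be worth adding if it holds. Since the file is a verbatim upstream cherry-pick, this is a point to raise upstream rather than a reason to diverge the backport; applying it unconditionally via PATCHES is the right call, as the affected code path is presumably selected by CPU features at runtime rather than by a build-time option.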
78
79 diff --git a/dev-libs/openssl/files/openssl-1.1.1p-fix-test-build.patch b/dev-libs/openssl/files/openssl-3.0.4-fix-test-build.patch
80 similarity index 100%
81 copy from dev-libs/openssl/files/openssl-1.1.1p-fix-test-build.patch
82 copy to dev-libs/openssl/files/openssl-3.0.4-fix-test-build.patch
83
84 diff --git a/dev-libs/openssl/openssl-3.0.4.ebuild b/dev-libs/openssl/openssl-3.0.4-r1.ebuild
85 similarity index 98%
86 rename from dev-libs/openssl/openssl-3.0.4.ebuild
87 rename to dev-libs/openssl/openssl-3.0.4-r1.ebuild
88 index ede15424a910..f4951da01454 100644
89 --- a/dev-libs/openssl/openssl-3.0.4.ebuild
90 +++ b/dev-libs/openssl/openssl-3.0.4-r1.ebuild
91 @@ -46,12 +46,15 @@ DEPEND="${COMMON_DEPEND}"
92 RDEPEND="${COMMON_DEPEND}"
93 PDEPEND="app-misc/ca-certificates"
94
95 -REQUIRED_USE="test? ( rfc3779 )"
96 -
97 MULTILIB_WRAPPED_HEADERS=(
98 /usr/include/openssl/configuration.h
99 )
100
101 +PATCHES=(
102 + "${FILESDIR}"/${P}-avx512-buffer-overflow.patch
103 + "${FILESDIR}"/${P}-fix-test-build.patch
104 +)
105 +
106 pkg_setup() {
107 if use ktls ; then
108 if kernel_is -lt 4 18 ; then
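Review bot: The two PATCHES entries carry no note of what they fix or when they can be dropped, and this array is the first place a maintainer bumping to the next upstream release will look; a comment above it such as `# Upstream fixes for 3.0.4: AVX512 RSA buffer overflow (openssl/openssl#18625) and the test build; drop once the next upstream release includes them` would make the revision bump self-explaining. Removing `REQUIRED_USE="test? ( rfc3779 )"` relies on `${P}-fix-test-build.patch`, which is a byte-identical copy of the 1.1.1p patch (similarity index 100%); a failure to apply against 3.0.4's `test/v3ext.c` would break every build at eapply, so presumably that was checked, but the case actually worth confirming is a `USE=test -rfc3779` build, which the dropped REQUIRED_USE previously forbade. `pkg_setup` continues outside this hunk.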
109
110 diff --git a/profiles/package.mask b/profiles/package.mask
111 index e9663afb0ce2..4c5d63309305 100644
112 --- a/profiles/package.mask
113 +++ b/profiles/package.mask
114 @@ -44,13 +44,6 @@
115 # as deprecated since March 2022. Removal in 30 days (Bug #855299).
116 gnome-extra/gtkhtml
117
118 -# Sam James <sam@g.o> (2022-06-29)
119 -# Pre-emptively mask broken upstream versions.
120 -# openssl 3.0.4 has a buffer overflow w/ AVX512 (https://github.com/openssl/openssl/issues/18625)
121 -# Gentoo isn't vulnerable to the original CVE which caused these releases
122 -# (CVE-2022-2068) as we have our own rehash script.
123 -=dev-libs/openssl-3.0.4
124 -
125 # Piotr Karbowski <slashbeast@g.o> (2022-06-26)
126 # Abandoned upstream, depends on API that no longer exists.
127 # Removal on 2022-07-26.