From patchwork Sun Jan 30 16:25:31 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hauke Mehrtens X-Patchwork-Id: 1586409 X-Patchwork-Delegate: hauke@hauke-m.de Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: bilbo.ozlabs.org; dkim=pass (2048-bit key; secure) header.d=lists.infradead.org header.i=@lists.infradead.org header.a=rsa-sha256 header.s=bombadil.20210309 header.b=xVhSgXkm; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=hauke-m.de header.i=@hauke-m.de header.a=rsa-sha256 header.s=MBO0001 header.b=uXDANOju; dkim-atps=neutral Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.openwrt.org (client-ip=2607:7c80:54:e::133; helo=bombadil.infradead.org; envelope-from=openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org; receiver=) Received: from bombadil.infradead.org (bombadil.infradead.org [IPv6:2607:7c80:54:e::133]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by bilbo.ozlabs.org (Postfix) with ESMTPS id 4JmxTN4n9bz9sFM for ; Mon, 31 Jan 2022 03:28:39 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To: Message-Id:Date:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=YphoWqbiZ21+4XhqqMcq7yVWuT1Kl7u3TDtai98UGqo=; b=xVhSgXkmpiNCfn FaMTGHNSkICNg+t2+OU5y2jcILzM1MecucnOcUmAsN3apRkKOiumIowvDRO5fghYGsRnycC5TT8V3 +QxCb0eeyjpy8j3eHwQJI0AaldnEvwDtOoiBwvHn5VHBYdIdpqJ4Dy1hFx7jIzbALn1KzkGbDIboY adDvHfZVLewpINXs8AD3Ls5TGAlJQJbWAIWmSBNvqMkrMuocQvin2SQAb7QtxUNOgitJnKh9f1fNf w1+asjVKU2d83BJHJ7XR7/Gd24csGcRor4UfKYuUiJ3AneCDLrSCoUvKTkFFMuA+FqyLgbkiZsi7M +NWYDoG1A4HfroBFiNWg==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1nED22-006xEw-8b; Sun, 30 Jan 2022 16:26:26 +0000 Received: from mout-p-202.mailbox.org ([2001:67c:2050::465:202]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1nED1g-006xAs-6y for openwrt-devel@lists.openwrt.org; Sun, 30 Jan 2022 16:26:08 +0000 Received: from smtp202.mailbox.org (smtp202.mailbox.org [80.241.60.245]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-p-202.mailbox.org (Postfix) with ESMTPS id 4JmxQL14wRz9sS0; Sun, 30 Jan 2022 17:26:02 +0100 (CET) X-Virus-Scanned: amavisd-new at heinlein-support.de DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hauke-m.de; s=MBO0001; t=1643559960; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=TYaIICv95CCw6wP/W0jmkFGpN6mVCGMi03iGnUeD0R8=; b=uXDANOjulkmo2ZrjnQ8Q7ZrX2/uhZfMqAfQ2xrbwYmVg5ftGMcRxwR8+y9HscuxwU/ipCb Yeojqlo8MSsHlIwmAqpz0xgiiuyueRyPz8/5y3IhH1eNVZEzxauwZ3ioQummCsbBBTOFQw UzslTn240/Q7/zg9Pw5WUmMHqteK4hQq5EirxUCTcwRXxCTK9dsBwBlGsnPBFS2wCP+FPd +HCDarR3WPTOIi1e9OWez59iA6kH43DaH0x/WXxYTuROCayjY0/ihXMjJC2foCSvJwaprs rfgtN67xL86JTsEvioGaP0NoCb/y3s5ool0IIF0AiVqZwSpkj1ieCILyPowNAg== From: Hauke Mehrtens To: openwrt-devel@lists.openwrt.org Cc: Hauke Mehrtens Subject: [PATCH 04/11] mbedtls: Update to version 2.16.12 Date: Sun, 30 Jan 2022 17:25:31 +0100 Message-Id: <20220130162538.3370704-4-hauke@hauke-m.de> In-Reply-To: <20220130162538.3370704-1-hauke@hauke-m.de> References: <20220130162538.3370704-1-hauke@hauke-m.de> MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20220130_082604_429637_97986055 X-CRM114-Status: GOOD ( 10.46 ) X-Spam-Score: -0.9 (/) X-Spam-Report: Spam detection software, running on the system "bombadil.infradead.org", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: This fixes the following security problems: * Zeroize several intermediate variables used to calculate the expected value when verifying a MAC or AEAD tag. This hardens the library in case the value l [...] Content analysis details: (-0.9 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at https://www.dnswl.org/, low trust [2001:67c:2050:0:0:0:465:202 listed in] [list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain X-BeenThere: openwrt-devel@lists.openwrt.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: OpenWrt Development List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "openwrt-devel" Errors-To: openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org This fixes the following security problems: * Zeroize several intermediate variables used to calculate the expected value when verifying a MAC or AEAD tag. This hardens the library in case the value leaks through a memory disclosure vulnerability. For example, a memory disclosure vulnerability could have allowed a man-in-the-middle to inject fake ciphertext into a DTLS connection. * Fix a double-free that happened after mbedtls_ssl_set_session() or mbedtls_ssl_get_session() failed with MBEDTLS_ERR_SSL_ALLOC_FAILED (out of memory). After that, calling mbedtls_ssl_session_free() and mbedtls_ssl_free() would cause an internal session buffer to be free()'d twice. CVE-2021-44732 The sizes of the ipk changed on MIPS 24Kc like this: 182454 libmbedtls12_2.16.11-2_mips_24kc.ipk 182742 libmbedtls12_2.16.12-1_mips_24kc.ipk Signed-off-by: Hauke Mehrtens --- package/libs/mbedtls/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package/libs/mbedtls/Makefile b/package/libs/mbedtls/Makefile index 6adf091c3ce0..d3f7d0cad2a6 100644 --- a/package/libs/mbedtls/Makefile +++ b/package/libs/mbedtls/Makefile @@ -8,13 +8,13 @@ include $(TOPDIR)/rules.mk PKG_NAME:=mbedtls -PKG_VERSION:=2.16.11 +PKG_VERSION:=2.16.12 PKG_RELEASE:=$(AUTORELEASE) PKG_USE_MIPS16:=0 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/ARMmbed/mbedtls/tar.gz/v$(PKG_VERSION)? -PKG_HASH:=c18e7e9abf95e69e425260493720470021384a1728417042060a35d0b7b18b41 +PKG_HASH:=294871ab1864a65d0b74325e9219d5bcd6e91c34a3c59270c357bb9ae4d5c393 PKG_LICENSE:=GPL-2.0-or-later PKG_LICENSE_FILES:=gpl-2.0.txt