[OpenWrt-Devel] [PATCH 0/1] wolfssl: bump to 4.1.0-stable
Eneas U de Queiroz
cotequeiroz at gmail.com
Mon Aug 5 10:47:57 EDT 2019
I'm requesting comments about updating this in 18.06.
I'm sending this to 19.07 right away, but it won't be so easy with 18.06
because there is an ABI version change from 3.15.3 (current) to 3.15.7.
Besides CVE-2019-13628, it is vulnerable to CVE-2018-16870: a variant of
the Bleichenbacher attack.
I've managed to backport both fixes;
* CVE-2019-13628 applied cleanly;
* CVE-2018-16870 needed some work. I've run the testsuite, and all
tests passed. I've used gdb while running them, and could verify that
the tests covered all of the changed lines, except for some of the
newly added error conditions.
CVE-2019-13628 is scheduled to be issued on Sep 02.
So we have three choices:
* update to 4.1.0-stable: we have to deal with the ABI version change.
If we do nothing, then dependent packages will not work without
removal and reinstallation.
We can increase PKG_RELEASE for the dependent packages, some of which
may be cumbersome: hostapd and ustream-ssl will either require a
cumbersome subpackage bump, or have everybody else that do not use
wolfssl be prompted to needlessly update their packages.
* apply a custom patch that will not be so thoroughly tested.
* do nothing: both vulnerabilities are timing attacks, CVE-2018-16870 is
rated medium-severity. We can wait for CVE-2019-13628's final grade,
but wolfssl states it "is considered difficult to exploit".
Even though I'm confident the patches will not do much harm, I'm more
comfortable with updating to 4.1.0 and bumping dependent subpackages.
A note about the removed patches:
400-additional_compatibility.patch: I couldn't find much about the need
for this; it appears to be related to SNI support, which was new at the
time. I've compiled all packages that use wolfssl and found no issues
with them. ustream-ssl actually defines HAVE_SNI, and I have done
extensive runtime tests without any issues.
900-remove-broken-autoconf-macros.patch: this was fixed upstream, and
the jobserver was disabled by ./configure --disable-jobserver.
Eneas U de Queiroz (1):
wolfssl: bump to 4.1.0-stable
package/libs/wolfssl/Config.in | 14 ++++-------
package/libs/wolfssl/Makefile | 23 ++++++++-----------
.../400-additional_compatibility.patch | 12 ----------
.../900-remove-broken-autoconf-macros.patch | 21 -----------------
4 files changed, 15 insertions(+), 55 deletions(-)
delete mode 100644 package/libs/wolfssl/patches/400-additional_compatibility.patch
delete mode 100644 package/libs/wolfssl/patches/900-remove-broken-autoconf-macros.patch
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
More information about the openwrt-devel