[OpenWrt-Devel] [PATCH 0/1] wolfssl: bump to 4.1.0-stable

Eneas U de Queiroz cotequeiroz at gmail.com
Mon Aug 5 10:47:57 EDT 2019

I'm requesting comments about updating this in 18.06.

I'm sending this to 19.07 right away, but it won't be so easy with 18.06
because there is an ABI version change from 3.15.3 (current) to 3.15.7.
Besides CVE-2019-13628, it is vulnerable to CVE-2018-16870: a variant of
the Bleichenbacher attack.

I've managed to backport both fixes; 
* CVE-2019-13628 applied cleanly;
* CVE-2018-16870 needed some work.  I've run the testsuite, and all
  tests passed.  I've used gdb while running them, and could verify that
  the tests covered all of the changed lines, except for some of the
  newly added error conditions.

CVE-2019-13628 is scheduled to be issued on Sep 02.

So we have three choices:
* update to 4.1.0-stable: we have to deal with the ABI version change.
  If we do nothing, then dependent packages will not work without
  removal and reinstallation.
  We can increase PKG_RELEASE for the dependent packages, some of which
  may be cumbersome: hostapd and ustream-ssl will either require a
  cumbersome subpackage bump, or have everybody else that do not use
  wolfssl be prompted to needlessly update their packages.
* apply a custom patch that will not be so thoroughly tested.
* do nothing: both vulnerabilities are timing attacks, CVE-2018-16870 is
  rated medium-severity.  We can wait for CVE-2019-13628's final grade,
  but wolfssl states it "is considered difficult to exploit".

Even though I'm confident the patches will not do much harm, I'm more
comfortable with updating to 4.1.0 and bumping dependent subpackages.

A note about the removed patches:

400-additional_compatibility.patch: I couldn't find much about the need
for this; it appears to be related to SNI support, which was new at the
time.  I've compiled all packages that use wolfssl and found no issues
with them. ustream-ssl actually defines HAVE_SNI, and I have done
extensive runtime tests without any issues.

900-remove-broken-autoconf-macros.patch: this was fixed upstream, and
the jobserver was disabled by ./configure --disable-jobserver.

Eneas U de Queiroz (1):
  wolfssl: bump to 4.1.0-stable

 package/libs/wolfssl/Config.in                | 14 ++++-------
 package/libs/wolfssl/Makefile                 | 23 ++++++++-----------
 .../400-additional_compatibility.patch        | 12 ----------
 .../900-remove-broken-autoconf-macros.patch   | 21 -----------------
 4 files changed, 15 insertions(+), 55 deletions(-)
 delete mode 100644 package/libs/wolfssl/patches/400-additional_compatibility.patch
 delete mode 100644 package/libs/wolfssl/patches/900-remove-broken-autoconf-macros.patch

openwrt-devel mailing list
openwrt-devel at lists.openwrt.org

More information about the openwrt-devel mailing list