[poky] [PATCH] openssl: drop the valgrind patch that introduce a security hole

Saul Wold saul.wold at intel.com
Thu Jan 20 17:04:24 PST 2011 

On 01/17/2011 02:36 PM, Ilya Yanok wrote:
> debian/valgrind.patch is the 'famous' Debian OpenSSL patch responsible
> for everyone using Debian and derivatives changing their keys. All keys
> generated with the patched OpenSSL are compromised so at very least we
> have to drop this patch for good.
>
> Signed-off-by: Ilya Yanok<yanok at emcraft.com>
> ---
>   .../openssl/openssl-0.9.8p/debian/valgrind.patch   |   15 ---------------
>   .../recipes-connectivity/openssl/openssl_0.9.8p.bb |    1 -
>   2 files changed, 0 insertions(+), 16 deletions(-)
>   delete mode 100644 meta/recipes-connectivity/openssl/openssl-0.9.8p/debian/valgrind.patch
>
> diff --git a/meta/recipes-connectivity/openssl/openssl-0.9.8p/debian/valgrind.patch b/meta/recipes-connectivity/openssl/openssl-0.9.8p/debian/valgrind.patch
> deleted file mode 100644
> index e9f86ea..0000000
> --- a/meta/recipes-connectivity/openssl/openssl-0.9.8p/debian/valgrind.patch
> +++ /dev/null
> @@ -1,15 +0,0 @@
> -Index: openssl-0.9.8k/crypto/rand/md_rand.c
> -===================================================================
> ---- openssl-0.9.8k.orig/crypto/rand/md_rand.c	2008-09-16 13:50:05.000000000 +0200
> -+++ openssl-0.9.8k/crypto/rand/md_rand.c	2009-07-19 11:36:05.000000000 +0200
> -@@ -477,8 +477,10 @@
> - 		MD_Update(&m,local_md,MD_DIGEST_LENGTH);
> - 		MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c));
> - #ifndef PURIFY
> -+#if 0 /* Don't add uninitialised data. */
> - 		MD_Update(&m,buf,j); /* purify complains */
> - #endif
> -+#endif
> - 		k=(st_idx+MD_DIGEST_LENGTH/2)-st_num;
> - 		if (k>  0)
> - 			{
> diff --git a/meta/recipes-connectivity/openssl/openssl_0.9.8p.bb b/meta/recipes-connectivity/openssl/openssl_0.9.8p.bb
> index 3ae6bf4..283b82a 100644
> --- a/meta/recipes-connectivity/openssl/openssl_0.9.8p.bb
> +++ b/meta/recipes-connectivity/openssl/openssl_0.9.8p.bb
> @@ -13,7 +13,6 @@ SRC_URI += "file://debian/ca.patch \
>               file://debian/no-symbolic.patch \
>               file://debian/pic.patch \
>               file://debian/pkg-config.patch \
> -            file://debian/valgrind.patch \
>               file://debian/rc4-amd64.patch \
>               file://debian/rehash-crt.patch \
>               file://debian/rehash_pod.patch \
Pulled into Master

Thanks
	Sau!

More information about the poky mailing list