From f0e76390ef74ae2b76160f08967662f3a4327bd8 Mon Sep 17 00:00:00 2001 From: Matthias Schiffer Date: Thu, 5 May 2022 20:07:26 +0200 Subject: [PATCH 1/2] modules: update OpenWrt base 5ff900e0ade7 firewall: config: remove restictions on DHCPv6 allow rule 2ac5ee7f8a99 fstools: update to git HEAD ffe12f8b48cf procd: update to git HEAD 0dc3ecf0da1c base-files: simplify restorecon logic efc38b315e9b selinux-policy: update to version 1.1 6cb08b17979c base-files: add missing $IPKG_INSTROOT to restorecon call 9282cb0be06c base-files: address sed in-place without SELinux awareness dc71658a802b fstools: update to git HEAD 3a974b5bcd77 ipq40xx: fix BDF file for pcie wifi chip on the GL.Inet GL-B2200 d90c7621f40f kernel: bump 5.10 to 5.10.113 e9c14fa85f4d kernel: bump 5.10 to 5.10.112 fa8e050c4bcb f2fs-tools: fix resize.f2fs (#9800) 0c25b9cb11bf ath79: add USB power control for GL-AR300M series a142d96ade46 mpc85xx: Fix output location of padded dtb fbd9605a908d build: don't remove BUILD_LOG_DIR in _clean 946f60aaebc6 dnsmasq: add logfacility file to jail mounts 6d5a097232b0 ath79: ubnt: drop swconfig on ac-{lite,lr,mesh} 18649fbff04a bcm63xx: fix description fix name case d79380ac1dff ath79: ZTE MF286R: add comgt-ncm to DEVICE_PACKAGES 4c5d2cde1307 ramips: zbt-wg2626: Add the reset gpio for PCIe port 1 --- modules | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules b/modules index 4bbbc0fe..a59bf4c9 100644 --- a/modules +++ b/modules @@ -2,7 +2,7 @@ GLUON_FEEDS='packages routing gluon' OPENWRT_REPO=https://github.com/openwrt/openwrt.git OPENWRT_BRANCH=openwrt-22.03 -OPENWRT_COMMIT=d4053d2e8e098c53d6fc6ab860ba71cd8edf5455 +OPENWRT_COMMIT=5ff900e0ade775062bf888b447893aefa1a37146 PACKAGES_PACKAGES_REPO=https://github.com/openwrt/packages.git PACKAGES_PACKAGES_BRANCH=openwrt-22.03 From 8ebba2350a57cccd1cbb180691f23b3490ac5451 Mon Sep 17 00:00:00 2001 From: Matthias Schiffer Date: Thu, 5 May 2022 20:08:12 +0200 Subject: [PATCH 2/2] modules: update OpenWrt packages 948ea0e9c046 ecdsautils: update to v0.4.1 97333939dbcc hwdata: update to version 0.359 22c8efd9377c tor: bump to 0.4.7.7 stable 241e70f5fd84 etherwake-nfqueue: swap iptables for nftables dependency 61e0ee2e8e30 rclone: Update to 1.58.1 a8374c48e14f apfree-wifidog: fix compile error 2af08fe724f3 gst1-libav: fix compilation with ffmpeg5 419054a05f56 libtorrent-rasterbar: Update to 2.0.6 With the update to ecdsautils 0.4.1, we can remove the downstream patch again. --- modules | 2 +- ...ignature-verification-CVE-2022-24884.patch | 73 ------------------- 2 files changed, 1 insertion(+), 74 deletions(-) delete mode 100644 patches/packages/packages/0002-ecdsautils-verify-fix-signature-verification-CVE-2022-24884.patch diff --git a/modules b/modules index a59bf4c9..f64b81cd 100644 --- a/modules +++ b/modules @@ -6,7 +6,7 @@ OPENWRT_COMMIT=5ff900e0ade775062bf888b447893aefa1a37146 PACKAGES_PACKAGES_REPO=https://github.com/openwrt/packages.git PACKAGES_PACKAGES_BRANCH=openwrt-22.03 -PACKAGES_PACKAGES_COMMIT=09da83968ef0846cd1b13bfa1b91c33a1f9985bb +PACKAGES_PACKAGES_COMMIT=948ea0e9c0465524de92268eea13b2a7ae10b484 PACKAGES_ROUTING_REPO=https://github.com/openwrt/routing.git PACKAGES_ROUTING_BRANCH=openwrt-22.03 diff --git a/patches/packages/packages/0002-ecdsautils-verify-fix-signature-verification-CVE-2022-24884.patch b/patches/packages/packages/0002-ecdsautils-verify-fix-signature-verification-CVE-2022-24884.patch deleted file mode 100644 index de11528c..00000000 --- a/patches/packages/packages/0002-ecdsautils-verify-fix-signature-verification-CVE-2022-24884.patch +++ /dev/null @@ -1,73 +0,0 @@ -From: Matthias Schiffer -Date: Wed, 27 Apr 2022 19:01:39 +0200 -Subject: ecdsautils: verify: fix signature verification (CVE-2022-24884) - -Signed-off-by: Matthias Schiffer - -diff --git a/utils/ecdsautils/Makefile b/utils/ecdsautils/Makefile -index e6f5a916e63e9914369ae7e47106230346f9322c..096827494befad193c5904e1748c4e6768bbb15e 100644 ---- a/utils/ecdsautils/Makefile -+++ b/utils/ecdsautils/Makefile -@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk - - PKG_NAME:=ecdsautils - PKG_VERSION:=0.3.2.20160630 --PKG_RELEASE:=1 -+PKG_RELEASE:=2 - - PKG_SOURCE_PROTO:=git - PKG_SOURCE_URL:=https://github.com/freifunk-gluon/ecdsautils -diff --git a/utils/ecdsautils/patches/0001-verify-fix-signature-verification-CVE-2022-24884.patch b/utils/ecdsautils/patches/0001-verify-fix-signature-verification-CVE-2022-24884.patch -new file mode 100644 -index 0000000000000000000000000000000000000000..34d80cc201c0e87ca654c3def4fbbbddf622b0ba ---- /dev/null -+++ b/utils/ecdsautils/patches/0001-verify-fix-signature-verification-CVE-2022-24884.patch -@@ -0,0 +1,48 @@ -+From 1d4b091abdf15ad7b2312535b5b95ad70f6dbd08 Mon Sep 17 00:00:00 2001 -+Message-Id: <1d4b091abdf15ad7b2312535b5b95ad70f6dbd08.1651078760.git.mschiffer@universe-factory.net> -+From: Matthias Schiffer -+Date: Wed, 20 Apr 2022 22:04:07 +0200 -+Subject: [PATCH] verify: fix signature verification (CVE-2022-24884) -+ -+Verify that r and s are non-zero. Without these checks, an all-zero -+signature is always considered valid. -+ -+While it would be nicer to error out in ecdsa_verify_prepare_legacy() -+already, that would require users of libecdsautil to check a return value -+of the prepare step. To be safe, implement the fix in an API/ABI-compatible -+way that doesn't need changes to the users. -+--- -+ src/lib/ecdsa.c | 10 ++++++++++ -+ 1 file changed, 10 insertions(+) -+ -+diff --git a/src/lib/ecdsa.c b/src/lib/ecdsa.c -+index 8cd7722be8cd..a661b56bd7c8 100644 -+--- a/src/lib/ecdsa.c -++++ b/src/lib/ecdsa.c -+@@ -135,6 +135,12 @@ regenerate: -+ void ecdsa_verify_prepare_legacy(ecdsa_verify_context_t *ctx, const ecc_int256_t *hash, const ecdsa_signature_t *signature) { -+ ecc_int256_t w, u1, tmp; -+ -++ if (ecc_25519_gf_is_zero(&signature->s) || ecc_25519_gf_is_zero(&signature->r)) { -++ // Signature is invalid, mark by setting ctx->r to an invalid value -++ memset(&ctx->r, 0, sizeof(ctx->r)); -++ return; -++ } -++ -+ ctx->r = signature->r; -+ -+ ecc_25519_gf_recip(&w, &signature->s); -+@@ -149,6 +155,10 @@ bool ecdsa_verify_legacy(const ecdsa_verify_context_t *ctx, const ecc_25519_work -+ ecc_25519_work_t s2, work; -+ ecc_int256_t w, tmp; -+ -++ // Signature was detected as invalid in prepare step -++ if (ecc_25519_gf_is_zero(&ctx->r)) -++ return false; -++ -+ ecc_25519_scalarmult(&s2, &ctx->u2, pubkey); -+ ecc_25519_add(&work, &ctx->s1, &s2); -+ ecc_25519_store_xy_legacy(&w, NULL, &work); -+-- -+2.36.0 -+