modules: update OpenWrt packages
948ea0e9c046 ecdsautils: update to v0.4.1 97333939dbcc hwdata: update to version 0.359 22c8efd9377c tor: bump to 0.4.7.7 stable 241e70f5fd84 etherwake-nfqueue: swap iptables for nftables dependency 61e0ee2e8e30 rclone: Update to 1.58.1 a8374c48e14f apfree-wifidog: fix compile error 2af08fe724f3 gst1-libav: fix compilation with ffmpeg5 419054a05f56 libtorrent-rasterbar: Update to 2.0.6 With the update to ecdsautils 0.4.1, we can remove the downstream patch again.
This commit is contained in:
parent
f0e76390ef
commit
8ebba2350a
2
modules
2
modules
@ -6,7 +6,7 @@ OPENWRT_COMMIT=5ff900e0ade775062bf888b447893aefa1a37146
|
|||||||
|
|
||||||
PACKAGES_PACKAGES_REPO=https://github.com/openwrt/packages.git
|
PACKAGES_PACKAGES_REPO=https://github.com/openwrt/packages.git
|
||||||
PACKAGES_PACKAGES_BRANCH=openwrt-22.03
|
PACKAGES_PACKAGES_BRANCH=openwrt-22.03
|
||||||
PACKAGES_PACKAGES_COMMIT=09da83968ef0846cd1b13bfa1b91c33a1f9985bb
|
PACKAGES_PACKAGES_COMMIT=948ea0e9c0465524de92268eea13b2a7ae10b484
|
||||||
|
|
||||||
PACKAGES_ROUTING_REPO=https://github.com/openwrt/routing.git
|
PACKAGES_ROUTING_REPO=https://github.com/openwrt/routing.git
|
||||||
PACKAGES_ROUTING_BRANCH=openwrt-22.03
|
PACKAGES_ROUTING_BRANCH=openwrt-22.03
|
||||||
|
@ -1,73 +0,0 @@
|
|||||||
From: Matthias Schiffer <mschiffer@universe-factory.net>
|
|
||||||
Date: Wed, 27 Apr 2022 19:01:39 +0200
|
|
||||||
Subject: ecdsautils: verify: fix signature verification (CVE-2022-24884)
|
|
||||||
|
|
||||||
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
|
|
||||||
|
|
||||||
diff --git a/utils/ecdsautils/Makefile b/utils/ecdsautils/Makefile
|
|
||||||
index e6f5a916e63e9914369ae7e47106230346f9322c..096827494befad193c5904e1748c4e6768bbb15e 100644
|
|
||||||
--- a/utils/ecdsautils/Makefile
|
|
||||||
+++ b/utils/ecdsautils/Makefile
|
|
||||||
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
|
|
||||||
|
|
||||||
PKG_NAME:=ecdsautils
|
|
||||||
PKG_VERSION:=0.3.2.20160630
|
|
||||||
-PKG_RELEASE:=1
|
|
||||||
+PKG_RELEASE:=2
|
|
||||||
|
|
||||||
PKG_SOURCE_PROTO:=git
|
|
||||||
PKG_SOURCE_URL:=https://github.com/freifunk-gluon/ecdsautils
|
|
||||||
diff --git a/utils/ecdsautils/patches/0001-verify-fix-signature-verification-CVE-2022-24884.patch b/utils/ecdsautils/patches/0001-verify-fix-signature-verification-CVE-2022-24884.patch
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000000000000000000000000000000000000..34d80cc201c0e87ca654c3def4fbbbddf622b0ba
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/utils/ecdsautils/patches/0001-verify-fix-signature-verification-CVE-2022-24884.patch
|
|
||||||
@@ -0,0 +1,48 @@
|
|
||||||
+From 1d4b091abdf15ad7b2312535b5b95ad70f6dbd08 Mon Sep 17 00:00:00 2001
|
|
||||||
+Message-Id: <1d4b091abdf15ad7b2312535b5b95ad70f6dbd08.1651078760.git.mschiffer@universe-factory.net>
|
|
||||||
+From: Matthias Schiffer <mschiffer@universe-factory.net>
|
|
||||||
+Date: Wed, 20 Apr 2022 22:04:07 +0200
|
|
||||||
+Subject: [PATCH] verify: fix signature verification (CVE-2022-24884)
|
|
||||||
+
|
|
||||||
+Verify that r and s are non-zero. Without these checks, an all-zero
|
|
||||||
+signature is always considered valid.
|
|
||||||
+
|
|
||||||
+While it would be nicer to error out in ecdsa_verify_prepare_legacy()
|
|
||||||
+already, that would require users of libecdsautil to check a return value
|
|
||||||
+of the prepare step. To be safe, implement the fix in an API/ABI-compatible
|
|
||||||
+way that doesn't need changes to the users.
|
|
||||||
+---
|
|
||||||
+ src/lib/ecdsa.c | 10 ++++++++++
|
|
||||||
+ 1 file changed, 10 insertions(+)
|
|
||||||
+
|
|
||||||
+diff --git a/src/lib/ecdsa.c b/src/lib/ecdsa.c
|
|
||||||
+index 8cd7722be8cd..a661b56bd7c8 100644
|
|
||||||
+--- a/src/lib/ecdsa.c
|
|
||||||
++++ b/src/lib/ecdsa.c
|
|
||||||
+@@ -135,6 +135,12 @@ regenerate:
|
|
||||||
+ void ecdsa_verify_prepare_legacy(ecdsa_verify_context_t *ctx, const ecc_int256_t *hash, const ecdsa_signature_t *signature) {
|
|
||||||
+ ecc_int256_t w, u1, tmp;
|
|
||||||
+
|
|
||||||
++ if (ecc_25519_gf_is_zero(&signature->s) || ecc_25519_gf_is_zero(&signature->r)) {
|
|
||||||
++ // Signature is invalid, mark by setting ctx->r to an invalid value
|
|
||||||
++ memset(&ctx->r, 0, sizeof(ctx->r));
|
|
||||||
++ return;
|
|
||||||
++ }
|
|
||||||
++
|
|
||||||
+ ctx->r = signature->r;
|
|
||||||
+
|
|
||||||
+ ecc_25519_gf_recip(&w, &signature->s);
|
|
||||||
+@@ -149,6 +155,10 @@ bool ecdsa_verify_legacy(const ecdsa_verify_context_t *ctx, const ecc_25519_work
|
|
||||||
+ ecc_25519_work_t s2, work;
|
|
||||||
+ ecc_int256_t w, tmp;
|
|
||||||
+
|
|
||||||
++ // Signature was detected as invalid in prepare step
|
|
||||||
++ if (ecc_25519_gf_is_zero(&ctx->r))
|
|
||||||
++ return false;
|
|
||||||
++
|
|
||||||
+ ecc_25519_scalarmult(&s2, &ctx->u2, pubkey);
|
|
||||||
+ ecc_25519_add(&work, &ctx->s1, &s2);
|
|
||||||
+ ecc_25519_store_xy_legacy(&w, NULL, &work);
|
|
||||||
+--
|
|
||||||
+2.36.0
|
|
||||||
+
|
|
Loading…
Reference in New Issue
Block a user