Wind River Support Network


Wind River Security Vulnerability Notice: openssl EDIPARTYNAME NULL pointer de-reference, CVE-2020-1971

Released: --

Summary

Wind River Security Vulnerability Notice: CVE-2020-1971 in openssl may affect Wind River Linux


Affected Product Versions

Wind River Linux LTS 18, Wind River Linux LTS 17, Wind River Linux 9, Wind River Linux 8, Wind River Linux CD, Wind River Linux LTS 19

Description

CVE-2020-1971

The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack.
OpenSSL 1.1.1h and below, and 1.0.2w and below, are affected by this issue.

Affected Wind River Linux releases:

All releases including Wind River Linux LTS 19, Wind River Linux LTS 18, Wind River Linux LTS 17, Wind River Linux 9, Wind River Linux 8

Affected software components:

openssl

Affected hardware:

This is a pure software issue.

Mitigation

All Wind River Linux releases affected by this issue need source patches to fix it.


Additional References

...


Changelog

  • 12/3/2020: Initial
  • 12/8/2020: Public

Installation Notes

LTS1019

1) Download the hotpatch locally and unpack it:

# cd /PATH_2_download/
# sha256sum LTS1019-HOTPATCH-openssl-CVE-2020-1971.patch
7b016b6124ec7f7b6900b243af58f377b165ab60a1c83e63b82569c83c531050 LTS1019-HOTPATCH-openssl-CVE-2020-1971.patch

2) Apply it and rebuild openssl:

# cd /PATH_2_project/
# cd layers/oe-core/meta/recipes-connectivity/openssl
# git am /PATH_2_download/LTS1019-HOTPATCH-openssl-CVE-2020-1971.patch
# cd /PATH_2_project/build
# bitbake openssl
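The following is an added example, not part of this notice and not Wind River tooling: a POSIX sh helper that checks a bare OpenSSL version string against the affected ranges given in the Description above (1.0.2w and below, 1.1.1h and below) and wraps the LTS1019 step 2 above so that `git am` only runs when the downloaded hotpatch matches the published sha256. The function names are assumptions, `sha256sum` must be on PATH, and PATH_2_download / PATH_2_project are the notice's own placeholders.

```shell
#!/bin/sh
# Added helper (not Wind River's tooling): triage an OpenSSL build against the
# CVE-2020-1971 ranges given in this notice and gate the LTS1019 hotpatch steps
# on the published checksum. Function names are assumptions; sha256sum is required.

# Checksum and filename published in this notice for the LTS1019 hotpatch.
LTS1019_SHA256=7b016b6124ec7f7b6900b243af58f377b165ab60a1c83e63b82569c83c531050
LTS1019_PATCH=LTS1019-HOTPATCH-openssl-CVE-2020-1971.patch

# openssl_affected VERSION: exit 0 if VERSION falls in an affected range as the
# notice states them: 1.0.2 series up to 1.0.2w, everything else up to 1.1.1h.
# Expects a bare version such as "1.1.1h" (single patch letter, no suffixes).
openssl_affected() {
    ver=$1
    num=$(printf '%s' "$ver" | sed 's/[a-z]*$//')      # "1.1.1"
    letter=$(printf '%s' "$ver" | sed 's/^[0-9.]*//')  # "h" or empty
    if [ -z "$letter" ]; then
        rank=0                                          # 1.1.1 sorts below 1.1.1a
    else
        rank=$(( $(printf '%d' "'$letter") - 96 ))      # a=1 ... z=26
    fi
    set -- $(printf '%s\n' "$num" | tr '.' ' ')         # positional params are function-local
    code=$(( ${1:-0} * 1000000 + ${2:-0} * 10000 + ${3:-0} * 100 + rank ))
    if [ "${1:-0}.${2:-0}.${3:-0}" = "1.0.2" ]; then
        [ "$code" -le 1000223 ]    # 1.0.2w
    else
        [ "$code" -le 1010108 ]    # 1.1.1h
    fi
}

# installed_openssl_version: second field of `openssl version`, e.g. "1.1.1h".
installed_openssl_version() {
    openssl version | cut -d' ' -f2
}

# verify_hotpatch FILE EXPECTED_SHA256: exit 0 only if FILE hashes to EXPECTED_SHA256.
verify_hotpatch() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# apply_hotpatch DOWNLOAD_DIR PROJECT_DIR: the notice's step 2 for LTS1019, refusing
# to run `git am` unless the downloaded patch matches the published checksum.
apply_hotpatch() {
    patch="$1/$LTS1019_PATCH"
    verify_hotpatch "$patch" "$LTS1019_SHA256" || { echo "checksum mismatch: $patch" >&2; return 1; }
    (cd "$2/layers/oe-core/meta/recipes-connectivity/openssl" && git am "$patch") || return 1
    (cd "$2/build" && bitbake openssl)
}
```

On a target, `openssl_affected "$(installed_openssl_version)" && echo affected` triages the installed build, and `apply_hotpatch /PATH_2_download /PATH_2_project` performs the patched rebuild.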

LTS1018

...

LTS1017

...

WRLinux-9

...

WRLinux-8

...


