diff --git a/README.md b/README.md index 1d4c0b1e..ce2a4f05 100644 --- a/README.md +++ b/README.md @@ -33,6 +33,10 @@ Build commands for the console: cd feeds/routing git am --whitespace=nowarn ../../firmware/patches/routing/*.patch cd ../../ + + cd feeds/packages + git am --whitespace=nowarn ../../firmware/patches/packages/*.patch + cd ../../ rm -rf firmware tmp diff --git a/files/etc/config/freifunk b/files/etc/config/freifunk index 495fd0ae..f1ba8768 100644 --- a/files/etc/config/freifunk +++ b/files/etc/config/freifunk @@ -5,7 +5,7 @@ config settings option longitude '' option contact '' option community 'ulm' - option version '2.3.0' + option version '2.3.1' option publish_map 'basic' option allow_access_from 'lan' option service_link '' diff --git a/files/etc/uci-defaults/50_freifunk-setup b/files/etc/uci-defaults/50_freifunk-setup index defcfb3b..9d2cf355 100755 --- a/files/etc/uci-defaults/50_freifunk-setup +++ b/files/etc/uci-defaults/50_freifunk-setup @@ -624,6 +624,12 @@ update_220_to_230() { cp /rom/etc/uhttpd.key /etc/ 2> /dev/null } +update_230_to_231() { + # Preserve self signed certificates + cp /rom/etc/uhttpd.crt /etc/ 2> /dev/null + cp /rom/etc/uhttpd.key /etc/ 2> /dev/null +} + start() { echo "(I) Start freifunk_setup" @@ -658,6 +664,7 @@ start() update_200_to_210 update_210_to_220 update_220_to_230 + update_230_to_231 update_version ;; 0.5.1*) @@ -673,6 +680,7 @@ start() update_200_to_210 update_210_to_220 update_220_to_230 + update_230_to_231 update_version ;; 0.6.0*) @@ -687,6 +695,7 @@ start() update_200_to_210 update_210_to_220 update_220_to_230 + update_230_to_231 update_version ;; 0.6.1*) @@ -700,6 +709,7 @@ start() update_200_to_210 update_210_to_220 update_220_to_230 + update_230_to_231 update_version ;; 0.6.2*) @@ -712,6 +722,7 @@ start() update_200_to_210 update_210_to_220 update_220_to_230 + update_230_to_231 update_version ;; 0.6.3*) @@ -723,6 +734,7 @@ start() update_200_to_210 update_210_to_220 update_220_to_230 + update_230_to_231 update_version ;; 0.6.4*) @@ -733,6 +745,7 @@ start() update_200_to_210 update_210_to_220 update_220_to_230 + update_230_to_231 update_version ;; 0.6.5*) @@ -742,6 +755,7 @@ start() update_200_to_210 update_210_to_220 update_220_to_230 + update_230_to_231 update_version ;; 1.0.0*) @@ -750,6 +764,7 @@ start() update_200_to_210 update_210_to_220 update_220_to_230 + update_230_to_231 update_version ;; 2.0.0*) @@ -757,19 +772,29 @@ start() update_200_to_210 update_210_to_220 update_220_to_230 + update_230_to_231 update_version ;; 2.1.0*) echo "(I) Apply update." update_210_to_220 update_220_to_230 + update_230_to_231 update_version ;; 2.2.0*) echo "(I) Apply update." update_220_to_230 + update_230_to_231 update_version ;; + + 2.3.0*) + echo "(I) Apply update." + update_230_to_231 + update_version + ;; + "") echo "(I) Start initial setup." initial_setup diff --git a/patches/packages/0002-ecdsautils-verify-fix-signature-verification-CVE-2022-24884.patch b/patches/packages/0002-ecdsautils-verify-fix-signature-verification-CVE-2022-24884.patch new file mode 100644 index 00000000..11cc1bbc --- /dev/null +++ b/patches/packages/0002-ecdsautils-verify-fix-signature-verification-CVE-2022-24884.patch @@ -0,0 +1,73 @@ +From: Matthias Schiffer +Date: Wed, 27 Apr 2022 19:01:39 +0200 +Subject: ecdsautils: verify: fix signature verification (CVE-2022-24884) + +Signed-off-by: Matthias Schiffer + +diff --git a/utils/ecdsautils/Makefile b/utils/ecdsautils/Makefile +index 7f1c76f0301f56b0a88c1f6a1a0147397fde25c7..5ba893be69d40279cd6f5c9e544e941d0011f451 100644 +--- a/utils/ecdsautils/Makefile ++++ b/utils/ecdsautils/Makefile +@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk + + PKG_NAME:=ecdsautils + PKG_VERSION:=0.3.2.20160630 +-PKG_RELEASE:=1 ++PKG_RELEASE:=2 + PKG_REV:=07538893fb6c2a9539678c45f9dbbf1e4f222b46 + PKG_MAINTAINER:=Matthias Schiffer + PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz +diff --git a/utils/ecdsautils/patches/0001-verify-fix-signature-verification-CVE-2022-24884.patch b/utils/ecdsautils/patches/0001-verify-fix-signature-verification-CVE-2022-24884.patch +new file mode 100644 +index 0000000000000000000000000000000000000000..34d80cc201c0e87ca654c3def4fbbbddf622b0ba +--- /dev/null ++++ b/utils/ecdsautils/patches/0001-verify-fix-signature-verification-CVE-2022-24884.patch +@@ -0,0 +1,48 @@ ++From 1d4b091abdf15ad7b2312535b5b95ad70f6dbd08 Mon Sep 17 00:00:00 2001 ++Message-Id: <1d4b091abdf15ad7b2312535b5b95ad70f6dbd08.1651078760.git.mschiffer@universe-factory.net> ++From: Matthias Schiffer ++Date: Wed, 20 Apr 2022 22:04:07 +0200 ++Subject: [PATCH] verify: fix signature verification (CVE-2022-24884) ++ ++Verify that r and s are non-zero. Without these checks, an all-zero ++signature is always considered valid. ++ ++While it would be nicer to error out in ecdsa_verify_prepare_legacy() ++already, that would require users of libecdsautil to check a return value ++of the prepare step. To be safe, implement the fix in an API/ABI-compatible ++way that doesn't need changes to the users. ++--- ++ src/lib/ecdsa.c | 10 ++++++++++ ++ 1 file changed, 10 insertions(+) ++ ++diff --git a/src/lib/ecdsa.c b/src/lib/ecdsa.c ++index 8cd7722be8cd..a661b56bd7c8 100644 ++--- a/src/lib/ecdsa.c +++++ b/src/lib/ecdsa.c ++@@ -135,6 +135,12 @@ regenerate: ++ void ecdsa_verify_prepare_legacy(ecdsa_verify_context_t *ctx, const ecc_int256_t *hash, const ecdsa_signature_t *signature) { ++ ecc_int256_t w, u1, tmp; ++ +++ if (ecc_25519_gf_is_zero(&signature->s) || ecc_25519_gf_is_zero(&signature->r)) { +++ // Signature is invalid, mark by setting ctx->r to an invalid value +++ memset(&ctx->r, 0, sizeof(ctx->r)); +++ return; +++ } +++ ++ ctx->r = signature->r; ++ ++ ecc_25519_gf_recip(&w, &signature->s); ++@@ -149,6 +155,10 @@ bool ecdsa_verify_legacy(const ecdsa_verify_context_t *ctx, const ecc_25519_work ++ ecc_25519_work_t s2, work; ++ ecc_int256_t w, tmp; ++ +++ // Signature was detected as invalid in prepare step +++ if (ecc_25519_gf_is_zero(&ctx->r)) +++ return false; +++ ++ ecc_25519_scalarmult(&s2, &ctx->u2, pubkey); ++ ecc_25519_add(&work, &ctx->s1, &s2); ++ ecc_25519_store_xy_legacy(&w, NULL, &work); ++-- ++2.36.0 ++