Revert "[PA-6132] : Applied CVE Patches to openssl-1.1.1k-7, followin…

…g patches were applied" This reverts commit 0327e17.
puppetlabs · Feb 27, 2024 · 1a4f299 · 1a4f299
1 parent 723b9af
commit 1a4f299
Show file tree

Hide file tree

Showing 5 changed files with 9 additions and 339 deletions.
diff --git a/configs/components/openssl-1.1.1-fips.rb b/configs/components/openssl-1.1.1-fips.rb
@@ -24,10 +24,6 @@
   pkg.add_source 'file://resources/patches/openssl/openssl-1.1.1-fips-spec-file.patch'
   pkg.add_source 'file://resources/patches/openssl/openssl-1.1.1-fips-remove-env-check.patch'
   pkg.add_source 'file://resources/patches/openssl/openssl-1.1.1l-sm2-plaintext.patch'
-  pkg.add_source 'file://resources/patches/openssl/openssl-1.1.1k-CVE-2023-3446-fips.patch'
-  pkg.add_source 'file://resources/patches/openssl/openssl-1.1.1k-CVE-2023-5678-fips.patch'
-  pkg.add_source 'file://resources/patches/openssl/openssl-1.1.1k-CVE-2024-0727-fips.patch'
-
 
   if platform.name =~ /-7-/
     pkg.add_source 'file://resources/patches/openssl/openssl-1.1.1-fips-post-rand.patch'
@@ -59,10 +55,7 @@
       "cd openssl-#{pkg.get_version} && /usr/bin/patch --strip=1 --fuzz=0 --ignore-whitespace --no-backup-if-mismatch < ../openssl-1.1.1-fips-force-fips-mode.patch && cd -",
       "cd openssl-#{pkg.get_version} && /usr/bin/patch --strip=1 --fuzz=0 --ignore-whitespace --no-backup-if-mismatch < ../openssl-1.1.1-fips-spec-file.patch && cd -",
       "cd openssl-#{pkg.get_version} && /usr/bin/patch --strip=1 --fuzz=0 --ignore-whitespace --no-backup-if-mismatch < ../openssl-1.1.1-fips-remove-env-check.patch && cd -",
-      "cd openssl-#{pkg.get_version} && /usr/bin/patch --strip=1 --fuzz=0 --ignore-whitespace --no-backup-if-mismatch < ../openssl-1.1.1l-sm2-plaintext.patch && cd -",
-      "cd openssl-#{pkg.get_version} && /usr/bin/patch --strip=1 --fuzz=0 --ignore-whitespace --no-backup-if-mismatch < ../openssl-1.1.1k-CVE-2023-3446-fips.patch  && cd -",
-      "cd openssl-#{pkg.get_version} && /usr/bin/patch --strip=1 --fuzz=0 --ignore-whitespace --no-backup-if-mismatch < ../openssl-1.1.1k-CVE-2023-5678-fips.patch  && cd -",
-      "cd openssl-#{pkg.get_version} && /usr/bin/patch --strip=1 --fuzz=0 --ignore-whitespace --no-backup-if-mismatch < ../openssl-1.1.1k-CVE-2024-0727-fips.patch  && cd -"
+      "cd openssl-#{pkg.get_version} && /usr/bin/patch --strip=1 --fuzz=0 --ignore-whitespace --no-backup-if-mismatch < ../openssl-1.1.1l-sm2-plaintext.patch && cd -"
     ]
   end
 

diff --git a/resources/patches/openssl/openssl-1.1.1k-7-fips-spec-file.patch b/resources/patches/openssl/openssl-1.1.1k-7-fips-spec-file.patch
@@ -1,34 +1,28 @@
 --- a/SPECS/openssl.spec	2024-02-20 10:19:41
-+++ b/SPECS/openssl.spec	2024-02-22 20:31:28
-@@ -87,6 +87,13 @@
++++ b/SPECS/openssl.spec	2024-02-23 11:38:58
+@@ -87,6 +87,10 @@
  Patch84: openssl-1.1.1-cve-2022-1292.patch
  Patch85: openssl-1.1.1-cve-2022-2068.patch
  Patch86: openssl-1.1.1-cve-2022-2097.patch
 +Patch100: openssl-1.1.1-force-fips-on-init.patch
 +Patch101: openssl-1.1.1-openssl-cnf-fips-mode.patch
 +Patch102: openssl-1.1.1-remove-env-check.patch
 +Patch103: openssl-1.1.1l-sm2-plaintext.patch
-+Patch104: openssl-1.1.1k-CVE-2023-3446-fips.patch
-+Patch105: openssl-1.1.1k-CVE-2023-5678-fips.patch
-+Patch106: openssl-1.1.1k-CVE-2024-0727-fips.patch
 
  License: OpenSSL and ASL 2.0
  URL: http://www.openssl.org/
-@@ -212,6 +219,13 @@
+@@ -212,6 +216,10 @@
  %patch84 -p1 -b .cve-2022-1292
  %patch85 -p1 -b .cve-2022-2068
  %patch86 -p1 -b .cve-2022-2097
 +%patch100 -p1 -b .force-fips-on-init
 +%patch101 -p1 -b .openssl-cnf-fips-mode
 +%patch102 -p1 -b .remove-env-check
 +%patch103 -p1 -b .sm2-plaintext
-+%patch104 -p1 -F2 -b .CVE-2023-3446-fips
-+%patch105 -p1 -F2 -b .CVE-2023-5678-fips
-+%patch106 -p1 -b .CVE-2024-0727-fips
 
  %build
  # Figure out which flags we want to use.
-@@ -220,7 +234,7 @@
+@@ -220,7 +228,7 @@
  %ifarch %ix86
  sslarch=linux-elf
  if ! echo %{_target} | grep -q i686 ; then
@@ -37,7 +31,7 @@
  fi
  %endif
  %ifarch x86_64
-@@ -286,13 +300,13 @@
+@@ -286,13 +294,13 @@
  # usable on all platforms.  The Configure script already knows to use -fPIC and
  # RPM_OPT_FLAGS, so we can skip specifiying them here.
  ./Configure \
@@ -58,7 +52,7 @@
 
  # Do not run this in a production package the FIPS symbols must be patched-in
  #util/mkdef.pl crypto update
-@@ -352,9 +366,9 @@
+@@ -352,9 +360,9 @@
  make DESTDIR=$RPM_BUILD_ROOT install
  rename so.%{soversion} so.%{version} $RPM_BUILD_ROOT%{_libdir}/*.so.%{soversion}
  for lib in $RPM_BUILD_ROOT%{_libdir}/*.so.%{version} ; do
@@ -71,7 +65,7 @@
  done
 
  # Install a makefile for generating keys and self-signed certs, and a script
-@@ -375,21 +389,21 @@
+@@ -375,21 +383,21 @@
  pushd $RPM_BUILD_ROOT%{_mandir}
  ln -s -f config.5 man5/openssl.cnf.5
  for manpage in man*/* ; do
@@ -105,7 +99,7 @@
  done
  popd
 
-@@ -424,11 +438,11 @@
+@@ -424,11 +432,11 @@
  # can have both a 32- and 64-bit version of the library, and they each need
  # their own correct-but-different versions of opensslconf.h to be usable.
  install -m644 %{SOURCE10} \

diff --git a/resources/patches/openssl/openssl-1.1.1k-CVE-2023-3446-fips.patch b/resources/patches/openssl/openssl-1.1.1k-CVE-2023-3446-fips.patch
diff --git a/resources/patches/openssl/openssl-1.1.1k-CVE-2023-5678-fips.patch b/resources/patches/openssl/openssl-1.1.1k-CVE-2023-5678-fips.patch