Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug]: Should update openssl to 3.4.1 for CVE-2024-13176 #10664

Closed
2 of 5 tasks
liyi77 opened this issue Jan 24, 2025 · 0 comments
Closed
2 of 5 tasks

[Bug]: Should update openssl to 3.4.1 for CVE-2024-13176 #10664

liyi77 opened this issue Jan 24, 2025 · 0 comments
Assignees
@liyi77
Labels
package:cryptopkg priority:low Little to no impact. No urgency to fix. type:bug Something isn't working

Comments

@liyi77
Copy link
Contributor

liyi77 commented Jan 24, 2025

Is there an existing issue for this?

  • I have searched existing issues

Bug Type

  • Firmware
  • Tool
  • Unit Test

Code first?

  • Yes

What packages are impacted?

CryptoPkg

Which targets are impacted by this bug?

DEBUG, NOOPT, RELEASE

Current Behavior

Current openssl version is 3.4.0

Expected Behavior

update openssl to 3.4.1

Steps To Reproduce

Nope

Build Environment

- OS(s):
- Tool Chain(s):

Version Information

feb8d49834b12e1eab3f3052e21433b9d535ac4e

Urgency

Low

Are you going to fix this?

I will fix it

Do you need maintainer feedback?

No maintainer feedback needed

Anything else?

https://openssl-library.org/news/secadv/20250120.txt

CryptoPkg currently supports ECDSA Sign of NIST P-521, so this problem will affect EDK2 code.

Edk2\CryptoPkg\Include\Library\BaseCryptLib.h L28:
#define CRYPTO_NID_SECP521R1 0x0206

Edk2\CryptoPkg\Library\BaseCryptLib\Pk\CryptEc.c L800:
EFIAPI
EcDsaSign (
@liyi77 liyi77 added state:needs-triage type:bug Something isn't working labels Jan 24, 2025
@github-actions github-actions bot added package:cryptopkg priority:low Little to no impact. No urgency to fix. labels Jan 24, 2025
liyi77 added a commit to liyi77/edk2 that referenced this issue Feb 12, 2025
@liyi77
CryptoPkg: Update openssl submodule to 3.4.1
c57b15c 
FIX: tianocore#10664

CVE-2024-13176 affects TLS-client implementation of EDK2. Fix it by
updating to 3.4.1.

Signed-off-by: Yi Li <[email protected]>
liyi77 added a commit to liyi77/edk2 that referenced this issue Feb 12, 2025
@liyi77
CryptoPkg: Update generated files based on openssl 3.0.15
fbd5b28 
FIX: tianocore#10664

Signed-off-by: Li Yi <[email protected]>
liyi77 added a commit to liyi77/edk2 that referenced this issue Feb 12, 2025
@liyi77
CryptoPkg: Update generated files based on openssl 3.4.1
a411613 
FIX: tianocore#10664

Signed-off-by: Li Yi <[email protected]>
liyi77 added a commit to liyi77/edk2 that referenced this issue Feb 12, 2025
@liyi77
CryptoPkg: Update openssl submodule to 3.4.1
60a90af 
FIX: tianocore#10664

CVE-2024-13176 affects ECDSA Sign of NIST P-521 implementation of
EDK2. Fix it by updating openssl to 3.4.1.

Signed-off-by: Yi Li <[email protected]>
liyi77 added a commit to liyi77/edk2 that referenced this issue Feb 12, 2025
@liyi77
CryptoPkg: Update generated files based on openssl 3.4.1
69ff17e 
FIX: tianocore#10664

Signed-off-by: Li Yi <[email protected]>
liyi77 added a commit to liyi77/edk2 that referenced this issue Feb 21, 2025
@liyi77
CryptoPkg: Update openssl submodule to 3.4.1
2697a16 
FIX: tianocore#10664

CVE-2024-13176 affects ECDSA Sign of NIST P-521 implementation of
EDK2. Fix it by updating openssl to 3.4.1.

Signed-off-by: Yi Li <[email protected]>
liyi77 added a commit to liyi77/edk2 that referenced this issue Feb 21, 2025
@liyi77
CryptoPkg: Update generated files based on openssl 3.4.1
31eefa6 
FIX: tianocore#10664

Signed-off-by: Li Yi <[email protected]>
liyi77 added a commit to liyi77/edk2 that referenced this issue Feb 24, 2025
@liyi77
CryptoPkg: Update openssl submodule to 3.4.1
aabf7f9 
FIX: tianocore#10664

CVE-2024-13176 affects ECDSA Sign of NIST P-521 implementation of
EDK2. Fix it by updating openssl to 3.4.1.

Signed-off-by: Yi Li <[email protected]>
liyi77 added a commit to liyi77/edk2 that referenced this issue Feb 24, 2025
@liyi77
CryptoPkg: Update generated files based on openssl 3.4.1
156695b 
FIX: tianocore#10664

Signed-off-by: Li Yi <[email protected]>
liyi77 added a commit to liyi77/edk2 that referenced this issue Feb 26, 2025
@liyi77
CryptoPkg: Update openssl submodule to 3.4.1
a7ea695 
FIX: tianocore#10664

CVE-2024-13176 affects ECDSA Sign of NIST P-521 implementation of
EDK2. Fix it by updating openssl to 3.4.1.

Signed-off-by: Yi Li <[email protected]>
liyi77 added a commit to liyi77/edk2 that referenced this issue Feb 26, 2025
@liyi77
CryptoPkg: Update generated files based on openssl 3.4.1
e3a122b 
FIX: tianocore#10664

Signed-off-by: Li Yi <[email protected]>
@mergify mergify bot closed this as completed in a59d7fa Feb 26, 2025
mergify bot pushed a commit that referenced this issue Feb 26, 2025
@liyi77 @mergify
CryptoPkg: Update generated files based on openssl 3.4.1
3b93347 
FIX: #10664

Signed-off-by: Li Yi <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@liyi77 liyi77

Labels
package:cryptopkg priority:low Little to no impact. No urgency to fix. type:bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@lgao4 @liyi77