[OE-core] [PATCH] sysklogd: update Makefile for PPC e500v2
Previous patch doesn't apply cleanly anymore, just replace it with ported patch. Signed-off-by: Alexandru Moise <00moses.alexande...@gmail.com> --- .../sysklogd/files/no-vectorization.patch | 32 ++ 1 file changed, 21 insertions(+), 11 deletions(-) diff --git a/meta/recipes-extended/sysklogd/files/no-vectorization.patch b/meta/recipes-extended/sysklogd/files/no-vectorization.patch index c1cc042c9c..76f60e54b1 100644 --- a/meta/recipes-extended/sysklogd/files/no-vectorization.patch +++ b/meta/recipes-extended/sysklogd/files/no-vectorization.patch 
@@ -1,20 +1,30 @@ -Upstream-Status: Inappropriate +From 9f17a051a77923fabfd831e946f5d919e452a86f Mon Sep 17 00:00:00 2001 +From: Alexandru Moise <00moses.alexande...@gmail.com> +Date: Fri, 15 Dec 2017 20:19:38 +0100 +Subject: [PATCH] sysklogd: no vectorization The compiler should not be generating vectorized instructions on this target. This is a work around until I can determine why this is occuring on this -particular recipe +particular recipe. -Index: sysklogd-1.5/Makefile -=== sysklogd-1.5.orig/Makefile -+++ sysklogd-1.5/Makefile -@@ -20,7 +20,8 @@ - CC= gcc +Signed-off-by: Alexandru Moise <00moses.alexande...@gmail.com> +--- + Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Makefile b/Makefile +index af699d2..cb3ff41 100644 +--- a/Makefile b/Makefile +@@ -19,7 +19,7 @@ + #SKFLAGS= -g -DSYSV -Wall #LDFLAGS= -g --SKFLAGS= $(RPM_OPT_FLAGS) -O3 -DSYSV -fomit-frame-pointer -Wall -fno-strength-reduce -+SKFLAGS= $(RPM_OPT_FLAGS) -O3 -DSYSV -fomit-frame-pointer -Wall -fno-strength-reduce \ -+ -fno-tree-vectorize +-SKFLAGS = $(CFLAGS) $(CPPFLAGS) -DSYSV -Wall -fno-strength-reduce ++SKFLAGS = $(CFLAGS) $(CPPFLAGS) -DSYSV -Wall -fno-strength-reduce -fno-tree-vectorize # -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE # -D_FILE_OFFSET_BITS=64 -D_LARGEFILE64_SOURCE # $(shell getconf LFS_SKFLAGS) +-- +2.15.1 + -- 2.15.1 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
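Review bot: The rewritten patch header drops the `Upstream-Status:` tag: the removed first line `Upstream-Status: Inappropriate` is not carried into the new git-format preamble (From/Date/Subject, body, Signed-off-by), so the patch-metadata review will count this patch as unclassified. Add `Upstream-Status: Inappropriate [embedded specific]` above the Signed-off-by line of the new patch body. The body also still describes the flag as a workaround `until I can determine why this is occuring`; naming the affected target (PPC e500v2, per the cover subject) in that paragraph would let a later maintainer judge whether `-fno-tree-vectorize` is still needed once the compiler is updated.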
[OE-core] [meta-selinux] [PATCH v3] refpolicy-mls: user native bzip2 instead of host
The behavior of b{zip,unzip}2 an vary from host to host with regards to a number of things such as return value or permissions. We should always use the native bzip2 package to keep the behavior deterministic. This change prevents a warning at do_package_qa task of refpolicy-mls package. Signed-off-by: Alexandru Moise
---
Changes in v2: Use Ross Burton's suggestion of using appending the bzip2-native path to EXTRANATIVEPATH variable instead of using the absolute path. Changes in v3: Add "bzip2-replacement-native" as dependency to ensure that the bzip2-native package exists in the STAGING_BINDIR_NATIVE path.
 recipes-security/refpolicy/refpolicy_common.inc | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
index 58152a8..6a45e79 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -27,7 +27,9 @@ FILES_${PN}-dev =+ " \
 ${sysconfdir}/selinux/sepolgen.conf \
 "
-DEPENDS += "checkpolicy-native policycoreutils-native m4-native"
+EXTRANATIVEPATH += "bzip2-native"
+
+DEPENDS += "bzip2-replacement-native checkpolicy-native policycoreutils-native m4-native"
 RDEPENDS-${PN}-dev =+ " \
 python \
--
2.10.2
--
___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
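Review bot: The two added lines carry no rationale in the file itself; the explanation for forcing the native bzip2 onto PATH only lives in the cover notes below the `---`, which do not land in the commit. A comment such as `# Host bzip2/bunzip2 differ in exit status and permission handling; use bzip2-native so prepare_policy_store() behaves the same on every host` above `EXTRANATIVEPATH += "bzip2-native"` keeps that reasoning next to the code. The two lines are a pair: EXTRANATIVEPATH only prepends a `bzip2-native` directory under the native sysroot bindir to PATH, and the `bzip2-replacement-native` dependency is presumably what populates that directory before the task runs, so saying so in the same comment makes it less likely that one line is later removed without the other.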
[OE-core] [meta-selinux] [PATCH v2] refpolicy-mls: user native bzip2 instead of host
The behavior of b{zip,unzip}2 an vary from host to host with regards to a number of things such as return value or permissions. We should always use the native bzip2 package to keep the behavior deterministic. This change prevents a warning at do_package_qa task of refpolicy-mls package. Signed-off-by: Alexandru Moise
---
Changes since v1: Use Ross Burton's suggestion of using appending the bzip2-native path to EXTRANATIVEPATH variable instead of using the absolute path.
 recipes-security/refpolicy/refpolicy_common.inc | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
index 58152a8..8c0a3fd 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -27,6 +27,8 @@ FILES_${PN}-dev =+ " \
 ${sysconfdir}/selinux/sepolgen.conf \
 "
+EXTRANATIVEPATH += "bzip2-native"
+
 DEPENDS += "checkpolicy-native policycoreutils-native m4-native"
 RDEPENDS-${PN}-dev =+ " \
--
2.10.2
--
___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
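Review bot: `EXTRANATIVEPATH += "bzip2-native"` puts a `bzip2-native` directory under the native sysroot bindir on PATH, but nothing in this hunk adds the recipe that populates that directory to `DEPENDS`, so when no other recipe has built it first the directory is absent and the shell silently falls back to the host bzip2 this change is meant to avoid. Pair the PATH change with the native provider in `DEPENDS` (the v3 posting of this patch does so with `bzip2-replacement-native`). A one-line comment above the assignment stating why the native tool is required would also keep the cover-letter reasoning in the file.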
[OE-core] [yocto] [meta-selinux] [PATCH] refpolicy-mls: user native bzip2 instead of host
The behavior of b{zip,unzip}2 an vary from host to host with regards to a number of things such as return value or permissions. We should always use the native bzip2 package to keep the behavior deterministic. This change prevents a warning at do_package_qa task of refpolicy-mls package. Signed-off-by: Alexandru Moise
---
 recipes-security/refpolicy/refpolicy_common.inc | 14 --
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
index 58152a8..91dd2ba 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -27,7 +27,7 @@ FILES_${PN}-dev =+ " \
 ${sysconfdir}/selinux/sepolgen.conf \
 "
-DEPENDS += "checkpolicy-native policycoreutils-native m4-native"
+DEPENDS += "checkpolicy-native policycoreutils-native m4-native bzip2-native"
 RDEPENDS-${PN}-dev =+ " \
 python \
@@ -99,19 +99,21 @@ prepare_policy_store () {
 # get hll type from suffix on base policy module
 HLL_TYPE=$(echo ${POL_SRC}/base.* | awk -F . '{if (NF>1) {print $NF}}')
 HLL_BIN=${STAGING_DIR_NATIVE}${prefix}/libexec/selinux/hll/${HLL_TYPE}
+ native_bzip2=${STAGING_BINDIR_NATIVE}/bzip2-native/bzip2
+ native_bunzip2=${STAGING_BINDIR_NATIVE}/bzip2-native/bunzip2
 for i in ${POL_SRC}/*.${HLL_TYPE}; do
 MOD_NAME=$(basename $i | sed "s/\.${HLL_TYPE}$//")
 MOD_DIR=${POL_ACTIVE_MODS}/${MOD_NAME}
 mkdir -p ${MOD_DIR}
 echo -n "${HLL_TYPE}" > ${MOD_DIR}/lang_ext
- if ! bzip2 -t $i >/dev/null 2>&1; then
- ${HLL_BIN} $i | bzip2 --stdout > ${MOD_DIR}/cil
- bzip2 -f $i && mv -f $i.bz2 $i
+ if ! ${native_bzip2} -t $i >/dev/null 2>&1; then
+ ${HLL_BIN} $i | ${native_bzip2} --stdout > ${MOD_DIR}/cil
+ ${native_bzip2} -f $i && mv -f $i.bz2 $i
 else
- bunzip2 --stdout $i | \
+ ${native_bunzip2} --stdout $i | \
 ${HLL_BIN} | \
- bzip2 --stdout > ${MOD_DIR}/cil
+ ${native_bzip2} --stdout > ${MOD_DIR}/cil
 fi
 cp $i ${MOD_DIR}/hll
 done
--
2.10.2
--
___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
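Review bot: The new `native_bzip2`/`native_bunzip2` variables hard-code `${STAGING_BINDIR_NATIVE}/bzip2-native/...`, which ties this function to the install layout of the native bzip2 recipe; the `DEPENDS` hunk above adds `bzip2-native`, but whether that provider actually installs into a `bzip2-native` subdirectory is not visible here (the later postings switch to `bzip2-replacement-native`), so please confirm the dependency matches the path. Putting the directory on PATH via `EXTRANATIVEPATH` and keeping the plain `bzip2`/`bunzip2` names would avoid the duplicated absolute path. On the rewritten line `${HLL_BIN} $i | ${native_bzip2} --stdout > ${MOD_DIR}/cil` a failure of `${HLL_BIN}` is still masked by the pipeline, since only bzip2's exit status is seen, so a broken module yields an empty compressed cil instead of failing the task; that predates this change, but a `# TODO: check ${HLL_BIN} status separately` is cheap while these lines are being touched. The enclosing `prepare_policy_store ()` starts before this hunk.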
[OE-core] [PATCH v5][morty] openssl: CVE: CVE-2017-3731
If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. Backported from: https://github.com/openssl/openssl/commit/8e20499629b6bcf868d0072c7011e590b5c2294d https://github.com/openssl/openssl/commit/2198b3a55de681e1f3c23edb0586afe13f438051 * CVE: CVE-2017-3731 Upstream-status: Backport Signed-off-by: Alexandru Moise --- .../openssl/openssl/0001-CVE-2017-3731.patch | 46 +++ .../openssl/openssl/0002-CVE-2017-3731.patch | 53 ++ .../recipes-connectivity/openssl/openssl_1.0.2j.bb | 2 + 3 files changed, 101 insertions(+) create mode 100644 meta/recipes-connectivity/openssl/openssl/0001-CVE-2017-3731.patch create mode 100644 meta/recipes-connectivity/openssl/openssl/0002-CVE-2017-3731.patch diff --git a/meta/recipes-connectivity/openssl/openssl/0001-CVE-2017-3731.patch b/meta/recipes-connectivity/openssl/openssl/0001-CVE-2017-3731.patch new file mode 100644 index 000..b378c5e --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/0001-CVE-2017-3731.patch 
@@ -0,0 +1,46 @@ +From 0cde9a9645c949fd0acf657dadc747676245cfaf Mon Sep 17 00:00:00 2001 +From: Alexandru Moise +Date: Tue, 7 Feb 2017 11:13:19 +0200 +Subject: [PATCH 1/2] crypto/evp: harden RC4_MD5 cipher. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Originally a crash in 32-bit build was reported CHACHA20-POLY1305 +cipher. The crash is triggered by truncated packet and is result +of excessive hashing to the edge of accessible memory (or bogus +MAC value is produced if x86 MD5 assembly module is involved). Since +hash operation is read-only it is not considered to be exploitable +beyond a DoS condition. + +Thanks to Robert Święcki for report. + +CVE-2017-3731 + +Backported from upstream commit: +8e20499629b6bcf868d0072c7011e590b5c2294d + +Upstream-Status: Backport + +Reviewed-by: Rich Salz +Signed-off-by: Alexandru Moise +--- + crypto/evp/e_rc4_hmac_md5.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/crypto/evp/e_rc4_hmac_md5.c b/crypto/evp/e_rc4_hmac_md5.c +index 5e92855..3293419 100644 +--- a/crypto/evp/e_rc4_hmac_md5.c b/crypto/evp/e_rc4_hmac_md5.c +@@ -269,6 +269,8 @@ static int rc4_hmac_md5_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, + len = p[arg - 2] << 8 | p[arg - 1]; + + if (!ctx->encrypt) { ++ if (len < MD5_DIGEST_LENGTH) ++return -1; + len -= MD5_DIGEST_LENGTH; + p[arg - 2] = len >> 8; + p[arg - 1] = len; +-- +2.10.2 + diff --git a/meta/recipes-connectivity/openssl/openssl/0002-CVE-2017-3731.patch b/meta/recipes-connectivity/openssl/openssl/0002-CVE-2017-3731.patch new file mode 100644 index 000..990cbfd --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/0002-CVE-2017-3731.patch 
@@ -0,0 +1,53 @@ +From 6427f1accc54b515bb899370f1a662bfcb1caa52 Mon Sep 17 00:00:00 2001 +From: Alexandru Moise +Date: Tue, 7 Feb 2017 11:16:13 +0200 +Subject: [PATCH 2/2] crypto/evp: harden AEAD ciphers. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Originally a crash in 32-bit build was reported CHACHA20-POLY1305 +cipher. The crash is triggered by truncated packet and is result +of excessive hashing to the edge of accessible memory. Since hash +operation is read-only it is not considered to be exploitable +beyond a DoS condition. Other ciphers were hardened. + +Thanks to Robert Święcki for report. + +CVE-2017-3731 + +Backported from upstream commit: +2198b3a55de681e1f3c23edb0586afe13f438051 + +Upstream-Status: Backport + +Reviewed-by: Rich Salz +Signed-off-by: Alexandru Moise +--- + crypto/evp/e_aes.c | 7 ++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c +index 1734a82..16dcd10 100644 +--- a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c +@@ -1235,10 +1235,15 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) + { + unsigned int len = c->buf[arg - 2] << 8 | c->buf[arg - 1]; + /* Correct length for explicit IV */ ++ if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN) ++ return 0; + len -= EVP_GCM_TLS_EXPLICIT_IV_LEN; + /* If decrypting correct for tag too */ +-if (!c->encrypt) ++if (!c->encrypt) { ++ if (len < EVP_GCM_TLS_TAG_LEN) ++ return 0; + len -= EVP_GCM_TLS_TAG_LEN; ++ } + c->buf[arg - 2] = len >> 8; + c->buf[arg - 1] = len & 0xff; + } +-- +2.10.2 + diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2j.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2j.bb index f2aca
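Review bot: The backported 0002 patch's message says `Other ciphers were hardened.` but its diffstat lists only `crypto/evp/e_aes.c | 7 ++-`, so the `aes_gcm_ctrl` length checks are all that lands here; please confirm against the upstream commit linked in the cover letter that no other 1.0.2-applicable ctrl handler was hardened by the same commit, and if the reduced scope is deliberate say so in the patch header. The checks themselves (`if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN) return 0;` and the tag-length guard under `!c->encrypt`) reject a short length before the unsigned subtraction can wrap, which is the right shape and matches the 0001 patch's `if (len < MD5_DIGEST_LENGTH) return -1;`. The same two patch files recur unchanged in the v4, v3, v2 and v1 postings of this series further down, so this applies to them as well. The `openssl_1.0.2j.bb` hunk that wires the patches in is cut off at the end of this message and is not reviewed here.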
[OE-core] [PATCH v4][morty] openssl: CVE: CVE-2017-3731
If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. Backported from: https://github.com/openssl/openssl/commit/8e20499629b6bcf868d0072c7011e590b5c2294d https://github.com/openssl/openssl/commit/2198b3a55de681e1f3c23edb0586afe13f438051 * CVE: CVE-2017-3731 Upstream-status: Backport Signed-off-by: Alexandru Moise --- .../openssl/openssl/0001-CVE-2017-3731.patch | 46 +++ .../openssl/openssl/0002-CVE-2017-3731.patch | 53 ++ .../recipes-connectivity/openssl/openssl_1.0.2j.bb | 2 + 3 files changed, 101 insertions(+) create mode 100644 meta/recipes-connectivity/openssl/openssl/0001-CVE-2017-3731.patch create mode 100644 meta/recipes-connectivity/openssl/openssl/0002-CVE-2017-3731.patch diff --git a/meta/recipes-connectivity/openssl/openssl/0001-CVE-2017-3731.patch b/meta/recipes-connectivity/openssl/openssl/0001-CVE-2017-3731.patch new file mode 100644 index 000..b378c5e --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/0001-CVE-2017-3731.patch 
@@ -0,0 +1,46 @@ +From 0cde9a9645c949fd0acf657dadc747676245cfaf Mon Sep 17 00:00:00 2001 +From: Alexandru Moise +Date: Tue, 7 Feb 2017 11:13:19 +0200 +Subject: [PATCH 1/2] crypto/evp: harden RC4_MD5 cipher. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Originally a crash in 32-bit build was reported CHACHA20-POLY1305 +cipher. The crash is triggered by truncated packet and is result +of excessive hashing to the edge of accessible memory (or bogus +MAC value is produced if x86 MD5 assembly module is involved). Since +hash operation is read-only it is not considered to be exploitable +beyond a DoS condition. + +Thanks to Robert Święcki for report. + +CVE-2017-3731 + +Backported from upstream commit: +8e20499629b6bcf868d0072c7011e590b5c2294d + +Upstream-status: Backport + +Reviewed-by: Rich Salz +Signed-off-by: Alexandru Moise +--- + crypto/evp/e_rc4_hmac_md5.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/crypto/evp/e_rc4_hmac_md5.c b/crypto/evp/e_rc4_hmac_md5.c +index 5e92855..3293419 100644 +--- a/crypto/evp/e_rc4_hmac_md5.c b/crypto/evp/e_rc4_hmac_md5.c +@@ -269,6 +269,8 @@ static int rc4_hmac_md5_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, + len = p[arg - 2] << 8 | p[arg - 1]; + + if (!ctx->encrypt) { ++ if (len < MD5_DIGEST_LENGTH) ++return -1; + len -= MD5_DIGEST_LENGTH; + p[arg - 2] = len >> 8; + p[arg - 1] = len; +-- +2.10.2 + diff --git a/meta/recipes-connectivity/openssl/openssl/0002-CVE-2017-3731.patch b/meta/recipes-connectivity/openssl/openssl/0002-CVE-2017-3731.patch new file mode 100644 index 000..990cbfd --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/0002-CVE-2017-3731.patch 
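Review bot: Both new patch files in this v4 posting spell the status tag `Upstream-status: Backport` (lower-case `s`), whereas the tag this list and the patch-metadata checks look for is `Upstream-Status: Backport`; tooling that matches the exact tag will report these patches as unclassified or malformed. The 0002 patch in this posting has the same spelling, and the v3, v2 and v1 postings below write it as `Upstream status: Backport` with no hyphen or colon after Upstream, which is worse; the v5 posting above corrects it. The C change in this file, `if (len < MD5_DIGEST_LENGTH) return -1;` before `len -= MD5_DIGEST_LENGTH;`, is the intended fix and needs no change.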
@@ -0,0 +1,53 @@ +From 6427f1accc54b515bb899370f1a662bfcb1caa52 Mon Sep 17 00:00:00 2001 +From: Alexandru Moise +Date: Tue, 7 Feb 2017 11:16:13 +0200 +Subject: [PATCH 2/2] crypto/evp: harden AEAD ciphers. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Originally a crash in 32-bit build was reported CHACHA20-POLY1305 +cipher. The crash is triggered by truncated packet and is result +of excessive hashing to the edge of accessible memory. Since hash +operation is read-only it is not considered to be exploitable +beyond a DoS condition. Other ciphers were hardened. + +Thanks to Robert Święcki for report. + +CVE-2017-3731 + +Backported from upstream commit: +2198b3a55de681e1f3c23edb0586afe13f438051 + +Upstream-status: Backport + +Reviewed-by: Rich Salz +Signed-off-by: Alexandru Moise +--- + crypto/evp/e_aes.c | 7 ++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c +index 1734a82..16dcd10 100644 +--- a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c +@@ -1235,10 +1235,15 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) + { + unsigned int len = c->buf[arg - 2] << 8 | c->buf[arg - 1]; + /* Correct length for explicit IV */ ++ if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN) ++ return 0; + len -= EVP_GCM_TLS_EXPLICIT_IV_LEN; + /* If decrypting correct for tag too */ +-if (!c->encrypt) ++if (!c->encrypt) { ++ if (len < EVP_GCM_TLS_TAG_LEN) ++ return 0; + len -= EVP_GCM_TLS_TAG_LEN; ++ } + c->buf[arg - 2] = len >> 8; + c->buf[arg - 1] = len & 0xff; + } +-- +2.10.2 + diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2j.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2j.bb index f2aca
[OE-core] [PATCH v3][morty] openssl: CVE: CVE-2017-3731
If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. Backported from: https://github.com/openssl/openssl/commit/8e20499629b6bcf868d0072c7011e590b5c2294d https://github.com/openssl/openssl/commit/2198b3a55de681e1f3c23edb0586afe13f438051 * CVE: CVE-2017-3731 Upstream-status: Backport Signed-off-by: Alexandru Moise --- .../openssl/openssl/0001-CVE-2017-3731.patch | 46 +++ .../openssl/openssl/0002-CVE-2017-3731.patch | 53 ++ .../recipes-connectivity/openssl/openssl_1.0.2j.bb | 2 + 3 files changed, 101 insertions(+) create mode 100644 meta/recipes-connectivity/openssl/openssl/0001-CVE-2017-3731.patch create mode 100644 meta/recipes-connectivity/openssl/openssl/0002-CVE-2017-3731.patch diff --git a/meta/recipes-connectivity/openssl/openssl/0001-CVE-2017-3731.patch b/meta/recipes-connectivity/openssl/openssl/0001-CVE-2017-3731.patch new file mode 100644 index 000..b378c5e --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/0001-CVE-2017-3731.patch 
@@ -0,0 +1,46 @@ +From 0cde9a9645c949fd0acf657dadc747676245cfaf Mon Sep 17 00:00:00 2001 +From: Alexandru Moise +Date: Tue, 7 Feb 2017 11:13:19 +0200 +Subject: [PATCH 1/2] crypto/evp: harden RC4_MD5 cipher. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Originally a crash in 32-bit build was reported CHACHA20-POLY1305 +cipher. The crash is triggered by truncated packet and is result +of excessive hashing to the edge of accessible memory (or bogus +MAC value is produced if x86 MD5 assembly module is involved). Since +hash operation is read-only it is not considered to be exploitable +beyond a DoS condition. + +Thanks to Robert Święcki for report. + +CVE-2017-3731 + +Backported from upstream commit: +8e20499629b6bcf868d0072c7011e590b5c2294d + +Upstream status: Backport + +Reviewed-by: Rich Salz +Signed-off-by: Alexandru Moise +--- + crypto/evp/e_rc4_hmac_md5.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/crypto/evp/e_rc4_hmac_md5.c b/crypto/evp/e_rc4_hmac_md5.c +index 5e92855..3293419 100644 +--- a/crypto/evp/e_rc4_hmac_md5.c b/crypto/evp/e_rc4_hmac_md5.c +@@ -269,6 +269,8 @@ static int rc4_hmac_md5_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, + len = p[arg - 2] << 8 | p[arg - 1]; + + if (!ctx->encrypt) { ++ if (len < MD5_DIGEST_LENGTH) ++return -1; + len -= MD5_DIGEST_LENGTH; + p[arg - 2] = len >> 8; + p[arg - 1] = len; +-- +2.10.2 + diff --git a/meta/recipes-connectivity/openssl/openssl/0002-CVE-2017-3731.patch b/meta/recipes-connectivity/openssl/openssl/0002-CVE-2017-3731.patch new file mode 100644 index 000..990cbfd --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/0002-CVE-2017-3731.patch 
@@ -0,0 +1,53 @@ +From 6427f1accc54b515bb899370f1a662bfcb1caa52 Mon Sep 17 00:00:00 2001 +From: Alexandru Moise +Date: Tue, 7 Feb 2017 11:16:13 +0200 +Subject: [PATCH 2/2] crypto/evp: harden AEAD ciphers. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Originally a crash in 32-bit build was reported CHACHA20-POLY1305 +cipher. The crash is triggered by truncated packet and is result +of excessive hashing to the edge of accessible memory. Since hash +operation is read-only it is not considered to be exploitable +beyond a DoS condition. Other ciphers were hardened. + +Thanks to Robert Święcki for report. + +CVE-2017-3731 + +Backported from upstream commit: +2198b3a55de681e1f3c23edb0586afe13f438051 + +Upstream status: Backport + +Reviewed-by: Rich Salz +Signed-off-by: Alexandru Moise +--- + crypto/evp/e_aes.c | 7 ++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c +index 1734a82..16dcd10 100644 +--- a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c +@@ -1235,10 +1235,15 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) + { + unsigned int len = c->buf[arg - 2] << 8 | c->buf[arg - 1]; + /* Correct length for explicit IV */ ++ if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN) ++ return 0; + len -= EVP_GCM_TLS_EXPLICIT_IV_LEN; + /* If decrypting correct for tag too */ +-if (!c->encrypt) ++if (!c->encrypt) { ++ if (len < EVP_GCM_TLS_TAG_LEN) ++ return 0; + len -= EVP_GCM_TLS_TAG_LEN; ++ } + c->buf[arg - 2] = len >> 8; + c->buf[arg - 1] = len & 0xff; + } +-- +2.10.2 + diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2j.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2j.bb index f2aca
[OE-core] [PATCH v2][morty] openssl: fix for CVE-2017-3731
If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. Backported from: https://github.com/openssl/openssl/commit/8e20499629b6bcf868d0072c7011e590b5c2294d https://github.com/openssl/openssl/commit/2198b3a55de681e1f3c23edb0586afe13f438051 Upstream status: Backport Signed-off-by: Alexandru Moise --- .../openssl/openssl/0001-CVE-2017-3731.patch | 46 +++ .../openssl/openssl/0002-CVE-2017-3731.patch | 53 ++ .../recipes-connectivity/openssl/openssl_1.0.2j.bb | 2 + 3 files changed, 101 insertions(+) create mode 100644 meta/recipes-connectivity/openssl/openssl/0001-CVE-2017-3731.patch create mode 100644 meta/recipes-connectivity/openssl/openssl/0002-CVE-2017-3731.patch diff --git a/meta/recipes-connectivity/openssl/openssl/0001-CVE-2017-3731.patch b/meta/recipes-connectivity/openssl/openssl/0001-CVE-2017-3731.patch new file mode 100644 index 000..b378c5e --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/0001-CVE-2017-3731.patch 
@@ -0,0 +1,46 @@ +From 0cde9a9645c949fd0acf657dadc747676245cfaf Mon Sep 17 00:00:00 2001 +From: Alexandru Moise +Date: Tue, 7 Feb 2017 11:13:19 +0200 +Subject: [PATCH 1/2] crypto/evp: harden RC4_MD5 cipher. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Originally a crash in 32-bit build was reported CHACHA20-POLY1305 +cipher. The crash is triggered by truncated packet and is result +of excessive hashing to the edge of accessible memory (or bogus +MAC value is produced if x86 MD5 assembly module is involved). Since +hash operation is read-only it is not considered to be exploitable +beyond a DoS condition. + +Thanks to Robert Święcki for report. + +CVE-2017-3731 + +Backported from upstream commit: +8e20499629b6bcf868d0072c7011e590b5c2294d + +Upstream status: Backport + +Reviewed-by: Rich Salz +Signed-off-by: Alexandru Moise +--- + crypto/evp/e_rc4_hmac_md5.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/crypto/evp/e_rc4_hmac_md5.c b/crypto/evp/e_rc4_hmac_md5.c +index 5e92855..3293419 100644 +--- a/crypto/evp/e_rc4_hmac_md5.c b/crypto/evp/e_rc4_hmac_md5.c +@@ -269,6 +269,8 @@ static int rc4_hmac_md5_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, + len = p[arg - 2] << 8 | p[arg - 1]; + + if (!ctx->encrypt) { ++ if (len < MD5_DIGEST_LENGTH) ++return -1; + len -= MD5_DIGEST_LENGTH; + p[arg - 2] = len >> 8; + p[arg - 1] = len; +-- +2.10.2 + diff --git a/meta/recipes-connectivity/openssl/openssl/0002-CVE-2017-3731.patch b/meta/recipes-connectivity/openssl/openssl/0002-CVE-2017-3731.patch new file mode 100644 index 000..990cbfd --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/0002-CVE-2017-3731.patch 
@@ -0,0 +1,53 @@ +From 6427f1accc54b515bb899370f1a662bfcb1caa52 Mon Sep 17 00:00:00 2001 +From: Alexandru Moise +Date: Tue, 7 Feb 2017 11:16:13 +0200 +Subject: [PATCH 2/2] crypto/evp: harden AEAD ciphers. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Originally a crash in 32-bit build was reported CHACHA20-POLY1305 +cipher. The crash is triggered by truncated packet and is result +of excessive hashing to the edge of accessible memory. Since hash +operation is read-only it is not considered to be exploitable +beyond a DoS condition. Other ciphers were hardened. + +Thanks to Robert Święcki for report. + +CVE-2017-3731 + +Backported from upstream commit: +2198b3a55de681e1f3c23edb0586afe13f438051 + +Upstream status: Backport + +Reviewed-by: Rich Salz +Signed-off-by: Alexandru Moise +--- + crypto/evp/e_aes.c | 7 ++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c +index 1734a82..16dcd10 100644 +--- a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c +@@ -1235,10 +1235,15 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) + { + unsigned int len = c->buf[arg - 2] << 8 | c->buf[arg - 1]; + /* Correct length for explicit IV */ ++ if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN) ++ return 0; + len -= EVP_GCM_TLS_EXPLICIT_IV_LEN; + /* If decrypting correct for tag too */ +-if (!c->encrypt) ++if (!c->encrypt) { ++ if (len < EVP_GCM_TLS_TAG_LEN) ++ return 0; + len -= EVP_GCM_TLS_TAG_LEN; ++ } + c->buf[arg - 2] = len >> 8; + c->buf[arg - 1] = len & 0xff; + } +-- +2.10.2 + diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2j.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2j.bb index f2aca36..9a7cded 100644
[OE-core] [morty][PATCH] openssl: CVE-2017-3731
If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. Backported from: https://github.com/openssl/openssl/commit/8e20499629b6bcf868d0072c7011e590b5c2294d https://github.com/openssl/openssl/commit/2198b3a55de681e1f3c23edb0586afe13f438051 Signed-off-by: Alexandru Moise --- .../openssl/openssl/0001-CVE-2017-3731.patch | 46 +++ .../openssl/openssl/0002-CVE-2017-3731.patch | 53 ++ .../recipes-connectivity/openssl/openssl_1.0.2j.bb | 2 + 3 files changed, 101 insertions(+) create mode 100644 meta/recipes-connectivity/openssl/openssl/0001-CVE-2017-3731.patch create mode 100644 meta/recipes-connectivity/openssl/openssl/0002-CVE-2017-3731.patch diff --git a/meta/recipes-connectivity/openssl/openssl/0001-CVE-2017-3731.patch b/meta/recipes-connectivity/openssl/openssl/0001-CVE-2017-3731.patch new file mode 100644 index 000..b378c5e --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/0001-CVE-2017-3731.patch 
@@ -0,0 +1,46 @@ +From 0cde9a9645c949fd0acf657dadc747676245cfaf Mon Sep 17 00:00:00 2001 +From: Alexandru Moise +Date: Tue, 7 Feb 2017 11:13:19 +0200 +Subject: [PATCH 1/2] crypto/evp: harden RC4_MD5 cipher. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Originally a crash in 32-bit build was reported CHACHA20-POLY1305 +cipher. The crash is triggered by truncated packet and is result +of excessive hashing to the edge of accessible memory (or bogus +MAC value is produced if x86 MD5 assembly module is involved). Since +hash operation is read-only it is not considered to be exploitable +beyond a DoS condition. + +Thanks to Robert Święcki for report. + +CVE-2017-3731 + +Backported from upstream commit: +8e20499629b6bcf868d0072c7011e590b5c2294d + +Upstream status: Backport + +Reviewed-by: Rich Salz +Signed-off-by: Alexandru Moise +--- + crypto/evp/e_rc4_hmac_md5.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/crypto/evp/e_rc4_hmac_md5.c b/crypto/evp/e_rc4_hmac_md5.c +index 5e92855..3293419 100644 +--- a/crypto/evp/e_rc4_hmac_md5.c b/crypto/evp/e_rc4_hmac_md5.c +@@ -269,6 +269,8 @@ static int rc4_hmac_md5_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, + len = p[arg - 2] << 8 | p[arg - 1]; + + if (!ctx->encrypt) { ++ if (len < MD5_DIGEST_LENGTH) ++return -1; + len -= MD5_DIGEST_LENGTH; + p[arg - 2] = len >> 8; + p[arg - 1] = len; +-- +2.10.2 + diff --git a/meta/recipes-connectivity/openssl/openssl/0002-CVE-2017-3731.patch b/meta/recipes-connectivity/openssl/openssl/0002-CVE-2017-3731.patch new file mode 100644 index 000..990cbfd --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/0002-CVE-2017-3731.patch 
@@ -0,0 +1,53 @@ +From 6427f1accc54b515bb899370f1a662bfcb1caa52 Mon Sep 17 00:00:00 2001 +From: Alexandru Moise +Date: Tue, 7 Feb 2017 11:16:13 +0200 +Subject: [PATCH 2/2] crypto/evp: harden AEAD ciphers. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Originally a crash in 32-bit build was reported CHACHA20-POLY1305 +cipher. The crash is triggered by truncated packet and is result +of excessive hashing to the edge of accessible memory. Since hash +operation is read-only it is not considered to be exploitable +beyond a DoS condition. Other ciphers were hardened. + +Thanks to Robert Święcki for report. + +CVE-2017-3731 + +Backported from upstream commit: +2198b3a55de681e1f3c23edb0586afe13f438051 + +Upstream status: Backport + +Reviewed-by: Rich Salz +Signed-off-by: Alexandru Moise +--- + crypto/evp/e_aes.c | 7 ++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c +index 1734a82..16dcd10 100644 +--- a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c +@@ -1235,10 +1235,15 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) + { + unsigned int len = c->buf[arg - 2] << 8 | c->buf[arg - 1]; + /* Correct length for explicit IV */ ++ if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN) ++ return 0; + len -= EVP_GCM_TLS_EXPLICIT_IV_LEN; + /* If decrypting correct for tag too */ +-if (!c->encrypt) ++if (!c->encrypt) { ++ if (len < EVP_GCM_TLS_TAG_LEN) ++ return 0; + len -= EVP_GCM_TLS_TAG_LEN; ++ } + c->buf[arg - 2] = len >> 8; + c->buf[arg - 1] = len & 0xff; + } +-- +2.10.2 + diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2j.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2j.bb index f2aca36..9a7cded 100644 --- a/meta/recipes
[OE-core] [PATCH] vim: split tools directory into vim-tools package
Normal install of vim packs with it also the /usr/share/vim/vim*/tools directory that consist of a bunch of scripts such as "vim132" that just starts up vim in 132 column mode for VT-100 terminals and lookalikes. Created the vim-tools separate package for the tools directory. If anyone needs these scripts they can be added to the fs image together with their dependencies. Signed-off-by: Alexandru Moise
---
 meta-oe/recipes-support/vim/vim_7.4.1689.bb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/meta-oe/recipes-support/vim/vim_7.4.1689.bb b/meta-oe/recipes-support/vim/vim_7.4.1689.bb
index 5e6282b..f94a497 100644
--- a/meta-oe/recipes-support/vim/vim_7.4.1689.bb
+++ b/meta-oe/recipes-support/vim/vim_7.4.1689.bb
@@ -78,12 +78,13 @@ do_install() {
 PARALLEL_MAKEINST = ""
-PACKAGES =+ "${PN}-common ${PN}-syntax ${PN}-help ${PN}-tutor ${PN}-vimrc"
+PACKAGES =+ "${PN}-common ${PN}-syntax ${PN}-help ${PN}-tutor ${PN}-vimrc ${PN}-tools"
 FILES_${PN}-syntax = "${datadir}/${BPN}/${VIMDIR}/syntax"
 FILES_${PN}-help = "${datadir}/${BPN}/${VIMDIR}/doc"
 FILES_${PN}-tutor = "${datadir}/${BPN}/${VIMDIR}/tutor ${bindir}/${BPN}tutor"
 FILES_${PN}-vimrc = "${datadir}/${BPN}/vimrc"
 FILES_${PN}-data = "${datadir}/${BPN}"
+FILES_${PN}-tools = "${datadir}/${BPN}/${VIMDIR}/tools"
 FILES_${PN}-common = " \
 ${datadir}/${BPN}/${VIMDIR}/*.vim \
 ${datadir}/${BPN}/${VIMDIR}/autoload \
@@ -97,7 +98,6 @@ FILES_${PN}-common = " \
 ${datadir}/${BPN}/${VIMDIR}/plugin \
 ${datadir}/${BPN}/${VIMDIR}/print \
 ${datadir}/${BPN}/${VIMDIR}/spell \
-${datadir}/${BPN}/${VIMDIR}/tools \
 "
 RDEPENDS_${PN} = "ncurses-terminfo-base"
--
1.9.1
--
___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
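Review bot: The new `${PN}-tools` package is defined only by `FILES_${PN}-tools = "${datadir}/${BPN}/${VIMDIR}/tools"`; it gets no `RDEPENDS`, and the commit message itself says the scripts need their dependencies added separately. If any of those scripts starts with a `#!` interpreter line, packaging derives a file-level runtime dependency that must be satisfied, so either add the interpreter(s) to `RDEPENDS_${PN}-tools` or record the decision next to the FILES line, e.g. `# ${PN}-tools: optional helper scripts such as vim132; their interpreter deps are deliberately not pulled in`. The same comment also explains to a later reader why `tools` was taken out of `FILES_${PN}-common` in the second hunk.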
[OE-core] [PATCH] Fix S4U2Self KDC crash when anon is restricted
This is CVE-2016-3120 The validate_as_request function in kdc_util.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.13.6 and 1.4.x before 1.14.3, when restrict_anonymous_to_tgt is enabled, uses an incorrect client data structure, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via an S4U2Self request. Signed-off-by: Alexandru Moise --- .../krb5/krb5/krb5-CVE-2016-3120.patch | 63 ++ meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb | 1 + 2 files changed, 64 insertions(+) create mode 100644 meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3120.patch diff --git a/meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3120.patch b/meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3120.patch new file mode 100644 index 000..dbc46bb --- /dev/null +++ b/meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3120.patch 
@@ -0,0 +1,63 @@
+From 5b9b82d0696f1ffd4e693c1f8eafc0915b15e85b Mon Sep 17 00:00:00 2001
+From: Greg Hudson
+Date: Tue, 19 Jul 2016 11:00:28 -0400
+Subject: [PATCH] Fix S4U2Self KDC crash when anon is restricted
+
+cherry-picked from 93b4a6306a0026cf1cc31ac4bd8a49ba5d034ba7 upstream
+
+In validate_as_request(), when enforcing restrict_anonymous_to_tgt,
+use client.princ instead of request->client; the latter is NULL when
+validating S4U2Self requests.
+
+CVE-2016-3120:
+
+In MIT krb5 1.9 and later, an authenticated attacker can cause krb5kdc
+to dereference a null pointer if the restrict_anonymous_to_tgt option
+is set to true, by making an S4U2Self request.
+
+ CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C
+
+ticket: 8458 (new)
+target_version: 1.14-next
+target_version: 1.13-next
+
+Upstream-Status: Backport
+
+Signed-off-by: Alexandru Moise
+---
+ src/kdc/kdc_util.c| 2 +-
+ src/tests/t_pkinit.py | 5 +
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
+index 48be1ae..10daec4 100644
+--- a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
+@@ -700,7 +700,7 @@ validate_as_request(kdc_realm_t *kdc_active_realm,
+ return(KDC_ERR_MUST_USE_USER2USER);
+ }
+
+-if (check_anon(kdc_active_realm, request->client, request->server) != 0) {
++if (check_anon(kdc_active_realm, client.princ, request->server) != 0) {
+ *status = "ANONYMOUS NOT ALLOWED";
+ return(KDC_ERR_POLICY);
+ }
+diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
+index 762e322..d27d05b 100644
+--- a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
+@@ -94,6 +94,11 @@ out = realm.run([kvno, realm.host_princ], expected_code=1)
+ if 'KDC policy rejects request' not in out:
+ fail('Wrong error for restricted anonymous PKINIT')
+
++# Regression test for #8458: S4U2Self requests crash the KDC if
++# anonymous is restricted.
++realm.kinit(realm.host_princ, flags=['-k'])
++realm.run([kvno, '-U', 'user', realm.host_princ])
++
+ # Go back to a normal KDC and disable anonymous PKINIT.
+ realm.stop_kdc()
+ realm.start_kdc()
+--
+2.5.0
+
diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb
index 500e194..776eed4 100644
--- a/meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb
+++ b/meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb
@@ -36,6 +36,7 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}-signed.tar
 file://krb5-admin-server.service \
 file://krb5-CVE-2016-3119.patch;striplevel=2 \
 file://0001-Work-around-uninitialized-warning-in-cc_kcm.c.patch;striplevel=2 \
+ file://krb5-CVE-2016-3120.patch;striplevel=2 \
 "
 SRC_URI[md5sum] = "f7ebfa6c99c10b16979ebf9a98343189"
 SRC_URI[sha256sum] = "e528c30b0209c741f6f320cb83122ded92f291802b6a1a1dc1a01dcdb3ff6de1"
--
2.7.4
--
___ Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
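Review bot: The new patch header has `Upstream-Status: Backport` but no `CVE:` tag, so cve-check can only learn about the fix from the file name (`krb5-CVE-2016-3120.patch`), and as far as I recall older versions of that class honour just the in-patch tag; add `CVE: CVE-2016-3120` directly under the Upstream-Status line so the recipe is reported as patched either way. The one-line C change (`client.princ` in place of `request->client` in the `check_anon` call) matches the upstream commit quoted in the header, and the t_pkinit.py regression test is carried along, which is good. The .bb hunk at `@@ -36,6 +36,7 @@` only appends the patch to SRC_URI with `striplevel=2` like its siblings, so nothing further is needed there.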
[OE-core] [PATCH] squid: don't build squid-conf-tests binary
autotools ends up stripping this binary which ends up causing QA Errors at do_package. Remove it.
Signed-off-by: Alexandru Moise
---
...squid-don-t-build-squid-conf-tests-binary.patch | 30 ++
.../recipes-daemons/squid/squid_3.5.7.bb | 1 +
2 files changed, 31 insertions(+)
create mode 100644 meta-networking/recipes-daemons/squid/files/0001-squid-don-t-build-squid-conf-tests-binary.patch
diff --git a/meta-networking/recipes-daemons/squid/files/0001-squid-don-t-build-squid-conf-tests-binary.patch b/meta-networking/recipes-daemons/squid/files/0001-squid-don-t-build-squid-conf-tests-binary.patch
new file mode 100644
index 000..82cd0b0
--- /dev/null
+++ b/meta-networking/recipes-daemons/squid/files/0001-squid-don-t-build-squid-conf-tests-binary.patch
@@ -0,0 +1,30 @@
+From 75f4072e6fc9704713629c87eec750ff708135c4 Mon Sep 17 00:00:00 2001
+From: Alexandru Moise
+Date: Thu, 16 Jun 2016 10:01:41 +0300
+Subject: [PATCH] squid: don't build squid-conf-tests binary
+
+autotools ends up stripping this binary which ends up causing
+QA Errors at do_package. Remove it.
+
+Signed-off-by: Alexandru Moise
+---
+ test-suite/Makefile.am | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/test-suite/Makefile.am b/test-suite/Makefile.am
+index b9c412d..0471bf0 100644
+--- a/test-suite/Makefile.am b/test-suite/Makefile.am
+@@ -43,8 +43,7 @@ TESTS += debug \
+ MemPoolTest\
+ mem_node_test\
+ mem_hdr_test\
+- $(ESI_TESTS) \
+- squid-conf-tests
++ $(ESI_TESTS)
+
+ ## Sort by alpha - any build failures are significant.
+ check_PROGRAMS += debug \
+--
+2.7.4
+
diff --git a/meta-networking/recipes-daemons/squid/squid_3.5.7.bb b/meta-networking/recipes-daemons/squid/squid_3.5.7.bb
index b571e29..2d243fb 100644
--- a/meta-networking/recipes-daemons/squid/squid_3.5.7.bb
+++ b/meta-networking/recipes-daemons/squid/squid_3.5.7.bb
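Review bot: The new patch file carries no `Upstream-Status:` tag, which oe-core requires for every patch listed in SRC_URI; dropping `squid-conf-tests` from `TESTS` to sidestep a do_package QA failure is a local workaround, so `Upstream-Status: Inappropriate [OE specific]` after the Subject line is the right value. Removing the entry from `TESTS` also stops the configuration self-test from running, not merely from being packaged; if the binary is still produced by another rule in test-suite/Makefile.am (not visible here) the already-stripped QA error may simply resurface, whereas excluding it from the package or installing it unstripped would keep the test, so a sentence in the patch description on why that route was not taken would help the next maintainer. The .bb hunk that appends the patch to SRC_URI needs nothing further.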
@@ -21,6 +21,7 @@ SRC_URI = "http://www.squid-cache.org/Versions/v${MAJ_VER}/${MIN_VER}/${BPN}-${P
 file://volatiles.03_squid \
 file://CVE-2016-3947.patch \
 file://CVE-2016-4553.patch \
+ file://0001-squid-don-t-build-squid-conf-tests-binary.patch \
 "
 LIC_FILES_CHKSUM = "file://COPYING;md5=c492e2d6d32ec5c1aad0e0609a141ce9 \
--
2.7.4
--
___ Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH] STIG: The system default umask in /etc/login.defs must be 077
The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users. Also modify /etc/profile in base-files because the /etc/profile file overloads the behavior of /etc/login.defs, so if we desire the functionality provided by setting umask to 077 we should set it in login.defs to adhere to STIG but also set it in /etc/profile to have the intended functionality.
Signed-off-by: Alexandru Moise
---
meta/recipes-core/base-files/base-files/profile| 2 +-
...stem-default-umask-in-etc-login.defs-to-0.patch | 29 ++
meta/recipes-extended/shadow/shadow.inc| 1 +
3 files changed, 31 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-extended/shadow/files/0001-STIG-set-system-default-umask-in-etc-login.defs-to-0.patch
diff --git a/meta/recipes-core/base-files/base-files/profile b/meta/recipes-core/base-files/base-files/profile
index 53c2680..f48a3c0 100644
--- a/meta/recipes-core/base-files/base-files/profile
+++ b/meta/recipes-core/base-files/base-files/profile
@@ -32,5 +32,5 @@ fi
 export PATH PS1 OPIEDIR QPEDIR QTDIR EDITOR TERM
-umask 022
+umask 077
diff --git a/meta/recipes-extended/shadow/files/0001-STIG-set-system-default-umask-in-etc-login.defs-to-0.patch b/meta/recipes-extended/shadow/files/0001-STIG-set-system-default-umask-in-etc-login.defs-to-0.patch
new file mode 100644
index 000..c0d6ee7
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/0001-STIG-set-system-default-umask-in-etc-login.defs-to-0.patch
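Review bot: `umask 077` here applies to every login shell, root's included, so anything an administrator creates interactively — configuration dropped into /etc, a script copied to /usr/local/bin, a shared project directory — is unreadable to other users and groups until someone chmods it, and nothing in the file explains why the stricter default was chosen or that it is paired with the shadow change. A comment above the new line, `# STIG V-38645: default umask 077, kept in sync with UMASK in /etc/login.defs`, records both. Whether all images want 077 rather than 027 is a policy question that would be easier to override as a distro-level setting than as a hard-coded line in base-files, but that is beyond this hunk.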
@@ -0,0 +1,29 @@
+From dd2295715fabd823f01656cef0393cedc5a4bc34 Mon Sep 17 00:00:00 2001
+From: Alexandru Moise
+Date: Wed, 6 Apr 2016 05:45:58 +
+Subject: [PATCH] STIG: set system default umask in /etc/login.defs to 077
+
+Conform to STIG standard:
+https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38645
+
+Signed-off-by: Alexandru Moise
+---
+ etc/login.defs | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/etc/login.defs b/etc/login.defs
+index 8dd7c44..e2a8a65 100644
+--- a/etc/login.defs b/etc/login.defs
+@@ -190,7 +190,7 @@ KILLCHAR 025
+ # 022 is the default value, but 027, or even 077, could be considered
+ # for increased privacy. There is no One True Answer here: each sysadmin
+ # must make up his/her mind.
+-UMASK 022
++UMASK 077
+
+ #
+ # Password aging controls:
+--
+2.5.0
+
diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc
index 4313ffe..9337493 100644
--- a/meta/recipes-extended/shadow/shadow.inc
+++ b/meta/recipes-extended/shadow/shadow.inc
@@ -16,6 +16,7 @@ SRC_URI = "http://pkg-shadow.alioth.debian.org/releases/${BPN}-${PV}.tar.xz \
 file://fix-installation-failure-with-subids-disabled.patch \
 file://0001-Do-not-read-login.defs-before-doing-chroot.patch \
 file://check_size_of_uid_t_and_gid_t_using_AC_CHECK_SIZEOF.patch \
+ file://0001-STIG-set-system-default-umask-in-etc-login.defs-to-0.patch \
 ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \
 "
--
2.7.4
--
___ Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
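Review bot: The inner hunk changes `UMASK 022` to `UMASK 077` but leaves the comment three lines above it, `# 022 is the default value, but 027, or even 077, could be considered`, so the file now contradicts itself; update it to something like `# 077 is the default here (STIG V-38645); 022 or 027 relax it` or drop the stale first clause. The patch also lacks an `Upstream-Status:` tag; this is local policy, so `Upstream-Status: Inappropriate [configuration]` fits. Note that shadow's useradd also reads `UMASK` from login.defs when it creates home directories, so accounts created after this change will, as far as I recall, get 0700 home directories — a larger behavior change than the login umask alone, and worth stating in the patch description. The shadow.inc hunk only appends the patch to SRC_URI and needs nothing more.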
[OE-core] [PATCH] libtool: fix contaminated path to lt_truncate_bin
lt_truncate_bin path is contaminated by the path from the sysroot directory for the build host. Steps to reproduce this issue: $ bitbake -c cleanall libtool $ bitbake coreutils-native $ bitbake libtool $ grep -in "lt_truncate_bin=" tmp/work/*/libtool/*/image/usr/bin/libtool
Signed-off-by: Alexandru Moise
---
meta/recipes-devtools/libtool/libtool_2.4.6.bb | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/recipes-devtools/libtool/libtool_2.4.6.bb b/meta/recipes-devtools/libtool/libtool_2.4.6.bb
index 45f1b2f..3851ec7 100644
--- a/meta/recipes-devtools/libtool/libtool_2.4.6.bb
+++ b/meta/recipes-devtools/libtool/libtool_2.4.6.bb
@@ -10,6 +10,7 @@ SYSROOT_PREPROCESS_FUNCS += "libtool_sysroot_preprocess"
 do_install_append () {
 sed -e 's@--sysroot=${STAGING_DIR_HOST}@@g' \
 -e 's@${STAGING_DIR_HOST}@@g' \
+-e 's@${STAGING_DIR_NATIVE}@@g' \
 -e 's@^\(sys_lib_search_path_spec="\).*@\1${libdir} ${base_libdir}"@' \
 -e 's@^\(compiler_lib_search_dirs="\).*@\1${libdir} ${base_libdir}"@' \
 -e 's@^\(compiler_lib_search_path="\).*@\1${libdir} ${base_libdir}"@' \
--
2.7.4
--
___ Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
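Review bot: The added `-e 's@${STAGING_DIR_NATIVE}@@g'` is an unanchored global substitution, so it strips the native sysroot prefix from every occurrence in the installed libtool script rather than only from `lt_truncate_bin`, and the recipe gives no hint why it sits next to the near-identical STAGING_DIR_HOST line. A comment on the line, `# lt_truncate_bin is recorded with the coreutils-native path; drop the native sysroot so it resolves on the target`, stops the next reader from deleting it as redundant. If any other value in the script legitimately carries that prefix, an anchored pattern such as `s@^\(lt_truncate_bin="\)${STAGING_DIR_NATIVE}@\1@` would be the safer fix, though I have not checked that such a value exists. The `do_install_append` body continues outside the hunk.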
[OE-core] [PATCH] dhcpd: create dhcpd user for dhcp dameon
This patch enables the functionality for dhcpd service to be started with dhcp uid and gid. Test steps: Step 1: Assign ip to interface ifconfig eth0 192.168.1.1 Step 2: Edit /etc/dhcp/dhcpd.conf: default-lease-time 600; max-lease-time 7200; option subnet-mask 255.255.255.0; subnet 192.168.1.0 netmask 255.255.255.0 { option broadcast-address 192.168.1.255; range 192.168.1.88 192.168.1.88; option routers 192.168.1.0; } Step 3: Edit /etc/default/dhcp-server: INTERFACES="eth0" Step 4: Check uid and gid of running dhcpd process $ ps -eo user:19,group:19,cmd | grep dhcpd dhcpdhcp/usr/sbin/dhcpd eth0 -user dhcp -group dhcp
Signed-off-by: Alexandru Moise
---
meta/recipes-connectivity/dhcp/dhcp.inc | 6 +-
meta/recipes-connectivity/dhcp/files/init-server | 2 +-
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/meta/recipes-connectivity/dhcp/dhcp.inc b/meta/recipes-connectivity/dhcp/dhcp.inc
index 9c4233b..5703f1e 100644
--- a/meta/recipes-connectivity/dhcp/dhcp.inc
+++ b/meta/recipes-connectivity/dhcp/dhcp.inc
@@ -24,7 +24,10 @@ SRC_URI = "ftp://ftp.isc.org/isc/dhcp/${PV}/dhcp-${PV}.tar.gz \
 UPSTREAM_CHECK_URI = "ftp://ftp.isc.org/isc/dhcp/";
 UPSTREAM_CHECK_REGEX = "(?P\d+\.\d+\.(\d+?))/"
-inherit autotools systemd
+inherit autotools systemd useradd
+
+USERADD_PACKAGES = "${PN}-server"
+USERADD_PARAM_${PN}-server = "--system --no-create-home --home-dir /var/run/${PN} --shell /bin/false --user-group ${PN}"
 SYSTEMD_PACKAGES = "${PN}-server ${PN}-relay"
 SYSTEMD_SERVICE_${PN}-server = "dhcpd.service dhcpd6.service"
@@ -39,6 +42,7 @@ EXTRA_OECONF = "--with-srv-lease-file=${localstatedir}/lib/dhcp/dhcpd.leases \
 --with-cli-lease-file=${localstatedir}/lib/dhcp/dhclient.leases \
 --with-cli6-lease-file=${localstatedir}/lib/dhcp/dhclient6.leases \
 --with-libbind=${STAGING_LIBDIR}/ \
+ --enable-paranoia \
 "
 do_install_append () {
diff --git a/meta/recipes-connectivity/dhcp/files/init-server b/meta/recipes-connectivity/dhcp/files/init-server
index 34c2085..5e693ad 100644
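Review bot: `SYSTEMD_SERVICE_${PN}-server = "dhcpd.service dhcpd6.service"` (context in the first hunk) is left untouched while only the sysvinit script gains `-user dhcp -group dhcp`, so on a systemd image dhcpd will presumably keep running as root and the two boot paths disagree; either pass the same options from the unit files or state in the recipe that only sysvinit is covered. `--enable-paranoia` in the second hunk is, as far as I know, what compiles in the `-user`/`-group` switches, so the two hunks are coupled and a comment on the `USERADD_PARAM_${PN}-server` line, `# dhcpd drops to this account after start-up; needs --enable-paranoia and a dhcp-owned lease directory`, would tie them together. The account's `--home-dir /var/run/${PN}` is never created (`--no-create-home`, and nothing in the visible hunks makes it), which is harmless for a `/bin/false` service account but should be a deliberate choice. `do_install_append` begins at the end of the second hunk and its body is outside it, so whether lease-directory ownership is handled there cannot be seen here.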
--- a/meta/recipes-connectivity/dhcp/files/init-server
+++ b/meta/recipes-connectivity/dhcp/files/init-server
@@ -20,7 +20,7 @@ case "$1" in
 echo -n "Starting DHCP server: "
 test -d /var/lib/dhcp/ || mkdir -p /var/lib/dhcp/
 test -f /var/lib/dhcp/dhcpd.leases || touch /var/lib/dhcp/dhcpd.leases
- start-stop-daemon -S -x /usr/sbin/dhcpd -- -q $INTERFACES
+ start-stop-daemon -S -x /usr/sbin/dhcpd -- -q $INTERFACES -user dhcp -group dhcp
 echo "."
 ;;
 stop)
--
1.9.1
--
___ Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
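Review bot: The `test -d ... || mkdir -p` and `test -f ... || touch` lines just above the changed line create `/var/lib/dhcp/` and `dhcpd.leases` as root, and the daemon then drops to `dhcp:dhcp`; dhcpd rewrites its lease database by writing a fresh file into that directory and renaming it over the old one, which, as far as I recall, fails once privileges are dropped unless the directory and file belong to the service user — the commit's test only checks the process uid, not a later lease write. Set ownership before starting, e.g. `chown dhcp:dhcp /var/lib/dhcp /var/lib/dhcp/dhcpd.leases` after the `touch` line, or create them with the right owner in the recipe. `-user`/`-group` are only understood by a dhcpd built with `--enable-paranoia`, so a comment on the start line, `# -user/-group require a --enable-paranoia build (see dhcp.inc)`, keeps this script from being reused with a build where dhcpd would reject the options.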