[OE-core] [PATCH] sysklogd: update Makefile for PPC e500v2

2017-12-15 Thread Alexandru Moise
Previous patch doesn't apply cleanly anymore, just replace it with
ported patch.

Signed-off-by: Alexandru Moise <00moses.alexande...@gmail.com>
---
 .../sysklogd/files/no-vectorization.patch  | 32 ++
 1 file changed, 21 insertions(+), 11 deletions(-)

diff --git a/meta/recipes-extended/sysklogd/files/no-vectorization.patch 
b/meta/recipes-extended/sysklogd/files/no-vectorization.patch
index c1cc042c9c..76f60e54b1 100644
--- a/meta/recipes-extended/sysklogd/files/no-vectorization.patch
+++ b/meta/recipes-extended/sysklogd/files/no-vectorization.patch
@@ -1,20 +1,30 @@
-Upstream-Status: Inappropriate
+From 9f17a051a77923fabfd831e946f5d919e452a86f Mon Sep 17 00:00:00 2001
+From: Alexandru Moise <00moses.alexande...@gmail.com>
+Date: Fri, 15 Dec 2017 20:19:38 +0100
+Subject: [PATCH] sysklogd: no vectorization
 
 The compiler should not be generating vectorized instructions on this target.
 This is a work around until I can determine why this is occuring on this
-particular recipe
+particular recipe.
 
-Index: sysklogd-1.5/Makefile
-===
 sysklogd-1.5.orig/Makefile
-+++ sysklogd-1.5/Makefile
-@@ -20,7 +20,8 @@
- CC= gcc
+Signed-off-by: Alexandru Moise <00moses.alexande...@gmail.com>
+---
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile b/Makefile
+index af699d2..cb3ff41 100644
+--- a/Makefile
 b/Makefile
+@@ -19,7 +19,7 @@
+ 
  #SKFLAGS= -g -DSYSV -Wall
  #LDFLAGS= -g
--SKFLAGS= $(RPM_OPT_FLAGS) -O3 -DSYSV -fomit-frame-pointer -Wall 
-fno-strength-reduce
-+SKFLAGS= $(RPM_OPT_FLAGS) -O3 -DSYSV -fomit-frame-pointer -Wall 
-fno-strength-reduce \
-+  -fno-tree-vectorize
+-SKFLAGS = $(CFLAGS) $(CPPFLAGS) -DSYSV -Wall -fno-strength-reduce
++SKFLAGS = $(CFLAGS) $(CPPFLAGS) -DSYSV -Wall -fno-strength-reduce 
-fno-tree-vectorize
  # -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE
  # -D_FILE_OFFSET_BITS=64 -D_LARGEFILE64_SOURCE
  # $(shell getconf LFS_SKFLAGS)
+-- 
+2.15.1
+
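Review bot: The rewritten patch header drops the `Upstream-Status: Inappropriate` line that the old version carried (the removed line at the top of the hunk), and none of the added `From:`/`Date:`/`Subject:`/`Signed-off-by:` lines replaces it, so the patch no longer records why it is not sent upstream. OE-core's patch guidelines expect that tag on every patch; keep it above the Signed-off-by line, e.g. `Upstream-Status: Inappropriate [embedded specific]`, so reviewers and tooling can still classify it. The `--- sysklogd-1.5.orig/Makefile` and `+++ b/Makefile` lines show here as bare context without their diff markers, which is presumably a mail-archive rendering artefact rather than part of the change, but worth confirming against the actual patch file.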
-- 
2.15.1



[OE-core] [meta-selinux] [PATCH v3] refpolicy-mls: user native bzip2 instead of host

2017-02-21 Thread Alexandru Moise
The behavior of b{zip,unzip}2 can vary from host to host with
regard to a number of things such as return value or permissions.

We should always use the native bzip2 package to keep the behavior
deterministic. This change prevents a warning at do_package_qa
task of refpolicy-mls package.

Signed-off-by: Alexandru Moise 
---
Changes in v2:
Use Ross Burton's suggestion of using appending the bzip2-native
path to EXTRANATIVEPATH variable instead of using the absolute path.
Changes in v3:
Add "bzip2-replacement-native" as dependency to ensure that the
bzip2-native package exists in the STAGING_BINDIR_NATIVE path.

 recipes-security/refpolicy/refpolicy_common.inc | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/recipes-security/refpolicy/refpolicy_common.inc 
b/recipes-security/refpolicy/refpolicy_common.inc
index 58152a8..6a45e79 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -27,7 +27,9 @@ FILES_${PN}-dev =+ " \
 ${sysconfdir}/selinux/sepolgen.conf \
 "
 
-DEPENDS += "checkpolicy-native policycoreutils-native m4-native"
+EXTRANATIVEPATH += "bzip2-native"
+
+DEPENDS += "bzip2-replacement-native checkpolicy-native policycoreutils-native 
m4-native"
 
 RDEPENDS-${PN}-dev =+ " \
 python \
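Review bot: The new `EXTRANATIVEPATH += "bzip2-native"` line gives no hint of why this recipe needs a staged bzip2 ahead of the host one; the reason lives only in the commit message, and the pairing with `bzip2-replacement-native` in `DEPENDS` is not obvious to a reader of the .inc file. A one-line comment above it, such as `# Use the staged bzip2-native (provided by bzip2-replacement-native) so the bzip2 calls in prepare_policy_store do not depend on the host's bzip2`, would keep the intent with the code. The `DEPENDS` line appears wrapped across two lines in the archived rendering; presumably it is a single line in the actual patch.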
-- 
2.10.2



[OE-core] [meta-selinux] [PATCH v2] refpolicy-mls: user native bzip2 instead of host

2017-02-21 Thread Alexandru Moise
The behavior of b{zip,unzip}2 can vary from host to host with
regard to a number of things such as return value or permissions.

We should always use the native bzip2 package to keep the behavior
deterministic. This change prevents a warning at do_package_qa
task of refpolicy-mls package.

Signed-off-by: Alexandru Moise 
---
Changes since v1:
Use Ross Burton's suggestion of using appending the bzip2-native
path to EXTRANATIVEPATH variable instead of using the absolute path.

 recipes-security/refpolicy/refpolicy_common.inc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/recipes-security/refpolicy/refpolicy_common.inc 
b/recipes-security/refpolicy/refpolicy_common.inc
index 58152a8..8c0a3fd 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -27,6 +27,8 @@ FILES_${PN}-dev =+ " \
 ${sysconfdir}/selinux/sepolgen.conf \
 "
 
+EXTRANATIVEPATH += "bzip2-native"
+
 DEPENDS += "checkpolicy-native policycoreutils-native m4-native"
 
 RDEPENDS-${PN}-dev =+ " \
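Review bot: `EXTRANATIVEPATH += "bzip2-native"` only puts a `bzip2-native` directory under the native bin dir onto the task PATH; nothing in this hunk adds the dependency that would stage a bzip2 there, and the `DEPENDS` context line below still lists only checkpolicy, policycoreutils and m4. If that directory is absent the lookup presumably falls through to the host bzip2, which is exactly the nondeterminism the commit sets out to remove. Add the provider to the dependency list, e.g. `DEPENDS += "bzip2-replacement-native checkpolicy-native policycoreutils-native m4-native"`.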
-- 
2.10.2



[OE-core] [yocto] [meta-selinux] [PATCH] refpolicy-mls: user native bzip2 instead of host

2017-02-21 Thread Alexandru Moise
The behavior of b{zip,unzip}2 can vary from host to host with
regard to a number of things such as return value or permissions.

We should always use the native bzip2 package to keep the behavior
deterministic. This change prevents a warning at do_package_qa
task of refpolicy-mls package.

Signed-off-by: Alexandru Moise 
---
 recipes-security/refpolicy/refpolicy_common.inc | 14 --
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/recipes-security/refpolicy/refpolicy_common.inc 
b/recipes-security/refpolicy/refpolicy_common.inc
index 58152a8..91dd2ba 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -27,7 +27,7 @@ FILES_${PN}-dev =+ " \
 ${sysconfdir}/selinux/sepolgen.conf \
 "
 
-DEPENDS += "checkpolicy-native policycoreutils-native m4-native"
+DEPENDS += "checkpolicy-native policycoreutils-native m4-native bzip2-native"
 
 RDEPENDS-${PN}-dev =+ " \
 python \
@@ -99,19 +99,21 @@ prepare_policy_store () {
# get hll type from suffix on base policy module
HLL_TYPE=$(echo ${POL_SRC}/base.* | awk -F . '{if (NF>1) {print $NF}}')
HLL_BIN=${STAGING_DIR_NATIVE}${prefix}/libexec/selinux/hll/${HLL_TYPE}
+   native_bzip2=${STAGING_BINDIR_NATIVE}/bzip2-native/bzip2
+   native_bunzip2=${STAGING_BINDIR_NATIVE}/bzip2-native/bunzip2
 
for i in ${POL_SRC}/*.${HLL_TYPE}; do
MOD_NAME=$(basename $i | sed "s/\.${HLL_TYPE}$//")
MOD_DIR=${POL_ACTIVE_MODS}/${MOD_NAME}
mkdir -p ${MOD_DIR}
echo -n "${HLL_TYPE}" > ${MOD_DIR}/lang_ext
-   if ! bzip2 -t $i >/dev/null 2>&1; then
-   ${HLL_BIN} $i | bzip2 --stdout > ${MOD_DIR}/cil
-   bzip2 -f $i && mv -f $i.bz2 $i
+   if ! ${native_bzip2} -t $i >/dev/null 2>&1; then
+   ${HLL_BIN} $i | ${native_bzip2} --stdout > 
${MOD_DIR}/cil
+   ${native_bzip2} -f $i && mv -f $i.bz2 $i
else
-   bunzip2 --stdout $i | \
+   ${native_bunzip2} --stdout $i | \
${HLL_BIN} | \
-   bzip2 --stdout > ${MOD_DIR}/cil
+   ${native_bzip2} --stdout > ${MOD_DIR}/cil
fi
cp $i ${MOD_DIR}/hll
done
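Review bot: The added `native_bzip2`/`native_bunzip2` variables hard-code `${STAGING_BINDIR_NATIVE}/bzip2-native/bzip2` and `.../bunzip2`, tying the function to one staging layout; the first hunk adds plain `bzip2-native` to `DEPENDS`, and whether that recipe alone installs into a `bzip2-native/` subdirectory is not shown here. The recipe-level mechanism for this is to extend the native PATH (`EXTRANATIVEPATH += "bzip2-native"`) together with the provider that populates it, and keep the existing `bzip2`/`bunzip2` invocations untouched, so the shell lines need no change if the layout moves. The touched line `${native_bzip2} -f $i && mv -f $i.bz2 $i` also keeps `$i` unquoted; that is pre-existing style, but quoting the path is cheap while the line is being rewritten. prepare_policy_store starts before this hunk and continues after it.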
-- 
2.10.2



[OE-core] [PATCH v5][morty] openssl: CVE: CVE-2017-3731

2017-02-07 Thread Alexandru Moise
If an SSL/TLS server or client is running on a 32-bit host, and a
specific cipher is being used, then a truncated packet can cause that
server or client  to perform an out-of-bounds read, usually resulting
in a crash.

Backported from:
https://github.com/openssl/openssl/commit/8e20499629b6bcf868d0072c7011e590b5c2294d
https://github.com/openssl/openssl/commit/2198b3a55de681e1f3c23edb0586afe13f438051

* CVE: CVE-2017-3731

Upstream-status: Backport

Signed-off-by: Alexandru Moise 
---
 .../openssl/openssl/0001-CVE-2017-3731.patch   | 46 +++
 .../openssl/openssl/0002-CVE-2017-3731.patch   | 53 ++
 .../recipes-connectivity/openssl/openssl_1.0.2j.bb |  2 +
 3 files changed, 101 insertions(+)
 create mode 100644 
meta/recipes-connectivity/openssl/openssl/0001-CVE-2017-3731.patch
 create mode 100644 
meta/recipes-connectivity/openssl/openssl/0002-CVE-2017-3731.patch

diff --git a/meta/recipes-connectivity/openssl/openssl/0001-CVE-2017-3731.patch 
b/meta/recipes-connectivity/openssl/openssl/0001-CVE-2017-3731.patch
new file mode 100644
index 000..b378c5e
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/0001-CVE-2017-3731.patch
@@ -0,0 +1,46 @@
+From 0cde9a9645c949fd0acf657dadc747676245cfaf Mon Sep 17 00:00:00 2001
+From: Alexandru Moise 
+Date: Tue, 7 Feb 2017 11:13:19 +0200
+Subject: [PATCH 1/2] crypto/evp: harden RC4_MD5 cipher.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Originally a crash in 32-bit build was reported CHACHA20-POLY1305
+cipher. The crash is triggered by truncated packet and is result
+of excessive hashing to the edge of accessible memory (or bogus
+MAC value is produced if x86 MD5 assembly module is involved). Since
+hash operation is read-only it is not considered to be exploitable
+beyond a DoS condition.
+
+Thanks to Robert Święcki for report.
+
+CVE-2017-3731
+
+Backported from upstream commit:
+8e20499629b6bcf868d0072c7011e590b5c2294d
+
+Upstream-Status: Backport
+
+Reviewed-by: Rich Salz 
+Signed-off-by: Alexandru Moise 
+---
+ crypto/evp/e_rc4_hmac_md5.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/crypto/evp/e_rc4_hmac_md5.c b/crypto/evp/e_rc4_hmac_md5.c
+index 5e92855..3293419 100644
+--- a/crypto/evp/e_rc4_hmac_md5.c
 b/crypto/evp/e_rc4_hmac_md5.c
+@@ -269,6 +269,8 @@ static int rc4_hmac_md5_ctrl(EVP_CIPHER_CTX *ctx, int 
type, int arg,
+ len = p[arg - 2] << 8 | p[arg - 1];
+ 
+ if (!ctx->encrypt) {
++  if (len < MD5_DIGEST_LENGTH)
++return -1;
+ len -= MD5_DIGEST_LENGTH;
+ p[arg - 2] = len >> 8;
+ p[arg - 1] = len;
+-- 
+2.10.2
+
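Review bot: The patch body identifies the CVE only with a bare `CVE-2017-3731` line; OE's cve-check tooling looks for the `CVE: CVE-2017-3731` tag form (the filename already carries the id, so this is about consistency with the other tags such as `Upstream-Status: Backport`). The same applies to 0002-CVE-2017-3731.patch. Both backports also rewrite `From:` to the backporter, so the upstream author is recoverable only through the quoted commit hash; keeping the upstream `From:` and adding the backporter's own Signed-off-by would preserve attribution.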
diff --git a/meta/recipes-connectivity/openssl/openssl/0002-CVE-2017-3731.patch 
b/meta/recipes-connectivity/openssl/openssl/0002-CVE-2017-3731.patch
new file mode 100644
index 000..990cbfd
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/0002-CVE-2017-3731.patch
@@ -0,0 +1,53 @@
+From 6427f1accc54b515bb899370f1a662bfcb1caa52 Mon Sep 17 00:00:00 2001
+From: Alexandru Moise 
+Date: Tue, 7 Feb 2017 11:16:13 +0200
+Subject: [PATCH 2/2] crypto/evp: harden AEAD ciphers.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Originally a crash in 32-bit build was reported CHACHA20-POLY1305
+cipher. The crash is triggered by truncated packet and is result
+of excessive hashing to the edge of accessible memory. Since hash
+operation is read-only it is not considered to be exploitable
+beyond a DoS condition. Other ciphers were hardened.
+
+Thanks to Robert Święcki for report.
+
+CVE-2017-3731
+
+Backported from upstream commit:
+2198b3a55de681e1f3c23edb0586afe13f438051
+
+Upstream-Status: Backport
+
+Reviewed-by: Rich Salz 
+Signed-off-by: Alexandru Moise 
+---
+ crypto/evp/e_aes.c | 7 ++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c
+index 1734a82..16dcd10 100644
+--- a/crypto/evp/e_aes.c
 b/crypto/evp/e_aes.c
+@@ -1235,10 +1235,15 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, 
int arg, void *ptr)
+ {
+ unsigned int len = c->buf[arg - 2] << 8 | c->buf[arg - 1];
+ /* Correct length for explicit IV */
++  if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN)
++  return 0;
+ len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
+ /* If decrypting correct for tag too */
+-if (!c->encrypt)
++if (!c->encrypt) {
++  if (len < EVP_GCM_TLS_TAG_LEN)
++  return 0;
+ len -= EVP_GCM_TLS_TAG_LEN;
++  }
+ c->buf[arg - 2] = len >> 8;
+ c->buf[arg - 1] = len & 0xff;
+ }
+-- 
+2.10.2
+
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2j.bb 
b/meta/recipes-connectivity/openssl/openssl_1.0.2j.bb
index f2aca

[OE-core] [PATCH v4][morty] openssl: CVE: CVE-2017-3731

2017-02-07 Thread Alexandru Moise
If an SSL/TLS server or client is running on a 32-bit host, and a
specific cipher is being used, then a truncated packet can cause that
server or client  to perform an out-of-bounds read, usually resulting
in a crash.

Backported from:
https://github.com/openssl/openssl/commit/8e20499629b6bcf868d0072c7011e590b5c2294d
https://github.com/openssl/openssl/commit/2198b3a55de681e1f3c23edb0586afe13f438051

* CVE: CVE-2017-3731

Upstream-status: Backport

Signed-off-by: Alexandru Moise 
---
 .../openssl/openssl/0001-CVE-2017-3731.patch   | 46 +++
 .../openssl/openssl/0002-CVE-2017-3731.patch   | 53 ++
 .../recipes-connectivity/openssl/openssl_1.0.2j.bb |  2 +
 3 files changed, 101 insertions(+)
 create mode 100644 
meta/recipes-connectivity/openssl/openssl/0001-CVE-2017-3731.patch
 create mode 100644 
meta/recipes-connectivity/openssl/openssl/0002-CVE-2017-3731.patch

diff --git a/meta/recipes-connectivity/openssl/openssl/0001-CVE-2017-3731.patch 
b/meta/recipes-connectivity/openssl/openssl/0001-CVE-2017-3731.patch
new file mode 100644
index 000..b378c5e
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/0001-CVE-2017-3731.patch
@@ -0,0 +1,46 @@
+From 0cde9a9645c949fd0acf657dadc747676245cfaf Mon Sep 17 00:00:00 2001
+From: Alexandru Moise 
+Date: Tue, 7 Feb 2017 11:13:19 +0200
+Subject: [PATCH 1/2] crypto/evp: harden RC4_MD5 cipher.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Originally a crash in 32-bit build was reported CHACHA20-POLY1305
+cipher. The crash is triggered by truncated packet and is result
+of excessive hashing to the edge of accessible memory (or bogus
+MAC value is produced if x86 MD5 assembly module is involved). Since
+hash operation is read-only it is not considered to be exploitable
+beyond a DoS condition.
+
+Thanks to Robert Święcki for report.
+
+CVE-2017-3731
+
+Backported from upstream commit:
+8e20499629b6bcf868d0072c7011e590b5c2294d
+
+Upstream-status: Backport
+
+Reviewed-by: Rich Salz 
+Signed-off-by: Alexandru Moise 
+---
+ crypto/evp/e_rc4_hmac_md5.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/crypto/evp/e_rc4_hmac_md5.c b/crypto/evp/e_rc4_hmac_md5.c
+index 5e92855..3293419 100644
+--- a/crypto/evp/e_rc4_hmac_md5.c
 b/crypto/evp/e_rc4_hmac_md5.c
+@@ -269,6 +269,8 @@ static int rc4_hmac_md5_ctrl(EVP_CIPHER_CTX *ctx, int 
type, int arg,
+ len = p[arg - 2] << 8 | p[arg - 1];
+ 
+ if (!ctx->encrypt) {
++  if (len < MD5_DIGEST_LENGTH)
++return -1;
+ len -= MD5_DIGEST_LENGTH;
+ p[arg - 2] = len >> 8;
+ p[arg - 1] = len;
+-- 
+2.10.2
+
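Review bot: The status tag in the new patch reads `Upstream-status: Backport`, and 0002-CVE-2017-3731.patch has the same spelling; OE's patch conventions use exactly `Upstream-Status: Backport`, and tooling that greps for the tag is case-sensitive, so it should be corrected in both files. The bare `CVE-2017-3731` line would likewise be better expressed as the `CVE: CVE-2017-3731` tag that cve-check recognises.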
diff --git a/meta/recipes-connectivity/openssl/openssl/0002-CVE-2017-3731.patch 
b/meta/recipes-connectivity/openssl/openssl/0002-CVE-2017-3731.patch
new file mode 100644
index 000..990cbfd
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/0002-CVE-2017-3731.patch
@@ -0,0 +1,53 @@
+From 6427f1accc54b515bb899370f1a662bfcb1caa52 Mon Sep 17 00:00:00 2001
+From: Alexandru Moise 
+Date: Tue, 7 Feb 2017 11:16:13 +0200
+Subject: [PATCH 2/2] crypto/evp: harden AEAD ciphers.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Originally a crash in 32-bit build was reported CHACHA20-POLY1305
+cipher. The crash is triggered by truncated packet and is result
+of excessive hashing to the edge of accessible memory. Since hash
+operation is read-only it is not considered to be exploitable
+beyond a DoS condition. Other ciphers were hardened.
+
+Thanks to Robert Święcki for report.
+
+CVE-2017-3731
+
+Backported from upstream commit:
+2198b3a55de681e1f3c23edb0586afe13f438051
+
+Upstream-status: Backport
+
+Reviewed-by: Rich Salz 
+Signed-off-by: Alexandru Moise 
+---
+ crypto/evp/e_aes.c | 7 ++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c
+index 1734a82..16dcd10 100644
+--- a/crypto/evp/e_aes.c
 b/crypto/evp/e_aes.c
+@@ -1235,10 +1235,15 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, 
int arg, void *ptr)
+ {
+ unsigned int len = c->buf[arg - 2] << 8 | c->buf[arg - 1];
+ /* Correct length for explicit IV */
++  if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN)
++  return 0;
+ len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
+ /* If decrypting correct for tag too */
+-if (!c->encrypt)
++if (!c->encrypt) {
++  if (len < EVP_GCM_TLS_TAG_LEN)
++  return 0;
+ len -= EVP_GCM_TLS_TAG_LEN;
++  }
+ c->buf[arg - 2] = len >> 8;
+ c->buf[arg - 1] = len & 0xff;
+ }
+-- 
+2.10.2
+
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2j.bb 
b/meta/recipes-connectivity/openssl/openssl_1.0.2j.bb
index f2aca

[OE-core] [PATCH v3][morty] openssl: CVE: CVE-2017-3731

2017-02-07 Thread Alexandru Moise
If an SSL/TLS server or client is running on a 32-bit host, and a
specific cipher is being used, then a truncated packet can cause that
server or client  to perform an out-of-bounds read, usually resulting
in a crash.

Backported from:
https://github.com/openssl/openssl/commit/8e20499629b6bcf868d0072c7011e590b5c2294d
https://github.com/openssl/openssl/commit/2198b3a55de681e1f3c23edb0586afe13f438051

* CVE: CVE-2017-3731

Upstream-status: Backport

Signed-off-by: Alexandru Moise 
---
 .../openssl/openssl/0001-CVE-2017-3731.patch   | 46 +++
 .../openssl/openssl/0002-CVE-2017-3731.patch   | 53 ++
 .../recipes-connectivity/openssl/openssl_1.0.2j.bb |  2 +
 3 files changed, 101 insertions(+)
 create mode 100644 
meta/recipes-connectivity/openssl/openssl/0001-CVE-2017-3731.patch
 create mode 100644 
meta/recipes-connectivity/openssl/openssl/0002-CVE-2017-3731.patch

diff --git a/meta/recipes-connectivity/openssl/openssl/0001-CVE-2017-3731.patch 
b/meta/recipes-connectivity/openssl/openssl/0001-CVE-2017-3731.patch
new file mode 100644
index 000..b378c5e
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/0001-CVE-2017-3731.patch
@@ -0,0 +1,46 @@
+From 0cde9a9645c949fd0acf657dadc747676245cfaf Mon Sep 17 00:00:00 2001
+From: Alexandru Moise 
+Date: Tue, 7 Feb 2017 11:13:19 +0200
+Subject: [PATCH 1/2] crypto/evp: harden RC4_MD5 cipher.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Originally a crash in 32-bit build was reported CHACHA20-POLY1305
+cipher. The crash is triggered by truncated packet and is result
+of excessive hashing to the edge of accessible memory (or bogus
+MAC value is produced if x86 MD5 assembly module is involved). Since
+hash operation is read-only it is not considered to be exploitable
+beyond a DoS condition.
+
+Thanks to Robert Święcki for report.
+
+CVE-2017-3731
+
+Backported from upstream commit:
+8e20499629b6bcf868d0072c7011e590b5c2294d
+
+Upstream status: Backport
+
+Reviewed-by: Rich Salz 
+Signed-off-by: Alexandru Moise 
+---
+ crypto/evp/e_rc4_hmac_md5.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/crypto/evp/e_rc4_hmac_md5.c b/crypto/evp/e_rc4_hmac_md5.c
+index 5e92855..3293419 100644
+--- a/crypto/evp/e_rc4_hmac_md5.c
 b/crypto/evp/e_rc4_hmac_md5.c
+@@ -269,6 +269,8 @@ static int rc4_hmac_md5_ctrl(EVP_CIPHER_CTX *ctx, int 
type, int arg,
+ len = p[arg - 2] << 8 | p[arg - 1];
+ 
+ if (!ctx->encrypt) {
++  if (len < MD5_DIGEST_LENGTH)
++return -1;
+ len -= MD5_DIGEST_LENGTH;
+ p[arg - 2] = len >> 8;
+ p[arg - 1] = len;
+-- 
+2.10.2
+
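Review bot: `Upstream status: Backport` is missing the hyphen that makes it the recognised tag; OE's patch conventions expect exactly `Upstream-Status: Backport`, and 0002-CVE-2017-3731.patch in this series has the same line. The bare `CVE-2017-3731` line is also better written as the `CVE: CVE-2017-3731` tag so cve-check picks it up independently of the filename.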
diff --git a/meta/recipes-connectivity/openssl/openssl/0002-CVE-2017-3731.patch 
b/meta/recipes-connectivity/openssl/openssl/0002-CVE-2017-3731.patch
new file mode 100644
index 000..990cbfd
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/0002-CVE-2017-3731.patch
@@ -0,0 +1,53 @@
+From 6427f1accc54b515bb899370f1a662bfcb1caa52 Mon Sep 17 00:00:00 2001
+From: Alexandru Moise 
+Date: Tue, 7 Feb 2017 11:16:13 +0200
+Subject: [PATCH 2/2] crypto/evp: harden AEAD ciphers.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Originally a crash in 32-bit build was reported CHACHA20-POLY1305
+cipher. The crash is triggered by truncated packet and is result
+of excessive hashing to the edge of accessible memory. Since hash
+operation is read-only it is not considered to be exploitable
+beyond a DoS condition. Other ciphers were hardened.
+
+Thanks to Robert Święcki for report.
+
+CVE-2017-3731
+
+Backported from upstream commit:
+2198b3a55de681e1f3c23edb0586afe13f438051
+
+Upstream status: Backport
+
+Reviewed-by: Rich Salz 
+Signed-off-by: Alexandru Moise 
+---
+ crypto/evp/e_aes.c | 7 ++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c
+index 1734a82..16dcd10 100644
+--- a/crypto/evp/e_aes.c
 b/crypto/evp/e_aes.c
+@@ -1235,10 +1235,15 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, 
int arg, void *ptr)
+ {
+ unsigned int len = c->buf[arg - 2] << 8 | c->buf[arg - 1];
+ /* Correct length for explicit IV */
++  if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN)
++  return 0;
+ len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
+ /* If decrypting correct for tag too */
+-if (!c->encrypt)
++if (!c->encrypt) {
++  if (len < EVP_GCM_TLS_TAG_LEN)
++  return 0;
+ len -= EVP_GCM_TLS_TAG_LEN;
++  }
+ c->buf[arg - 2] = len >> 8;
+ c->buf[arg - 1] = len & 0xff;
+ }
+-- 
+2.10.2
+
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2j.bb 
b/meta/recipes-connectivity/openssl/openssl_1.0.2j.bb
index f2aca

[OE-core] [PATCH v2][morty] openssl: fix for CVE-2017-3731

2017-02-07 Thread Alexandru Moise
If an SSL/TLS server or client is running on a 32-bit host, and a
specific cipher is being used, then a truncated packet can cause that
server or client  to perform an out-of-bounds read, usually resulting
in a crash.

Backported from:
https://github.com/openssl/openssl/commit/8e20499629b6bcf868d0072c7011e590b5c2294d
https://github.com/openssl/openssl/commit/2198b3a55de681e1f3c23edb0586afe13f438051

Upstream status: Backport

Signed-off-by: Alexandru Moise 
---
 .../openssl/openssl/0001-CVE-2017-3731.patch   | 46 +++
 .../openssl/openssl/0002-CVE-2017-3731.patch   | 53 ++
 .../recipes-connectivity/openssl/openssl_1.0.2j.bb |  2 +
 3 files changed, 101 insertions(+)
 create mode 100644 
meta/recipes-connectivity/openssl/openssl/0001-CVE-2017-3731.patch
 create mode 100644 
meta/recipes-connectivity/openssl/openssl/0002-CVE-2017-3731.patch

diff --git a/meta/recipes-connectivity/openssl/openssl/0001-CVE-2017-3731.patch 
b/meta/recipes-connectivity/openssl/openssl/0001-CVE-2017-3731.patch
new file mode 100644
index 000..b378c5e
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/0001-CVE-2017-3731.patch
@@ -0,0 +1,46 @@
+From 0cde9a9645c949fd0acf657dadc747676245cfaf Mon Sep 17 00:00:00 2001
+From: Alexandru Moise 
+Date: Tue, 7 Feb 2017 11:13:19 +0200
+Subject: [PATCH 1/2] crypto/evp: harden RC4_MD5 cipher.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Originally a crash in 32-bit build was reported CHACHA20-POLY1305
+cipher. The crash is triggered by truncated packet and is result
+of excessive hashing to the edge of accessible memory (or bogus
+MAC value is produced if x86 MD5 assembly module is involved). Since
+hash operation is read-only it is not considered to be exploitable
+beyond a DoS condition.
+
+Thanks to Robert Święcki for report.
+
+CVE-2017-3731
+
+Backported from upstream commit:
+8e20499629b6bcf868d0072c7011e590b5c2294d
+
+Upstream status: Backport
+
+Reviewed-by: Rich Salz 
+Signed-off-by: Alexandru Moise 
+---
+ crypto/evp/e_rc4_hmac_md5.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/crypto/evp/e_rc4_hmac_md5.c b/crypto/evp/e_rc4_hmac_md5.c
+index 5e92855..3293419 100644
+--- a/crypto/evp/e_rc4_hmac_md5.c
 b/crypto/evp/e_rc4_hmac_md5.c
+@@ -269,6 +269,8 @@ static int rc4_hmac_md5_ctrl(EVP_CIPHER_CTX *ctx, int 
type, int arg,
+ len = p[arg - 2] << 8 | p[arg - 1];
+ 
+ if (!ctx->encrypt) {
++  if (len < MD5_DIGEST_LENGTH)
++return -1;
+ len -= MD5_DIGEST_LENGTH;
+ p[arg - 2] = len >> 8;
+ p[arg - 1] = len;
+-- 
+2.10.2
+
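Review bot: The tag `Upstream status: Backport` will not be recognised as the OE `Upstream-Status:` tag because of the missing hyphen; write it as `Upstream-Status: Backport` here and in 0002-CVE-2017-3731.patch. A `CVE: CVE-2017-3731` tag line in place of the bare `CVE-2017-3731` would also let cve-check match the patch by content rather than by filename alone.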
diff --git a/meta/recipes-connectivity/openssl/openssl/0002-CVE-2017-3731.patch 
b/meta/recipes-connectivity/openssl/openssl/0002-CVE-2017-3731.patch
new file mode 100644
index 000..990cbfd
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/0002-CVE-2017-3731.patch
@@ -0,0 +1,53 @@
+From 6427f1accc54b515bb899370f1a662bfcb1caa52 Mon Sep 17 00:00:00 2001
+From: Alexandru Moise 
+Date: Tue, 7 Feb 2017 11:16:13 +0200
+Subject: [PATCH 2/2] crypto/evp: harden AEAD ciphers.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Originally a crash in 32-bit build was reported CHACHA20-POLY1305
+cipher. The crash is triggered by truncated packet and is result
+of excessive hashing to the edge of accessible memory. Since hash
+operation is read-only it is not considered to be exploitable
+beyond a DoS condition. Other ciphers were hardened.
+
+Thanks to Robert Święcki for report.
+
+CVE-2017-3731
+
+Backported from upstream commit:
+2198b3a55de681e1f3c23edb0586afe13f438051
+
+Upstream status: Backport
+
+Reviewed-by: Rich Salz 
+Signed-off-by: Alexandru Moise 
+---
+ crypto/evp/e_aes.c | 7 ++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c
+index 1734a82..16dcd10 100644
+--- a/crypto/evp/e_aes.c
 b/crypto/evp/e_aes.c
+@@ -1235,10 +1235,15 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, 
int arg, void *ptr)
+ {
+ unsigned int len = c->buf[arg - 2] << 8 | c->buf[arg - 1];
+ /* Correct length for explicit IV */
++  if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN)
++  return 0;
+ len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
+ /* If decrypting correct for tag too */
+-if (!c->encrypt)
++if (!c->encrypt) {
++  if (len < EVP_GCM_TLS_TAG_LEN)
++  return 0;
+ len -= EVP_GCM_TLS_TAG_LEN;
++  }
+ c->buf[arg - 2] = len >> 8;
+ c->buf[arg - 1] = len & 0xff;
+ }
+-- 
+2.10.2
+
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2j.bb 
b/meta/recipes-connectivity/openssl/openssl_1.0.2j.bb
index f2aca36..9a7cded 100644

[OE-core] [morty][PATCH] openssl: CVE-2017-3731

2017-02-07 Thread Alexandru Moise
If an SSL/TLS server or client is running on a 32-bit host, and a
specific cipher is being used, then a truncated packet can cause that
server or client  to perform an out-of-bounds read, usually resulting
in a crash.

Backported from:
https://github.com/openssl/openssl/commit/8e20499629b6bcf868d0072c7011e590b5c2294d
https://github.com/openssl/openssl/commit/2198b3a55de681e1f3c23edb0586afe13f438051

Signed-off-by: Alexandru Moise 
---
 .../openssl/openssl/0001-CVE-2017-3731.patch   | 46 +++
 .../openssl/openssl/0002-CVE-2017-3731.patch   | 53 ++
 .../recipes-connectivity/openssl/openssl_1.0.2j.bb |  2 +
 3 files changed, 101 insertions(+)
 create mode 100644 
meta/recipes-connectivity/openssl/openssl/0001-CVE-2017-3731.patch
 create mode 100644 
meta/recipes-connectivity/openssl/openssl/0002-CVE-2017-3731.patch

diff --git a/meta/recipes-connectivity/openssl/openssl/0001-CVE-2017-3731.patch 
b/meta/recipes-connectivity/openssl/openssl/0001-CVE-2017-3731.patch
new file mode 100644
index 000..b378c5e
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/0001-CVE-2017-3731.patch
@@ -0,0 +1,46 @@
+From 0cde9a9645c949fd0acf657dadc747676245cfaf Mon Sep 17 00:00:00 2001
+From: Alexandru Moise 
+Date: Tue, 7 Feb 2017 11:13:19 +0200
+Subject: [PATCH 1/2] crypto/evp: harden RC4_MD5 cipher.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Originally a crash in 32-bit build was reported CHACHA20-POLY1305
+cipher. The crash is triggered by truncated packet and is result
+of excessive hashing to the edge of accessible memory (or bogus
+MAC value is produced if x86 MD5 assembly module is involved). Since
+hash operation is read-only it is not considered to be exploitable
+beyond a DoS condition.
+
+Thanks to Robert Święcki for report.
+
+CVE-2017-3731
+
+Backported from upstream commit:
+8e20499629b6bcf868d0072c7011e590b5c2294d
+
+Upstream status: Backport
+
+Reviewed-by: Rich Salz 
+Signed-off-by: Alexandru Moise 
+---
+ crypto/evp/e_rc4_hmac_md5.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/crypto/evp/e_rc4_hmac_md5.c b/crypto/evp/e_rc4_hmac_md5.c
+index 5e92855..3293419 100644
+--- a/crypto/evp/e_rc4_hmac_md5.c
 b/crypto/evp/e_rc4_hmac_md5.c
+@@ -269,6 +269,8 @@ static int rc4_hmac_md5_ctrl(EVP_CIPHER_CTX *ctx, int 
type, int arg,
+ len = p[arg - 2] << 8 | p[arg - 1];
+ 
+ if (!ctx->encrypt) {
++  if (len < MD5_DIGEST_LENGTH)
++return -1;
+ len -= MD5_DIGEST_LENGTH;
+ p[arg - 2] = len >> 8;
+ p[arg - 1] = len;
+-- 
+2.10.2
+
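Review bot: `Upstream status: Backport` in the new patch (and the same line in 0002-CVE-2017-3731.patch) is not the recognised tag spelling; OE's patch conventions expect `Upstream-Status: Backport` with the hyphen. The bare `CVE-2017-3731` line is likewise better as `CVE: CVE-2017-3731`, the tag form that cve-check looks for.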
diff --git a/meta/recipes-connectivity/openssl/openssl/0002-CVE-2017-3731.patch 
b/meta/recipes-connectivity/openssl/openssl/0002-CVE-2017-3731.patch
new file mode 100644
index 000..990cbfd
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/0002-CVE-2017-3731.patch
@@ -0,0 +1,53 @@
+From 6427f1accc54b515bb899370f1a662bfcb1caa52 Mon Sep 17 00:00:00 2001
+From: Alexandru Moise 
+Date: Tue, 7 Feb 2017 11:16:13 +0200
+Subject: [PATCH 2/2] crypto/evp: harden AEAD ciphers.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Originally a crash in 32-bit build was reported CHACHA20-POLY1305
+cipher. The crash is triggered by truncated packet and is result
+of excessive hashing to the edge of accessible memory. Since hash
+operation is read-only it is not considered to be exploitable
+beyond a DoS condition. Other ciphers were hardened.
+
+Thanks to Robert Święcki for report.
+
+CVE-2017-3731
+
+Backported from upstream commit:
+2198b3a55de681e1f3c23edb0586afe13f438051
+
+Upstream status: Backport
+
+Reviewed-by: Rich Salz 
+Signed-off-by: Alexandru Moise 
+---
+ crypto/evp/e_aes.c | 7 ++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c
+index 1734a82..16dcd10 100644
+--- a/crypto/evp/e_aes.c
 b/crypto/evp/e_aes.c
+@@ -1235,10 +1235,15 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, 
int arg, void *ptr)
+ {
+ unsigned int len = c->buf[arg - 2] << 8 | c->buf[arg - 1];
+ /* Correct length for explicit IV */
++  if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN)
++  return 0;
+ len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
+ /* If decrypting correct for tag too */
+-if (!c->encrypt)
++if (!c->encrypt) {
++  if (len < EVP_GCM_TLS_TAG_LEN)
++  return 0;
+ len -= EVP_GCM_TLS_TAG_LEN;
++  }
+ c->buf[arg - 2] = len >> 8;
+ c->buf[arg - 1] = len & 0xff;
+ }
+-- 
+2.10.2
+
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2j.bb 
b/meta/recipes-connectivity/openssl/openssl_1.0.2j.bb
index f2aca36..9a7cded 100644
--- a/meta/recipes

[OE-core] [PATCH] vim: split tools directory into vim-tools package

2016-08-26 Thread Alexandru Moise
Normal install of vim packs with it also the /usr/share/vim/vim*/tools
directory that consist of a bunch of scripts such as "vim132" that
just starts up vim in 132 column mode for VT-100 terminals and
lookalikes.

Created the vim-tools separate package for the tools directory. If
anyone needs these scripts they can be added to the fs image together
with their dependencies.

Signed-off-by: Alexandru Moise 
---
 meta-oe/recipes-support/vim/vim_7.4.1689.bb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta-oe/recipes-support/vim/vim_7.4.1689.bb 
b/meta-oe/recipes-support/vim/vim_7.4.1689.bb
index 5e6282b..f94a497 100644
--- a/meta-oe/recipes-support/vim/vim_7.4.1689.bb
+++ b/meta-oe/recipes-support/vim/vim_7.4.1689.bb
@@ -78,12 +78,13 @@ do_install() {
 
 PARALLEL_MAKEINST = ""
 
-PACKAGES =+ "${PN}-common ${PN}-syntax ${PN}-help ${PN}-tutor ${PN}-vimrc"
+PACKAGES =+ "${PN}-common ${PN}-syntax ${PN}-help ${PN}-tutor ${PN}-vimrc 
${PN}-tools"
 FILES_${PN}-syntax = "${datadir}/${BPN}/${VIMDIR}/syntax"
 FILES_${PN}-help = "${datadir}/${BPN}/${VIMDIR}/doc"
 FILES_${PN}-tutor = "${datadir}/${BPN}/${VIMDIR}/tutor ${bindir}/${BPN}tutor"
 FILES_${PN}-vimrc = "${datadir}/${BPN}/vimrc"
 FILES_${PN}-data = "${datadir}/${BPN}"
+FILES_${PN}-tools = "${datadir}/${BPN}/${VIMDIR}/tools"
 FILES_${PN}-common = " \
 ${datadir}/${BPN}/${VIMDIR}/*.vim \
 ${datadir}/${BPN}/${VIMDIR}/autoload \
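Review bot: The new `${PN}-tools` package is declared only through `PACKAGES` and `FILES_${PN}-tools`; it gets no `SUMMARY_${PN}-tools`, and although the commit message says these scripts need their own dependencies, no `RDEPENDS_${PN}-tools` records them, so the package may install without the interpreters the scripts expect. Consider adding e.g. `SUMMARY_${PN}-tools = "Helper scripts shipped with vim (vim132 and similar)"` next to the FILES line and listing the scripts' runtime dependencies there. `FILES_${PN}-data = "${datadir}/${BPN}"` on the line above is a catch-all for the same tree, so the split presumably relies on `${PN}-tools` being ordered ahead of `${PN}-data` in PACKAGES; that ordering is not visible in this hunk.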
@@ -97,7 +98,6 @@ FILES_${PN}-common = " \
 ${datadir}/${BPN}/${VIMDIR}/plugin \
 ${datadir}/${BPN}/${VIMDIR}/print \
 ${datadir}/${BPN}/${VIMDIR}/spell \
-${datadir}/${BPN}/${VIMDIR}/tools \
 "
 
 RDEPENDS_${PN} = "ncurses-terminfo-base"
-- 
1.9.1



[OE-core] [PATCH] Fix S4U2Self KDC crash when anon is restricted

2016-08-17 Thread Alexandru Moise
This is CVE-2016-3120

The validate_as_request function in kdc_util.c in the Key Distribution
Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.13.6 and 1.4.x before
1.14.3, when restrict_anonymous_to_tgt is enabled, uses an incorrect
client data structure, which allows remote authenticated users to cause
a denial of service (NULL pointer dereference and daemon crash) via an
S4U2Self request.

Signed-off-by: Alexandru Moise 
---
 .../krb5/krb5/krb5-CVE-2016-3120.patch | 63 ++
 meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb   |  1 +
 2 files changed, 64 insertions(+)
 create mode 100644 
meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3120.patch

diff --git a/meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3120.patch 
b/meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3120.patch
new file mode 100644
index 000..dbc46bb
--- /dev/null
+++ b/meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE-2016-3120.patch
@@ -0,0 +1,63 @@
+From 5b9b82d0696f1ffd4e693c1f8eafc0915b15e85b Mon Sep 17 00:00:00 2001
+From: Greg Hudson 
+Date: Tue, 19 Jul 2016 11:00:28 -0400
+Subject: [PATCH] Fix S4U2Self KDC crash when anon is restricted
+
+cherry-picked from 93b4a6306a0026cf1cc31ac4bd8a49ba5d034ba7 upstream
+
+In validate_as_request(), when enforcing restrict_anonymous_to_tgt,
+use client.princ instead of request->client; the latter is NULL when
+validating S4U2Self requests.
+
+CVE-2016-3120:
+
+In MIT krb5 1.9 and later, an authenticated attacker can cause krb5kdc
+to dereference a null pointer if the restrict_anonymous_to_tgt option
+is set to true, by making an S4U2Self request.
+
+  CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C
+
+ticket: 8458 (new)
+target_version: 1.14-next
+target_version: 1.13-next
+
+Upstream-Status: Backport
+
+Signed-off-by: Alexandru Moise 
+---
+ src/kdc/kdc_util.c| 2 +-
+ src/tests/t_pkinit.py | 5 +
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
+index 48be1ae..10daec4 100644
+--- a/src/kdc/kdc_util.c
 b/src/kdc/kdc_util.c
+@@ -700,7 +700,7 @@ validate_as_request(kdc_realm_t *kdc_active_realm,
+ return(KDC_ERR_MUST_USE_USER2USER);
+ }
+ 
+-if (check_anon(kdc_active_realm, request->client, request->server) != 0) {
++if (check_anon(kdc_active_realm, client.princ, request->server) != 0) {
+ *status = "ANONYMOUS NOT ALLOWED";
+ return(KDC_ERR_POLICY);
+ }
+diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
+index 762e322..d27d05b 100644
+--- a/src/tests/t_pkinit.py
 b/src/tests/t_pkinit.py
+@@ -94,6 +94,11 @@ out = realm.run([kvno, realm.host_princ], expected_code=1)
+ if 'KDC policy rejects request' not in out:
+ fail('Wrong error for restricted anonymous PKINIT')
+ 
++# Regression test for #8458: S4U2Self requests crash the KDC if
++# anonymous is restricted.
++realm.kinit(realm.host_princ, flags=['-k'])
++realm.run([kvno, '-U', 'user', realm.host_princ])
++
+ # Go back to a normal KDC and disable anonymous PKINIT.
+ realm.stop_kdc()
+ realm.start_kdc()
+-- 
+2.5.0
+
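Review bot: The backport header carries no `CVE:` tag; the file name holds the identifier, but a `CVE: CVE-2016-3120` line next to `Upstream-Status: Backport` keeps the fix discoverable by tooling that scans patch headers rather than names. The `b/src/kdc/kdc_util.c` and `b/src/tests/t_pkinit.py` lines appear to have lost their `++++` marker, most likely a mail-archive artifact rather than the tree contents; confirm the patch in the repository still applies. The added t_pkinit.py regression case is upstream's and is not run by the recipe, so the change is verified only by the one-line `client.princ` substitution.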
diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb 
b/meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb
index 500e194..776eed4 100644
--- a/meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb
+++ b/meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb
@@ -36,6 +36,7 @@ SRC_URI = 
"http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}-signed.tar
file://krb5-admin-server.service \
file://krb5-CVE-2016-3119.patch;striplevel=2 \

file://0001-Work-around-uninitialized-warning-in-cc_kcm.c.patch;striplevel=2 \
+  file://krb5-CVE-2016-3120.patch;striplevel=2 \
 "
 SRC_URI[md5sum] = "f7ebfa6c99c10b16979ebf9a98343189"
 SRC_URI[sha256sum] = 
"e528c30b0209c741f6f320cb83122ded92f291802b6a1a1dc1a01dcdb3ff6de1"
-- 
2.7.4



[OE-core] [PATCH] squid: don't build squid-conf-tests binary

2016-06-16 Thread Alexandru Moise
autotools ends up stripping this binary which ends up causing
QA Errors at do_package. Remove it.

Signed-off-by: Alexandru Moise 
---
 ...squid-don-t-build-squid-conf-tests-binary.patch | 30 ++
 .../recipes-daemons/squid/squid_3.5.7.bb   |  1 +
 2 files changed, 31 insertions(+)
 create mode 100644 
meta-networking/recipes-daemons/squid/files/0001-squid-don-t-build-squid-conf-tests-binary.patch

diff --git 
a/meta-networking/recipes-daemons/squid/files/0001-squid-don-t-build-squid-conf-tests-binary.patch
 
b/meta-networking/recipes-daemons/squid/files/0001-squid-don-t-build-squid-conf-tests-binary.patch
new file mode 100644
index 000..82cd0b0
--- /dev/null
+++ 
b/meta-networking/recipes-daemons/squid/files/0001-squid-don-t-build-squid-conf-tests-binary.patch
@@ -0,0 +1,30 @@
+From 75f4072e6fc9704713629c87eec750ff708135c4 Mon Sep 17 00:00:00 2001
+From: Alexandru Moise 
+Date: Thu, 16 Jun 2016 10:01:41 +0300
+Subject: [PATCH] squid: don't build squid-conf-tests binary
+
+autotools ends up stripping this binary which ends up causing
+QA Errors at do_package. Remove it.
+
+Signed-off-by: Alexandru Moise 
+---
+ test-suite/Makefile.am | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/test-suite/Makefile.am b/test-suite/Makefile.am
+index b9c412d..0471bf0 100644
+--- a/test-suite/Makefile.am
 b/test-suite/Makefile.am
+@@ -43,8 +43,7 @@ TESTS += debug \
+   MemPoolTest\
+   mem_node_test\
+   mem_hdr_test\
+-  $(ESI_TESTS) \
+-  squid-conf-tests
++  $(ESI_TESTS)
+ 
+ ## Sort by alpha - any build failures are significant.
+ check_PROGRAMS += debug \
+-- 
+2.7.4
+
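Review bot: The embedded patch header has no `Upstream-Status:` line between the Subject and Signed-off-by lines, which OE-core requires for every patch; `Upstream-Status: Inappropriate [OE specific packaging]` or similar should be added. Dropping `squid-conf-tests` from TESTS removes the squid.conf validation run entirely rather than only the artifact that trips the stripping QA check; if the goal is just to silence do_package, excluding that file from packaging would be narrower, and if a separate build rule for it exists outside this hunk the subject line "don't build" overstates what the hunk does. The TESTS assignment begins before the hunk.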
diff --git a/meta-networking/recipes-daemons/squid/squid_3.5.7.bb 
b/meta-networking/recipes-daemons/squid/squid_3.5.7.bb
index b571e29..2d243fb 100644
--- a/meta-networking/recipes-daemons/squid/squid_3.5.7.bb
+++ b/meta-networking/recipes-daemons/squid/squid_3.5.7.bb
@@ -21,6 +21,7 @@ SRC_URI = 
"http://www.squid-cache.org/Versions/v${MAJ_VER}/${MIN_VER}/${BPN}-${P
file://volatiles.03_squid \
file://CVE-2016-3947.patch \
file://CVE-2016-4553.patch \
+   file://0001-squid-don-t-build-squid-conf-tests-binary.patch \
 "
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=c492e2d6d32ec5c1aad0e0609a141ce9 \
-- 
2.7.4



[OE-core] [PATCH] STIG: The system default umask in /etc/login.defs must be 077

2016-04-06 Thread Alexandru Moise
The umask value influences the permissions assigned to files when they
are created. A misconfigured umask value could result in files with
excessive permissions that can be read and/or written to by unauthorized
users.

Also modify /etc/profile in base-files because the /etc/profile file
overloads the behavior of /etc/login.defs, so if we desire the
functionality provided by setting umask to 077 we should set it in
login.defs to adhere to STIG but also set it in /etc/profile to have the
intended functionality.

Signed-off-by: Alexandru Moise 
---
 meta/recipes-core/base-files/base-files/profile|  2 +-
 ...stem-default-umask-in-etc-login.defs-to-0.patch | 29 ++
 meta/recipes-extended/shadow/shadow.inc|  1 +
 3 files changed, 31 insertions(+), 1 deletion(-)
 create mode 100644 
meta/recipes-extended/shadow/files/0001-STIG-set-system-default-umask-in-etc-login.defs-to-0.patch

diff --git a/meta/recipes-core/base-files/base-files/profile 
b/meta/recipes-core/base-files/base-files/profile
index 53c2680..f48a3c0 100644
--- a/meta/recipes-core/base-files/base-files/profile
+++ b/meta/recipes-core/base-files/base-files/profile
@@ -32,5 +32,5 @@ fi
 
 export PATH PS1 OPIEDIR QPEDIR QTDIR EDITOR TERM
 
-umask 022
+umask 077
 
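Review bot: `umask 077` is applied unconditionally to every login shell that sources /etc/profile, root included, so files users create are no longer group- or world-readable by default; that is a distro policy choice rather than a bug fix, and it changes behaviour for any image that relies on shared directories or group-readable output. A comment above the changed line, `# STIG V-38645: default umask 077; the same value is set in login.defs (shadow)`, records why the value differs from the usual 022 and where the second copy lives, and the setting is a candidate for a distro-level switch instead of a hard-coded default. The profile script begins outside the hunk.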
diff --git 
a/meta/recipes-extended/shadow/files/0001-STIG-set-system-default-umask-in-etc-login.defs-to-0.patch
 
b/meta/recipes-extended/shadow/files/0001-STIG-set-system-default-umask-in-etc-login.defs-to-0.patch
new file mode 100644
index 000..c0d6ee7
--- /dev/null
+++ 
b/meta/recipes-extended/shadow/files/0001-STIG-set-system-default-umask-in-etc-login.defs-to-0.patch
@@ -0,0 +1,29 @@
+From dd2295715fabd823f01656cef0393cedc5a4bc34 Mon Sep 17 00:00:00 2001
+From: Alexandru Moise 
+Date: Wed, 6 Apr 2016 05:45:58 +
+Subject: [PATCH] STIG: set system default umask in /etc/login.defs to 077
+
+Conform to STIG standard:
+https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38645
+
+Signed-off-by: Alexandru Moise 
+---
+ etc/login.defs | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/etc/login.defs b/etc/login.defs
+index 8dd7c44..e2a8a65 100644
+--- a/etc/login.defs
 b/etc/login.defs
+@@ -190,7 +190,7 @@ KILLCHAR   025
+ # 022 is the default value, but 027, or even 077, could be considered
+ # for increased privacy. There is no One True Answer here: each sysadmin
+ # must make up his/her mind.
+-UMASK 022
++UMASK 077
+ 
+ #
+ # Password aging controls:
+-- 
+2.5.0
+
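Review bot: The comment kept directly above the changed line still reads `# 022 is the default value`, which is no longer true once `UMASK 077` is set; change it to `# 077 is set here per STIG V-38645; upstream ships 022` so the file does not contradict itself. The embedded patch header also lacks an `Upstream-Status:` line; since this is a local policy change, `Upstream-Status: Inappropriate [configuration]` between the Subject and Signed-off-by lines is the expected tag. The same unconditional-policy concern applies here as to the /etc/profile hunk earlier in this series.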
diff --git a/meta/recipes-extended/shadow/shadow.inc 
b/meta/recipes-extended/shadow/shadow.inc
index 4313ffe..9337493 100644
--- a/meta/recipes-extended/shadow/shadow.inc
+++ b/meta/recipes-extended/shadow/shadow.inc
@@ -16,6 +16,7 @@ SRC_URI = 
"http://pkg-shadow.alioth.debian.org/releases/${BPN}-${PV}.tar.xz \
file://fix-installation-failure-with-subids-disabled.patch \
file://0001-Do-not-read-login.defs-before-doing-chroot.patch \
file://check_size_of_uid_t_and_gid_t_using_AC_CHECK_SIZEOF.patch \
+  
file://0001-STIG-set-system-default-umask-in-etc-login.defs-to-0.patch \
${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', 
d)} \
"
 
-- 
2.7.4



[OE-core] [PATCH] libtool: fix contaminated path to lt_truncate_bin

2016-04-05 Thread Alexandru Moise
lt_truncate_bin path is contaminated by the path from the sysroot
directory for the build host.

Steps to reproduce this issue:
$ bitbake -c cleanall libtool
$ bitbake coreutils-native
$ bitbake libtool

$ grep -in "lt_truncate_bin=" tmp/work/*/libtool/*/image/usr/bin/libtool

Signed-off-by: Alexandru Moise 
---
 meta/recipes-devtools/libtool/libtool_2.4.6.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/recipes-devtools/libtool/libtool_2.4.6.bb 
b/meta/recipes-devtools/libtool/libtool_2.4.6.bb
index 45f1b2f..3851ec7 100644
--- a/meta/recipes-devtools/libtool/libtool_2.4.6.bb
+++ b/meta/recipes-devtools/libtool/libtool_2.4.6.bb
@@ -10,6 +10,7 @@ SYSROOT_PREPROCESS_FUNCS += "libtool_sysroot_preprocess"
 do_install_append () {
 sed -e 's@--sysroot=${STAGING_DIR_HOST}@@g' \
 -e 's@${STAGING_DIR_HOST}@@g' \
+-e 's@${STAGING_DIR_NATIVE}@@g' \
 -e 's@^\(sys_lib_search_path_spec="\).*@\1${libdir} 
${base_libdir}"@' \
 -e 's@^\(compiler_lib_search_dirs="\).*@\1${libdir} 
${base_libdir}"@' \
 -e 's@^\(compiler_lib_search_path="\).*@\1${libdir} 
${base_libdir}"@' \
-- 
2.7.4



[OE-core] [PATCH] dhcpd: create dhcpd user for dhcp dameon

2016-03-18 Thread Alexandru Moise
This patch enables the functionality for dhcpd service to be started
with dhcp uid and gid.

Test steps:

Step 1: Assign ip to interface
ifconfig eth0 192.168.1.1

Step 2: Edit /etc/dhcp/dhcpd.conf:
default-lease-time 600;
max-lease-time 7200;
option subnet-mask 255.255.255.0;
subnet 192.168.1.0 netmask 255.255.255.0 {
option broadcast-address 192.168.1.255;
range 192.168.1.88 192.168.1.88;
option routers 192.168.1.0;
}

Step 3: Edit /etc/default/dhcp-server:
INTERFACES="eth0"

Step 4: Check uid and gid of running dhcpd process
$ ps -eo user:19,group:19,cmd | grep dhcpd
dhcpdhcp/usr/sbin/dhcpd eth0 -user dhcp -group dhcp

Signed-off-by: Alexandru Moise 
---
 meta/recipes-connectivity/dhcp/dhcp.inc  | 6 +-
 meta/recipes-connectivity/dhcp/files/init-server | 2 +-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-connectivity/dhcp/dhcp.inc 
b/meta/recipes-connectivity/dhcp/dhcp.inc
index 9c4233b..5703f1e 100644
--- a/meta/recipes-connectivity/dhcp/dhcp.inc
+++ b/meta/recipes-connectivity/dhcp/dhcp.inc
@@ -24,7 +24,10 @@ SRC_URI = 
"ftp://ftp.isc.org/isc/dhcp/${PV}/dhcp-${PV}.tar.gz \
 UPSTREAM_CHECK_URI = "ftp://ftp.isc.org/isc/dhcp/";
 UPSTREAM_CHECK_REGEX = "(?P\d+\.\d+\.(\d+?))/"
 
-inherit autotools systemd
+inherit autotools systemd useradd
+
+USERADD_PACKAGES = "${PN}-server"
+USERADD_PARAM_${PN}-server = "--system --no-create-home --home-dir 
/var/run/${PN} --shell /bin/false --user-group ${PN}"
 
 SYSTEMD_PACKAGES = "${PN}-server ${PN}-relay"
 SYSTEMD_SERVICE_${PN}-server = "dhcpd.service dhcpd6.service"
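Review bot: `-user dhcp -group dhcp` is only added to the sysvinit script, while `SYSTEMD_SERVICE_${PN}-server` on the last line of this hunk still points at dhcpd.service and dhcpd6.service, which this commit does not touch; on a systemd image dhcpd will presumably keep running as root despite the new user and the `--enable-paranoia` flag in the next hunk. Either pass the same options in the units' ExecStart lines or say in a comment above `USERADD_PACKAGES` that privilege dropping is currently sysvinit-only. The useradd line also hard-codes `/var/run/${PN}` as the home directory, which lives on volatile storage and does not appear to be created by this recipe; a short comment noting that a non-existent home is intended would help.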
@@ -39,6 +42,7 @@ EXTRA_OECONF = 
"--with-srv-lease-file=${localstatedir}/lib/dhcp/dhcpd.leases \
 
--with-cli-lease-file=${localstatedir}/lib/dhcp/dhclient.leases \
 
--with-cli6-lease-file=${localstatedir}/lib/dhcp/dhclient6.leases \
 --with-libbind=${STAGING_LIBDIR}/ \
+   --enable-paranoia \
"
 
 do_install_append () {
diff --git a/meta/recipes-connectivity/dhcp/files/init-server 
b/meta/recipes-connectivity/dhcp/files/init-server
index 34c2085..5e693ad 100644
--- a/meta/recipes-connectivity/dhcp/files/init-server
+++ b/meta/recipes-connectivity/dhcp/files/init-server
@@ -20,7 +20,7 @@ case "$1" in
echo -n "Starting DHCP server: "
test -d /var/lib/dhcp/ || mkdir -p /var/lib/dhcp/
test -f /var/lib/dhcp/dhcpd.leases || touch 
/var/lib/dhcp/dhcpd.leases  
-   start-stop-daemon -S -x /usr/sbin/dhcpd -- -q $INTERFACES
+   start-stop-daemon -S -x /usr/sbin/dhcpd -- -q $INTERFACES -user 
dhcp -group dhcp
echo "."
;;
stop)
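Review bot: The lease file is still created root-owned two lines above the change (`touch /var/lib/dhcp/dhcpd.leases`), but dhcpd now drops to the `dhcp` user before it writes leases; unless dhcpd's paranoia code changes ownership itself (not visible here, confirm), the server will be unable to update or rotate the file. A `chown dhcp:dhcp /var/lib/dhcp /var/lib/dhcp/dhcpd.leases` after the touch, covering the directory as well as the file, makes the init script self-sufficient. `$INTERFACES` remains unquoted on the changed line, which is pre-existing. The `case` statement starts before the hunk and continues after it.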
-- 
1.9.1
