[OE-core] [poky][master][PATCH] bzip2: Fix CVE-2019-12900

2020-01-15 Thread Saloni Jain
From: Sana Kazi 

Added patch for CVE-2019-12900 as backport from upstream.
Fixes out-of-bounds access discovered while fuzzing karchive.

Tested by: sana.k...@kpit.com

Signed-off-by: Saloni Jain 
---
 .../bzip2/bzip2-1.0.6/CVE-2019-12900.patch | 34 ++
 1 file changed, 34 insertions(+)
 create mode 100644 meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch

diff --git a/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch 
b/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
new file mode 100644
index 000..cab41e0
--- /dev/null
+++ b/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
@@ -0,0 +1,34 @@
+From 74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid 
+Date: Tue, 28 May 2019 19:35:18 +0200
+Subject: [PATCH] Make sure nSelectors is not out of range
+
+nSelectors is used in a loop from 0 to nSelectors to access selectorMtf
+which is
+UCharselectorMtf[BZ_MAX_SELECTORS];
+so if nSelectors is bigger than BZ_MAX_SELECTORS it'll do an invalid memory
+access
+Fixes out of bounds access discovered while fuzzying karchive
+
+Link: 
https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc.patch
+
+Upstream-Status: Backport
+---
+ decompress.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/decompress.c b/decompress.c
+index ab6a624..f3db91d 100644
+--- a/decompress.c
 b/decompress.c
+@@ -287,7 +287,7 @@ Int32 BZ2_decompress ( DState* s )
+   GET_BITS(BZ_X_SELECTOR_1, nGroups, 3);
+   if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR);
+   GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15);
+-  if (nSelectors < 1) RETURN(BZ_DATA_ERROR);
++  if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) 
RETURN(BZ_DATA_ERROR);
+   for (i = 0; i < nSelectors; i++) {
+  j = 0;
+  while (True) {
+--
+2.22.0
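Review bot: Nothing in this commit adds the new file to the recipe's `SRC_URI`: the diffstat lists one changed file, the patch itself, so as far as this mail shows the fix lands in the tree but is never applied at build time. The sumo variant further down the page adds `file://CVE-2019-12900.patch \` to `SRC_URI` in `bzip2_1.0.6.bb`; the master and zeus submissions need the equivalent line in whichever bzip2 recipe those branches build. The zeus mail of the same date and the master and zeus resends dated 2020-01-17 and 2020-01-20 show the same one-file diffstat. It is also worth confirming that a `bzip2-1.0.6/` directory matches the recipe version on those branches, since the version is baked into the new file's path.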
--
2.7.4



[OE-core] [poky][sumo][PATCH] bzip2: Fix CVE-2019-12900

2020-01-15 Thread Saloni Jain
From: Sana Kazi 

Added patch for CVE-2019-12900 as backport from upstream.
Fixes out-of-bounds access discovered while fuzzing karchive.

Tested by: sana.k...@kpit.com

Signed-off-by: Saloni Jain 
---
 .../bzip2/bzip2-1.0.6/CVE-2019-12900.patch | 34 ++
 meta/recipes-extended/bzip2/bzip2_1.0.6.bb |  2 ++
 2 files changed, 36 insertions(+)
 create mode 100644 meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch

diff --git a/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch 
b/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
new file mode 100644
index 000..cab41e0
--- /dev/null
+++ b/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
@@ -0,0 +1,34 @@
+From 74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid 
+Date: Tue, 28 May 2019 19:35:18 +0200
+Subject: [PATCH] Make sure nSelectors is not out of range
+
+nSelectors is used in a loop from 0 to nSelectors to access selectorMtf
+which is
+UCharselectorMtf[BZ_MAX_SELECTORS];
+so if nSelectors is bigger than BZ_MAX_SELECTORS it'll do an invalid memory
+access
+Fixes out of bounds access discovered while fuzzying karchive
+
+Link: 
https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc.patch
+
+Upstream-Status: Backport
+---
+ decompress.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/decompress.c b/decompress.c
+index ab6a624..f3db91d 100644
+--- a/decompress.c
 b/decompress.c
+@@ -287,7 +287,7 @@ Int32 BZ2_decompress ( DState* s )
+   GET_BITS(BZ_X_SELECTOR_1, nGroups, 3);
+   if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR);
+   GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15);
+-  if (nSelectors < 1) RETURN(BZ_DATA_ERROR);
++  if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) 
RETURN(BZ_DATA_ERROR);
+   for (i = 0; i < nSelectors; i++) {
+  j = 0;
+  while (True) {
+--
+2.22.0
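Review bot: The new upper bound `nSelectors > BZ_MAX_SELECTORS` in `BZ2_decompress` closes the out-of-range index into `selectorMtf`, but it does so by failing the whole stream with `BZ_DATA_ERROR`. If I recall upstream's history correctly, the 1.0.8 release relaxed this exact check because some third-party compressors declare more selectors than are used; it ignores the excess instead (store only while `i < BZ_MAX_SELECTORS`, then clamp `nSelectors` after the loop). Please confirm against upstream and consider backporting that follow-up together with this patch so existing archives keep decompressing. The loop body continues past the end of the hunk, so the write to `selectorMtf` itself is not visible here. The same embedded patch is repeated in every submission on this page.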
diff --git a/meta/recipes-extended/bzip2/bzip2_1.0.6.bb 
b/meta/recipes-extended/bzip2/bzip2_1.0.6.bb
index acbf80a..688e177 100644
--- a/meta/recipes-extended/bzip2/bzip2_1.0.6.bb
+++ b/meta/recipes-extended/bzip2/bzip2_1.0.6.bb
@@ -8,12 +8,14 @@ LICENSE = "bzip2"
 LIC_FILES_CHKSUM = 
"file://LICENSE;beginline=8;endline=37;md5=40d9d1eb05736d1bfc86cfdd9106e6b2"
 PR = "r5"

+FILESEXTRAPATHS_prepend := "${THISDIR}/bzip2-1.0.6:"
 SRC_URI = "http://downloads.yoctoproject.org/mirror/sources/${BP}.tar.gz \
file://fix-bunzip2-qt-returns-0-for-corrupt-archives.patch \
file://configure.ac;subdir=${BP} \
file://Makefile.am;subdir=${BP} \
file://run-ptest \
file://CVE-2016-3189.patch \
+   file://CVE-2019-12900.patch \
"

 SRC_URI[md5sum] = "00b516f4704d4a7cb50a1d97e6e8e15b"
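Review bot: The added `FILESEXTRAPATHS_prepend := "${THISDIR}/bzip2-1.0.6:"` looks unnecessary. The existing `file://CVE-2016-3189.patch` entry in the same `SRC_URI` is presumably already resolved from that directory, and the default file search path normally includes the `${BP}` directory next to the recipe, which is where the new patch is created. Dropping the line keeps the change to the single `file://CVE-2019-12900.patch \` addition; if it is kept, a short comment saying why the extra path is needed would help. The same hunk appears in the sumo resends dated 2020-01-17 and 2020-01-20.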
--
2.7.4



[OE-core] [poky][zeus][PATCH] bzip2: Fix CVE-2019-12900

2020-01-15 Thread Saloni Jain
From: Sana Kazi 

Added patch for CVE-2019-12900 as backport from upstream.
Fixes out-of-bounds access discovered while fuzzing karchive.

Tested by: sana.k...@kpit.com

Signed-off-by: Saloni Jain 
---
 .../bzip2/bzip2-1.0.6/CVE-2019-12900.patch | 34 ++
 1 file changed, 34 insertions(+)
 create mode 100644 meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch

diff --git a/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch 
b/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
new file mode 100644
index 000..cab41e0
--- /dev/null
+++ b/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
@@ -0,0 +1,34 @@
+From 74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid 
+Date: Tue, 28 May 2019 19:35:18 +0200
+Subject: [PATCH] Make sure nSelectors is not out of range
+
+nSelectors is used in a loop from 0 to nSelectors to access selectorMtf
+which is
+UCharselectorMtf[BZ_MAX_SELECTORS];
+so if nSelectors is bigger than BZ_MAX_SELECTORS it'll do an invalid memory
+access
+Fixes out of bounds access discovered while fuzzying karchive
+
+Link: 
https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc.patch
+
+Upstream-Status: Backport
+---
+ decompress.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/decompress.c b/decompress.c
+index ab6a624..f3db91d 100644
+--- a/decompress.c
 b/decompress.c
+@@ -287,7 +287,7 @@ Int32 BZ2_decompress ( DState* s )
+   GET_BITS(BZ_X_SELECTOR_1, nGroups, 3);
+   if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR);
+   GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15);
+-  if (nSelectors < 1) RETURN(BZ_DATA_ERROR);
++  if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) 
RETURN(BZ_DATA_ERROR);
+   for (i = 0; i < nSelectors; i++) {
+  j = 0;
+  while (True) {
+--
+2.22.0
--
2.7.4



Re: [OE-core] [poky][zeus][PATCH] bzip2: Fix CVE-2019-12900

2020-01-15 Thread Saloni Jain
Hello Khem Raj,

We have tested the applicability for this patch on master as well and as per 
analysis it is applicable.
I've sent the same patch for master branch as well in a separate mail.

Thanks & Regards,
Saloni

From: Khem Raj 
Sent: Wednesday, January 15, 2020 10:36 PM
To: Saloni Jain 
Cc: openembedded-core@lists.openembedded.org 
; Nisha Parrakat 
; Sana Kazi 
Subject: Re: [poky][zeus][PATCH] bzip2: Fix CVE-2019-12900

On Wed, Jan 15, 2020 at 7:51 AM Saloni Jain  wrote:
>
> From: Sana Kazi 
>
> Added patch for CVE-2019-12900 as backport from upstream.
> Fixes out of bound access discovered while fuzzying karchive.
>

is this fix already present in the bzip2 version we have in master ?

> Tested by: sana.k...@kpit.com
>
> Signed-off-by: Saloni Jain 
> ---
>  .../bzip2/bzip2-1.0.6/CVE-2019-12900.patch | 34 
> ++
>  1 file changed, 34 insertions(+)
>  create mode 100644 
> meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
>
> diff --git a/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch 
> b/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
> new file mode 100644
> index 000..cab41e0
> --- /dev/null
> +++ b/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
> @@ -0,0 +1,34 @@
> +From 74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc Mon Sep 17 00:00:00 2001
> +From: Albert Astals Cid 
> +Date: Tue, 28 May 2019 19:35:18 +0200
> +Subject: [PATCH] Make sure nSelectors is not out of range
> +
> +nSelectors is used in a loop from 0 to nSelectors to access selectorMtf
> +which is
> +UCharselectorMtf[BZ_MAX_SELECTORS];
> +so if nSelectors is bigger than BZ_MAX_SELECTORS it'll do an invalid memory
> +access
> +Fixes out of bounds access discovered while fuzzying karchive
> +
> +Link: 
> https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgitlab.com%2Ffedericomenaquintero%2Fbzip2%2Fcommit%2F74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc.patch&data=02%7C01%7CSaloni.Jain%40kpit.com%7C370b10dc1f7a4288166208d799dd5023%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637147048150016848&sdata=m%2B9a%2FxYEqAA7JLjimmgLtLfvvBV2WtyInZf9a7DCfQg%3D&reserved=0
> +
> +Upstream-Status: Backport
> +---
> + decompress.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/decompress.c b/decompress.c
> +index ab6a624..f3db91d 100644
> +--- a/decompress.c
>  b/decompress.c
> +@@ -287,7 +287,7 @@ Int32 BZ2_decompress ( DState* s )
> +   GET_BITS(BZ_X_SELECTOR_1, nGroups, 3);
> +   if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR);
> +   GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15);
> +-  if (nSelectors < 1) RETURN(BZ_DATA_ERROR);
> ++  if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) 
> RETURN(BZ_DATA_ERROR);
> +   for (i = 0; i < nSelectors; i++) {
> +  j = 0;
> +  while (True) {
> +--
> +2.22.0
> --
> 2.7.4
>


[OE-core] [poky][master][PATCH] bzip2: Fix CVE-2019-12900

2020-01-17 Thread Saloni Jain
From: Sana Kazi 

Added patch for CVE-2019-12900 as backport from upstream.
Fixes out-of-bounds access discovered while fuzzing karchive.

Tested by: sana.k...@kpit.com

Signed-off-by: Saloni Jain 
---
 .../bzip2/bzip2-1.0.6/CVE-2019-12900.patch | 35 ++
 1 file changed, 35 insertions(+)
 create mode 100644 meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch

diff --git a/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch 
b/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
new file mode 100644
index 000..94ddd73
--- /dev/null
+++ b/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
@@ -0,0 +1,35 @@
+From 74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid 
+Date: Tue, 28 May 2019 19:35:18 +0200
+Subject: [PATCH] Make sure nSelectors is not out of range
+
+nSelectors is used in a loop from 0 to nSelectors to access selectorMtf
+which is
+UCharselectorMtf[BZ_MAX_SELECTORS];
+so if nSelectors is bigger than BZ_MAX_SELECTORS it'll do an invalid memory
+access
+Fixes out of bounds access discovered while fuzzying karchive
+
+Link: 
https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc.patch
+
+Upstream-Status: Backport
+Signed-off-by: Saloni Jain 
+---
+ decompress.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/decompress.c b/decompress.c
+index ab6a624..f3db91d 100644
+--- a/decompress.c
 b/decompress.c
+@@ -287,7 +287,7 @@ Int32 BZ2_decompress ( DState* s )
+   GET_BITS(BZ_X_SELECTOR_1, nGroups, 3);
+   if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR);
+   GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15);
+-  if (nSelectors < 1) RETURN(BZ_DATA_ERROR);
++  if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) 
RETURN(BZ_DATA_ERROR);
+   for (i = 0; i < nSelectors; i++) {
+  j = 0;
+  while (True) {
+--
+2.22.0
--
2.7.4



[OE-core] [poky][sumo][PATCH] bzip2: Fix CVE-2019-12900

2020-01-17 Thread Saloni Jain
From: Sana Kazi 

Added patch for CVE-2019-12900 as backport from upstream.
Fixes out-of-bounds access discovered while fuzzing karchive.

Tested by: sana.k...@kpit.com

Signed-off-by: Saloni Jain 
---
 .../bzip2/bzip2-1.0.6/CVE-2019-12900.patch | 35 ++
 meta/recipes-extended/bzip2/bzip2_1.0.6.bb |  2 ++
 2 files changed, 37 insertions(+)
 create mode 100644 meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch

diff --git a/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch 
b/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
new file mode 100644
index 000..94ddd73
--- /dev/null
+++ b/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
@@ -0,0 +1,35 @@
+From 74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid 
+Date: Tue, 28 May 2019 19:35:18 +0200
+Subject: [PATCH] Make sure nSelectors is not out of range
+
+nSelectors is used in a loop from 0 to nSelectors to access selectorMtf
+which is
+UCharselectorMtf[BZ_MAX_SELECTORS];
+so if nSelectors is bigger than BZ_MAX_SELECTORS it'll do an invalid memory
+access
+Fixes out of bounds access discovered while fuzzying karchive
+
+Link: 
https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc.patch
+
+Upstream-Status: Backport
+Signed-off-by: Saloni Jain 
+---
+ decompress.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/decompress.c b/decompress.c
+index ab6a624..f3db91d 100644
+--- a/decompress.c
 b/decompress.c
+@@ -287,7 +287,7 @@ Int32 BZ2_decompress ( DState* s )
+   GET_BITS(BZ_X_SELECTOR_1, nGroups, 3);
+   if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR);
+   GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15);
+-  if (nSelectors < 1) RETURN(BZ_DATA_ERROR);
++  if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) 
RETURN(BZ_DATA_ERROR);
+   for (i = 0; i < nSelectors; i++) {
+  j = 0;
+  while (True) {
+--
+2.22.0
diff --git a/meta/recipes-extended/bzip2/bzip2_1.0.6.bb 
b/meta/recipes-extended/bzip2/bzip2_1.0.6.bb
index acbf80a..688e177 100644
--- a/meta/recipes-extended/bzip2/bzip2_1.0.6.bb
+++ b/meta/recipes-extended/bzip2/bzip2_1.0.6.bb
@@ -8,12 +8,14 @@ LICENSE = "bzip2"
 LIC_FILES_CHKSUM = 
"file://LICENSE;beginline=8;endline=37;md5=40d9d1eb05736d1bfc86cfdd9106e6b2"
 PR = "r5"

+FILESEXTRAPATHS_prepend := "${THISDIR}/bzip2-1.0.6:"
 SRC_URI = "http://downloads.yoctoproject.org/mirror/sources/${BP}.tar.gz \
file://fix-bunzip2-qt-returns-0-for-corrupt-archives.patch \
file://configure.ac;subdir=${BP} \
file://Makefile.am;subdir=${BP} \
file://run-ptest \
file://CVE-2016-3189.patch \
+   file://CVE-2019-12900.patch \
"

 SRC_URI[md5sum] = "00b516f4704d4a7cb50a1d97e6e8e15b"
--
2.7.4



[OE-core] [poky][zeus][PATCH] bzip2: Fix CVE-2019-12900

2020-01-17 Thread Saloni Jain
From: Sana Kazi 

Added patch for CVE-2019-12900 as backport from upstream.
Fixes out-of-bounds access discovered while fuzzing karchive.

Tested by: sana.k...@kpit.com

Signed-off-by: Saloni Jain 
---
 .../bzip2/bzip2-1.0.6/CVE-2019-12900.patch | 35 ++
 1 file changed, 35 insertions(+)
 create mode 100644 meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch

diff --git a/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch 
b/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
new file mode 100644
index 000..94ddd73
--- /dev/null
+++ b/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
@@ -0,0 +1,35 @@
+From 74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid 
+Date: Tue, 28 May 2019 19:35:18 +0200
+Subject: [PATCH] Make sure nSelectors is not out of range
+
+nSelectors is used in a loop from 0 to nSelectors to access selectorMtf
+which is
+UCharselectorMtf[BZ_MAX_SELECTORS];
+so if nSelectors is bigger than BZ_MAX_SELECTORS it'll do an invalid memory
+access
+Fixes out of bounds access discovered while fuzzying karchive
+
+Link: 
https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc.patch
+
+Upstream-Status: Backport
+Signed-off-by: Saloni Jain 
+---
+ decompress.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/decompress.c b/decompress.c
+index ab6a624..f3db91d 100644
+--- a/decompress.c
 b/decompress.c
+@@ -287,7 +287,7 @@ Int32 BZ2_decompress ( DState* s )
+   GET_BITS(BZ_X_SELECTOR_1, nGroups, 3);
+   if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR);
+   GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15);
+-  if (nSelectors < 1) RETURN(BZ_DATA_ERROR);
++  if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) 
RETURN(BZ_DATA_ERROR);
+   for (i = 0; i < nSelectors; i++) {
+  j = 0;
+  while (True) {
+--
+2.22.0
--
2.7.4



Re: [OE-core] [poky][master][PATCH] bzip2: Fix CVE-2019-12900

2020-01-17 Thread Saloni Jain
Hi Ross,

I have added SOB details and sent another upstreaming request.
For warrior and thud we can simply backport from the master release, or we can
additionally add the fix for both as well. Please suggest.


Thanks & Regards,
Saloni

From: Ross Burton 
Sent: Wednesday, January 15, 2020 10:00 PM
To: openembedded-core@lists.openembedded.org 
; Saloni Jain 
Subject: Re: [OE-core] [poky][master][PATCH] bzip2: Fix CVE-2019-12900

On 15/01/2020 15:47, Saloni Jain wrote:
> From: Sana Kazi 
>
> Added patch for CVE-2019-12900 as backport from upstream.
> Fixes out of bound access discovered while fuzzying karchive.
>
> Tested by: sana.k...@kpit.com
>
> Signed-off-by: Saloni Jain 

Need a S-o-b in the patch itself alongside a CVE tag, but also why not a
backport for Warrior and Thud?

Ross



[OE-core] [poky][master][PATCH] Added patch for CVE-2019-12900 as backport from upstream.

2020-01-20 Thread Saloni Jain
From: Sana Kazi 

Fixes out-of-bounds access discovered while fuzzing karchive.

Tested by: sana.k...@kpit.com

Signed-off-by: Saloni Jain 
---
 .../bzip2/bzip2-1.0.6/CVE-2019-12900.patch | 36 ++
 1 file changed, 36 insertions(+)
 create mode 100644 meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch

diff --git a/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch 
b/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
new file mode 100644
index 000..c2eb82a
--- /dev/null
+++ b/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
@@ -0,0 +1,36 @@
+From 74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid 
+Date: Tue, 28 May 2019 19:35:18 +0200
+Subject: [PATCH] Make sure nSelectors is not out of range
+
+nSelectors is used in a loop from 0 to nSelectors to access selectorMtf
+which is
+UCharselectorMtf[BZ_MAX_SELECTORS];
+so if nSelectors is bigger than BZ_MAX_SELECTORS it'll do an invalid memory
+access
+Fixes out of bounds access discovered while fuzzying karchive
+
+Link: 
https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc.patch
+
+Upstream-Status: Backport
+CVE: CVE-2019-12900.patch
+Signed-off-by: Saloni Jain 
+---
+ decompress.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/decompress.c b/decompress.c
+index ab6a624..f3db91d 100644
+--- a/decompress.c
 b/decompress.c
+@@ -287,7 +287,7 @@ Int32 BZ2_decompress ( DState* s )
+   GET_BITS(BZ_X_SELECTOR_1, nGroups, 3);
+   if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR);
+   GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15);
+-  if (nSelectors < 1) RETURN(BZ_DATA_ERROR);
++  if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) 
RETURN(BZ_DATA_ERROR);
+   for (i = 0; i < nSelectors; i++) {
+  j = 0;
+  while (True) {
+--
+2.22.0
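Review bot: The tag added to the patch header reads `CVE: CVE-2019-12900.patch`, which is the file name rather than the identifier; it should be `CVE: CVE-2019-12900`. Tooling that collects patched CVE ids from this tag may not match the entry with the suffix attached, and the issue could then still be reported as unpatched. The other three submissions dated 2020-01-20 (the master resend, zeus and sumo) carry the same line.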
--
2.7.4



[OE-core] [poky][master][PATCH] bzip2: Fix CVE-2019-12900

2020-01-20 Thread Saloni Jain
From: Sana Kazi 

Added patch for CVE-2019-12900 as backport from upstream.
Fixes out-of-bounds access discovered while fuzzing karchive.

Tested by: sana.k...@kpit.com

Signed-off-by: Saloni Jain 
---
 .../bzip2/bzip2-1.0.6/CVE-2019-12900.patch | 36 ++
 1 file changed, 36 insertions(+)
 create mode 100644 meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch

diff --git a/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch 
b/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
new file mode 100644
index 000..c2eb82a
--- /dev/null
+++ b/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
@@ -0,0 +1,36 @@
+From 74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid 
+Date: Tue, 28 May 2019 19:35:18 +0200
+Subject: [PATCH] Make sure nSelectors is not out of range
+
+nSelectors is used in a loop from 0 to nSelectors to access selectorMtf
+which is
+UCharselectorMtf[BZ_MAX_SELECTORS];
+so if nSelectors is bigger than BZ_MAX_SELECTORS it'll do an invalid memory
+access
+Fixes out of bounds access discovered while fuzzying karchive
+
+Link: 
https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc.patch
+
+Upstream-Status: Backport
+CVE: CVE-2019-12900.patch
+Signed-off-by: Saloni Jain 
+---
+ decompress.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/decompress.c b/decompress.c
+index ab6a624..f3db91d 100644
+--- a/decompress.c
 b/decompress.c
+@@ -287,7 +287,7 @@ Int32 BZ2_decompress ( DState* s )
+   GET_BITS(BZ_X_SELECTOR_1, nGroups, 3);
+   if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR);
+   GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15);
+-  if (nSelectors < 1) RETURN(BZ_DATA_ERROR);
++  if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) 
RETURN(BZ_DATA_ERROR);
+   for (i = 0; i < nSelectors; i++) {
+  j = 0;
+  while (True) {
+--
+2.22.0
--
2.7.4



[OE-core] [poky][zeus][PATCH] bzip2: Fix CVE-2019-12900

2020-01-20 Thread Saloni Jain
From: Sana Kazi 

Added patch for CVE-2019-12900 as backport from upstream.
Fixes out-of-bounds access discovered while fuzzing karchive.

Tested by: sana.k...@kpit.com

Signed-off-by: Saloni Jain 
---
 .../bzip2/bzip2-1.0.6/CVE-2019-12900.patch | 36 ++
 1 file changed, 36 insertions(+)
 create mode 100644 meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch

diff --git a/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch 
b/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
new file mode 100644
index 000..c2eb82a
--- /dev/null
+++ b/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
@@ -0,0 +1,36 @@
+From 74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid 
+Date: Tue, 28 May 2019 19:35:18 +0200
+Subject: [PATCH] Make sure nSelectors is not out of range
+
+nSelectors is used in a loop from 0 to nSelectors to access selectorMtf
+which is
+UCharselectorMtf[BZ_MAX_SELECTORS];
+so if nSelectors is bigger than BZ_MAX_SELECTORS it'll do an invalid memory
+access
+Fixes out of bounds access discovered while fuzzying karchive
+
+Link: 
https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc.patch
+
+Upstream-Status: Backport
+CVE: CVE-2019-12900.patch
+Signed-off-by: Saloni Jain 
+---
+ decompress.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/decompress.c b/decompress.c
+index ab6a624..f3db91d 100644
+--- a/decompress.c
 b/decompress.c
+@@ -287,7 +287,7 @@ Int32 BZ2_decompress ( DState* s )
+   GET_BITS(BZ_X_SELECTOR_1, nGroups, 3);
+   if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR);
+   GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15);
+-  if (nSelectors < 1) RETURN(BZ_DATA_ERROR);
++  if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) 
RETURN(BZ_DATA_ERROR);
+   for (i = 0; i < nSelectors; i++) {
+  j = 0;
+  while (True) {
+--
+2.22.0
--
2.7.4



[OE-core] [poky][sumo][PATCH] bzip2: Fix CVE-2019-12900

2020-01-20 Thread Saloni Jain
From: Sana Kazi 

Added patch for CVE-2019-12900 as backport from upstream.
Fixes out-of-bounds access discovered while fuzzing karchive.

Tested by: sana.k...@kpit.com

Signed-off-by: Saloni Jain 
---
 .../bzip2/bzip2-1.0.6/CVE-2019-12900.patch | 36 ++
 meta/recipes-extended/bzip2/bzip2_1.0.6.bb |  2 ++
 2 files changed, 38 insertions(+)
 create mode 100644 meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch

diff --git a/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch 
b/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
new file mode 100644
index 000..c2eb82a
--- /dev/null
+++ b/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
@@ -0,0 +1,36 @@
+From 74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid 
+Date: Tue, 28 May 2019 19:35:18 +0200
+Subject: [PATCH] Make sure nSelectors is not out of range
+
+nSelectors is used in a loop from 0 to nSelectors to access selectorMtf
+which is
+UCharselectorMtf[BZ_MAX_SELECTORS];
+so if nSelectors is bigger than BZ_MAX_SELECTORS it'll do an invalid memory
+access
+Fixes out of bounds access discovered while fuzzying karchive
+
+Link: 
https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc.patch
+
+Upstream-Status: Backport
+CVE: CVE-2019-12900.patch
+Signed-off-by: Saloni Jain 
+---
+ decompress.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/decompress.c b/decompress.c
+index ab6a624..f3db91d 100644
+--- a/decompress.c
 b/decompress.c
+@@ -287,7 +287,7 @@ Int32 BZ2_decompress ( DState* s )
+   GET_BITS(BZ_X_SELECTOR_1, nGroups, 3);
+   if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR);
+   GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15);
+-  if (nSelectors < 1) RETURN(BZ_DATA_ERROR);
++  if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) 
RETURN(BZ_DATA_ERROR);
+   for (i = 0; i < nSelectors; i++) {
+  j = 0;
+  while (True) {
+--
+2.22.0
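Review bot: The patch header tag reads `CVE: CVE-2019-12900.patch`; it should carry only the identifier, `CVE: CVE-2019-12900`, so that tooling reading the tag sees a clean ID. On the code itself, the new guard `nSelectors > BZ_MAX_SELECTORS` turns an oversized selector count into `BZ_DATA_ERROR`, which closes the out-of-bounds access to `selectorMtf` described in the message. As far as I recall, upstream later relaxed this strict rejection because some existing archives declare more selectors than `BZ_MAX_SELECTORS`, so it is worth checking whether that follow-up should be backported as well. `BZ2_decompress` continues outside the hunk.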
diff --git a/meta/recipes-extended/bzip2/bzip2_1.0.6.bb 
b/meta/recipes-extended/bzip2/bzip2_1.0.6.bb
index acbf80a..688e177 100644
--- a/meta/recipes-extended/bzip2/bzip2_1.0.6.bb
+++ b/meta/recipes-extended/bzip2/bzip2_1.0.6.bb
@@ -8,12 +8,14 @@ LICENSE = "bzip2"
 LIC_FILES_CHKSUM = 
"file://LICENSE;beginline=8;endline=37;md5=40d9d1eb05736d1bfc86cfdd9106e6b2"
 PR = "r5"

+FILESEXTRAPATHS_prepend := "${THISDIR}/bzip2-1.0.6:"
 SRC_URI = "http://downloads.yoctoproject.org/mirror/sources/${BP}.tar.gz \
file://fix-bunzip2-qt-returns-0-for-corrupt-archives.patch \
file://configure.ac;subdir=${BP} \
file://Makefile.am;subdir=${BP} \
file://run-ptest \
file://CVE-2016-3189.patch \
+   file://CVE-2019-12900.patch \
"

 SRC_URI[md5sum] = "00b516f4704d4a7cb50a1d97e6e8e15b"
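Review bot: The added `FILESEXTRAPATHS_prepend := "${THISDIR}/bzip2-1.0.6:"` looks unnecessary in the recipe itself, since the default file search path should already include the `${BP}` directory next to the recipe (presumably where the existing `CVE-2016-3189.patch` is found). That variable is normally needed only in a .bbappend. Dropping the line and keeping just `file://CVE-2019-12900.patch \` would keep the change minimal; worth confirming with a build on this branch.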
--
2.7.4



[OE-core] [meta-oe][master][PATCH] strongswan: avoid charon crash

2020-02-20 Thread Saloni Jain
From: Anuj Chougule 

This is a possible fix to charon that crashed early due to invalid
memory access.
Important frames from Backtraces :
8  0x7f607246e160 in memcpy (__len=1704, __src=, 
__dest=)
at /usr/include/bits/string_fortified.h:34
No locals.
9  memcpy_noop (n=1704, src=, dst=)
at 
/usr/src/debug/strongswan/5.7.2-r0/strongswan-5.7.2/src/libstrongswan/utils/utils/memory.h:47
n = 1704
src = 
dst = 
10 chunk_create_clone (ptr=, chunk=...)
at 
/usr/src/debug/strongswan/5.7.2-r0/strongswan-5.7.2/src/libstrongswan/utils/chunk.c:48
clone = 
11 0x7f606ebae810 in load_from_blob (blob=..., 
type=type@entry=CRED_PRIVATE_KEY, subtype=subtype@entry=1,
subject=subject@entry=0x0, flags=flags@entry=X509_NONE)
at 
/usr/src/debug/strongswan/5.7.2-r0/strongswan-5.7.2/src/libstrongswan/plugins/pem/pem_builder.c:399
x = 
cred = 0x0
---Type  to continue, or q  to quit---
pgp = false
12 0x7f606ebaf0e4 in load_from_file (flags=X509_NONE, subject=0x0, 
subtype=1, type=CRED_PRIVATE_KEY,
file=0x7f6069d21a20 
"/var/opt/public/sps/sps_necema/data/public/IPsec/secureboot_on/IPsec-internal_key.pem")
at 
/usr/src/debug/strongswan/5.7.2-r0/strongswan-5.7.2/src/libstrongswan/plugins/pem/pem_builder.c:452
cred = 
chunk = 0x7f6054005430
13 pem_load (type=CRED_PRIVATE_KEY, subtype=1, args=)
at 
/usr/src/debug/strongswan/5.7.2-r0/strongswan-5.7.2/src/libstrongswan/plugins/pem/pem_builder.c:498
file = 0x7f6069d21a20 
"/var/opt/public/sps/sps_necema/data/public/IPsec/secureboot_on/IPsec-internal_key.pem"
pem = 
subject = 0x0
flags = 0

Problem lies in frame 12 & 11.
(gdb) f 12
12 0x7f606ebaf0e4 in load_from_file (flags=X509_NONE, subject=0x0, 
subtype=1, type=CRED_PRIVATE_KEY,
file=0x7f6069d21a20 
"/var/opt/public/sps/sps_necema/data/public/IPsec/secureboot_on/IPsec-internal_key.pem")
at 
/usr/src/debug/strongswan/5.7.2-r0/strongswan-5.7.2/src/libstrongswan/plugins/pem/pem_builder.c:452
452 in 
/usr/src/debug/strongswan/5.7.2-r0/strongswan-5.7.2/src/libstrongswan/plugins/pem/pem_builder.c
(gdb) info locals
cred = 
chunk = 0x7f6054005430
(gdb) print *chunk
$21 = {ptr = 0x7f60728b7000 , len = 1704}
(gdb) f 11
11 0x7f606ebae810 in load_from_blob (blob=..., 
type=type@entry=CRED_PRIVATE_KEY, subtype=subtype@entry=1, 
subject=subject@entry=0x0,
flags=flags@entry=X509_NONE) at 
/usr/src/debug/strongswan/5.7.2-r0/strongswan-5.7.2/src/libstrongswan/plugins/pem/pem_builder.c:399
399 in 
/usr/src/debug/strongswan/5.7.2-r0/strongswan-5.7.2/src/libstrongswan/plugins/pem/pem_builder.c
(gdb) info args
blob = {ptr = 0x7f60728b7000 , len = 140052215328768}
type = CRED_PRIVATE_KEY
subtype = 1
subject = 0x0
flags = X509_NONE
(gdb) print blob
$22 = {ptr = 0x7f60728b7000 , len = 140052215328768}

Source code snippet :
static void *load_from_file(char *file, credential_type_t type, int subtype,
identification_t *subject, x509_flag_t 
flags)
{
void *cred;
chunk_t *chunk;

chunk = chunk_map(file, FALSE);
if (!chunk)
{
DBG1(DBG_LIB, "  opening '%s' failed: %s", file, 
strerror(errno));
return NULL;
}
cred = load_from_blob(*chunk, type, subtype, subject, flags);
chunk_unmap(chunk);
return cred;
}

Local variable chunk in load_from_file() (frame 12 above) is an
uninitialised pointer that is expected to be initialised by chunk_map()
and then passed to load_from_blob() as a parameter.
But somehow the chunk pointer was not initialised and was passed
as-is to load_from_blob() in frame 11 above.
As it contains a garbage address, load_from_blob() crashed with
SIGBUS (frames 10, 9, 8) when it tried to clone the memory regions
through chunk_clone() -> chunk_create_clone() -> memcpy() ->
memcpy_noop().
It could also be that chunk_map() has a bug and does not memmap()
the full or correct areas.

Upstream-Status: Pending
Tested By: Anuj Chougule 
Signed-off-by: Anuj Chougule 
Signed-off-by: Saloni Jain 
---
 .../strongswan/files/fix-charon-crash.patch| 23 ++
 1 file changed, 23 insertions(+)
 create mode 100644 recipes-support/strongswan/files/fix-charon-crash.patch

diff --git a/recipes-support/strongswan/files/fix-charon-crash.patch 
b/recipes-support/strongswan/files/fix-charon-crash.patch
new file mode 100644
index 000..95e71a2
--- /dev/null
+++ b/recipes-support/strongswan/files/fix-charon-crash.patch
@@ -0,0 +1,23 @@
+strongswan: avoid charon crash
+
+Variable chunk is an uninitialised pointer,which
+is expected to get initialised through method chunk_map()
+& then passed to load_from_blob() as a parameter.
+But somehow, if the chunk pointer did not get initialised & gets
+passed as it is to load_from_blob(), it may 

[OE-core] [meta-oe][sumo][PATCH] strongswan: avoid charon crash

2020-02-20 Thread Saloni Jain
From: Anuj Chougule 

This is a possible fix to charon that crashed early due to invalid
memory access.
Important frames from Backtraces :
8  0x7f607246e160 in memcpy (__len=1704, __src=, 
__dest=)
at /usr/include/bits/string_fortified.h:34
No locals.
9  memcpy_noop (n=1704, src=, dst=)
at 
/usr/src/debug/strongswan/5.7.2-r0/strongswan-5.7.2/src/libstrongswan/utils/utils/memory.h:47
n = 1704
src = 
dst = 
10 chunk_create_clone (ptr=, chunk=...)
at 
/usr/src/debug/strongswan/5.7.2-r0/strongswan-5.7.2/src/libstrongswan/utils/chunk.c:48
clone = 
11 0x7f606ebae810 in load_from_blob (blob=..., 
type=type@entry=CRED_PRIVATE_KEY, subtype=subtype@entry=1,
subject=subject@entry=0x0, flags=flags@entry=X509_NONE)
at 
/usr/src/debug/strongswan/5.7.2-r0/strongswan-5.7.2/src/libstrongswan/plugins/pem/pem_builder.c:399
x = 
cred = 0x0
---Type  to continue, or q  to quit---
pgp = false
12 0x7f606ebaf0e4 in load_from_file (flags=X509_NONE, subject=0x0, 
subtype=1, type=CRED_PRIVATE_KEY,
file=0x7f6069d21a20 
"/var/opt/public/sps/sps_necema/data/public/IPsec/secureboot_on/IPsec-internal_key.pem")
at 
/usr/src/debug/strongswan/5.7.2-r0/strongswan-5.7.2/src/libstrongswan/plugins/pem/pem_builder.c:452
cred = 
chunk = 0x7f6054005430
13 pem_load (type=CRED_PRIVATE_KEY, subtype=1, args=)
at 
/usr/src/debug/strongswan/5.7.2-r0/strongswan-5.7.2/src/libstrongswan/plugins/pem/pem_builder.c:498
file = 0x7f6069d21a20 
"/var/opt/public/sps/sps_necema/data/public/IPsec/secureboot_on/IPsec-internal_key.pem"
pem = 
subject = 0x0
flags = 0

Problem lies in frame 12 & 11.
(gdb) f 12
12 0x7f606ebaf0e4 in load_from_file (flags=X509_NONE, subject=0x0, 
subtype=1, type=CRED_PRIVATE_KEY,
file=0x7f6069d21a20 
"/var/opt/public/sps/sps_necema/data/public/IPsec/secureboot_on/IPsec-internal_key.pem")
at 
/usr/src/debug/strongswan/5.7.2-r0/strongswan-5.7.2/src/libstrongswan/plugins/pem/pem_builder.c:452
452 in 
/usr/src/debug/strongswan/5.7.2-r0/strongswan-5.7.2/src/libstrongswan/plugins/pem/pem_builder.c
(gdb) info locals
cred = 
chunk = 0x7f6054005430
(gdb) print *chunk
$21 = {ptr = 0x7f60728b7000 , len = 1704}
(gdb) f 11
11 0x7f606ebae810 in load_from_blob (blob=..., 
type=type@entry=CRED_PRIVATE_KEY, subtype=subtype@entry=1, 
subject=subject@entry=0x0,
flags=flags@entry=X509_NONE) at 
/usr/src/debug/strongswan/5.7.2-r0/strongswan-5.7.2/src/libstrongswan/plugins/pem/pem_builder.c:399
399 in 
/usr/src/debug/strongswan/5.7.2-r0/strongswan-5.7.2/src/libstrongswan/plugins/pem/pem_builder.c
(gdb) info args
blob = {ptr = 0x7f60728b7000 , len = 140052215328768}
type = CRED_PRIVATE_KEY
subtype = 1
subject = 0x0
flags = X509_NONE
(gdb) print blob
$22 = {ptr = 0x7f60728b7000 , len = 140052215328768}

Source code snippet :
static void *load_from_file(char *file, credential_type_t type, int subtype,
identification_t *subject, x509_flag_t 
flags)
{
void *cred;
chunk_t *chunk;

chunk = chunk_map(file, FALSE);
if (!chunk)
{
DBG1(DBG_LIB, "  opening '%s' failed: %s", file, 
strerror(errno));
return NULL;
}
cred = load_from_blob(*chunk, type, subtype, subject, flags);
chunk_unmap(chunk);
return cred;
}

Local variable chunk in load_from_file() (frame 12 above) is an
uninitialised pointer that is expected to be initialised by chunk_map()
and then passed to load_from_blob() as a parameter.
But somehow the chunk pointer was not initialised and was passed
as-is to load_from_blob() in frame 11 above.
As it contains a garbage address, load_from_blob() crashed with
SIGBUS (frames 10, 9, 8) when it tried to clone the memory regions
through chunk_clone() -> chunk_create_clone() -> memcpy() ->
memcpy_noop().
It could also be that chunk_map() has a bug and does not memmap()
the full or correct areas.

Upstream-Status: Pending
Tested By: Anuj Chougule 
Signed-off-by: Anuj Chougule 
Signed-off-by: Saloni Jain 
---
 .../strongswan/files/fix-charon-crash.patch| 23 ++
 1 file changed, 23 insertions(+)
 create mode 100644 recipes-support/strongswan/files/fix-charon-crash.patch

diff --git a/recipes-support/strongswan/files/fix-charon-crash.patch 
b/recipes-support/strongswan/files/fix-charon-crash.patch
new file mode 100644
index 000..95e71a2
--- /dev/null
+++ b/recipes-support/strongswan/files/fix-charon-crash.patch
@@ -0,0 +1,23 @@
+strongswan: avoid charon crash
+
+Variable chunk is an uninitialised pointer,which
+is expected to get initialised through method chunk_map()
+& then passed to load_from_blob() as a parameter.
+But somehow, if the chunk pointer did not get initialised & gets
+passed as it is to load_from_blob(), it may 

[OE-core] [poky][dunfell][PATCH] ffmpeg: Add fix for CVEs

2021-10-05 Thread Saloni Jain
From: Saloni 

Add fixes for the CVEs below:
CVE-2021-3566
Link: 
[http://git.videolan.org/?p=ffmpeg.git;a=patch;h=3bce9e9b3ea35c54ba793d7da99ea5157532]

CVE-2021-38291
Link: 
[http://git.videolan.org/?p=ffmpeg.git;a=patch;h=e01d306c647b5827102260b885faa223b646d2d1]

Signed-off-by: Saloni Jain 
---
 .../ffmpeg/ffmpeg/CVE-2021-3566.patch | 61 +++
 .../ffmpeg/ffmpeg/CVE-2021-38291.patch| 53 
 .../recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb |  4 +-
 3 files changed, 117 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-3566.patch
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-38291.patch

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-3566.patch 
b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-3566.patch
new file mode 100644
index 00..abfc024820
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-3566.patch
@@ -0,0 +1,61 @@
+From 3bce9e9b3ea35c54ba793d7da99ea5157532 Mon Sep 17 00:00:00 2001
+From: Paul B Mahol 
+Date: Mon, 27 Jan 2020 21:53:08 +0100
+Subject: [PATCH] avformat/tty: add probe function
+
+CVE: CVE-2021-3566
+Signed-off-by: Saloni Jain 
+
+Upstream-Status: Backport 
[http://git.videolan.org/?p=ffmpeg.git;a=patch;h=3bce9e9b3ea35c54ba793d7da99ea5157532]
+Comment: No changes/refreshing done.
+---
+ libavformat/tty.c | 21 -
+ 1 file changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/libavformat/tty.c b/libavformat/tty.c
+index 8d48f2c45c12..60f7e9f87ee7 100644
+--- a/libavformat/tty.c
 b/libavformat/tty.c
+@@ -34,6 +34,13 @@
+ #include "internal.h"
+ #include "sauce.h"
+ 
++static int isansicode(int x)
++{
++return x == 0x1B || x == 0x0A || x == 0x0D || (x >= 0x20 && x < 0x7f);
++}
++
++static const char tty_extensions[31] = "ans,art,asc,diz,ice,nfo,txt,vt";
++
+ typedef struct TtyDemuxContext {
+ AVClass *class;
+ int chars_per_frame;
+@@ -42,6 +49,17 @@ typedef struct TtyDemuxContext {
+ AVRational framerate; /**< Set by a private option. */
+ } TtyDemuxContext;
+ 
++static int read_probe(const AVProbeData *p)
++{
++int cnt = 0;
++
++for (int i = 0; i < p->buf_size; i++)
++cnt += !!isansicode(p->buf[i]);
++
++return (cnt * 100LL / p->buf_size) * (cnt > 400) *
++!!av_match_ext(p->filename, tty_extensions);
++}
++
+ /**
+  * Parse EFI header
+  */
+@@ -153,8 +171,9 @@ AVInputFormat ff_tty_demuxer = {
+ .name   = "tty",
+ .long_name  = NULL_IF_CONFIG_SMALL("Tele-typewriter"),
+ .priv_data_size = sizeof(TtyDemuxContext),
++.read_probe = read_probe,
+ .read_header= read_header,
+ .read_packet= read_packet,
+-.extensions = "ans,art,asc,diz,ice,nfo,txt,vt",
++.extensions = tty_extensions,
+ .priv_class = &tty_demuxer_class,
+ };
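Review bot: `read_probe()` divides by `p->buf_size` in `cnt * 100LL / p->buf_size` without checking it for zero, and the `(cnt > 400)` factor is applied only after the division, so an empty probe buffer would reach a division by zero. A guard at the top of the function, `if (p->buf_size <= 0) return 0;`, avoids that; whether callers can pass an empty buffer is not visible here, so treat it as defensive. Separately, the header of CVE-2021-38291.patch further down this mail carries `CVE: CVE-2021-3566`, which looks like a copy-paste slip and should read `CVE: CVE-2021-38291`.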
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-38291.patch 
b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-38291.patch
new file mode 100644
index 00..e5be985fc3
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-38291.patch
@@ -0,0 +1,53 @@
+From e01d306c647b5827102260b885faa223b646d2d1 Mon Sep 17 00:00:00 2001
+From: James Almer 
+Date: Wed, 21 Jul 2021 01:02:44 -0300
+Subject: [PATCH] avcodec/utils: don't return negative values in
+ av_get_audio_frame_duration()
+
+In some extrme cases, like with adpcm_ms samples with an extremely high channel
+count, get_audio_frame_duration() may return a negative frame duration value.
+Don't propagate it, and instead return 0, signaling that a duration could not
+be determined.
+
+CVE: CVE-2021-3566
+Fixes ticket #9312
+Signed-off-by: James Almer 
+Signed-off-by: Saloni Jain 
+
+Upstream-Status: Backport 
[http://git.videolan.org/?p=ffmpeg.git;a=patch;h=e01d306c647b5827102260b885faa223b646d2d1]
+Comment: No changes/refreshing done.
+---
+ libavcodec/utils.c | 6 --
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/libavcodec/utils.c b/libavcodec/utils.c
+index 5fad782f5a..cfc07cbcb8 100644
+--- a/libavcodec/utils.c
 b/libavcodec/utils.c
+@@ -810,20 +810,22 @@ static int get_audio_frame_duration(enum AVCodecID id, 
int sr, int ch, int ba,
+ 
+ int av_get_audio_frame_duration(AVCodecContext *avctx, int frame_bytes)
+ {
+-return get_audio_frame_duration(avctx->codec_id, avctx->sample_rate,
++int duration = get_audio_frame_duration(avctx->codec_id, 
avctx->sample_rate,
+ avctx->channels, avctx->block_align,
+ avctx->codec_tag, 
avctx->bits_per_coded_sample,
+ avctx->bit_rate, avctx->extradata, 
avctx->frame_size,
+ frame_bytes);
++return FFMAX(0, duration);
+ }
+ 
+ int av_get_audio_frame_du

[OE-core] [poky][dunfell][PATCH] db: Whitelist CVEs

2021-09-13 Thread Saloni Jain
From: Saloni Jain 

The CVEs below affect only Oracle Berkeley DB as per upstream.
Hence, they are whitelisted.

1. CVE-2015-2583
Link: https://security-tracker.debian.org/tracker/CVE-2015-2583
2. CVE-2015-2624
Link: https://security-tracker.debian.org/tracker/CVE-2015-2624
3. CVE-2015-2626
Link: https://security-tracker.debian.org/tracker/CVE-2015-2626
4. CVE-2015-2640
Link: https://security-tracker.debian.org/tracker/CVE-2015-2640
5. CVE-2015-2654
Link: https://security-tracker.debian.org/tracker/CVE-2015-2654
6. CVE-2015-2656
Link: https://security-tracker.debian.org/tracker/CVE-2015-2656
7. CVE-2015-4754
Link: https://security-tracker.debian.org/tracker/CVE-2015-4754
8. CVE-2015-4764
Link: https://security-tracker.debian.org/tracker/CVE-2015-4764
9. CVE-2015-4774
Link: https://security-tracker.debian.org/tracker/CVE-2015-4774
10. CVE-2015-4775
Link: https://security-tracker.debian.org/tracker/CVE-2015-4775
11. CVE-2015-4776
Link: https://security-tracker.debian.org/tracker/CVE-2015-4776
12. CVE-2015-4777
Link: https://security-tracker.debian.org/tracker/CVE-2015-4777
13. CVE-2015-4778
Link: https://security-tracker.debian.org/tracker/CVE-2015-4778
14. CVE-2015-4779
Link: https://security-tracker.debian.org/tracker/CVE-2015-4779
15. CVE-2015-4780
Link: https://security-tracker.debian.org/tracker/CVE-2015-4780
16. CVE-2015-4781
Link: https://security-tracker.debian.org/tracker/CVE-2015-4781
17. CVE-2015-4782
Link: https://security-tracker.debian.org/tracker/CVE-2015-4782
18. CVE-2015-4783
Link: https://security-tracker.debian.org/tracker/CVE-2015-4783
19. CVE-2015-4784
Link: https://security-tracker.debian.org/tracker/CVE-2015-4784
20. CVE-2015-4785
Link: https://security-tracker.debian.org/tracker/CVE-2015-4785
21. CVE-2015-4786
Link: https://security-tracker.debian.org/tracker/CVE-2015-4786
22. CVE-2015-4787
Link: https://security-tracker.debian.org/tracker/CVE-2015-4787
23. CVE-2015-4788
Link: https://security-tracker.debian.org/tracker/CVE-2015-4788
24. CVE-2015-4789
Link: https://security-tracker.debian.org/tracker/CVE-2015-4789
25. CVE-2015-4790
Link: https://security-tracker.debian.org/tracker/CVE-2015-4790
26. CVE-2016-0682
Link: https://security-tracker.debian.org/tracker/CVE-2016-0682
27. CVE-2016-0689
Link: https://security-tracker.debian.org/tracker/CVE-2016-0689
28. CVE-2016-0692
Link: https://security-tracker.debian.org/tracker/CVE-2016-0692
29. CVE-2016-0694
Link: https://security-tracker.debian.org/tracker/CVE-2016-0694
30. CVE-2016-3418
Link: https://security-tracker.debian.org/tracker/CVE-2016-3418
31. CVE-2017-3604
Link: https://security-tracker.debian.org/tracker/CVE-2017-3604
32. CVE-2017-3605
Link: https://security-tracker.debian.org/tracker/CVE-2017-3605
33. CVE-2017-3606
Link: https://security-tracker.debian.org/tracker/CVE-2017-3606
34. CVE-2017-3607
Link: https://security-tracker.debian.org/tracker/CVE-2017-3607
35. CVE-2017-3608
Link: https://security-tracker.debian.org/tracker/CVE-2017-3608
36. CVE-2017-3609
Link: https://security-tracker.debian.org/tracker/CVE-2017-3609
37. CVE-2017-3610
Link: https://security-tracker.debian.org/tracker/CVE-2017-3610
38. CVE-2017-3611
Link: https://security-tracker.debian.org/tracker/CVE-2017-3611
39. CVE-2017-3612
Link: https://security-tracker.debian.org/tracker/CVE-2017-3612
40. CVE-2017-3613
Link: https://security-tracker.debian.org/tracker/CVE-2017-3613
41. CVE-2017-3614
Link: https://security-tracker.debian.org/tracker/CVE-2017-3614
42. CVE-2017-3615
Link: https://security-tracker.debian.org/tracker/CVE-2017-3615
43. CVE-2017-3616
Link: https://security-tracker.debian.org/tracker/CVE-2017-3616
44. CVE-2017-3617
Link: https://security-tracker.debian.org/tracker/CVE-2017-3617
45. CVE-2020-2981
Link: https://security-tracker.debian.org/tracker/CVE-2020-2981

Signed-off-by: Saloni 
---
 meta/recipes-support/db/db_5.3.28.bb | 92 
 1 file changed, 92 insertions(+)

diff --git a/meta/recipes-support/db/db_5.3.28.bb 
b/meta/recipes-support/db/db_5.3.28.bb
index b2ae98f05c..000e9ef468 100644
--- a/meta/recipes-support/db/db_5.3.28.bb
+++ b/meta/recipes-support/db/db_5.3.28.bb
@@ -39,6 +39,98 @@ SRC_URI[sha256sum] = 
"e0a992d740709892e81f9d93f06daf305cf73fb81b545afe7247804317
 
 LIC_FILES_CHKSUM = "file://LICENSE;md5=ed1158e31437f4f87cdd4ab2b8613955"
 
+# Below CVEs affects only Oracle Berkeley DB as per upstream.
+# https://security-tracker.debian.org/tracker/CVE-2015-2583
+CVE_CHECK_WHITELIST += "CVE-2015-2583"
+# https://security-tracker.debian.org/tracker/CVE-2015-2624
+CVE_CHECK_WHITELIST += "CVE-2015-2624"
+# https://security-tracker.debian.org/tracker/CVE-2015-2626
+CVE_CHECK_WHITELIST += "CVE-2015-2626"
+# https://security-tracker.debian.org/tracker/CVE-2015-2640
+CVE_CHECK_WHITELIST += "CVE-2015-2640"
+# https://security-tracker.debian.org/tracker/CVE-2015-2654
+CVE_CHECK_WHITELIST += "CVE-2015-2654"
+# https://security-tracker.debian.org/track

[OE-core] [poky][dunfell][PATCH] libxcrypt: Add fix for CVE-2021-33560

2021-09-13 Thread Saloni Jain
From: Saloni Jain 

Add fix for below CVE:
CVE-2021-33560
Link: 
[https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=patch;h=3462280f2e23e16adf3ed5176e0f2413d8861320]

Signed-off-by: Saloni Jain
---
 .../libgcrypt/files/CVE-2021-33560.patch  | 108 ++
 .../libgcrypt/libgcrypt_1.8.5.bb  |   1 +
 2 files changed, 109 insertions(+)
 create mode 100644 meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch

diff --git a/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch 
b/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch
new file mode 100644
index 00..ba51af46b3
--- /dev/null
+++ b/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch
@@ -0,0 +1,108 @@
+From 3462280f2e23e16adf3ed5176e0f2413d8861320 Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka 
+Date: Fri, 21 May 2021 11:15:07 +0900
+Subject: [PATCH] cipher: Fix ElGamal encryption for other implementations.
+
+* cipher/elgamal.c (gen_k): Remove support of smaller K.
+(do_encrypt): Never use smaller K.
+(sign): Folllow the change of gen_k.
+
+--
+
+Cherry-pick master commit of:
+   632d80ef30e13de6926d503aa697f92b5dbfbc5e
+
+This change basically reverts encryption changes in two commits:
+
+   74386120dad6b3da62db37f7044267c8ef34689b
+   78531373a342aeb847950f404343a05e36022065
+
+Use of smaller K for ephemeral key in ElGamal encryption is only good,
+when we can guarantee that recipient's key is generated by our
+implementation (or compatible).
+
+For detail, please see:
+
+Luca De Feo, Bertram Poettering, Alessandro Sorniotti,
+"On the (in)security of ElGamal in OpenPGP";
+in the proceedings of  CCS'2021.
+
+CVE: CVE-2021-33560
+GnuPG-bug-id: 5328
+Suggested-by: Luca De Feo, Bertram Poettering, Alessandro Sorniotti
+Signed-off-by: NIIBE Yutaka 
+Signed-off-by: Saloni Jain 
+
+Upstream-Status: Backport 
[https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=patch;h=3462280f2e23e16adf3ed5176e0f2413d8861320]
+Comment: No changes/refreshing done.
+---
+ cipher/elgamal.c | 24 ++--
+ 1 file changed, 6 insertions(+), 18 deletions(-)
+
+diff --git a/cipher/elgamal.c b/cipher/elgamal.c
+index 9835122f..eead4502 100644
+--- a/cipher/elgamal.c
 b/cipher/elgamal.c
+@@ -66,7 +66,7 @@ static const char *elg_names[] =
+ 
+ 
+ static int test_keys (ELG_secret_key *sk, unsigned int nbits, int nodie);
+-static gcry_mpi_t gen_k (gcry_mpi_t p, int small_k);
++static gcry_mpi_t gen_k (gcry_mpi_t p);
+ static gcry_err_code_t generate (ELG_secret_key *sk, unsigned nbits,
+  gcry_mpi_t **factors);
+ static int  check_secret_key (ELG_secret_key *sk);
+@@ -189,11 +189,10 @@ test_keys ( ELG_secret_key *sk, unsigned int nbits, int 
nodie )
+ 
+ /
+  * Generate a random secret exponent k from prime p, so that k is
+- * relatively prime to p-1.  With SMALL_K set, k will be selected for
+- * better encryption performance - this must never be used signing!
++ * relatively prime to p-1.
+  */
+ static gcry_mpi_t
+-gen_k( gcry_mpi_t p, int small_k )
++gen_k( gcry_mpi_t p )
+ {
+   gcry_mpi_t k = mpi_alloc_secure( 0 );
+   gcry_mpi_t temp = mpi_alloc( mpi_get_nlimbs(p) );
+@@ -202,18 +201,7 @@ gen_k( gcry_mpi_t p, int small_k )
+   unsigned int nbits, nbytes;
+   char *rndbuf = NULL;
+ 
+-  if (small_k)
+-{
+-  /* Using a k much lesser than p is sufficient for encryption and
+-   * it greatly improves the encryption performance.  We use
+-   * Wiener's table and add a large safety margin. */
+-  nbits = wiener_map( orig_nbits ) * 3 / 2;
+-  if( nbits >= orig_nbits )
+-BUG();
+-}
+-  else
+-nbits = orig_nbits;
+-
++  nbits = orig_nbits;
+ 
+   nbytes = (nbits+7)/8;
+   if( DBG_CIPHER )
+@@ -492,7 +480,7 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, 
ELG_public_key *pkey )
+* error code.
+*/
+ 
+-  k = gen_k( pkey->p, 1 );
++  k = gen_k( pkey->p );
+   mpi_powm (a, pkey->g, k, pkey->p);
+ 
+   /* b = (y^k * input) mod p
+@@ -608,7 +596,7 @@ sign(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, 
ELG_secret_key *skey )
+ *
+ */
+ mpi_sub_ui(p_1, p_1, 1);
+-k = gen_k( skey->p, 0 /* no small K ! */ );
++k = gen_k( skey->p );
+ mpi_powm( a, skey->g, k, skey->p );
+ mpi_mul(t, skey->x, a );
+ mpi_subm(t, input, t, p_1 );
+-- 
+2.11.0
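Review bot: The embedded fix only removes the `small_k` path from `gen_k()` and updates its two callers (`do_encrypt`, `sign`); nothing in the decrypt path changes. As far as I recall, the public description of CVE-2021-33560 also mentions missing exponent blinding around `mpi_powm`, so it is worth confirming against the upstream branch whether a companion hardening commit has to be backported before the `CVE:` tag marks the issue as handled. The mail subject also says libxcrypt while every file touched is under `libgcrypt`, which could mislead anyone tracking which recipe received the fix.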
diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb 
b/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb
index 16a58ad9b8..174b087b24 100644
--- a/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb
+++ b/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb
@@ -28,6 +28,7 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \

file://0002-AES-move-look-up-tables-to-.data-section-and-unshare.patch \

file://0003-GCM-move-look-up-table-to-.data-section-and-unshare-.patch \
file://determinism.patch \