Re: [OE-core] [kirkstone][PATCH 1/3] expat: fix CVE-2024-45490
> > expat/tests/basic_tests.c is not present in recipe version, will add these
> > changes to runtests.c and will send V2.
> >

- Yes, expat/tests/basic_tests.c was separated out from runtests.c from version 2.6.0.
- Afaik, the patch will apply directly to runtests.c as there is no major change except the separation that was done in expat.

Thank you for your work :) and for sending V2 :)

BR,
Siddharth

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#204305): https://lists.openembedded.org/g/openembedded-core/message/204305
Mute This Topic: https://lists.openembedded.org/mt/108304022/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [OE-core] [kirkstone][PATCH 1/3] expat: fix CVE-2024-45490
Hi Archana,

The fix for this CVE consists of 3 commits (fix in file, test to check for issue and doc update) (ref -> https://github.com/libexpat/libexpat/pull/890/commits ), out of which you have backported only 2 (fix in file and doc update). The commit for "test to check len<0" is not added in the patch. Is there any specific reason to exclude it? If not, could you send a v2 incorporating the missing commit too?

BR,
Siddharth

View/Reply Online (#204293): https://lists.openembedded.org/g/openembedded-core/message/204293
[OE-core][kirkstone][PATCH] openssl: Upgrade 3.0.14 -> 3.0.15
From: Siddharth Doshi

Updated SRC_URI link and format due to change in openssl website.

CVE's Fixed by upgrade:
CVE-2024-5535: Fixed possible buffer overread in SSL_select_next_proto().
CVE-2024-6119: Fixed possible denial of service in X.509 name checks

- Removed backports of CVE-2024-5535 as it is already fixed.

Detailed Information:
https://github.com/openssl/openssl/blob/openssl-3.0/CHANGES.md#changes-between-3014-and-3015-3-sep-2024

Signed-off-by: Siddharth Doshi
---
 .../openssl/openssl/CVE-2024-5535_1.patch | 115 --
 .../openssl/openssl/CVE-2024-5535_2.patch | 44 -
 .../openssl/openssl/CVE-2024-5535_3.patch | 84 --
 .../openssl/openssl/CVE-2024-5535_4.patch | 178 ---
 .../openssl/openssl/CVE-2024-5535_5.patch | 1175 -
 .../openssl/openssl/CVE-2024-5535_6.patch | 45 -
 .../openssl/openssl/CVE-2024-5535_7.patch | 68 -
 .../openssl/openssl/CVE-2024-5535_8.patch | 273
 .../openssl/openssl/CVE-2024-5535_9.patch | 205 ---
 .../{openssl_3.0.14.bb => openssl_3.0.15.bb} | 13 +-
 10 files changed, 2 insertions(+), 2198 deletions(-)
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_1.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_2.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_3.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_4.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_5.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_6.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_7.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_8.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_9.patch
 rename meta/recipes-connectivity/openssl/{openssl_3.0.14.bb => openssl_3.0.15.bb} (94%)
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_1.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_1.patch deleted file mode 100644 index a96af0ed13..00 --- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_1.patch +++ /dev/null 
@@ -1,115 +0,0 @@ -From e6190fc977f086428cc7880f95e8bcd5a11ac193 Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Fri, 31 May 2024 11:14:33 +0100 -Subject: [PATCH 1/9] Fix SSL_select_next_proto - -Ensure that the provided client list is non-NULL and starts with a valid -entry. When called from the ALPN callback the client list should already -have been validated by OpenSSL so this should not cause a problem. When -called from the NPN callback the client list is locally configured and -will not have already been validated. Therefore SSL_select_next_proto -should not assume that it is correctly formatted. - -We implement stricter checking of the client protocol list. We also do the -same for the server list while we are about it. - -CVE-2024-5535 - -Reviewed-by: Neil Horman -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/24718) - -(cherry picked from commit 4ada436a1946cbb24db5ab4ca082b69c1bc10f37) - -Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/cf6f91f6121f4db167405db2f0de410a456f260c] -CVE: CVE-2024-5535 -Signed-off-by: Siddharth Doshi - ssl/ssl_lib.c | 63 --- - 1 file changed, 40 insertions(+), 23 deletions(-) - -diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c -index cb4e006..e628140 100644 a/ssl/ssl_lib.c -+++ b/ssl/ssl_lib.c -@@ -2952,37 +2952,54 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen, - unsigned int server_len, - const unsigned char *client, unsigned int client_len) - { --unsigned int i, j; --const unsigned char *result; --int status = OPENSSL_NPN_UNSUPPORTED; -+PACKET cpkt, csubpkt, spkt, ssubpkt; -+ -+if (!PACKET_buf_init(&cpkt, client, client_len) -+|| !PACKET_get_length_prefixed_1(&cpkt, &csubpkt) -+|| PACKET_remaining(&csubpkt) == 0) { -+*out = NULL; -+*outlen = 0; -+return OPENSSL_NPN_NO_OVERLAP; -+} -+ -+/* -+ * Set the default opportunistic protocol. Will be overwritten if we find -+ * a match. 
-+ */ -+*out = (unsigned char *)PACKET_data(&csubpkt); -+*outlen = (unsigned char)PACKET_remaining(&csubpkt); - - /* - * For each protocol in server preference order, see if we support it. - */ --for (i = 0; i < server_len;) { --for (j = 0; j < client_len;) { --if (server[i] == client[j] && --memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) { --/* We found a match */ --result = &server[i]; --status = OPENSSL_NPN_NEGOTI
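Review bot: the openssl_3.0.15.bb change is not in the visible part of this patch, but because the commit message says the download URL and format changed on the openssl website, the new SRC_URI[sha256sum] should be confirmed against the openssl-3.0.15.tar.gz.sha256 and .asc files published by the project rather than copied from whatever the fetcher downloaded; a line in the commit message saying this was checked would help reviewers of a source-host change on an LTS branch. Deleting CVE-2024-5535_1.patch through _9.patch is fine once 3.0.15 is in, as the deleted header shows the file was a cherry-pick of upstream 4ada436a1946cbb24db5ab4ca082b69c1bc10f37, which the commit message says the release already carries.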
[OE-core][scarthgap][PATCH] openssl: Upgrade 3.2.2 -> 3.2.3
From: Siddharth Doshi

Updated SRC_URI link and format due to change in openssl website.

CVE's Fixed by upgrade:
CVE-2024-5535: Fixed possible buffer overread in SSL_select_next_proto().
CVE-2024-6119: Fixed possible denial of service in X.509 name checks

- Removed backports of CVE-2024-5535 as it is already fixed.
- Removed first hunk of 0001-Added-handshake-history-reporting-when-test-fails.patch as the copyright years are already updated in test/helpers/handshake.c file

Detailed Information:
https://github.com/openssl/openssl/blob/openssl-3.2/CHANGES.md#changes-between-322-and-323-3-sep-2024
Signed-off-by: Siddharth Doshi --- ...ke-history-reporting-when-test-fails.patch |8 +- .../openssl/openssl/CVE-2024-5535_1.patch | 113 -- .../openssl/openssl/CVE-2024-5535_10.patch| 203 --- .../openssl/openssl/CVE-2024-5535_2.patch | 43 - .../openssl/openssl/CVE-2024-5535_3.patch | 38 - .../openssl/openssl/CVE-2024-5535_4.patch | 82 -- .../openssl/openssl/CVE-2024-5535_5.patch | 176 --- .../openssl/openssl/CVE-2024-5535_6.patch | 1173 - .../openssl/openssl/CVE-2024-5535_7.patch | 43 - .../openssl/openssl/CVE-2024-5535_8.patch | 66 - .../openssl/openssl/CVE-2024-5535_9.patch | 271 .../{openssl_3.2.2.bb => openssl_3.2.3.bb}| 14 +- 12 files changed, 3 insertions(+), 2227 deletions(-) delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_1.patch delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_10.patch delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_2.patch delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_3.patch delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_4.patch delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_5.patch delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_6.patch delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_7.patch delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_8.patch delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_9.patch rename meta/recipes-connectivity/openssl/{openssl_3.2.2.bb => openssl_3.2.3.bb} (94%) diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch b/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch index aa2e5bb800..9baa0c2d75 100644 --- a/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch 
+++ b/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch @@ -6,6 +6,7 @@ Subject: [PATCH] Added handshake history reporting when test fails Upstream-Status: Submitted [https://github.com/openssl/openssl/pull/22481] Signed-off-by: William Lyu +Signed-off-by: Siddharth Doshi --- test/helpers/handshake.c | 139 +-- test/helpers/handshake.h | 70 +++- @@ -16,13 +17,6 @@ diff --git a/test/helpers/handshake.c b/test/helpers/handshake.c index e0422469e4..ae2ad59dd4 100644 --- a/test/helpers/handshake.c +++ b/test/helpers/handshake.c -@@ -1,5 +1,5 @@ - /* -- * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. -+ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the Apache License 2.0 (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy @@ -24,6 +24,102 @@ #include #endif diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_1.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_1.patch deleted file mode 100644 index d5c178eeab..00 --- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_1.patch +++ /dev/null 
@@ -1,113 +0,0 @@ -From b63b4db52e10677db4ab46b608aabd55a44668aa Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Fri, 31 May 2024 11:14:33 +0100 -Subject: [PATCH 01/10] Fix SSL_select_next_proto - -Ensure that the provided client list is non-NULL and starts with a valid -entry. When called from the ALPN callback the client list should already -have been validated by OpenSSL so this should not cause a problem. When -called from the NPN callback the client list is locally configured and -will not have already been validated. Therefore SSL_select_next_proto -should not assume that it is correctly formatted. - -We implement stricter checking of the client protocol list. We also do the -same for the server list while we are about it. - -CVE-2024-5535 - -Reviewed-by: Neil Horman -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/24717) - -Upstream-Status: Backport from [https://github.com/o
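Review bot: the diffstat kept inside 0001-Added-handshake-history-reporting-when-test-fails.patch ("test/helpers/handshake.c | 139 +-") no longer matches the patch body once the copyright-year hunk is dropped; please regenerate the patch with git format-patch against 3.2.3 so the stat and hunk headers agree, and while doing so check whether https://github.com/openssl/openssl/pull/22481 (still marked Upstream-Status: Submitted) has been merged into the 3.2 series, in which case the patch can be dropped instead of carried. Adding your Signed-off-by to the modified patch is appropriate.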
[OE-core][kirkstone][PATCH] vim: Upgrade 9.1.0114 -> 9.1.0698
From: Siddharth Doshi

This includes CVE-fix for CVE-2024-41957, CVE-2024-41965, CVE-2024-43374, CVE-2024-43790 and CVE-2024-43802

Changes between 9.1.0114 -> 9.1.0698
https://github.com/vim/vim/compare/v9.1.0114...v9.1.0698

Note: Removed patch "vim-add-knob-whether-elf.h-are-checked.patch" as libelf checks are removed from configure.ac as per commit https://github.com/vim/vim/commit/1acc67ac4412aa9a75d1c58ebf93f2b29585a960

Signed-off-by: Siddharth Doshi
---
 ...m-add-knob-whether-elf.h-are-checked.patch | 39 ---
 meta/recipes-support/vim/vim.inc | 5 +--
 2 files changed, 2 insertions(+), 42 deletions(-)
 delete mode 100644 meta/recipes-support/vim/files/vim-add-knob-whether-elf.h-are-checked.patch

diff --git a/meta/recipes-support/vim/files/vim-add-knob-whether-elf.h-are-checked.patch b/meta/recipes-support/vim/files/vim-add-knob-whether-elf.h-are-checked.patch
deleted file mode 100644
index 5284ba45b6..00
--- a/meta/recipes-support/vim/files/vim-add-knob-whether-elf.h-are-checked.patch
+++ /dev/null
@@ -1,39 +0,0 @@ -From 38de4bccdb8a861ffdd447f12fdab19d6d852c02 Mon Sep 17 00:00:00 2001 -From: Chong Lu -Date: Tue, 26 Jun 2018 17:34:15 +0800 -Subject: [PATCH] vim: add knob whether elf.h are checked - -Previously, it still was checked when there was no elf library in sysroots directory. -Add knob to decide whether elf.h are checked or not. - -Upstream-Status: Pending - -Signed-off-by: Chong Lu -Signed-off-by: Changqing Li - src/configure.ac | 7 +++ - 1 file changed, 7 insertions(+) - -Index: git/src/configure.ac -=== git.orig/src/configure.ac -+++ git/src/configure.ac -@@ -3264,11 +3264,18 @@ AC_TRY_COMPILE([#include ], [in - AC_MSG_RESULT(no)) - - dnl Checks for header files. -+AC_MSG_CHECKING(whether or not to look for elf.h) -+AC_ARG_ENABLE(elf-check, -+[ --enable-elf-check If elfutils, check for elf.h [default=no]], -+, enable_elf_check="no") -+AC_MSG_RESULT($enable_elf_check) -+if test "x$enable_elf_check" != "xno"; then - AC_CHECK_HEADER(elf.h, HAS_ELF=1) - dnl AC_CHECK_HEADER(dwarf.h, SVR4=1) - if test "$HAS_ELF" = 1; then - AC_CHECK_LIB(elf, main) - fi -+fi - - AC_HEADER_DIRENT - diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc index 071deed338..11daa900d2 100644 --- a/meta/recipes-support/vim/vim.inc +++ b/meta/recipes-support/vim/vim.inc 
@@ -14,13 +14,12 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=d1a651ab770b45d41c0f8cb5a8ca930e" SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \ file://disable_acl_header_check.patch \ - file://vim-add-knob-whether-elf.h-are-checked.patch \ file://0001-src-Makefile-improve-reproducibility.patch \ file://no-path-adjust.patch \ " -PV .= ".0114" -SRCREV = "fcaed6a70faf73bff3e5405ada556d726024f866" +PV .= ".0698" +SRCREV = "d56c451e1c05310562c5282352d7bb287c16323c" # Do not consider .z in x.y.z, as that is updated with every commit UPSTREAM_CHECK_GITTAGREGEX = "(?P\d+\.\d+)\.0" -- 2.34.1

View/Reply Online (#203851): https://lists.openembedded.org/g/openembedded-core/message/203851
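Review bot: a jump from 9.1.0114 to 9.1.0698 pulls several hundred upstream patch releases into an LTS branch, so the commit message should say why a version bump is preferred over backporting the five listed CVE fixes (the same question raised on the wpa-supplicant kirkstone upgrade in this thread), and should confirm that SRCREV d56c451e1c05310562c5282352d7bb287c16323c is the commit tagged v9.1.0698, since PV .= ".0698" is what cve-check will report against. Dropping vim-add-knob-whether-elf.h-are-checked.patch from SRC_URI looks right given the cited upstream commit that removed the libelf checks.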
[OE-core][master][scarthgap][PATCH] vim: Upgrade 9.1.0682 -> 9.1.0698
From: Siddharth Doshi

This includes CVE-fix for CVE-2024-43790 and CVE-2024-43802

Changes between 9.1.0682 -> 9.1.0698
https://github.com/vim/vim/compare/v9.1.0682...v9.1.0698

Signed-off-by: Siddharth Doshi
---
 meta/recipes-support/vim/vim.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc index 5225513d9d..f87f4dcbfa 100644 --- a/meta/recipes-support/vim/vim.inc +++ b/meta/recipes-support/vim/vim.inc @@ -18,8 +18,8 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \ file://no-path-adjust.patch \ " -PV .= ".0682" -SRCREV = "cb90ea9cba6f033fe141db0e466fb4117f28402b" +PV .= ".0698" +SRCREV = "d56c451e1c05310562c5282352d7bb287c16323c" # Do not consider .z in x.y.z, as that is updated with every commit UPSTREAM_CHECK_GITTAGREGEX = "(?P\d+\.\d+)\.0" -- 2.34.1

View/Reply Online (#203849): https://lists.openembedded.org/g/openembedded-core/message/203849
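Review bot: the unchanged context line UPSTREAM_CHECK_GITTAGREGEX = "(?P\d+\.\d+)\.0" is not a valid regular expression as shown here, because "(?P" must be followed by a named group such as (?P<pver>...); this is most likely the archive rendering eating the angle-bracketed name, but it is worth a quick look at the real vim.inc to make sure the upstream-check regex is intact before the SRCREV bump lands on two branches. Beyond that, please confirm that d56c451e1c05310562c5282352d7bb287c16323c is the commit tagged v9.1.0698 so PV and SRCREV stay in step for cve-check.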
Re: [OE-core] [master][scarthgap][PATCH] wpa-supplicant: Upgrade 2.10 -> 2.11
Hi Alex,

Noted.

Regards,
Siddharth

View/Reply Online (#203706): https://lists.openembedded.org/g/openembedded-core/message/203706
Re: [OE-core] [kirkstone][PATCH] wpa-supplicant: Upgrade 2.10 -> 2.11
Hi Alex,

For some unknown reason, Randy's message was filtered to spam and I missed it. Otherwise, I would have replied before submitting the patch for kirkstone.

I did state my own investigations and reasons for the upgrade -> https://lists.openembedded.org/g/openembedded-core/message/203703

However, if you still feel I should be avoiding the upgrade for wpa-supplicant, let me know and I would submit CVE patches for the issues needed.

Regards,
Siddharth

View/Reply Online (#203705): https://lists.openembedded.org/g/openembedded-core/message/203705
Re: [OE-core] [master][scarthgap][PATCH] wpa-supplicant: Upgrade 2.10 -> 2.11
Hi Randy and Alex,

I appreciate the feedback and your concern regarding upgrades in stable branches.

> > This update makes sense for the master branch but likely not for scarthgap
> > unless you can show that this is a bug fix only release.
> >

- This release for sure is not a bug-fix-only release. It does include support for new features and can never be classified as a bug-fix-only release.

> > you'll have to backport any CVE fixes that you're interested in unless
> > someone explains why this is a sensible update for scarthgap.
> >

- I do understand that upgrades are avoided in stable/LTS branches as they might break compatibility and result in various compilation issues.
- However, that would only take place if the backward compatibility of the new upgrade is questionable.
- Generally every new release will have API or ABI symbols added, but if API or ABI symbols are removed from shared libraries or binaries it is a matter of concern, as it would be the cause of breakage.
- For this release, there are no ABI symbols or API removed from the binaries and shared libraries. You can cross-check it in different ways (there are open-source tools to check, or it can be checked by manually comparing the header files).
- I have my own script to do so and I always check the backward compatibility before submitting any upgrades, and since it was all clear for wpa-supplicant, I went ahead with the upgrade.

However, if the opinion is still that the upgrade should be avoided, let me know and I would submit the CVE patch for the same.

Regards,
Siddharth

View/Reply Online (#203703): https://lists.openembedded.org/g/openembedded-core/message/203703
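The message above describes checking that no exported ABI symbols disappeared between two releases of a shared library before proposing an upgrade on a stable branch. The script below is an added example of that kind of check; it is not the script Siddharth refers to and not part of OE-core. It parses the output of binutils' `nm -D --defined-only` for an old and a new build and reports symbols that were removed or re-versioned (ABI breaks) versus symbols that were merely added (compatible). The two embedded nm dumps are constructed for the example and their symbol names and version tags are illustrative, not a real dump of libwpa_client.so.

```python
"""Exported-symbol ABI check between two builds of a shared library.

Added example; not the script mentioned in the mail and not OE-core code.
It compares `nm -D --defined-only` output for an old and a new build and
reports removed / re-versioned symbols (ABI breaks) and added ones.
"""
import re
import subprocess
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One defined dynamic symbol as printed by nm, e.g.
#   0000000000004a10 T wpa_ctrl_open
#   0000000000005c00 T wpa_ctrl_request@@LIBWPA_CLIENT_2   (default version)
NM_LINE = re.compile(
    r"^(?P<addr>[0-9a-fA-F]+)\s+(?P<kind>[A-Za-z])\s+"
    r"(?P<name>[^@\s]+)(?:@(?P<default>@)?(?P<version>\S+))?$"
)
DATA_KINDS = {"D", "B", "R", "V", "G", "S"}  # object symbols (V = weak object)


@dataclass(frozen=True)
class Export:
    name: str
    kind: str               # nm type letter: T code, W weak code, D/B/R data
    version: Optional[str]  # symbol version, None for an unversioned library

    @property
    def is_data(self) -> bool:
        return self.kind in DATA_KINDS


def parse_nm(text: str) -> Dict[str, Export]:
    """Parse `nm -D --defined-only` output into {name: Export}.

    Lowercase type letters are local symbols, not part of the ABI, and are
    skipped. If a name appears once per version, the default (@@) one wins.
    """
    exports: Dict[str, Export] = {}
    for raw in text.splitlines():
        m = NM_LINE.match(raw.strip())
        if not m or m.group("kind").islower():
            continue
        exp = Export(m.group("name"), m.group("kind"), m.group("version"))
        if exp.name not in exports or m.group("default"):
            exports[exp.name] = exp
    return exports


def abi_delta(old: Dict[str, Export], new: Dict[str, Export]
              ) -> Tuple[List[str], List[str], List[str]]:
    """Return (removed, added, changed). `changed` = same name but a different
    default version tag or a code<->data switch; either breaks old consumers."""
    removed = sorted(set(old) - set(new))
    added = sorted(set(new) - set(old))
    changed = sorted(
        n for n in set(old) & set(new)
        if old[n].version != new[n].version or old[n].is_data != new[n].is_data
    )
    return removed, added, changed


def is_backward_compatible(old: Dict[str, Export], new: Dict[str, Export]) -> bool:
    """True when nothing an old consumer could have linked against went away."""
    removed, _, changed = abi_delta(old, new)
    return not removed and not changed


def exports_of(path: str) -> Dict[str, Export]:
    """Run nm on a real shared object (needs binutils; not used offline)."""
    out = subprocess.run(["nm", "-D", "--defined-only", path],
                         check=True, capture_output=True, text=True).stdout
    return parse_nm(out)


# Constructed sample dumps (hypothetical symbols and version tags).
OLD_NM = """\
0000000000004a10 T wpa_ctrl_open
0000000000004b20 T wpa_ctrl_close
0000000000004c00 T wpa_ctrl_request
0000000000004d00 T wpa_ctrl_pending
0000000000008000 D wpa_ctrl_version_string
0000000000004e00 T legacy_helper_fn
0000000000004f00 t internal_only_fn
"""
NEW_NM = """\
0000000000005a10 T wpa_ctrl_open
0000000000005b20 T wpa_ctrl_close
0000000000005c00 T wpa_ctrl_request@@LIBWPA_CLIENT_2
0000000000005d00 T wpa_ctrl_pending
0000000000009000 D wpa_ctrl_version_string
0000000000005f00 T wpa_ctrl_open2
"""


def sample_report() -> Tuple[List[str], List[str], List[str]]:
    """Delta between the two constructed dumps above."""
    return abi_delta(parse_nm(OLD_NM), parse_nm(NEW_NM))


if __name__ == "__main__":
    if len(sys.argv) == 3:   # two real .so paths given: old new
        old, new = exports_of(sys.argv[1]), exports_of(sys.argv[2])
    else:                    # otherwise run on the constructed sample
        old, new = parse_nm(OLD_NM), parse_nm(NEW_NM)
    removed, added, changed = abi_delta(old, new)
    for label, names in (("REMOVED", removed), ("CHANGED", changed), ("ADDED", added)):
        for n in names:
            print(f"{label:8} {n}")
    sys.exit(0 if is_backward_compatible(old, new) else 1)
```

Run it as `python3 abi_check.py old/libwpa_client.so new/libwpa_client.so` on the two builds (for example from the sysroots of the old and new recipe) and gate on the exit status. This only covers the exported-symbol view: a removed symbol or a new default version tag is caught, but a changed function prototype or struct layout behind an unchanged name is not. For those, compare the installed headers as the mail suggests, or use abidiff from libabigail, which works from DWARF.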
[OE-core][kirkstone][PATCH] wpa-supplicant: Upgrade 2.10 -> 2.11
From: Siddharth Doshi

License-Update:
===
- README: Change in copyright years as per https://w1.fi/cgit/hostap/commit/README?id=d945ddd368085f255e68328f2d3b020ceea359af
- wpa_supplicant/wpa_supplicant.c: Change in copyright years as per https://w1.fi/cgit/hostap/commit/wpa_supplicant/wpa_supplicant.c?id=d945ddd368085f255e68328f2d3b020ceea359af

CVE's Fixed:
===
- CVE-2024-5290 wpa_supplicant: wpa_supplicant loading arbitrary shared objects allowing privilege escalation
- CVE-2023-52160 wpa_supplicant: potential authorization bypass

Changes between 2.10 -> 2.11:
https://w1.fi/cgit/hostap/commit/wpa_supplicant/ChangeLog?id=d945ddd368085f255e68328f2d3b020ceea359af

Note:
=
Patch 0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch (CVE-2023-52160) is already fixed and hence removing it.

Signed-off-by: Siddharth Doshi
---
 ...te-Phase-2-authentication-requiremen.patch | 213 --
 ...plicant_2.10.bb => wpa-supplicant_2.11.bb} | 7 +-
 2 files changed, 3 insertions(+), 217 deletions(-)
 delete mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch
 rename meta/recipes-connectivity/wpa-supplicant/{wpa-supplicant_2.10.bb => wpa-supplicant_2.11.bb} (92%)

diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch
deleted file mode 100644
index bc2db972c3..00
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch
+++ /dev/null
@@ -1,213 +0,0 @@ -From f6f7cead3661ceeef54b21f7e799c0afc98537ec Mon Sep 17 00:00:00 2001 -From: Jouni Malinen -Date: Sat, 8 Jul 2023 19:55:32 +0300 -Subject: [PATCH] PEAP client: Update Phase 2 authentication requirements - -The previous PEAP client behavior allowed the server to skip Phase 2 -authentication with the expectation that the server was authenticated -during Phase 1 through TLS server certificate validation. Various PEAP -specifications are not exactly clear on what the behavior on this front -is supposed to be and as such, this ended up being more flexible than -the TTLS/FAST/TEAP cases. However, this is not really ideal when -unfortunately common misconfiguration of PEAP is used in deployed -devices where the server trust root (ca_cert) is not configured or the -user has an easy option for allowing this validation step to be skipped. - -Change the default PEAP client behavior to be to require Phase 2 -authentication to be successfully completed for cases where TLS session -resumption is not used and the client certificate has not been -configured. Those two exceptions are the main cases where a deployed -authentication server might skip Phase 2 and as such, where a more -strict default behavior could result in undesired interoperability -issues. Requiring Phase 2 authentication will end up disabling TLS -session resumption automatically to avoid interoperability issues. 
- -Allow Phase 2 authentication behavior to be configured with a new phase1 -configuration parameter option: -'phase2_auth' option can be used to control Phase 2 (i.e., within TLS -tunnel) behavior for PEAP: - * 0 = do not require Phase 2 authentication - * 1 = require Phase 2 authentication when client certificate - (private_key/client_cert) is no used and TLS session resumption was - not used (default) - * 2 = require Phase 2 authentication in all cases - -Signed-off-by: Jouni Malinen - -CVE: CVE-2023-52160 -Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=8e6485a1bcb0baffdea9e55255a81270b768439c] - -Signed-off-by: Claus Stovgaard -Signed-off-by: Peter Marko - src/eap_peer/eap_config.h | 8 ++ - src/eap_peer/eap_peap.c| 40 +++--- - src/eap_peer/eap_tls_common.c | 6 + - src/eap_peer/eap_tls_common.h | 5 - wpa_supplicant/wpa_supplicant.conf | 7 ++ - 5 files changed, 63 insertions(+), 3 deletions(-) - -diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h -index 3238f74..047eec2 100644 a/src/eap_peer/eap_config.h -+++ b/src/eap_peer/eap_config.h -@@ -469,6 +469,14 @@ struct eap_peer_config { -* 1 = use cryptobinding if server supports it -* 2 = require cryptobinding -* -+ * phase2_auth option can be used to control Phase 2 (i.e., within TLS -+ * tunnel) behavior for PEAP: -+ * 0 = do not require Phase 2 authentication -+ * 1 = require Phase 2 authentication when client certificate -+ * (private_key/client_cert) is no used and TLS session resumption was -+ * not used (default) -+ * 2 = require Phase 2 authentication in all cases -+ * -* EAP-WSC (WPS
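Review bot: the commit message lists CVE-2024-5290 as fixed by the upgrade but gives no upstream reference for it, whereas the deleted PEAP patch carries explicit CVE: and Upstream-Status: tags pointing at hostap commit 8e6485a1bcb0baffdea9e55255a81270b768439c; please add the hostap commit id(s) that address CVE-2024-5290 so the claim can be verified and cve-check data stays traceable on kirkstone. Removing the PEAP patch is consistent with its own header (a backport of an upstream commit), and since its phase2_auth=1 default was already shipped to kirkstone through this backport, the upgrade does not change PEAP behaviour for users without ca_cert configured, which is worth stating in the commit message.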
[OE-core][master][scarthgap][PATCH] wpa-supplicant: Upgrade 2.10 -> 2.11
From: Siddharth Doshi

License-Update:
===
- README: Change in copyright years as per https://w1.fi/cgit/hostap/commit/README?id=d945ddd368085f255e68328f2d3b020ceea359af
- wpa_supplicant/wpa_supplicant.c: Change in copyright years as per https://w1.fi/cgit/hostap/commit/wpa_supplicant/wpa_supplicant.c?id=d945ddd368085f255e68328f2d3b020ceea359af

CVE's Fixed:
===
- CVE-2024-5290 wpa_supplicant: wpa_supplicant loading arbitrary shared objects allowing privilege escalation
- CVE-2023-52160 wpa_supplicant: potential authorization bypass

Changes between 2.10 -> 2.11:
https://w1.fi/cgit/hostap/commit/wpa_supplicant/ChangeLog?id=d945ddd368085f255e68328f2d3b020ceea359af

Note:
=
Patches 0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch, 0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch, 0001-Install-wpa_passphrase-when-not-disabled.patch, 0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch (CVE-2023-52160) are already fixed and hence removing them.

Signed-off-by: Siddharth Doshi
---
 ...all-wpa_passphrase-when-not-disabled.patch | 33 ---
 ...te-Phase-2-authentication-requiremen.patch | 213 --
 ...options-for-libwpa_client.so-and-wpa.patch | 73 --
 ...oval-of-wpa_passphrase-on-make-clean.patch | 26 ---
 ...plicant_2.10.bb => wpa-supplicant_2.11.bb} | 10 +-
 5 files changed, 3 insertions(+), 352 deletions(-)
 delete mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Install-wpa_passphrase-when-not-disabled.patch
 delete mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch
 delete mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch
 delete mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch
 rename meta/recipes-connectivity/wpa-supplicant/{wpa-supplicant_2.10.bb => wpa-supplicant_2.11.bb} (90%)
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Install-wpa_passphrase-when-not-disabled.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Install-wpa_passphrase-when-not-disabled.patch deleted file mode 100644 index c04c608bde..00 --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Install-wpa_passphrase-when-not-disabled.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 57b12a1e43605f71239a21488cb9b541f0751dda Mon Sep 17 00:00:00 2001 -From: Alex Kiernan -Date: Thu, 21 Apr 2022 10:15:29 +0100 -Subject: [PATCH] Install wpa_passphrase when not disabled - -As part of fixing CONFIG_NO_WPA_PASSPHRASE, whilst wpa_passphrase gets -built, its not installed during `make install`. - -Fixes: cb41c214b78d ("build: Re-enable options for libwpa_client.so and wpa_passphrase") -Signed-off-by: Alex Kiernan -Signed-off-by: Alex Kiernan -Upstream-Status: Submitted [http://lists.infradead.org/pipermail/hostap/2022-April/040448.html] - wpa_supplicant/Makefile | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile -index 0bab313f2355..12787c0c7d0f 100644 a/wpa_supplicant/Makefile -+++ b/wpa_supplicant/Makefile -@@ -73,6 +73,9 @@ $(DESTDIR)$(BINDIR)/%: % - - install: $(addprefix $(DESTDIR)$(BINDIR)/,$(BINALL)) - $(MAKE) -C ../src install -+ifndef CONFIG_NO_WPA_PASSPHRASE -+ install -D wpa_passphrase $(DESTDIR)/$(BINDIR)/wpa_passphrase -+endif - ifdef CONFIG_BUILD_WPA_CLIENT_SO - install -m 0644 -D libwpa_client.so $(DESTDIR)/$(LIBDIR)/libwpa_client.so - install -m 0644 -D ../src/common/wpa_ctrl.h $(DESTDIR)/$(INCDIR)/wpa_ctrl.h --- -2.35.1 - diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch deleted file mode 100644 index 620560d3c7..00 
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch +++ /dev/null @@ -1,213 +0,0 @@ -From f6f7cead3661ceeef54b21f7e799c0afc98537ec Mon Sep 17 00:00:00 2001 -From: Jouni Malinen -Date: Sat, 8 Jul 2023 19:55:32 +0300 -Subject: [PATCH] PEAP client: Update Phase 2 authentication requirements - -The previous PEAP client behavior allowed the server to skip Phase 2 -authentication with the expectation that the server was authenticated -during Phase 1 through TLS server certificate validation. Various PEAP -specifications are not exactly clear on what the behavior on this front -is supposed to be and as such, this ended up being more flexible than -the TTLS/FAST/TEAP cases. However, this is not really ideal when -unfortunately common misconfiguration of PEAP is used in deployed -devices whe
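Review bot: the commit message says 0001-Install-wpa_passphrase-when-not-disabled.patch and the libwpa_client.so/make-clean patches are "already fixed", but the deleted install patch is marked Upstream-Status: Submitted (a 2022 list posting), not Backport, so please cite the hostap commit(s) that superseded each one; and since those patches existed only so that `make install` covers wpa_passphrase and libwpa_client.so (see the deleted `ifndef CONFIG_NO_WPA_PASSPHRASE` install hunk), confirm after do_install on 2.11 that both files are still installed and packaged, otherwise the recipe silently loses them.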
[OE-core][kirkstone][PATCH] curl: Security fix for CVE-2024-7264
From: Siddharth Doshi

Upstream-Status: Backport from [https://github.com/curl/curl/commit/27959ecce75cdb2809c0bdb3286e60e08fadb519]

CVE's Fixed:
CVE-2024-7264 libcurl: ASN.1 date parser overread

Signed-off-by: Siddharth Doshi
---
 .../curl/curl/CVE-2024-7264_1.patch | 66
 .../curl/curl/CVE-2024-7264_2.patch | 320 ++
 meta/recipes-support/curl/curl_7.82.0.bb | 2 +
 3 files changed, 388 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2024-7264_1.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2024-7264_2.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2024-7264_1.patch b/meta/recipes-support/curl/curl/CVE-2024-7264_1.patch
new file mode 100644
index 00..2e1d8eeaaa
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2024-7264_1.patch
@@ -0,0 +1,66 @@ +From 3c914bc680155b32178f1f15ca8d47c7f4640afe Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 30 Jul 2024 10:05:17 +0200 +Subject: [PATCH] x509asn1: clean up GTime2str + +Co-authored-by: Stefan Eissing +Reported-by: Dov Murik + +Closes #14307 + +Note: This patch is needed by the main patch to be backported. + +Upstream-Status: Backport from [https://github.com/curl/curl/commit/3c914bc680155b32178f1f15ca8d47c7f4640afe] +CVE: CVE-2024-7264 +Signed-off-by: Siddharth Doshi +--- + lib/vtls/x509asn1.c | 23 ++- + 1 file changed, 14 insertions(+), 9 deletions(-) + +diff --git a/lib/vtls/x509asn1.c b/lib/vtls/x509asn1.c +index f64acb8..b538bd9 100644 +--- a/lib/vtls/x509asn1.c b/lib/vtls/x509asn1.c +@@ -539,7 +539,7 @@ static const char *GTime2str(const char *beg, const char *end) + /* Convert an ASN.1 Generalized time to a printable string. + Return the dynamically allocated string, or NULL if an error occurs. */ + +- for(fracp = beg; fracp < end && *fracp >= '0' && *fracp <= '9'; fracp++) ++ for(fracp = beg; fracp < end && ISDIGIT(*fracp); fracp++) + ; + + /* Get seconds digits. */ +@@ -558,17 +558,22 @@ static const char *GTime2str(const char *beg, const char *end) + return NULL; + } + +- /* Scan for timezone, measure fractional seconds. */ ++ /* timezone follows optional fractional seconds. */ + tzp = fracp; +- fracl = 0; ++ fracl = 0; /* no fractional seconds detected so far */ + if(fracp < end && (*fracp == '.' || *fracp == ',')) { +-fracp++; +-do ++/* Have fractional seconds, e.g. "[.,]\d+". How many? */ ++tzp = fracp++; /* should be a digit char or BAD ARGUMENT */ ++while(tzp < end && ISDIGIT(*tzp)) + tzp++; +-while(tzp < end && *tzp >= '0' && *tzp <= '9'); +-/* Strip leading zeroes in fractional seconds. 
*/ +-for(fracl = tzp - fracp - 1; fracl && fracp[fracl - 1] == '0'; fracl--) +- ; ++if(tzp == fracp) /* never looped, no digit after [.,] */ ++ return CURLE_BAD_FUNCTION_ARGUMENT; ++fracl = tzp - fracp - 1; /* number of fractional sec digits */ ++DEBUGASSERT(fracl > 0); ++/* Strip trailing zeroes in fractional seconds. ++ * May reduce fracl to 0 if only '0's are present. */ ++while(fracl && fracp[fracl - 1] == '0') ++ fracl--; + } + + /* Process timezone. */ +-- +2.35.7 + diff --git a/meta/recipes-support/curl/curl/CVE-2024-7264_2.patch b/meta/recipes-support/curl/curl/CVE-2024-7264_2.patch new file mode 100644 index 00..e8853c1e0c --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2024-7264_2.patch @@ -0,0 +1,320 @@ +From 27959ecce75cdb2809c0bdb3286e60e08fadb519 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Tue, 30 Jul 2024 16:40:48 +0200 +Subject: [PATCH] x509asn1: unittests and fixes for gtime2str + +Fix issues in GTime2str() and add unit test cases to verify correct +behaviour. + +Follow-up to 3c914bc6801 + +Closes #14316 + +Upstream-Status: Backport from [https://github.com/curl/curl/commit/27959ecce75cdb2809c0bdb3286e60e08fadb519] +CVE: CVE-2024-7264 +Signed-off-by: Siddharth Doshi +--- + lib/vtls/x509asn1.c | 32 +++--- + lib/vtls/x509asn1.h | 11 + tests/data/Makefile.inc | 2 +- + tests/data/test1656 | 22 +++ + tests/unit/Makefile.inc | 4 +- + tests/unit/unit1656.c | 133 + 6 files changed, 194 insertions(+), 10 deletions(-) + create mode 100644 tests/data/test1656 + create mode 100644 tests/unit/unit1656.c + +diff --git a/lib/vtls/x509asn1.c b/lib/vtls/x509asn1.c +index b538bd9..a25a6e6 100644 +--- a/lib/vtls/x509asn1.c b/lib/vtls/x509asn1.c +@@ -563,12 +563,13 @@ static const char *GTime2str(const char *beg, const char *end) + fracl = 0; /* no fractional seconds detected so far */ + if(fracp < end && (*fracp == '.' || *fracp == ',')) { +
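Review bot: CVE-2024-7264_1.patch must never be applied without _2: in its GTime2str() hunk, `tzp = fracp++;` leaves tzp pointing at the '.' or ',' separator, so the `while(tzp < end && ISDIGIT(*tzp))` loop never advances, the `if(tzp == fracp)` guard does not fire, and `fracl = tzp - fracp - 1` goes negative into `DEBUGASSERT(fracl > 0)`; on top of that, `return CURLE_BAD_FUNCTION_ARGUMENT;` returns a CURLcode from a function declared `static const char *GTime2str(...)`, which is an int-to-pointer conversion yielding a bogus non-NULL result instead of the NULL the callers test for. Those are exactly what the second commit (27959ecce, "unittests and fixes for gtime2str", Follow-up to 3c914bc6801) corrects, so keep both patches in SRC_URI in this order and say in the commit message that _1 alone is not a fix; the comment change from "leading" to "Strip trailing zeroes" in _1 does match what `fracp[fracl - 1]` actually strips.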
[OE-core][master][scarthgap][PATCH] vim: Upgrade 9.1.0114 -> 9.1.0682
From: Siddharth Doshi

This includes CVE fixes for CVE-2024-41957, CVE-2024-41965 and CVE-2024-43374.

Changes between 9.1.0114 -> 9.1.0682: https://github.com/vim/vim/compare/v9.1.0114...v9.1.0682

Note: Removed patch "vim-add-knob-whether-elf.h-are-checked.patch" as the libelf checks are removed from configure.ac as per commit https://github.com/vim/vim/commit/1acc67ac4412aa9a75d1c58ebf93f2b29585a960

Signed-off-by: Siddharth Doshi
---
...m-add-knob-whether-elf.h-are-checked.patch | 39 --- meta/recipes-support/vim/vim.inc | 5 +-- 2 files changed, 2 insertions(+), 42 deletions(-) delete mode 100644 meta/recipes-support/vim/files/vim-add-knob-whether-elf.h-are-checked.patch diff --git a/meta/recipes-support/vim/files/vim-add-knob-whether-elf.h-are-checked.patch b/meta/recipes-support/vim/files/vim-add-knob-whether-elf.h-are-checked.patch deleted file mode 100644 index 5284ba45b6..00 --- a/meta/recipes-support/vim/files/vim-add-knob-whether-elf.h-are-checked.patch +++ /dev/null
@@ -1,39 +0,0 @@ -From 38de4bccdb8a861ffdd447f12fdab19d6d852c02 Mon Sep 17 00:00:00 2001 -From: Chong Lu -Date: Tue, 26 Jun 2018 17:34:15 +0800 -Subject: [PATCH] vim: add knob whether elf.h are checked - -Previously, it still was checked when there was no elf library in sysroots directory. -Add knob to decide whether elf.h are checked or not. - -Upstream-Status: Pending - -Signed-off-by: Chong Lu -Signed-off-by: Changqing Li - src/configure.ac | 7 +++ - 1 file changed, 7 insertions(+) - -Index: git/src/configure.ac -=== git.orig/src/configure.ac -+++ git/src/configure.ac -@@ -3264,11 +3264,18 @@ AC_TRY_COMPILE([#include ], [in - AC_MSG_RESULT(no)) - - dnl Checks for header files. -+AC_MSG_CHECKING(whether or not to look for elf.h) -+AC_ARG_ENABLE(elf-check, -+[ --enable-elf-check If elfutils, check for elf.h [default=no]], -+, enable_elf_check="no") -+AC_MSG_RESULT($enable_elf_check) -+if test "x$enable_elf_check" != "xno"; then - AC_CHECK_HEADER(elf.h, HAS_ELF=1) - dnl AC_CHECK_HEADER(dwarf.h, SVR4=1) - if test "$HAS_ELF" = 1; then - AC_CHECK_LIB(elf, main) - fi -+fi - - AC_HEADER_DIRENT - diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc index e5dcd00c96..5225513d9d 100644 --- a/meta/recipes-support/vim/vim.inc +++ b/meta/recipes-support/vim/vim.inc 
@@ -14,13 +14,12 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=d1a651ab770b45d41c0f8cb5a8ca930e" SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \ file://disable_acl_header_check.patch \ - file://vim-add-knob-whether-elf.h-are-checked.patch \ file://0001-src-Makefile-improve-reproducibility.patch \ file://no-path-adjust.patch \ " -PV .= ".0114" -SRCREV = "fcaed6a70faf73bff3e5405ada556d726024f866" +PV .= ".0682" +SRCREV = "cb90ea9cba6f033fe141db0e466fb4117f28402b" # Do not consider .z in x.y.z, as that is updated with every commit UPSTREAM_CHECK_GITTAGREGEX = "(?P\d+\.\d+)\.0" -- 2.34.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#203553): https://lists.openembedded.org/g/openembedded-core/message/203553 Mute This Topic: https://lists.openembedded.org/mt/107997688/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core][kirkstone][PATCH] Tiff: Security fix for CVE-2024-7006
From: Siddharth Doshi

Upstream-Status: Backport from [https://gitlab.com/libtiff/libtiff/-/commit/818fb8ce881cf839fbc710f6690aadb992aa0f9e]

CVEs fixed:
CVE-2024-7006 libtiff: NULL pointer dereference in tif_dirinfo.c

Signed-off-by: Siddharth Doshi
---
.../libtiff/tiff/CVE-2024-7006.patch | 64 +++ meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | 1 + 2 files changed, 65 insertions(+) create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2024-7006.patch diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2024-7006.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2024-7006.patch new file mode 100644 index 00..217de0ea92 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2024-7006.patch
@@ -0,0 +1,64 @@ +From 818fb8ce881cf839fbc710f6690aadb992aa0f9e Mon Sep 17 00:00:00 2001 +From: Su_Laus +Date: Fri, 1 Dec 2023 20:12:25 +0100 +Subject: [PATCH] Check return value of _TIFFCreateAnonField(). + +Fixes #624 + +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/818fb8ce881cf839fbc710f6690aadb992aa0f9e] +CVE: CVE-2024-7006 +Signed-off-by: Siddharth Doshi +--- + libtiff/tif_dirinfo.c | 2 +- + libtiff/tif_dirread.c | 15 ++- + 2 files changed, 7 insertions(+), 10 deletions(-) + +diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c +index a212d01..95226a8 100644 +--- a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c +@@ -797,7 +797,7 @@ _TIFFFindOrRegisterField(TIFF *tif, uint32_t tag, TIFFDataType dt) + fld = TIFFFindField(tif, tag, dt); + if (fld == NULL) { + fld = _TIFFCreateAnonField(tif, tag, dt); +- if (!_TIFFMergeFields(tif, fld, 1)) ++ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1)) + return NULL; + } + +diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c +index 0e283fc..1781166 100644 +--- a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c +@@ -3735,11 +3735,9 @@ TIFFReadDirectory(TIFF* tif) + dp->tdir_tag,dp->tdir_tag); + /* the following knowingly leaks the + anonymous field structure */ +- if (!_TIFFMergeFields(tif, +- _TIFFCreateAnonField(tif, +- dp->tdir_tag, +- (TIFFDataType) dp->tdir_type), +- 1)) { ++const TIFFField *fld = _TIFFCreateAnonField( ++tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type); ++if (fld == NULL || !_TIFFMergeFields(tif, fld, 1)) { + TIFFWarningExt(tif->tif_clientdata, + module, + "Registering anonymous field with tag %"PRIu16" (0x%"PRIx16") failed", +@@ -4502,10 +4500,9 @@ TIFFReadCustomDirectory(TIFF* tif, toff_t diroff, + TIFFWarningExt(tif->tif_clientdata, module, + "Unknown field with tag %"PRIu16" (0x%"PRIx16") encountered", + dp->tdir_tag, dp->tdir_tag); +- if (!_TIFFMergeFields(tif, _TIFFCreateAnonField(tif, +- dp->tdir_tag, +- (TIFFDataType) dp->tdir_type), +- 1)) { ++const TIFFField 
*fld = _TIFFCreateAnonField( ++tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type); ++if (fld == NULL || !_TIFFMergeFields(tif, fld, 1)) { + TIFFWarningExt(tif->tif_clientdata, module, + "Registering anonymous field with tag %"PRIu16" (0x%"PRIx16") failed", + dp->tdir_tag, dp->tdir_tag); +-- +2.35.7 + diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb index b4af179e76..209b38b8f2 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb @@ -53,6 +53,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ file://CVE-2023-6277-2.patch \ file://CVE-2023-6277-3.patch \ file://CVE-2023-6277-4.patch \ + file://CVE-2024-7006.patch \ " SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8" -- 2.34.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#203458): https://lists.openembedded.org/g/openembedded-core/message/203458 Mute This Topic: https://lists.openembedded.o
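Review bot: in both tif_dirread.c hunks the new `const TIFFField *fld = _TIFFCreateAnonField(...)` is a declaration placed after a statement, namely the `TIFFWarningExt(..., dp->tdir_tag, dp->tdir_tag);` call that the hunk context shows immediately before it. That is how the upstream commit reads against the reformatted 4.6.0 tree, but the 4.3.0 sources in kirkstone keep locals at the top of the block, so for a cleaner backport declare `const TIFFField *fld;` with the block's other locals and assign it where the call was. It would also help to say in the patch header that the upstream diff was hand-adapted to 4.3.0 (the master/scarthgap copy of this patch shows the 4.6.0 context with `TIFFWarningExtR` and a different brace layout), since the upstream hunks do not apply verbatim here.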
[OE-core][master][scarthgap][PATCH] Tiff: Security fix for CVE-2024-7006
From: Siddharth Doshi

Upstream-Status: Backport from [https://gitlab.com/libtiff/libtiff/-/commit/818fb8ce881cf839fbc710f6690aadb992aa0f9e]

CVEs fixed:
CVE-2024-7006 libtiff: NULL pointer dereference in tif_dirinfo.c

Signed-off-by: Siddharth Doshi
---
.../libtiff/tiff/CVE-2024-7006.patch | 65 +++ meta/recipes-multimedia/libtiff/tiff_4.6.0.bb | 1 + 2 files changed, 66 insertions(+) create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2024-7006.patch diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2024-7006.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2024-7006.patch new file mode 100644 index 00..785244bdea --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2024-7006.patch
@@ -0,0 +1,65 @@ +From 8ee0e7d2bdcc1a5a5a3241904b243964ab947b7b Mon Sep 17 00:00:00 2001 +From: Su_Laus +Date: Fri, 1 Dec 2023 20:12:25 +0100 +Subject: [PATCH] Check return value of _TIFFCreateAnonField(). + +Fixes #624 + +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/818fb8ce881cf839fbc710f6690aadb992aa0f9e] +CVE: CVE-2024-7006 +Signed-off-by: Siddharth Doshi +--- + libtiff/tif_dirinfo.c | 2 +- + libtiff/tif_dirread.c | 16 ++-- + 2 files changed, 7 insertions(+), 11 deletions(-) + +diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c +index 0e705e8..4cfdaad 100644 +--- a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c +@@ -887,7 +887,7 @@ const TIFFField *_TIFFFindOrRegisterField(TIFF *tif, uint32_t tag, + if (fld == NULL) + { + fld = _TIFFCreateAnonField(tif, tag, dt); +-if (!_TIFFMergeFields(tif, fld, 1)) ++if (fld == NULL || !_TIFFMergeFields(tif, fld, 1)) + return NULL; + } + +diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c +index 58a4276..738df9f 100644 +--- a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c +@@ -4275,11 +4275,9 @@ int TIFFReadDirectory(TIFF *tif) + dp->tdir_tag, dp->tdir_tag); + /* the following knowingly leaks the +anonymous field structure */ +-if (!_TIFFMergeFields( +-tif, +-_TIFFCreateAnonField(tif, dp->tdir_tag, +- (TIFFDataType)dp->tdir_type), +-1)) ++const TIFFField *fld = _TIFFCreateAnonField( ++tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type); ++if (fld == NULL || !_TIFFMergeFields(tif, fld, 1)) + { + TIFFWarningExtR( + tif, module, +@@ -5153,11 +5151,9 @@ int TIFFReadCustomDirectory(TIFF *tif, toff_t diroff, + "Unknown field with tag %" PRIu16 " (0x%" PRIx16 + ") encountered", + dp->tdir_tag, dp->tdir_tag); +-if (!_TIFFMergeFields( +-tif, +-_TIFFCreateAnonField(tif, dp->tdir_tag, +- (TIFFDataType)dp->tdir_type), +-1)) ++const TIFFField *fld = _TIFFCreateAnonField( ++tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type); ++if (fld == NULL || !_TIFFMergeFields(tif, fld, 1)) + { + TIFFWarningExtR(tif, 
module, + "Registering anonymous field with tag %" PRIu16 +-- +2.44.1 + diff --git a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb index d42ea6a6e5..89681be634 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb @@ -16,6 +16,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ file://CVE-2023-52355-0001.patch \ file://CVE-2023-52355-0002.patch \ file://CVE-2023-52356.patch \ + file://CVE-2024-7006.patch \ " SRC_URI[sha256sum] = "88b3979e6d5c7e32b50d7ec72fb15af724f6ab2cbf7e10880c360a77e4b5d99a" -- 2.34.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#203327): https://lists.openembedded.org/g/openembedded-core/message/203327 Mute This Topic: https://lists.openembedded.org/mt/107900232/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
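Review bot: the patch header's `From 8ee0e7d2bdcc1a5a5a3241904b243964ab947b7b` does not match the commit named in `Upstream-Status: Backport [.../commit/818fb8ce881cf839fbc710f6690aadb992aa0f9e]`, and the kirkstone copy of this same patch carries `From 818fb8ce...`. If 8ee0e7d2 is a local re-commit of the upstream change onto 4.6.0, regenerate the file with `git format-patch` from the upstream commit so the From line identifies what was backported, or state the rebase in the header; otherwise the next person refreshing tiff cannot trace which upstream commit these hunks correspond to.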
[OE-core][kirkstone][PATCHv3] lttng-modules: Upgrade 2.13.9 -> 2.13.14
From: Siddharth Doshi

License-Update: Upstream cleaned stale file paths in the License file and updated LICENSES/LGPL-2.1 and LICENSES/GPL-2.0 -> LICENSES/LGPL-2.1-only.txt and LICENSES/GPL-2.0-only.txt, causing the md5 to change. (ref commit -> https://github.com/lttng/lttng-modules/commit/b972ef5708a00718a081f0eb40205e25677e5e93 and https://github.com/lttng/lttng-modules/commit/61baff6e8de2462f45006662bc34bcbf5f645ba0#diff-c693279643b8cd5d248172d9c22cb7cf4ed163a3c98c8a3f69c2717edd3eacb7)

Note: Upgrade lttng-modules to 2.13.14 to fix the fcheck error which occurs with commit 782202de6478f68caaed4567017095ad906c4eef in the kernel, "file: Rename fcheck lookup_fd_rcu", which replaces fcheck with lookup_fd_rcu.

Signed-off-by: Armin Kuster
Signed-off-by: Siddharth Doshi
---
.../0009-Rename-genhd-wrapper-to-blkdev.patch | 19 +++ ...les_2.13.9.bb => lttng-modules_2.13.14.bb} | 4 ++-- 2 files changed, 13 insertions(+), 10 deletions(-) rename meta/recipes-kernel/lttng/{lttng-modules_2.13.9.bb => lttng-modules_2.13.14.bb} (89%) diff --git a/meta/recipes-kernel/lttng/lttng-modules/0009-Rename-genhd-wrapper-to-blkdev.patch b/meta/recipes-kernel/lttng/lttng-modules/0009-Rename-genhd-wrapper-to-blkdev.patch index 90fec9dc58..874e076675 100644 --- a/meta/recipes-kernel/lttng/lttng-modules/0009-Rename-genhd-wrapper-to-blkdev.patch +++ b/meta/recipes-kernel/lttng/lttng-modules/0009-Rename-genhd-wrapper-to-blkdev.patch @@ -8,9 +8,12 @@ to follow upstream. Upstream-Status: Backport +Note: Updated patch to cleanly apply to 2.13.14 + Change-Id: I4ec94fb94d11712dd20f0680aea1de77fbfa9d17 Signed-off-by: Michael Jeanson Signed-off-by: Mathieu Desnoyers +Signed-off-by: Siddharth Doshi --- include/wrapper/{genhd.h => blkdev.h} | 10 +- src/lttng-statedump-impl.c| 2 +- @@ -21,7 +24,7 @@ diff --git a/include/wrapper/genhd.h b/include/wrapper/blkdev.h similarity index 93% rename from include/wrapper/genhd.h rename to include/wrapper/blkdev.h -index 4a59b68e..0d5ad90f 100644 +index e32c7b6..76397f6 100644
--- a/include/wrapper/genhd.h +++ b/include/wrapper/blkdev.h @@ -1,6 +1,6 @@ @@ -41,9 +44,9 @@ index 4a59b68e..0d5ad90f 100644 +#ifndef _LTTNG_WRAPPER_BLKDEV_H +#define _LTTNG_WRAPPER_BLKDEV_H - #if (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(5,18,0)) - #include -@@ -45,7 +45,7 @@ struct class *wrapper_get_block_class(void) + #if (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(5,18,0) \ + || LTTNG_RHEL_KERNEL_RANGE(5,14,0,162,0,0, 5,15,0,0,0,0)) +@@ -47,7 +47,7 @@ struct class *wrapper_get_block_class(void) /* * Canary function to check for 'block_class' at compile time. * @@ -52,17 +55,17 @@ index 4a59b68e..0d5ad90f 100644 * * extern struct class block_class; */ -@@ -104,4 +104,4 @@ struct device_type *wrapper_get_disk_type(void) +@@ -106,4 +106,4 @@ struct device_type *wrapper_get_disk_type(void) #endif -#endif /* _LTTNG_WRAPPER_GENHD_H */ +#endif /* _LTTNG_WRAPPER_BLKDEV_H */ diff --git a/src/lttng-statedump-impl.c b/src/lttng-statedump-impl.c -index 4d7b2921..0e753090 100644 +index 9d197ce..229517e 100644 --- a/src/lttng-statedump-impl.c +++ b/src/lttng-statedump-impl.c -@@ -41,7 +41,7 @@ +@@ -42,7 +42,7 @@ #include #include #include @@ -72,5 +75,5 @@ index 4d7b2921..0e753090 100644 #include #include -- -2.19.1 +2.35.7 diff --git a/meta/recipes-kernel/lttng/lttng-modules_2.13.9.bb b/meta/recipes-kernel/lttng/lttng-modules_2.13.14.bb similarity index 89% rename from meta/recipes-kernel/lttng/lttng-modules_2.13.9.bb rename to meta/recipes-kernel/lttng/lttng-modules_2.13.14.bb index a08386b053..a3e29ab7b7 100644 --- a/meta/recipes-kernel/lttng/lttng-modules_2.13.9.bb +++ b/meta/recipes-kernel/lttng/lttng-modules_2.13.14.bb 
@@ -3,7 +3,7 @@ SUMMARY = "Linux Trace Toolkit KERNEL MODULE" DESCRIPTION = "The lttng-modules 2.0 package contains the kernel tracer modules" HOMEPAGE = "https://lttng.org/"; LICENSE = "LGPL-2.1-only & GPL-2.0-only & MIT" -LIC_FILES_CHKSUM = "file://LICENSE;md5=0464cff101a009c403cd2ed65d01d4c4" +LIC_FILES_CHKSUM = "file://LICENSE;md5=8d0d9f0046474772a5d745d89d6a" inherit module @@ -16,7 +16,7 @@ SRC_URI = "https://lttng.org/files/${BPN}/${BPN}-${PV}.tar.bz2 \ # Use :append here so that the patch is applied also when using devupstream SRC_URI:append = " file://0001-src-Kbuild-change-missing-CONFIG_TRACEPOINTS-to-warn.patch" -SRC_URI[sha256sum] = "bf808b113544287cfe837a6382887fa66354ef5cc8216460cebbef3d27dc3581" +SRC_URI[sha256sum] = "c6449f7ff12ab644a630692a556304e51525ca37d98aebf826796918be0f5da6" export INSTALL_MOD_DIR="kernel/lttng-modules" -- 2.34.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#202909): https://lists.openembedded.org/g/opene
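Review bot: 0009-Rename-genhd-wrapper-to-blkdev.patch is marked `Upstream-Status: Backport` and carries upstream sign-offs and a Change-Id, yet this series refreshes it for 2.13.14 (`Note: Updated patch to cleanly apply to 2.13.14`, new `index e32c7b6..76397f6` lines and shifted hunk offsets) without saying whether it is still needed. Before merging, check the unpacked 2.13.14 tree for `include/wrapper/blkdev.h` / `_LTTNG_WRAPPER_BLKDEV_H`: if the rename is already in that release, drop the patch from SRC_URI instead of rebasing it; if it is not, say so in the commit message so the refresh is justified rather than assumed.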
[OE-core][kirkstone][PATCHv2] lttng-modules: Upgrade 2.13.9 -> 2.13.14
From: Siddharth Doshi

License-Update: Updated LIC_FILES_CHKSUM due to License file modification

Note: Upgrade lttng-modules to 2.13.14 to fix the fcheck error which occurs with commit 782202de6478f68caaed4567017095ad906c4eef in the kernel, "file: Rename fcheck lookup_fd_rcu", which replaces fcheck with lookup_fd_rcu.

Signed-off-by: Armin Kuster
Signed-off-by: Siddharth Doshi
---
.../0009-Rename-genhd-wrapper-to-blkdev.patch | 19 +++ ...les_2.13.9.bb => lttng-modules_2.13.14.bb} | 4 ++-- 2 files changed, 13 insertions(+), 10 deletions(-) rename meta/recipes-kernel/lttng/{lttng-modules_2.13.9.bb => lttng-modules_2.13.14.bb} (89%) diff --git a/meta/recipes-kernel/lttng/lttng-modules/0009-Rename-genhd-wrapper-to-blkdev.patch b/meta/recipes-kernel/lttng/lttng-modules/0009-Rename-genhd-wrapper-to-blkdev.patch index 90fec9dc58..874e076675 100644 --- a/meta/recipes-kernel/lttng/lttng-modules/0009-Rename-genhd-wrapper-to-blkdev.patch +++ b/meta/recipes-kernel/lttng/lttng-modules/0009-Rename-genhd-wrapper-to-blkdev.patch @@ -8,9 +8,12 @@ to follow upstream. Upstream-Status: Backport +Note: Updated patch to cleanly apply to 2.13.14 + Change-Id: I4ec94fb94d11712dd20f0680aea1de77fbfa9d17 Signed-off-by: Michael Jeanson Signed-off-by: Mathieu Desnoyers +Signed-off-by: Siddharth Doshi --- include/wrapper/{genhd.h => blkdev.h} | 10 +- src/lttng-statedump-impl.c| 2 +- @@ -21,7 +24,7 @@ diff --git a/include/wrapper/genhd.h b/include/wrapper/blkdev.h similarity index 93% rename from include/wrapper/genhd.h rename to include/wrapper/blkdev.h -index 4a59b68e..0d5ad90f 100644 +index e32c7b6..76397f6 100644 --- a/include/wrapper/genhd.h +++ b/include/wrapper/blkdev.h @@ -1,6 +1,6 @@
@@ -41,9 +44,9 @@ index 4a59b68e..0d5ad90f 100644 +#ifndef _LTTNG_WRAPPER_BLKDEV_H +#define _LTTNG_WRAPPER_BLKDEV_H - #if (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(5,18,0)) - #include -@@ -45,7 +45,7 @@ struct class *wrapper_get_block_class(void) + #if (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(5,18,0) \ + || LTTNG_RHEL_KERNEL_RANGE(5,14,0,162,0,0, 5,15,0,0,0,0)) +@@ -47,7 +47,7 @@ struct class *wrapper_get_block_class(void) /* * Canary function to check for 'block_class' at compile time. * @@ -52,17 +55,17 @@ index 4a59b68e..0d5ad90f 100644 * * extern struct class block_class; */ -@@ -104,4 +104,4 @@ struct device_type *wrapper_get_disk_type(void) +@@ -106,4 +106,4 @@ struct device_type *wrapper_get_disk_type(void) #endif -#endif /* _LTTNG_WRAPPER_GENHD_H */ +#endif /* _LTTNG_WRAPPER_BLKDEV_H */ diff --git a/src/lttng-statedump-impl.c b/src/lttng-statedump-impl.c -index 4d7b2921..0e753090 100644 +index 9d197ce..229517e 100644 --- a/src/lttng-statedump-impl.c +++ b/src/lttng-statedump-impl.c -@@ -41,7 +41,7 @@ +@@ -42,7 +42,7 @@ #include #include #include @@ -72,5 +75,5 @@ index 4d7b2921..0e753090 100644 #include #include -- -2.19.1 +2.35.7 diff --git a/meta/recipes-kernel/lttng/lttng-modules_2.13.9.bb b/meta/recipes-kernel/lttng/lttng-modules_2.13.14.bb similarity index 89% rename from meta/recipes-kernel/lttng/lttng-modules_2.13.9.bb rename to meta/recipes-kernel/lttng/lttng-modules_2.13.14.bb index a08386b053..a3e29ab7b7 100644 --- a/meta/recipes-kernel/lttng/lttng-modules_2.13.9.bb +++ b/meta/recipes-kernel/lttng/lttng-modules_2.13.14.bb @@ -3,7 +3,7 @@ SUMMARY = "Linux Trace Toolkit KERNEL MODULE" DESCRIPTION = "The lttng-modules 2.0 package contains the kernel tracer modules" HOMEPAGE = "https://lttng.org/"; LICENSE = "LGPL-2.1-only & GPL-2.0-only & MIT" -LIC_FILES_CHKSUM = "file://LICENSE;md5=0464cff101a009c403cd2ed65d01d4c4" +LIC_FILES_CHKSUM = "file://LICENSE;md5=8d0d9f0046474772a5d745d89d6a" inherit module 
@@ -16,7 +16,7 @@ SRC_URI = "https://lttng.org/files/${BPN}/${BPN}-${PV}.tar.bz2 \ # Use :append here so that the patch is applied also when using devupstream SRC_URI:append = " file://0001-src-Kbuild-change-missing-CONFIG_TRACEPOINTS-to-warn.patch" -SRC_URI[sha256sum] = "bf808b113544287cfe837a6382887fa66354ef5cc8216460cebbef3d27dc3581" +SRC_URI[sha256sum] = "c6449f7ff12ab644a630692a556304e51525ca37d98aebf826796918be0f5da6" export INSTALL_MOD_DIR="kernel/lttng-modules" -- 2.34.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#202887): https://lists.openembedded.org/g/openembedded-core/message/202887 Mute This Topic: https://lists.openembedded.org/mt/107673130/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
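Review bot: the recipe hunk changes the `LIC_FILES_CHKSUM` md5, but the commit message's `License-Update: Updated LIC_FILES_CHKSUM due to License file modification` only restates that the checksum changed. A License-Update line is expected to say what changed in the LICENSE file and to point at the upstream commit that changed it, so a reviewer can confirm the terms did not change and that `LICENSE = "LGPL-2.1-only & GPL-2.0-only & MIT"` is still accurate; please spell out the actual edit (v3 of this patch does).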
[OE-core][kirkstone][PATCH] lttng-modules: Upgrade 2.13.9 -> 2.13.14
From: Siddharth Doshi

Update LIC_FILES_CHKSUM due to License file modification

Note: Upgrade lttng-modules to 2.13.14 to fix the fcheck error which occurs with commit 782202de6478f68caaed4567017095ad906c4eef in the kernel, "file: Rename fcheck lookup_fd_rcu", which replaces fcheck with lookup_fd_rcu.

Signed-off-by: Armin Kuster
Signed-off-by: Siddharth Doshi
---
.../0009-Rename-genhd-wrapper-to-blkdev.patch | 19 +++ ...les_2.13.9.bb => lttng-modules_2.13.14.bb} | 6 +++--- 2 files changed, 14 insertions(+), 11 deletions(-) rename meta/recipes-kernel/lttng/{lttng-modules_2.13.9.bb => lttng-modules_2.13.14.bb} (86%) diff --git a/meta/recipes-kernel/lttng/lttng-modules/0009-Rename-genhd-wrapper-to-blkdev.patch b/meta/recipes-kernel/lttng/lttng-modules/0009-Rename-genhd-wrapper-to-blkdev.patch index 90fec9dc58..874e076675 100644 --- a/meta/recipes-kernel/lttng/lttng-modules/0009-Rename-genhd-wrapper-to-blkdev.patch +++ b/meta/recipes-kernel/lttng/lttng-modules/0009-Rename-genhd-wrapper-to-blkdev.patch @@ -8,9 +8,12 @@ to follow upstream. Upstream-Status: Backport +Note: Updated patch to cleanly apply to 2.13.14 + Change-Id: I4ec94fb94d11712dd20f0680aea1de77fbfa9d17 Signed-off-by: Michael Jeanson Signed-off-by: Mathieu Desnoyers +Signed-off-by: Siddharth Doshi --- include/wrapper/{genhd.h => blkdev.h} | 10 +- src/lttng-statedump-impl.c| 2 +- @@ -21,7 +24,7 @@ diff --git a/include/wrapper/genhd.h b/include/wrapper/blkdev.h similarity index 93% rename from include/wrapper/genhd.h rename to include/wrapper/blkdev.h -index 4a59b68e..0d5ad90f 100644 +index e32c7b6..76397f6 100644 --- a/include/wrapper/genhd.h +++ b/include/wrapper/blkdev.h @@ -1,6 +1,6 @@
@@ -41,9 +44,9 @@ index 4a59b68e..0d5ad90f 100644 +#ifndef _LTTNG_WRAPPER_BLKDEV_H +#define _LTTNG_WRAPPER_BLKDEV_H - #if (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(5,18,0)) - #include -@@ -45,7 +45,7 @@ struct class *wrapper_get_block_class(void) + #if (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(5,18,0) \ + || LTTNG_RHEL_KERNEL_RANGE(5,14,0,162,0,0, 5,15,0,0,0,0)) +@@ -47,7 +47,7 @@ struct class *wrapper_get_block_class(void) /* * Canary function to check for 'block_class' at compile time. * @@ -52,17 +55,17 @@ index 4a59b68e..0d5ad90f 100644 * * extern struct class block_class; */ -@@ -104,4 +104,4 @@ struct device_type *wrapper_get_disk_type(void) +@@ -106,4 +106,4 @@ struct device_type *wrapper_get_disk_type(void) #endif -#endif /* _LTTNG_WRAPPER_GENHD_H */ +#endif /* _LTTNG_WRAPPER_BLKDEV_H */ diff --git a/src/lttng-statedump-impl.c b/src/lttng-statedump-impl.c -index 4d7b2921..0e753090 100644 +index 9d197ce..229517e 100644 --- a/src/lttng-statedump-impl.c +++ b/src/lttng-statedump-impl.c -@@ -41,7 +41,7 @@ +@@ -42,7 +42,7 @@ #include #include #include @@ -72,5 +75,5 @@ index 4d7b2921..0e753090 100644 #include #include -- -2.19.1 +2.35.7 diff --git a/meta/recipes-kernel/lttng/lttng-modules_2.13.9.bb b/meta/recipes-kernel/lttng/lttng-modules_2.13.14.bb similarity index 86% rename from meta/recipes-kernel/lttng/lttng-modules_2.13.9.bb rename to meta/recipes-kernel/lttng/lttng-modules_2.13.14.bb index a08386b053..5ab32188f2 100644 --- a/meta/recipes-kernel/lttng/lttng-modules_2.13.9.bb +++ b/meta/recipes-kernel/lttng/lttng-modules_2.13.14.bb 
@@ -3,20 +3,20 @@ SUMMARY = "Linux Trace Toolkit KERNEL MODULE" DESCRIPTION = "The lttng-modules 2.0 package contains the kernel tracer modules" HOMEPAGE = "https://lttng.org/"; LICENSE = "LGPL-2.1-only & GPL-2.0-only & MIT" -LIC_FILES_CHKSUM = "file://LICENSE;md5=0464cff101a009c403cd2ed65d01d4c4" +LIC_FILES_CHKSUM = "file://LICENSE;md5=8d0d9f0046474772a5d745d89d6a" inherit module include lttng-platforms.inc SRC_URI = "https://lttng.org/files/${BPN}/${BPN}-${PV}.tar.bz2 \ - file://0009-Rename-genhd-wrapper-to-blkdev.patch \ + file://0001-me.patch \ " # Use :append here so that the patch is applied also when using devupstream SRC_URI:append = " file://0001-src-Kbuild-change-missing-CONFIG_TRACEPOINTS-to-warn.patch" -SRC_URI[sha256sum] = "bf808b113544287cfe837a6382887fa66354ef5cc8216460cebbef3d27dc3581" +SRC_URI[sha256sum] = "c6449f7ff12ab644a630692a556304e51525ca37d98aebf826796918be0f5da6" export INSTALL_MOD_DIR="kernel/lttng-modules" -- 2.34.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#202720): https://lists.openembedded.org/g/openembedded-core/message/202720 Mute This Topic: https://lists.openembedded.org/mt/107659602/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
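Review bot: the SRC_URI hunk replaces `file://0009-Rename-genhd-wrapper-to-blkdev.patch` with `file://0001-me.patch`, but no such file is added by this patch (the diffstat lists only the refreshed 0009 patch and the recipe rename), so do_fetch will fail on the missing local file, and the 0009 patch that this series just refreshed would no longer be applied at all. This looks like a leftover from local testing; restore the original SRC_URI entry. The `LIC_FILES_CHKSUM` change in the same hunk also needs a License-Update line describing what changed in LICENSE, not just that it changed.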
Re: [OE-core] [scarthgap][PATCH] OpenSSL: Security fix for CVE-2024-5535
> You're backporting the first 10. Are the remaining 6 needed?

- Essentially all 16 commits mentioned in https://github.com/openssl/openssl/pull/24717 are needed to solve the issue, though the 15th and 16th commits are just whitespace nit changes.
- However, when Matt merged all those 16 commits mentioned in the above link into the openssl stable branches, he kind of incorporated the last 6 patches into the main 10 patches, as they were being applied to the same files as the first 10 patches, which somewhere down the line makes sense.
- So, the 10 patches I committed have the content of all 16 patches (even the last 6), and I committed them in the same fashion as the openssl stable branches.

Regards,
Siddharth

View/Reply Online (#201462): https://lists.openembedded.org/g/openembedded-core/message/201462
[OE-core][kirkstone][PATCH] OpenSSL: Security fix for CVE-2024-5535
From: Siddharth Doshi

Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/cf6f91f6121f4db167405db2f0de410a456f260c]

CVEs fixed:
CVE-2024-5535 openssl: SSL_select_next_proto buffer overread

Signed-off-by: Siddharth Doshi
---
.../openssl/openssl/CVE-2024-5535_1.patch | 115 ++ .../openssl/openssl/CVE-2024-5535_2.patch | 44 + .../openssl/openssl/CVE-2024-5535_3.patch | 84 ++ .../openssl/openssl/CVE-2024-5535_4.patch | 178 +++ .../openssl/openssl/CVE-2024-5535_5.patch | 1175 + .../openssl/openssl/CVE-2024-5535_6.patch | 45 + .../openssl/openssl/CVE-2024-5535_7.patch | 68 + .../openssl/openssl/CVE-2024-5535_8.patch | 273 .../openssl/openssl/CVE-2024-5535_9.patch | 205 +++ .../openssl/openssl_3.0.14.bb |9 + 10 files changed, 2196 insertions(+) create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_1.patch create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_2.patch create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_3.patch create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_4.patch create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_5.patch create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_6.patch create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_7.patch create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_8.patch create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_9.patch diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_1.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_1.patch new file mode 100644 index 00..a96af0ed13 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_1.patch
@@ -0,0 +1,115 @@ +From e6190fc977f086428cc7880f95e8bcd5a11ac193 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Fri, 31 May 2024 11:14:33 +0100 +Subject: [PATCH 1/9] Fix SSL_select_next_proto + +Ensure that the provided client list is non-NULL and starts with a valid +entry. When called from the ALPN callback the client list should already +have been validated by OpenSSL so this should not cause a problem. When +called from the NPN callback the client list is locally configured and +will not have already been validated. Therefore SSL_select_next_proto +should not assume that it is correctly formatted. + +We implement stricter checking of the client protocol list. We also do the +same for the server list while we are about it. + +CVE-2024-5535 + +Reviewed-by: Neil Horman +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/24718) + +(cherry picked from commit 4ada436a1946cbb24db5ab4ca082b69c1bc10f37) + +Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/cf6f91f6121f4db167405db2f0de410a456f260c] +CVE: CVE-2024-5535 +Signed-off-by: Siddharth Doshi +--- + ssl/ssl_lib.c | 63 --- + 1 file changed, 40 insertions(+), 23 deletions(-) + +diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c +index cb4e006..e628140 100644 +--- a/ssl/ssl_lib.c b/ssl/ssl_lib.c +@@ -2952,37 +2952,54 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen, + unsigned int server_len, + const unsigned char *client, unsigned int client_len) + { +-unsigned int i, j; +-const unsigned char *result; +-int status = OPENSSL_NPN_UNSUPPORTED; ++PACKET cpkt, csubpkt, spkt, ssubpkt; ++ ++if (!PACKET_buf_init(&cpkt, client, client_len) ++|| !PACKET_get_length_prefixed_1(&cpkt, &csubpkt) ++|| PACKET_remaining(&csubpkt) == 0) { ++*out = NULL; ++*outlen = 0; ++return OPENSSL_NPN_NO_OVERLAP; ++} ++ ++/* ++ * Set the default opportunistic protocol. Will be overwritten if we find ++ * a match. 
++ */ ++*out = (unsigned char *)PACKET_data(&csubpkt); ++*outlen = (unsigned char)PACKET_remaining(&csubpkt); + + /* + * For each protocol in server preference order, see if we support it. + */ +-for (i = 0; i < server_len;) { +-for (j = 0; j < client_len;) { +-if (server[i] == client[j] && +-memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) { +-/* We found a match */ +-result = &server[i]; +-status = OPENSSL_NPN_NEGOTIATED; +-goto found; ++if (PACKET_buf_init(&spkt, server, server_len)) { ++while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) { ++if (PACKET_remaining(&ssubpkt) == 0) ++continue; /* Invalid - ignore it */ ++if (PACKET_buf_init(&cpkt, client, client_le
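Review bot: the CVE-2024-5535_1.patch header cites three different commits for one change: `From e6190fc977f086428cc7880f95e8bcd5a11ac193`, `(cherry picked from commit 4ada436a1946cbb24db5ab4ca082b69c1bc10f37)` and `Upstream-Status: Backport from [.../commit/cf6f91f6121f4db167405db2f0de410a456f260c]`, and the cover message reuses that same cf6f91f6 URL for the whole nine-patch series. Each patch file should name the openssl-3.0 branch commit it was actually taken from (the one in its From line) so that every file can be diffed against upstream individually when the recipe is refreshed; one series-wide hash in Upstream-Status does not allow that. It is also worth stating in the recipe commit message that the nine files are the openssl-3.0 backport of PR 24718, so the mapping to upstream is explicit.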
[OE-core][scarthgap][PATCH] OpenSSL: Security fix for CVE-2024-5535
From: Siddharth Doshi

Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/99fb785a5f85315b95288921a321a935ea29a51e]

CVEs fixed:
CVE-2024-5535 openssl: SSL_select_next_proto buffer overread

Signed-off-by: Siddharth Doshi
---
.../openssl/openssl/CVE-2024-5535_1.patch | 113 ++ .../openssl/openssl/CVE-2024-5535_10.patch| 203 +++ .../openssl/openssl/CVE-2024-5535_2.patch | 43 + .../openssl/openssl/CVE-2024-5535_3.patch | 38 + .../openssl/openssl/CVE-2024-5535_4.patch | 82 ++ .../openssl/openssl/CVE-2024-5535_5.patch | 176 +++ .../openssl/openssl/CVE-2024-5535_6.patch | 1173 + .../openssl/openssl/CVE-2024-5535_7.patch | 43 + .../openssl/openssl/CVE-2024-5535_8.patch | 66 + .../openssl/openssl/CVE-2024-5535_9.patch | 271 .../openssl/openssl_3.2.2.bb | 10 + 11 files changed, 2218 insertions(+) create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_1.patch create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_10.patch create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_2.patch create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_3.patch create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_4.patch create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_5.patch create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_6.patch create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_7.patch create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_8.patch create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_9.patch diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_1.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_1.patch new file mode 100644 index 00..d5c178eeab --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_1.patch
@@ -0,0 +1,113 @@ +From b63b4db52e10677db4ab46b608aabd55a44668aa Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Fri, 31 May 2024 11:14:33 +0100 +Subject: [PATCH 01/10] Fix SSL_select_next_proto + +Ensure that the provided client list is non-NULL and starts with a valid +entry. When called from the ALPN callback the client list should already +have been validated by OpenSSL so this should not cause a problem. When +called from the NPN callback the client list is locally configured and +will not have already been validated. Therefore SSL_select_next_proto +should not assume that it is correctly formatted. + +We implement stricter checking of the client protocol list. We also do the +same for the server list while we are about it. + +CVE-2024-5535 + +Reviewed-by: Neil Horman +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/24717) + +Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/99fb785a5f85315b95288921a321a935ea29a51e] +CVE: CVE-2024-5535 +Signed-off-by: Siddharth Doshi +--- + ssl/ssl_lib.c | 63 --- + 1 file changed, 40 insertions(+), 23 deletions(-) + +diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c +index 016135f..cf52b31 100644 +--- a/ssl/ssl_lib.c b/ssl/ssl_lib.c +@@ -3518,37 +3518,54 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen, + unsigned int server_len, + const unsigned char *client, unsigned int client_len) + { +-unsigned int i, j; +-const unsigned char *result; +-int status = OPENSSL_NPN_UNSUPPORTED; ++PACKET cpkt, csubpkt, spkt, ssubpkt; ++ ++if (!PACKET_buf_init(&cpkt, client, client_len) ++|| !PACKET_get_length_prefixed_1(&cpkt, &csubpkt) ++|| PACKET_remaining(&csubpkt) == 0) { ++*out = NULL; ++*outlen = 0; ++return OPENSSL_NPN_NO_OVERLAP; ++} ++ ++/* ++ * Set the default opportunistic protocol. Will be overwritten if we find ++ * a match. 
++ */ ++*out = (unsigned char *)PACKET_data(&csubpkt); ++*outlen = (unsigned char)PACKET_remaining(&csubpkt); + + /* + * For each protocol in server preference order, see if we support it. + */ +-for (i = 0; i < server_len;) { +-for (j = 0; j < client_len;) { +-if (server[i] == client[j] && +-memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) { +-/* We found a match */ +-result = &server[i]; +-status = OPENSSL_NPN_NEGOTIATED; +-goto found; ++if (PACKET_buf_init(&spkt, server, server_len)) { ++while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) { ++if (PACKET_remaining(&ssubpkt) == 0) ++continue; /* Invalid - i
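Review bot: the removed loop's `memcmp(&server[i + 1], &client[j + 1], server[i])` trusts server[i] as a length without checking it against either server_len or client_len, which is the overread the commit message describes; the replacement's early return now hands callers `*out = NULL`, `*outlen = 0` with OPENSSL_NPN_NO_OVERLAP for a NULL or empty client list, so any caller that treated the old NO_OVERLAP result as a pointer into the client list needs checking, and that behaviour change deserves a sentence in the recipe commit message. This archive copy cuts the hunk off at `/* Invalid - i`, so the match path that returns OPENSSL_NPN_NEGOTIATED cannot be reviewed from here.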
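The SSL_select_next_proto commit message above spells out the contract the fix enforces: reject a NULL or empty client list, treat the client's first entry as the opportunistic default, skip empty entries, and stop at a malformed tail instead of reading past it. The C program below is an added example, not OpenSSL code and not part of this patch series; it implements that contract over the same length-prefixed wire format with its own names (cursor_t, next_entry, proto_list_is_well_framed, select_next_proto_strict, run_case) and a signature that differs from OpenSSL's, and exercises it on constructed sample lists, including a client list whose length byte overruns its buffer.

```c
/* Added example, not OpenSSL code: a bounds-checked parser for the ALPN/NPN
 * protocol-list wire format (<1-byte length><bytes> entries) plus a selection
 * routine following the CVE-2024-5535 commit message. Names are this
 * example's own, not OpenSSL's API. */
#include <stdio.h>
#include <string.h>

#define NPN_NEGOTIATED 1  /* an entry common to both lists was found */
#define NPN_NO_OVERLAP 2  /* no common entry; *out may hold a default */

/* Read cursor over a list; every access is checked against `remaining`. */
typedef struct { const unsigned char *cur; size_t remaining; } cursor_t;

/* Next length-prefixed entry. Returns 0 at end of list or when the length
 * byte claims more bytes than remain, so a bad tail is never read past. */
static int next_entry(cursor_t *c, const unsigned char **entry, size_t *len)
{
    size_t n;
    if (c->remaining == 0)
        return 0;
    n = c->cur[0];
    if (n + 1 > c->remaining)
        return 0;
    *entry = c->cur + 1;
    *len = n;
    c->cur += n + 1;
    c->remaining -= n + 1;
    return 1;
}

/* 1 if the length bytes tile the buffer exactly (structurally well framed). */
int proto_list_is_well_framed(const unsigned char *list, size_t list_len)
{
    cursor_t c = { list, list_len };
    const unsigned char *e;
    size_t n;
    while (c.remaining > 0)
        if (!next_entry(&c, &e, &n))
            return 0;
    return 1;
}

/* First protocol in server preference order that the client also offers.
 * NULL/empty/malformed client list: NPN_NO_OVERLAP with *out = NULL. Otherwise
 * the client's first entry is the default; empty entries and bad tails are skipped. */
int select_next_proto_strict(const unsigned char **out, unsigned char *outlen,
                             const unsigned char *server, size_t server_len,
                             const unsigned char *client, size_t client_len)
{
    cursor_t cc = { client, client_len }, sc = { server, server_len };
    const unsigned char *first, *s, *cl;
    size_t first_len, sn, cn;

    if (client == NULL || !next_entry(&cc, &first, &first_len) || first_len == 0) {
        *out = NULL;
        *outlen = 0;
        return NPN_NO_OVERLAP;
    }
    *out = first;
    *outlen = (unsigned char)first_len;  /* a 1-byte length is always <= 255 */
    while (server != NULL && next_entry(&sc, &s, &sn)) {
        cursor_t ck = { client, client_len };
        if (sn == 0)
            continue;                    /* invalid empty entry, ignore it */
        while (next_entry(&ck, &cl, &cn))
            if (cn == sn && memcmp(s, cl, sn) == 0) {
                *out = s;
                *outlen = (unsigned char)sn;
                return NPN_NEGOTIATED;
            }
    }
    return NPN_NO_OVERLAP;
}

/* Constructed sample lists for the demo, not captured traffic. */
static const unsigned char SERVER_PREFS[] = { 2,'h','2', 8,'h','t','t','p','/','1','.','1' };
static const unsigned char SERVER_JUNK[] = { 0, 2,'h','2', 7,'z' };  /* empty entry, truncated tail */
static const unsigned char CLIENT_OK[] = { 8,'h','t','t','p','/','1','.','1', 2,'h','2' };
static const unsigned char CLIENT_NONE[] = { 6,'s','p','d','y','/','3' };
static const unsigned char CLIENT_BAD[] = { 5,'h','2' };  /* length byte overruns the buffer */

/* Runs one selection; 1 if status and chosen protocol match (want_proto NULL
 * means the call must hand back no pointer at all). */
int run_case(const unsigned char *srv, size_t srv_len, const unsigned char *cli,
             size_t cli_len, int want_status, const char *want_proto)
{
    const unsigned char *out = (const unsigned char *)"poison";
    unsigned char outlen = 99;
    int st = select_next_proto_strict(&out, &outlen, srv, srv_len, cli, cli_len);
    if (st != want_status)
        return 0;
    if (want_proto == NULL)
        return out == NULL && outlen == 0;
    return outlen == strlen(want_proto) && memcmp(out, want_proto, outlen) == 0;
}

int main(void)
{
    printf("server preference honoured:   %d\n", run_case(SERVER_PREFS, sizeof SERVER_PREFS, CLIENT_OK, sizeof CLIENT_OK, NPN_NEGOTIATED, "h2"));
    printf("no overlap keeps default:     %d\n", run_case(SERVER_PREFS, sizeof SERVER_PREFS, CLIENT_NONE, sizeof CLIENT_NONE, NPN_NO_OVERLAP, "spdy/3"));
    printf("malformed client rejected:    %d\n", run_case(SERVER_PREFS, sizeof SERVER_PREFS, CLIENT_BAD, sizeof CLIENT_BAD, NPN_NO_OVERLAP, NULL));
    printf("sloppy server list tolerated: %d\n", run_case(SERVER_JUNK, sizeof SERVER_JUNK, CLIENT_OK, sizeof CLIENT_OK, NPN_NEGOTIATED, "h2"));
    return 0;
}
```

The one design decision worth noting is that a malformed client list is rejected outright (no pointer handed back), while a malformed server list is merely cut short at the bad entry; that asymmetry mirrors the commit message, which says the client list may come unvalidated from the NPN callback, whereas an entry the server list has already started is safe to use up to the point the framing breaks.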
[OE-core][master][PATCH] libxml2: Upgrade 2.12.7 -> 2.12.8
From: Siddharth Doshi Changes between 2.12.7 -> 2.12.8 Regression Fixed: parser: Fix performance regression when parsing namespaces Signed-off-by: Siddharth Doshi --- .../libxml/{libxml2_2.12.7.bb => libxml2_2.12.8.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-core/libxml/{libxml2_2.12.7.bb => libxml2_2.12.8.bb} (97%) diff --git a/meta/recipes-core/libxml/libxml2_2.12.7.bb b/meta/recipes-core/libxml/libxml2_2.12.8.bb similarity index 97% rename from meta/recipes-core/libxml/libxml2_2.12.7.bb rename to meta/recipes-core/libxml/libxml2_2.12.8.bb index 84601c282f..fb103f0273 100644 --- a/meta/recipes-core/libxml/libxml2_2.12.7.bb +++ b/meta/recipes-core/libxml/libxml2_2.12.8.bb @@ -20,7 +20,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testt file://install-tests.patch \ " -SRC_URI[archive.sha256sum] = "24ae78ff1363a973e6d8beba941a7945da2ac056e19b53956aeb6927fd6cfb56" +SRC_URI[archive.sha256sum] = "43ad877b018bc63deb2468d71f95219c2fac196876ef36d1bee51d226173ec93" SRC_URI[testtar.sha256sum] = "c6b2d42ee50b8b236e711a97d68e6c4b5c8d83e69a2be4722379f08702ea7273" # Disputed as a security issue, but fixed in d39f780 -- 2.34.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#200846): https://lists.openembedded.org/g/openembedded-core/message/200846 Mute This Topic: https://lists.openembedded.org/mt/106722915/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
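Review bot: the hunk only swaps archive.sha256sum, and the commit message names one regression fix but gives no pointer to the upstream 2.12.8 release notes; add the NEWS link that the scarthgap version of this bump carries so the new checksum and the change list can be checked against the upstream release rather than taken on trust.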
[OE-core][scarthgap][PATCH] libxml2: Upgrade 2.12.6 -> 2.12.8
From: Siddharth Doshi CVE's Fixed by upgrade: CVE-2024-34459 libxml2: buffer over-read in xmlHTMLPrintFileContext in xmllint.c Other Changes between 2.12.6 -> 2.12.8 == https://gitlab.gnome.org/GNOME/libxml2/-/blob/2.12/NEWS?ref_type=heads Signed-off-by: Siddharth Doshi --- .../libxml/{libxml2_2.12.6.bb => libxml2_2.12.8.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-core/libxml/{libxml2_2.12.6.bb => libxml2_2.12.8.bb} (97%) diff --git a/meta/recipes-core/libxml/libxml2_2.12.6.bb b/meta/recipes-core/libxml/libxml2_2.12.8.bb similarity index 97% rename from meta/recipes-core/libxml/libxml2_2.12.6.bb rename to meta/recipes-core/libxml/libxml2_2.12.8.bb index 14fcff7fa4..fb103f0273 100644 --- a/meta/recipes-core/libxml/libxml2_2.12.6.bb +++ b/meta/recipes-core/libxml/libxml2_2.12.8.bb @@ -20,7 +20,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testt file://install-tests.patch \ " -SRC_URI[archive.sha256sum] = "889c593a881a3db5fdd96cc9318c87df34eb648edfc458272ad46fd607353fbb" +SRC_URI[archive.sha256sum] = "43ad877b018bc63deb2468d71f95219c2fac196876ef36d1bee51d226173ec93" SRC_URI[testtar.sha256sum] = "c6b2d42ee50b8b236e711a97d68e6c4b5c8d83e69a2be4722379f08702ea7273" # Disputed as a security issue, but fixed in d39f780 -- 2.34.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#200845): https://lists.openembedded.org/g/openembedded-core/message/200845 Mute This Topic: https://lists.openembedded.org/mt/106722863/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
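Review bot: this is a two-release jump on a stable branch (2.12.6 -> 2.12.8) and the message summarises only the CVE; the diffstat drops no CVE backport patch and the visible SRC_URI context carries only install-tests.patch, so nothing becomes redundant, but a one-line summary of the non-security 2.12.7 and 2.12.8 changes (the master bump names a namespace-parsing performance regression fix) would let stable-branch reviewers judge the risk without reading the whole NEWS file.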
[OE-core][kirkstone][PATCH] libxml2: Security fix for CVE-2024-34459
From: Siddharth Doshi Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/libxml2/-/commit/2876ac5392a4e891b81e40e592c3ac6cb46016ce] CVE's Fixed: CVE-2024-34459 libxml2: buffer over-read in xmlHTMLPrintFileContext in xmllint.c Signed-off-by: Siddharth Doshi --- .../libxml/libxml2/CVE-2024-34459.patch | 30 +++ meta/recipes-core/libxml/libxml2_2.9.14.bb| 1 + 2 files changed, 31 insertions(+) create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2024-34459.patch diff --git a/meta/recipes-core/libxml/libxml2/CVE-2024-34459.patch b/meta/recipes-core/libxml/libxml2/CVE-2024-34459.patch new file mode 100644 index 00..96e3d3cfaf --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2024-34459.patch @@ -0,0 +1,30 @@ +From 78fce372041d53cfeaaf2c11c71d07eef55ecfd1 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Wed, 8 May 2024 11:49:31 +0200 +Subject: [PATCH] Fix buffer overread with `xmllint --htmlout` + +Add a missing bounds check. + +Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/libxml2/-/commit/2876ac5392a4e891b81e40e592c3ac6cb46016ce] +CVE: CVE-2024-34459 +Signed-off-by: Siddharth Doshi +--- + xmllint.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/xmllint.c b/xmllint.c +index ee6bfdc..2f792f1 100644 +--- a/xmllint.c b/xmllint.c +@@ -602,7 +602,7 @@ xmlHTMLPrintFileContext(xmlParserInputPtr input) { + len = strlen(buffer); + snprintf(&buffer[len], sizeof(buffer) - len, "\n"); + cur = input->cur; +-while ((*cur == '\n') || (*cur == '\r')) ++while ((cur > base) && ((*cur == '\n') || (*cur == '\r'))) + cur--; + n = 0; + while ((cur != base) && (n++ < 80)) { +-- +2.25.1 + diff --git a/meta/recipes-core/libxml/libxml2_2.9.14.bb b/meta/recipes-core/libxml/libxml2_2.9.14.bb index 2b7ed9..94b3b510ae 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.14.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.14.bb 
@@ -32,6 +32,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar;subdir=${BP};name=testt file://CVE-2023-45322-1.patch \ file://CVE-2023-45322-2.patch \ file://CVE-2024-25062.patch \ + file://CVE-2024-34459.patch \ " SRC_URI[archive.sha256sum] = "60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee" -- 2.34.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#200844): https://lists.openembedded.org/g/openembedded-core/message/200844 Mute This Topic: https://lists.openembedded.org/mt/106722845/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
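Review bot: the added `cur > base` guard on the newline-skipping loop is the whole fix and is placed correctly, since the following `while ((cur != base) && (n++ < 80))` loop already stops at base; without it the backward scan stepped below the start of the input buffer whenever everything between base and input->cur was newlines. Two header nits: the patch's `From` id (78fce372...) is not the commit the Upstream-Status line cites (2876ac53...), so either add a `(cherry picked from commit 2876ac53...)` line or make the two agree, and the other backports on this list use the `Upstream-Status: Backport [url]` form rather than `Backport from [url]`.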
[OE-core][scarthgap][PATCH] cups: Upgrade 2.4.7 -> 2.4.9
From: Siddharth Doshi CVE's Fixed by upgrade: CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777 Other Changes between 2.4.7 -> 2.4.9 https://github.com/OpenPrinting/cups/blob/2.4.x/CHANGES.md Signed-off-by: Siddharth Doshi --- meta/recipes-extended/cups/{cups_2.4.7.bb => cups_2.4.9.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-extended/cups/{cups_2.4.7.bb => cups_2.4.9.bb} (51%) diff --git a/meta/recipes-extended/cups/cups_2.4.7.bb b/meta/recipes-extended/cups/cups_2.4.9.bb similarity index 51% rename from meta/recipes-extended/cups/cups_2.4.7.bb rename to meta/recipes-extended/cups/cups_2.4.9.bb index f4b0282e4c..e0a3522004 100644 --- a/meta/recipes-extended/cups/cups_2.4.7.bb +++ b/meta/recipes-extended/cups/cups_2.4.9.bb @@ -2,4 +2,4 @@ require cups.inc LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57" -SRC_URI[sha256sum] = "dd54228dd903526428ce7e37961afaed230ad310788141da75cebaa08362cf6c" +SRC_URI[sha256sum] = "38fbf4535a10554113e013d54fedda03ee88007ea6a9761d626a04e1e4489e8c" -- 2.34.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#200585): https://lists.openembedded.org/g/openembedded-core/message/200585 Mute This Topic: https://lists.openembedded.org/mt/106644876/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
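Review bot: the recipe hunk only swaps SRC_URI[sha256sum], but this bump skips 2.4.8 on a stable branch (master went 2.4.8 -> 2.4.9), so the commit message should summarise what 2.4.8 changed, or state explicitly that the jump is CVE-only, instead of pointing at the whole CHANGES.md.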
[OE-core][master][PATCH] cups: Upgrade 2.4.8 -> 2.4.9
From: Siddharth Doshi CVE's Fixed by upgrade: CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777 Other Changes between 2.4.8 -> 2.4.9 https://github.com/OpenPrinting/cups/blob/2.4.x/CHANGES.md Signed-off-by: Siddharth Doshi --- meta/recipes-extended/cups/{cups_2.4.8.bb => cups_2.4.9.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-extended/cups/{cups_2.4.8.bb => cups_2.4.9.bb} (51%) diff --git a/meta/recipes-extended/cups/cups_2.4.8.bb b/meta/recipes-extended/cups/cups_2.4.9.bb similarity index 51% rename from meta/recipes-extended/cups/cups_2.4.8.bb rename to meta/recipes-extended/cups/cups_2.4.9.bb index c0cddf7e99..e0a3522004 100644 --- a/meta/recipes-extended/cups/cups_2.4.8.bb +++ b/meta/recipes-extended/cups/cups_2.4.9.bb @@ -2,4 +2,4 @@ require cups.inc LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57" -SRC_URI[sha256sum] = "75c326b4ba73975efcc9a25078c4b04cdb4ee333caaad0d0823dbd522c6479a0" +SRC_URI[sha256sum] = "38fbf4535a10554113e013d54fedda03ee88007ea6a9761d626a04e1e4489e8c" -- 2.34.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#200584): https://lists.openembedded.org/g/openembedded-core/message/200584 Mute This Topic: https://lists.openembedded.org/mt/106644856/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core][scarthgap][PATCH] openssl: Upgrade 3.2.1 -> 3.2.2
CVE's Fixed by upgrade: CVE-2024-4741: Fixed potential use after free after SSL_free_buffers() is called CVE-2024-4603: Fixed an issue where checking excessively long DSA keys or parameters may be very slow CVE-2024-2511: Fixed unbounded memory growth with session handling in TLSv1.3 Bugs Fixed by upgrade: #23560: Fixed bug where SSL_export_keying_material() could not be used with QUIC connections Removed backports of CVE-2024-2511, CVE-2024-4603 and bti.patch as they are already fixed. Detailed Information: https://github.com/openssl/openssl/blob/openssl-3.2/CHANGES.md#changes-between-321-and-322-4-jun-2024 Signed-off-by: Siddharth Doshi --- .../openssl/openssl/CVE-2024-2511.patch | 120 .../openssl/openssl/CVE-2024-4603.patch | 179 -- .../openssl/openssl/bti.patch | 58 -- .../{openssl_3.2.1.bb => openssl_3.2.2.bb}| 5 +- 4 files changed, 1 insertion(+), 361 deletions(-) delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-2511.patch delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-4603.patch delete mode 100644 meta/recipes-connectivity/openssl/openssl/bti.patch rename meta/recipes-connectivity/openssl/{openssl_3.2.1.bb => openssl_3.2.2.bb} (97%) diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-2511.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-2511.patch deleted file mode 100644 index 8772f716d5..00 --- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-2511.patch +++ /dev/null 
@@ -1,120 +0,0 @@ -From e9d7083e241670332e0443da0f0d4ffb52829f08 Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Tue, 5 Mar 2024 15:43:53 + -Subject: [PATCH] Fix unconstrained session cache growth in TLSv1.3 - -In TLSv1.3 we create a new session object for each ticket that we send. -We do this by duplicating the original session. If SSL_OP_NO_TICKET is in -use then the new session will be added to the session cache. However, if -early data is not in use (and therefore anti-replay protection is being -used), then multiple threads could be resuming from the same session -simultaneously. If this happens and a problem occurs on one of the threads, -then the original session object could be marked as not_resumable. When we -duplicate the session object this not_resumable status gets copied into the -new session object. The new session object is then added to the session -cache even though it is not_resumable. - -Subsequently, another bug means that the session_id_length is set to 0 for -sessions that are marked as not_resumable - even though that session is -still in the cache. Once this happens the session can never be removed from -the cache. When that object gets to be the session cache tail object the -cache never shrinks again and grows indefinitely. 
- -CVE-2024-2511 - -Reviewed-by: Neil Horman -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/24043) - -CVE: CVE-2024-2511 -Upstream-Status: Backport [https://github.com/openssl/openssl/commit/e9d7083e241670332e0443da0f0d4ffb52829f08] -Signed-off-by: Peter Marko - ssl/ssl_lib.c| 5 +++-- - ssl/ssl_sess.c | 28 ++-- - ssl/statem/statem_srvr.c | 5 ++--- - 3 files changed, 27 insertions(+), 11 deletions(-) - -diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c -index 4afb43bc86e54..c51529ddab5bb 100644 a/ssl/ssl_lib.c -+++ b/ssl/ssl_lib.c -@@ -4457,9 +4457,10 @@ void ssl_update_cache(SSL_CONNECTION *s, int mode) - - /* - * If the session_id_length is 0, we are not supposed to cache it, and it -- * would be rather hard to do anyway :-) -+ * would be rather hard to do anyway :-). Also if the session has already -+ * been marked as not_resumable we should not cache it for later reuse. - */ --if (s->session->session_id_length == 0) -+if (s->session->session_id_length == 0 || s->session->not_resumable) - return; - - /* -diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c -index 3dcc4d81e5bc6..1fa6d17c46863 100644 a/ssl/ssl_sess.c -+++ b/ssl/ssl_sess.c -@@ -127,16 +127,11 @@ SSL_SESSION *SSL_SESSION_new(void) - return ss; - } - --SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src) --{ --return ssl_session_dup(src, 1); --} -- - /* - * Create a new SSL_SESSION and duplicate the contents of |src| into it. If - * ticket == 0 then no ticket information is duplicated, otherwise it is. - */ --SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket) -+static SSL_SESSION *ssl_session_dup_intern(const SSL_SESSION *src, int ticket) - { - SSL_SESSION *dest; - -@@ -265,6 +260,27 @@ SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket) - return NULL; - } - -+SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src) -+{ -+return ssl_session_dup_intern(src, 1); -+} -+ -+/* -+ * Used internally when duplicating a session which might be alre
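Review bot: the diffstat deletes CVE-2024-2511.patch, CVE-2024-4603.patch and bti.patch but no CVE-2024-4741_*.patch, while the message lists CVE-2024-4741 as fixed by the upgrade; the PATCHv2 series for CVE-2024-4741 posted against openssl_3.2.1.bb on this list adds five such files, so either drop them here too or say in the message that the v2 series was not merged and is superseded by this bump. Also cite the upstream change that makes bti.patch redundant: it is not a CVE, and the linked CHANGES.md section is quoted here only for the CVEs.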
[OE-core][kirkstone][PATCH] openssl: Upgrade 3.0.13 -> 3.0.14
CVE's Fixed by upgrade: CVE-2024-4741: Fixed potential use after free after SSL_free_buffers() is called CVE-2024-4603: Fixed an issue where checking excessively long DSA keys or parameters may be very slow CVE-2024-2511: Fixed unbounded memory growth with session handling in TLSv1.3 Removed backports of CVE-2024-2511 and CVE-2024-4603 as they are already fixed. Detailed Information: https://github.com/openssl/openssl/blob/openssl-3.0/CHANGES.md#changes-between-3013-and-3014-4-jun-2024 Signed-off-by: Siddharth Doshi --- .../openssl/openssl/CVE-2024-2511.patch | 122 .../openssl/openssl/CVE-2024-4603.patch | 180 -- .../{openssl_3.0.13.bb => openssl_3.0.14.bb} | 4 +- 3 files changed, 1 insertion(+), 305 deletions(-) delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-2511.patch delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-4603.patch rename meta/recipes-connectivity/openssl/{openssl_3.0.13.bb => openssl_3.0.14.bb} (98%) diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-2511.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-2511.patch deleted file mode 100644 index 8aea686205..00 --- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-2511.patch +++ /dev/null 
@@ -1,122 +0,0 @@ -From b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Tue, 5 Mar 2024 15:43:53 + -Subject: [PATCH] Fix unconstrained session cache growth in TLSv1.3 - -In TLSv1.3 we create a new session object for each ticket that we send. -We do this by duplicating the original session. If SSL_OP_NO_TICKET is in -use then the new session will be added to the session cache. However, if -early data is not in use (and therefore anti-replay protection is being -used), then multiple threads could be resuming from the same session -simultaneously. If this happens and a problem occurs on one of the threads, -then the original session object could be marked as not_resumable. When we -duplicate the session object this not_resumable status gets copied into the -new session object. The new session object is then added to the session -cache even though it is not_resumable. - -Subsequently, another bug means that the session_id_length is set to 0 for -sessions that are marked as not_resumable - even though that session is -still in the cache. Once this happens the session can never be removed from -the cache. When that object gets to be the session cache tail object the -cache never shrinks again and grows indefinitely. 
- -CVE-2024-2511 - -Reviewed-by: Neil Horman -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/24044) - -(cherry picked from commit 7e4d731b1c07201ad9374c1cd9ac5263bdf35bce) - -CVE: CVE-2024-2511 -Upstream-Status: Backport [https://github.com/openssl/openssl/commit/b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d] -Signed-off-by: Peter Marko - ssl/ssl_lib.c| 5 +++-- - ssl/ssl_sess.c | 28 ++-- - ssl/statem/statem_srvr.c | 5 ++--- - 3 files changed, 27 insertions(+), 11 deletions(-) - -diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c -index 2c8479eb5fc69..eed649c6fdee9 100644 a/ssl/ssl_lib.c -+++ b/ssl/ssl_lib.c -@@ -3736,9 +3736,10 @@ void ssl_update_cache(SSL *s, int mode) - - /* - * If the session_id_length is 0, we are not supposed to cache it, and it -- * would be rather hard to do anyway :-) -+ * would be rather hard to do anyway :-). Also if the session has already -+ * been marked as not_resumable we should not cache it for later reuse. - */ --if (s->session->session_id_length == 0) -+if (s->session->session_id_length == 0 || s->session->not_resumable) - return; - - /* -diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c -index d836b33ed0e81..75adbd9e52b40 100644 a/ssl/ssl_sess.c -+++ b/ssl/ssl_sess.c -@@ -152,16 +152,11 @@ SSL_SESSION *SSL_SESSION_new(void) - return ss; - } - --SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src) --{ --return ssl_session_dup(src, 1); --} -- - /* - * Create a new SSL_SESSION and duplicate the contents of |src| into it. If - * ticket == 0 then no ticket information is duplicated, otherwise it is. 
- */ --SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket) -+static SSL_SESSION *ssl_session_dup_intern(const SSL_SESSION *src, int ticket) - { - SSL_SESSION *dest; - -@@ -285,6 +280,27 @@ SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket) - return NULL; - } - -+SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src) -+{ -+return ssl_session_dup_intern(src, 1); -+} -+ -+/* -+ * Used internally when duplicating a session which might be already shared. -+ * We will have resumed the original session. Subsequently we might have marked -+ * it as non-resumable (e.g. in another thread) - but this copy should be ok to -+ * res
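Review bot: the diffstat removes CVE-2024-2511.patch and CVE-2024-4603.patch only, yet the message lists CVE-2024-4741 as fixed by the upgrade and a PATCHv2 series adding CVE-2024-4741_1.patch through CVE-2024-4741_5.patch to openssl_3.0.13.bb is on this list; if that series was merged, those five files and their SRC_URI lines must also go, otherwise the message should say the v2 series is superseded by this bump so the branch history stays readable.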
[OE-core][scarthgap][PATCHv2] openssl: Security fix for CVE-2024-4741
From: Siddharth Doshi Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/c88c3de51020c37e8706bf7a682a162593053aac, https://github.com/openssl/openssl/commit/10171e5b511b700c5ecd4fd3e1086b19c34b1ae3, https://github.com/openssl/openssl/commit/ec87bc54c8ccc13caa29bc7f74ae84d78ffa1f5e, https://github.com/openssl/openssl/commit/d0f5a122ba271c9c848e16970249f61b3fc11b2b, https://github.com/openssl/openssl/commit/d03e6fdf54ea41fb35e0499134eb3a7f831b] CVE's Fixed: CVE-2024-4741:Use After Free with SSL_free_buffers Signed-off-by: Siddharth Doshi --- .../openssl/openssl/CVE-2024-4741_1.patch | 43 .../openssl/openssl/CVE-2024-4741_2.patch | 52 + .../openssl/openssl/CVE-2024-4741_3.patch | 137 .../openssl/openssl/CVE-2024-4741_4.patch | 124 +++ .../openssl/openssl/CVE-2024-4741_5.patch | 205 ++ .../openssl/openssl_3.2.1.bb | 5 + 6 files changed, 566 insertions(+) create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-4741_1.patch create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-4741_2.patch create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-4741_3.patch create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-4741_4.patch create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-4741_5.patch diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-4741_1.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-4741_1.patch new file mode 100644 index 00..6987220c35 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2024-4741_1.patch 
@@ -0,0 +1,43 @@ +From fe3eeaab1b2b5c9f9240a5ebafa5057a3211c3d0 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Tue, 23 Apr 2024 16:34:46 +0100 +Subject: [PATCH 1/5] Only free the read buffers if we're not using them + +If we're part way through processing a record, or the application has +not released all the records then we should not free our buffer because +they are still needed. + +CVE-2024-4741 + +Reviewed-by: Tomas Mraz +Reviewed-by: Neil Horman +(Merged from https://github.com/openssl/openssl/pull/24395) + +(cherry picked from commit 38690cab18de88198f46478565fab423cf534efa) + +Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/c88c3de51020c37e8706bf7a682a162593053aac] +CVE: CVE-2024-4741 +Signed-off-by: Siddharth Doshi +--- + ssl/record/methods/tls_common.c | 5 - + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/ssl/record/methods/tls_common.c b/ssl/record/methods/tls_common.c +index 08e519a..f46da0f 100644 +--- a/ssl/record/methods/tls_common.c b/ssl/record/methods/tls_common.c +@@ -2129,7 +2129,10 @@ int tls_free_buffers(OSSL_RECORD_LAYER *rl) + /* Read direction */ + + /* If we have pending data to be read then fail */ +-if (rl->curr_rec < rl->num_recs || TLS_BUFFER_get_left(&rl->rbuf) != 0) ++if (rl->curr_rec < rl->num_recs ++|| rl->curr_rec != rl->num_released ++|| TLS_BUFFER_get_left(&rl->rbuf) != 0 ++|| rl->rstate == SSL_ST_READ_BODY) + return 0; + + return tls_release_read_buffer(rl); +-- +2.44.0 + diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-4741_2.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-4741_2.patch new file mode 100644 index 00..6d455264ff --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2024-4741_2.patch 
@@ -0,0 +1,52 @@ +From af2a2a9b4a6504891de7225ad12dba799cc2f1d3 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Tue, 23 Apr 2024 16:36:11 +0100 +Subject: [PATCH 2/5] Set rl->packet to NULL after we've finished using it + +In order to ensure we do not have a UAF we reset the rl->packet pointer +to NULL after we free it. + +Follow on from CVE-2024-4741 + +Reviewed-by: Tomas Mraz +Reviewed-by: Neil Horman +(Merged from https://github.com/openssl/openssl/pull/24395) + +(cherry picked from commit bfb8128190632092b3a66465838b87b469455cec) + +Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/10171e5b511b700c5ecd4fd3e1086b19c34b1ae3] +CVE: CVE-2024-4741 +Signed-off-by: Siddharth Doshi +--- + ssl/record/methods/tls_common.c | 8 + 1 file changed, 8 insertions(+) + +diff --git a/ssl/record/methods/tls_common.c b/ssl/record/methods/tls_common.c +index f46da0f..4cc432e 100644 +--- a/ssl/record/methods/tls_common.c b/ssl/record/methods/tls_common.c +@@ -283,6 +283,8 @@ static int tls_release_read_buffer(OSSL_RECORD_LAYER *rl) + OPENSSL_cleanse(b->buf, b->len); + OPENSSL_free(b->buf); + b->buf = NULL; ++rl->packet = NULL; ++rl->packet_length = 0; + return 1; + } + +@@ -325,6 +327,12 @@ int tls_default_read_n(OSSL_RECORD_LAYER *rl, size_t n, size_t max, int extend, + /* ...
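Review bot: in patch 1 the four-term condition in tls_free_buffers is the substantive fix, but neither the hunk nor the commit message says what `rl->curr_rec != rl->num_released` and `rl->rstate == SSL_ST_READ_BODY` guard (records handed to the application but not yet released, and a record whose body is still being read, per the commit text); add a short comment above the `if` so the backport can be audited without the upstream PR. The header also carries three ids for one change (From fe3eeaab..., cherry picked from 38690cab..., Upstream-Status c88c3de5...), so confirm c88c3de5 is the openssl-3.2 branch commit actually applied.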
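Review bot: in patch 2, resetting rl->packet and rl->packet_length right after `b->buf = NULL` in tls_release_read_buffer closes the dangling pointer the commit message names, but the second hunk in tls_default_read_n is cut off in this archive copy at `/* ...`, so that site cannot be checked here. The cover message's fifth Upstream-Status URL is also not a full 40-hex commit id (d03e6fdf54ea41fb35e0499134eb3a7f831b); please correct it in the next revision.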
[OE-core][kirkstone][PATCHv2] openssl: Security fix for CVE-2024-4741
From: Siddharth Doshi Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/b3f0eb0a295f58f16ba43ba99dad70d4ee5c437d, https://github.com/openssl/openssl/commit/2d05959073c4bf8803401668b9df85931a08e020, https://github.com/openssl/openssl/commit/6fef334f914abfcd988e53a32d19f01d84529f74, https://github.com/openssl/openssl/commit/1359c00e683840154760b7ba9204bad1b13dc074, https://github.com/openssl/openssl/commit/d095674320c84b8ed1250715b1dd5ce05f9f267b] CVE's Fixed: CVE-2024-4741:Use After Free with SSL_free_buffers Signed-off-by: Siddharth Doshi --- .../openssl/openssl/CVE-2024-4741_1.patch | 76 +++ .../openssl/openssl/CVE-2024-4741_2.patch | 56 + .../openssl/openssl/CVE-2024-4741_3.patch | 137 .../openssl/openssl/CVE-2024-4741_4.patch | 122 +++ .../openssl/openssl/CVE-2024-4741_5.patch | 205 ++ .../openssl/openssl_3.0.13.bb | 5 + 6 files changed, 601 insertions(+) create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-4741_1.patch create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-4741_2.patch create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-4741_3.patch create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-4741_4.patch create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-4741_5.patch diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-4741_1.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-4741_1.patch new file mode 100644 index 00..0753fa222c --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2024-4741_1.patch 
@@ -0,0 +1,76 @@ +From b3f0eb0a295f58f16ba43ba99dad70d4ee5c437d Mon Sep 17 00:00:00 2001 +From: Watson Ladd +Date: Wed, 24 Apr 2024 11:26:56 +0100 +Subject: [PATCH] Only free the read buffers if we're not using them + +If we're part way through processing a record, or the application has +not released all the records then we should not free our buffer because +they are still needed. + +CVE-2024-4741 + +Reviewed-by: Tomas Mraz +Reviewed-by: Neil Horman +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/24395) + +(cherry picked from commit 704f725b96aa373ee45ecfb23f6abfe8be8d9177) + +Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/b3f0eb0a295f58f16ba43ba99dad70d4ee5c437d] +CVE: CVE-2024-4741 +Signed-off-by: Siddharth Doshi +--- + ssl/record/rec_layer_s3.c | 9 + + ssl/record/record.h | 1 + + ssl/ssl_lib.c | 3 +++ + 3 files changed, 13 insertions(+) + +diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c +index 4bcffcc..1569997 100644 +--- a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c +@@ -81,6 +81,15 @@ int RECORD_LAYER_read_pending(const RECORD_LAYER *rl) + return SSL3_BUFFER_get_left(&rl->rbuf) != 0; + } + ++int RECORD_LAYER_data_present(const RECORD_LAYER *rl) ++{ ++if (rl->rstate == SSL_ST_READ_BODY) ++return 1; ++if (RECORD_LAYER_processed_read_pending(rl)) ++return 1; ++return 0; ++} ++ + /* Checks if we have decrypted unread record data pending */ + int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl) + { +diff --git a/ssl/record/record.h b/ssl/record/record.h +index 234656b..b60f71c 100644 +--- a/ssl/record/record.h b/ssl/record/record.h +@@ -205,6 +205,7 @@ void RECORD_LAYER_release(RECORD_LAYER *rl); + int RECORD_LAYER_read_pending(const RECORD_LAYER *rl); + int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl); + int RECORD_LAYER_write_pending(const RECORD_LAYER *rl); ++int RECORD_LAYER_data_present(const RECORD_LAYER *rl); + void 
RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl); + void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl); + int RECORD_LAYER_is_sslv2_record(RECORD_LAYER *rl); +diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c +index eed649c..d14c55a 100644 +--- a/ssl/ssl_lib.c b/ssl/ssl_lib.c +@@ -5492,6 +5492,9 @@ int SSL_free_buffers(SSL *ssl) + if (RECORD_LAYER_read_pending(rl) || RECORD_LAYER_write_pending(rl)) + return 0; + ++if (RECORD_LAYER_data_present(rl)) ++return 0; ++ + RECORD_LAYER_release(rl); + return 1; + } +-- +2.25.1 + diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-4741_2.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-4741_2.patch new file mode 100644 index 00..30a74c5ca4 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2024-4741_2.patch @@ -0,0 +1,56 @@ +From 2d05959073c4bf8803401668b9df85931a08e020 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Wed, 24 Apr 2024 11:33:41 +0100 +Subject: [PATCH] Set rlayer.packet to NULL after we've finished using it + +In order to ensure we do not have a UAF we reset the rlayer.packet pointer +to NULL after we free it. + +CVE-2024-4741 + +Reviewed-by: Tomas M
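Review bot: in the rec_layer_s3.c hunk, RECORD_LAYER_data_present duplicates RECORD_LAYER_processed_read_pending and then adds the SSL_ST_READ_BODY case; a one-line `return rl->rstate == SSL_ST_READ_BODY || RECORD_LAYER_processed_read_pending(rl);` would be tidier, but since this is a backport of b3f0eb0a it should stay byte-identical to upstream, so raise the style point there rather than here.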
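Review bot: in the ssl_lib.c hunk, SSL_free_buffers now has two consecutive `return 0` checks that could be one condition, which again should be left as upstream has it; the point worth recording in the series description is that a 0 return still gives the caller no way to tell "nothing to free" from "buffers busy", and that this first patch only refuses the free, while the pointer itself is nulled in patch 2 of this series (Set rlayer.packet to NULL after we've finished using it), so the UAF is not closed until both are applied.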
Re: [OE-core] [kirkstone][PATCH] openssl: Security fix for CVE-2024-4741
>> Nitpick : above commit link references commit for CVE-2024-4603 (copy+paste error).
- Ahh, that's silly of me. Guess the cup of coffee didn't take away the drowsiness completely. Thank-you for pointing it out.

>> The main problem of this patch (and the same patch for scarthgap) is that it's picking only one out of 5 commits referencing this CVE.
- That definitely makes sense. I just followed the fix links from https://openssl.org/news/vulnerabilities.html and didn't dive deeper.
- I will send a v2 by tomorrow.

-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#200214): https://lists.openembedded.org/g/openembedded-core/message/200214 Mute This Topic: https://lists.openembedded.org/mt/106446509/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core][kirkstone][PATCH] openssl: Security fix for CVE-2024-4741
From: Siddharth Doshi Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/3559e868e58005d15c6013a0c1fd832e51c73397] CVE's Fixed: CVE-2024-4741:Use After Free with SSL_free_buffers Signed-off-by: Siddharth Doshi --- .../openssl/openssl/CVE-2024-4741.patch | 76 +++ .../openssl/openssl_3.0.13.bb | 1 + 2 files changed, 77 insertions(+) create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-4741.patch diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-4741.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-4741.patch new file mode 100644 index 00..2fbc55b48a --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2024-4741.patch 
@@ -0,0 +1,76 @@ +From b3f0eb0a295f58f16ba43ba99dad70d4ee5c437d Mon Sep 17 00:00:00 2001 +From: Watson Ladd +Date: Wed, 24 Apr 2024 11:26:56 +0100 +Subject: [PATCH] Only free the read buffers if we're not using them + +If we're part way through processing a record, or the application has +not released all the records then we should not free our buffer because +they are still needed. + +CVE-2024-4741 + +Reviewed-by: Tomas Mraz +Reviewed-by: Neil Horman +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/24395) + +(cherry picked from commit 704f725b96aa373ee45ecfb23f6abfe8be8d9177) + +Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/b3f0eb0a295f58f16ba43ba99dad70d4ee5c437d] +CVE: CVE-2024-4741 +Signed-off-by: Siddharth Doshi +--- + ssl/record/rec_layer_s3.c | 9 + + ssl/record/record.h | 1 + + ssl/ssl_lib.c | 3 +++ + 3 files changed, 13 insertions(+) + +diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c +index 4bcffcc..1569997 100644 +--- a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c +@@ -81,6 +81,15 @@ int RECORD_LAYER_read_pending(const RECORD_LAYER *rl) + return SSL3_BUFFER_get_left(&rl->rbuf) != 0; + } + ++int RECORD_LAYER_data_present(const RECORD_LAYER *rl) ++{ ++if (rl->rstate == SSL_ST_READ_BODY) ++return 1; ++if (RECORD_LAYER_processed_read_pending(rl)) ++return 1; ++return 0; ++} ++ + /* Checks if we have decrypted unread record data pending */ + int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl) + { +diff --git a/ssl/record/record.h b/ssl/record/record.h +index 234656b..b60f71c 100644 +--- a/ssl/record/record.h b/ssl/record/record.h +@@ -205,6 +205,7 @@ void RECORD_LAYER_release(RECORD_LAYER *rl); + int RECORD_LAYER_read_pending(const RECORD_LAYER *rl); + int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl); + int RECORD_LAYER_write_pending(const RECORD_LAYER *rl); ++int RECORD_LAYER_data_present(const RECORD_LAYER *rl); + void 
RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl); + void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl); + int RECORD_LAYER_is_sslv2_record(RECORD_LAYER *rl); +diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c +index 2c8479e..131eaac 100644 +--- a/ssl/ssl_lib.c b/ssl/ssl_lib.c +@@ -5491,6 +5491,9 @@ int SSL_free_buffers(SSL *ssl) + if (RECORD_LAYER_read_pending(rl) || RECORD_LAYER_write_pending(rl)) + return 0; + ++if (RECORD_LAYER_data_present(rl)) ++return 0; ++ + RECORD_LAYER_release(rl); + return 1; + } +-- +2.35.7 + diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.13.bb b/meta/recipes-connectivity/openssl/openssl_3.0.13.bb index 87ab4047d9..46f02aa20a 100644 --- a/meta/recipes-connectivity/openssl/openssl_3.0.13.bb +++ b/meta/recipes-connectivity/openssl/openssl_3.0.13.bb @@ -14,6 +14,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ file://0001-Configure-do-not-tweak-mips-cflags.patch \ file://CVE-2024-2511.patch \ file://CVE-2024-4603.patch \ + file://CVE-2024-4741.patch \ " SRC_URI:append:class-nativesdk = " \ -- 2.34.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#200212): https://lists.openembedded.org/g/openembedded-core/message/200212 Mute This Topic: https://lists.openembedded.org/mt/106446509/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
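Review bot: the Upstream-Status URL in the cover text names commit 3559e868e58005d15c6013a0c1fd832e51c73397, while the patch file's own From and Upstream-Status lines name b3f0eb0a295f58f16ba43ba99dad70d4ee5c437d; as the reply in this thread says, the cover link is a copy+paste of the CVE-2024-4603 commit and should be corrected in v2. The same reply notes that upstream's fix for this CVE is spread over several commits of PR 24395, of which this patch carries one; v2 should include the rest (the follow-up that resets rlayer.packet to NULL after release appears as CVE-2024-4741_2.patch further up this page).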
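Review bot: RECORD_LAYER_data_present() in the rec_layer_s3.c hunk is the only function in that stretch without a leading comment (its neighbour carries `/* Checks if we have decrypted unread record data pending */`); a line stating that it reports either a record body mid-read (`rl->rstate == SSL_ST_READ_BODY`) or decrypted-but-unread records (via RECORD_LAYER_processed_read_pending()) would make the new SSL_free_buffers() condition self-explanatory. The prototype is added to record.h in the same patch, so the forward call to RECORD_LAYER_processed_read_pending(), which is defined just below the insertion point, resolves fine.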
[OE-core][scarthgap][PATCH] openssl: Security fix for CVE-2024-4741
From: Siddharth Doshi Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/c88c3de51020c37e8706bf7a682a162593053aac] CVE's Fixed: CVE-2024-4741:Use After Free with SSL_free_buffers Signed-off-by: Siddharth Doshi --- .../openssl/openssl/CVE-2024-4741.patch | 44 +++ .../openssl/openssl_3.2.1.bb | 1 + 2 files changed, 45 insertions(+) create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-4741.patch diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-4741.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-4741.patch new file mode 100644 index 00..4cb9806c75 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2024-4741.patch 
@@ -0,0 +1,44 @@ +From 9c24e8a8e04d4bb6de5198bc40a0bdbd860aded0 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Tue, 23 Apr 2024 16:34:46 +0100 +Subject: [PATCH] Only free the read buffers if we're not using them + +If we're part way through processing a record, or the application has +not released all the records then we should not free our buffer because +they are still needed. + +CVE-2024-4741 + +Reviewed-by: Tomas Mraz +Reviewed-by: Neil Horman +(Merged from https://github.com/openssl/openssl/pull/24395) + +(cherry picked from commit 38690cab18de88198f46478565fab423cf534efa) + +Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/c88c3de51020c37e8706bf7a682a162593053aac] +CVE: CVE-2024-4741 +Signed-off-by: Siddharth Doshi + +--- + ssl/record/methods/tls_common.c | 5 - + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/ssl/record/methods/tls_common.c b/ssl/record/methods/tls_common.c +index 08e519a..f46da0f 100644 +--- a/ssl/record/methods/tls_common.c b/ssl/record/methods/tls_common.c +@@ -2129,7 +2129,10 @@ int tls_free_buffers(OSSL_RECORD_LAYER *rl) + /* Read direction */ + + /* If we have pending data to be read then fail */ +-if (rl->curr_rec < rl->num_recs || TLS_BUFFER_get_left(&rl->rbuf) != 0) ++if (rl->curr_rec < rl->num_recs ++|| rl->curr_rec != rl->num_released ++|| TLS_BUFFER_get_left(&rl->rbuf) != 0 ++|| rl->rstate == SSL_ST_READ_BODY) + return 0; + + return tls_release_read_buffer(rl); +-- +2.44.0 + diff --git a/meta/recipes-connectivity/openssl/openssl_3.2.1.bb b/meta/recipes-connectivity/openssl/openssl_3.2.1.bb index 9bdf7e1ec6..c1f5591f8e 100644 --- a/meta/recipes-connectivity/openssl/openssl_3.2.1.bb +++ b/meta/recipes-connectivity/openssl/openssl_3.2.1.bb 
@@ -15,6 +15,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ file://bti.patch \ file://CVE-2024-2511.patch \ file://CVE-2024-4603.patch \ + file://CVE-2024-4741.patch \ " SRC_URI:append:class-nativesdk = " \ -- 2.34.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#200211): https://lists.openembedded.org/g/openembedded-core/message/200211 Mute This Topic: https://lists.openembedded.org/mt/106446429/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
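Review bot: the comment `/* If we have pending data to be read then fail */` above the expanded condition in tls_free_buffers() now describes only the first and third clauses; the added `rl->curr_rec != rl->num_released` (records handed to the caller but not yet released) and `rl->rstate == SSL_ST_READ_BODY` (a record body mid-read) deserve a mention there so nobody later drops them as redundant. The reply in the kirkstone thread states that this scarthgap patch, like the kirkstone one, picks only one of the several upstream commits for this CVE, so a v2 with the remaining commits is expected here too.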
[OE-core][kirkstone][PATCH] libx11: Security Fix for CVE-2023-43785, CVE-2023-43786 and CVE-2023-43787
From: Siddharth Doshi CVE's Fixed: CVE-2023-43785: libX11: out-of-bounds memory access in _XkbReadKeySyms() CVE-2023-43786: libX11: stack exhaustion from infinite recursion in PutSubImage() CVE-2023-43787: libX11: integer overflow in XCreateImage() leading to a heap overflow Signed-off-by: Siddharth Doshi --- .../xorg-lib/libx11/CVE-2023-43785.patch | 62 ++ .../xorg-lib/libx11/CVE-2023-43786-0001.patch | 41 .../xorg-lib/libx11/CVE-2023-43786-0002.patch | 45 + .../xorg-lib/libx11/CVE-2023-43786-0003.patch | 51 +++ .../xorg-lib/libx11/CVE-2023-43787.patch | 63 +++ .../xorg-lib/libx11_1.7.3.1.bb| 5 ++ 6 files changed, 267 insertions(+) create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-0001.patch create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-0002.patch create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-0003.patch create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787.patch diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch new file mode 100644 index 00..64f8776cc9 --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch 
@@ -0,0 +1,62 @@ +From 6858d468d9ca55fb4c5fd70b223dbc78a3358a7f Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Sun, 17 Sep 2023 14:19:40 -0700 +Subject: [PATCH] CVE-2023-43785: out-of-bounds memory access in + _XkbReadKeySyms() + +Make sure we allocate enough memory in the first place, and +also handle error returns from _XkbReadBufferCopyKeySyms() when +it detects out-of-bounds issues. + +Reported-by: Gregory James DUCK +Signed-off-by: Alan Coopersmith + +Upstream-Status: Backport from [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/6858d468d9ca55fb4c5fd70b223dbc78a3358a7f] +CVE: CVE-2023-43785 +Signed-off-by: Siddharth Doshi +--- + src/xkb/XKBGetMap.c | 14 +- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c +index 2891d21..31199e4 100644 +--- a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c +@@ -182,7 +182,8 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep) + if (offset + newMap->nSyms >= map->size_syms) { + register int sz; + +-sz = map->size_syms + 128; ++sz = offset + newMap->nSyms; ++sz = ((sz + (unsigned) 128) / 128) * 128; + _XkbResizeArray(map->syms, map->size_syms, sz, KeySym); + if (map->syms == NULL) { + map->size_syms = 0; +@@ -191,8 +192,9 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep) + map->size_syms = sz; + } + if (newMap->nSyms > 0) { +-_XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset], +- newMap->nSyms); ++if (_XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset], ++ newMap->nSyms) == 0) ++return BadLength; + offset += newMap->nSyms; + } + else { +@@ -222,8 +224,10 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep) + newSyms = XkbResizeKeySyms(xkb, i + rep->firstKeySym, tmp); + if (newSyms == NULL) + return BadAlloc; +-if (newMap->nSyms > 0) +-_XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms); ++if (newMap->nSyms > 0) { ++if (_XkbReadBufferCopyKeySyms(buf, newSyms, 
newMap->nSyms) == 0) ++return BadLength; ++} + else + newSyms[0] = NoSymbol; + oldMap->kt_index[0] = newMap->ktIndex[0]; +-- +2.35.7 + diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-0001.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-0001.patch new file mode 100644 index 00..db5b7067aa --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-0001.patch @@ -0,0 +1,41 @@ +From 204c3393c4c90a29ed6bef64e43849536e863a86 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Thu, 7 Sep 2023 15:54:30 -0700 +Subject: [PATCH] CVE-2023-43786: stack exhaustion from infinite recursion in + PutSubImage() + +When splitting a single line of pixels into chunks to send to the +X server, be sure to take into account the number of bits per pixel, +so we don't just loop forever trying to send more pixels than fit in +the given request size and not breaking them down into a small eno
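Review bot: in the first _XkbReadKeySyms() hunk the replacement `sz = ((sz + (unsigned) 128) / 128) * 128` always produces a value strictly greater than `offset + newMap->nSyms`, which is what the enclosing `>=` test needs, so the resize is now driven by the actual demand instead of a fixed `map->size_syms + 128`; a short comment stating that intent (round up to the next 128-KeySym boundary above the required length) would help, and it is worth noting that the `(unsigned)` cast keeps the arithmetic unsigned while `sz` is still declared `register int`. The two new `== 0` checks on _XkbReadBufferCopyKeySyms() return BadLength immediately without undoing the resize just performed, so cleanup of the partially filled map has to happen in the caller.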
[OE-core][dunfell][PATCH] vim: Upgrade 9.0.2009 -> 9.0.2048
From: Siddharth Doshi This includes CVE fix for CVE-2023-5535. Signed-off-by: Siddharth Doshi --- meta/recipes-support/vim/vim.inc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc index 51247cbe0a..d8e88af22e 100644 --- a/meta/recipes-support/vim/vim.inc +++ b/meta/recipes-support/vim/vim.inc @@ -19,8 +19,8 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \ file://no-path-adjust.patch \ " -PV .= ".2009" -SRCREV = "54844857fd6933fa4f6678e47610c4b9c9f7a091" +PV .= ".2048" +SRCREV = "982ef16059bd163a77271107020defde0740bbd6" # Remove when 8.3 is out UPSTREAM_VERSION_UNKNOWN = "1" -- 2.34.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#189426): https://lists.openembedded.org/g/openembedded-core/message/189426 Mute This Topic: https://lists.openembedded.org/mt/102054886/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
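Review bot: the context lines of this hunk still carry `# Remove when 8.3 is out` above `UPSTREAM_VERSION_UNKNOWN = "1"`, which is stale now that PV is 9.0.2048; not part of this bump, but worth a follow-up cleanup on dunfell. The PV/SRCREV pair (`.2048` / 982ef16059bd163a77271107020defde0740bbd6) matches the mickledore, kirkstone and master versions of this change on this page.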
[OE-core][mickledore][PATCH] vim: Upgrade 9.0.2009 -> 9.0.2048
From: Siddharth Doshi This includes CVE fix for CVE-2023-5535. Signed-off-by: Siddharth Doshi --- meta/recipes-support/vim/vim.inc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc index 5e06866692..58025828f2 100644 --- a/meta/recipes-support/vim/vim.inc +++ b/meta/recipes-support/vim/vim.inc @@ -19,8 +19,8 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \ file://no-path-adjust.patch \ " -PV .= ".2009" -SRCREV = "54844857fd6933fa4f6678e47610c4b9c9f7a091" +PV .= ".2048" +SRCREV = "982ef16059bd163a77271107020defde0740bbd6" # Do not consider .z in x.y.z, as that is updated with every commit UPSTREAM_CHECK_GITTAGREGEX = "(?P\d+\.\d+)\.0" -- 2.34.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#189425): https://lists.openembedded.org/g/openembedded-core/message/189425 Mute This Topic: https://lists.openembedded.org/mt/102054453/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core][kirkstone][PATCH] vim: Upgrade 9.0.2009 -> 9.0.2048
From: Siddharth Doshi This includes CVE fix for CVE-2023-5535. Signed-off-by: Siddharth Doshi --- meta/recipes-support/vim/vim.inc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc index 5e06866692..58025828f2 100644 --- a/meta/recipes-support/vim/vim.inc +++ b/meta/recipes-support/vim/vim.inc @@ -19,8 +19,8 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \ file://no-path-adjust.patch \ " -PV .= ".2009" -SRCREV = "54844857fd6933fa4f6678e47610c4b9c9f7a091" +PV .= ".2048" +SRCREV = "982ef16059bd163a77271107020defde0740bbd6" # Do not consider .z in x.y.z, as that is updated with every commit UPSTREAM_CHECK_GITTAGREGEX = "(?P\d+\.\d+)\.0" -- 2.34.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#189424): https://lists.openembedded.org/g/openembedded-core/message/189424 Mute This Topic: https://lists.openembedded.org/mt/102054450/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core][master][PATCH] vim: Upgrade 9.0.2009 -> 9.0.2048
From: Siddharth Doshi This includes CVE fix for CVE-2023-5535. Signed-off-by: Siddharth Doshi --- meta/recipes-support/vim/vim.inc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc index 5e06866692..58025828f2 100644 --- a/meta/recipes-support/vim/vim.inc +++ b/meta/recipes-support/vim/vim.inc @@ -19,8 +19,8 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \ file://no-path-adjust.patch \ " -PV .= ".2009" -SRCREV = "54844857fd6933fa4f6678e47610c4b9c9f7a091" +PV .= ".2048" +SRCREV = "982ef16059bd163a77271107020defde0740bbd6" # Do not consider .z in x.y.z, as that is updated with every commit UPSTREAM_CHECK_GITTAGREGEX = "(?P\d+\.\d+)\.0" -- 2.34.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#189397): https://lists.openembedded.org/g/openembedded-core/message/189397 Mute This Topic: https://lists.openembedded.org/mt/102040997/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core][kirkstone][PATCH] tiff: Security fix for CVE-2023-40745
From: Siddharth Doshi Upstream-Status: Backport from [https://gitlab.com/libtiff/libtiff/-/commit/4fc16f649fa2875d5c388cf2edc295510a247ee5] CVE: CVE-2023-40745 Signed-off-by: Siddharth Doshi --- .../libtiff/tiff/CVE-2023-40745.patch | 34 +++ meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | 1 + 2 files changed, 35 insertions(+) create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-40745.patch diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-40745.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-40745.patch new file mode 100644 index 00..cb4656fd46 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-40745.patch @@ -0,0 +1,34 @@ +From 4fc16f649fa2875d5c388cf2edc295510a247ee5 Mon Sep 17 00:00:00 2001 +From: Arie Haenel +Date: Wed, 19 Jul 2023 19:34:25 + +Subject: [PATCH] tiffcp: fix memory corruption (overflow) on hostile images + (fixes #591) + +Upstream-Status: Backport from [https://gitlab.com/libtiff/libtiff/-/commit/4fc16f649fa2875d5c388cf2edc295510a247ee5] +CVE: CVE-2023-40745 +Signed-off-by: Siddharth Doshi +--- + tools/tiffcp.c | 7 +++ + 1 file changed, 7 insertions(+) + +diff --git a/tools/tiffcp.c b/tools/tiffcp.c +index 57eef90..34b6ef2 100644 +--- a/tools/tiffcp.c b/tools/tiffcp.c +@@ -1577,6 +1577,13 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer) + TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)"); + return 0; + } ++ ++ if ( (imagew - tilew * spp) > INT_MAX ){ ++ TIFFError(TIFFFileName(in), ++"Error, image raster scan line size is too large"); ++ return 0; ++ } ++ + iskew = imagew - tilew*spp; + tilebuf = limitMalloc(tilesize); + if (tilebuf == 0) +-- +2.25.1 + diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb index 61d8142e41..9071b407cf 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb 
@@ -43,6 +43,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ file://CVE-2023-3618-1.patch \ file://CVE-2023-3618-2.patch \ file://CVE-2023-26966.patch \ + file://CVE-2023-40745.patch \ " SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8" -- 2.34.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#189343): https://lists.openembedded.org/g/openembedded-core/message/189343 Mute This Topic: https://lists.openembedded.org/mt/102020787/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
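Review bot: the new guard compares `imagew - tilew * spp` against INT_MAX right before the same expression is stored into `iskew` on the following line, so it prevents a truncating assignment, but it only rejects the positive direction: if the operands are signed and `tilew * spp` exceeds `imagew`, the negative result passes the check. The backport takes the upstream commit verbatim, so that is a question for upstream rather than for this patch; also confirm that tiffcp.c already includes the header providing INT_MAX, since the hunk does not add one.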
[OE-core][dunfell][PATCH 2/2] libxpm: upgrade to 3.5.17
From: Siddharth Doshi - This upgrade includes multiple security fixes. CVE-2022-4883 CVE-2022-44617 CVE-2022-46285 CVE-2022-44617 CVE-2023-43788 CVE-2023-43789 - Removed CVE-2022-46285 as it is already fixed by this upgrade. - License-update: additional copyright holders f0857c0 man pages: Correct Copyright/License notices Due to this commit LIC_FILES_CHKSUM is changed - Disable reading compressed files as that requires compress/uncompress executables. Following the approach in oe-core/master: 7de4084634 libxpm: upgrade 3.5.14 -> 3.5.15 - Add XORG_EXT to specify tar.xz as upstream has switched from bz2 to xz compression. Signed-off-by: Siddharth Doshi --- .../xorg-lib/libxpm/CVE-2022-46285.patch | 40 --- .../{libxpm_3.5.13.bb => libxpm_3.5.17.bb}| 9 ++--- 2 files changed, 4 insertions(+), 45 deletions(-) delete mode 100644 meta/recipes-graphics/xorg-lib/libxpm/CVE-2022-46285.patch rename meta/recipes-graphics/xorg-lib/{libxpm_3.5.13.bb => libxpm_3.5.17.bb} (68%) diff --git a/meta/recipes-graphics/xorg-lib/libxpm/CVE-2022-46285.patch b/meta/recipes-graphics/xorg-lib/libxpm/CVE-2022-46285.patch deleted file mode 100644 index e8b654dfb2..00 --- a/meta/recipes-graphics/xorg-lib/libxpm/CVE-2022-46285.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -CVE: CVE-2022-46285 -Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/a3a7c6dcc3b629d7650148 ] -Signed-off-by: Lee Chee Yang - -From a3a7c6dcc3b629d765014816c566c63165c63ca8 Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Sat, 17 Dec 2022 12:23:45 -0800 -Subject: [PATCH] Fix CVE-2022-46285: Infinite loop on unclosed comments - -When reading XPM images from a file with libXpm 3.5.14 or older, if a -comment in the file is not closed (i.e. a C-style comment starts with -"/*" and is missing the closing "*/"), the ParseComment() function will -loop forever calling getc() to try to read the rest of the comment, -failing to notice that it has returned EOF, which may cause a denial of -service to the calling program. - -Reported-by: Marco Ivaldi -Signed-off-by: Alan Coopersmith - src/data.c | 4 - 1 file changed, 4 insertions(+) - -diff --git a/src/data.c b/src/data.c -index 898889c..bfad4ff 100644 a/src/data.c -+++ b/src/data.c -@@ -174,6 +174,10 @@ ParseComment(xpmData *data) - notend = 0; - Ungetc(data, *s, file); - } -+ else if (c == EOF) { -+ /* hit end of file before the end of the comment */ -+ return XpmFileInvalid; -+ } - } - return 0; - } --- -GitLab - diff --git a/meta/recipes-graphics/xorg-lib/libxpm_3.5.13.bb b/meta/recipes-graphics/xorg-lib/libxpm_3.5.17.bb similarity index 68% rename from meta/recipes-graphics/xorg-lib/libxpm_3.5.13.bb rename to meta/recipes-graphics/xorg-lib/libxpm_3.5.17.bb index 8937e61cb5..4694f911be 100644 --- a/meta/recipes-graphics/xorg-lib/libxpm_3.5.13.bb +++ b/meta/recipes-graphics/xorg-lib/libxpm_3.5.17.bb 
@@ -11,19 +11,18 @@ an extension of the monochrome XBM bitmap specificied in the X \ protocol." LICENSE = "MIT" -LIC_FILES_CHKSUM = "file://COPYING;md5=51f4270b012ecd4ab1a164f5f4ed6cf7" +LIC_FILES_CHKSUM = "file://COPYING;md5=903942ebc9d807dfb68540f40bae5aff" DEPENDS += "libxext libsm libxt gettext-native" PE = "1" XORG_PN = "libXpm" +XORG_EXT = "tar.xz" +EXTRA_OECONF += "--disable-open-zfile" PACKAGES =+ "sxpm cxpm" FILES_cxpm = "${bindir}/cxpm" FILES_sxpm = "${bindir}/sxpm" -SRC_URI += " file://CVE-2022-46285.patch" - -SRC_URI[md5sum] = "6f0ecf8d103d528cfc803aa475137afa" -SRC_URI[sha256sum] = "9cd1da57588b6cb71450eff2273ef6b657537a9ac4d02d0014228845b935ac25" +SRC_URI[sha256sum] = "64b31f81019e7d388c822b0b28af8d51c4622b83f1f0cb6fa3fc95e271226e43" BBCLASSEXTEND = "native" -- 2.34.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#189296): https://lists.openembedded.org/g/openembedded-core/message/189296 Mute This Topic: https://lists.openembedded.org/mt/101996977/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
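Review bot: `XORG_EXT = "tar.xz"` in the libxpm_3.5.17.bb hunk only takes effect once 1/2 (xorg-lib-common: add the XORG_EXT variable) is merged, so the two patches must land in order; otherwise SRC_URI still ends in .tar.bz2 and the new sha256sum will not match. Nit on the message: CVE-2022-44617 is listed twice in the CVE list. The removal of CVE-2022-46285.patch is consistent with the diff (the file is deleted and its `SRC_URI += " file://CVE-2022-46285.patch"` line dropped), and the LIC_FILES_CHKSUM change is explained by the cited man-page copyright commit f0857c0.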
[OE-core][dunfell][PATCH 1/2] xorg-lib-common: Add variable to set tarball type
From: Siddharth Doshi Upstream has switched some new releases from bz2 to xz compression. Add an XORG_EXT variable so recipes can set the file name extension needed for the compression type. Following the approach in oe-core/master: 6a8068e036b4b2a40b38896275b936916b4db76e xorg-lib-common: Add variable to set tarball type use a variable for the tarball suffix/compression format. Signed-off-by: Robert Joslyn Signed-off-by: Alexandre Belloni Signed-off-by: Siddharth Doshi --- meta/recipes-graphics/xorg-lib/xorg-lib-common.inc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/meta/recipes-graphics/xorg-lib/xorg-lib-common.inc b/meta/recipes-graphics/xorg-lib/xorg-lib-common.inc index a566eaa45e..1e8525d874 100644 --- a/meta/recipes-graphics/xorg-lib/xorg-lib-common.inc +++ b/meta/recipes-graphics/xorg-lib/xorg-lib-common.inc @@ -6,8 +6,9 @@ LICENSE = "MIT-X" DEPENDS = "util-macros" XORG_PN = "${BPN}" +XORG_EXT ?= "tar.bz2" -SRC_URI = "${XORG_MIRROR}/individual/lib/${XORG_PN}-${PV}.tar.bz2" +SRC_URI = "${XORG_MIRROR}/individual/lib/${XORG_PN}-${PV}.${XORG_EXT}" S = "${WORKDIR}/${XORG_PN}-${PV}" -- 2.34.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#189295): https://lists.openembedded.org/g/openembedded-core/message/189295 Mute This Topic: https://lists.openembedded.org/mt/101996976/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
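Review bot: using a weak default, `XORG_EXT ?= "tar.bz2"`, keeps every existing xorg-lib recipe on the bz2 tarball and lets an individual recipe override it with `XORG_EXT = "tar.xz"`, matching the master commit cited (6a8068e036b4b2a40b38896275b936916b4db76e); `S = "${WORKDIR}/${XORG_PN}-${PV}"` is unaffected since it does not contain the extension.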
[OE-core][kirkstone][PATCH] libxpm: upgrade to 3.5.17
From: Siddharth Doshi This release fixes the following CVEs: - CVE-2023-43788 - CVE-2023-43789 Signed-off-by: Ross Burton Signed-off-by: Siddharth Doshi --- .../xorg-lib/{libxpm_3.5.16.bb => libxpm_3.5.17.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-graphics/xorg-lib/{libxpm_3.5.16.bb => libxpm_3.5.17.bb} (88%) diff --git a/meta/recipes-graphics/xorg-lib/libxpm_3.5.16.bb b/meta/recipes-graphics/xorg-lib/libxpm_3.5.17.bb similarity index 88% rename from meta/recipes-graphics/xorg-lib/libxpm_3.5.16.bb rename to meta/recipes-graphics/xorg-lib/libxpm_3.5.17.bb index 28a775c5f4..7bc494a690 100644 --- a/meta/recipes-graphics/xorg-lib/libxpm_3.5.16.bb +++ b/meta/recipes-graphics/xorg-lib/libxpm_3.5.17.bb @@ -23,6 +23,6 @@ PACKAGES =+ "sxpm cxpm" FILES:cxpm = "${bindir}/cxpm" FILES:sxpm = "${bindir}/sxpm" -SRC_URI[sha256sum] = "e6bc5da7a69dbd9bcc67e87c93d4904fe2f5177a0711c56e71fa2f6eff649f51" +SRC_URI[sha256sum] = "64b31f81019e7d388c822b0b28af8d51c4622b83f1f0cb6fa3fc95e271226e43" BBCLASSEXTEND = "native" -- 2.34.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#189294): https://lists.openembedded.org/g/openembedded-core/message/189294 Mute This Topic: https://lists.openembedded.org/mt/101996754/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core][dunfell][PATCH] glib-2.0: Fix multiple vulnerabilities
From: Siddharth Doshi CVE's Fixed: CVE-2023-29499: glib: GVariant offset table entry size is not checked in is_normal() CVE-2023-32611: glib: g_variant_byteswap() can take a long time with some non-normal inputs CVE-2023-32636: glib: Timeout in fuzz_variant_text CVE-2023-32643: glib: Heap-buffer-overflow in g_variant_serialised_get_child CVE-2023-32665: glib: GVariant deserialisation does not match spec for non-normal data 
Signed-off-by: Siddharth Doshi --- .../glib-2.0/glib-2.0/CVE-2023-29499.patch| 290 .../glib-2.0/CVE-2023-32611-0001.patch| 89 .../glib-2.0/CVE-2023-32611-0002.patch| 255 +++ .../glib-2.0/glib-2.0/CVE-2023-32636.patch| 49 ++ .../glib-2.0/glib-2.0/CVE-2023-32643.patch| 154 +++ .../glib-2.0/CVE-2023-32665-0001.patch| 103 + .../glib-2.0/CVE-2023-32665-0002.patch| 210 + .../glib-2.0/CVE-2023-32665-0003.patch| 417 ++ .../glib-2.0/CVE-2023-32665-0004.patch| 113 + .../glib-2.0/CVE-2023-32665-0005.patch| 80 .../glib-2.0/CVE-2023-32665-0006.patch| 396 + .../glib-2.0/CVE-2023-32665-0007.patch| 49 ++ .../glib-2.0/CVE-2023-32665-0008.patch| 394 + .../glib-2.0/CVE-2023-32665-0009.patch| 97 meta/recipes-core/glib-2.0/glib-2.0_2.62.6.bb | 14 + 15 files changed, 2710 insertions(+) create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-29499.patch create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32611-0001.patch create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32611-0002.patch create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32636.patch create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32643.patch create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0001.patch create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0002.patch create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0003.patch create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0004.patch create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0005.patch create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0006.patch create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0007.patch create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0008.patch create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0009.patch 
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-29499.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-29499.patch new file mode 100644 index 00..ce90586290 --- /dev/null +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-29499.patch 
@@ -0,0 +1,290 @@ +From 5f4485c4ff57fdefb1661531788def7ca5a47328 Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Thu, 17 Aug 2023 04:19:44 + +Subject: [PATCH] gvariant-serialiser: Check offset table entry size is minimal + +The entries in an offset table (which is used for variable sized arrays +and tuples containing variable sized members) are sized so that they can +address every byte in the overall variant. + +The specification requires that for a variant to be in normal form, its +offset table entries must be the minimum width such that they can +address every byte in the variant. + +That minimality requirement was not checked in +`g_variant_is_normal_form()`, leading to two different byte arrays being +interpreted as the normal form of a given variant tree. That kind of +confusion could potentially be exploited, and is certainly a bug. + +Fix it by adding the necessary checks on offset table entry width, and +unit tests. + +Spotted by William Manley. + +Signed-off-by: Philip Withnall + +Fixes: #2794 + +CVE: CVE-2023-29499 +Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/glib/-/commit/5f4485c4ff57fdefb1661531788def7ca5a47328] +Signed-off-by: Siddharth Doshi +--- + glib/gvariant-serialiser.c | 19 +++- + glib/tests/gvariant.c | 176 + + 2 files changed, 194 insertions(+), 1 deletion(-) + +diff --git a/glib/gvariant-serialiser.c b/glib/gvariant-serialiser.c +index 0bf7243..5aa2cbc 100644 +--- a/glib/gvariant-serialiser.c b/glib/gvariant-serialiser.c +@@ -694,6 +694,10 @@ gvs_variable_sized_array_get_frame_offsets (GVariantSerialised value) + out.data_size = last_end; + out.array = value.data + last_end; + out.length = offsets_array_size / out.offset_size; ++ ++ if (out.length > 0 && gvs_calculate_total_size (last_end, out.length) != value.size) ++return out; /* offset size not minimal */ ++ + out.is_normal = TRUE; + + return out; +@@ -1201,6 +1205,7 @@ gvs_tuple_is_normal (GVariantSerialised value) + gsize length; + gsize offset; + gsize i; ++ 
gsize offset_table_size; + + /* as per the comment in gvs
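Review bot: in the gvs_variable_sized_array_get_frame_offsets() hunk the early `return out;` fires before `out.is_normal = TRUE` is set, so a non-minimal offset table is reported as non-normal by leaving the flag at its default; that relies on `out` having been initialised earlier in the function, which this hunk's context does not show, so worth a glance when rebasing onto the 2.62.6 sources. The trailing `/* offset size not minimal */` sits after `return out;` and would read better on the `if` line it explains.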
[OE-core][dunfell][PATCH] vim: Upgrade 9.0.1894 -> 9.0.2009
From: Siddharth Doshi This includes CVE fix for CVE-2023-5441. Signed-off-by: Siddharth Doshi --- meta/recipes-support/vim/vim.inc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc index 73e639d7b1..51247cbe0a 100644 --- a/meta/recipes-support/vim/vim.inc +++ b/meta/recipes-support/vim/vim.inc @@ -19,8 +19,8 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \ file://no-path-adjust.patch \ " -PV .= ".1894" -SRCREV = "e5f7cd0a60d0eeab84f7aeb35c13d3af7e50072e" +PV .= ".2009" +SRCREV = "54844857fd6933fa4f6678e47610c4b9c9f7a091" # Remove when 8.3 is out UPSTREAM_VERSION_UNKNOWN = "1" -- 2.34.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#188986): https://lists.openembedded.org/g/openembedded-core/message/188986 Mute This Topic: https://lists.openembedded.org/mt/101913473/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core][kirkstone][PATCH] vim: Upgrade 9.0.1894 -> 9.0.2009
From: Siddharth Doshi This includes CVE fix for CVE-2023-5441. Signed-off-by: Siddharth Doshi --- meta/recipes-support/vim/vim.inc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc index 5f55f590e6..5e06866692 100644 --- a/meta/recipes-support/vim/vim.inc +++ b/meta/recipes-support/vim/vim.inc @@ -19,8 +19,8 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \ file://no-path-adjust.patch \ " -PV .= ".1894" -SRCREV = "e5f7cd0a60d0eeab84f7aeb35c13d3af7e50072e" +PV .= ".2009" +SRCREV = "54844857fd6933fa4f6678e47610c4b9c9f7a091" # Do not consider .z in x.y.z, as that is updated with every commit UPSTREAM_CHECK_GITTAGREGEX = "(?P\d+\.\d+)\.0" -- 2.34.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#188982): https://lists.openembedded.org/g/openembedded-core/message/188982 Mute This Topic: https://lists.openembedded.org/mt/101913301/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [OE-core] [kirkstone][PATCH] glibc: Update to latest on stable 2.35 branch
Please ignore the above message. Sent by mistake. View/Reply Online (#188981): https://lists.openembedded.org/g/openembedded-core/message/188981
[OE-core][kirkstone][PATCH] glibc: Update to latest on stable 2.35 branch
From: Peter Marko Addresses CVE-2023-4911. Single commit bump: * c84018a05ae tunables: Terminate if end of input is reached (CVE-2023-4911) Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- meta/recipes-core/glibc/glibc-version.inc | 2 +- meta/recipes-core/glibc/glibc_2.35.bb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/meta/recipes-core/glibc/glibc-version.inc b/meta/recipes-core/glibc/glibc-version.inc index c23a43576c..e0d47f283b 100644 --- a/meta/recipes-core/glibc/glibc-version.inc +++ b/meta/recipes-core/glibc/glibc-version.inc @@ -1,6 +1,6 @@ SRCBRANCH ?= "release/2.35/master" PV = "2.35" -SRCREV_glibc ?= "73d4ce728a59deb2fd18969e559769b3f590fac9" +SRCREV_glibc ?= "c84018a05aec80f5ee6f682db0da1130b0196aef" SRCREV_localedef ?= "794da69788cbf9bf57b59a852f9f11307663fa87" GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git" diff --git a/meta/recipes-core/glibc/glibc_2.35.bb b/meta/recipes-core/glibc/glibc_2.35.bb index b4bad5b7ac..271520f76b 100644 --- a/meta/recipes-core/glibc/glibc_2.35.bb +++ b/meta/recipes-core/glibc/glibc_2.35.bb @@ -17,7 +17,7 @@ CVE_CHECK_IGNORE += "CVE-2019-1010022 CVE-2019-1010023 CVE-2019-1010024" CVE_CHECK_IGNORE += "CVE-2019-1010025" # To avoid these in cve-check reports since the recipe version did not change -CVE_CHECK_IGNORE += "CVE-2023-4813 CVE-2023-4806 CVE-2023-5156" +CVE_CHECK_IGNORE += "CVE-2023-4813 CVE-2023-4806 CVE-2023-4911 CVE-2023-5156" DEPENDS += "gperf-native bison-native" -- 2.34.1 View/Reply Online (#188980): https://lists.openembedded.org/g/openembedded-core/message/188980
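Review bot: the CVE_CHECK_IGNORE addition in glibc_2.35.bb is only sound because the same commit moves SRCREV_glibc in glibc-version.inc to c84018a05aec80f5ee6f682db0da1130b0196aef, the commit the message names as carrying the CVE-2023-4911 fix; since PV stays 2.35, cve-check cannot tell a fixed tree from an unfixed one, so these two hunks must never be cherry-picked apart. Suggest making the coupling explicit in the comment above the list, e.g. `# ... the fixes are pulled in by the SRCREV bumps in glibc-version.inc`, so a later reader does not treat the ignore entry as a standalone decision.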
[OE-core][mickledore][PATCH] vim: Upgrade 9.0.1894 -> 9.0.2009
From: Siddharth Doshi This includes CVE fix for CVE-2023-5441. Signed-off-by: Siddharth Doshi --- meta/recipes-support/vim/vim.inc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc index 5f55f590e6..5e06866692 100644 --- a/meta/recipes-support/vim/vim.inc +++ b/meta/recipes-support/vim/vim.inc @@ -19,8 +19,8 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \ file://no-path-adjust.patch \ " -PV .= ".1894" -SRCREV = "e5f7cd0a60d0eeab84f7aeb35c13d3af7e50072e" +PV .= ".2009" +SRCREV = "54844857fd6933fa4f6678e47610c4b9c9f7a091" # Do not consider .z in x.y.z, as that is updated with every commit UPSTREAM_CHECK_GITTAGREGEX = "(?P\d+\.\d+)\.0" -- 2.34.1 View/Reply Online (#188979): https://lists.openembedded.org/g/openembedded-core/message/188979
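Review bot: this is the same hunk as the master posting of the bump (#188978), down to the vim.inc blob ids 5f55f590e6..5e06866692. Stable-branch submissions on this list normally follow the master change and cite its OE-Core commit once merged, so either mark this one as depending on the master patch or add that reference when it lands; otherwise the two can drift if master picks up review changes.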
[OE-core][master][PATCH] vim: Upgrade 9.0.1894 -> 9.0.2009
From: Siddharth Doshi This includes CVE fix for CVE-2023-5441. Signed-off-by: Siddharth Doshi --- meta/recipes-support/vim/vim.inc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc index 5f55f590e6..5e06866692 100644 --- a/meta/recipes-support/vim/vim.inc +++ b/meta/recipes-support/vim/vim.inc @@ -19,8 +19,8 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \ file://no-path-adjust.patch \ " -PV .= ".1894" -SRCREV = "e5f7cd0a60d0eeab84f7aeb35c13d3af7e50072e" +PV .= ".2009" +SRCREV = "54844857fd6933fa4f6678e47610c4b9c9f7a091" # Do not consider .z in x.y.z, as that is updated with every commit UPSTREAM_CHECK_GITTAGREGEX = "(?P\d+\.\d+)\.0" -- 2.34.1 View/Reply Online (#188978): https://lists.openembedded.org/g/openembedded-core/message/188978
[OE-core][dunfell][PATCH] go: Fix CVE-2023-39318 and CVE-2023-39319
From: Siddharth Doshi Upstream-Status: Backport from [https://github.com/golang/go/commit/023b542edf38e2a1f87fcefb9f75ff2f99401b4c] CVE: CVE-2023-39318 Upstream-Status: Backport from [https://github.com/golang/go/commit/2070531d2f53df88e312edace6c8dfc9686ab2f5] CVE: CVE-2023-39319 Signed-off-by: Siddharth Doshi --- meta/recipes-devtools/go/go-1.14.inc | 2 + .../go/go-1.14/CVE-2023-39318.patch | 238 ++ .../go/go-1.14/CVE-2023-39319.patch | 230 + 3 files changed, 470 insertions(+) create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-39319.patch diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc index 20377e095b..9fc5eb130f 100644 --- a/meta/recipes-devtools/go/go-1.14.inc +++ b/meta/recipes-devtools/go/go-1.14.inc @@ -70,6 +70,8 @@ SRC_URI += "\ file://CVE-2023-29400.patch \ file://CVE-2023-29406.patch \ file://CVE-2023-29409.patch \ +file://CVE-2023-39318.patch \ +file://CVE-2023-39319.patch \ " SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch" diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch new file mode 100644 index 00..20e70c0485 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch 
@@ -0,0 +1,238 @@ +From 023b542edf38e2a1f87fcefb9f75ff2f99401b4c Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Thu, 3 Aug 2023 12:24:13 -0700 +Subject: [PATCH] [release-branch.go1.20] html/template: support HTML-like + comments in script contexts + +Per Appendix B.1.1 of the ECMAScript specification, support HTML-like +comments in script contexts. Also per section 12.5, support hashbang +comments. This brings our parsing in-line with how browsers treat these +comment types. + +Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for +reporting this issue. + +Fixes #62196 +Fixes #62395 +Fixes CVE-2023-39318 + +Change-Id: Id512702c5de3ae46cf648e268cb10e1eb392a181 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1976593 +Run-TryBot: Roland Shoemaker +Reviewed-by: Tatiana Bradley +Reviewed-by: Damien Neil +Reviewed-by: Dmitri Shuralyov +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2014620 +Reviewed-on: https://go-review.googlesource.com/c/go/+/526098 +Run-TryBot: Cherry Mui +TryBot-Result: Gopher Robot + +Upstream-Status: Backport from [https://github.com/golang/go/commit/023b542edf38e2a1f87fcefb9f75ff2f99401b4c] +CVE: CVE-2023-39318 +Signed-off-by: Siddharth Doshi +--- + src/html/template/context.go | 6 ++- + src/html/template/escape.go | 5 +- + src/html/template/escape_test.go | 10 + src/html/template/state_string.go | 4 +- + src/html/template/transition.go | 80 --- + 5 files changed, 72 insertions(+), 33 deletions(-) + +diff --git a/src/html/template/context.go b/src/html/template/context.go +index 0b65313..4eb7891 100644 +--- a/src/html/template/context.go b/src/html/template/context.go +@@ -124,6 +124,10 @@ const ( + stateJSBlockCmt + // stateJSLineCmt occurs inside a JavaScript // line comment. + stateJSLineCmt ++ // stateJSHTMLOpenCmt occurs inside a JavaScript HTML-like comment. ++ stateJSHTMLCloseCmt + // stateCSS occurs inside a
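Review bot: the embedded patch header still reads `[release-branch.go1.20]` while the recipe is go-1.14.inc, and the message says only "Backport from"; state whether the upstream commit applied to the 1.14 html/template tree as-is or had to be rebased, since the surrounding code (transition.go and the generated state_string.go listed in the diffstat) may differ between those releases. Also, the context.go hunk is headed `@@ -124,6 +124,10 @@`, i.e. four added lines, but only two `+` lines are visible here, and the comment names stateJSHTMLOpenCmt directly above the constant stateJSHTMLCloseCmt; confirm that the archive, not the patch file, dropped the intervening lines.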
[OE-core][kirkstone][PATCHv2] go: Fix CVE-2023-39318
From: Siddharth Doshi Upstream-Status: Backport from [https://github.com/golang/go/commit/023b542edf38e2a1f87fcefb9f75ff2f99401b4c] CVE: CVE-2023-39318 Signed-off-by: Siddharth Doshi --- meta/recipes-devtools/go/go-1.17.13.inc | 1 + .../go/go-1.21/CVE-2023-39318.patch | 238 ++ 2 files changed, 239 insertions(+) create mode 100644 meta/recipes-devtools/go/go-1.21/CVE-2023-39318.patch diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc index c753a26a7e..ed2645bc12 100644 --- a/meta/recipes-devtools/go/go-1.17.13.inc +++ b/meta/recipes-devtools/go/go-1.17.13.inc @@ -44,6 +44,7 @@ SRC_URI += "\ file://CVE-2023-24531_2.patch \ file://CVE-2023-29409.patch \ file://CVE-2023-39319.patch \ +file://CVE-2023-39318.patch \ " SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd" diff --git a/meta/recipes-devtools/go/go-1.21/CVE-2023-39318.patch b/meta/recipes-devtools/go/go-1.21/CVE-2023-39318.patch new file mode 100644 index 00..85c6ec97c8 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.21/CVE-2023-39318.patch 
@@ -0,0 +1,238 @@ +From 023b542edf38e2a1f87fcefb9f75ff2f99401b4c Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Thu, 3 Aug 2023 12:24:13 -0700 +Subject: [PATCH] [release-branch.go1.20] html/template: support HTML-like + comments in script contexts + +Per Appendix B.1.1 of the ECMAScript specification, support HTML-like +comments in script contexts. Also per section 12.5, support hashbang +comments. This brings our parsing in-line with how browsers treat these +comment types. + +Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for +reporting this issue. + +Fixes #62196 +Fixes #62395 +Fixes CVE-2023-39318 + +Change-Id: Id512702c5de3ae46cf648e268cb10e1eb392a181 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1976593 +Run-TryBot: Roland Shoemaker +Reviewed-by: Tatiana Bradley +Reviewed-by: Damien Neil +Reviewed-by: Dmitri Shuralyov +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2014620 +Reviewed-on: https://go-review.googlesource.com/c/go/+/526098 +Run-TryBot: Cherry Mui +TryBot-Result: Gopher Robot + +Upstream-Status: Backport from [https://github.com/golang/go/commit/023b542edf38e2a1f87fcefb9f75ff2f99401b4c] +CVE: CVE-2023-39318 +Signed-off-by: Siddharth Doshi +--- + src/html/template/context.go | 6 ++- + src/html/template/escape.go | 5 +- + src/html/template/escape_test.go | 10 + src/html/template/state_string.go | 4 +- + src/html/template/transition.go | 80 --- + 5 files changed, 72 insertions(+), 33 deletions(-) + +diff --git a/src/html/template/context.go b/src/html/template/context.go +index f5f44a1..feb6517 100644 +--- a/src/html/template/context.go b/src/html/template/context.go +@@ -124,6 +124,10 @@ const ( + stateJSBlockCmt + // stateJSLineCmt occurs inside a JavaScript // line comment. + stateJSLineCmt ++ // stateJSHTMLOpenCmt occurs inside a JavaScript HTML-like comment. ++ stateJSHTMLCloseCmt + // stateCSS occurs inside a
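Review bot: a v2 should say what changed from v1; the visible difference is that the context.go hunk now carries blob ids f5f44a1..feb6517 instead of 0b65313..4eb7891, which suggests the patch was regenerated against the 1.17 tree, and that belongs in the message (below the `---` line so it does not land in the commit). The patch is also placed under go-1.21/ while the recipe is go-1.17.13.inc; the CVE-2023-39319.patch already in the same SRC_URI list suggests FILESEXTRAPATHS resolves that directory, but a one-line mention would spare the next reviewer the check.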
[OE-core][kirkstone][PATCH] go: Fix CVE-2023-39318
From: Siddharth Doshi Upstream-Status: Backport from [https://github.com/golang/go/commit/023b542edf38e2a1f87fcefb9f75ff2f99401b4c] CVE: CVE-2023-39318 Signed-off-by: Siddharth Doshi --- meta/recipes-devtools/go/go-1.17.13.inc | 1 + .../go/go-1.21/CVE-2023-39318.patch | 238 ++ 2 files changed, 239 insertions(+) create mode 100644 meta/recipes-devtools/go/go-1.21/CVE-2023-39318.patch diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc index 119ae112af..df7d5d235a 100644 --- a/meta/recipes-devtools/go/go-1.17.13.inc +++ b/meta/recipes-devtools/go/go-1.17.13.inc @@ -44,6 +44,7 @@ SRC_URI += "\ file://CVE-2023-24531_2.patch \ file://CVE-2023-29409.patch \ file://CVE-2023-39319.patch \ +file://CVE-2023-39318.patch \ " SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd" diff --git a/meta/recipes-devtools/go/go-1.21/CVE-2023-39318.patch b/meta/recipes-devtools/go/go-1.21/CVE-2023-39318.patch new file mode 100644 index 00..942af323e0 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.21/CVE-2023-39318.patch 
@@ -0,0 +1,238 @@ +From 023b542edf38e2a1f87fcefb9f75ff2f99401b4c Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Thu, 3 Aug 2023 12:24:13 -0700 +Subject: [PATCH] [release-branch.go1.20] html/template: support HTML-like + comments in script contexts + +Per Appendix B.1.1 of the ECMAScript specification, support HTML-like +comments in script contexts. Also per section 12.5, support hashbang +comments. This brings our parsing in-line with how browsers treat these +comment types. + +Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for +reporting this issue. + +Fixes #62196 +Fixes #62395 +Fixes CVE-2023-39318 + +Change-Id: Id512702c5de3ae46cf648e268cb10e1eb392a181 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1976593 +Run-TryBot: Roland Shoemaker +Reviewed-by: Tatiana Bradley +Reviewed-by: Damien Neil +Reviewed-by: Dmitri Shuralyov +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2014620 +Reviewed-on: https://go-review.googlesource.com/c/go/+/526098 +Run-TryBot: Cherry Mui +TryBot-Result: Gopher Robot + +Upstream-Status: Backport from [https://github.com/golang/go/commit/023b542edf38e2a1f87fcefb9f75ff2f99401b4c] +CVE: CVE-2023-39318 +Signed-off-by: Siddharth Doshi +--- + src/html/template/context.go | 6 ++- + src/html/template/escape.go | 5 +- + src/html/template/escape_test.go | 10 + src/html/template/state_string.go | 4 +- + src/html/template/transition.go | 80 --- + 5 files changed, 72 insertions(+), 33 deletions(-) + +diff --git a/src/html/template/context.go b/src/html/template/context.go +index 0b65313..4eb7891 100644 +--- a/src/html/template/context.go b/src/html/template/context.go +@@ -124,6 +124,10 @@ const ( + stateJSBlockCmt + // stateJSLineCmt occurs inside a JavaScript // line comment. + stateJSLineCmt ++ // stateJSHTMLOpenCmt occurs inside a JavaScript HTML-like comment. ++ stateJSHTMLCloseCmt + // stateCSS occurs inside a
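Review bot: superseded by the PATCHv2 posting of the same change; the only visible difference between the two is the context.go blob ids (0b65313..4eb7891 here versus f5f44a1..feb6517 in v2), so this version should be dropped from the queue to avoid applying a patch generated against a different base than the kirkstone 1.17.13 tree.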
[OE-core][dunfell][PATCH] libxml2: Fix CVE-2023-39615
From: Siddharth Doshi Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/libxml2/-/commit/d0c3f01e110d54415611c5fa0040cdf4a56053f9, https://gitlab.gnome.org/GNOME/libxml2/-/commit/235b15a590eecf97b09e87bdb7e4f8333e9de129] CVE: CVE-2023-39615 Signed-off-by: Siddharth Doshi --- .../libxml/libxml2/CVE-2023-39615-0001.patch | 36 ++ .../libxml/libxml2/CVE-2023-39615-0002.patch | 71 +++ .../libxml/libxml2/CVE-2023-39615-pre.patch | 44 meta/recipes-core/libxml/libxml2_2.9.10.bb| 3 + 4 files changed, 154 insertions(+) create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-39615-0001.patch create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-39615-0002.patch create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-39615-pre.patch diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-39615-0001.patch b/meta/recipes-core/libxml/libxml2/CVE-2023-39615-0001.patch new file mode 100644 index 00..9689cec67d --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2023-39615-0001.patch 
@@ -0,0 +1,36 @@ +From d0c3f01e110d54415611c5fa0040cdf4a56053f9 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sat, 6 May 2023 17:47:37 +0200 +Subject: [PATCH] parser: Fix old SAX1 parser with custom callbacks + +For some reason, xmlCtxtUseOptionsInternal set the start and end element +SAX handlers to the internal DOM builder functions when XML_PARSE_SAX1 +was specified. This means that custom SAX handlers could never work with +that flag because these functions would receive the wrong user data +argument and crash immediately. + +Fixes #535. + +Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/libxml2/-/commit/d0c3f01e110d54415611c5fa0040cdf4a56053f9] +CVE: CVE-2023-39615 +Signed-off-by: Siddharth Doshi +--- + parser.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/parser.c b/parser.c +index 6e09208..7814e6e 100644 +--- a/parser.c b/parser.c +@@ -15156,8 +15156,6 @@ xmlCtxtUseOptionsInternal(xmlParserCtxtPtr ctxt, int options, const char *encodi + } + #ifdef LIBXML_SAX1_ENABLED + if (options & XML_PARSE_SAX1) { +-ctxt->sax->startElement = xmlSAX2StartElement; +-ctxt->sax->endElement = xmlSAX2EndElement; + ctxt->sax->startElementNs = NULL; + ctxt->sax->endElementNs = NULL; + ctxt->sax->initialized = 1; +-- +2.24.4 + diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-39615-0002.patch b/meta/recipes-core/libxml/libxml2/CVE-2023-39615-0002.patch new file mode 100644 index 00..ebd9868fac --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2023-39615-0002.patch 
@@ -0,0 +1,71 @@ +From 235b15a590eecf97b09e87bdb7e4f8333e9de129 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Mon, 8 May 2023 17:58:02 +0200 +Subject: [PATCH] SAX: Always initialize SAX1 element handlers + +Follow-up to commit d0c3f01e. A parser context will be initialized to +SAX version 2, but this can be overridden with XML_PARSE_SAX1 later, +so we must initialize the SAX1 element handlers as well. + +Change the check in xmlDetectSAX2 to only look for XML_SAX2_MAGIC, so +we don't switch to SAX1 if the SAX2 element handlers are NULL. + +Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/libxml2/-/commit/235b15a590eecf97b09e87bdb7e4f8333e9de129] +CVE: CVE-2023-39615 +Signed-off-by: Siddharth Doshi +--- + SAX2.c | 11 +++ + parser.c | 5 + + 2 files changed, 8 insertions(+), 8 deletions(-) + +diff --git a/SAX2.c b/SAX2.c +index 5f141f9..902d34d 100644 +--- a/SAX2.c b/SAX2.c +@@ -2869,20 +2869,23 @@ xmlSAXVersion(xmlSAXHandler *hdlr, int version) + { + if (hdlr == NULL) return(-1); + if (version == 2) { +- hdlr->startElement = NULL; +- hdlr->endElement = NULL; + hdlr->startElementNs = xmlSAX2StartElementNs; + hdlr->endElementNs = xmlSAX2EndElementNs; + hdlr->serror = NULL; + hdlr->initialized = XML_SAX2_MAGIC; + #ifdef LIBXML_SAX1_ENABLED + } else if (version == 1) { +- hdlr->startElement = xmlSAX2StartElement; +- hdlr->endElement = xmlSAX2EndElement; + hdlr->initialized = 1; + #endif /* LIBXML_SAX1_ENABLED */ + } else + return(-1); ++#ifdef LIBXML_SAX1_ENABLED ++hdlr->startElement = xmlSAX2StartElement; ++hdlr->endElement = xmlSAX2EndElement; ++#else ++hdlr->startElement = NULL; ++hdlr->endElement = NULL; ++#endif /* LIBXML_SAX1_ENABLED */ + hdlr->internalSubset = xmlSAX2InternalSubset; + hdlr->externalSubset = xmlSAX2ExternalSubset; + hdlr->isStandalone = xmlSAX2IsStandalone; +diff --git a/parser.c b/parser.c +index 7814e6e..cf0fb38 100644 +--- a/parser.c b/parser.c +@@ -1102,10 +1102,7 @@ xmlDetectSAX2(xmlParserCtxtPtr ctxt) { + if (ctxt == 
NULL) return; + sax = ctxt->sax; + #ifdef LIBXML_SAX1_ENABLED +-if ((sax) && (
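Review bot: three patch files are added (CVE-2023-39615-0001, -0002 and a 44-line CVE-2023-39615-pre.patch), but the Upstream-Status in the message lists only the two upstream commits d0c3f01e and 235b15a5; say where the -pre patch comes from and why it is needed (presumably a prerequisite so the two fixes apply to 2.9.10) and give it its own Upstream-Status line. On ordering: patch 0001 removes the two assignments in xmlCtxtUseOptionsInternal that set startElement/endElement for XML_PARSE_SAX1, and by 0002's own description a context initialised to SAX version 2 then has those handlers NULL until 0002's unconditional `hdlr->startElement = xmlSAX2StartElement` lands, so the two must stay in this order in SRC_URI; the libxml2_2.9.10.bb hunk that adds them is not visible in this archived copy, so please confirm the order there.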
[OE-core][dunfell][PATCH] gdb: Fix CVE-2023-39128
From: Siddharth Doshi Note: The Fix needs to be pushed in gdb rather than binutils-gdb as we are disabling gdb in binutils configure. Upstream-Status: Backport from [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=033bc52bb6190393c8eed80925fa78cc35b40c6d] CVE: CVE-2023-39128 Signed-off-by: Siddharth Doshi --- meta/recipes-devtools/gdb/gdb-9.1.inc | 1 + .../gdb/gdb/0012-CVE-2023-39128.patch | 75 +++ 2 files changed, 76 insertions(+) create mode 100644 meta/recipes-devtools/gdb/gdb/0012-CVE-2023-39128.patch diff --git a/meta/recipes-devtools/gdb/gdb-9.1.inc b/meta/recipes-devtools/gdb/gdb-9.1.inc index d019e6b384..212c554cf1 100644 --- a/meta/recipes-devtools/gdb/gdb-9.1.inc +++ b/meta/recipes-devtools/gdb/gdb-9.1.inc @@ -16,6 +16,7 @@ SRC_URI = "${GNU_MIRROR}/gdb/gdb-${PV}.tar.xz \ file://0009-resolve-restrict-keyword-conflict.patch \ file://0010-Fix-invalid-sigprocmask-call.patch \ file://0011-gdbserver-ctrl-c-handling.patch \ + file://0012-CVE-2023-39128.patch \ " SRC_URI[md5sum] = "f7e9f6236c425097d9e5f18a6ac40655" SRC_URI[sha256sum] = "699e0ec832fdd2f21c8266171ea5bf44024bd05164fdf064e4d10cc4cf0d1737" diff --git a/meta/recipes-devtools/gdb/gdb/0012-CVE-2023-39128.patch b/meta/recipes-devtools/gdb/gdb/0012-CVE-2023-39128.patch new file mode 100644 index 00..6445455bde --- /dev/null +++ b/meta/recipes-devtools/gdb/gdb/0012-CVE-2023-39128.patch
@@ -0,0 +1,75 @@ +From 033bc52bb6190393c8eed80925fa78cc35b40c6d Mon Sep 17 00:00:00 2001 +From: Tom Tromey +Date: Wed, 16 Aug 2023 11:29:19 -0600 +Subject: [PATCH] Avoid buffer overflow in ada_decode + +A bug report pointed out a buffer overflow in ada_decode, which Keith +helpfully analyzed. ada_decode had a logic error when the input was +all digits. While this isn't valid -- and would probably only appear +in fuzzer tests -- it still should be handled properly. + +This patch adds a missing bounds check. Tested with the self-tests in +an asan build. + +Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=30639 +Reviewed-by: Keith Seitz + +Upstream-Status: Backport from [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=033bc52bb6190393c8eed80925fa78cc35b40c6d] +CVE: CVE-2023-39128 +Signed-off-by: Siddharth Doshi +--- + gdb/ada-lang.c | 19 ++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +diff --git a/gdb/ada-lang.c b/gdb/ada-lang.c +index 0c2d4fc..40852b6 100644 +--- a/gdb/ada-lang.c b/gdb/ada-lang.c +@@ -56,6 +56,7 @@ + #include "cli/cli-utils.h" + #include "gdbsupport/function-view.h" + #include "gdbsupport/byte-vector.h" ++#include "gdbsupport/selftest.h" + #include + + /* Define whether or not the C operator '/' truncates towards zero for +@@ -1184,7 +1185,7 @@ ada_decode (const char *encoded) + i -= 1; + if (i > 1 && encoded[i] == '_' && encoded[i - 1] == '_') + len0 = i - 1; +- else if (encoded[i] == '$') ++ else if (i >= 0 && encoded[i] == '$') + len0 = i; + } + +@@ -1350,6 +1351,18 @@ Suppress: + + } + ++#ifdef GDB_SELF_TEST ++ ++static void ++ada_decode_tests () ++{ ++ /* This isn't valid, but used to cause a crash. PR gdb/30639. The ++ result does not really matter very much. */ ++ SELF_CHECK (ada_decode ("44") == "44"); ++} ++ ++#endif ++ + /* Table for keeping permanent unique copies of decoded names. Once +allocated, names in this table are never released. 
While this is a +storage leak, it should not be significant unless there are massive +@@ -14345,4 +14358,8 @@ DWARF attribute."), + gdb::observers::new_objfile.attach (ada_new_objfile_observer); + gdb::observers::free_objfile.attach (ada_free_objfile_observer); + gdb::observers::inferior_exit.attach (ada_inferior_exit); ++ ++#ifdef GDB_SELF_TEST ++ selftests::register_test ("ada-decode", ada_decode_tests); ++#endif + } +-- +2.24.4 + -- 2.34.1 View/Reply Online (#187498): https://lists.openembedded.org/g/openembedded-core/message/187498
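Review bot: the fix proper is the single added guard `i >= 0 &&` in front of `encoded[i] == '$'`: for an all-digit input the preceding `i -= 1` loop can leave i at -1, and the old condition then read one byte before the buffer, which is the overflow the upstream message describes. Two things to check in the backport: `ada_decode_tests` is compiled only under GDB_SELF_TEST, so the recipe build will not execute `SELF_CHECK (ada_decode ("44") == "44")` unless gdb is configured with selftests, and the message should say how the fix was validated on 9.1; and the added `#include "gdbsupport/selftest.h"` sits next to an `#include` whose header name is empty in this archived copy, so verify the actual patch file carries the full line (an angle-bracketed name is a typical casualty of the archive rendering).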
[OE-core][kirkstone][PATCH] gdb: Fix CVE-2023-39128
From: Siddharth Doshi Note: The Fix needs to be pushed in gdb rather than binutils-gdb as we are disabling gdb in binutils configure. Upstream-Status: Backport from [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=033bc52bb6190393c8eed80925fa78cc35b40c6d] CVE: CVE-2023-39128 Signed-off-by: Siddharth Doshi --- meta/recipes-devtools/gdb/gdb.inc | 1 + .../gdb/gdb/0011-CVE-2023-39128.patch | 75 +++ 2 files changed, 76 insertions(+) create mode 100644 meta/recipes-devtools/gdb/gdb/0011-CVE-2023-39128.patch diff --git a/meta/recipes-devtools/gdb/gdb.inc b/meta/recipes-devtools/gdb/gdb.inc index 649ee28727..099bd2d8f5 100644 --- a/meta/recipes-devtools/gdb/gdb.inc +++ b/meta/recipes-devtools/gdb/gdb.inc @@ -14,5 +14,6 @@ SRC_URI = "${GNU_MIRROR}/gdb/gdb-${PV}.tar.xz \ file://0008-resolve-restrict-keyword-conflict.patch \ file://0009-Fix-invalid-sigprocmask-call.patch \ file://0010-gdbserver-ctrl-c-handling.patch \ + file://0011-CVE-2023-39128.patch \ " SRC_URI[sha256sum] = "1497c36a71881b8671a9a84a0ee40faab788ca30d7ba19d8463c3cc787152e32" diff --git a/meta/recipes-devtools/gdb/gdb/0011-CVE-2023-39128.patch b/meta/recipes-devtools/gdb/gdb/0011-CVE-2023-39128.patch new file mode 100644 index 00..53b49cb21d --- /dev/null +++ b/meta/recipes-devtools/gdb/gdb/0011-CVE-2023-39128.patch
@@ -0,0 +1,75 @@ +From 033bc52bb6190393c8eed80925fa78cc35b40c6d Mon Sep 17 00:00:00 2001 +From: Tom Tromey +Date: Wed, 16 Aug 2023 11:29:19 -0600 +Subject: [PATCH] Avoid buffer overflow in ada_decode + +A bug report pointed out a buffer overflow in ada_decode, which Keith +helpfully analyzed. ada_decode had a logic error when the input was +all digits. While this isn't valid -- and would probably only appear +in fuzzer tests -- it still should be handled properly. + +This patch adds a missing bounds check. Tested with the self-tests in +an asan build. + +Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=30639 +Reviewed-by: Keith Seitz + +Upstream-Status: Backport from [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=033bc52bb6190393c8eed80925fa78cc35b40c6d] +CVE: CVE-2023-39128 +Signed-off-by: Siddharth Doshi +--- + gdb/ada-lang.c | 19 ++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +diff --git a/gdb/ada-lang.c b/gdb/ada-lang.c +index 70a2b44..f682302 100644 +--- a/gdb/ada-lang.c b/gdb/ada-lang.c +@@ -57,6 +57,7 @@ + #include "cli/cli-utils.h" + #include "gdbsupport/function-view.h" + #include "gdbsupport/byte-vector.h" ++#include "gdbsupport/selftest.h" + #include + #include "ada-exp.h" + +@@ -1057,7 +1058,7 @@ ada_decode (const char *encoded, bool wrap) + i -= 1; + if (i > 1 && encoded[i] == '_' && encoded[i - 1] == '_') + len0 = i - 1; +- else if (encoded[i] == '$') ++ else if (i >= 0 && encoded[i] == '$') + len0 = i; + } + +@@ -1225,6 +1226,18 @@ ada_decode (const char *encoded, bool wrap) + return decoded; + } + ++#ifdef GDB_SELF_TEST ++ ++static void ++ada_decode_tests () ++{ ++ /* This isn't valid, but used to cause a crash. PR gdb/30639. The ++ result does not really matter very much. */ ++ SELF_CHECK (ada_decode ("44") == "44"); ++} ++ ++#endif ++ + /* Table for keeping permanent unique copies of decoded names. Once +allocated, names in this table are never released. 
While this is a +storage leak, it should not be significant unless there are massive +@@ -13497,4 +13510,8 @@ DWARF attribute."), + gdb::observers::new_objfile.attach (ada_new_objfile_observer, "ada-lang"); + gdb::observers::free_objfile.attach (ada_free_objfile_observer, "ada-lang"); + gdb::observers::inferior_exit.attach (ada_inferior_exit, "ada-lang"); ++ ++#ifdef GDB_SELF_TEST ++ selftests::register_test ("ada-decode", ada_decode_tests); ++#endif + } +-- +2.35.7 + -- 2.34.1 View/Reply Online (#187482): https://lists.openembedded.org/g/openembedded-core/message/187482
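Review bot: the ada-lang.c hunks here are against `ada_decode (const char *encoded, bool wrap)` with blob ids 70a2b44..f682302, i.e. the patch was regenerated for this branch rather than copied from the dunfell posting (0c2d4fc..40852b6); that is the right thing to do, but the message should say so, since the "Backport from" line alone suggests a verbatim upstream patch. The recipe hunk goes into gdb.inc, which supplies SRC_URI for the cross and cross-canadian gdb recipes as well, so the fix reaches all of them with this one patch; a sentence to that effect would stop someone adding a duplicate to the cross recipes.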
Re: [OE-core] [kirkstone][PATCH] sysklogd: fix integration with systemd-journald
Oops. Please ignore this. Sent by mistake. Apologies for the error. View/Reply Online (#187481): https://lists.openembedded.org/g/openembedded-core/message/187481
[OE-core][kirkstone][PATCH] sysklogd: fix integration with systemd-journald
From: Changqing Li Fix an issue with early log messages being lost when running in systemd. Signed-off-by: Changqing Li Signed-off-by: Steve Sakoman --- ...KillMode-process-is-not-recommended-.patch | 33 ...-messages-lost-when-running-in-syste.patch | 75 +++ .../sysklogd/sysklogd_2.3.0.bb| 2 + 3 files changed, 110 insertions(+) create mode 100644 meta/recipes-extended/sysklogd/files/0001-syslogd.service-KillMode-process-is-not-recommended-.patch create mode 100644 meta/recipes-extended/sysklogd/files/0002-Fix-62-early-log-messages-lost-when-running-in-syste.patch diff --git a/meta/recipes-extended/sysklogd/files/0001-syslogd.service-KillMode-process-is-not-recommended-.patch b/meta/recipes-extended/sysklogd/files/0001-syslogd.service-KillMode-process-is-not-recommended-.patch new file mode 100644 index 00..6c7e7cea44 --- /dev/null +++ b/meta/recipes-extended/sysklogd/files/0001-syslogd.service-KillMode-process-is-not-recommended-.patch @@ -0,0 +1,33 @@ +From b732dd0001c66f3ff1e0aef919c84ca9f0f81252 Mon Sep 17 00:00:00 2001 +From: Joachim Wiberg +Date: Sat, 22 Apr 2023 07:40:24 +0200 +Subject: [PATCH 1/2] syslogd.service: KillMode=process is not recommended, + drop + +The default 'control-group' ensures all processes started by sysklogd +are stopped when the service is stopped, this is what we want. + +Signed-off-by: Joachim Wiberg + +Upstream-Status: Backport [https://github.com/troglobit/sysklogd/commit/c82c004de7e25e770039cba5d6a34c30dd548533] + +Signed-off-by: Changqing Li +--- + syslogd.service.in | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/syslogd.service.in b/syslogd.service.in +index 91e080a..d614c5f 100644 +--- a/syslogd.service.in b/syslogd.service.in +@@ -9,7 +9,6 @@ EnvironmentFile=-@SYSCONFDIR@/default/syslogd + ExecStart=@SBINDIR@/syslogd -F -p /run/systemd/journal/syslog $SYSLOGD_OPTS + StandardOutput=null + Restart=on-failure +-KillMode=process + + [Install] + WantedBy=multi-user.target +-- +2.25.1 + 
diff --git a/meta/recipes-extended/sysklogd/files/0002-Fix-62-early-log-messages-lost-when-running-in-syste.patch b/meta/recipes-extended/sysklogd/files/0002-Fix-62-early-log-messages-lost-when-running-in-syste.patch new file mode 100644 index 00..78ae57eeeb --- /dev/null +++ b/meta/recipes-extended/sysklogd/files/0002-Fix-62-early-log-messages-lost-when-running-in-syste.patch 
@@ -0,0 +1,75 @@ +From ba8156eab79784ef816958327e701923890e98f7 Mon Sep 17 00:00:00 2001 +From: Joachim Wiberg +Date: Sat, 22 Apr 2023 08:27:57 +0200 +Subject: [PATCH 2/2] Fix #62: early log messages lost when running in systemd + +This is a follow-up to d7576c7 which initially added support for running +in systemd based systems. Since the unit file sources the syslog.socket +we have /run/systemd/journal/syslog open already on descriptor 3. All +we need to do is verify that's the mode syslogd runs in. + +Signed-off-by: Joachim Wiberg + +Upstream-Status: Backport [https://github.com/troglobit/sysklogd/commit/7ec64e5f9c1bc284792d028647fb36ef3e64dff7] + +Signed-off-by: Changqing Li +--- + src/syslogd.c | 21 +++-- + syslogd.service.in | 2 +- + 2 files changed, 16 insertions(+), 7 deletions(-) + +diff --git a/src/syslogd.c b/src/syslogd.c +index fa4303f..e96ca9a 100644 +--- a/src/syslogd.c b/src/syslogd.c +@@ -162,6 +162,7 @@ voiduntty(void); + static void parsemsg(const char *from, char *msg); + static int opensys(const char *file); + static void printsys(char *msg); ++static void unix_cb(int sd, void *arg); + static void logmsg(struct buf_msg *buffer); + static void fprintlog_first(struct filed *f, struct buf_msg *buffer); + static void fprintlog_successive(struct filed *f, int flags); +@@ -436,12 +437,20 @@ int main(int argc, char *argv[]) + .pe_serv = "syslog", + }); + +- /* Default to _PATH_LOG for the UNIX domain socket */ +- if (!pflag) +- addpeer(&(struct peer) { +- .pe_name = _PATH_LOG, +- .pe_mode = 0666, +- }); ++ /* Figure out where to read system log messages from */ ++ if (!pflag) { ++ /* Do we run under systemd-journald (Requires=syslog.socket)? 
*/ ++ if (fcntl(3, F_GETFD) != -1) { ++ if (socket_register(3, NULL, unix_cb, NULL) == -1) ++ err(1, "failed registering syslog.socket (3)"); ++ } else { ++ /* Default to _PATH_LOG for the UNIX domain socket */ ++ addpeer(&(struct peer) { ++ .pe_name = _PATH_LOG, ++ .pe_mode = 0666, ++ }); ++ } ++ } + + if (!Foreground && !Debug) { + ppid = waitdaemon(30); +diff --git a/syslogd.service.in b/syslogd.ser
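Review bot: the systemd detection added in main() is too weak. `fcntl(3, F_GETFD) != -1` only proves that descriptor 3 is open, not that it is the socket handed over by syslog.socket, so a syslogd started outside systemd with a stray inherited fd 3 (a shell redirection, a supervisor that leaks descriptors) would register that descriptor via socket_register() as its log source and silently skip creating _PATH_LOG. Prefer the sd_listen_fds contract (require LISTEN_PID to equal getpid() and LISTEN_FDS >= 1 before touching fd 3), or at minimum fstat() fd 3 and require S_ISSOCK before the `socket_register(3, NULL, unix_cb, NULL)` call. Separately, the patch header reads `From ba8156eab79784ef816958327e701923890e98f7` while Upstream-Status cites commit 7ec64e5f9c1bc284792d028647fb36ef3e64dff7; the two should name the same commit so the backport can be traced.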
[OE-core][mickledore][PATCH] gdb: Fix CVE-2023-39128
From: Siddharth Doshi Note: The Fix needs to be pushed in gdb rather than binutils-gdb as we are disabling gdb in binutils configure. Upstream-Status: Backport from [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=033bc52bb6190393c8eed80925fa78cc35b40c6d] CVE: CVE-2023-39128 Signed-off-by: Siddharth Doshi --- meta/recipes-devtools/gdb/gdb.inc | 1 + .../gdb/gdb/0009-CVE-2023-39128.patch | 75 +++ 2 files changed, 76 insertions(+) create mode 100644 meta/recipes-devtools/gdb/gdb/0009-CVE-2023-39128.patch diff --git a/meta/recipes-devtools/gdb/gdb.inc b/meta/recipes-devtools/gdb/gdb.inc index e986b1a1f9..2437a96ae7 100644 --- a/meta/recipes-devtools/gdb/gdb.inc +++ b/meta/recipes-devtools/gdb/gdb.inc @@ -14,6 +14,7 @@ SRC_URI = "${GNU_MIRROR}/gdb/gdb-${PV}.tar.xz \ file://0007-Fix-invalid-sigprocmask-call.patch \ file://0008-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch \ file://add-missing-ldflags.patch \ + file://0009-CVE-2023-39128.patch \ " SRC_URI[sha256sum] = "fd5bebb7be1833abdb6e023c2f498a354498281df9d05523d8915babeb893f0a" diff --git a/meta/recipes-devtools/gdb/gdb/0009-CVE-2023-39128.patch b/meta/recipes-devtools/gdb/gdb/0009-CVE-2023-39128.patch new file mode 100644 index 00..88e39eaa59 --- /dev/null +++ b/meta/recipes-devtools/gdb/gdb/0009-CVE-2023-39128.patch 
@@ -0,0 +1,75 @@ +From 033bc52bb6190393c8eed80925fa78cc35b40c6d Mon Sep 17 00:00:00 2001 +From: Tom Tromey +Date: Wed, 16 Aug 2023 11:29:19 -0600 +Subject: [PATCH] Avoid buffer overflow in ada_decode + +A bug report pointed out a buffer overflow in ada_decode, which Keith +helpfully analyzed. ada_decode had a logic error when the input was +all digits. While this isn't valid -- and would probably only appear +in fuzzer tests -- it still should be handled properly. + +This patch adds a missing bounds check. Tested with the self-tests in +an asan build. + +Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=30639 +Reviewed-by: Keith Seitz + +Upstream-Status: Backport from [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=033bc52bb6190393c8eed80925fa78cc35b40c6d] +CVE: CVE-2023-39128 +Signed-off-by: Siddharth Doshi +--- + gdb/ada-lang.c | 19 ++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +diff --git a/gdb/ada-lang.c b/gdb/ada-lang.c +index 40f8591..06ac46b 100644 +--- a/gdb/ada-lang.c b/gdb/ada-lang.c +@@ -57,6 +57,7 @@ + #include "cli/cli-utils.h" + #include "gdbsupport/function-view.h" + #include "gdbsupport/byte-vector.h" ++#include "gdbsupport/selftest.h" + #include + #include "ada-exp.h" + #include "charset.h" +@@ -1388,7 +1389,7 @@ ada_decode (const char *encoded, bool wrap, bool operators) + i -= 1; + if (i > 1 && encoded[i] == '_' && encoded[i - 1] == '_') + len0 = i - 1; +- else if (encoded[i] == '$') ++ else if (i >= 0 && encoded[i] == '$') + len0 = i; + } + +@@ -1585,6 +1586,18 @@ ada_decode (const char *encoded, bool wrap, bool operators) + return decoded; + } + ++#ifdef GDB_SELF_TEST ++ ++static void ++ada_decode_tests () ++{ ++ /* This isn't valid, but used to cause a crash. PR gdb/30639. The ++ result does not really matter very much. */ ++ SELF_CHECK (ada_decode ("44") == "44"); ++} ++ ++#endif ++ + /* Table for keeping permanent unique copies of decoded names. Once +allocated, names in this table are never released. 
While this is a +storage leak, it should not be significant unless there are massive +@@ -14084,4 +14097,8 @@ DWARF attribute."), + gdb::observers::new_objfile.attach (ada_new_objfile_observer, "ada-lang"); + gdb::observers::free_objfile.attach (ada_free_objfile_observer, "ada-lang"); + gdb::observers::inferior_exit.attach (ada_inferior_exit, "ada-lang"); ++ ++#ifdef GDB_SELF_TEST ++ selftests::register_test ("ada-decode", ada_decode_tests); ++#endif + } +-- +2.25.1 + -- 2.34.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#187479): https://lists.openembedded.org/g/openembedded-core/message/187479 Mute This Topic: https://lists.openembedded.org/mt/101288288/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
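Review bot: the one-line bounds check `i >= 0 && encoded[i] == '$'` is the entire fix, so please confirm that `i` is a signed type in the mickledore gdb sources: the loop above decrements it past zero for an all-digit input, and if `i` were unsigned the new test would be a no-op and the read of encoded[-1] would remain. The added `ada_decode_tests` only compiles under GDB_SELF_TEST (gdb's `--enable-unit-tests` configure switch), which a release-tarball build does not turn on, so the OE build does not exercise it; stating in the recipe-side commit message how the backport was verified (the asan self-test run mentioned in the upstream message, or a `maint selftest ada-decode` on a self-test build) would help the next person who bumps this patch.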
Re: [OE-core] [mickledore][PATCH] binutils: Fix CVE-2023-39128
Hi Sanjana,

Thank you for this patch. But I feel this is not the right way to patch this vulnerability. No doubt the patch is released for binutils-gdb, but that is because the sources are merged. However, in our systems, the command gdb comes from the gdb package and not from binutils-gdb. Additional confirmation can also be obtained from the binutils configuration, where we are disabling gdb from binutils. So even after patching, the vulnerability will exist, as it is not patched in gdb, and where it is patched, gdb is disabled.

View/Reply Online (#187478): https://lists.openembedded.org/g/openembedded-core/message/187478
Re: [OE-core] [kirkstone][PATCH] Qemu: Resolve undefined reference issue in CVE-2023-2861
I guess I missed the patch status. Apologies for that. Thank you for updating me on the status.

Regards,
Siddharth

View/Reply Online (#187477): https://lists.openembedded.org/g/openembedded-core/message/187477
Re: [OE-core] [kirkstone][PATCH] Qemu: Resolve undefined reference issue in CVE-2023-2861
Hi Team,

Any updates for this patch?

Regards,
Siddharth

View/Reply Online (#187399): https://lists.openembedded.org/g/openembedded-core/message/187399
Re: [OE-core] [kirkstone][PATCH] inetutils: Security fix for CVE-2023-40303
Ooops... my bad. I just checked in https://autobuilder.yocto.io/pub/non-release/patchmetrics/cve-status-kirkstone.txt and submitted a patch without checking whether it was already submitted or not. Thanks for the update.

Regards,
Siddharth

View/Reply Online (#187287): https://lists.openembedded.org/g/openembedded-core/message/187287
[OE-core][kirkstone][PATCH] inetutils: Security fix for CVE-2023-40303
From: Siddharth Doshi Upstream-Status: Backport from [https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6] CVE: CVE-2023-40303 Signed-off-by: Siddharth Doshi --- .../inetutils/inetutils/CVE-2023-40303.patch | 283 ++ .../inetutils/inetutils_2.2.bb| 1 + 2 files changed, 284 insertions(+) create mode 100644 meta/recipes-connectivity/inetutils/inetutils/CVE-2023-40303.patch diff --git a/meta/recipes-connectivity/inetutils/inetutils/CVE-2023-40303.patch b/meta/recipes-connectivity/inetutils/inetutils/CVE-2023-40303.patch new file mode 100644 index 00..06f7f2fc00 --- /dev/null +++ b/meta/recipes-connectivity/inetutils/inetutils/CVE-2023-40303.patch 
@@ -0,0 +1,283 @@ +From e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6 Mon Sep 17 00:00:00 2001 +From: Jeffrey Bencteux +Date: Fri, 30 Jun 2023 19:02:45 +0200 +Subject: ftpd,rcp,rlogin,rsh,rshd,uucpd: fix: check set*id() return values + +Several setuid(), setgid(), seteuid() and setguid() return values +were not checked in ftpd/rcp/rlogin/rsh/rshd/uucpd code potentially +leading to potential security issues. + +Signed-off-by: Jeffrey Bencteux +Signed-off-by: Simon Josefsson + +Upstream-Status: Backport from [https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6] +CVE: CVE-2023-40303 +Signed-off-by: Siddharth Doshi + +--- + ftpd/ftpd.c | 10 +++--- + src/rcp.c| 39 +-- + src/rlogin.c | 11 +-- + src/rsh.c| 25 + + src/rshd.c | 20 +--- + src/uucpd.c | 15 +-- + 6 files changed, 100 insertions(+), 20 deletions(-) + +diff --git a/ftpd/ftpd.c b/ftpd/ftpd.c +index 68d41fd..703fbbc 100644 +--- a/ftpd/ftpd.c b/ftpd/ftpd.c +@@ -865,7 +865,9 @@ end_login (struct credentials *pcred) + char *remotehost = pcred->remotehost; + int atype = pcred->auth_type; + +- seteuid ((uid_t) 0); ++ if (seteuid ((uid_t) 0) == -1) ++_exit (EXIT_FAILURE); ++ + if (pcred->logged_in) + { + logwtmp_keep_open (ttyline, "", ""); +@@ -1154,7 +1156,8 @@ getdatasock (const char *mode) + + if (data >= 0) + return fdopen (data, mode); +- seteuid ((uid_t) 0); ++ if (seteuid ((uid_t) 0) == -1) ++_exit (EXIT_FAILURE); + s = socket (ctrl_addr.ss_family, SOCK_STREAM, 0); + if (s < 0) + goto bad; +@@ -1981,7 +1984,8 @@ passive (int epsv, int af) + else/* !AF_INET6 */ + ((struct sockaddr_in *) &pasv_addr)->sin_port = 0; + +- seteuid ((uid_t) 0); ++ if (seteuid ((uid_t) 0) == -1) ++_exit (EXIT_FAILURE); + if (bind (pdata, (struct sockaddr *) &pasv_addr, pasv_addrlen) < 0) + { + if (seteuid ((uid_t) cred.uid)) +diff --git a/src/rcp.c b/src/rcp.c +index 476cbaa..cd84570 100644 +--- a/src/rcp.c b/src/rcp.c +@@ -348,14 +348,23 @@ main (int argc, char *argv[]) + if (from_option) + { 
/* Follow "protocol", send data. */ + response (); +- setuid (userid); ++ ++ if (setuid (userid) == -1) ++ { ++error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); ++ } ++ + source (argc, argv); + exit (errs); + } + + if (to_option) + { /* Receive data. */ +- setuid (userid); ++ if (setuid (userid) == -1) ++ { ++error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); ++ } ++ + sink (argc, argv); + exit (errs); + } +@@ -540,7 +549,11 @@ toremote (char *targ, int argc, char *argv[]) + if (response () < 0) + exit (EXIT_FAILURE); + free (bp); +-setuid (userid); ++ ++if (setuid (userid) == -1) ++ { ++error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); ++ } + } + source (1, argv + i); + close (rem); +@@ -633,7 +646,12 @@ tolocal (int argc, char *argv[]) + ++errs; + continue; + } +- seteuid (userid); ++ ++ if (seteuid (userid) == -1) ++ { ++error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)"); ++ } ++ + #if defined IP_TOS && defined IPPROTO_IP && defined IPTOS_THROUGHPUT + sslen = sizeof (ss); + (void) getpeername (rem, (struct sockaddr *) &ss, &sslen); +@@ -646,7 +664,12 @@ tolocal (int argc, char *argv[]) + #endif + vect[0] = target; + sink (1, vect); +- seteuid (effuid); ++ ++ if (seteuid (effuid) == -1) ++ { ++error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)"); ++ } ++ + close (rem); + rem = -1; + #ifdef SHISHI +@@ -1444,7 +1467,11 @@ susystem (char *s, int userid) + return (127);
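Review bot: the diagnostics in the rcp.c and ftpd.c changes lose information that an operator will need. In tolocal(), `seteuid (effuid)` restores the effective uid rather than dropping it, yet the failure text says "Could not drop privileges (seteuid() failed)"; and every `error (EXIT_FAILURE, 0, ...)` call passes errnum 0, so the actual cause (EPERM, EAGAIN, EINVAL) never reaches the message. Suggest passing errno and naming the uid, e.g. `error (EXIT_FAILURE, errno, "seteuid(%u) failed", (unsigned) effuid);`. In ftpd.c the three new `_exit (EXIT_FAILURE)` paths after `seteuid ((uid_t) 0)` exit silently; a daemon that fails to regain or drop uid should log the event through syslog before exiting, otherwise a privilege-transition failure under attack conditions leaves no trace. The checks themselves are the right fix for CVE-2023-40303 and match upstream.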
Re: [OE-core] [kirkstone][PATCH] Qemu: Resolve undefined reference issue in CVE-2023-2861
Hi Steve,

Please find the detailed error log:

{{{
| [629/6213] Compiling C object libqemuutil.a.p/stubs_win32-kbd-hook.c.o
| [630/6213] Compiling C object libqemuutil.a.p/stubs_replay-tools.c.o
| [631/6213] Compiling C object fsdev/virtfs-proxy-helper.p/9p-marshal.c.o
| [632/6213] Compiling C object libqemuutil.a.p/stubs_xen-hw-stub.c.o
| [633/6213] Compiling C object fsdev/virtfs-proxy-helper.p/9p-iov-marshal.c.o
| [634/6213] Linking static target libqemuutil.a
| [635/6213] Compiling C object tests/qtest/libqos/libqos.fa.p/qos_external.c.o
| [636/6213] Compiling C object tests/qtest/libqos/libqos.fa.p/fw_cfg.c.o
| [637/6213] Compiling C object tests/qtest/libqos/libqos.fa.p/pci.c.o
| [638/6213] Compiling C object tests/qtest/libqos/libqos.fa.p/qgraph.c.o
| [639/6213] Compiling C object fsdev/virtfs-proxy-helper.p/virtfs-proxy-helper.c.o
| In file included from ../qemu-6.2.0/fsdev/virtfs-proxy-helper.c:29:
| /home/siddharth/tmp/work/../qemu/6.2.0-r0/qemu-6.2.0/hw/9pfs/9p-util.h: In function 'close_if_special_file':
| /home/siddharth/tmp/work/../qemu/6.2.0-r0/qemu-6.2.0/hw/9pfs/9p-util.h:46:9: warning: implicit declaration of function 'qemu_fstat' [-Wimplicit-function-declaration]
| 46 | if (qemu_fstat(fd, &stbuf) < 0) {
| | ^~
| /home/siddharth/tmp/work/../qemu/6.2.0-r0/qemu-6.2.0/hw/9pfs/9p-util.h:46:9: warning: nested extern declaration of 'qemu_fstat' [-Wnested-externs]
| [640/6213] Compiling C object tests/qtest/libqos/libqos.fa.p/malloc-pc.c.o
| [641/6213] Linking target fsdev/virtfs-proxy-helper
| FAILED: fsdev/virtfs-proxy-helper
}}}

> The fix patch mentions that the issue leads to "undefined symbol error
> on certain architectures", but doesn't identify which architectures
> specifically.

- I am facing this on x86_64 and riscv architectures. At least these are the two which I tried on and got the same error.
- Logically looking at the code, it should ideally fail on any machine it is compiled on regardless of the architecture, as the wrapper "qemu_fstat" is not defined anywhere in the code and is called.
- However, since I had not tested on all architectures, I couldn't tell about all the architectures.
- It definitely made me more confused since it had passed the autobuilder test, so I explicitly mentioned "certain architectures" and not "fails everywhere".
- Just building qemu with `PACKAGECONFIG:append = " libusb virtfs"` is enough to reproduce the error. At least that's what I am building it with.

View/Reply Online (#186816): https://lists.openembedded.org/g/openembedded-core/message/186816
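Because the thread turns on a compile-time warning that only surfaced as a link failure, here is a small log-triage script as an added example (not code from the thread, from QEMU or from OE-core): it pairs GCC implicit-declaration warnings with the ninja FAILED target that follows them, run over a trimmed, constructed copy of the log quoted in the message above.

```python
"""Triage a bitbake/ninja build log: pair GCC implicit-declaration warnings
with the link step that fails afterwards.

Added example, not code from the thread. SAMPLE_LOG is a trimmed copy of
the output quoted in the message above (bitbake prefixes each line with
"| "); the ".." in the path is reproduced as it appears there.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample log, trimmed from the message above.
SAMPLE_LOG = """\
| [634/6213] Linking static target libqemuutil.a
| [639/6213] Compiling C object fsdev/virtfs-proxy-helper.p/virtfs-proxy-helper.c.o
| In file included from ../qemu-6.2.0/fsdev/virtfs-proxy-helper.c:29:
| /home/siddharth/tmp/work/../qemu/6.2.0-r0/qemu-6.2.0/hw/9pfs/9p-util.h: In function 'close_if_special_file':
| /home/siddharth/tmp/work/../qemu/6.2.0-r0/qemu-6.2.0/hw/9pfs/9p-util.h:46:9: warning: implicit declaration of function 'qemu_fstat' [-Wimplicit-function-declaration]
|    46 |     if (qemu_fstat(fd, &stbuf) < 0) {
|       |         ^~~~~~~~~~
| /home/siddharth/tmp/work/../qemu/6.2.0-r0/qemu-6.2.0/hw/9pfs/9p-util.h:46:9: warning: nested extern declaration of 'qemu_fstat' [-Wnested-externs]
| [640/6213] Compiling C object tests/qtest/libqos/libqos.fa.p/malloc-pc.c.o
| [641/6213] Linking target fsdev/virtfs-proxy-helper
| FAILED: fsdev/virtfs-proxy-helper
"""

# GCC diagnostic: "<file>:<line>:<col>: warning: implicit declaration of function '<name>'"
IMPLICIT_RE = re.compile(
    r"^\|?\s*(?P<file>[^:\s]+):(?P<line>\d+):\d+: warning: "
    r"implicit declaration of function '(?P<func>[^']+)'"
)
# ninja reports a failed build step as "FAILED: <target>"
FAILED_RE = re.compile(r"^\|?\s*FAILED: (?P<target>\S+)")


def find_implicit_declarations(log: str) -> List[Tuple[str, int, str]]:
    """Return (file, line, function) for every implicit-declaration warning."""
    hits: List[Tuple[str, int, str]] = []
    for line in log.splitlines():
        m = IMPLICIT_RE.match(line)
        if m:
            hits.append((m.group("file"), int(m.group("line")), m.group("func")))
    return hits


def triage(log: str) -> Dict[str, List[str]]:
    """Map each failed target to the functions implicitly declared before it.

    An implicit declaration means the compiler guessed a prototype and emitted
    a call to a symbol nobody defines; when the next link step fails, those
    names are the first suspects for the undefined reference (here qemu_fstat).
    GCC before 14 only warns about this, which is why the compile step passed
    and the problem showed up only at link time.
    """
    suspects: List[str] = []
    result: Dict[str, List[str]] = {}
    for line in log.splitlines():
        m = IMPLICIT_RE.match(line)
        if m:
            func = m.group("func")
            if func not in suspects:
                suspects.append(func)
            continue
        m = FAILED_RE.match(line)
        if m:
            result[m.group("target")] = suspects
            suspects = []  # later failures get their own suspect list
    return result


if __name__ == "__main__":
    for target, funcs in triage(SAMPLE_LOG).items():
        print(f"{target}: undefined-reference suspects {funcs}")
```

Building with `-Werror=implicit-function-declaration` in CFLAGS turns this class of warning into a compile error, so it fails on the autobuilder at the same step regardless of architecture.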
[OE-core][kirkstone][PATCH] Qemu: Resolve undefined reference issue in CVE-2023-2861
The commit [https://github.com/openembedded/openembedded-core/commit/9bd4ddeb4b5efc65b0514d50d6991211271924c1] backports fix for CVE-2023-2861 for version 6.2.0. The 'qemu_fstat' in `do_create_others' is not defined which leads to the undefined symbol error on certain architectures. Also, the commit message says "(Mjt: drop adding qemu_fstat wrapper for 7.2 where wrappers aren't used)". So either the wrapper has to be dropped or it has to be defined. Hence, backported the main patch rather than the cherry picked one. Signed-off-by: Siddharth Doshi --- .../qemu/qemu/CVE-2023-2861.patch | 66 +++ 1 file changed, 37 insertions(+), 29 deletions(-) diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch index 48f51f5d03..a86413fbad 100644 --- a/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch @@ -1,14 +1,16 @@ -From 10fad73a2bf1c76c8aa9d6322755e5f877d83ce5 Mon Sep 17 00:00:00 2001 +From f6b0de53fb87ddefed348a39284c8e2f28dc4eda Mon Sep 17 00:00:00 2001 
From: Christian Schoenebeck -Date: Wed Jun 7 18:29:33 2023 +0200 -Subject: [PATCH] 9pfs: prevent opening special files (CVE-2023-2861) The 9p - protocol does not specifically define how server shall behave when client - tries to open a special file, however from security POV it does make sense - for 9p server to prohibit opening any special file on host side in general. A - sane Linux 9p client for instance would never attempt to open a special file - on host side, it would always handle those exclusively on its guest side. A - malicious client however could potentially escape from the exported 9p tree - by creating and opening a device file on host side. +Date: Wed, 7 Jun 2023 18:29:33 +0200 +Subject: [PATCH] 9pfs: prevent opening special files (CVE-2023-2861) + +The 9p protocol does not specifically define how server shall behave when +client tries to open a special file, however from security POV it does +make sense for 9p server to prohibit opening any special file on host side +in general. A sane Linux 9p client for instance would never attempt to +open a special file on host side, it would always handle those exclusively +on its guest side. A malicious client however could potentially escape +from the exported 9p tree by creating and opening a device file on host +side. With QEMU this could only be exploited in the following unsafe setups: @@ -32,19 +34,16 @@ Signed-off-by: Christian Schoenebeck Reviewed-by: Greg Kurz Reviewed-by: Michael Tokarev Message-Id: -(cherry picked from commit f6b0de5) -Signed-off-by: Michael Tokarev -(Mjt: drop adding qemu_fstat wrapper for 7.2 where wrappers aren't used) - -Upstream-Status: Backport [https://github.com/qemu/qemu/commit/10fad73a2bf1c76c8aa9d6322755e5f877d83ce5] +Upstream-Status: Backport from [https://github.com/qemu/qemu/commit/10fad73a2bf1c76c8aa9d6322755e5f877d83ce5] CVE: CVE-2023-2861 
Signed-off-by: Archana Polampalli +Signed-off-by: Siddharth Doshi --- - fsdev/virtfs-proxy-helper.c | 27 -- - hw/9pfs/9p-util.h | 38 + - 2 files changed, 63 insertions(+), 2 deletions(-) + fsdev/virtfs-proxy-helper.c | 27 +++-- + hw/9pfs/9p-util.h | 40 + + 2 files changed, 65 insertions(+), 2 deletions(-) diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c index 15c0e79b0..f9e4669a5 100644 @@ -56,12 +55,12 @@ index 15c0e79b0..f9e4669a5 100644 #include "hw/9pfs/9p-proxy.h" +#include "hw/9pfs/9p-util.h" #include "fsdev/9p-iov-marshal.h" - + #define PROGNAME "virtfs-proxy-helper" @@ -338,6 +339,28 @@ static void resetugid(int suid, int sgid) } } - + +/* + * Open regular file or directory. Attempts to open any special file are + * rejected. @@ -106,22 +105,30 @@ index 15c0e79b0..f9e4669a5 100644 ret = -errno; } diff --git a/hw/9pfs/9p-util.h b/hw/9pfs/9p-util.h -index 546f46dc7..54e270ac6 100644 +index 546f46dc7..23000e917 100644 --- a/hw/9pfs/9p-util.h +++ b/hw/9pfs/9p-util.h -@@ -13,6 +13,8 @@ +@@ -13,12 +13,16 @@ #ifndef QEMU_9P_UTIL_H #define QEMU_9P_UTIL_H - + +#include "qemu/error-report.h" + #ifdef O_PATH #define O_PATH_9P_UTIL O_PATH #else -@@ -26,6 +28,38 @@ static inline void close_preserve_errno(int fd) + #define O_PATH_9P_UTIL 0 + #endif + ++#define qemu_fstat fstat ++ + static inline void close_preserve_errno(int fd) + { + int serrno = errno; +@@ -26,6 +30,38 @@ static inline void close_preserve_errno(int fd) errno = serrno; } - + +/** + * close_if_special_file() - Close @fd if neither regular file nor directory. + * @@ -157,10 +164,10 @@ index 546f46dc7..54e270ac6 100644 static inline int openat_dir(int dirfd, const
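Review bot: the `+#define qemu_fstat fstat` added to hw/9pfs/9p-util.h fixes the link failure but diverges from the stable-branch cherry-pick (10fad73a), whose own note says it dropped the wrapper because 7.2 does not use it; a file-scope macro with that name will also rewrite any later declaration of a real qemu_fstat() function that a future backport pulls in, producing confusing errors far from this header. Safer options are to call fstat(fd, &stbuf) directly in close_if_special_file(), or to guard the define with `#ifndef qemu_fstat`. Also, the patch header now reads `From f6b0de53fb87ddefed348a39284c8e2f28dc4eda` while Upstream-Status still cites https://github.com/qemu/qemu/commit/10fad73a2bf1c76c8aa9d6322755e5f877d83ce5; cite the commit that was actually backported.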
Re: [OE-core] [master][PATCH] tiff: Security fix for CVE-2023-25434 and CVE-2023-26965
True that, version-ups are always better IMO. I guess I missed that a new version was released. Regardless, thanks for the update. I will backport these fixes for the LTS version soon.

Thanks,
Siddharth

View/Reply Online (#183812): https://lists.openembedded.org/g/openembedded-core/message/183812
Re: [OE-core] [mickledore][PATCH] tiff: backport a fix for CVE-2023-26965
The CVE fix for CVE-2023-25434 and CVE-2023-26965 for 4.5.0 was submitted for master, which could directly be backported to mickledore too as it has the same version -> https://lists.openembedded.org/g/openembedded-core/message/183408

However, it increases Steve's task to patch if we submit single CVEs. So, better to club and send them.

Regards,
Siddharth

View/Reply Online (#183607): https://lists.openembedded.org/g/openembedded-core/message/183607
[OE-core][mickledore][PATCH] tiff: Security fix for CVE-2023-25434 and CVE-2023-26965
Upstream-Status: Backport from [https://gitlab.com/libtiff/libtiff/-/commit/69818e2f2d246e6631ac2a2da692c3706b849c38, https://gitlab.com/libtiff/libtiff/-/commit/ec8ef90c1f573c9eb1f17d6a056aa0015f184acf] Signed-off-by: Siddharth Doshi --- .../libtiff/files/CVE-2023-25434.patch| 159 ++ .../libtiff/files/CVE-2023-26965.patch| 99 +++ meta/recipes-multimedia/libtiff/tiff_4.5.0.bb | 2 + 3 files changed, 260 insertions(+) create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-25434.patch create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-25434.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-25434.patch new file mode 100644 index 00..a78c9709f9 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-25434.patch 
@@ -0,0 +1,159 @@ +From 69818e2f2d246e6631ac2a2da692c3706b849c38 Mon Sep 17 00:00:00 2001 +From: Su_Laus +Date: Sun, 29 Jan 2023 11:09:26 +0100 +Subject: [PATCH] tiffcrop: Amend rotateImage() not to toggle the input (main) + image width and length parameters when only cropped image sections are + rotated. Remove buffptr from region structure because never used. + +Closes #492 #493 #494 #495 #499 #518 #519 + +Upstream-Status: Backport from [https://gitlab.com/libtiff/libtiff/-/commit/69818e2f2d246e6631ac2a2da692c3706b849c38] +CVE: CVE-2023-25434 + +Signed-off-by: Siddharth Doshi +--- + tools/tiffcrop.c | 51 + 1 file changed, 30 insertions(+), 21 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index fc5b34b..6e1acc4 100644 +--- a/tools/tiffcrop.c b/tools/tiffcrop.c +@@ -296,7 +296,6 @@ struct region + uint32_t width;/* width in pixels */ + uint32_t length; /* length in pixels */ + uint32_t buffsize; /* size of buffer needed to hold the cropped region */ +-unsigned char *buffptr; /* address of start of the region */ + }; + + /* Cropping parameters from command line and image data +@@ -577,7 +576,7 @@ static int rotateContigSamples24bits(uint16_t, uint16_t, uint16_t, uint32_t, + static int rotateContigSamples32bits(uint16_t, uint16_t, uint16_t, uint32_t, + uint32_t, uint32_t, uint8_t *, uint8_t *); + static int rotateImage(uint16_t, struct image_data *, uint32_t *, uint32_t *, +- unsigned char **); ++ unsigned char **, int); + static int mirrorImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t, +unsigned char *); + static int invertImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t, +@@ -5779,7 +5778,6 @@ static void initCropMasks(struct crop_mask *cps) + cps->regionlist[i].width = 0; + cps->regionlist[i].length = 0; + cps->regionlist[i].buffsize = 0; +-cps->regionlist[i].buffptr = NULL; + cps->zonelist[i].position = 0; + cps->zonelist[i].total = 0; + } +@@ -7221,8 +7219,13 @@ static int correct_orientation(struct image_data *image, + return 
(-1); + } + +-if (rotateImage(rotation, image, &image->width, &image->length, +-work_buff_ptr)) ++/* Dummy variable in order not to switch two times the ++ * image->width,->length within rotateImage(), ++ * but switch xres, yres there. */ ++uint32_t width = image->width; ++uint32_t length = image->length; ++if (rotateImage(rotation, image, &width, &length, work_buff_ptr, ++TRUE)) + { + TIFFError("correct_orientation", "Unable to rotate image"); + return (-1); +@@ -7291,7 +7294,6 @@ static int extractCompositeRegions(struct image_data *image, + /* These should not be needed for composite images */ + crop->regionlist[i].width = crop_width; + crop->regionlist[i].length = crop_length; +-crop->regionlist[i].buffptr = crop_buff; + + src_rowsize = ((img_width * bps * spp) + 7) / 8; + dst_rowsize = (((crop_width * bps * count) + 7) / 8); +@@ -7552,7 +7554,6 @@ static int extractSeparateRegion(struct image_data *image, + + crop->regionlist[region].width = crop_width; + crop->regionlist[region].length = crop_length; +-crop->regionlist[region].buffptr = crop_buff; + + src = read_buff; + dst = crop_buff; +@@ -8543,7 +8544,7 @@ static int processCropSelections(struct image_data *image, + reallocate the buffer */ + { + if (rotateImage(crop->rotation, image, &crop->combined_width, +-&crop->combined_length, &crop_buff)) ++&crop->combined_length, &crop_buff, FALSE)) +
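Review bot: the new trailing `int` parameter of rotateImage() is unnamed in the prototype (`unsigned char **, int);`) and both call sites pass a bare TRUE/FALSE, so nothing in the declaration says what the flag selects; give it a name there and move the explanatory comment from correct_orientation() next to it. In correct_orientation() the local copies `width`/`length` are passed in and never read back, which is intentional per the comment, but a one-line note that image->width/length are swapped inside rotateImage() when the flag is TRUE would help, since the rest of that function keeps using image->width. Removing the unused `buffptr` member from struct region is fine and matches the upstream commit.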
[OE-core][master][PATCHv4] Flac: upgrade 1.4.2 -> 1.4.3
From: Siddharth Doshi License-Update: URL fix Remove PowerPC related options no longer supported upstream. Signed-off-by: Siddharth Doshi --- .../flac/{flac_1.4.2.bb => flac_1.4.3.bb} | 11 --- 1 file changed, 4 insertions(+), 7 deletions(-) rename meta/recipes-multimedia/flac/{flac_1.4.2.bb => flac_1.4.3.bb} (76%) diff --git a/meta/recipes-multimedia/flac/flac_1.4.2.bb b/meta/recipes-multimedia/flac/flac_1.4.3.bb similarity index 76% rename from meta/recipes-multimedia/flac/flac_1.4.2.bb rename to meta/recipes-multimedia/flac/flac_1.4.3.bb index d3ece3f3cf..d4e463cda5 100644 --- a/meta/recipes-multimedia/flac/flac_1.4.2.bb +++ b/meta/recipes-multimedia/flac/flac_1.4.3.bb @@ -5,15 +5,15 @@ BUGTRACKER = "https://github.com/xiph/flac/issues"; SECTION = "libs" LICENSE = "GFDL-1.2 & GPL-2.0-or-later & LGPL-2.1-or-later & BSD-3-Clause" LIC_FILES_CHKSUM = "file://COPYING.FDL;md5=ad1419ecc56e060eccf8184a87c4285f \ - file://src/Makefile.am;beginline=1;endline=17;md5=146d2c8c2fd287545cc1bd81f31e8758 \ + file://src/Makefile.am;beginline=1;endline=17;md5=b1dab2704be7f01bfbd9b7f6d5f000a9 \ file://COPYING.GPL;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ - file://src/flac/main.c;beginline=1;endline=18;md5=893456854ce6bf14a1a7ea77266eebab \ + file://src/flac/main.c;beginline=1;endline=18;md5=23099119c034d894bd1bf7ef5bd22101 \ file://COPYING.LGPL;md5=fbc093901857fcd118f065f900982c24 \ -file://COPYING.Xiph;md5=3d6da238b5b57a0965d6730291119f65 \ +file://COPYING.Xiph;md5=0c90e41ab2fa7e69ca9391330d870221 \ file://include/FLAC/all.h;beginline=65;endline=70;md5=39aaf5e03c7364363884c8b8ddda8eea" SRC_URI = "http://downloads.xiph.org/releases/flac/${BP}.tar.xz"; -SRC_URI[sha256sum] = "e322d58a1f48d23d9dd38f432672865f6f79e73a6f9cc5a5f57fcaa83eb5a8e4" +SRC_URI[sha256sum] = "6c58e69cd22348f441b861092b825e591d0b822e106de6eb0ee4d05d27205b70" CVE_PRODUCT = "libflac flac" 
@@ -25,11 +25,8 @@ EXTRA_OECONF = "--disable-oggtest \ " PACKAGECONFIG ??= " \ -${@bb.utils.filter("TUNE_FEATURES", "altivec vsx", d)} \ ogg \ " -PACKAGECONFIG[altivec] = "--enable-altivec,--disable-altivec" -PACKAGECONFIG[vsx] = "--enable-vsx,--disable-vsx" PACKAGECONFIG[avx] = "--enable-avx,--disable-avx" PACKAGECONFIG[ogg] = "--enable-ogg --with-ogg-libraries=${STAGING_LIBDIR} --with-ogg-includes=${STAGING_INCDIR},--disable-ogg,libogg" -- 2.25.1

View/Reply Online (#183552): https://lists.openembedded.org/g/openembedded-core/message/183552
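Review bot: "License-Update: URL fix" does not account for the three LIC_FILES_CHKSUM changes in the first hunk (src/Makefile.am, src/flac/main.c and COPYING.Xiph all get new md5s); the License-Update line should say what changed in each checksummed file, i.e. that only a URL in the license header moved and the terms are unchanged, so a reviewer can verify the checksum bump rather than take it on trust. The PACKAGECONFIG hunk is consistent: dropping `${@bb.utils.filter("TUNE_FEATURES", "altivec vsx", d)}` together with the altivec and vsx PACKAGECONFIG entries leaves no dangling option.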
[OE-core][master][PATCHv3] Flac: upgrade 1.4.2 -> 1.4.3
From: Siddharth Doshi License-Update: URL fix Remove PowerPC related options no longer supported upstream. Signed-off-by: Siddharth Doshi --- .../flac/{flac_1.4.2.bb => flac_1.4.3.bb}| 12 +--- 1 file changed, 5 insertions(+), 7 deletions(-) rename meta/recipes-multimedia/flac/{flac_1.4.2.bb => flac_1.4.3.bb} (76%) diff --git a/meta/recipes-multimedia/flac/flac_1.4.2.bb b/meta/recipes-multimedia/flac/flac_1.4.3.bb similarity index 76% rename from meta/recipes-multimedia/flac/flac_1.4.2.bb rename to meta/recipes-multimedia/flac/flac_1.4.3.bb index d3ece3f3cf..badb43db89 100644 --- a/meta/recipes-multimedia/flac/flac_1.4.2.bb +++ b/meta/recipes-multimedia/flac/flac_1.4.3.bb @@ -5,15 +5,15 @@ BUGTRACKER = "https://github.com/xiph/flac/issues"; SECTION = "libs" LICENSE = "GFDL-1.2 & GPL-2.0-or-later & LGPL-2.1-or-later & BSD-3-Clause" LIC_FILES_CHKSUM = "file://COPYING.FDL;md5=ad1419ecc56e060eccf8184a87c4285f \ - file://src/Makefile.am;beginline=1;endline=17;md5=146d2c8c2fd287545cc1bd81f31e8758 \ + file://src/Makefile.am;beginline=1;endline=17;md5=b1dab2704be7f01bfbd9b7f6d5f000a9 \ file://COPYING.GPL;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ - file://src/flac/main.c;beginline=1;endline=18;md5=893456854ce6bf14a1a7ea77266eebab \ + file://src/flac/main.c;beginline=1;endline=18;md5=23099119c034d894bd1bf7ef5bd22101 \ file://COPYING.LGPL;md5=fbc093901857fcd118f065f900982c24 \ -file://COPYING.Xiph;md5=3d6da238b5b57a0965d6730291119f65 \ +file://COPYING.Xiph;md5=0c90e41ab2fa7e69ca9391330d870221 \ file://include/FLAC/all.h;beginline=65;endline=70;md5=39aaf5e03c7364363884c8b8ddda8eea" SRC_URI = "http://downloads.xiph.org/releases/flac/${BP}.tar.xz"; -SRC_URI[sha256sum] = "e322d58a1f48d23d9dd38f432672865f6f79e73a6f9cc5a5f57fcaa83eb5a8e4" +SRC_URI[sha256sum] = "6c58e69cd22348f441b861092b825e591d0b822e106de6eb0ee4d05d27205b70" CVE_PRODUCT = "libflac flac" 
@@ -25,11 +25,9 @@ EXTRA_OECONF = "--disable-oggtest \ " PACKAGECONFIG ??= " \ -${@bb.utils.filter("TUNE_FEATURES", "altivec vsx", d)} \ +${@bb.utils.filter("TUNE_FEATURES", " ", d)} \ ogg \ " -PACKAGECONFIG[altivec] = "--enable-altivec,--disable-altivec" -PACKAGECONFIG[vsx] = "--enable-vsx,--disable-vsx" PACKAGECONFIG[avx] = "--enable-avx,--disable-avx" PACKAGECONFIG[ogg] = "--enable-ogg --with-ogg-libraries=${STAGING_LIBDIR} --with-ogg-includes=${STAGING_INCDIR},--disable-ogg,libogg" -- 2.25.1

View/Reply Online (#183547): https://lists.openembedded.org/g/openembedded-core/message/183547
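Review bot: the replacement line `+${@bb.utils.filter("TUNE_FEATURES", " ", d)}` filters TUNE_FEATURES against a blank pattern, which always expands to nothing; it is a leftover with no effect and should be deleted rather than kept (the v4 posting above does exactly that). The same remark applies here as for v4 on the License-Update line: three LIC_FILES_CHKSUM md5s change while the message only says "URL fix".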
Re: [OE-core] [master][PATCHv2] Upgrade flac 1.4.2 -> 1.4.3
That's quite strange, as I didn't come across any warnings in my build environment. However, I have removed it from PACKAGECONFIG (which ideally I should have noticed while submitting the first version itself) in v3 and we should be all set to go.

Regards,
Siddharth

View/Reply Online (#183546): https://lists.openembedded.org/g/openembedded-core/message/183546
[OE-core][master][PATCH] bind: Upgrade 9.18.15 -> 9.18.16
From: Siddharth Doshi

- Remove configure options no longer supported online.

Changelog:

[security] A query that prioritizes stale data over lookup triggers a fetch to refresh the stale data in cache. If the fetch is aborted for exceeding the recursion quota, it was possible for 'named' to enter an infinite callback loop and crash due to stack overflow. This has been fixed. (CVE-2023-2911) [GL #4089]
[security] Improve the overmem cleaning process to prevent the cache going over the configured limit. (CVE-2023-2828) [GL #4055]
[performance] Reduce memory consumption by allocating properly sized send buffers for stream-based transports. [GL #4038]
[bug] Fix a 'clients-per-query' miscalculation bug. When the 'stale-answer-enable' options was enabled and the 'stale-answer-client-timeout' option was enabled and larger than 0, named was taking two places from the 'clients-per-query' limit for each client and was failing to gradually auto-tune its value, as configured. [GL #4074]
[func] Add "ClientQuota" statistics channel counter, which indicates the number of the resolver's spilled queries due to reaching the clients per query quota. [GL !7978]
[bug] Fix a serve-stale bug where a delegation from cache could be returned to the client. [GL #3950]
[cleanup] Remove configure checks for epoll, kqueue and /dev/poll. [GL #4098]
[func] The "tkey-dhkey" option has been deprecated; a warning will be logged when it is used. In a future release, Diffie-Hellman TKEY mode will be removed. [GL #3905]
[bug] The session key object could be incorrectly added to multiple different views' keyrings. [GL #4079]
[bug] Fix an interfacemgr use-after-free error in zoneconf.c:isself(). [GL #3765]
[test] Add support for using pytest & pytest-xdist to execute the system test suite. [GL #3978]
[bug] BIND could get stuck on reconfiguration when a 'listen' statement for HTTP is removed from the configuration. That has been fixed.
[GL #4071] [bug] Properly process extra "nameserver" lines in resolv.conf otherwise the next line is not properly processed. [GL #4066] [bug] named could crash when deleting inline-signing zones with "rndc delzone". [GL #4054] [bug] Fix a logic error in dighost.c which could call the dighost_shutdown() callback twice and cause problems if the callback function was not idempotent. [GL #4039] Signed-off-by: Siddharth Doshi --- .../0001-avoid-start-failure-with-bind-user.patch | 0 ...0001-named-lwresd-V-and-start-log-hide-build-options.patch | 0 ...bind-ensure-searching-for-json-headers-searches-sysr.patch | 0 .../bind/{bind-9.18.15 => bind-9.18.16}/bind9 | 0 .../bind/{bind-9.18.15 => bind-9.18.16}/conf.patch| 0 .../bind/{bind-9.18.15 => bind-9.18.16}/generate-rndc-key.sh | 0 .../init.d-add-support-for-read-only-rootfs.patch | 0 .../make-etc-initd-bind-stop-work.patch | 0 .../bind/{bind-9.18.15 => bind-9.18.16}/named.service | 0 .../bind/{bind_9.18.15.bb => bind_9.18.16.bb} | 4 ++-- 10 files changed, 2 insertions(+), 2 deletions(-) rename meta/recipes-connectivity/bind/{bind-9.18.15 => bind-9.18.16}/0001-avoid-start-failure-with-bind-user.patch (100%) rename meta/recipes-connectivity/bind/{bind-9.18.15 => bind-9.18.16}/0001-named-lwresd-V-and-start-log-hide-build-options.patch (100%) rename meta/recipes-connectivity/bind/{bind-9.18.15 => bind-9.18.16}/bind-ensure-searching-for-json-headers-searches-sysr.patch (100%) rename meta/recipes-connectivity/bind/{bind-9.18.15 => bind-9.18.16}/bind9 (100%) rename meta/recipes-connectivity/bind/{bind-9.18.15 => bind-9.18.16}/conf.patch (100%) rename meta/recipes-connectivity/bind/{bind-9.18.15 => bind-9.18.16}/generate-rndc-key.sh (100%) rename meta/recipes-connectivity/bind/{bind-9.18.15 => bind-9.18.16}/init.d-add-support-for-read-only-rootfs.patch (100%) rename meta/recipes-connectivity/bind/{bind-9.18.15 => bind-9.18.16}/make-etc-initd-bind-stop-work.patch (100%) rename meta/recipes-connectivity/bind/{bind-9.18.15 => 
bind-9.18.16}/named.service (100%) rename meta/recipes-connectivity/bind/{bind_9.18.15.bb => bind_9.18.16.bb} (96%) dif
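Review bot: the two CVE ids this upgrade fixes (CVE-2023-2911 and CVE-2023-2828) appear only inside the pasted changelog; list them explicitly near the top of the commit message (for example "CVEs fixed by upgrade: CVE-2023-2911, CVE-2023-2828") so the security relevance is visible in git log and to CVE tracking, and name the configure options that the 2 deletions in bind_9.18.16.bb remove, since "no longer supported online" does not say which options were dropped or where upstream announced it.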
[OE-core][master][PATCHv2] Upgrade flac 1.4.2 -> 1.4.3
From: Siddharth Doshi License-Update: URL fix Remove PowerPC related options no longer supported upstream. Signed-off-by: Siddharth Doshi --- .../flac/{flac_1.4.2.bb => flac_1.4.3.bb} | 10 -- 1 file changed, 4 insertions(+), 6 deletions(-) rename meta/recipes-multimedia/flac/{flac_1.4.2.bb => flac_1.4.3.bb} (80%) diff --git a/meta/recipes-multimedia/flac/flac_1.4.2.bb b/meta/recipes-multimedia/flac/flac_1.4.3.bb similarity index 80% rename from meta/recipes-multimedia/flac/flac_1.4.2.bb rename to meta/recipes-multimedia/flac/flac_1.4.3.bb index d3ece3f3cf..9ef9ca75ef 100644 --- a/meta/recipes-multimedia/flac/flac_1.4.2.bb +++ b/meta/recipes-multimedia/flac/flac_1.4.3.bb @@ -5,15 +5,15 @@ BUGTRACKER = "https://github.com/xiph/flac/issues"; SECTION = "libs" LICENSE = "GFDL-1.2 & GPL-2.0-or-later & LGPL-2.1-or-later & BSD-3-Clause" LIC_FILES_CHKSUM = "file://COPYING.FDL;md5=ad1419ecc56e060eccf8184a87c4285f \ - file://src/Makefile.am;beginline=1;endline=17;md5=146d2c8c2fd287545cc1bd81f31e8758 \ + file://src/Makefile.am;beginline=1;endline=17;md5=b1dab2704be7f01bfbd9b7f6d5f000a9 \ file://COPYING.GPL;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ - file://src/flac/main.c;beginline=1;endline=18;md5=893456854ce6bf14a1a7ea77266eebab \ + file://src/flac/main.c;beginline=1;endline=18;md5=23099119c034d894bd1bf7ef5bd22101 \ file://COPYING.LGPL;md5=fbc093901857fcd118f065f900982c24 \ -file://COPYING.Xiph;md5=3d6da238b5b57a0965d6730291119f65 \ +file://COPYING.Xiph;md5=0c90e41ab2fa7e69ca9391330d870221 \ file://include/FLAC/all.h;beginline=65;endline=70;md5=39aaf5e03c7364363884c8b8ddda8eea" SRC_URI = "http://downloads.xiph.org/releases/flac/${BP}.tar.xz"; -SRC_URI[sha256sum] = "e322d58a1f48d23d9dd38f432672865f6f79e73a6f9cc5a5f57fcaa83eb5a8e4" +SRC_URI[sha256sum] = "6c58e69cd22348f441b861092b825e591d0b822e106de6eb0ee4d05d27205b70" CVE_PRODUCT = "libflac flac" 
@@ -28,8 +28,6 @@ PACKAGECONFIG ??= " \ ${@bb.utils.filter("TUNE_FEATURES", "altivec vsx", d)} \ ogg \ " -PACKAGECONFIG[altivec] = "--enable-altivec,--disable-altivec" -PACKAGECONFIG[vsx] = "--enable-vsx,--disable-vsx" PACKAGECONFIG[avx] = "--enable-avx,--disable-avx" PACKAGECONFIG[ogg] = "--enable-ogg --with-ogg-libraries=${STAGING_LIBDIR} --with-ogg-includes=${STAGING_INCDIR},--disable-ogg,libogg" -- 2.25.1
View/Reply Online (#183437): https://lists.openembedded.org/g/openembedded-core/message/183437
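Review bot: in the @@ -28,8 +28,6 @@ hunk the PACKAGECONFIG[altivec] and PACKAGECONFIG[vsx] definitions are deleted, but the default value kept as unchanged context still contains `${@bb.utils.filter("TUNE_FEATURES", "altivec vsx", d)}`, so on a PowerPC tune with those TUNE_FEATURES the recipe selects "altivec" or "vsx" with no matching PACKAGECONFIG[...] entry left to define them; drop the filter expression from the PACKAGECONFIG default together with the two definitions so the two edits stay consistent.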
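Review bot: the @@ -5,15 +5,15 @@ hunk updates three LIC_FILES_CHKSUM entries (src/Makefile.am lines 1-17, src/flac/main.c lines 1-18 and COPYING.Xiph) while the commit message only says "License-Update: URL fix"; state per file what changed in the covered lines (a URL in all three, or text changes in COPYING.Xiph) so a reviewer can confirm that no licence terms changed before the new md5 values are accepted.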
[OE-core][master][PATCH] Upgrade flac 1.4.2 => 1.4.3
From: Siddharth Doshi

Changes:

As there have been additions to the libFLAC interfaces, the libFLAC version number is incremented to 13. The libFLAC++ version number stays at 10.

* General
  * All PowerPC-specific code has been removed, as it turned out those improvements didn't actually improve anything
  * Large improvements in encoder speed for all presets. The largest change is for the fastest presets and for 24-bit and 32-bit inputs.
  * Small improvement in decoder speed for BMI2-capable CPUs
  * Various documentation fixes and cleanups (Mark Grassi, Jake Schmidt)
  * Various fixes (Ozkan Sezer, Zhipeng Xue, orbea, Sam James, Harish Mahendrakar)
  * Fix building on Universal Windows Platform (Dmitry Kostjučenko)
* flac
  * A lot of small fixes for bugs found by fuzzing
  * Various improvements to the --keep-foreign-metadata and --keep-foreign-metadata-if-present options on decoding
    * The output format (WAV/AIFF/RF64 etc.) is now automatically selected based on what kind of foreign metadata is stored
    * Decoded file is checked afterwards, to see whether stored foreign format data agrees with FLAC audio properties
    * AIFF-C sowt data can now be restored
  * Add --force-legacy-wave-format option, to decode to WAV with WAVEFORMATPCM where WAVE_FORMAT_EXTENSIBLE would be more appropriate
  * Add --force-aiff-c-none-format and --force-aiff-c-sowt-format to decode to AIFF-C
  * The storage of WAVEFORMATEXTENSIBLE_CHANNEL_MASK is no longer restricted to known channel orderings
  * Throw an error when WAV or AIFF files are over 4GiB in length and the --ignore-chunk-sizes option is not set
  * Warn on testing files when ID3v2 tags are found
  * Warn when data trails the audio data of a WAV/AIFF/RF64/W64 file
  * Fix output file not being deleted after error on Windows
  * Removal of the --sector--align option
* metaflac
  * A lot of small fixes for bugs found by fuzzing
  * Added options --append and --data-format, which makes it possible to copy metadata blocks from one FLAC file to another
  * Added option --remove-all-tags-except
  * Added option --show-all-tags (harridu, Martijn van Beurden)
* libFLAC
  * No longer write seektables to Ogg, even when specifically asked for. Seektables in Ogg are not defined
  * Add functions FLAC__metadata_object_set_raw and FLAC__metadata_object_get_raw to convert between blob and FLAC__StreamMetadata
* Build system
  * Autoconf (configure)
    * The option --enable-64-bit-words is now on by default
  * CMake
    * The option ENABLE_64_BIT_WORDS is now on by default
* Testing/validation
  * Fuzzers were added for the flac and metaflac command line tools
  * Fuzzer coverage was improved

Signed-off-by: Siddharth Doshi
---
 .../flac/{flac_1.4.2.bb => flac_1.4.3.bb} | 10 --
 1 file changed, 4 insertions(+), 6 deletions(-)
 rename meta/recipes-multimedia/flac/{flac_1.4.2.bb => flac_1.4.3.bb} (80%)

diff --git a/meta/recipes-multimedia/flac/flac_1.4.2.bb b/meta/recipes-multimedia/flac/flac_1.4.3.bb
similarity index 80%
rename from meta/recipes-multimedia/flac/flac_1.4.2.bb
rename to meta/recipes-multimedia/flac/flac_1.4.3.bb
index d3ece3f3cf..9ef9ca75ef 100644
--- a/meta/recipes-multimedia/flac/flac_1.4.2.bb
+++ b/meta/recipes-multimedia/flac/flac_1.4.3.bb
@@ -5,15 +5,15 @@ BUGTRACKER = "https://github.com/xiph/flac/issues"; SECTION = "libs" LICENSE = "GFDL-1.2 & GPL-2.0-or-later & LGPL-2.1-or-later & BSD-3-Clause" LIC_FILES_CHKSUM = "file://COPYING.FDL;md5=ad1419ecc56e060eccf8184a87c4285f \ - file://src/Makefile.am;beginline=1;endline=17;md5=146d2c8c2fd287545cc1bd81f31e8758 \ + file://src/Makefile.am;beginline=1;endline=17;md5=b1dab2704be7f01bfbd9b7f6d5f000a9 \ file://COPYING.GPL;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ - file://src/flac/main.c;beginline=1;endline=18;md5=893456854ce6bf14a1a7ea77266eebab \ + file://src/flac/main.c;beginline=1;endline=18;md5=23099119c034d894bd1bf7ef5bd22101 \ file://COPYING.LGPL;md5=fbc093901857fcd118f065f900982c24 \ -file://COPYING.Xiph;md5=3d6da238b5b57a0965d6730291119f65 \ +file://COPYING.Xiph;md5=0c90e41ab2fa7e69ca9391330d870221 \ file://include/FLAC/all.h;beginline=65;endline=70;md5=39aaf5e03c7364363884c8b8ddda8eea" SRC_URI = "http://downloads.xiph.org/releases/flac/${BP}.tar.xz"; -SRC_URI[sha256sum] = "e322d58a1f48d23d9dd38f432672865f6f79e73a6f9cc5a5f57fcaa83eb5a8e4" +SRC_URI[sha256sum] = "6c58e69cd22348f441b861092b825e591d0b822e106de6eb0ee4d05d27205b70" CVE_PRODUCT = "libflac flac&qu
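Review bot: the commit message reproduces the whole upstream 1.4.3 release-note list but does not say what changed in the recipe itself; the diffstat records 4 insertions and 6 deletions in flac_1.4.3.bb, while the visible @@ -5,15 +5,15 @@ hunk only swaps three LIC_FILES_CHKSUM md5 values and the SRC_URI sha256sum, so the two net deletions (the recipe-side removal that goes with the "All PowerPC-specific code has been removed" note) and the reason for each checksum change each need a line of their own in the message.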
[OE-core][master][PATCH] tiff: Security fix for CVE-2023-25434 and CVE-2023-26965
Upstream-Status: Backport from [https://gitlab.com/libtiff/libtiff/-/commit/69818e2f2d246e6631ac2a2da692c3706b849c38, https://gitlab.com/libtiff/libtiff/-/commit/ec8ef90c1f573c9eb1f17d6a056aa0015f184acf] Signed-off-by: Siddharth Doshi --- .../libtiff/files/CVE-2023-25434.patch| 159 ++ .../libtiff/files/CVE-2023-26965.patch| 99 +++ meta/recipes-multimedia/libtiff/tiff_4.5.0.bb | 2 + 3 files changed, 260 insertions(+) create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-25434.patch create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-25434.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-25434.patch new file mode 100644 index 00..a78c9709f9 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-25434.patch 
@@ -0,0 +1,159 @@ +From 69818e2f2d246e6631ac2a2da692c3706b849c38 Mon Sep 17 00:00:00 2001 +From: Su_Laus +Date: Sun, 29 Jan 2023 11:09:26 +0100 +Subject: [PATCH] tiffcrop: Amend rotateImage() not to toggle the input (main) + image width and length parameters when only cropped image sections are + rotated. Remove buffptr from region structure because never used. + +Closes #492 #493 #494 #495 #499 #518 #519 + +Upstream-Status: Backport from [https://gitlab.com/libtiff/libtiff/-/commit/69818e2f2d246e6631ac2a2da692c3706b849c38] +CVE: CVE-2023-25434 + +Signed-off-by: Siddharth Doshi +--- + tools/tiffcrop.c | 51 + 1 file changed, 30 insertions(+), 21 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index fc5b34b..6e1acc4 100644 +--- a/tools/tiffcrop.c b/tools/tiffcrop.c +@@ -296,7 +296,6 @@ struct region + uint32_t width;/* width in pixels */ + uint32_t length; /* length in pixels */ + uint32_t buffsize; /* size of buffer needed to hold the cropped region */ +-unsigned char *buffptr; /* address of start of the region */ + }; + + /* Cropping parameters from command line and image data +@@ -577,7 +576,7 @@ static int rotateContigSamples24bits(uint16_t, uint16_t, uint16_t, uint32_t, + static int rotateContigSamples32bits(uint16_t, uint16_t, uint16_t, uint32_t, + uint32_t, uint32_t, uint8_t *, uint8_t *); + static int rotateImage(uint16_t, struct image_data *, uint32_t *, uint32_t *, +- unsigned char **); ++ unsigned char **, int); + static int mirrorImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t, +unsigned char *); + static int invertImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t, +@@ -5779,7 +5778,6 @@ static void initCropMasks(struct crop_mask *cps) + cps->regionlist[i].width = 0; + cps->regionlist[i].length = 0; + cps->regionlist[i].buffsize = 0; +-cps->regionlist[i].buffptr = NULL; + cps->zonelist[i].position = 0; + cps->zonelist[i].total = 0; + } +@@ -7221,8 +7219,13 @@ static int correct_orientation(struct image_data *image, + return 
(-1); + } + +-if (rotateImage(rotation, image, &image->width, &image->length, +-work_buff_ptr)) ++/* Dummy variable in order not to switch two times the ++ * image->width,->length within rotateImage(), ++ * but switch xres, yres there. */ ++uint32_t width = image->width; ++uint32_t length = image->length; ++if (rotateImage(rotation, image, &width, &length, work_buff_ptr, ++TRUE)) + { + TIFFError("correct_orientation", "Unable to rotate image"); + return (-1); +@@ -7291,7 +7294,6 @@ static int extractCompositeRegions(struct image_data *image, + /* These should not be needed for composite images */ + crop->regionlist[i].width = crop_width; + crop->regionlist[i].length = crop_length; +-crop->regionlist[i].buffptr = crop_buff; + + src_rowsize = ((img_width * bps * spp) + 7) / 8; + dst_rowsize = (((crop_width * bps * count) + 7) / 8); +@@ -7552,7 +7554,6 @@ static int extractSeparateRegion(struct image_data *image, + + crop->regionlist[region].width = crop_width; + crop->regionlist[region].length = crop_length; +-crop->regionlist[region].buffptr = crop_buff; + + src = read_buff; + dst = crop_buff; +@@ -8543,7 +8544,7 @@ static int processCropSelections(struct image_data *image, + reallocate the buffer */ + { + if (rotateImage(crop->rotation, image, &crop->combined_width, +-&crop->combined_length, &crop_buff)) ++&crop->combined_length, &crop_buff, FALSE)) +
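Review bot: in the @@ -7221,8 +7219,13 @@ hunk the new locals `width` and `length` are handed to rotateImage() and never read afterwards, so their only purpose is to keep rotateImage() from swapping image->width/->length a second time through the out-pointers while it still updates the image itself; the comment ("Dummy variable in order not to switch two times ...") should say that explicitly, otherwise a later reader may "fix" the call by writing the locals back into image and reintroduce the double toggling the CVE fix removes. The same goes for the new trailing int argument (TRUE here, FALSE in processCropSelections()): a one-line description of what the flag selects belongs in the patch header.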
Re: [OE-core] [PATCH v6 1/2] RFC: cve-check: add option to add additional patched CVEs
Hi Sanjay,

I feel that the proposal by Andrej is a simpler one and makes me more inclined towards using it as compared to going to VEX status. I do agree that VEX is something which can be mapped, but at the end of the day it's always "simpler the better" and easy to maintain. Definitely, as mentioned by Richard, there would be a bit of copy/paste going forward, but it will be easier to maintain and understand rather than leaving confusing trails at some points down the line. Two statuses having one similar adoption can also add to confusion going forward. The proposal by Andrej is in line with https://lists.openembedded.org/g/openembedded-core/message/182855 and is better suited to avoid confusion.

Cheers,
Siddharth

View/Reply Online (#183170): https://lists.openembedded.org/g/openembedded-core/message/183170
Re: [OE-core] [dunfell][PATCHv2] curl: Security fix for CVE-2023-27534
Hi Steve,

Thank you for the feedback. I have added a better log to explain the reason for this additional patch and have sent v3. Please let me know if it works according to you.

Regards,
Siddharth

View/Reply Online (#181161): https://lists.openembedded.org/g/openembedded-core/message/181161
[OE-core][dunfell][PATCHv3] curl: Security fix for CVE-2023-27534
Upstream-Status: Backport from [https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6] Signed-off-by: Hitendra Prajapati Signed-off-by: Siddharth Doshi --- .../curl/curl/CVE-2023-27534-pre1.patch | 51 .../curl/curl/CVE-2023-27534.patch| 122 +++--- meta/recipes-support/curl/curl_7.69.1.bb | 1 + 3 files changed, 68 insertions(+), 106 deletions(-) create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch diff --git a/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch b/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch new file mode 100644 index 00..46c57afb73 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch 
@@ -0,0 +1,51 @@ +From 6c51adeb71da076c5c40a45e339e06bb4394a86b Mon Sep 17 00:00:00 2001 +From: Eric Vigeant +Date: Wed, 2 Nov 2022 11:47:09 -0400 +Subject: [PATCH] cur_path: do not add '/' if homedir ends with one + +When using SFTP and a path relative to the user home, do not add a +trailing '/' to the user home dir if it already ends with one. + +Closes #9844 + +CVE: CVE-2023-27534 +Note: +- The upstream patch for CVE-2023-27534 does three things: +1) creates new path with dynbuf(dynamic buffer) +2) solves the tilde error which causes CVE-2023-27534 +3) modifies the below added functionality to not add a trailing "/" to the user home dir if it already ends with one with dynbuf. +- dynbuf functionalities are added in curl in later versions and are not essential to fix the vulnerability but does add extra feature in later versions. +- This patch completes the 3rd task of the patch which was implemented without using dynbuf +Upstream-Status: Backport from [https://github.com/curl/curl/commit/6c51adeb71da076c5c40a45e339e06bb4394a86b] + +Signed-off-by: Hitendra Prajapati +Signed-off-by: Siddharth Doshi +--- + lib/curl_path.c | 10 +++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/lib/curl_path.c b/lib/curl_path.c +index f429634..40b92ee 100644 +--- a/lib/curl_path.c b/lib/curl_path.c +@@ -70,10 +70,14 @@ CURLcode Curl_getworkingpath(struct connectdata *conn, + /* It is referenced to the home directory, so strip the + leading '/' */ + memcpy(real_path, homedir, homelen); +- real_path[homelen] = '/'; +- real_path[homelen + 1] = '\0'; ++ /* Only add a trailing '/' if homedir does not end with one */ ++ if(homelen == 0 || real_path[homelen - 1] != '/') { ++real_path[homelen] = '/'; ++homelen++; ++real_path[homelen] = '\0'; ++ } + if(working_path_len > 3) { +-memcpy(real_path + homelen + 1, working_path + 3, ++memcpy(real_path + homelen, working_path + 3, +1 + working_path_len -3); + } + } +-- +2.24.4 + 
diff --git a/meta/recipes-support/curl/curl/CVE-2023-27534.patch b/meta/recipes-support/curl/curl/CVE-2023-27534.patch index aeeffd5fea..3ecd181290 100644 --- a/meta/recipes-support/curl/curl/CVE-2023-27534.patch +++ b/meta/recipes-support/curl/curl/CVE-2023-27534.patch @@ -3,121 +3,31 @@ From: Daniel Stenberg Date: Thu, 9 Mar 2023 16:22:11 +0100 Subject: [PATCH] curl_path: create the new path with dynbuf +Closes #10729 + CVE: CVE-2023-27534 -Upstream-Status: Backport [https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6] +Note: This patch is needed to backport CVE-2023-27534 +Upstream-Status: Backport from [https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6] Signed-off-by: Hitendra Prajapati +Signed-off-by: Siddharth Doshi --- - lib/curl_path.c | 71 - - 1 file changed, 35 insertions(+), 36 deletions(-) + lib/curl_path.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/curl_path.c b/lib/curl_path.c -index f429634..e17db4b 100644 +index 40b92ee..598c5dd 100644 --- a/lib/curl_path.c +++ b/lib/curl_path.c -@@ -30,6 +30,8 @@ - #include "escape.h" - #include "memdebug.h" - -+#define MAX_SSHPATH_LEN 10 /* arbitrary */ -+ - /* figure out the path to work with in this particular request */ - CURLcode Curl_getworkingpath(struct connectdata *conn, - char *homedir, /* when SFTP is used */ -@@ -37,60 +39,57 @@ CURLcode Curl_getworkingpath(struct connectdata *conn, - real path to work with */ - { - struct Curl_easy *data = conn->data; -- char *real_path = NULL; - char *working_path; - size_t working_path_len; -+ struct dynbuf npath; - CURLcode result = - Curl_urldecode(data, data->state.up.path, 0, &working_path, -&working_path_len, FALSE); - if(result) - return result; - -+ /* new path to switch to in case we need to */ -+
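Review bot: the @@ -70,10 +70,14 @@ hunk in CVE-2023-27534-pre1.patch keeps every write within the previous bound: when homedir already ends in '/', homelen is not incremented and the memcpy lands at real_path + homelen, one byte earlier than before; otherwise the '/' and NUL go to the same offsets the old code used and the memcpy target is unchanged, so the existing real_path allocation in Curl_getworkingpath() still suffices. That sentence belongs in the patch's Note: block, since it is the reason this pre-patch is safe without the dynbuf rewrite.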
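Review bot: the @@ -3,121 +3,31 @@ hunk shrinks CVE-2023-27534.patch from a 35-insertion/36-deletion dynbuf rewrite to a single-line change, but the retained header still reads "Subject: [PATCH] curl_path: create the new path with dynbuf" and the Note: only says the patch is needed; update the subject or the Note: to say that only the '/~/' handling part of commit 4e2b52b5 is applied here and the dynbuf conversion is deliberately left out, matching what the pre1 patch's Note: already explains.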
Re: [OE-core] [dunfell][PATCH] curl: CVE-2023-27534 SFTP path ~ resolving discrepancy
Hi Steve,

I have committed the modified patch on behalf of Hitendra as he is away for a few days. Please find the patch at -> https://lists.openembedded.org/g/openembedded-core/message/181154

I have verified that this builds fine with adding the "--with-libssh2" option also.

Regards,
Siddharth

View/Reply Online (#181155): https://lists.openembedded.org/g/openembedded-core/message/181155
[OE-core][dunfell][PATCHv2] curl: Security fix for CVE-2023-27534
Upstream-Status: Backport from [https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6] Signed-off-by: Hitendra Prajapati Signed-off-by: Siddharth Doshi --- .../curl/curl/CVE-2023-27534-pre1.patch | 44 +++ .../curl/curl/CVE-2023-27534.patch| 122 +++--- meta/recipes-support/curl/curl_7.69.1.bb | 1 + 3 files changed, 61 insertions(+), 106 deletions(-) create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch diff --git a/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch b/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch new file mode 100644 index 00..98b25a2fe5 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch 
@@ -0,0 +1,44 @@ +From 6c51adeb71da076c5c40a45e339e06bb4394a86b Mon Sep 17 00:00:00 2001 +From: Eric Vigeant +Date: Wed, 2 Nov 2022 11:47:09 -0400 +Subject: [PATCH] cur_path: do not add '/' if homedir ends with one + +When using SFTP and a path relative to the user home, do not add a +trailing '/' to the user home dir if it already ends with one. + +Closes #9844 + +CVE: CVE-2023-27534 +Note: This patch is needed to backport CVE-2023-27534 +Upstream-Status: Backport from [https://github.com/curl/curl/commit/6c51adeb71da076c5c40a45e339e06bb4394a86b] + +Signed-off-by: Siddharth Doshi +--- + lib/curl_path.c | 10 +++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/lib/curl_path.c b/lib/curl_path.c +index f429634..40b92ee 100644 +--- a/lib/curl_path.c b/lib/curl_path.c +@@ -70,10 +70,14 @@ CURLcode Curl_getworkingpath(struct connectdata *conn, + /* It is referenced to the home directory, so strip the + leading '/' */ + memcpy(real_path, homedir, homelen); +- real_path[homelen] = '/'; +- real_path[homelen + 1] = '\0'; ++ /* Only add a trailing '/' if homedir does not end with one */ ++ if(homelen == 0 || real_path[homelen - 1] != '/') { ++real_path[homelen] = '/'; ++homelen++; ++real_path[homelen] = '\0'; ++ } + if(working_path_len > 3) { +-memcpy(real_path + homelen + 1, working_path + 3, ++memcpy(real_path + homelen, working_path + 3, +1 + working_path_len -3); + } + } +-- +2.24.4 + diff --git a/meta/recipes-support/curl/curl/CVE-2023-27534.patch b/meta/recipes-support/curl/curl/CVE-2023-27534.patch index aeeffd5fea..3ecd181290 100644 --- a/meta/recipes-support/curl/curl/CVE-2023-27534.patch +++ b/meta/recipes-support/curl/curl/CVE-2023-27534.patch @@ -3,121 +3,31 @@ 
From: Daniel Stenberg Date: Thu, 9 Mar 2023 16:22:11 +0100 Subject: [PATCH] curl_path: create the new path with dynbuf +Closes #10729 + CVE: CVE-2023-27534 -Upstream-Status: Backport [https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6] +Note: This patch is needed to backport CVE-2023-27534 +Upstream-Status: Backport from [https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6] Signed-off-by: Hitendra Prajapati +Signed-off-by: Siddharth Doshi --- - lib/curl_path.c | 71 - - 1 file changed, 35 insertions(+), 36 deletions(-) + lib/curl_path.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/curl_path.c b/lib/curl_path.c -index f429634..e17db4b 100644 +index 40b92ee..598c5dd 100644 --- a/lib/curl_path.c +++ b/lib/curl_path.c -@@ -30,6 +30,8 @@ - #include "escape.h" - #include "memdebug.h" - -+#define MAX_SSHPATH_LEN 10 /* arbitrary */ -+ - /* figure out the path to work with in this particular request */ - CURLcode Curl_getworkingpath(struct connectdata *conn, - char *homedir, /* when SFTP is used */ -@@ -37,60 +39,57 @@ CURLcode Curl_getworkingpath(struct connectdata *conn, - real path to work with */ - { - struct Curl_easy *data = conn->data; -- char *real_path = NULL; - char *working_path; - size_t working_path_len; -+ struct dynbuf npath; - CURLcode result = - Curl_urldecode(data, data->state.up.path, 0, &working_path, -&working_path_len, FALSE); - if(result) - return result; - -+ /* new path to switch to in case we need to */ -+ Curl_dyn_init(&npath, MAX_SSHPATH_LEN); -+ - /* Check for /~/, indicating relative to the user's home directory */ -- if(conn->handler->protocol & CURLPROTO_SCP) { --real_path = malloc(working_path_len + 1); --if(real_path == NULL) { -+ if((data->conn->handler->protocol & CURLPROTO_SCP) && -+ (working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) { -+/* It is referenced to the home directory, so strip the leading '/~/' */ -+if(Curl_dyn_addn(&npa
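Review bot: the Note: line in CVE-2023-27534-pre1.patch ("This patch is needed to backport CVE-2023-27534") gives no reason why a non-security upstream commit (6c51adeb, "do not add '/' if homedir ends with one") has to come first; explain the dependency in the patch itself, for instance that the CVE fix's trailing-'/' handling builds on this change and that it is applied here without dynbuf, so the relationship between the two patch files is recorded where the next backporter will look.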
[OE-core][kirkstone][PATCH] curl: Security fix for CVE-2023-27535, CVE-2023-27536, CVE-2023-27538
From: Siddharth Doshi Upstream-Status: Backport from [https://github.com/curl/curl/commit/ed5095ed94281989e103c72e032200b83be37878, https://github.com/curl/curl/commit/8f4608468b890dce2dad9f91d5607ee7e9c1aba1, https://github.com/curl/curl/commit/af369db4d3833272b8ed443f7fcc2e757a0872eb, https://github.com/curl/curl/commit/af369db4d3833272b8ed443f7fcc2e757a0872eb] Signed-off-by: Siddharth Doshi --- .../curl/curl/CVE-2023-27535-pre1.patch | 196 ++ .../CVE-2023-27535_and_CVE-2023-27538.patch | 170 +++ .../curl/curl/CVE-2023-27536.patch| 52 + meta/recipes-support/curl/curl_7.82.0.bb | 3 + 4 files changed, 421 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27535-pre1.patch create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27535_and_CVE-2023-27538.patch create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27536.patch diff --git a/meta/recipes-support/curl/curl/CVE-2023-27535-pre1.patch b/meta/recipes-support/curl/curl/CVE-2023-27535-pre1.patch new file mode 100644 index 00..57e1cb9e13 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-27535-pre1.patch 
@@ -0,0 +1,196 @@ +From ed5095ed94281989e103c72e032200b83be37878 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 6 Oct 2022 00:49:10 +0200 +Subject: [PATCH] strcase: add and use Curl_timestrcmp + +This is a strcmp() alternative function for comparing "secrets", +designed to take the same time no matter the content to not leak +match/non-match info to observers based on how fast it is. + +The time this function takes is only a function of the shortest input +string. + +Reported-by: Trail of Bits + +Closes #9658 + +Upstream-Status: Backport from [https://github.com/curl/curl/commit/ed5095ed94281989e103c72e032200b83be37878] +Comment: to backport fix for CVE-2023-27535, add function Curl_timestrcmp. +Signed-off-by: Siddharth Doshi +--- + lib/netrc.c | 6 +++--- + lib/strcase.c | 22 ++ + lib/strcase.h | 1 + + lib/url.c | 33 + + lib/vauth/digest_sspi.c | 4 ++-- + lib/vtls/vtls.c | 4 ++-- + 6 files changed, 43 insertions(+), 27 deletions(-) + +diff --git a/lib/netrc.c b/lib/netrc.c +index 0a4ae2c..b771b60 100644 +--- a/lib/netrc.c b/lib/netrc.c +@@ -140,9 +140,9 @@ static int parsenetrc(const char *host, + /* we are now parsing sub-keywords concerning "our" host */ + if(state_login) { + if(specific_login) { +- state_our_login = strcasecompare(login, tok); ++ state_our_login = !Curl_timestrcmp(login, tok); + } +-else if(!login || strcmp(login, tok)) { ++else if(!login || Curl_timestrcmp(login, tok)) { + if(login_alloc) { + free(login); + login_alloc = FALSE; +@@ -158,7 +158,7 @@ static int parsenetrc(const char *host, + } + else if(state_password) { + if((state_our_login || !specific_login) +-&& (!password || strcmp(password, tok))) { ++ && (!password || Curl_timestrcmp(password, tok))) { + if(password_alloc) { + free(password); + password_alloc = FALSE; +diff --git a/lib/strcase.c b/lib/strcase.c +index 692a3f1..be085b3 100644 +--- a/lib/strcase.c b/lib/strcase.c +@@ -141,6 +141,28 @@ bool Curl_safecmp(char *a, char *b) + return !a && !b; + } + ++/* ++ * 
Curl_timestrcmp() returns 0 if the two strings are identical. The time this ++ * function spends is a function of the shortest string, not of the contents. ++ */ ++int Curl_timestrcmp(const char *a, const char *b) ++{ ++ int match = 0; ++ int i = 0; ++ ++ if(a && b) { ++while(1) { ++ match |= a[i]^b[i]; ++ if(!a[i] || !b[i]) ++break; ++ i++; ++} ++ } ++ else ++return a || b; ++ return match; ++} ++ + /* --- public functions --- */ + + int curl_strequal(const char *first, const char *second) +diff --git a/lib/strcase.h b/lib/strcase.h +index 382b80a..c6979da 100644 +--- a/lib/strcase.h b/lib/strcase.h +@@ -48,5 +48,6 @@ void Curl_strntoupper(char *dest, const char *src, size_t n); + void Curl_strntolower(char *dest, const char *src, size_t n); + + bool Curl_safecmp(char *a, char *b); ++int Curl_timestrcmp(const char *first, const char *second); + + #endif /* HEADER_CURL_STRCASE_H */ +diff --git a/lib/url.c b/lib/url.c +index df4377d..c397b57 100644 +--- a/lib/url.c b/lib/url.c +@@ -930,19 +930,10 @@ socks_proxy_info_matches(const struct proxy_info *data, + /* the user information is case-sensitive + or at least it is not defined as case-insensitive + see https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.1 */ +- if(!data->user != !needle->user) +-return FALSE; +- /* curl_s
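Review bot: the Upstream-Status list in the cover commit names four commit URLs for three CVEs, and the third and fourth entries are the same hash (af369db4d3833272b8ed443f7fcc2e757a0872eb); one of the three patch files in the diffstat therefore has no distinct upstream reference here, so replace the duplicate with the commit that file actually backports and check the per-file Upstream-Status lines against it.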
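Review bot: in the lib/netrc.c hunk `state_our_login = strcasecompare(login, tok)` becomes `!Curl_timestrcmp(login, tok)`, which changes the login match from case-insensitive to case-sensitive as well as making it constant-time; that is what upstream did, but it is a user-visible behaviour change for .netrc files whose login entries differ only in case, so the Comment: line in the patch header should mention it rather than only "add function Curl_timestrcmp".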
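Review bot: Curl_timestrcmp() as added in the lib/strcase.c hunk ORs `a[i]^b[i]` into `match` until either string ends, so its running time depends on the shorter input's length only, which is what the function comment promises; what the comment does not say is that when exactly one pointer is NULL the result is `a || b` (non-zero, i.e. mismatch), so a NULL-vs-string compare counts as not equal. Minor style point: the declaration added to strcase.h names the parameters `first, second` while the definition uses `a, b`.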
Re: [OE-core] [dunfell][PATCH] openssl: Fix CVE-2023-0464
Hi Nikhil,

Is this any different than https://lists.openembedded.org/g/openembedded-core/message/179335 ? Upon checking I didn't find any difference. However, if there is any difference or you feel that the previously sent patch was wrong, please re-name the patch you sent as v2.

Regards,
Siddharth

View/Reply Online (#179392): https://lists.openembedded.org/g/openembedded-core/message/179392
[OE-core][dunfell][PATCH] openssl: Security fix for CVE-2023-0464, CVE-2023-0465, CVE-2023-0466
From: Siddharth Doshi Upstream-Status: - CVE-2023-0464: Backport from [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=879f7080d7e141f415c79eaa3a8ac4a3dad0348b] - CVE-2023-0465: Backport from [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b013765abfa80036dc779dd0e50602c57bb3bf95] - CVE-2023-0466: Backport from [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0d16b7e99aafc0b4a6d729eec65a411a7e025f0a] Signed-off-by: Siddharth Doshi --- .../openssl/openssl/CVE-2023-0464.patch | 226 ++ .../openssl/openssl/CVE-2023-0465.patch | 58 + .../openssl/openssl/CVE-2023-0466.patch | 50 .../openssl/openssl_1.1.1t.bb | 3 + 4 files changed, 337 insertions(+) create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-0465.patch create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-0466.patch diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch new file mode 100644 index 00..04dbb40a39 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch 
@@ -0,0 +1,226 @@ +From 879f7080d7e141f415c79eaa3a8ac4a3dad0348b Mon Sep 17 00:00:00 2001 +From: Pauli +Date: Wed, 8 Mar 2023 15:28:20 +1100 +Subject: [PATCH] x509: excessive resource use verifying policy constraints + +A security vulnerability has been identified in all supported versions +of OpenSSL related to the verification of X.509 certificate chains +that include policy constraints. Attackers may be able to exploit this +vulnerability by creating a malicious certificate chain that triggers +exponential use of computational resources, leading to a denial-of-service +(DoS) attack on affected systems. + +Fixes CVE-2023-0464 + +Reviewed-by: Tomas Mraz +Reviewed-by: Shane Lontis +(Merged from https://github.com/openssl/openssl/pull/20569) + +Upstream-Status: Backport from [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=879f7080d7e141f415c79eaa3a8ac4a3dad0348b] +CVE: CVE-2023-0464 +Signed-off-by: Siddharth Doshi +--- + crypto/x509v3/pcy_local.h | 8 +++- + crypto/x509v3/pcy_node.c | 12 +--- + crypto/x509v3/pcy_tree.c | 37 +++-- + 3 files changed, 43 insertions(+), 14 deletions(-) + +diff --git a/crypto/x509v3/pcy_local.h b/crypto/x509v3/pcy_local.h +index 5daf78d..344aa06 100644 +--- a/crypto/x509v3/pcy_local.h b/crypto/x509v3/pcy_local.h +@@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st { + }; + + struct X509_POLICY_TREE_st { ++/* The number of nodes in the tree */ ++size_t node_count; ++/* The maximum number of nodes in the tree */ ++size_t node_maximum; ++ + /* This is the tree 'level' data */ + X509_POLICY_LEVEL *levels; + int nlevel; +@@ -159,7 +164,8 @@ X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk, + X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, + X509_POLICY_DATA *data, + X509_POLICY_NODE *parent, +- X509_POLICY_TREE *tree); ++ X509_POLICY_TREE *tree, ++ int extra_data); + void policy_node_free(X509_POLICY_NODE *node); + int policy_node_match(const X509_POLICY_LEVEL *lvl, + const X509_POLICY_NODE *node, const 
ASN1_OBJECT *oid); +diff --git a/crypto/x509v3/pcy_node.c b/crypto/x509v3/pcy_node.c +index e2d7b15..d574fb9 100644 +--- a/crypto/x509v3/pcy_node.c b/crypto/x509v3/pcy_node.c +@@ -59,10 +59,15 @@ X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level, + X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, + X509_POLICY_DATA *data, + X509_POLICY_NODE *parent, +- X509_POLICY_TREE *tree) ++ X509_POLICY_TREE *tree, ++ int extra_data) + { + X509_POLICY_NODE *node; + ++/* Verify that the tree isn't too large. This mitigates CVE-2023-0464 */ ++if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum) ++return NULL; ++ + node = OPENSSL_zalloc(sizeof(*node)); + if (node == NULL) { + X509V3err(X509V3_F_LEVEL_ADD_NODE, ERR_R_MALLOC_FAILURE); +@@ -70,7 +75,7 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, + } + node->data = data; + node->parent = parent; +-if (level) { ++if (level != NULL) { + if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) { + if (level->anyPolicy) + goto node_error; +@@ -90,7 +95,7 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, + }
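Review bot: in the pcy_node.c hunk the new cap check (`tree->node_maximum > 0 && tree->node_count >= tree->node_maximum`) returns NULL without raising anything, while the OPENSSL_zalloc failure a few lines below raises X509V3err(X509V3_F_LEVEL_ADD_NODE, ERR_R_MALLOC_FAILURE); a caller, and anyone reading the error queue afterwards, therefore cannot tell an over-sized policy tree from memory exhaustion. If the backport is meant to stay byte-identical to upstream that is acceptable, but say so in the patch header and note that the mitigation surfaces as a generic chain-verification failure, so that someone triaging a spike in X.509 policy verification errors on a 1.1.1t build knows what to look for.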
[OE-core][langdale][PATCHv2] openssl: Security fix for CVE-2023-0464, CVE-2023-0465, CVE-2023-0466
From: Siddharth Doshi Upstream-Status: - CVE-2023-0464: Backport from [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=959c59c7a0164117e7f8366466a32bb1f8d77ff1] - CVE-2023-0465: Backport from [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1dd43e0709fece299b15208f36cc7c76209ba0bb] - CVE-2023-0466: Backport from [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=51e8a84ce742db0f6c70510d0159dad8f7825908] Signed-off-by: Siddharth Doshi --- .../openssl/openssl/CVE-2023-0464.patch | 225 ++ .../openssl/openssl/CVE-2023-0465.patch | 56 + .../openssl/openssl/CVE-2023-0466.patch | 50 .../openssl/openssl_3.0.8.bb | 3 + 4 files changed, 334 insertions(+) create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-0465.patch create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-0466.patch diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch new file mode 100644 index 00..3b94c48e8d --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch 
@@ -0,0 +1,225 @@ +From 959c59c7a0164117e7f8366466a32bb1f8d77ff1 Mon Sep 17 00:00:00 2001 +From: Pauli +Date: Wed, 8 Mar 2023 15:28:20 +1100 +Subject: [PATCH] x509: excessive resource use verifying policy constraints + +A security vulnerability has been identified in all supported versions +of OpenSSL related to the verification of X.509 certificate chains +that include policy constraints. Attackers may be able to exploit this +vulnerability by creating a malicious certificate chain that triggers +exponential use of computational resources, leading to a denial-of-service +(DoS) attack on affected systems. + +Fixes CVE-2023-0464 + +Reviewed-by: Tomas Mraz +Reviewed-by: Shane Lontis +(Merged from https://github.com/openssl/openssl/pull/20568) + +Upstream-Status: Backport from [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=959c59c7a0164117e7f8366466a32bb1f8d77ff1] +CVE: CVE-2023-0464 +Signed-off-by: Siddharth Doshi +--- + crypto/x509/pcy_local.h | 8 +++- + crypto/x509/pcy_node.c | 12 +--- + crypto/x509/pcy_tree.c | 36 ++-- + 3 files changed, 42 insertions(+), 14 deletions(-) + +diff --git a/crypto/x509/pcy_local.h b/crypto/x509/pcy_local.h +index 18b53cc..cba107c 100644 +--- a/crypto/x509/pcy_local.h b/crypto/x509/pcy_local.h +@@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st { + }; + + struct X509_POLICY_TREE_st { ++/* The number of nodes in the tree */ ++size_t node_count; ++/* The maximum number of nodes in the tree */ ++size_t node_maximum; ++ + /* This is the tree 'level' data */ + X509_POLICY_LEVEL *levels; + int nlevel; +@@ -157,7 +162,8 @@ X509_POLICY_NODE *ossl_policy_tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk, + X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, + X509_POLICY_DATA *data, + X509_POLICY_NODE *parent, +- X509_POLICY_TREE *tree); ++ X509_POLICY_TREE *tree, ++ int extra_data); + void ossl_policy_node_free(X509_POLICY_NODE *node); + int ossl_policy_node_match(const X509_POLICY_LEVEL *lvl, +const X509_POLICY_NODE 
*node, const ASN1_OBJECT *oid); +diff --git a/crypto/x509/pcy_node.c b/crypto/x509/pcy_node.c +index 9d9a7ea..450f95a 100644 +--- a/crypto/x509/pcy_node.c b/crypto/x509/pcy_node.c +@@ -59,10 +59,15 @@ X509_POLICY_NODE *ossl_policy_level_find_node(const X509_POLICY_LEVEL *level, + X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, + X509_POLICY_DATA *data, + X509_POLICY_NODE *parent, +- X509_POLICY_TREE *tree) ++ X509_POLICY_TREE *tree, ++ int extra_data) + { + X509_POLICY_NODE *node; + ++/* Verify that the tree isn't too large. This mitigates CVE-2023-0464 */ ++if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum) ++return NULL; ++ + node = OPENSSL_zalloc(sizeof(*node)); + if (node == NULL) { + ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE); +@@ -70,7 +75,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, + } + node->data = data; + node->parent = parent; +-if (level) { ++if (level != NULL) { + if (OBJ_obj2nid(data->valid_policy) == NID_a
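Review bot: the cap in the pcy_node.c hunk is guarded by `tree->node_maximum > 0`, so with node_maximum left at zero the check is disabled and the fix is a no-op; the pcy_tree.c hunk that initialises node_maximum is not in this excerpt, so please confirm the patch file carries it and sets a non-zero limit wherever the X509_POLICY_TREE is allocated (if the tree is allocated with OPENSSL_zalloc, a missed initialisation silently turns the mitigation off instead of failing the build).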
[OE-core][kirkstone][PATCHv2] openssl: Security fix for CVE-2023-0464, CVE-2023-0465, CVE-2023-0466
From: Siddharth Doshi Upstream-Status: - CVE-2023-0464: Backport from [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=959c59c7a0164117e7f8366466a32bb1f8d77ff1] - CVE-2023-0465: Backport from [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1dd43e0709fece299b15208f36cc7c76209ba0bb] - CVE-2023-0466: Backport from [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=51e8a84ce742db0f6c70510d0159dad8f7825908] Signed-off-by: Siddharth Doshi --- .../openssl/openssl/CVE-2023-0464.patch | 225 ++ .../openssl/openssl/CVE-2023-0465.patch | 56 + .../openssl/openssl/CVE-2023-0466.patch | 50 .../openssl/openssl_3.0.8.bb | 3 + 4 files changed, 334 insertions(+) create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-0465.patch create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-0466.patch diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch new file mode 100644 index 00..3b94c48e8d --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch 
@@ -0,0 +1,225 @@ +From 959c59c7a0164117e7f8366466a32bb1f8d77ff1 Mon Sep 17 00:00:00 2001 +From: Pauli +Date: Wed, 8 Mar 2023 15:28:20 +1100 +Subject: [PATCH] x509: excessive resource use verifying policy constraints + +A security vulnerability has been identified in all supported versions +of OpenSSL related to the verification of X.509 certificate chains +that include policy constraints. Attackers may be able to exploit this +vulnerability by creating a malicious certificate chain that triggers +exponential use of computational resources, leading to a denial-of-service +(DoS) attack on affected systems. + +Fixes CVE-2023-0464 + +Reviewed-by: Tomas Mraz +Reviewed-by: Shane Lontis +(Merged from https://github.com/openssl/openssl/pull/20568) + +Upstream-Status: Backport from [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=959c59c7a0164117e7f8366466a32bb1f8d77ff1] +CVE: CVE-2023-0464 +Signed-off-by: Siddharth Doshi +--- + crypto/x509/pcy_local.h | 8 +++- + crypto/x509/pcy_node.c | 12 +--- + crypto/x509/pcy_tree.c | 36 ++-- + 3 files changed, 42 insertions(+), 14 deletions(-) + +diff --git a/crypto/x509/pcy_local.h b/crypto/x509/pcy_local.h +index 18b53cc..cba107c 100644 +--- a/crypto/x509/pcy_local.h b/crypto/x509/pcy_local.h +@@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st { + }; + + struct X509_POLICY_TREE_st { ++/* The number of nodes in the tree */ ++size_t node_count; ++/* The maximum number of nodes in the tree */ ++size_t node_maximum; ++ + /* This is the tree 'level' data */ + X509_POLICY_LEVEL *levels; + int nlevel; +@@ -157,7 +162,8 @@ X509_POLICY_NODE *ossl_policy_tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk, + X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, + X509_POLICY_DATA *data, + X509_POLICY_NODE *parent, +- X509_POLICY_TREE *tree); ++ X509_POLICY_TREE *tree, ++ int extra_data); + void ossl_policy_node_free(X509_POLICY_NODE *node); + int ossl_policy_node_match(const X509_POLICY_LEVEL *lvl, +const X509_POLICY_NODE 
*node, const ASN1_OBJECT *oid); +diff --git a/crypto/x509/pcy_node.c b/crypto/x509/pcy_node.c +index 9d9a7ea..450f95a 100644 +--- a/crypto/x509/pcy_node.c b/crypto/x509/pcy_node.c +@@ -59,10 +59,15 @@ X509_POLICY_NODE *ossl_policy_level_find_node(const X509_POLICY_LEVEL *level, + X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, + X509_POLICY_DATA *data, + X509_POLICY_NODE *parent, +- X509_POLICY_TREE *tree) ++ X509_POLICY_TREE *tree, ++ int extra_data) + { + X509_POLICY_NODE *node; + ++/* Verify that the tree isn't too large. This mitigates CVE-2023-0464 */ ++if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum) ++return NULL; ++ + node = OPENSSL_zalloc(sizeof(*node)); + if (node == NULL) { + ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE); +@@ -70,7 +75,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, + } + node->data = data; + node->parent = parent; +-if (level) { ++if (level != NULL) { + if (OBJ_obj2nid(data->valid_policy) == NID_a
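Review bot: the pcy_local.h hunk adds an `int extra_data` parameter to ossl_policy_level_add_node(), so every call site has to change or the build fails; the callers live in pcy_tree.c (36 lines in the stat) and are beyond this excerpt. Please confirm the patch applied cleanly on 3.0.8 with a full build rather than only `git apply`, and say which target you built in the cover letter, since a rejected pcy_tree.c hunk would be the only place a mismatch shows up.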
[OE-core][master][PATCH] openssh: upgrade 9.2p1 -> 9.3p1
From: Siddharth Doshi OpenSSH 9.3p1 fixes 1 HIGH level security vulnerability. Upgrade the recipe to point to 9.3p1. CVEs Fixed: 1) CVE-2023-28531 - ssh-add in OpenSSH before 9.3 adds smartcard keys to ssh-agent without the intended per-hop destination constraints. Signed-off-by: Siddharth Doshi --- .../openssh/{openssh_9.2p1.bb => openssh_9.3p1.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-connectivity/openssh/{openssh_9.2p1.bb => openssh_9.3p1.bb} (98%) diff --git a/meta/recipes-connectivity/openssh/openssh_9.2p1.bb b/meta/recipes-connectivity/openssh/openssh_9.3p1.bb similarity index 98% rename from meta/recipes-connectivity/openssh/openssh_9.2p1.bb rename to meta/recipes-connectivity/openssh/openssh_9.3p1.bb index 4666237d68..d3dedd1a5a 100644 --- a/meta/recipes-connectivity/openssh/openssh_9.2p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_9.3p1.bb @@ -25,7 +25,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar file://sshd_check_keys \ file://add-test-support-for-busybox.patch \ " -SRC_URI[sha256sum] = "3f66dbf1655fb45f50e1c56da62ab01218c228807b21338d634ebcdf9d71cf46" +SRC_URI[sha256sum] = "e9baba7701a76a51f3d85a62c383a3c9dcd97fa900b859bc7db114c1868af8a8" # This CVE is specific to OpenSSH with the pam opie which we don't build/use here CVE_CHECK_IGNORE += "CVE-2007-2768" -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#179147): https://lists.openembedded.org/g/openembedded-core/message/179147 Mute This Topic: https://lists.openembedded.org/mt/97877563/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
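Review bot: the only functional change is the sha256sum bump, but the commit message gives no source for the new checksum or for the CVE-2023-28531 description; add the OpenSSH 9.3 release notes URL and state that the tarball was checked against the upstream signature rather than that the checksum was copied from the downloaded file, so a reviewer can reproduce the verification. The unchanged `CVE_CHECK_IGNORE += "CVE-2007-2768"` line still applies to 9.3p1, so no recipe-side CVE metadata needs touching.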
Re: [OE-core] [kirkstone][PATCH] OpenSSL: Security fix for CVE-2023-0464
Hi Tim,

> Rather than backport, we should instead upgrade to 3.0.9
> https://www.cve.org/CVERecord?id=CVE-2023-0464

- Yes, upgrade is the ideal scenario we would be looking at. Even as per openssl.org the issue is solved in 3.0.9, 1.1.1u and 3.1.1, but those versions of OpenSSL (3.0.9, 3.1.1, 1.1.1u) are still under development and not yet released.
- I will definitely be keeping an eye out for those versions to be released and submit the version-up patches as soon as they are released, after checking API compatibility (which I feel won't be an issue).
- But, till the time those versions aren't released, this backport helps to patch a known CVE and hence I submitted it.

Regards,
Siddharth
[OE-core][master][PATCH] OpenSSL: Security fix for CVE-2023-0464
From: Siddharth Doshi Upstream-Status: Backport from [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2017771e2db3e2b96f89bbe8766c3209f6a99545] Signed-off-by: Siddharth Doshi --- .../openssl/openssl/CVE-2023-0464.patch | 226 ++ .../openssl/openssl_3.1.0.bb | 1 + 2 files changed, 227 insertions(+) create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch new file mode 100644 index 00..33b0bb6c79 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch 
@@ -0,0 +1,226 @@ +From 2017771e2db3e2b96f89bbe8766c3209f6a99545 Mon Sep 17 00:00:00 2001 +From: Pauli +Date: Wed, 8 Mar 2023 15:28:20 +1100 +Subject: [PATCH] x509: excessive resource use verifying policy constraints + +A security vulnerability has been identified in all supported versions +of OpenSSL related to the verification of X.509 certificate chains +that include policy constraints. Attackers may be able to exploit this +vulnerability by creating a malicious certificate chain that triggers +exponential use of computational resources, leading to a denial-of-service +(DoS) attack on affected systems. + +Fixes CVE-2023-0464 + +Reviewed-by: Tomas Mraz +Reviewed-by: Shane Lontis +(Merged from https://github.com/openssl/openssl/pull/20570) + +Upstream-Status: Backport from [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2017771e2db3e2b96f89bbe8766c3209f6a99545] +CVE: CVE-2023-0464 +Signed-off-by: Siddharth Doshi + +--- + crypto/x509/pcy_local.h | 8 +++- + crypto/x509/pcy_node.c | 12 +--- + crypto/x509/pcy_tree.c | 36 ++-- + 3 files changed, 42 insertions(+), 14 deletions(-) + +diff --git a/crypto/x509/pcy_local.h b/crypto/x509/pcy_local.h +index 18b53cc..cba107c 100644 +--- a/crypto/x509/pcy_local.h b/crypto/x509/pcy_local.h +@@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st { + }; + + struct X509_POLICY_TREE_st { ++/* The number of nodes in the tree */ ++size_t node_count; ++/* The maximum number of nodes in the tree */ ++size_t node_maximum; ++ + /* This is the tree 'level' data */ + X509_POLICY_LEVEL *levels; + int nlevel; +@@ -157,7 +162,8 @@ X509_POLICY_NODE *ossl_policy_tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk, + X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, + X509_POLICY_DATA *data, + X509_POLICY_NODE *parent, +- X509_POLICY_TREE *tree); ++ X509_POLICY_TREE *tree, ++ int extra_data); + void ossl_policy_node_free(X509_POLICY_NODE *node); + int ossl_policy_node_match(const X509_POLICY_LEVEL *lvl, +const 
X509_POLICY_NODE *node, const ASN1_OBJECT *oid); +diff --git a/crypto/x509/pcy_node.c b/crypto/x509/pcy_node.c +index 9d9a7ea..450f95a 100644 +--- a/crypto/x509/pcy_node.c b/crypto/x509/pcy_node.c +@@ -59,10 +59,15 @@ X509_POLICY_NODE *ossl_policy_level_find_node(const X509_POLICY_LEVEL *level, + X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, + X509_POLICY_DATA *data, + X509_POLICY_NODE *parent, +- X509_POLICY_TREE *tree) ++ X509_POLICY_TREE *tree, ++ int extra_data) + { + X509_POLICY_NODE *node; + ++/* Verify that the tree isn't too large. This mitigates CVE-2023-0464 */ ++if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum) ++return NULL; ++ + node = OPENSSL_zalloc(sizeof(*node)); + if (node == NULL) { + ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE); +@@ -70,7 +75,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, + } + node->data = data; + node->parent = parent; +-if (level) { ++if (level != NULL) { + if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) { + if (level->anyPolicy) + goto node_error; +@@ -90,7 +95,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, + } + } + +-if (tree) { ++if (extra_data) { + if (tree->extra_data == NULL) + tree->extra_data = sk_X509_POLICY_DATA_new_null(); + if (tree->extra_data == NULL){ +@@ -103,6 +108,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, + } + } + ++tree->node_count++; + if (parent) + parent-&g
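Review bot: in the pcy_node.c hunk `-if (tree) {` becomes `+if (extra_data) {`, and `++tree->node_count++;` (like the new cap check at the top of the function) dereferences tree unconditionally, so a NULL tree that the old code tolerated now crashes; every ossl_policy_level_add_node() caller must pass a valid tree. Those callers are in pcy_tree.c (36 lines in the stat) and are not in this excerpt, so confirm the patch file includes that hunk and that it applied on 3.1.0 without a conflict there.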
[OE-core][langdale][PATCH] OpenSSL: Security fix for CVE-2023-0464
From: Siddharth Doshi Upstream-Status: Backport from [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=959c59c7a0164117e7f8366466a32bb1f8d77ff1] Signed-off-by: Siddharth Doshi --- .../openssl/openssl/CVE-2023-0464.patch | 226 ++ .../openssl/openssl_3.0.8.bb | 1 + 2 files changed, 227 insertions(+) create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch new file mode 100644 index 00..69c7e2af67 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch 
@@ -0,0 +1,226 @@ +From 959c59c7a0164117e7f8366466a32bb1f8d77ff1 Mon Sep 17 00:00:00 2001 +From: Pauli +Date: Wed, 8 Mar 2023 15:28:20 +1100 +Subject: [PATCH] x509: excessive resource use verifying policy constraints + +A security vulnerability has been identified in all supported versions +of OpenSSL related to the verification of X.509 certificate chains +that include policy constraints. Attackers may be able to exploit this +vulnerability by creating a malicious certificate chain that triggers +exponential use of computational resources, leading to a denial-of-service +(DoS) attack on affected systems. + +Fixes CVE-2023-0464 + +Reviewed-by: Tomas Mraz +Reviewed-by: Shane Lontis +(Merged from https://github.com/openssl/openssl/pull/20568) + +Upstream-Status: Backport from +[https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=959c59c7a0164117e7f8366466a32bb1f8d77ff1] +CVE: CVE-2023-0464 +Signed-off-by: Siddharth Doshi +--- + crypto/x509/pcy_local.h | 8 +++- + crypto/x509/pcy_node.c | 12 +--- + crypto/x509/pcy_tree.c | 36 ++-- + 3 files changed, 42 insertions(+), 14 deletions(-) + +diff --git a/crypto/x509/pcy_local.h b/crypto/x509/pcy_local.h +index 18b53cc..cba107c 100644 +--- a/crypto/x509/pcy_local.h b/crypto/x509/pcy_local.h +@@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st { + }; + + struct X509_POLICY_TREE_st { ++/* The number of nodes in the tree */ ++size_t node_count; ++/* The maximum number of nodes in the tree */ ++size_t node_maximum; ++ + /* This is the tree 'level' data */ + X509_POLICY_LEVEL *levels; + int nlevel; +@@ -157,7 +162,8 @@ X509_POLICY_NODE *ossl_policy_tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk, + X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, + X509_POLICY_DATA *data, + X509_POLICY_NODE *parent, +- X509_POLICY_TREE *tree); ++ X509_POLICY_TREE *tree, ++ int extra_data); + void ossl_policy_node_free(X509_POLICY_NODE *node); + int ossl_policy_node_match(const X509_POLICY_LEVEL *lvl, +const X509_POLICY_NODE 
*node, const ASN1_OBJECT *oid); +diff --git a/crypto/x509/pcy_node.c b/crypto/x509/pcy_node.c +index 9d9a7ea..450f95a 100644 +--- a/crypto/x509/pcy_node.c b/crypto/x509/pcy_node.c +@@ -59,10 +59,15 @@ X509_POLICY_NODE *ossl_policy_level_find_node(const X509_POLICY_LEVEL *level, + X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, + X509_POLICY_DATA *data, + X509_POLICY_NODE *parent, +- X509_POLICY_TREE *tree) ++ X509_POLICY_TREE *tree, ++ int extra_data) + { + X509_POLICY_NODE *node; + ++/* Verify that the tree isn't too large. This mitigates CVE-2023-0464 */ ++if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum) ++return NULL; ++ + node = OPENSSL_zalloc(sizeof(*node)); + if (node == NULL) { + ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE); +@@ -70,7 +75,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, + } + node->data = data; + node->parent = parent; +-if (level) { ++if (level != NULL) { + if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) { + if (level->anyPolicy) + goto node_error; +@@ -90,7 +95,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, + } + } + +-if (tree) { ++if (extra_data) { + if (tree->extra_data == NULL) + tree->extra_data = sk_X509_POLICY_DATA_new_null(); + if (tree->extra_data == NULL){ +@@ -103,6 +108,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, + } + } + ++tree->node_count++; + if (parent) + parent-&g
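Review bot: in the patch header `+Upstream-Status: Backport from` and the URL `+[https://git.openssl.org/...]` are on separate lines; the tag is expected on one line (the other patches in this series and the 1.1.1/3.1 variants of the same backport keep it on one), and line-based tooling that greps for `Upstream-Status:` will read an incomplete value. Join the two lines.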
[OE-core][kirkstone][PATCH] OpenSSL: Security fix for CVE-2023-0464
From: Siddharth Doshi Upstream-Status: Backport from [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=959c59c7a0164117e7f8366466a32bb1f8d77ff1] Signed-off-by: Siddharth Doshi --- .../openssl/openssl/CVE-2023-0464.patch | 226 ++ .../openssl/openssl_3.0.8.bb | 1 + 2 files changed, 227 insertions(+) create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch new file mode 100644 index 00..69c7e2af67 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch 
@@ -0,0 +1,226 @@ +From 959c59c7a0164117e7f8366466a32bb1f8d77ff1 Mon Sep 17 00:00:00 2001 +From: Pauli +Date: Wed, 8 Mar 2023 15:28:20 +1100 +Subject: [PATCH] x509: excessive resource use verifying policy constraints + +A security vulnerability has been identified in all supported versions +of OpenSSL related to the verification of X.509 certificate chains +that include policy constraints. Attackers may be able to exploit this +vulnerability by creating a malicious certificate chain that triggers +exponential use of computational resources, leading to a denial-of-service +(DoS) attack on affected systems. + +Fixes CVE-2023-0464 + +Reviewed-by: Tomas Mraz +Reviewed-by: Shane Lontis +(Merged from https://github.com/openssl/openssl/pull/20568) + +Upstream-Status: Backport from +[https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=959c59c7a0164117e7f8366466a32bb1f8d77ff1] +CVE: CVE-2023-0464 +Signed-off-by: Siddharth Doshi +--- + crypto/x509/pcy_local.h | 8 +++- + crypto/x509/pcy_node.c | 12 +--- + crypto/x509/pcy_tree.c | 36 ++-- + 3 files changed, 42 insertions(+), 14 deletions(-) + +diff --git a/crypto/x509/pcy_local.h b/crypto/x509/pcy_local.h +index 18b53cc..cba107c 100644 +--- a/crypto/x509/pcy_local.h b/crypto/x509/pcy_local.h +@@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st { + }; + + struct X509_POLICY_TREE_st { ++/* The number of nodes in the tree */ ++size_t node_count; ++/* The maximum number of nodes in the tree */ ++size_t node_maximum; ++ + /* This is the tree 'level' data */ + X509_POLICY_LEVEL *levels; + int nlevel; +@@ -157,7 +162,8 @@ X509_POLICY_NODE *ossl_policy_tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk, + X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, + X509_POLICY_DATA *data, + X509_POLICY_NODE *parent, +- X509_POLICY_TREE *tree); ++ X509_POLICY_TREE *tree, ++ int extra_data); + void ossl_policy_node_free(X509_POLICY_NODE *node); + int ossl_policy_node_match(const X509_POLICY_LEVEL *lvl, +const X509_POLICY_NODE 
*node, const ASN1_OBJECT *oid); +diff --git a/crypto/x509/pcy_node.c b/crypto/x509/pcy_node.c +index 9d9a7ea..450f95a 100644 +--- a/crypto/x509/pcy_node.c b/crypto/x509/pcy_node.c +@@ -59,10 +59,15 @@ X509_POLICY_NODE *ossl_policy_level_find_node(const X509_POLICY_LEVEL *level, + X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, + X509_POLICY_DATA *data, + X509_POLICY_NODE *parent, +- X509_POLICY_TREE *tree) ++ X509_POLICY_TREE *tree, ++ int extra_data) + { + X509_POLICY_NODE *node; + ++/* Verify that the tree isn't too large. This mitigates CVE-2023-0464 */ ++if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum) ++return NULL; ++ + node = OPENSSL_zalloc(sizeof(*node)); + if (node == NULL) { + ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE); +@@ -70,7 +75,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, + } + node->data = data; + node->parent = parent; +-if (level) { ++if (level != NULL) { + if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) { + if (level->anyPolicy) + goto node_error; +@@ -90,7 +95,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, + } + } + +-if (tree) { ++if (extra_data) { + if (tree->extra_data == NULL) + tree->extra_data = sk_X509_POLICY_DATA_new_null(); + if (tree->extra_data == NULL){ +@@ -103,6 +108,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, + } + } + ++tree->node_count++; + if (parent) + parent-&g
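Review bot: the `+Upstream-Status: Backport from` line in the patch header is wrapped, with the URL on the following `+[https://git.openssl.org/...]` line, so anything that parses the tag line by line sees only "Backport from"; keep the tag and its URL on a single line, as the 3.1.0 version of this same patch does.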
[OE-core][langdale][PATCHv2] harfbuzz: Security fix for CVE-2023-25193
Upstream-Status: Backport from [https://github.com/harfbuzz/harfbuzz/commit/8708b9e081192786c027bb7f5f23d76dbe5c19e8] Signed-off-by: Siddharth Doshi --- .../harfbuzz/CVE-2023-25193-pre1.patch| 135 .../harfbuzz/harfbuzz/CVE-2023-25193.patch| 192 ++ .../harfbuzz/harfbuzz_5.1.0.bb| 2 + 3 files changed, 329 insertions(+) create mode 100644 meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193-pre1.patch create mode 100644 meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193.patch diff --git a/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193-pre1.patch b/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193-pre1.patch new file mode 100644 index 00..47d2d7c270 --- /dev/null +++ b/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193-pre1.patch 
@@ -0,0 +1,135 @@ +From b29fbd16fa82b82bdf0dcb2f13a63f7dc23cf324 Mon Sep 17 00:00:00 2001 +From: Behdad Esfahbod +Date: Mon, 6 Feb 2023 13:08:52 -0700 +Subject: [PATCH] [gsubgpos] Refactor skippy_iter.match() + +Upstream-Status: Backport from [https://github.com/harfbuzz/harfbuzz/commit/b29fbd16fa82b82bdf0dcb2f13a63f7dc23cf324] +Comment1: To backport the fix for CVE-2023-25193, add defination for MATCH, NOT_MATCH and SKIP. +Signed-off-by: Siddharth Doshi +--- + src/hb-ot-layout-gsubgpos.hh | 94 +--- + 1 file changed, 54 insertions(+), 40 deletions(-) + +diff --git a/src/hb-ot-layout-gsubgpos.hh b/src/hb-ot-layout-gsubgpos.hh +index c77ec12..04b823e 100644 +--- a/src/hb-ot-layout-gsubgpos.hh b/src/hb-ot-layout-gsubgpos.hh +@@ -532,33 +532,52 @@ struct hb_ot_apply_context_t : + may_skip (const hb_glyph_info_t &info) const + { return matcher.may_skip (c, info); } + ++enum match_t { ++ MATCH, ++ NOT_MATCH, ++ SKIP ++}; ++ ++match_t match (hb_glyph_info_t &info) ++{ ++ matcher_t::may_skip_t skip = matcher.may_skip (c, info); ++ if (unlikely (skip == matcher_t::SKIP_YES)) ++ return SKIP; ++ ++ matcher_t::may_match_t match = matcher.may_match (info, get_glyph_data ()); ++ if (match == matcher_t::MATCH_YES || ++(match == matcher_t::MATCH_MAYBE && ++ skip == matcher_t::SKIP_NO)) ++ return MATCH; ++ ++ if (skip == matcher_t::SKIP_NO) ++return NOT_MATCH; ++ ++ return SKIP; ++ } ++ + bool next (unsigned *unsafe_to = nullptr) + { + assert (num_items > 0); + while (idx + num_items < end) + { + idx++; +- hb_glyph_info_t &info = c->buffer->info[idx]; +- +- matcher_t::may_skip_t skip = matcher.may_skip (c, info); +- if (unlikely (skip == matcher_t::SKIP_YES)) +-continue; +- +- matcher_t::may_match_t match = matcher.may_match (info, get_glyph_data ()); +- if (match == matcher_t::MATCH_YES || +- (match == matcher_t::MATCH_MAYBE && +- skip == matcher_t::SKIP_NO)) +- { +-num_items--; +-advance_glyph_data (); +-return true; +- } +- +- if (skip == matcher_t::SKIP_NO) ++ switch (match 
(c->buffer->info[idx])) + { +-if (unsafe_to) +- *unsafe_to = idx + 1; +-return false; ++case MATCH: ++{ ++ num_items--; ++ advance_glyph_data (); ++ return true; ++} ++case NOT_MATCH: ++{ ++ if (unsafe_to) ++*unsafe_to = idx + 1; ++ return false; ++} ++case SKIP: ++ continue; + } + } + if (unsafe_to) +@@ -571,27 +590,22 @@ struct hb_ot_apply_context_t : + while (idx > num_items - 1) + { + idx--; +- hb_glyph_info_t &info = c->buffer->out_info[idx]; +- +- matcher_t::may_skip_t skip = matcher.may_skip (c, info); +- if (unlikely (skip == matcher_t::SKIP_YES)) +-continue; +- +- matcher_t::may_match_t match = matcher.may_match (info, get_glyph_data ()); +- if (match == matcher_t::MATCH_YES || +- (match == matcher_t::MATCH_MAYBE && +- skip == matcher_t::SKIP_NO)) +- { +-num_items--; +-advance_glyph_data (); +-return true; +- } +- +- if (skip == matcher_t::SKIP_NO) ++ switch (match (c->buffer->out_info[idx])) + { +-if (unsafe_from) +- *unsafe_from = hb_max (1u, idx) - 1u; +-return false; ++case MATCH: ++{ ++ num_items--; ++ advance_glyph_data (); ++ return true; ++} ++case NOT_MATCH: ++{ ++ if (unsafe_from) ++*unsafe_from = hb_max (1u, idx) - 1u; ++ return false; ++} ++case SKIP: ++ continue; + } + } + if (unsafe_from) +-- +2.25.1 + diff --git a/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193.patch b/meta/recipes-graphics/har
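Review bot: `defination` in the `+Comment1:` header line should be `definition`. Since this prerequisite lands on a stable branch, the header should also state that the refactor is behaviour-preserving: the new match() maps SKIP_YES to SKIP, MATCH_YES or (MATCH_MAYBE with SKIP_NO) to MATCH, SKIP_NO to NOT_MATCH and everything else to SKIP, which is exactly the old if/continue sequence in next() and prev(), so its only purpose is to expose match() and the MATCH/NOT_MATCH/SKIP enum that CVE-2023-25193.patch needs.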
[OE-core][langdale][PATCH] harfbuzz: Security fix for CVE-2023-25193
From: Siddharth Doshi Upstream-Status: Backport from [https://github.com/harfbuzz/harfbuzz/commit/8708b9e081192786c027bb7f5f23d76dbe5c19e8] Signed-off-by: Siddharth Doshi --- .../harfbuzz/harfbuzz/CVE-2023-25193.patch| 191 ++ .../harfbuzz/harfbuzz_5.1.0.bb| 1 + 2 files changed, 192 insertions(+) create mode 100644 meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193.patch diff --git a/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193.patch b/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193.patch new file mode 100644 index 00..b72e23aa83 --- /dev/null +++ b/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193.patch 
@@ -0,0 +1,191 @@ +From 8708b9e081192786c027bb7f5f23d76dbe5c19e8 Mon Sep 17 00:00:00 2001 +From: Behdad Esfahbod +Date: Mon, 6 Feb 2023 14:51:25 -0700 +Subject: [PATCH] [GPOS] Avoid O(n^2) behavior in mark-attachment + +Better implementation; avoids arbitrary limit on look-back. +Upstream-Status: Backport from [https://github.com/harfbuzz/harfbuzz/commit/8708b9e081192786c027bb7f5f23d76dbe5c19e8] +CVE: CVE-2023-25193 +Signed-off-by: Siddharth Doshi +--- + src/OT/Layout/GPOS/MarkBasePosFormat1.hh | 76 +++- + src/OT/Layout/GPOS/MarkLigPosFormat1.hh | 24 ++-- + src/hb-ot-layout-gsubgpos.hh | 5 +- + 3 files changed, 69 insertions(+), 36 deletions(-) + +diff --git a/src/OT/Layout/GPOS/MarkBasePosFormat1.hh b/src/OT/Layout/GPOS/MarkBasePosFormat1.hh +index ebb8c31..73839a4 100644 +--- a/src/OT/Layout/GPOS/MarkBasePosFormat1.hh b/src/OT/Layout/GPOS/MarkBasePosFormat1.hh +@@ -90,6 +90,25 @@ struct MarkBasePosFormat1_2 + + const Coverage &get_coverage () const { return this+markCoverage; } + ++ static inline bool accept (hb_buffer_t *buffer, unsigned idx) ++ { ++/* We only want to attach to the first of a MultipleSubst sequence. ++ * https://github.com/harfbuzz/harfbuzz/issues/740 ++ * Reject others... 
++ * ...but stop if we find a mark in the MultipleSubst sequence: ++ * https://github.com/harfbuzz/harfbuzz/issues/1020 */ ++return !_hb_glyph_info_multiplied (&buffer->info[idx]) || ++ 0 == _hb_glyph_info_get_lig_comp (&buffer->info[idx]) || ++ (idx == 0 || ++ _hb_glyph_info_is_mark (&buffer->info[idx - 1]) || ++ !_hb_glyph_info_multiplied (&buffer->info[idx - 1]) || ++ _hb_glyph_info_get_lig_id (&buffer->info[idx]) != ++ _hb_glyph_info_get_lig_id (&buffer->info[idx - 1]) || ++ _hb_glyph_info_get_lig_comp (&buffer->info[idx]) != ++ _hb_glyph_info_get_lig_comp (&buffer->info[idx - 1]) + 1 ++ ); ++ } ++ + bool apply (hb_ot_apply_context_t *c) const + { + TRACE_APPLY (this); +@@ -97,48 +116,47 @@ struct MarkBasePosFormat1_2 + unsigned int mark_index = (this+markCoverage).get_coverage (buffer->cur().codepoint); + if (likely (mark_index == NOT_COVERED)) return_trace (false); + +-/* Now we search backwards for a non-mark glyph */ ++/* Now we search backwards for a non-mark glyph. ++ * We don't use skippy_iter.prev() to avoid O(n^2) behavior. */ ++ + hb_ot_apply_context_t::skipping_iterator_t &skippy_iter = c->iter_input; +-skippy_iter.reset (buffer->idx, 1); + skippy_iter.set_lookup_props (LookupFlag::IgnoreMarks); +-do { +- unsigned unsafe_from; +- if (!skippy_iter.prev (&unsafe_from)) ++ ++unsigned j; ++for (j = buffer->idx; j > c->last_base_until; j--) ++{ ++ auto match = skippy_iter.match (buffer->info[j - 1]); ++ if (match == skippy_iter.MATCH) + { +-buffer->unsafe_to_concat_from_outbuffer (unsafe_from, buffer->idx + 1); +-return_trace (false); ++ if (!accept (buffer, j - 1)) ++match = skippy_iter.SKIP; + } ++ if (match == skippy_iter.MATCH) ++ { ++ c->last_base = (signed) j - 1; ++ break; ++ } ++} ++c->last_base_until = buffer->idx; ++if (c->last_base == -1) ++{ ++ buffer->unsafe_to_concat_from_outbuffer (0, buffer->idx + 1); ++ return_trace (false); ++} + +- /* We only want to attach to the first of a MultipleSubst sequence. 
+- * https://github.com/harfbuzz/harfbuzz/issues/740 +- * Reject others... +- * ...but stop if we find a mark in the MultipleSubst sequence: +- * https://github.com/harfbuzz/harfbuzz/issues/1020 */ +- if (!_hb_glyph_info_multiplied (&buffer->info[skippy_iter.idx]) || +- 0 == _hb_glyph_info_get_lig_comp (&buffer->info[skippy_iter.idx]) || +- (skippy_iter.idx == 0 || +- _hb_glyph_info_is_mark (&buffer->info[skippy_iter.idx - 1]) || +- !_hb_glyph_info_multiplied (&buffer->info[skippy_iter.idx - 1]) || +- _hb_glyph_info_get_lig_id (&buffer->info[sk
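Review bot: the patch header's `+Upstream-Status: Backport from [https://github.com/harfbuzz/harfbuzz/commit/8708b9e081192786c027bb7f5f23d76dbe5c19e8]` does not follow the oe-core format, which is `Upstream-Status: Backport [URL]` with no `from`; please drop that word so the status line matches the convention the patch tooling expects. The `accept()` hunk itself is, as far as the excerpt shows, a verbatim lift of the predicate removed further down, including the `idx == 0 ||` short-circuit that guards the `buffer->info[idx - 1]` reads, so there is nothing else to flag there.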
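Review bot: the rewritten search in `apply()` depends on `c->last_base` and `c->last_base_until`, two new members of `hb_ot_apply_context_t`; the 5-line change to `src/hb-ot-layout-gsubgpos.hh` in the diffstat presumably adds them, but that hunk is not visible here, so please confirm they are initialised per apply context (`last_base = -1`, `last_base_until = 0`) rather than left uninitialised. The only guard on the cached value is `if (c->last_base == -1)`, and a stale `last_base` carried over from an earlier lookup would be used as an index into `buffer->info` with no bounds check. Also worth a line in the commit message: the no-base failure path now calls `buffer->unsafe_to_concat_from_outbuffer (0, buffer->idx + 1)`, marking from position 0 instead of from the old `unsafe_from`, which is wider but conservative.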
[OE-core][dunfell][PATCH] harfbuzz: Security fix for CVE-2023-25193
From: Siddharth Doshi

Upstream-Status: Backport from [https://github.com/harfbuzz/harfbuzz/commit/8708b9e081192786c027bb7f5f23d76dbe5c19e8]

Signed-off-by: Siddharth Doshi
---
 .../harfbuzz/CVE-2023-25193-pre0.patch| 335 ++
 .../harfbuzz/CVE-2023-25193-pre1.patch| 135 +++
 .../harfbuzz/harfbuzz/CVE-2023-25193.patch| 179 ++
 .../harfbuzz/harfbuzz_2.6.4.bb| 5 +-
 4 files changed, 653 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193-pre0.patch
 create mode 100644 meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193-pre1.patch
 create mode 100644 meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193.patch

diff --git a/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193-pre0.patch b/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193-pre0.patch
new file mode 100644
index 00..90d4cfefb4
--- /dev/null
+++ b/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193-pre0.patch
@@ -0,0 +1,335 @@ +From 3122c2cdc45a964efedad8953a2df67205c3e3a8 Mon Sep 17 00:00:00 2001 +From: Behdad Esfahbod +Date: Sat, 4 Dec 2021 19:50:33 -0800 +Subject: [PATCH] [buffer] Add HB_GLYPH_FLAG_UNSAFE_TO_CONCAT + +Fixes https://github.com/harfbuzz/harfbuzz/issues/1463 +Upstream-Status: Backport from [https://github.com/harfbuzz/harfbuzz/commit/3122c2cdc45a964efedad8953a2df67205c3e3a8] +Comment1: To backport the fix for CVE-2023-25193, add defination for HB_GLYPH_FLAG_UNSAFE_TO_CONCAT. This patch is needed along with CVE-2023-25193-pre1.patch for sucessfull porting. +Signed-off-by: Siddharth Doshi +--- + src/hb-buffer.cc | 10 ++--- + src/hb-buffer.h | 76 ++-- + src/hb-buffer.hh | 33 ++-- + src/hb-ot-layout-gsubgpos.hh | 39 +++--- + src/hb-ot-shape.cc | 8 +--- + 5 files changed, 124 insertions(+), 42 deletions(-) + +diff --git a/src/hb-buffer.cc b/src/hb-buffer.cc +index 6131c86..bba5eae 100644 +--- a/src/hb-buffer.cc b/src/hb-buffer.cc +@@ -610,14 +610,14 @@ done: + } + + void +-hb_buffer_t::unsafe_to_break_impl (unsigned int start, unsigned int end) ++hb_buffer_t::unsafe_to_break_impl (unsigned int start, unsigned int end, hb_mask_t mask) + { + unsigned int cluster = (unsigned int) -1; + cluster = _unsafe_to_break_find_min_cluster (info, start, end, cluster); +- _unsafe_to_break_set_mask (info, start, end, cluster); ++ _unsafe_to_break_set_mask (info, start, end, cluster, mask); + } + void +-hb_buffer_t::unsafe_to_break_from_outbuffer (unsigned int start, unsigned int end) ++hb_buffer_t::unsafe_to_break_from_outbuffer (unsigned int start, unsigned int end, hb_mask_t mask) + { + if (!have_output) + { +@@ -631,8 +631,8 @@ hb_buffer_t::unsafe_to_break_from_outbuffer (unsigned int start, unsigned int en + unsigned int cluster = (unsigned int) -1; + cluster = _unsafe_to_break_find_min_cluster (out_info, start, out_len, cluster); + cluster = _unsafe_to_break_find_min_cluster (info, idx, end, cluster); +- _unsafe_to_break_set_mask (out_info, start, out_len, cluster); +- 
_unsafe_to_break_set_mask (info, idx, end, cluster); ++ _unsafe_to_break_set_mask (out_info, start, out_len, cluster, mask); ++ _unsafe_to_break_set_mask (info, idx, end, cluster, mask); + } + + void +diff --git a/src/hb-buffer.h b/src/hb-buffer.h +index d5cb746..42dc92a 100644 +--- a/src/hb-buffer.h b/src/hb-buffer.h +@@ -77,26 +77,76 @@ typedef struct hb_glyph_info_t + * @HB_GLYPH_FLAG_UNSAFE_TO_BREAK: Indicates that if input text is broken at the + * beginning of the cluster this glyph is part of, + * then both sides need to be re-shaped, as the +- * result might be different. On the flip side, +- * it means that when this flag is not present, +- * then it's safe to break the glyph-run at the +- * beginning of this cluster, and the two sides +- * represent the exact same result one would get +- * if breaking input text at the beginning of +- * this cluster and shaping the two sides +- * separately. This can be used to optimize +- * paragraph layout, by avoiding re-shaping +- * of each line after line-breaking, or limiting +- * the reshaping to a small piece around the +- * breaking point only. ++ * result might be different. ++ * ++ * On the flip side, it means that when this ++ * flag is not present, then it is safe to break ++ * the glyph-run a
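Review bot: both hunks in `src/hb-buffer.cc` add a `hb_mask_t mask` parameter to `unsafe_to_break_impl` and `unsafe_to_break_from_outbuffer` and forward it as `_unsafe_to_break_set_mask (..., cluster, mask)`, but the matching change to `_unsafe_to_break_set_mask` and to the in-class declarations lives in `src/hb-buffer.hh`, which the diffstat lists (33 lines) and this excerpt does not show. Please double-check that part of the backport against upstream 3122c2c, since existing callers of the old two-argument signatures in the 2.6.4 tree would otherwise fail to compile.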
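Review bot: per `Comment1` this pre-patch adds a new public enum value, `HB_GLYPH_FLAG_UNSAFE_TO_CONCAT`, with `src/hb-buffer.h` gaining 76 lines, so it is an API addition to a dunfell recipe rather than a minimal fix; that is acceptable for the CVE backport but should be stated in the commit message so maintainers know the installed header changes. Two typos in the same `Comment1` line while you respin: `defination` should be `definition` and `sucessfull` should be `successful`.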
Re: [OE-core] [kirkstone][dunfell] CVE-2023-25193 fix request
The backport was a bit tricky but I feel it's done. I have submitted it for the kirkstone branch and all the tests passed on my end. Will be submitting it for dunfell soon too. Let me know in case the problem still persists. If it passes, I am happy to help :)

Regards,
Siddharth

View/Reply Online (#178312): https://lists.openembedded.org/g/openembedded-core/message/178312
[OE-core][kirkstone][PATCH] harfbuzz: Security fix for CVE-2023-25193
From: Siddharth Doshi

Upstream-Status: Backport from [https://github.com/harfbuzz/harfbuzz/commit/8708b9e081192786c027bb7f5f23d76dbe5c19e8]

Signed-off-by: Siddharth Doshi
---
 .../harfbuzz/CVE-2023-25193-pre1.patch| 135 +
 .../harfbuzz/harfbuzz/CVE-2023-25193.patch| 185 ++
 .../harfbuzz/harfbuzz_4.0.1.bb| 4 +-
 3 files changed, 323 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193-pre1.patch
 create mode 100644 meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193.patch

diff --git a/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193-pre1.patch b/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193-pre1.patch
new file mode 100644
index 00..6721b1bd70
--- /dev/null
+++ b/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193-pre1.patch
@@ -0,0 +1,135 @@ +From b29fbd16fa82b82bdf0dcb2f13a63f7dc23cf324 Mon Sep 17 00:00:00 2001 +From: Behdad Esfahbod +Date: Mon, 6 Feb 2023 13:08:52 -0700 +Subject: [PATCH] [gsubgpos] Refactor skippy_iter.match() + +Upstream-Status: Backport from [https://github.com/harfbuzz/harfbuzz/commit/b29fbd16fa82b82bdf0dcb2f13a63f7dc23cf324] +Comment1: To backport the fix for CVE-2023-25193, add defination for MATCH, NOT_MATCH and SKIP. +Signed-off-by: Siddharth +--- + src/hb-ot-layout-gsubgpos.hh | 94 +--- + 1 file changed, 54 insertions(+), 40 deletions(-) + +diff --git a/src/hb-ot-layout-gsubgpos.hh b/src/hb-ot-layout-gsubgpos.hh +index d9a068c..d17a4da 100644 +--- a/src/hb-ot-layout-gsubgpos.hh b/src/hb-ot-layout-gsubgpos.hh +@@ -522,33 +522,52 @@ struct hb_ot_apply_context_t : + may_skip (const hb_glyph_info_t &info) const + { return matcher.may_skip (c, info); } + ++enum match_t { ++ MATCH, ++ NOT_MATCH, ++ SKIP ++}; ++ ++match_t match (hb_glyph_info_t &info) ++{ ++ matcher_t::may_skip_t skip = matcher.may_skip (c, info); ++ if (unlikely (skip == matcher_t::SKIP_YES)) ++ return SKIP; ++ ++ matcher_t::may_match_t match = matcher.may_match (info, match_glyph_data); ++ if (match == matcher_t::MATCH_YES || ++(match == matcher_t::MATCH_MAYBE && ++ skip == matcher_t::SKIP_NO)) ++ return MATCH; ++ ++ if (skip == matcher_t::SKIP_NO) ++return NOT_MATCH; ++ ++ return SKIP; ++ } ++ + bool next (unsigned *unsafe_to = nullptr) + { + assert (num_items > 0); + while (idx + num_items < end) + { + idx++; +- const hb_glyph_info_t &info = c->buffer->info[idx]; +- +- matcher_t::may_skip_t skip = matcher.may_skip (c, info); +- if (unlikely (skip == matcher_t::SKIP_YES)) +-continue; +- +- matcher_t::may_match_t match = matcher.may_match (info, match_glyph_data); +- if (match == matcher_t::MATCH_YES || +- (match == matcher_t::MATCH_MAYBE && +- skip == matcher_t::SKIP_NO)) +- { +-num_items--; +-if (match_glyph_data) match_glyph_data++; +-return true; +- } +- +- if (skip == matcher_t::SKIP_NO) ++ 
switch (match (c->buffer->info[idx])) + { +-if (unsafe_to) +- *unsafe_to = idx + 1; +-return false; ++case MATCH: ++{ ++ num_items--; ++ if (match_glyph_data) match_glyph_data++; ++ return true; ++} ++case NOT_MATCH: ++{ ++ if (unsafe_to) ++*unsafe_to = idx + 1; ++ return false; ++} ++case SKIP: ++ continue; + } + } + if (unsafe_to) +@@ -561,27 +580,22 @@ struct hb_ot_apply_context_t : + while (idx > num_items - 1) + { + idx--; +- const hb_glyph_info_t &info = c->buffer->out_info[idx]; +- +- matcher_t::may_skip_t skip = matcher.may_skip (c, info); +- if (unlikely (skip == matcher_t::SKIP_YES)) +-continue; +- +- matcher_t::may_match_t match = matcher.may_match (info, match_glyph_data); +- if (match == matcher_t::MATCH_YES || +- (match == matcher_t::MATCH_MAYBE && +- skip == matcher_t::SKIP_NO)) +- { +-num_items--; +-if (match_glyph_data) match_glyph_data++; +-return true; +- } +- +- if (skip == matcher_t::SKIP_NO) ++ switch (match (c->buffer->out_info[idx])) + { +-if (unsafe_from) +- *unsafe_from = hb_max (1u, idx) - 1u; +-return false; ++case MATCH: ++{ ++ num_items--; ++ if (match_glyph_data) match_glyph_data++; ++ return true; ++} ++case NOT_MATCH: ++{ ++ if (unsafe_from) ++*unsafe_from = hb_max (1u, idx) - 1u; ++ return false; ++} ++case SKIP: ++ continue; + } + } + if (unsafe_from) +--
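Review bot: `match_t match (hb_glyph_info_t &info)` in the first hunk takes a non-const reference although it only hands `info` to `matcher.may_skip` and `matcher.may_match`, and the `may_skip` wrapper shown just above it already takes `const hb_glyph_info_t &`; making the parameter `const` documents that the glyph is not mutated and avoids casts for const callers. The ordering is otherwise faithful to the code it replaces: `SKIP_YES` short-circuits before `may_match` is consulted, and a `SKIP_MAYBE` non-match yields `SKIP` rather than `NOT_MATCH`, so no behavioural change. Separately, `Signed-off-by: Siddharth` is missing the surname used on the other patches in this series, and `defination` in `Comment1` should be `definition`.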
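Review bot: in the `next()` and `prev()` hunks the `case SKIP: continue;` relies on `continue` applying to the enclosing `while`, not the `switch`, which is correct C++ but easy to misread; a one-line comment there would help the next backporter. The switch is exhaustive over the three-value `match_t` enum, so the missing `default:` is fine and `-Wswitch` stays clean. The `unsafe_to`/`unsafe_from` bookkeeping, including `hb_max (1u, idx) - 1u` in `prev()`, carries over unchanged from the removed lines.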
[OE-core][langdale][PATCH] epiphany: Security fix for CVE-2023-26081
From: Siddharth Doshi

Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/epiphany/-/commit/53363c3c8178bf9193dad9fa3516f4e10cff0ffd]

Signed-off-by: Siddharth Doshi
---
 meta/recipes-gnome/epiphany/epiphany_42.4.bb | 1 +
 .../epiphany/files/CVE-2023-26081.patch | 90 +++
 2 files changed, 91 insertions(+)
 create mode 100644 meta/recipes-gnome/epiphany/files/CVE-2023-26081.patch

diff --git a/meta/recipes-gnome/epiphany/epiphany_42.4.bb b/meta/recipes-gnome/epiphany/epiphany_42.4.bb
index 9efd2800da..98923a3bdc 100644
--- a/meta/recipes-gnome/epiphany/epiphany_42.4.bb
+++ b/meta/recipes-gnome/epiphany/epiphany_42.4.bb
@@ -27,6 +27,7 @@ SRC_URI = "${GNOME_MIRROR}/${GNOMEBN}/${@oe.utils.trim_version("${PV}", 1)}/${GN file://0002-help-meson.build-disable-the-use-of-yelp.patch \ file://migrator.patch \ file://distributor.patch \ + file://CVE-2023-26081.patch \ " SRC_URI[archive.sha256sum] = "370938ad2920eeb28bc2435944776b7ba55a0e2ede65836f79818cfb7e8f0860" diff --git a/meta/recipes-gnome/epiphany/files/CVE-2023-26081.patch b/meta/recipes-gnome/epiphany/files/CVE-2023-26081.patch new file mode 100644 index 00..af1e20bd8f --- /dev/null +++ b/meta/recipes-gnome/epiphany/files/CVE-2023-26081.patch
@@ -0,0 +1,90 @@ +From 53363c3c8178bf9193dad9fa3516f4e10cff0ffd Mon Sep 17 00:00:00 2001 +From: Michael Catanzaro +Date: Fri, 3 Feb 2023 13:07:15 -0600 +Subject: [PATCH] Don't autofill passwords in sandboxed contexts + +If using the sandbox CSP or iframe tag, the web content is supposed to +be not trusted by the main resource origin. Therefore, we'd better +disable the password manager entirely so the untrusted web content +cannot exfiltrate passwords. + +https://github.com/google/security-research/security/advisories/GHSA-mhhf-w9xw-pp9x + +Part-of: <https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1275> + +Upstream-Status: Backport +[https://gitlab.gnome.org/GNOME/epiphany/-/commit/53363c3c8178bf9193dad9fa3516f4e10cff0ffd] +CVE: CVE-2023-26081 +Signed-off-by: Siddharth Doshi +--- + .../resources/js/ephy.js | 26 +++ + 1 file changed, 26 insertions(+) + +diff --git a/embed/web-process-extension/resources/js/ephy.js b/embed/web-process-extension/resources/js/ephy.js +index 38b806f..44d1792 100644 +--- a/embed/web-process-extension/resources/js/ephy.js b/embed/web-process-extension/resources/js/ephy.js +@@ -352,6 +352,12 @@ Ephy.hasModifiedForms = function() + } + }; + ++Ephy.isSandboxedWebContent = function() ++{ ++// https://github.com/google/security-research/security/advisories/GHSA-mhhf-w9xw-pp9x ++return self.origin === null || self.origin === 'null'; ++}; ++ + Ephy.PasswordManager = class PasswordManager + { + constructor(pageID, frameID) +@@ -385,6 +391,11 @@ Ephy.PasswordManager = class PasswordManager + + query(origin, targetOrigin, username, usernameField, passwordField) + { ++if (Ephy.isSandboxedWebContent()) { ++Ephy.log(`Not querying passwords for origin=${origin} because web content is sandboxed`); ++return Promise.resolve(null); ++} ++ + Ephy.log(`Querying passwords for origin=${origin}, targetOrigin=${targetOrigin}, username=${username}, usernameField=${usernameField}, passwordField=${passwordField}`); + + return new Promise((resolver, reject) 
=> { +@@ -396,6 +407,11 @@ Ephy.PasswordManager = class PasswordManager + + save(origin, targetOrigin, username, password, usernameField, passwordField, isNew) + { ++if (Ephy.isSandboxedWebContent()) { ++Ephy.log(`Not saving password for origin=${origin} because web content is sandboxed`); ++return; ++} ++ + Ephy.log(`Saving password for origin=${origin}, targetOrigin=${targetOrigin}, username=${username}, usernameField=${usernameField}, passwordField=${passwordField}, isNew=${isNew}`); + + window.webkit.messageHandlers.passwordManagerSave.postMessage({ +@@ -407,6 +423,11 @@ Ephy.PasswordManager = class PasswordManager + // FIXME: Why is pageID a parameter here? + requestSave(origin, targetOrigin, username, password, usernameField, passwordField, isNew, pageID) + { ++if (Ephy.isSandboxedWebContent()) { ++Ephy.log(`Not requesting to save password for origin=${origin} because web content is sandboxed`); ++return; ++} ++ + Ephy.log(`Requesting to save password for origin=${origin}, targetOrigin=${targetOrigin}, username=${username}, usernameField=${usernameField}, passwordField=${passwordField}, isNew=${isNew}`); + + window.webkit.messageHandlers.passwordManagerRequestSave.postMessage({ +@@ -426,6 +447,11 @@ Ephy.PasswordManager = class PasswordManager + + queryUsernames(origin) + { ++if (Ephy.isSa
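Review bot: `Ephy.isSandboxedWebContent` keys off `self.origin === 'null'`, which is the serialisation of every opaque origin, not only the `sandbox` CSP directive and `<iframe sandbox>` cases the commit message names; `data:` documents and `srcdoc` frames without `allow-same-origin` will also lose autofill. That is the right fail-closed default, but the commit message should say so. The `self.origin === null` branch is purely defensive, since `origin` is specified as a string.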
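Review bot: the early returns added to `query`, `save` and `requestSave` sit before the `window.webkit.messageHandlers.*.postMessage` calls, so a sandboxed frame never reaches the UI-process password store at all, which is the property that matters here; `query` returns `Promise.resolve(null)`, keeping its return type consistent with the `new Promise(...)` on the normal path. The three copies of the same `if (Ephy.isSandboxedWebContent()) { Ephy.log(...); return ...; }` block invite drift when another PasswordManager method is added later; a small helper that wraps the gate would keep it in one place.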
[OE-core][kirkstone][PATCH] epiphany: Security fix for CVE-2023-26081
From: Siddharth Doshi

Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/epiphany/-/commit/53363c3c8178bf9193dad9fa3516f4e10cff0ffd]

Signed-off-by: Siddharth Doshi
---
 meta/recipes-gnome/epiphany/epiphany_42.4.bb | 1 +
 .../epiphany/files/CVE-2023-26081.patch | 90 +++
 2 files changed, 91 insertions(+)
 create mode 100644 meta/recipes-gnome/epiphany/files/CVE-2023-26081.patch

diff --git a/meta/recipes-gnome/epiphany/epiphany_42.4.bb b/meta/recipes-gnome/epiphany/epiphany_42.4.bb
index 9efd2800da..98923a3bdc 100644
--- a/meta/recipes-gnome/epiphany/epiphany_42.4.bb
+++ b/meta/recipes-gnome/epiphany/epiphany_42.4.bb
@@ -27,6 +27,7 @@ SRC_URI = "${GNOME_MIRROR}/${GNOMEBN}/${@oe.utils.trim_version("${PV}", 1)}/${GN file://0002-help-meson.build-disable-the-use-of-yelp.patch \ file://migrator.patch \ file://distributor.patch \ + file://CVE-2023-26081.patch \ " SRC_URI[archive.sha256sum] = "370938ad2920eeb28bc2435944776b7ba55a0e2ede65836f79818cfb7e8f0860" diff --git a/meta/recipes-gnome/epiphany/files/CVE-2023-26081.patch b/meta/recipes-gnome/epiphany/files/CVE-2023-26081.patch new file mode 100644 index 00..af1e20bd8f --- /dev/null +++ b/meta/recipes-gnome/epiphany/files/CVE-2023-26081.patch
@@ -0,0 +1,90 @@ +From 53363c3c8178bf9193dad9fa3516f4e10cff0ffd Mon Sep 17 00:00:00 2001 +From: Michael Catanzaro +Date: Fri, 3 Feb 2023 13:07:15 -0600 +Subject: [PATCH] Don't autofill passwords in sandboxed contexts + +If using the sandbox CSP or iframe tag, the web content is supposed to +be not trusted by the main resource origin. Therefore, we'd better +disable the password manager entirely so the untrusted web content +cannot exfiltrate passwords. + +https://github.com/google/security-research/security/advisories/GHSA-mhhf-w9xw-pp9x + +Part-of: <https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1275> + +Upstream-Status: Backport +[https://gitlab.gnome.org/GNOME/epiphany/-/commit/53363c3c8178bf9193dad9fa3516f4e10cff0ffd] +CVE: CVE-2023-26081 +Signed-off-by: Siddharth Doshi +--- + .../resources/js/ephy.js | 26 +++ + 1 file changed, 26 insertions(+) + +diff --git a/embed/web-process-extension/resources/js/ephy.js b/embed/web-process-extension/resources/js/ephy.js +index 38b806f..44d1792 100644 +--- a/embed/web-process-extension/resources/js/ephy.js b/embed/web-process-extension/resources/js/ephy.js +@@ -352,6 +352,12 @@ Ephy.hasModifiedForms = function() + } + }; + ++Ephy.isSandboxedWebContent = function() ++{ ++// https://github.com/google/security-research/security/advisories/GHSA-mhhf-w9xw-pp9x ++return self.origin === null || self.origin === 'null'; ++}; ++ + Ephy.PasswordManager = class PasswordManager + { + constructor(pageID, frameID) +@@ -385,6 +391,11 @@ Ephy.PasswordManager = class PasswordManager + + query(origin, targetOrigin, username, usernameField, passwordField) + { ++if (Ephy.isSandboxedWebContent()) { ++Ephy.log(`Not querying passwords for origin=${origin} because web content is sandboxed`); ++return Promise.resolve(null); ++} ++ + Ephy.log(`Querying passwords for origin=${origin}, targetOrigin=${targetOrigin}, username=${username}, usernameField=${usernameField}, passwordField=${passwordField}`); + + return new Promise((resolver, reject) 
=> { +@@ -396,6 +407,11 @@ Ephy.PasswordManager = class PasswordManager + + save(origin, targetOrigin, username, password, usernameField, passwordField, isNew) + { ++if (Ephy.isSandboxedWebContent()) { ++Ephy.log(`Not saving password for origin=${origin} because web content is sandboxed`); ++return; ++} ++ + Ephy.log(`Saving password for origin=${origin}, targetOrigin=${targetOrigin}, username=${username}, usernameField=${usernameField}, passwordField=${passwordField}, isNew=${isNew}`); + + window.webkit.messageHandlers.passwordManagerSave.postMessage({ +@@ -407,6 +423,11 @@ Ephy.PasswordManager = class PasswordManager + // FIXME: Why is pageID a parameter here? + requestSave(origin, targetOrigin, username, password, usernameField, passwordField, isNew, pageID) + { ++if (Ephy.isSandboxedWebContent()) { ++Ephy.log(`Not requesting to save password for origin=${origin} because web content is sandboxed`); ++return; ++} ++ + Ephy.log(`Requesting to save password for origin=${origin}, targetOrigin=${targetOrigin}, username=${username}, usernameField=${usernameField}, passwordField=${passwordField}, isNew=${isNew}`); + + window.webkit.messageHandlers.passwordManagerRequestSave.postMessage({ +@@ -426,6 +447,11 @@ Ephy.PasswordManager = class PasswordManager + + queryUsernames(origin) + { ++if (Ephy.isSa
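Review bot: the recipe change and `CVE-2023-26081.patch` in this kirkstone submission are byte-identical to the langdale one above (same `epiphany_42.4.bb`, same `SRC_URI[archive.sha256sum]`, same blob `index 00..af1e20bd8f`), so no separate review is needed beyond confirming, as the hunk context shows, that kirkstone's recipe carries the same `SRC_URI` block for the `+ file://CVE-2023-26081.patch \` line to apply against.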