[OE-core] add meta-security to Extensible SDK

2018-05-18 Thread Sona Sarmadi
Hi,
Does anyone know how I can add the meta-security layer 
(https://git.yoctoproject.org/cgit/cgit.cgi/meta-security/) to my Extensible 
SDK using devtool and build e.g. nmap?

Thanks
//Sona

-- 
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core


[OE-core] [PATCH][morty] connman: Fix for CVE-2017-12865

2017-08-30 Thread Sona Sarmadi
dnsproxy: Fix crash on malformed DNS response
If the response query string is malformed, we might access memory
past the end of the "name" variable in parse_response().

[YOCTO #11959]

(From OE-Core rev: fb3e30e45eea2042fdb0b667cbc2c79ae3f5a1a9)

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
Signed-off-by: Richard Purdie <richard.pur...@linuxfoundation.org>
Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>

Conflicts:
meta/recipes-connectivity/connman/connman_1.33.bb
---
 .../connman/connman/CVE-2017-12865.patch   | 87 ++
 meta/recipes-connectivity/connman/connman_1.33.bb  |  1 +
 2 files changed, 88 insertions(+)
 create mode 100644 
meta/recipes-connectivity/connman/connman/CVE-2017-12865.patch

diff --git a/meta/recipes-connectivity/connman/connman/CVE-2017-12865.patch 
b/meta/recipes-connectivity/connman/connman/CVE-2017-12865.patch
new file mode 100644
index 000..45f78f1
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2017-12865.patch
@@ -0,0 +1,87 @@
+From 5c281d182ecdd0a424b64f7698f32467f8f67b71 Mon Sep 17 00:00:00 2001
+From: Jukka Rissanen <jukka.rissa...@linux.intel.com>
+Date: Wed, 9 Aug 2017 10:16:46 +0300
+Subject: dnsproxy: Fix crash on malformed DNS response
+
+If the response query string is malformed, we might access memory
+pass the end of "name" variable in parse_response().
+
+CVE: CVE-2017-12865
+Upstream-Status: Backport 
[https://git.kernel.org/pub/scm/network/connman/connman.git/patch/?id=5c281d182ecdd0a424b64f7698f32467f8f67b71]
+
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+---
+ src/dnsproxy.c | 16 ++--
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/src/dnsproxy.c b/src/dnsproxy.c
+index 38ac5bf..40b4f15 100644
+--- a/src/dnsproxy.c
 b/src/dnsproxy.c
+@@ -838,7 +838,7 @@ static struct cache_entry *cache_check(gpointer request, 
int *qtype, int proto)
+ static int get_name(int counter,
+   unsigned char *pkt, unsigned char *start, unsigned char *max,
+   unsigned char *output, int output_max, int *output_len,
+-  unsigned char **end, char *name, int *name_len)
++  unsigned char **end, char *name, size_t max_name, int *name_len)
+ {
+   unsigned char *p;
+ 
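Review bot: max_name is introduced as size_t while name_len stays int *, and the two are added and compared in the new bound further down; the arithmetic is promoted to unsigned, so it is safe only while *name_len never goes negative, and using one type for both (size_t, or int for max_name) would make that obvious. Since the callers pass sizeof(name) - 1, also document at the prototype whether max_name includes the terminating NUL.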
+@@ -859,7 +859,7 @@ static int get_name(int counter,
+ 
+   return get_name(counter + 1, pkt, pkt + offset, max,
+   output, output_max, output_len, end,
+-  name, name_len);
++  name, max_name, name_len);
+   } else {
+   unsigned label_len = *p;
+ 
+@@ -869,6 +869,9 @@ static int get_name(int counter,
+   if (*output_len > output_max)
+   return -ENOBUFS;
+ 
++  if ((*name_len + 1 + label_len + 1) > max_name)
++  return -ENOBUFS;
++
+   /*
+* We need the original name in order to check
+* if this answer is the correct one.
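Review bot: the +1 +1 in `if ((*name_len + 1 + label_len + 1) > max_name)` evidently reserve a separator and a terminator, but nothing says so; a one-line comment would help the next reader. Note that label_len is taken straight from the packet (`unsigned label_len = *p;`), so this check bounds the accumulated buffer only and does not enforce the 63-byte DNS label limit, which is fine for the crash fix but worth stating. Returning -ENOBUFS for an over-long name is the right outcome.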
+@@ -900,14 +903,14 @@ static int parse_rr(unsigned char *buf, unsigned char 
*start,
+   unsigned char *response, unsigned int *response_size,
+   uint16_t *type, uint16_t *class, int *ttl, int *rdlen,
+   unsigned char **end,
+-  char *name)
++  char *name, size_t max_name)
+ {
+   struct domain_rr *rr;
+   int err, offset;
+   int name_len = 0, output_len = 0, max_rsp = *response_size;
+ 
+   err = get_name(0, buf, start, max, response, max_rsp,
+-  _len, end, name, _len);
++  _len, end, name, max_name, _len);
+   if (err < 0)
+   return err;
+ 
+@@ -1033,7 +1036,8 @@ static int parse_response(unsigned char *buf, int buflen,
+   memset(rsp, 0, sizeof(rsp));
+ 
+   ret = parse_rr(buf, ptr, buf + buflen, rsp, _len,
+-  type, class, ttl, , , name);
++  type, class, ttl, , , name,
++  sizeof(name) - 1);
+   if (ret != 0) {
+   err = ret;
+   goto out;
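Review bot: parse_response passes sizeof(name) - 1 and get_name's check additionally reserves a byte for the terminator, so the NUL is accounted for twice; harmless (one byte of slack) but worth a comment, or pass sizeof(name) and let get_name own the terminator. Note the error path here is err = ret; goto out, so an over-long name now fails the whole response instead of reading past name, which is the intended hardening.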
+@@ -1099,7 +1103,7 @@ static int parse_response(unsigned char *buf, int buflen,
+*/
+   ret = get_name(0, buf, next - rdlen, buf + buflen,
+   rsp, rsp_len, _len, ,
+-  name, _len);
++  name, sizeof(name) - 1, _len);
+   if (ret != 0) {
+   /* just ignore the error at this point */
+   ptr = next;
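Review bot: this second get_name call keeps the "just ignore the error at this point" path (ptr = next), so -ENOBUFS from the new check is swallowed here while the first call site aborts the parse; the asymmetry is inherited, but the commit message should say that an oversized name in this section is skipped rather than rejected.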
+-- 
+cgit v1.1
+
diff --git a/meta/recipes-connectivity/connman/connman_1.33.bb 
b/meta/recipes-connect
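As an added example, not connman's code: a minimal DNS name decoder in the same shape as dnsproxy.c's get_name(), carrying the CVE-2017-12865 length check, run over a constructed response name with a compression pointer, over an over-long name, and over a self-referencing pointer. The packet bytes, the decode_name/decode_sample/decode_long_name/decode_pointer_loop helpers and the MAX_PTR_HOPS loop guard are assumptions of this example, not taken from connman.

```c
/* Added example (not connman's code): a bounded DNS name decoder.
 * Labels are appended as "label." into name[]; a compression pointer
 * (top two bits 11) restarts decoding at the 14-bit offset it carries.
 * The packet bytes below are constructed for this example. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MAX_PTR_HOPS 10   /* hypothetical loop guard, like get_name's counter */

/* Decode the name at pkt[start] into name[] (caller provides max_name + 1 bytes).
 * Returns 0 or -errno. *end receives the packet offset just after the name
 * as the caller's cursor would see it (after the first pointer, if any). */
static int decode_name(const unsigned char *pkt, size_t pktlen, size_t start,
                       char *name, size_t max_name, size_t *name_len,
                       size_t *end)
{
    size_t p = start;
    int hops = 0, jumped = 0;

    *name_len = 0;
    name[0] = '\0';

    for (;;) {
        if (p >= pktlen)
            return -EINVAL;                 /* ran off the packet */
        unsigned len = pkt[p];

        if ((len & 0xC0) == 0xC0) {         /* compression pointer */
            if (p + 1 >= pktlen)
                return -EINVAL;
            if (++hops > MAX_PTR_HOPS)
                return -ELOOP;              /* pointer loop */
            if (!jumped) {
                *end = p + 2;
                jumped = 1;
            }
            p = ((len & 0x3F) << 8) | pkt[p + 1];
            continue;
        }
        if (len & 0xC0)
            return -EINVAL;                 /* 01/10 prefixes are reserved */
        if (len == 0) {                     /* root label: done */
            if (!jumped)
                *end = p + 1;
            return 0;
        }
        if (p + 1 + len > pktlen)
            return -EINVAL;                 /* label runs past the packet */
        /* The CVE-2017-12865 bound: label, separator and NUL must fit. */
        if (*name_len + 1 + len + 1 > max_name)
            return -ENOBUFS;
        memcpy(name + *name_len, pkt + p + 1, len);
        *name_len += len;
        name[(*name_len)++] = '.';
        name[*name_len] = '\0';
        p += 1 + len;
    }
}

/* Constructed response: 12-byte header, then at offset 12 "www" followed by a
 * pointer to offset 18, where "example" "com" and the root label live. */
static const unsigned char sample[] = {
    0x12, 0x34, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0,
    3, 'w', 'w', 'w', 0xC0, 18,
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
};

int decode_sample(char *out, size_t max_name, size_t *len, size_t *end)
{
    return decode_name(sample, sizeof sample, 12, out, max_name, len, end);
}

/* Build a name of `labels` labels of `lablen` bytes each and decode it into a
 * buffer limited to max_name; returns the decoder's status. */
int decode_long_name(unsigned labels, unsigned lablen, size_t max_name)
{
    unsigned char pkt[512];
    char name[512];
    size_t n = 0, len, end;

    for (unsigned i = 0; i < labels; i++) {
        pkt[n++] = (unsigned char)lablen;
        memset(pkt + n, 'a', lablen);
        n += lablen;
    }
    pkt[n++] = 0;
    return decode_name(pkt, n, 0, name, max_name, &len, &end);
}

/* A pointer that points at itself: must stop with -ELOOP, not spin. */
int decode_pointer_loop(void)
{
    static const unsigned char loop[] = { 0xC0, 0x00 };
    char name[32];
    size_t len, end;
    return decode_name(loop, sizeof loop, 0, name, sizeof name - 1, &len, &end);
}

int main(void)
{
    char name[64];
    size_t len, end;
    int rc = decode_sample(name, sizeof name - 1, &len, &end);
    printf("rc=%d name=%s len=%zu end=%zu\n", rc, name, len, end);
    printf("two 40-byte labels into 64 bytes: rc=%d (ENOBUFS=%d)\n",
           decode_long_name(2, 40, 64), -ENOBUFS);
    printf("self-pointer: rc=%d (ELOOP=%d)\n", decode_pointer_loop(), -ELOOP);
    return 0;
}
```

Without the bound, the second 40-byte label would be copied past a 64-byte name buffer exactly as the commit message describes; with it, the response is rejected with -ENOBUFS and the caller decides whether to abort or skip.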

[OE-core] [PATCH][pyro] connman: Fix for CVE-2017-12865

2017-08-30 Thread Sona Sarmadi
dnsproxy: Fix crash on malformed DNS response
If the response query string is malformed, we might access memory
past the end of the "name" variable in parse_response().

[YOCTO #11959]

(From OE-Core rev: fb3e30e45eea2042fdb0b667cbc2c79ae3f5a1a9)

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
Signed-off-by: Richard Purdie <richard.pur...@linuxfoundation.org>
Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>

Conflicts:
meta/recipes-connectivity/connman/connman_1.33.bb
---
 .../connman/connman/CVE-2017-12865.patch   | 87 ++
 meta/recipes-connectivity/connman/connman_1.33.bb  |  1 +
 2 files changed, 88 insertions(+)
 create mode 100644 
meta/recipes-connectivity/connman/connman/CVE-2017-12865.patch

diff --git a/meta/recipes-connectivity/connman/connman/CVE-2017-12865.patch 
b/meta/recipes-connectivity/connman/connman/CVE-2017-12865.patch
new file mode 100644
index 000..45f78f1
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2017-12865.patch
@@ -0,0 +1,87 @@
+From 5c281d182ecdd0a424b64f7698f32467f8f67b71 Mon Sep 17 00:00:00 2001
+From: Jukka Rissanen <jukka.rissa...@linux.intel.com>
+Date: Wed, 9 Aug 2017 10:16:46 +0300
+Subject: dnsproxy: Fix crash on malformed DNS response
+
+If the response query string is malformed, we might access memory
+pass the end of "name" variable in parse_response().
+
+CVE: CVE-2017-12865
+Upstream-Status: Backport 
[https://git.kernel.org/pub/scm/network/connman/connman.git/patch/?id=5c281d182ecdd0a424b64f7698f32467f8f67b71]
+
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+---
+ src/dnsproxy.c | 16 ++--
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/src/dnsproxy.c b/src/dnsproxy.c
+index 38ac5bf..40b4f15 100644
+--- a/src/dnsproxy.c
 b/src/dnsproxy.c
+@@ -838,7 +838,7 @@ static struct cache_entry *cache_check(gpointer request, 
int *qtype, int proto)
+ static int get_name(int counter,
+   unsigned char *pkt, unsigned char *start, unsigned char *max,
+   unsigned char *output, int output_max, int *output_len,
+-  unsigned char **end, char *name, int *name_len)
++  unsigned char **end, char *name, size_t max_name, int *name_len)
+ {
+   unsigned char *p;
+ 
+@@ -859,7 +859,7 @@ static int get_name(int counter,
+ 
+   return get_name(counter + 1, pkt, pkt + offset, max,
+   output, output_max, output_len, end,
+-  name, name_len);
++  name, max_name, name_len);
+   } else {
+   unsigned label_len = *p;
+ 
+@@ -869,6 +869,9 @@ static int get_name(int counter,
+   if (*output_len > output_max)
+   return -ENOBUFS;
+ 
++  if ((*name_len + 1 + label_len + 1) > max_name)
++  return -ENOBUFS;
++
+   /*
+* We need the original name in order to check
+* if this answer is the correct one.
+@@ -900,14 +903,14 @@ static int parse_rr(unsigned char *buf, unsigned char 
*start,
+   unsigned char *response, unsigned int *response_size,
+   uint16_t *type, uint16_t *class, int *ttl, int *rdlen,
+   unsigned char **end,
+-  char *name)
++  char *name, size_t max_name)
+ {
+   struct domain_rr *rr;
+   int err, offset;
+   int name_len = 0, output_len = 0, max_rsp = *response_size;
+ 
+   err = get_name(0, buf, start, max, response, max_rsp,
+-  _len, end, name, _len);
++  _len, end, name, max_name, _len);
+   if (err < 0)
+   return err;
+ 
+@@ -1033,7 +1036,8 @@ static int parse_response(unsigned char *buf, int buflen,
+   memset(rsp, 0, sizeof(rsp));
+ 
+   ret = parse_rr(buf, ptr, buf + buflen, rsp, _len,
+-  type, class, ttl, , , name);
++  type, class, ttl, , , name,
++  sizeof(name) - 1);
+   if (ret != 0) {
+   err = ret;
+   goto out;
+@@ -1099,7 +1103,7 @@ static int parse_response(unsigned char *buf, int buflen,
+*/
+   ret = get_name(0, buf, next - rdlen, buf + buflen,
+   rsp, rsp_len, _len, ,
+-  name, _len);
++  name, sizeof(name) - 1, _len);
+   if (ret != 0) {
+   /* just ignore the error at this point */
+   ptr = next;
+-- 
+cgit v1.1
+
diff --git a/meta/recipes-connectivity/connman/connman_1.33.bb 
b/meta/recipes-connect

[OE-core] [PATCH] connman: Fix for CVE-2017-12865

2017-08-21 Thread Sona Sarmadi
dnsproxy: Fix crash on malformed DNS response
If the response query string is malformed, we might access memory
past the end of the "name" variable in parse_response().

[YOCTO #11959]

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 .../connman/connman/CVE-2017-12865.patch   | 87 ++
 meta/recipes-connectivity/connman/connman_1.34.bb  |  1 +
 2 files changed, 88 insertions(+)
 create mode 100644 
meta/recipes-connectivity/connman/connman/CVE-2017-12865.patch

diff --git a/meta/recipes-connectivity/connman/connman/CVE-2017-12865.patch 
b/meta/recipes-connectivity/connman/connman/CVE-2017-12865.patch
new file mode 100644
index 000..45f78f1
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2017-12865.patch
@@ -0,0 +1,87 @@
+From 5c281d182ecdd0a424b64f7698f32467f8f67b71 Mon Sep 17 00:00:00 2001
+From: Jukka Rissanen <jukka.rissa...@linux.intel.com>
+Date: Wed, 9 Aug 2017 10:16:46 +0300
+Subject: dnsproxy: Fix crash on malformed DNS response
+
+If the response query string is malformed, we might access memory
+pass the end of "name" variable in parse_response().
+
+CVE: CVE-2017-12865
+Upstream-Status: Backport 
[https://git.kernel.org/pub/scm/network/connman/connman.git/patch/?id=5c281d182ecdd0a424b64f7698f32467f8f67b71]
+
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+---
+ src/dnsproxy.c | 16 ++--
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/src/dnsproxy.c b/src/dnsproxy.c
+index 38ac5bf..40b4f15 100644
+--- a/src/dnsproxy.c
 b/src/dnsproxy.c
+@@ -838,7 +838,7 @@ static struct cache_entry *cache_check(gpointer request, 
int *qtype, int proto)
+ static int get_name(int counter,
+   unsigned char *pkt, unsigned char *start, unsigned char *max,
+   unsigned char *output, int output_max, int *output_len,
+-  unsigned char **end, char *name, int *name_len)
++  unsigned char **end, char *name, size_t max_name, int *name_len)
+ {
+   unsigned char *p;
+ 
+@@ -859,7 +859,7 @@ static int get_name(int counter,
+ 
+   return get_name(counter + 1, pkt, pkt + offset, max,
+   output, output_max, output_len, end,
+-  name, name_len);
++  name, max_name, name_len);
+   } else {
+   unsigned label_len = *p;
+ 
+@@ -869,6 +869,9 @@ static int get_name(int counter,
+   if (*output_len > output_max)
+   return -ENOBUFS;
+ 
++  if ((*name_len + 1 + label_len + 1) > max_name)
++  return -ENOBUFS;
++
+   /*
+* We need the original name in order to check
+* if this answer is the correct one.
+@@ -900,14 +903,14 @@ static int parse_rr(unsigned char *buf, unsigned char 
*start,
+   unsigned char *response, unsigned int *response_size,
+   uint16_t *type, uint16_t *class, int *ttl, int *rdlen,
+   unsigned char **end,
+-  char *name)
++  char *name, size_t max_name)
+ {
+   struct domain_rr *rr;
+   int err, offset;
+   int name_len = 0, output_len = 0, max_rsp = *response_size;
+ 
+   err = get_name(0, buf, start, max, response, max_rsp,
+-  _len, end, name, _len);
++  _len, end, name, max_name, _len);
+   if (err < 0)
+   return err;
+ 
+@@ -1033,7 +1036,8 @@ static int parse_response(unsigned char *buf, int buflen,
+   memset(rsp, 0, sizeof(rsp));
+ 
+   ret = parse_rr(buf, ptr, buf + buflen, rsp, _len,
+-  type, class, ttl, , , name);
++  type, class, ttl, , , name,
++  sizeof(name) - 1);
+   if (ret != 0) {
+   err = ret;
+   goto out;
+@@ -1099,7 +1103,7 @@ static int parse_response(unsigned char *buf, int buflen,
+*/
+   ret = get_name(0, buf, next - rdlen, buf + buflen,
+   rsp, rsp_len, _len, ,
+-  name, _len);
++  name, sizeof(name) - 1, _len);
+   if (ret != 0) {
+   /* just ignore the error at this point */
+   ptr = next;
+-- 
+cgit v1.1
+
diff --git a/meta/recipes-connectivity/connman/connman_1.34.bb 
b/meta/recipes-connectivity/connman/connman_1.34.bb
index 868f940..dc2c688 100644
--- a/meta/recipes-connectivity/connman/connman_1.34.bb
+++ b/meta/recipes-connectivity/connman/connman_1.34.bb
@@ -7,6 +7,7 @@ SRC_URI  = 
"${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \

Re: [OE-core] OE-Core/Yocto Project's first CVE (CVE-2017-9731)

2017-06-27 Thread Sona Sarmadi
Hi all,

Sorry that the fix/workaround for this vulnerability was not discussed 
publicly. 
This vulnerability was reported by a user privately/encrypted. The Yocto Security 
team (Sona, Michael Halstead and Richard) handled this off-list. We decided to 
provide a quick fix/workaround before making this vulnerability public and then 
change/improve it later if necessary. 
 
> I suspect this has been missed by some people so I want to spell it out. We
> have our first CVE in OE-Core itself.

We have received a CVE from Mitre for this vulnerability, but they have changed 
our description of the vulnerability for some unknown reason :) We have requested an
update/correction (see below) but they haven't changed the description yet: 
 

From: CVE Request [mailto:cve-requ...@mitre.org] 
Sent: Monday, June 19, 2017 12:09 PM
To: Sona Sarmadi <sona.sarm...@enea.com>
Subject: CVE Request 349461 for Update Published CVE 

Thank you for your submission. It will be reviewed by a CVE Assignment Team 
member.
 
You have requested an update to the following published CVE:  CVE-2017-9731
 
 
Changes, additions, or updates to your request can be sent to the CVE Team by 
replying directly to this email.
 
Please do not change the subject line, which allows us to effectively track 
your request.
 
CVE Assignment Team 
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA 
[A PGP key is available for encrypted communications at 
http://cve.mitre.org/cve/request_id.html]

Thanks all for your help with this vulnerability.
//Sona



[OE-core] [PATCH] Qemu: update to 2.8.1.1

2017-05-16 Thread Sona Sarmadi
Fixed CVE:

 - CVE-2017-2620 (Severity = High)
display: cirrus: potential arbitrary code execution via cirrus_bitblt_cputovideo

Reference
https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg04700.html

Removed patches (already in upstream):

- target-ppc-fix-user-mode.patch

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 meta/recipes-devtools/qemu/{qemu_2.8.0.bb => qemu_2.8.1.1.bb} | 7 ++-
 1 file changed, 2 insertions(+), 5 deletions(-)
 rename meta/recipes-devtools/qemu/{qemu_2.8.0.bb => qemu_2.8.1.1.bb} (87%)

diff --git a/meta/recipes-devtools/qemu/qemu_2.8.0.bb 
b/meta/recipes-devtools/qemu/qemu_2.8.1.1.bb
similarity index 87%
rename from meta/recipes-devtools/qemu/qemu_2.8.0.bb
rename to meta/recipes-devtools/qemu/qemu_2.8.1.1.bb
index 19d7e8f..1d5bcf9 100644
--- a/meta/recipes-devtools/qemu/qemu_2.8.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.8.1.1.bb
@@ -19,7 +19,6 @@ SRC_URI += " \
 file://no-valgrind.patch \
 file://pathlimit.patch \
 file://qemu-2.5.0-cflags.patch \
-file://target-ppc-fix-user-mode.patch \
 file://glibc-2.25.patch \
 "
 
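Review bot: target-ppc-fix-user-mode.patch is dropped from SRC_URI, but the diffstat shows only the recipe rename (1 file changed), so the patch file itself stays behind in meta/recipes-devtools/qemu/qemu/; delete it in the same commit so the tree does not carry an orphaned patch.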
@@ -28,8 +27,6 @@ SRC_URI += " \
 
file://0002-Introduce-condition-to-notify-waiters-of-completed-c.patch \
 
file://0003-Introduce-condition-in-TPM-backend-for-notification.patch \
 file://0004-Add-support-for-VM-suspend-resume-for-TPM-TIS.patch \
-file://CVE-2016-9908.patch \
-file://CVE-2016-9912.patch \
 "
 
 SRC_URI_append_class-native = " \
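Review bot: CVE-2016-9908.patch and CVE-2016-9912.patch are removed from SRC_URI without being mentioned in the commit message, which lists only target-ppc-fix-user-mode.patch under "Removed patches (already in upstream)"; add both, confirm they are in 2.8.1.1, and delete the two files as well.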
@@ -39,8 +36,8 @@ SRC_URI_append_class-native = " \
 
 SRC_URI =+ "http://wiki.qemu-project.org/download/${BP}.tar.bz2;
 
-SRC_URI[md5sum] = "17940dce063b6ce450a12e719a6c9c43"
-SRC_URI[sha256sum] = 
"dafd5d7f649907b6b617b822692f4c82e60cf29bc0fc58bc2036219b591e5e62"
+SRC_URI[md5sum] = "a6a23a0c59fd0f8ec564b0fb89a79954"
+SRC_URI[sha256sum] = 
"f62ab18a1fb9ff5b4c81ed44becc945b11581eff777618141bdb787da55d3638"
 
 COMPATIBLE_HOST_mipsarchn32 = "null"
 COMPATIBLE_HOST_mipsarchn64 = "null"
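Review bot: new md5sum/sha256sum values are given with no indication of where they came from; for a supply-chain-sensitive recipe like qemu, say in the commit message that the sha256sum was checked against the upstream release announcement or signature rather than computed from a downloaded tarball alone.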
-- 
1.9.1



[OE-core] Use-SHA256-not-MD5-as-default-digest.patch file is not added to the openssl_1.0.2k.bb

2017-03-14 Thread Sona Sarmadi
Hi guys,

Does anyone know why "Use-SHA256-not-MD5-as-default-digest.patch" is in the 
openssl directory but has not been added to the openssl recipes (in both the 
master and morty branches)?

http://git.yoctoproject.org/cgit/cgit.cgi/poky/tree/meta/recipes-connectivity/openssl/openssl
Use-SHA256-not-MD5-as-default-digest.patch

But this file is not added to the recipes:
http://git.yoctoproject.org/cgit/cgit.cgi/poky/tree/meta/recipes-connectivity/openssl/openssl_1.0.2k.bb

http://git.yoctoproject.org/cgit/cgit.cgi/poky/tree/meta/recipes-connectivity/openssl/openssl_1.0.2j.bb?h=morty

Thanks
//Sona





[OE-core] [PATCH 2/2] Qemu: display: CVE-2016-9912

2017-03-03 Thread Sona Sarmadi
virtio-gpu: memory leakage when destroying gpu resource

Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9912

Reference to upstream patch:
http://git.qemu-project.org/?p=qemu.git;a=patch;h=b8e23926c568f2e963af39028b71c472e3023793

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 .../recipes-devtools/qemu/qemu/CVE-2016-9912.patch | 45 ++
 meta/recipes-devtools/qemu/qemu_2.8.0.bb   |  1 +
 2 files changed, 46 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2016-9912.patch

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-9912.patch 
b/meta/recipes-devtools/qemu/qemu/CVE-2016-9912.patch
new file mode 100644
index 000..c009ffd
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-9912.patch
@@ -0,0 +1,45 @@
+From b8e23926c568f2e963af39028b71c472e3023793 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq...@gmail.com>
+Date: Mon, 28 Nov 2016 21:29:25 -0500
+Subject: [PATCH] virtio-gpu: call cleanup mapping function in resource destroy
+
+If the guest destroy the resource before detach banking, the 'iov'
+and 'addrs' field in resource is not freed thus leading memory
+leak issue. This patch avoid this.
+
+CVE: CVE-2016-9912
+Upstream-Status: Backport
+
+Signed-off-by: Li Qiang <liq...@gmail.com>
+Reviewed-by: Marc-André Lureau <marcandre.lur...@redhat.com>
+Message-id: 1480386565-10077-1-git-send-email-liq...@gmail.com
+Signed-off-by: Gerd Hoffmann <kra...@redhat.com>
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+---
+ hw/display/virtio-gpu.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
+index ed2b6d3..6a26258 100644
+--- a/hw/display/virtio-gpu.c
 b/hw/display/virtio-gpu.c
+@@ -28,6 +28,8 @@
+ static struct virtio_gpu_simple_resource*
+ virtio_gpu_find_resource(VirtIOGPU *g, uint32_t resource_id);
+ 
++static void virtio_gpu_cleanup_mapping(struct virtio_gpu_simple_resource 
*res);
++
+ #ifdef CONFIG_VIRGL
+ #include 
+ #define VIRGL(_g, _virgl, _simple, ...) \
+@@ -364,6 +366,7 @@ static void virtio_gpu_resource_destroy(VirtIOGPU *g,
+ struct virtio_gpu_simple_resource 
*res)
+ {
+ pixman_image_unref(res->image);
++virtio_gpu_cleanup_mapping(res);
+ QTAILQ_REMOVE(>reslist, res, next);
+ g->hostmem -= res->hostmem;
+ g_free(res);
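Review bot: virtio_gpu_cleanup_mapping(res) runs before QTAILQ_REMOVE and g_free, which is the right order, but destroy can now reach a resource whose mapping was never attached; check in this 2.8.0 tree that virtio_gpu_cleanup_mapping tolerates empty iov/addrs (its body is not in the diff). The commit id in the patch header matches the upstream reference in the commit message, which is good.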
+-- 
+1.9.1
+
diff --git a/meta/recipes-devtools/qemu/qemu_2.8.0.bb 
b/meta/recipes-devtools/qemu/qemu_2.8.0.bb
index 75928c6..d0f9fab 100644
--- a/meta/recipes-devtools/qemu/qemu_2.8.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.8.0.bb
@@ -18,6 +18,7 @@ SRC_URI += " \
 
file://0003-Introduce-condition-in-TPM-backend-for-notification.patch \
 file://0004-Add-support-for-VM-suspend-resume-for-TPM-TIS.patch \
 file://CVE-2016-9908.patch \
+file://CVE-2016-9912.patch \
 "
 
 SRC_URI =+ "http://wiki.qemu-project.org/download/${BP}.tar.bz2;
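Review bot: the context line `file://CVE-2016-9908.patch \` means this 2/2 only applies on top of 1/2; that is fine for a series but should be stated in the cover letter, or the two should be squashed if they are meant to go to a stable branch together.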
-- 
2.7.4



[OE-core] [PATCH 1/2] Qemu: display: CVE-2016-9908

2017-03-03 Thread Sona Sarmadi
virtio-gpu: information leakage in virgl_cmd_get_capset

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9908

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 .../recipes-devtools/qemu/qemu/CVE-2016-9908.patch | 44 ++
 meta/recipes-devtools/qemu/qemu_2.8.0.bb   |  1 +
 2 files changed, 45 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2016-9908.patch

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-9908.patch 
b/meta/recipes-devtools/qemu/qemu/CVE-2016-9908.patch
new file mode 100644
index 000..e0f7a1a
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-9908.patch
@@ -0,0 +1,44 @@
+From 7139ccbc907441337b4b59cde2c5b5a54cb5b2cc Mon Sep 17 00:00:00 2001
+From: Sona Sarmadi <sona.sarm...@enea.com>
+
+virtio-gpu: fix information leak in capset get dispatch
+
+In virgl_cmd_get_capset function, it uses g_malloc to allocate
+a response struct to the guest. As the 'resp'struct hasn't been full
+initialized it will lead the 'resp->padding' field to the guest.
+Use g_malloc0 to avoid this.
+
+Signed-off-by: Li Qiang <liqiang...@360.cn>
+Reviewed-by: Marc-André Lureau <marcandre.lur...@redhat.com>
+Message-id: 58188cae.4a6ec20a.3d2d1.a...@mx.google.com
+
+[Sona: backported from master to v2.8.0 and resolved conflict]
+
+Reference to upstream patch:
+http://git.qemu-project.org/?p=qemu.git;a=commit;h=85d9d044471f93c48c5c396f7e217b4ef12f69f8
+
+CVE: CVE-2016-9908
+Upstream-Status: Backport
+
+Signed-off-by: Gerd Hoffmann <kra...@redhat.com>
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+---
+ hw/display/virtio-gpu-3d.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
+index 23f39de..d98b140 100644
+--- a/hw/display/virtio-gpu-3d.c
 b/hw/display/virtio-gpu-3d.c
+@@ -371,7 +371,7 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
+ 
+ virgl_renderer_get_cap_set(gc.capset_id, _ver,
+_size);
+-resp = g_malloc(sizeof(*resp) + max_size);
++resp = g_malloc0(sizeof(*resp) + max_size);
+ 
+ resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
+ virgl_renderer_fill_caps(gc.capset_id,
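Review bot: the From: line of this backport names the backporter and the upstream Date: is gone, so git history will credit the wrong author; keep upstream's From:/Date: (Li Qiang, as the Signed-off-by shows) and put the backport note and your Signed-off-by below them. On the change itself, g_malloc0 zeroes the whole sizeof(*resp) + max_size block, so it also covers any capset bytes virgl_renderer_fill_caps does not write, not only resp->padding; a one-line comment at the allocation would stop someone switching it back to g_malloc.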
+-- 
+1.9.1
+
diff --git a/meta/recipes-devtools/qemu/qemu_2.8.0.bb 
b/meta/recipes-devtools/qemu/qemu_2.8.0.bb
index ce475e0..75928c6 100644
--- a/meta/recipes-devtools/qemu/qemu_2.8.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.8.0.bb
@@ -17,6 +17,7 @@ SRC_URI += " \
 
file://0002-Introduce-condition-to-notify-waiters-of-completed-c.patch \
 
file://0003-Introduce-condition-in-TPM-backend-for-notification.patch \
 file://0004-Add-support-for-VM-suspend-resume-for-TPM-TIS.patch \
+file://CVE-2016-9908.patch \
 "
 
 SRC_URI =+ "http://wiki.qemu-project.org/download/${BP}.tar.bz2;
-- 
2.7.4



[OE-core] [PATCHv2] tar: CVE-2016-6321

2017-02-24 Thread Sona Sarmadi
Skip members whose names contain "..".

Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6321

Upstream patch:
http://git.savannah.gnu.org/cgit/tar.git/commit/?id=7340f67b9860ea0531c1450e5aa261c50f671

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 meta/recipes-extended/tar/tar/CVE-2016-6321.patch | 66 +++
 meta/recipes-extended/tar/tar_1.29.bb |  1 +
 2 files changed, 67 insertions(+)
 create mode 100644 meta/recipes-extended/tar/tar/CVE-2016-6321.patch

diff --git a/meta/recipes-extended/tar/tar/CVE-2016-6321.patch 
b/meta/recipes-extended/tar/tar/CVE-2016-6321.patch
new file mode 100644
index 000..6d35bcc
--- /dev/null
+++ b/meta/recipes-extended/tar/tar/CVE-2016-6321.patch
@@ -0,0 +1,66 @@
+From 7340f67b9860ea0531c1450e5aa261c50f67165d Mon Sep 17 00:00:00 2001
+From: Paul Eggert <egg...@penguin.cs.ucla.edu>
+Date: Sat, 29 Oct 2016 21:04:40 -0700
+Subject: [PATCH] When extracting, skip ".." members
+
+* NEWS: Document this.
+* src/extract.c (extract_archive): Skip members whose names
+contain "..".
+
+CVE: CVE-2016-6321
+Upstream-Status: Backport
+
+Cherry picked from commit: 7340f67 When extracting, skip ".." members
+
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+---
+ NEWS  | 8 +++-
+ src/extract.c | 8 
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/NEWS b/NEWS
+index 501164a..fc97cfc 100644
+--- a/NEWS
 b/NEWS
+@@ -1,6 +1,12 @@
+-GNU tar NEWS - User visible changes. 2016-05-16
++GNU tar NEWS - User visible changes. 2016-10-29
+ Please send GNU tar bug reports to <bug-...@gnu.org>
+ 
++* Member names containing '..' components are now skipped when extracting.
++
++This fixes tar's behavior to match its documentation, and is a bit
++safer when extracting untrusted archives over old files (an unsafe
++practice that the tar manual has long recommended against).
++
+ 
+ version 1.29 - Sergey Poznyakoff, 2016-05-16
+ 
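Review bot: the NEWS hunk is pure documentation and is the part most likely to conflict on the next tar upgrade; for a backport it can be dropped, keeping only src/extract.c, since the CVE: tag in the header already records what the patch is for.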
+diff --git a/src/extract.c b/src/extract.c
+index f982433..7904148 100644
+--- a/src/extract.c
 b/src/extract.c
+@@ -1629,12 +1629,20 @@ extract_archive (void)
+ {
+   char typeflag;
+   tar_extractor_t fun;
++  bool skip_dotdot_name;
+ 
+   fatal_exit_hook = extract_finish;
+ 
+   set_next_block_after (current_header);
+ 
++  skip_dotdot_name = (!absolute_names_option
++&& contains_dot_dot (current_stat_info.orig_file_name));
++  if (skip_dotdot_name)
++ERROR ((0, 0, _("%s: Member name contains '..'"),
++  quotearg_colon (current_stat_info.orig_file_name)));
++
+   if (!current_stat_info.file_name[0]
++  || skip_dotdot_name
+   || (interactive_option
+ && !confirm ("extract", current_stat_info.file_name)))
+ {
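Review bot: the skip is conditioned on !absolute_names_option, so `tar -P` still extracts members with ".." components; that matches upstream, but the commit message should say so, since "skip members whose names contain .." reads as unconditional. Also confirm contains_dot_dot() exists in the 1.29 tree (it is called here but not added by this diff), otherwise the backport will not build.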
+-- 
+1.9.1
+
diff --git a/meta/recipes-extended/tar/tar_1.29.bb 
b/meta/recipes-extended/tar/tar_1.29.bb
index efce57d..f22d9c9 100644
--- a/meta/recipes-extended/tar/tar_1.29.bb
+++ b/meta/recipes-extended/tar/tar_1.29.bb
@@ -8,6 +8,7 @@ LIC_FILES_CHKSUM = 
"file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
 
 SRC_URI += "file://remove-gets.patch \
 file://musl_dirent.patch \
+file://CVE-2016-6321.patch \
"
 SRC_URI[md5sum] = "955cd533955acb1804b83fd70218da51"
 SRC_URI[sha256sum] = 
"236b11190c0a3a6885bdb8d61424f2b36a5872869aa3f7f695dea4b4843ae2f2"
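Review bot: the "Upstream patch" URL in the commit message ends in ...c50f671, three hex digits short of the id in the patch header (7340f67b9860ea0531c1450e5aa261c50f67165d); fix the link so the reference resolves.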
-- 
1.9.1
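As an added example, not GNU tar's code: a component-wise ".." check for archive member names in the spirit of the contains_dot_dot() test the CVE-2016-6321 backport relies on, plus the extract-time decision from the hunk (skip when -P is off and the name has a ".." component; skip empty names). A plain substring test would wrongly reject names like "..hidden" or "a..b", which is why the check walks components. The member_has_dotdot/should_extract/count_extractable helpers and the sample member list are assumptions of this example.

```c
/* Added example (not GNU tar's code): component-wise ".." detection for
 * tar member names and the skip decision that CVE-2016-6321 introduced.
 * The member names below are constructed for this example. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* True if any '/'-separated component of name is exactly "..". */
bool member_has_dotdot(const char *name)
{
    const char *p = name;

    while (*p) {
        const char *slash = strchr(p, '/');
        size_t clen = slash ? (size_t)(slash - p) : strlen(p);

        if (clen == 2 && p[0] == '.' && p[1] == '.')
            return true;
        if (!slash)
            break;
        p = slash + 1;   /* empty components ("a//b") are harmless here */
    }
    return false;
}

/* Mirror of the extract-time decision: a member is skipped when
 * absolute_names (tar -P) is off and the name contains a ".." component,
 * and an empty name is always skipped. Returns true to extract. */
bool should_extract(const char *name, bool absolute_names)
{
    if (name[0] == '\0')
        return false;
    if (!absolute_names && member_has_dotdot(name)) {
        fprintf(stderr, "%s: Member name contains '..'\n", name);
        return false;
    }
    return true;
}

/* Walk a member list and count how many would be extracted. */
int count_extractable(const char *const *names, int n, bool absolute_names)
{
    int kept = 0;

    for (int i = 0; i < n; i++)
        if (should_extract(names[i], absolute_names))
            kept++;
    return kept;
}

/* Constructed member names, as an untrusted archive might carry them. */
static const char *const sample_members[] = {
    "etc/motd",            /* ordinary */
    "../../etc/passwd",    /* classic traversal */
    "dir/../../x",         /* traversal after a legitimate prefix */
    "..hidden/file",       /* not a ".." component: must be allowed */
    "a..b/c",              /* ditto */
    "dir/..",              /* trailing ".." component */
    "",                    /* empty name: skipped regardless */
};

int main(void)
{
    int n = (int)(sizeof sample_members / sizeof sample_members[0]);

    printf("default: %d of %d members extractable\n",
           count_extractable(sample_members, n, false), n);
    printf("with -P: %d of %d members extractable\n",
           count_extractable(sample_members, n, true), n);
    return 0;
}
```

With the default settings three of the seven constructed names survive; with -P everything but the empty name does, which is the behaviour the hunk's !absolute_names_option condition preserves.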



[OE-core] [PATCH] tar: CVE-2016-6321

2017-02-24 Thread Sona Sarmadi
Skip members whose names contain "..".

Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6321

Upstream patch:
http://git.savannah.gnu.org/cgit/tar.git/commit/?id=7340f67b9860ea0531c1450e5aa261c50f671

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 meta/recipes-extended/tar/tar/CVE-2016-6321.patch | 58 +++
 meta/recipes-extended/tar/tar_1.29.bb |  1 +
 2 files changed, 59 insertions(+)
 create mode 100644 meta/recipes-extended/tar/tar/CVE-2016-6321.patch

diff --git a/meta/recipes-extended/tar/tar/CVE-2016-6321.patch 
b/meta/recipes-extended/tar/tar/CVE-2016-6321.patch
new file mode 100644
index 000..4705d2d
--- /dev/null
+++ b/meta/recipes-extended/tar/tar/CVE-2016-6321.patch
@@ -0,0 +1,58 @@
+From 7340f67b9860ea0531c1450e5aa261c50f67165d Mon Sep 17 00:00:00 2001
+From: Paul Eggert <egg...@penguin.cs.ucla.edu>
+Date: Sat, 29 Oct 2016 21:04:40 -0700
+Subject: When extracting, skip ".." members
+
+* NEWS: Document this.
+* src/extract.c (extract_archive): Skip members whose names
+contain "..".
+
+CVE: CVE-2016-6321
+Upstream-Status: Backport
+
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+
+diff -Nurp a/NEWS b/NEWS
+--- a/NEWS 2016-05-16 10:51:12.0 +0200
 b/NEWS 2017-02-24 07:51:53.279524073 +0100
+@@ -1,9 +1,15 @@
+-GNU tar NEWS - User visible changes. 2016-05-16
++GNU tar NEWS - User visible changes. 2016-10-29
+ Please send GNU tar bug reports to <bug-...@gnu.org>
+ 
+ 
+ version 1.29 - Sergey Poznyakoff, 2016-05-16
+ 
++CVE-2016-6321
++* Member names containing '..' components are now skipped when extracting.
++This fixes tar's behavior to match its documentation, and is a bit
++safer when extracting untrusted archives over old files (an unsafe
++practice that the tar manual has long recommended against).
++
+ * New options: --verbatim-files-from, --no-verbatim-files-from
+ 
+ The --verbatim-files-from option instructs tar to treat each line read
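Review bot: this hunk moves the note under "version 1.29" and adds a bare "CVE-2016-6321" line that upstream's NEWS does not have, so the file no longer matches the commit the header claims to backport; the v2 posted the same day uses upstream's hunk verbatim, which is the better form. The header here also lacks the "---" separator and diffstat that git format-patch emits and that the v2 carries.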
+diff -Nurp a/src/extract.c b/src/extract.c
+--- a/src/extract.c2016-01-20 10:26:32.0 +0100
 b/src/extract.c2017-02-24 07:41:27.990942240 +0100
+@@ -1629,12 +1629,20 @@ extract_archive (void)
+ {
+   char typeflag;
+   tar_extractor_t fun;
++  bool skip_dotdot_name;
+ 
+   fatal_exit_hook = extract_finish;
+ 
+   set_next_block_after (current_header);
+ 
++  skip_dotdot_name = (!absolute_names_option
++&& contains_dot_dot (current_stat_info.orig_file_name));
++  if (skip_dotdot_name)
++ERROR ((0, 0, _("%s: Member name contains '..'"),
++  quotearg_colon (current_stat_info.orig_file_name)));
++
+   if (!current_stat_info.file_name[0]
++  || skip_dotdot_name
+   || (interactive_option
+ && !confirm ("extract", current_stat_info.file_name)))
+ {
diff --git a/meta/recipes-extended/tar/tar_1.29.bb 
b/meta/recipes-extended/tar/tar_1.29.bb
index efce57d..f22d9c9 100644
--- a/meta/recipes-extended/tar/tar_1.29.bb
+++ b/meta/recipes-extended/tar/tar_1.29.bb
@@ -8,6 +8,7 @@ LIC_FILES_CHKSUM = 
"file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
 
 SRC_URI += "file://remove-gets.patch \
 file://musl_dirent.patch \
+file://CVE-2016-6321.patch \
"
 SRC_URI[md5sum] = "955cd533955acb1804b83fd70218da51"
 SRC_URI[sha256sum] = 
"236b11190c0a3a6885bdb8d61424f2b36a5872869aa3f7f695dea4b4843ae2f2"
-- 
1.9.1



Re: [OE-core] [PATCH v5][morty] openssl: CVE: CVE-2017-3731

2017-02-14 Thread Sona Sarmadi
>> I am just curious if this is ok, or should we always put the CVE: tag inside 
>> the patch?

> The tag should always be in the patch file.
>
> Ross

So I guess this needs to be fixed:
http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?h=morty=8ba5b9eae34bbab537954ccee1726c7ee7a82750

//S


Re: [OE-core] [PATCH v5][morty] openssl: CVE: CVE-2017-3731

2017-02-14 Thread Sona Sarmadi
Hi Alexandru,

Shouldn't CVE-2017-3731 in the patch files have a CVE: tag? 

i.e. CVE-2017-3731 in 0001-CVE-2017-3731.patch & 0002-CVE-2017-3731.patch 

should be:

CVE: CVE-2017-3731

You have this tag in the meta patch; we normally add it inside the patch. 

> * CVE: CVE-2017-3731
> 
> Upstream-status: Backport

I am just curious if this is ok, or should we always put the CVE: tag inside 
the patch?

Thanks
//Sona

> -Original Message-
> From: openembedded-core-boun...@lists.openembedded.org
> [mailto:openembedded-core-boun...@lists.openembedded.org] On
> Behalf Of Alexandru Moise
> Sent: den 7 februari 2017 12:49
> To: openembedded-core@lists.openembedded.org
> Subject: [OE-core] [PATCH v5][morty] openssl: CVE: CVE-2017-3731
> 
> If an SSL/TLS server or client is running on a 32-bit host, and a specific
> cipher is being used, then a truncated packet can cause that server or
> client  to perform an out-of-bounds read, usually resulting in a crash.
> 
> Backported from:
> https://github.com/openssl/openssl/commit/8e20499629b6bcf868d007
> 2c7011e590b5c2294d
> https://github.com/openssl/openssl/commit/2198b3a55de681e1f3c23e
> db0586afe13f438051
> 
> * CVE: CVE-2017-3731
> 
> Upstream-status: Backport
> 
> Signed-off-by: Alexandru Moise 
> ---
>  .../openssl/openssl/0001-CVE-2017-3731.patch   | 46
> +++
>  .../openssl/openssl/0002-CVE-2017-3731.patch   | 53
> ++
>  .../recipes-connectivity/openssl/openssl_1.0.2j.bb |  2 +
>  3 files changed, 101 insertions(+)
>  create mode 100644 meta/recipes-connectivity/openssl/openssl/0001-
> CVE-2017-3731.patch
>  create mode 100644 meta/recipes-connectivity/openssl/openssl/0002-
> CVE-2017-3731.patch
> 
> diff --git a/meta/recipes-connectivity/openssl/openssl/0001-CVE-2017-
> 3731.patch b/meta/recipes-connectivity/openssl/openssl/0001-CVE-
> 2017-3731.patch
> new file mode 100644
> index 000..b378c5e
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssl/openssl/0001-CVE-2017-
> 3731.patch
> @@ -0,0 +1,46 @@
> +From 0cde9a9645c949fd0acf657dadc747676245cfaf Mon Sep 17
> 00:00:00 2001
> +From: Alexandru Moise 
> +Date: Tue, 7 Feb 2017 11:13:19 +0200
> +Subject: [PATCH 1/2] crypto/evp: harden RC4_MD5 cipher.
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +Originally a crash in 32-bit build was reported CHACHA20-POLY1305
> +cipher. The crash is triggered by truncated packet and is result of
> +excessive hashing to the edge of accessible memory (or bogus MAC
> value
> +is produced if x86 MD5 assembly module is involved). Since hash
> +operation is read-only it is not considered to be exploitable beyond a
> +DoS condition.
> +
> +Thanks to Robert Święcki for report.
> +
> +CVE-2017-3731
> +
> +Backported from upstream commit:
> +8e20499629b6bcf868d0072c7011e590b5c2294d
> +
> +Upstream-Status: Backport
> +
> +Reviewed-by: Rich Salz 
> +Signed-off-by: Alexandru Moise 
> +---
> + crypto/evp/e_rc4_hmac_md5.c | 2 ++
> + 1 file changed, 2 insertions(+)
> +
> +diff --git a/crypto/evp/e_rc4_hmac_md5.c
> b/crypto/evp/e_rc4_hmac_md5.c
> +index 5e92855..3293419 100644
> +--- a/crypto/evp/e_rc4_hmac_md5.c
>  b/crypto/evp/e_rc4_hmac_md5.c
> +@@ -269,6 +269,8 @@ static int rc4_hmac_md5_ctrl(EVP_CIPHER_CTX
> *ctx, int type, int arg,
> + len = p[arg - 2] << 8 | p[arg - 1];
> +
> + if (!ctx->encrypt) {
> ++if (len < MD5_DIGEST_LENGTH)
> ++return -1;
> + len -= MD5_DIGEST_LENGTH;
> + p[arg - 2] = len >> 8;
> + p[arg - 1] = len;
> +--
> +2.10.2
> +
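Review bot: the patch header carries only a bare `CVE-2017-3731` line, not the `CVE: CVE-2017-3731` tag that the reply above says belongs in the patch file (the recipe-level commit message has it, the patch file does not); add the tag line next to `Upstream-Status: Backport` in both patch files so tooling that greps patch headers for `CVE:` can find it. The code change is right as far as the hunk shows: `len` comes straight from the two trailing record-header bytes (`p[arg - 2] << 8 | p[arg - 1]`), so on the decrypt path a truncated record with `len < MD5_DIGEST_LENGTH` would underflow at `len -= MD5_DIGEST_LENGTH` and the MAC computation would then run off the end of the buffer; returning -1 fails the ctrl call instead.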
> diff --git a/meta/recipes-connectivity/openssl/openssl/0002-CVE-2017-
> 3731.patch b/meta/recipes-connectivity/openssl/openssl/0002-CVE-
> 2017-3731.patch
> new file mode 100644
> index 000..990cbfd
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssl/openssl/0002-CVE-2017-
> 3731.patch
> @@ -0,0 +1,53 @@
> +From 6427f1accc54b515bb899370f1a662bfcb1caa52 Mon Sep 17
> 00:00:00 2001
> +From: Alexandru Moise 
> +Date: Tue, 7 Feb 2017 11:16:13 +0200
> +Subject: [PATCH 2/2] crypto/evp: harden AEAD ciphers.
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +Originally a crash in 32-bit build was reported CHACHA20-POLY1305
> +cipher. The crash is triggered by truncated packet and is result of
> +excessive hashing to the edge of accessible memory. Since hash
> +operation is read-only it is not considered to be exploitable beyond a
> +DoS condition. Other ciphers were hardened.
> +
> +Thanks to Robert Święcki for report.
> +
> +CVE-2017-3731
> +
> +Backported from upstream commit:
> +2198b3a55de681e1f3c23edb0586afe13f438051
> +
> +Upstream-Status: Backport
> +
> +Reviewed-by: Rich Salz 
> +Signed-off-by: 
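
The thread above is about whether the `CVE:` tag has to live inside the patch file itself. As an added example (not code from the thread, from OE-core or from the cve-check class), the POSIX sh script below checks that every `*.patch` whose file name carries a CVE id also carries a matching `CVE: CVE-YYYY-NNNN` line in its header, i.e. before the first `diff --git` or `--- ` file header. The function names are this example's own, and the two sample patches written at the bottom are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread, OE-core or the cve-check class):
# verify that a patch named after a CVE also carries the "CVE: <id>" tag
# in its header. Function names are this example's own; the sample
# patches created at the bottom are constructed for the demo.

CVE_RE='CVE-[0-9]{4}-[0-9]{4,}'

# cve_ids_in_name FILE -> CVE ids present in the file name, one per line
cve_ids_in_name() {
    basename "$1" | grep -oE "$CVE_RE" | sort -u
}

# cve_ids_tagged FILE -> ids from "CVE:" lines in the patch header, i.e.
# everything before the first "diff --git" or "--- " file header
cve_ids_tagged() {
    sed -n -e '/^diff --git/q' -e '/^--- /q' \
           -e 's/^CVE:[[:space:]]*//p' "$1" | grep -oE "$CVE_RE" | sort -u
}

# check_patch_cve_tag FILE -> 0 if every id in the name is tagged,
# 1 otherwise (one diagnostic per missing tag); non-CVE patches pass
check_patch_cve_tag() {
    f=$1
    names=$(cve_ids_in_name "$f" || true)
    [ -n "$names" ] || return 0
    tagged=$(cve_ids_tagged "$f" || true)
    bad=0
    for id in $names; do
        if ! printf '%s\n' "$tagged" | grep -qx "$id"; then
            echo "$f: missing 'CVE: $id' tag in patch header"
            bad=1
        fi
    done
    return $bad
}

# scan_patches DIR -> runs the check over every *.patch below DIR
scan_patches() {
    found=0
    for p in $(find "$1" -name '*.patch' | sort); do
        check_patch_cve_tag "$p" || found=1
    done
    return $found
}

# Demo on constructed files: one tagged correctly, one with only a bare id
# (the situation the thread asks about). The commit hash is a placeholder.
demo=$(mktemp -d)
printf '%s\n' 'From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001' \
    'Subject: [PATCH 1/2] constructed example' '' \
    'CVE: CVE-2017-3731' 'Upstream-Status: Backport' '---' \
    'diff --git a/src/example.c b/src/example.c' \
    > "$demo/0001-CVE-2017-3731.patch"
printf '%s\n' 'From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001' \
    'Subject: [PATCH 2/2] constructed example' '' \
    'CVE-2017-3731' 'Upstream-Status: Backport' '---' \
    'diff --git a/src/example.c b/src/example.c' \
    > "$demo/0002-CVE-2017-3731.patch"
scan_patches "$demo" || echo "at least one patch lacks its CVE: tag"
rm -rf "$demo"
```

Run it as `scan_patches meta/recipes-connectivity/openssl` from a layer checkout; a patch file such as `CVE-2016-7947_CVE-2016-7948.patch` needs one `CVE:` line per id in its name, and `CVE:` lines that appear inside the diff body (after the first file header) are deliberately not counted.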

[OE-core] do_populate_cve_db: Error in executing cve-check-update

2017-02-06 Thread Sona Sarmadi
Hi all,


Does anyone know if there is an issue with the cve-check tool on the master branch?

It seems that "cve-check-update -d" fails; does anyone know why?

poky/build-cve-check$ bitbake -k -c cve_check universe


WARNING: cve-check-tool-native-5.6.4-r0 do_populate_cve_db: Error in executing cve-check-update
WARNING: cve-check-tool-native-5.6.4-r0 do_populate_cve_db: Failed to update cve-check-tool database, CVEs won't be checked



do_populate_cve_db() {
    if [ "${BB_NO_NETWORK}" = "1" ] ; then
        bberror "BB_NO_NETWORK is set; Can't update cve-check-tool database, CVEs won't be checked"
        return
    fi

    # In case we don't inherit cve-check class, use default values defined in the class.
    cve_dir="${CVE_CHECK_DB_DIR}"
    cve_file="${CVE_CHECK_TMP_FILE}"

    [ -z "${cve_dir}" ] && cve_dir="${DL_DIR}/CVE_CHECK"
    [ -z "${cve_file}" ] && cve_file="${TMPDIR}/cve_check"

    bbdebug 2 "Updating cve-check-tool database located in $cve_dir"
    if cve-check-update -d "$cve_dir" ; then
        printf "CVE database was updated on %s UTC\n\n" "$(LANG=C date --utc +'%F %T')" > "$cve_file"
    else
        bbwarn "Error in executing cve-check-update"  # <
        if [ "${@'1' if bb.data.inherits_class('cve-check', d) else '0'}" -ne 0 ] ; then
            bbwarn "Failed to update cve-check-tool database, CVEs won't be checked"  # <<
        fi
    fi
}

Thanks
//Sona


[OE-core] [PATCH][krogoth 1/2] libX11: CVE-2016-7942

2017-01-30 Thread Sona Sarmadi
The XGetImage function in X.org libX11 before 1.6.4 might allow remote X
servers to gain privileges via vectors involving image type and geometry,
which triggers out-of-bounds read operations.

References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7942
Upstream patch
https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=8ea762f94f4c942d898fdeb590a1630c83235c17

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 .../xorg-lib/libx11/CVE-2016-7942.patch| 69 ++
 meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb |  1 +
 2 files changed, 70 insertions(+)
 create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7942.patch

diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7942.patch 
b/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7942.patch
new file mode 100644
index 000..f5b4d69
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7942.patch
@@ -0,0 +1,69 @@
+From 8ea762f94f4c942d898fdeb590a1630c83235c17 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tob...@stoeckmann.org>
+Date: Sun, 25 Sep 2016 21:25:25 +0200
+Subject: Validation of server responses in XGetImage()
+
+Check if enough bytes were received for specified image type and
+geometry. Otherwise GetPixel and other functions could trigger an
+out of boundary read later on.
+
+CVE: CVE-2016-7942
+Upstream-Status: Backport
+
+Signed-off-by: Tobias Stoeckmann <tob...@stoeckmann.org>
+Reviewed-by: Matthieu Herrb <matth...@herrb.eu>
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+
+diff --git a/src/GetImage.c b/src/GetImage.c
+index c461abc..ff32d58 100644
+--- a/src/GetImage.c
 b/src/GetImage.c
+@@ -59,6 +59,7 @@ XImage *XGetImage (
+   char *data;
+   unsigned long nbytes;
+   XImage *image;
++  int planes;
+   LockDisplay(dpy);
+   GetReq (GetImage, req);
+   /*
+@@ -91,18 +92,28 @@ XImage *XGetImage (
+   return (XImage *) NULL;
+   }
+ _XReadPad (dpy, data, nbytes);
+-if (format == XYPixmap)
+- image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual),
+-Ones (plane_mask &
+-  (((unsigned long)0x) >> (32 - rep.depth))),
+-format, 0, data, width, height, dpy->bitmap_pad, 0);
+-  else /* format == ZPixmap */
+-   image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual),
+-   rep.depth, ZPixmap, 0, data, width, height,
+-_XGetScanlinePad(dpy, (int) rep.depth), 0);
++if (format == XYPixmap) {
++  image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual),
++  Ones (plane_mask &
++  (((unsigned long)0x) >> (32 - rep.depth))),
++  format, 0, data, width, height, dpy->bitmap_pad, 0);
++  planes = image->depth;
++  } else { /* format == ZPixmap */
++image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual),
++  rep.depth, ZPixmap, 0, data, width, height,
++  _XGetScanlinePad(dpy, (int) rep.depth), 0);
++  planes = 1;
++  }
+ 
+   if (!image)
+   Xfree(data);
++  if (planes < 1 || image->height < 1 || image->bytes_per_line < 1 ||
++  INT_MAX / image->height <= image->bytes_per_line ||
++  INT_MAX / planes <= image->height * image->bytes_per_line ||
++  nbytes < planes * image->height * image->bytes_per_line) {
++  XDestroyImage(image);
++  image = NULL;
++  }
+   UnlockDisplay(dpy);
+   SyncHandle();
+   return (image);
+-- 
+cgit v0.10.2
+
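Review bot: the validation block added at the end of the second hunk dereferences `image` on the NULL path: `if (!image) Xfree(data);` is followed unconditionally by `if (planes < 1 || image->height < 1 || ...)`, and in the XYPixmap branch `planes = image->depth;` already reads through `image` before that test, so an `XCreateImage` failure (which the pre-existing `Xfree(data)` shows is an expected outcome) now crashes instead of returning NULL. Make the whole check an `else` of the NULL test, e.g. `if (!image) { Xfree(data); } else if (planes < 1 || ...) { XDestroyImage(image); image = NULL; }`, and derive `planes` from the `Ones(...)` value that is passed to `XCreateImage` rather than from `image->depth`. Separately, `(((unsigned long)0x) >> (32 - rep.depth))` in both the `-` and `+` lines is a hex literal with no digits and would not compile; this archive copy may have dropped characters, so confirm the patch file in the tree is intact.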
diff --git a/meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb 
b/meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb
index 8e531c7..152ccd9 100644
--- a/meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb
+++ b/meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb
@@ -5,6 +5,7 @@ BBCLASSEXTEND = "native nativesdk"
 
 SRC_URI += "file://disable_tests.patch \
 file://libX11-Add-missing-NULL-check.patch \
+file://CVE-2016-7942.patch \
"
 
 SRC_URI[md5sum] = "2e36b73f8a42143142dda8129f02e4e0"
-- 
1.9.1



[OE-core] [PATCH][krogoth 2/2] libx11: CVE-2016-7943

2017-01-30 Thread Sona Sarmadi
The XListFonts function in X.org libX11 before 1.6.4 might allow
remote X servers to gain privileges via vectors involving length
fields, which trigger out-of-bounds write operations.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7943
https://lists.x.org/archives/xorg-announce/2016-October/002720.html

Upstream patch:
https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=8c29f1607a31dac0911e45a0dd3d74173822b3c9

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 .../xorg-lib/libx11/CVE-2016-7943.patch| 103 +
 meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb |   1 +
 2 files changed, 104 insertions(+)
 create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7943.patch

diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7943.patch 
b/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7943.patch
new file mode 100644
index 000..5002423
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7943.patch
@@ -0,0 +1,103 @@
+From 8c29f1607a31dac0911e45a0dd3d74173822b3c9 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tob...@stoeckmann.org>
+Date: Sun, 25 Sep 2016 21:22:57 +0200
+Subject: The validation of server responses avoids out of boundary accesses.
+
+v2: FontNames.c  return a NULL list whenever a single
+length field from the server is incohent.
+
+CVE: CVE-2016-7943
+Upstream-Status: Backport
+
+Signed-off-by: Tobias Stoeckmann <tob...@stoeckmann.org>
+Reviewed-by: Matthieu Herrb <matth...@herrb.eu>
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+
+diff --git a/src/FontNames.c b/src/FontNames.c
+index 21dcafe..e55f338 100644
+--- a/src/FontNames.c
 b/src/FontNames.c
+@@ -66,7 +66,7 @@ int *actualCount)/* RETURN */
+ 
+ if (rep.nFonts) {
+   flist = Xmalloc (rep.nFonts * sizeof(char *));
+-  if (rep.length < (INT_MAX >> 2)) {
++  if (rep.length > 0 && rep.length < (INT_MAX >> 2)) {
+   rlen = rep.length << 2;
+   ch = Xmalloc(rlen + 1);
+   /* +1 to leave room for last null-terminator */
+@@ -93,11 +93,22 @@ int *actualCount)  /* RETURN */
+   if (ch + length < chend) {
+   flist[i] = ch + 1;  /* skip over length */
+   ch += length + 1;  /* find next length ... */
+-  length = *(unsigned char *)ch;
+-  *ch = '\0';  /* and replace with null-termination */
+-  count++;
+-  } else
+-  flist[i] = NULL;
++  if (ch <= chend) {
++  length = *(unsigned char *)ch;
++  *ch = '\0';  /* and replace with null-termination */
++  count++;
++  } else {
++Xfree(flist);
++flist = NULL;
++count = 0;
++break;
++  }
++  } else {
++Xfree(flist);
++flist = NULL;
++count = 0;
++break;
++}
+   }
+ }
+ *actualCount = count;
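Review bot: both new error branches free `flist` and zero `count` but do not free the string buffer allocated as `ch = Xmalloc(rlen + 1)` in the previous hunk, and by this point `ch` has been advanced past its start, so unless a copy of the original pointer is freed outside these lines a malformed reply now leaks that buffer. Keep the start pointer and free it alongside `flist`, and collapse the two identical cleanup blocks into one (set a flag and `break`, clean up once after the loop) so they cannot drift apart.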
+diff --git a/src/ListExt.c b/src/ListExt.c
+index be6b989..0516e45 100644
+--- a/src/ListExt.c
 b/src/ListExt.c
+@@ -55,7 +55,7 @@ char **XListExtensions(
+ 
+   if (rep.nExtensions) {
+   list = Xmalloc (rep.nExtensions * sizeof (char *));
+-  if (rep.length < (INT_MAX >> 2)) {
++  if (rep.length > 0 && rep.length < (INT_MAX >> 2)) {
+   rlen = rep.length << 2;
+   ch = Xmalloc (rlen + 1);
+ /* +1 to leave room for last null-terminator */
+@@ -80,9 +80,13 @@ char **XListExtensions(
+   if (ch + length < chend) {
+   list[i] = ch+1;  /* skip over length */
+   ch += length + 1; /* find next length ... */
+-  length = *ch;
+-  *ch = '\0'; /* and replace with null-termination */
+-  count++;
++  if (ch <= chend) {
++  length = *ch;
++  *ch = '\0'; /* and replace with null-termination */
++  count++;
++  } else {
++  list[i] = NULL;
++  }
+   } else
+   list[i] = NULL;
+   }
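Review bot: this hunk handles the same malformed-length case differently from the FontNames.c hunk above: it stores `list[i] = NULL` and keeps iterating instead of freeing the list and breaking. Because `length` is not refreshed on that branch, `ch` stays beyond `chend` and every remaining iteration fails `ch + length < chend`, so the caller receives an array of `rep.nExtensions` entries with NULL holes and a `count` that stops short. If that is intended, say so in a comment; otherwise mirror FontNames.c (free, `count = 0`, `break`) so both functions fail the same way.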
+diff --git a/src/ModMap.c b/src/ModMap.c
+index a809aa2..49a5d08 100644
+--- a/src/ModMap.c
 b/src/ModMap.c
+@@ -42,7 +42,8 @@ XGetModifierMapping(register Display *dpy)
+ GetEmptyReq(GetModifierMapping, req);
+ (void) _XReply (dpy, (xReply *), 0, xFalse);
+ 
+-if (rep.length < (INT_MAX >> 2)) {
++if (rep.length < (INT_MAX >> 2) &&
++  (rep.length >> 1) == rep.numKeyPerModifier) {
+   nbytes = (unsigned long)rep.length << 2;
+   res = Xmalloc(sizeof (XModifierKeymap));
+   if (res)
+-- 
+cgit v0.10.2
+
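Review bot: the new `(rep.length >> 1) == rep.numKeyPerModifier` condition in the ModMap.c hunk is right but unexplained; a one-line comment that the reply carries 8 modifiers times `numKeyPerModifier` keycodes, i.e. exactly `2 * numKeyPerModifier` 4-byte words, would make the equality obvious to the next reader. It is also worth noting in that comment that this is a strict equality while the FontNames.c and ListExt.c hunks only bound `rep.length` from above.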
diff --git a/meta/recipes-graphics/xorg-li

[OE-core] [PATCH][morty 2/2] libx11: CVE-2016-7943

2017-01-30 Thread Sona Sarmadi
The XListFonts function in X.org libX11 before 1.6.4 might allow
remote X servers to gain privileges via vectors involving length
fields, which trigger out-of-bounds write operations.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7943
https://lists.x.org/archives/xorg-announce/2016-October/002720.html

Upstream patch:
https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=8c29f1607a31dac0911e45a0dd3d74173822b3c9

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 .../xorg-lib/libx11/CVE-2016-7943.patch| 103 +
 meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb |   1 +
 2 files changed, 104 insertions(+)
 create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7943.patch

diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7943.patch 
b/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7943.patch
new file mode 100644
index 000..5002423
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7943.patch
@@ -0,0 +1,103 @@
+From 8c29f1607a31dac0911e45a0dd3d74173822b3c9 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tob...@stoeckmann.org>
+Date: Sun, 25 Sep 2016 21:22:57 +0200
+Subject: The validation of server responses avoids out of boundary accesses.
+
+v2: FontNames.c  return a NULL list whenever a single
+length field from the server is incohent.
+
+CVE: CVE-2016-7943
+Upstream-Status: Backport
+
+Signed-off-by: Tobias Stoeckmann <tob...@stoeckmann.org>
+Reviewed-by: Matthieu Herrb <matth...@herrb.eu>
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+
+diff --git a/src/FontNames.c b/src/FontNames.c
+index 21dcafe..e55f338 100644
+--- a/src/FontNames.c
 b/src/FontNames.c
+@@ -66,7 +66,7 @@ int *actualCount)/* RETURN */
+ 
+ if (rep.nFonts) {
+   flist = Xmalloc (rep.nFonts * sizeof(char *));
+-  if (rep.length < (INT_MAX >> 2)) {
++  if (rep.length > 0 && rep.length < (INT_MAX >> 2)) {
+   rlen = rep.length << 2;
+   ch = Xmalloc(rlen + 1);
+   /* +1 to leave room for last null-terminator */
+@@ -93,11 +93,22 @@ int *actualCount)  /* RETURN */
+   if (ch + length < chend) {
+   flist[i] = ch + 1;  /* skip over length */
+   ch += length + 1;  /* find next length ... */
+-  length = *(unsigned char *)ch;
+-  *ch = '\0';  /* and replace with null-termination */
+-  count++;
+-  } else
+-  flist[i] = NULL;
++  if (ch <= chend) {
++  length = *(unsigned char *)ch;
++  *ch = '\0';  /* and replace with null-termination */
++  count++;
++  } else {
++Xfree(flist);
++flist = NULL;
++count = 0;
++break;
++  }
++  } else {
++Xfree(flist);
++flist = NULL;
++count = 0;
++break;
++}
+   }
+ }
+ *actualCount = count;
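Review bot: same FontNames.c change as the krogoth posting of this patch earlier on the page (identical `index 000..5002423`): the two new error branches free `flist` but not the string buffer allocated as `ch = Xmalloc(rlen + 1)` in the previous hunk, which `ch` has by now been advanced past; free the saved start pointer alongside `flist`, and merge the duplicated cleanup into one block after the loop.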
+diff --git a/src/ListExt.c b/src/ListExt.c
+index be6b989..0516e45 100644
+--- a/src/ListExt.c
 b/src/ListExt.c
+@@ -55,7 +55,7 @@ char **XListExtensions(
+ 
+   if (rep.nExtensions) {
+   list = Xmalloc (rep.nExtensions * sizeof (char *));
+-  if (rep.length < (INT_MAX >> 2)) {
++  if (rep.length > 0 && rep.length < (INT_MAX >> 2)) {
+   rlen = rep.length << 2;
+   ch = Xmalloc (rlen + 1);
+ /* +1 to leave room for last null-terminator */
+@@ -80,9 +80,13 @@ char **XListExtensions(
+   if (ch + length < chend) {
+   list[i] = ch+1;  /* skip over length */
+   ch += length + 1; /* find next length ... */
+-  length = *ch;
+-  *ch = '\0'; /* and replace with null-termination */
+-  count++;
++  if (ch <= chend) {
++  length = *ch;
++  *ch = '\0'; /* and replace with null-termination */
++  count++;
++  } else {
++  list[i] = NULL;
++  }
+   } else
+   list[i] = NULL;
+   }
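Review bot: as in the krogoth posting of this patch, the ListExt.c hunk diverges from FontNames.c: on a bad length it sets `list[i] = NULL` and continues, and since `length` is not refreshed the remaining iterations also fail `ch + length < chend`, leaving a list with NULL holes and a short `count`; either document that or fail the same way FontNames.c does (free, `count = 0`, `break`).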
+diff --git a/src/ModMap.c b/src/ModMap.c
+index a809aa2..49a5d08 100644
+--- a/src/ModMap.c
 b/src/ModMap.c
+@@ -42,7 +42,8 @@ XGetModifierMapping(register Display *dpy)
+ GetEmptyReq(GetModifierMapping, req);
+ (void) _XReply (dpy, (xReply *), 0, xFalse);
+ 
+-if (rep.length < (INT_MAX >> 2)) {
++if (rep.length < (INT_MAX >> 2) &&
++  (rep.length >> 1) == rep.numKeyPerModifier) {
+   nbytes = (unsigned long)rep.length << 2;
+   res = Xmalloc(sizeof (XModifierKeymap));
+   if (res)
+-- 
+cgit v0.10.2
+
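Review bot: the ModMap.c equality `(rep.length >> 1) == rep.numKeyPerModifier` needs a comment explaining it (8 modifiers times `numKeyPerModifier` keycodes is `2 * numKeyPerModifier` 4-byte words), as it is the only strict-equality length check in the series; the krogoth posting of this patch earlier on the page has the same gap.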
diff --git a/meta/recipes-graphics/xorg-li

[OE-core] [PATCH][morty 1/2] libX11: CVE-2016-7942

2017-01-30 Thread Sona Sarmadi
The XGetImage function in X.org libX11 before 1.6.4 might allow remote X
servers to gain privileges via vectors involving image type and geometry,
which triggers out-of-bounds read operations.

References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7942
Upstream patch
https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=8ea762f94f4c942d898fdeb590a1630c83235c17

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 .../xorg-lib/libx11/CVE-2016-7942.patch| 69 ++
 meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb |  1 +
 2 files changed, 70 insertions(+)
 create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7942.patch

diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7942.patch 
b/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7942.patch
new file mode 100644
index 000..f5b4d69
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7942.patch
@@ -0,0 +1,69 @@
+From 8ea762f94f4c942d898fdeb590a1630c83235c17 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tob...@stoeckmann.org>
+Date: Sun, 25 Sep 2016 21:25:25 +0200
+Subject: Validation of server responses in XGetImage()
+
+Check if enough bytes were received for specified image type and
+geometry. Otherwise GetPixel and other functions could trigger an
+out of boundary read later on.
+
+CVE: CVE-2016-7942
+Upstream-Status: Backport
+
+Signed-off-by: Tobias Stoeckmann <tob...@stoeckmann.org>
+Reviewed-by: Matthieu Herrb <matth...@herrb.eu>
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+
+diff --git a/src/GetImage.c b/src/GetImage.c
+index c461abc..ff32d58 100644
+--- a/src/GetImage.c
 b/src/GetImage.c
+@@ -59,6 +59,7 @@ XImage *XGetImage (
+   char *data;
+   unsigned long nbytes;
+   XImage *image;
++  int planes;
+   LockDisplay(dpy);
+   GetReq (GetImage, req);
+   /*
+@@ -91,18 +92,28 @@ XImage *XGetImage (
+   return (XImage *) NULL;
+   }
+ _XReadPad (dpy, data, nbytes);
+-if (format == XYPixmap)
+- image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual),
+-Ones (plane_mask &
+-  (((unsigned long)0x) >> (32 - rep.depth))),
+-format, 0, data, width, height, dpy->bitmap_pad, 0);
+-  else /* format == ZPixmap */
+-   image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual),
+-   rep.depth, ZPixmap, 0, data, width, height,
+-_XGetScanlinePad(dpy, (int) rep.depth), 0);
++if (format == XYPixmap) {
++  image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual),
++  Ones (plane_mask &
++  (((unsigned long)0x) >> (32 - rep.depth))),
++  format, 0, data, width, height, dpy->bitmap_pad, 0);
++  planes = image->depth;
++  } else { /* format == ZPixmap */
++image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual),
++  rep.depth, ZPixmap, 0, data, width, height,
++  _XGetScanlinePad(dpy, (int) rep.depth), 0);
++  planes = 1;
++  }
+ 
+   if (!image)
+   Xfree(data);
++  if (planes < 1 || image->height < 1 || image->bytes_per_line < 1 ||
++  INT_MAX / image->height <= image->bytes_per_line ||
++  INT_MAX / planes <= image->height * image->bytes_per_line ||
++  nbytes < planes * image->height * image->bytes_per_line) {
++  XDestroyImage(image);
++  image = NULL;
++  }
+   UnlockDisplay(dpy);
+   SyncHandle();
+   return (image);
+-- 
+cgit v0.10.2
+
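Review bot: identical to the krogoth posting of this patch earlier on the page (`index 000..f5b4d69`), so the same defect applies: after `if (!image) Xfree(data);` the new validation reads `image->height` and `image->bytes_per_line` unconditionally, and the XYPixmap branch reads `image->depth` before the NULL test, so a failed `XCreateImage` now crashes; make the check an `else` of the NULL test and take `planes` from the `Ones(...)` argument instead of `image->depth`. The `0x` literal with no digits in the plane-mask lines also needs checking against the patch file in the tree.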
diff --git a/meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb 
b/meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb
index 8e531c7..152ccd9 100644
--- a/meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb
+++ b/meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb
@@ -5,6 +5,7 @@ BBCLASSEXTEND = "native nativesdk"
 
 SRC_URI += "file://disable_tests.patch \
 file://libX11-Add-missing-NULL-check.patch \
+file://CVE-2016-7942.patch \
"
 
 SRC_URI[md5sum] = "2e36b73f8a42143142dda8129f02e4e0"
-- 
1.9.1



[OE-core] [PATCH][morty] libXrandr: fix for CVE-2016-7947 and CVE-2016-7948

2017-01-27 Thread Sona Sarmadi
CVE-2016-7947
Insufficient validation of server responses result in Integer overflows

CVE-2016-7948
Insufficient validation of server responses result in various data mishandlings

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7947
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7948
https://lists.x.org/archives/xorg-announce/2016-October/002720.html

Upstream patch for both CVEs:
https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 .../libxrandr/CVE-2016-7947_CVE-2016-7948.patch| 439 +
 meta/recipes-graphics/xorg-lib/libxrandr_1.5.0.bb  |   3 +
 2 files changed, 442 insertions(+)
 create mode 100644 
meta/recipes-graphics/xorg-lib/libxrandr/CVE-2016-7947_CVE-2016-7948.patch

diff --git 
a/meta/recipes-graphics/xorg-lib/libxrandr/CVE-2016-7947_CVE-2016-7948.patch 
b/meta/recipes-graphics/xorg-lib/libxrandr/CVE-2016-7947_CVE-2016-7948.patch
new file mode 100644
index 000..a9b3dbc
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libxrandr/CVE-2016-7947_CVE-2016-7948.patch
@@ -0,0 +1,439 @@
+From a0df3e1c7728205e5c7650b2e6dce684139254a6 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tob...@stoeckmann.org>
+Date: Sun, 25 Sep 2016 22:21:40 +0200
+Subject: Avoid out of boundary accesses on illegal responses
+
+The responses of the connected X server have to be properly checked
+to avoid out of boundary accesses that could otherwise be triggered
+by a malicious server.
+
+CVE: CVE-2016-7947
+libXrandr: Insufficient validation of server responses result in Integer 
overflows
+
+CVE: CVE-2016-7948
+libXrandr: Insufficient validation of server responses result in various data 
mishandlings
+
+Upstream-Status: Backport
+
+Signed-off-by: Tobias Stoeckmann <tob...@stoeckmann.org>
+Reviewed-by: Matthieu Herrb <matth...@herrb.eu>
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+
+diff --git a/src/XrrConfig.c b/src/XrrConfig.c
+index 2f0282b..e68c45a 100644
+--- a/src/XrrConfig.c
 b/src/XrrConfig.c
+@@ -29,6 +29,7 @@
+ #include 
+ #endif
+ 
++#include 
+ #include 
+ #include 
+ /* we need to be able to manipulate the Display structure on events */
+@@ -272,23 +273,30 @@ static XRRScreenConfiguration *_XRRGetScreenInfo 
(Display *dpy,
+   rep.rate = 0;
+   rep.nrateEnts = 0;
+ }
++if (rep.length < INT_MAX >> 2) {
++  nbytes = (long) rep.length << 2;
+ 
+-nbytes = (long) rep.length << 2;
++  nbytesRead = (long) (rep.nSizes * SIZEOF (xScreenSizes) +
++  ((rep.nrateEnts + 1)& ~1) * 2 /* SIZEOF(CARD16) */);
+ 
+-nbytesRead = (long) (rep.nSizes * SIZEOF (xScreenSizes) +
+-   ((rep.nrateEnts + 1)& ~1) * 2 /* SIZEOF (CARD16) */);
++  /*
++   * first we must compute how much space to allocate for
++   * randr library's use; we'll allocate the structures in a single
++   * allocation, on cleanlyness grounds.
++   */
+ 
+-/*
+- * first we must compute how much space to allocate for
+- * randr library's use; we'll allocate the structures in a single
+- * allocation, on cleanlyness grounds.
+- */
++  rbytes = sizeof (XRRScreenConfiguration) +
++(rep.nSizes * sizeof (XRRScreenSize) +
++ rep.nrateEnts * sizeof (int));
+ 
+-rbytes = sizeof (XRRScreenConfiguration) +
+-  (rep.nSizes * sizeof (XRRScreenSize) +
+-   rep.nrateEnts * sizeof (int));
++  scp = (struct _XRRScreenConfiguration *) Xmalloc(rbytes);
++} else {
++  nbytes = 0;
++  nbytesRead = 0;
++  rbytes = 0;
++  scp = NULL;
++}
+ 
+-scp = (struct _XRRScreenConfiguration *) Xmalloc(rbytes);
+ if (scp == NULL) {
+   _XEatData (dpy, (unsigned long) nbytes);
+   return NULL;
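Review bot: in the new `else` branch `nbytes` is set to 0 before the existing `_XEatData (dpy, (unsigned long) nbytes)` call, so when `rep.length >= INT_MAX >> 2` the function returns NULL without draining the reply body and the connection is left out of sync for the next request; if draining a reply that large is deliberately not attempted, a comment should say so and callers should treat the NULL as a fatal protocol error rather than a transient failure. The code moved under the `if` is a verbatim re-indent of the old lines, so the guard is the only functional change; a short `/* CVE-2016-7947 */` pointer next to it would help later readers see why the block was restructured.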
+diff --git a/src/XrrCrtc.c b/src/XrrCrtc.c
+index 5ae35c5..6665092 100644
+--- a/src/XrrCrtc.c
 b/src/XrrCrtc.c
+@@ -24,6 +24,7 @@
+ #include 
+ #endif
+ 
++#include 
+ #include 
+ #include 
+ /* we need to be able to manipulate the Display structure on events */
+@@ -57,22 +58,33 @@ XRRGetCrtcInfo (Display *dpy, XRRScreenResources 
*resources, RRCrtc crtc)
+   return NULL;
+ }
+ 
+-nbytes = (long) rep.length << 2;
++if (rep.length < INT_MAX >> 2)
++{
++  nbytes = (long) rep.length << 2;
+ 
+-nbytesRead = (long) (rep.nOutput * 4 +
+-   rep.nPossibleOutput * 4);
++  nbytesRead = (long) (rep.nOutput * 4 +
++   rep.nPossibleOutput * 4);
+ 
+-/*
+- * first we must compute how much space to allocate for
+- * randr library's use; we'll allocate the structures in a single
+- * allocation, on cleanlyness grounds.
+- */
++  /*
++   * first we must compute how much space to allocate for
++   * randr library's use; we'll allocate the structures in a single
++  

[OE-core] [PATCH][krogoth] libxrender: CVE-2016-7949

2017-01-26 Thread Sona Sarmadi
Insufficient validation of server responses results
in overflow of previously reserved memory

Upstream patch:
https://cgit.freedesktop.org/xorg/lib/libXrender/commit/?id=9362c7ddd1af3b168953d0737877bc52d79c94f4

External References:
https://lists.x.org/archives/xorg-announce/2016-October/002720.html
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7949

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 .../xorg-lib/libxrender/CVE-2016-7949.patch| 59 ++
 meta/recipes-graphics/xorg-lib/libxrender_0.9.9.bb |  3 ++
 2 files changed, 62 insertions(+)
 create mode 100644 
meta/recipes-graphics/xorg-lib/libxrender/CVE-2016-7949.patch

diff --git a/meta/recipes-graphics/xorg-lib/libxrender/CVE-2016-7949.patch 
b/meta/recipes-graphics/xorg-lib/libxrender/CVE-2016-7949.patch
new file mode 100644
index 000..73315b1
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libxrender/CVE-2016-7949.patch
@@ -0,0 +1,59 @@
+From 9362c7ddd1af3b168953d0737877bc52d79c94f4 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tob...@stoeckmann.org>
+Date: Sun, 25 Sep 2016 21:43:09 +0200
+Subject: Validate lengths while parsing server data.
+
+Individual lengths inside received server data can overflow
+the previously reserved memory.
+
+It is therefore important to validate every single length
+field to not overflow the previously agreed sum of all invidual
+length fields.
+
+v2: consume remaining bytes in the reply buffer on error.
+
+CVE: CVE-2016-7949
+Upstream-Status: Backport
+
+Signed-off-by: Tobias Stoeckmann <tob...@stoeckmann.org>
+Reviewed-by: Matthieu he...@laas.fr
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+
+diff --git a/src/Xrender.c b/src/Xrender.c
+index 3102eb2..71cf3e6 100644
+--- a/src/Xrender.c
 b/src/Xrender.c
+@@ -533,12 +533,30 @@ XRenderQueryFormats (Display *dpy)
+   screen->fallback = _XRenderFindFormat (xri, xScreen->fallback);
+   screen->subpixel = SubPixelUnknown;
+   xDepth = (xPictDepth *) (xScreen + 1);
++  if (screen->ndepths > rep.numDepths) {
++  Xfree (xri);
++  Xfree (xData);
++  _XEatDataWords (dpy, rep.length);
++  UnlockDisplay (dpy);
++  SyncHandle ();
++  return 0;
++  }
++  rep.numDepths -= screen->ndepths;
+   for (nd = 0; nd < screen->ndepths; nd++)
+   {
+   depth->depth = xDepth->depth;
+   depth->nvisuals = xDepth->nPictVisuals;
+   depth->visuals = visual;
+   xVisual = (xPictVisual *) (xDepth + 1);
++  if (depth->nvisuals > rep.numVisuals) {
++  Xfree (xri);
++  Xfree (xData);
++  _XEatDataWords (dpy, rep.length);
++  UnlockDisplay (dpy);
++  SyncHandle ();
++  return 0;
++  }
++  rep.numVisuals -= depth->nvisuals;
+   for (nv = 0; nv < depth->nvisuals; nv++)
+   {
+   visual->visual = _XRenderFindVisual (dpy, xVisual->visual);
+-- 
+cgit v0.10.2
+
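Review bot: both new bail-out blocks call `_XEatDataWords (dpy, rep.length)` right after freeing `xData`, the buffer that holds the reply being parsed; if, as that `Xfree (xData)` suggests, the whole reply body has already been read into `xData` before this loop, then eating another `rep.length` words here discards the next reply on the connection (or blocks waiting for it) rather than the remainder of this one, which is what the `v2:` note says was intended. Confirm where the reply body is read; if it is read up front, the eat call should go. Style: the seven-line cleanup is duplicated verbatim in the two branches; a single `goto` label would keep them in sync.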
diff --git a/meta/recipes-graphics/xorg-lib/libxrender_0.9.9.bb 
b/meta/recipes-graphics/xorg-lib/libxrender_0.9.9.bb
index 9fde040..96116ea 100644
--- a/meta/recipes-graphics/xorg-lib/libxrender_0.9.9.bb
+++ b/meta/recipes-graphics/xorg-lib/libxrender_0.9.9.bb
@@ -19,5 +19,8 @@ XORG_PN = "libXrender"
 
 BBCLASSEXTEND = "native nativesdk"
 
+SRC_URI += "file://CVE-2016-7949.patch \
+"
+
 SRC_URI[md5sum] = "5db92962b124ca3a8147daae4adbd622"
 SRC_URI[sha256sum] = 
"fc2fe57980a14092426dffcd1f2d9de0987b9d40adea663bd70d6342c0e9be1a"
-- 
1.9.1



[OE-core] [PATCH][morty] libxrender: CVE-2016-7949

2017-01-26 Thread Sona Sarmadi
Insufficient validation of server responses results
in overflow of previously reserved memory

Upstream patch:
https://cgit.freedesktop.org/xorg/lib/libXrender/commit/?id=9362c7ddd1af3b168953d0737877bc52d79c94f4

External References:
https://lists.x.org/archives/xorg-announce/2016-October/002720.html
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7949

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 .../xorg-lib/libxrender/CVE-2016-7949.patch| 59 ++
 meta/recipes-graphics/xorg-lib/libxrender_0.9.9.bb |  3 ++
 2 files changed, 62 insertions(+)
 create mode 100644 
meta/recipes-graphics/xorg-lib/libxrender/CVE-2016-7949.patch

diff --git a/meta/recipes-graphics/xorg-lib/libxrender/CVE-2016-7949.patch 
b/meta/recipes-graphics/xorg-lib/libxrender/CVE-2016-7949.patch
new file mode 100644
index 000..73315b1
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libxrender/CVE-2016-7949.patch
@@ -0,0 +1,59 @@
+From 9362c7ddd1af3b168953d0737877bc52d79c94f4 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tob...@stoeckmann.org>
+Date: Sun, 25 Sep 2016 21:43:09 +0200
+Subject: Validate lengths while parsing server data.
+
+Individual lengths inside received server data can overflow
+the previously reserved memory.
+
+It is therefore important to validate every single length
+field to not overflow the previously agreed sum of all invidual
+length fields.
+
+v2: consume remaining bytes in the reply buffer on error.
+
+CVE: CVE-2016-7949
+Upstream-Status: Backport
+
+Signed-off-by: Tobias Stoeckmann <tob...@stoeckmann.org>
+Reviewed-by: Matthieu he...@laas.fr
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+
+diff --git a/src/Xrender.c b/src/Xrender.c
+index 3102eb2..71cf3e6 100644
+--- a/src/Xrender.c
 b/src/Xrender.c
+@@ -533,12 +533,30 @@ XRenderQueryFormats (Display *dpy)
+   screen->fallback = _XRenderFindFormat (xri, xScreen->fallback);
+   screen->subpixel = SubPixelUnknown;
+   xDepth = (xPictDepth *) (xScreen + 1);
++  if (screen->ndepths > rep.numDepths) {
++  Xfree (xri);
++  Xfree (xData);
++  _XEatDataWords (dpy, rep.length);
++  UnlockDisplay (dpy);
++  SyncHandle ();
++  return 0;
++  }
++  rep.numDepths -= screen->ndepths;
+   for (nd = 0; nd < screen->ndepths; nd++)
+   {
+   depth->depth = xDepth->depth;
+   depth->nvisuals = xDepth->nPictVisuals;
+   depth->visuals = visual;
+   xVisual = (xPictVisual *) (xDepth + 1);
++  if (depth->nvisuals > rep.numVisuals) {
++  Xfree (xri);
++  Xfree (xData);
++  _XEatDataWords (dpy, rep.length);
++  UnlockDisplay (dpy);
++  SyncHandle ();
++  return 0;
++  }
++  rep.numVisuals -= depth->nvisuals;
+   for (nv = 0; nv < depth->nvisuals; nv++)
+   {
+   visual->visual = _XRenderFindVisual (dpy, xVisual->visual);
+-- 
+cgit v0.10.2
+
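Review bot: the embedded patch header at the line that reads ` b/src/Xrender.c` is missing its `+++` prefix (the line before it carries `--- a/src/Xrender.c`), so as shown the file would not apply with the recipe's default striplevel; confirm the committed .patch carries `+++ b/src/Xrender.c`. The two new guards themselves look right: `screen->ndepths` is checked against `rep.numDepths` before the depth loop and `depth->nvisuals` against `rep.numVisuals` before the visual loop, the running `rep.numDepths -= screen->ndepths` / `rep.numVisuals -= depth->nvisuals` subtractions keep the totals honest across screens, and each rejection frees `xri` and `xData`, drains the rest of the reply with `_XEatDataWords (dpy, rep.length)` and unlocks before returning 0. Minor: the `Reviewed-by: Matthieu he...@laas.fr` trailer lacks the angle brackets around the address.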
diff --git a/meta/recipes-graphics/xorg-lib/libxrender_0.9.9.bb 
b/meta/recipes-graphics/xorg-lib/libxrender_0.9.9.bb
index 44cb2e0..eac3679 100644
--- a/meta/recipes-graphics/xorg-lib/libxrender_0.9.9.bb
+++ b/meta/recipes-graphics/xorg-lib/libxrender_0.9.9.bb
@@ -19,5 +19,8 @@ XORG_PN = "libXrender"
 
 BBCLASSEXTEND = "native nativesdk"
 
+SRC_URI += "file://CVE-2016-7949.patch \
+"
+
 SRC_URI[md5sum] = "5db92962b124ca3a8147daae4adbd622"
 SRC_URI[sha256sum] = 
"fc2fe57980a14092426dffcd1f2d9de0987b9d40adea663bd70d6342c0e9be1a"
-- 
1.9.1



[OE-core] [PATCH][krogoth] expat: CVE-2012-6702, CVE-2016-5300

2017-01-15 Thread Sona Sarmadi
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5300
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6702
http://www.openwall.com/lists/oss-security/2016/06/04/5

Reference to upstream fix:
https://bugzilla.redhat.com/attachment.cgi?id=1165210
Squashed backport against vanilla Expat 2.1.1, addressing:
* CVE-2012-6702 -- unanticipated internal calls to srand
* CVE-2016-5300 -- use of too little entropy

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 .../expat-2.1.0/CVE-2016-5300_CVE-2012-6702.patch  | 123 +
 meta/recipes-core/expat/expat_2.1.0.bb |   4 +
 2 files changed, 127 insertions(+)
 create mode 100644 
meta/recipes-core/expat/expat-2.1.0/CVE-2016-5300_CVE-2012-6702.patch

diff --git 
a/meta/recipes-core/expat/expat-2.1.0/CVE-2016-5300_CVE-2012-6702.patch 
b/meta/recipes-core/expat/expat-2.1.0/CVE-2016-5300_CVE-2012-6702.patch
new file mode 100644
index 000..00cc731
--- /dev/null
+++ b/meta/recipes-core/expat/expat-2.1.0/CVE-2016-5300_CVE-2012-6702.patch
@@ -0,0 +1,123 @@
+From cb31522769d11a375078a073cba94e7176cb48a4 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebast...@pipping.org>
+Date: Wed, 16 Mar 2016 15:30:12 +0100
+Subject: [PATCH] Resolve call to srand, use more entropy (patch version 1.0)
+
+Squashed backport against vanilla Expat 2.1.1, addressing:
+* CVE-2012-6702 -- unanticipated internal calls to srand
+* CVE-2016-5300 -- use of too little entropy
+
+Since commit e3e81a6d9f0885ea02d3979151c358f314bf3d6d
+(released with Expat 2.1.0) Expat called srand by itself
+from inside generate_hash_secret_salt for an instance
+of XML_Parser if XML_SetHashSalt was either (a) not called
+for that instance or if (b) salt 0 was passed to XML_SetHashSalt
+prior to parsing.  That call to srand passed (rather litle)
+entropy extracted from the current time as a seed for srand.
+
+That call to srand (1) broke repeatability for code calling
+srand with a non-random seed prior to parsing with Expat,
+and (2) resulted in a rather small set of hashing salts in
+Expat in total.
+
+For a short- to mid-term fix, the new approach avoids calling
+srand altogether, extracts more entropy out of the clock and
+other sources, too.
+
+For a long term fix, we may want to read sizeof(long) bytes
+from a source like getrandom(..) on Linux, and from similar
+sources on other supported architectures.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1197087
+
+CVE: CVE-2012-6702
+CVE: CVE-2016-5300
+Upstream-Status: Backport
+
+Removed changes from CMakeLists.txt from original patch, since that code is
+not part of fix for these CVEs.
+Reference to the commit for CMakeLists.txt changes:
+https://sourceforge.net/p/expat/code_git/ci/37f7efb878660d55ff5fd67ad2cda1c103297df6
+
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+---
+diff -Nurp a/lib/xmlparse.c b/lib/xmlparse.c
+--- a/lib/xmlparse.c   2017-01-13 10:16:35.570784710 +0100
 b/lib/xmlparse.c   2017-01-13 11:22:20.522433486 +0100
+@@ -6,7 +6,14 @@
+ #include  /* memset(), memcpy() */
+ #include 
+ #include  /* UINT_MAX */
+-#include/* time() */
++
++#ifdef COMPILED_FROM_DSP
++#define getpid GetCurrentProcessId
++#else
++#include/* gettimeofday() */
++#include   /* getpid() */
++#include  /* getpid() */
++#endif
+ 
+ #define XML_BUILDING_EXPAT 1
+ 
+@@ -432,7 +439,7 @@ static ELEMENT_TYPE *
+ getElementType(XML_Parser parser, const ENCODING *enc,
+const char *ptr, const char *end);
+ 
+-static unsigned long generate_hash_secret_salt(void);
++static unsigned long generate_hash_secret_salt(XML_Parser parser);
+ static XML_Bool startParsing(XML_Parser parser);
+ 
+ static XML_Parser
+@@ -691,11 +698,38 @@ static const XML_Char implicitContext[]
+ };
+ 
+ static unsigned long
+-generate_hash_secret_salt(void)
++gather_time_entropy(void)
++{
++#ifdef COMPILED_FROM_DSP
++  FILETIME ft;
++  GetSystemTimeAsFileTime(); /* never fails */
++  return ft.dwHighDateTime ^ ft.dwLowDateTime;
++#else
++  struct timeval tv;
++  int gettimeofday_res;
++
++  gettimeofday_res = gettimeofday(, NULL);
++  assert (gettimeofday_res == 0);
++
++  /* Microseconds time is <20 bits entropy */
++  return tv.tv_usec;
++#endif
++}
++
++static unsigned long
++generate_hash_secret_salt(XML_Parser parser)
+ {
+-  unsigned int seed = time(NULL) % UINT_MAX;
+-  srand(seed);
+-  return rand();
++  /* Process ID is 0 bits entropy if attacker has local access
++   * XML_Parser address is few bits of entropy if attacker has local access */
++  const unsigned long entropy =
++  gather_time_entropy() ^ getpid() ^ (unsigned long)parser;
++
++  /* Factors are 2^31-1 and 2^61-1 (Mersenne primes M31 and M61) */
++  if (sizeof(unsigned long) == 4) {
++return entropy * 2147483647;
++  } else {
++return entropy * 2305843009213693951;
++  }
+ }
+ 
+ static XML_Bool  /
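Review bot: several calls in this hunk have empty argument slots where an address-of argument is required: `GetSystemTimeAsFileTime();` needs `&ft`, `gettimeofday(, NULL)` needs `&tv`, and the `#include` lines at the top of the hunk carry only their trailing comments (`/* memset(), memcpy() */`, `/* gettimeofday() */`, `/* getpid() */`) with no header name, so as shown the file cannot compile; confirm the committed patch matches the upstream commit. On the logic: the replacement salt is `gather_time_entropy() ^ getpid() ^ (unsigned long)parser` multiplied by a Mersenne prime, and the patch's own comments concede under 20 bits from `tv_usec` and effectively none from the pid for a local attacker, so this removes the unwanted `srand` side effect (CVE-2012-6702) but only modestly improves CVE-2016-5300; the commit message should say that callers wanting a strong salt should still supply one via `XML_SetHashSalt`, as the "long term fix" paragraph implies. Also `assert (gettimeofday_res == 0)` compiles away under `NDEBUG`, leaving `gettimeofday_res` set but unused.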

Re: [OE-core] [PATCH][morty] libxtst: 1.2.2 -> 1.2.3

2017-01-12 Thread Sona Sarmadi

> On 01/10/2017 03:10 AM, Sona Sarmadi wrote:
> > Upgrade libxtst from 1.2.2 to 1.2.3 to address:
> What else changed in this update?
> - armin

Hi Armin,

I believe the only change between 1.2.2 and 1.2.3 is one commit,
"Remove fallback for _XEatDataWords, require libX11 1.6 for it"; see below:

https://cgit.freedesktop.org/xorg/lib/libXtst/
Age         Commit message                                                 Author             Files  Lines
2016-10-04  libXtst 1.2.3 (HEAD, libXtst-1.2.3, master)                    Matthieu Herrb     1      -1/+1
2016-09-25  Out of boundary access and endless loop in libXtst             Tobias Stoeckmann  1      -4/+39
2013-11-23  Remove fallback for _XEatDataWords, require libX11 1.6 for it  Michael Joost      2      -18/+1
2013-05-31  libXtst 1.2.2 (libXtst-1.2.2)

//Sona





[OE-core] FW: [PATCH][krogoth] libxtst: 1.2.2 -> 1.2.3

2017-01-10 Thread Sona Sarmadi
Hi Armin,

I hope it is ok to upgrade libXtst, please let me know if you want to keep the 
same version and apply the patch instead of upgrade.

The upgrade has only the following changes:

https://cgit.freedesktop.org/xorg/lib/libXtst/
Age         Commit message                                                 Author             Files  Lines
2016-10-04  libXtst 1.2.3 (HEAD, libXtst-1.2.3, master)                    Matthieu Herrb     1      -1/+1
2016-09-25  Out of boundary access and endless loop in libXtst             Tobias Stoeckmann  1      -4/+39
2013-11-23  Remove fallback for _XEatDataWords, require libX11 1.6 for it  Michael Joost      2      -18/+1
2013-05-31  libXtst 1.2.2 (libXtst-1.2.2)

This does not affect master. According to Mitre this affects libXtst before 
1.2.3:

Multiple integer overflows in X.org libXtst before 1.2.3 allow remote X servers 
to trigger out-of-bounds memory access operations by leveraging the lack of 
range checks.

Cheers
//Sona

> -Original Message-
> From: openembedded-core-boun...@lists.openembedded.org
> [mailto:openembedded-core-boun...@lists.openembedded.org] On
> Behalf Of Sona Sarmadi
> Sent: den 10 januari 2017 12:11
> To: openembedded-core@lists.openembedded.org
> Subject: [OE-core] [PATCH][krogoth] libxtst: 1.2.2 -> 1.2.3
> 
> Upgrade libxtst from 1.2.2 to 1.2.3 to address:
> Out of Bounds Write Denial of Service Vulnerability, CVE-2016-7951
> 
> References:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7951
> https://cgit.freedesktop.org/xorg/lib/libXtst/commit/?id=9556ad67af312
> 9ec4a7a4f4b54a0d59701beeae3
> 
> Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
> ---
>  meta/recipes-graphics/xorg-lib/{libxtst_1.2.2.bb => libxtst_1.2.3.bb} | 4
> ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)  rename meta/recipes-
> graphics/xorg-lib/{libxtst_1.2.2.bb => libxtst_1.2.3.bb} (78%)
> 
> diff --git a/meta/recipes-graphics/xorg-lib/libxtst_1.2.2.bb
> b/meta/recipes-graphics/xorg-lib/libxtst_1.2.3.bb
> similarity index 78%
> rename from meta/recipes-graphics/xorg-lib/libxtst_1.2.2.bb
> rename to meta/recipes-graphics/xorg-lib/libxtst_1.2.3.bb
> index 1b0bcf3..31ea439 100644
> --- a/meta/recipes-graphics/xorg-lib/libxtst_1.2.2.bb
> +++ b/meta/recipes-graphics/xorg-lib/libxtst_1.2.3.bb
> @@ -16,5 +16,5 @@ PE = "1"
> 
>  XORG_PN = "libXtst"
> 
> -SRC_URI[md5sum] = "25c6b366ac3dc7a12c5d79816ce96a59"
> -SRC_URI[sha256sum] =
> "ef0a7ffd577e5f1a25b1663b375679529663a1880151beaa73e9186c83
> 09f6d9"
> +SRC_URI[md5sum] = "ef8c2c1d16a00bd95b9fdcef63b8a2ca"
> +SRC_URI[sha256sum] =
> "4655498a1b8e844e3d6f21f3b2c4e2b571effb5fd83199d428a6ba7ea4b
> f5204"
> --
> 1.9.1
> 


[OE-core] [PATCH][morty] libxtst: 1.2.2 -> 1.2.3

2017-01-10 Thread Sona Sarmadi
Upgrade libxtst from 1.2.2 to 1.2.3 to address:
Out of Bounds Write Denial of Service Vulnerability, CVE-2016-7951

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7951
https://cgit.freedesktop.org/xorg/lib/libXtst/commit/?id=9556ad67af3129ec4a7a4f4b54a0d59701beeae3

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 meta/recipes-graphics/xorg-lib/{libxtst_1.2.2.bb => libxtst_1.2.3.bb} | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename meta/recipes-graphics/xorg-lib/{libxtst_1.2.2.bb => libxtst_1.2.3.bb} 
(78%)

diff --git a/meta/recipes-graphics/xorg-lib/libxtst_1.2.2.bb 
b/meta/recipes-graphics/xorg-lib/libxtst_1.2.3.bb
similarity index 78%
rename from meta/recipes-graphics/xorg-lib/libxtst_1.2.2.bb
rename to meta/recipes-graphics/xorg-lib/libxtst_1.2.3.bb
index 1b0bcf3..31ea439 100644
--- a/meta/recipes-graphics/xorg-lib/libxtst_1.2.2.bb
+++ b/meta/recipes-graphics/xorg-lib/libxtst_1.2.3.bb
@@ -16,5 +16,5 @@ PE = "1"
 
 XORG_PN = "libXtst"
 
-SRC_URI[md5sum] = "25c6b366ac3dc7a12c5d79816ce96a59"
-SRC_URI[sha256sum] = 
"ef0a7ffd577e5f1a25b1663b375679529663a1880151beaa73e9186c8309f6d9"
+SRC_URI[md5sum] = "ef8c2c1d16a00bd95b9fdcef63b8a2ca"
+SRC_URI[sha256sum] = 
"4655498a1b8e844e3d6f21f3b2c4e2b571effb5fd83199d428a6ba7ea4bf5204"
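Review bot: the hunk changes only the two checksums, so the rename is the whole upgrade; because the commit message cites CVE-2016-7951 but no patch file carries a `CVE:` tag, cve-check will rely on the version bump to 1.2.3 to treat it as fixed, which is fine, but the message should also mention the other change the upgrade pulls in, the removal of the `_XEatDataWords` fallback that makes libXtst require libX11 1.6 (listed in the 2017-01-12 reply in this thread), so anyone carrying an older libX11 on this branch knows why the build would fail.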
-- 
1.9.1



[OE-core] [PATCH][krogoth] libxtst: 1.2.2 -> 1.2.3

2017-01-10 Thread Sona Sarmadi
Upgrade libxtst from 1.2.2 to 1.2.3 to address:
Out of Bounds Write Denial of Service Vulnerability, CVE-2016-7951

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7951
https://cgit.freedesktop.org/xorg/lib/libXtst/commit/?id=9556ad67af3129ec4a7a4f4b54a0d59701beeae3

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 meta/recipes-graphics/xorg-lib/{libxtst_1.2.2.bb => libxtst_1.2.3.bb} | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename meta/recipes-graphics/xorg-lib/{libxtst_1.2.2.bb => libxtst_1.2.3.bb} 
(78%)

diff --git a/meta/recipes-graphics/xorg-lib/libxtst_1.2.2.bb 
b/meta/recipes-graphics/xorg-lib/libxtst_1.2.3.bb
similarity index 78%
rename from meta/recipes-graphics/xorg-lib/libxtst_1.2.2.bb
rename to meta/recipes-graphics/xorg-lib/libxtst_1.2.3.bb
index 1b0bcf3..31ea439 100644
--- a/meta/recipes-graphics/xorg-lib/libxtst_1.2.2.bb
+++ b/meta/recipes-graphics/xorg-lib/libxtst_1.2.3.bb
@@ -16,5 +16,5 @@ PE = "1"
 
 XORG_PN = "libXtst"
 
-SRC_URI[md5sum] = "25c6b366ac3dc7a12c5d79816ce96a59"
-SRC_URI[sha256sum] = 
"ef0a7ffd577e5f1a25b1663b375679529663a1880151beaa73e9186c8309f6d9"
+SRC_URI[md5sum] = "ef8c2c1d16a00bd95b9fdcef63b8a2ca"
+SRC_URI[sha256sum] = 
"4655498a1b8e844e3d6f21f3b2c4e2b571effb5fd83199d428a6ba7ea4bf5204"
-- 
1.9.1



Re: [OE-core] [PATCH] Made spdx support SPDX2.0 SPEC Signed-off-by: Lei Maohui <leimao...@cn.fujitsu.com>

2016-12-22 Thread Sona Sarmadi
Hi Lei, all,

> --- a/meta/classes/spdx.bbclass
> +++ b/meta/classes/spdx.bbclass
> @@ -1,12 +1,9 @@
>  # This class integrates real-time license scanning, generation of SPDX
> standard  # output and verifiying license info during the building process.
> -# It is a combination of efforts from the OE-Core, SPDX and Fossology
> projects.
> +# It is a combination of efforts from the OE-Core, SPDX and DoSOCSv2
> projects.

Why replace Fossology with DoSOCSv2? Why not make it optional?

Has anyone any comments on this suggestion? As far as I can see, this patch has not been 
accepted yet. Is there any plan to do it?

Cheers
//Sona


[OE-core] [PATCH][krogoth] bash: fix CVE-2016-7543

2016-12-05 Thread Sona Sarmadi
Specially crafted SHELLOPTS+PS4 variables allow command substitution

References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7543
http://lists.gnu.org/archive/html/bug-bash/2016-10/msg9.html

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 .../recipes-extended/bash/bash/CVE-2016-7543.patch | 38 ++
 meta/recipes-extended/bash/bash_4.3.30.bb  |  1 +
 2 files changed, 39 insertions(+)
 create mode 100644 meta/recipes-extended/bash/bash/CVE-2016-7543.patch

diff --git a/meta/recipes-extended/bash/bash/CVE-2016-7543.patch 
b/meta/recipes-extended/bash/bash/CVE-2016-7543.patch
new file mode 100644
index 000..7c9a9c6
--- /dev/null
+++ b/meta/recipes-extended/bash/bash/CVE-2016-7543.patch
@@ -0,0 +1,38 @@
+bash: fix CVE-2016-7543
+
+Bug-Reference-URL:
+http://lists.gnu.org/archive/html/bug-bash/2015-12/msg00054.html
+
+Bug-Description:
+
+If a malicious user can inject a value of $SHELLOPTS containing `xtrace'
+and a value for $PS4 that includes a command substitution into a shell
+running as root, bash will expand the command substitution as part of
+expanding $PS4 when it executes a traced command.
+
+Patch (apply with `patch -p0'):
+
+CVE: CVE-2016-7543
+Upstream-Status: Backport
+[changes in patchlevel.h has been removed from original patch]
+
+Reference to upstream patch:
+http://lists.gnu.org/archive/html/bug-bash/2016-10/msg9.html
+
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+diff -Nurp a/variables.c b/variables.c
+--- a/variables.c  2016-12-05 09:49:39.552587211 +0100
 b/variables.c  2016-12-05 09:52:00.406522230 +0100
+@@ -495,7 +495,11 @@ initialize_shell_variables (env, privmod
+ #endif
+   set_if_not ("PS2", secondary_prompt);
+ }
+-  set_if_not ("PS4", "+ ");
++
++  if (current_user.euid == 0)
++bind_variable ("PS4", "+ ", 0);
++  else
++set_if_not ("PS4", "+ ");
+ 
+   /* Don't allow IFS to be imported from the environment. */
+   temp_var = bind_variable ("IFS", " \t\n", 0);
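Review bot: the `Patch (apply with `patch -p0')` line in the header contradicts the diff itself, which uses `a/variables.c` / `b/variables.c` prefixes and is therefore a `-p1` patch; the recipe hunk adds it without `striplevel=0` (unlike the neighbouring `CVE-2016-0634.patch;striplevel=0`), which is correct for these prefixes, so drop the stale `-p0` line rather than mislead the next backporter. The fix is as upstream: when `current_user.euid == 0`, PS4 is forced to `"+ "` with `bind_variable`, overriding any inherited value, while non-root shells keep `set_if_not` and still accept PS4 from the environment; the commit message should state that root-only scope explicitly, since the CVE description depends on it. Also the second file header line reads ` b/variables.c` without its `+++`, so check the committed file.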
diff --git a/meta/recipes-extended/bash/bash_4.3.30.bb 
b/meta/recipes-extended/bash/bash_4.3.30.bb
index fcd6caf..fdad39b 100644
--- a/meta/recipes-extended/bash/bash_4.3.30.bb
+++ b/meta/recipes-extended/bash/bash_4.3.30.bb
@@ -22,6 +22,7 @@ SRC_URI = "${GNU_MIRROR}/bash/${BP}.tar.gz;name=tarball \
file://run-ptest \
   file://fix-run-builtins.patch \
file://CVE-2016-0634.patch;striplevel=0 \
+   file://CVE-2016-7543.patch \
"
 
 SRC_URI[tarball.md5sum] = "a27b3ee9be83bd3ba448c0ff52b28447"
-- 
1.9.1



[OE-core] [PATCH][krogoth] Qemu: net: CVE-2016-4001

2016-11-18 Thread Sona Sarmadi
buffer overflow in stellaris_enet emulator

Reference to upstream patch:
http://git.qemu.org/?p=qemu.git;a=patch;h=3a15cc0e1ee7168db0782133d2607a6bfa422d66

Reference:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4001

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 .../recipes-devtools/qemu/qemu/CVE-2016-4001.patch | 51 ++
 meta/recipes-devtools/qemu/qemu_2.5.0.bb   |  1 +
 2 files changed, 52 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2016-4001.patch

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-4001.patch 
b/meta/recipes-devtools/qemu/qemu/CVE-2016-4001.patch
new file mode 100644
index 000..cfec8b8
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-4001.patch
@@ -0,0 +1,51 @@
+From 3a15cc0e1ee7168db0782133d2607a6bfa422d66 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <p...@fedoraproject.org>
+Date: Fri, 8 Apr 2016 11:33:48 +0530
+Subject: [PATCH] net: stellaris_enet: check packet length against receive
+ buffer
+
+When receiving packets over Stellaris ethernet controller, it
+uses receive buffer of size 2048 bytes. In case the controller
+accepts large(MTU) packets, it could lead to memory corruption.
+Add check to avoid it.
+
+CVE: CVE-2016-4001
+Upstream-Status: Backport
+
+Reported-by: Oleksandr Bazhaniuk <oleksandr.bazhan...@intel.com>
+Signed-off-by: Prasad J Pandit <p...@fedoraproject.org>
+Message-id: 1460095428-22698-1-git-send-email-ppan...@redhat.com
+Reviewed-by: Peter Maydell <peter.mayd...@linaro.org>
+Signed-off-by: Peter Maydell <peter.mayd...@linaro.org>
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+---
+ hw/net/stellaris_enet.c | 12 +++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/hw/net/stellaris_enet.c b/hw/net/stellaris_enet.c
+index 84cf60b..6880894 100644
+--- a/hw/net/stellaris_enet.c
 b/hw/net/stellaris_enet.c
+@@ -236,8 +236,18 @@ static ssize_t stellaris_enet_receive(NetClientState *nc, 
const uint8_t *buf, si
+ n = s->next_packet + s->np;
+ if (n >= 31)
+ n -= 31;
+-s->np++;
+ 
++if (size >= sizeof(s->rx[n].data) - 6) {
++/* If the packet won't fit into the
++ * emulated 2K RAM, this is reported
++ * as a FIFO overrun error.
++ */
++s->ris |= SE_INT_FOV;
++stellaris_enet_update(s);
++return -1;
++}
++
++s->np++;
+ s->rx[n].len = size + 6;
+ p = s->rx[n].data;
+ *(p++) = (size + 6);
+-- 
+1.9.1
+
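Review bot: the new guard compares `size` against `sizeof(s->rx[n].data) - 6`, matching the 6-byte header the receive path prepends (`s->rx[n].len = size + 6`), and `s->np++` is moved below it so the pending-packet count is not advanced for a frame that is dropped; the one guest-visible change worth calling out in the commit message is that an oversized frame now sets `SE_INT_FOV`, calls `stellaris_enet_update(s)` and returns -1, so the guest sees a FIFO overrun interrupt instead of a silently corrupted receive buffer.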
diff --git a/meta/recipes-devtools/qemu/qemu_2.5.0.bb 
b/meta/recipes-devtools/qemu/qemu_2.5.0.bb
index b965f69..6823b62 100644
--- a/meta/recipes-devtools/qemu/qemu_2.5.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.5.0.bb
@@ -28,6 +28,7 @@ SRC_URI += 
"file://configure-fix-Darwin-target-detection.patch \
 file://CVE-2016-5403.patch \
 file://CVE-2016-4441.patch \
 file://CVE-2016-4952.patch \
+file://CVE-2016-4001.patch \
"
 SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2;
 SRC_URI[md5sum] = "f469f2330bbe76e3e39db10e9ac4f8db"
-- 
1.9.1



[OE-core] [PATCHv5][krogoth 10/11] curl: CVE-2016-8624

2016-11-15 Thread Sona Sarmadi
invalid URL parsing with '#'

Affected versions: curl 7.1 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102J.html

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 meta/recipes-support/curl/curl/CVE-2016-8624.patch | 51 ++
 meta/recipes-support/curl/curl_7.47.1.bb   |  1 +
 2 files changed, 52 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2016-8624.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2016-8624.patch 
b/meta/recipes-support/curl/curl/CVE-2016-8624.patch
new file mode 100644
index 000..009f7d0
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-8624.patch
@@ -0,0 +1,51 @@
+From 3bb273db7e40ebc284cff45f3ce3f0475c8339c2 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <dan...@haxx.se>
+Date: Tue, 11 Oct 2016 00:48:35 +0200
+Subject: [PATCH] urlparse: accept '#' as end of host name
+
+'http://example.com#@127.0.0.1/x.txt' equals a request to example.com
+for the '/' document with the rest of the URL being a fragment.
+
+CVE: CVE-2016-8624
+Upstream-Status: Backport
+
+Bug: https://curl.haxx.se/docs/adv_20161102J.html
+Reported-by: Fernando Muñoz
+
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+
+diff -ruN a/lib/url.c b/lib/url.c
+--- a/lib/url.c2016-11-07 08:50:23.030126833 +0100
 b/lib/url.c2016-11-07 10:16:13.562089428 +0100
+@@ -4086,7 +4086,7 @@
+ path[0]=0;
+ 
+ if(2 > sscanf(data->change.url,
+-   "%15[^\n:]://%[^\n/?]%[^\n]",
++   "%15[^\n:]://%[^\n/?#]%[^\n]",
+protobuf,
+conn->host.name, path)) {
+ 
+@@ -4094,7 +4094,7 @@
+* The URL was badly formatted, let's try the browser-style _without_
+* protocol specified like 'http://'.
+*/
+-  rc = sscanf(data->change.url, "%[^\n/?]%[^\n]", conn->host.name, path);
++  rc = sscanf(data->change.url, "%[^\n/?#]%[^\n]", conn->host.name, path);
+   if(1 > rc) {
+ /*
+  * We couldn't even get this format.
+@@ -4184,10 +4184,10 @@
+   }
+ 
+   /* If the URL is malformatted (missing a '/' after hostname before path) we
+-   * insert a slash here. The only letter except '/' we accept to start a path
+-   * is '?'.
++   * insert a slash here. The only letters except '/' that can start a path is
++   * '?' and '#' - as controlled by the two sscanf() patterns above.
+*/
+-  if(path[0] == '?') {
++  if(path[0] != '/') {
+ /* We need this function to deal with overlapping memory areas. We know
+that the memory area 'path' points to is 'urllen' bytes big and that
+is bigger than the path. Use +1 to move the zero byte too. */
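Review bot: the two `sscanf` format changes (`%[^\n/?#]` in both the scheme-prefixed form and the browser-style fallback) stop the host-name field at `#`, and the third hunk widens `if(path[0] == '?')` to `if(path[0] != '/')` so a path that now begins with `#` also gets the leading slash inserted by the memmove below; the comment rewritten in the same hunk documents that coupling, which is good. Two things to check: the `+++ b/lib/url.c` header of the embedded diff appears here as ` b/lib/url.c`, and the `diff -ruN` timestamps (2016-11-07) indicate the patch was regenerated against 7.47.1 rather than taken verbatim from the upstream commit, so the `@@ -4086,7 +4086,7 @@` offsets should be verified against this branch's `lib/url.c`.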
diff --git a/meta/recipes-support/curl/curl_7.47.1.bb 
b/meta/recipes-support/curl/curl_7.47.1.bb
index 0f8fa3a..3c877e4 100644
--- a/meta/recipes-support/curl/curl_7.47.1.bb
+++ b/meta/recipes-support/curl/curl_7.47.1.bb
@@ -24,6 +24,7 @@ SRC_URI += " file://configure_ac.patch \
  file://CVE-2016-8621.patch \
  file://CVE-2016-8622.patch \
  file://CVE-2016-8623.patch \
+ file://CVE-2016-8624.patch \
"
 
 SRC_URI[md5sum] = "9ea3123449439bbd960cd25cf98796fb"
-- 
1.9.1



[OE-core] [PATCHv5][krogoth 11/11] curl: CVE-2016-8625

2016-11-15 Thread Sona Sarmadi
IDNA 2003 makes curl use wrong host

Affected versions: curl 7.12.0 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102K.html

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 meta/recipes-support/curl/curl/CVE-2016-8625.patch | 615 +
 .../url-remove-unconditional-idn2.h-include.patch  |  29 +
 meta/recipes-support/curl/curl_7.47.1.bb   |   2 +
 3 files changed, 646 insertions(+)
 create mode 100755 meta/recipes-support/curl/curl/CVE-2016-8625.patch
 create mode 100644 
meta/recipes-support/curl/curl/url-remove-unconditional-idn2.h-include.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2016-8625.patch 
b/meta/recipes-support/curl/curl/CVE-2016-8625.patch
new file mode 100755
index 000..b618277
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-8625.patch
@@ -0,0 +1,615 @@
+commit 914aae739463ec72340130ea9ad42e04b02a5338
+Author: Daniel Stenberg <dan...@haxx.se>
+Date:   Wed Oct 12 09:01:06 2016 +0200
+
+idn: switch to libidn2 use and IDNA2008 support
+
+CVE: CVE-2016-8625
+Upstream-Status: Backport
+
+Bug: https://curl.haxx.se/docs/adv_20161102K.html
+Reported-by: Christian Heimes
+
+Conflicts:
+   CMakeLists.txt
+   lib/url.c
+
+Signed-off-by: Martin Borg <martin.b...@enea.com>
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 06f18cf..c3e5c7c 100644
+--- a/CMakeLists.txt
 b/CMakeLists.txt
+@@ -440,7 +440,7 @@ if(NOT CURL_DISABLE_LDAPS)
+ endif()
+ 
+ # Check for idn
+-check_library_exists_concat("idn" idna_to_ascii_lz HAVE_LIBIDN)
++check_library_exists_concat("idn2" idn2_lookup_ul HAVE_LIBIDN2)
+ 
+ # Check for symbol dlopen (same as HAVE_LIBDL)
+ check_library_exists("${CURL_LIBS}" dlopen "" HAVE_DLOPEN)
+@@ -608,7 +608,7 @@ check_include_file_concat("des.h"HAVE_DES_H)
+ check_include_file_concat("err.h"HAVE_ERR_H)
+ check_include_file_concat("errno.h"  HAVE_ERRNO_H)
+ check_include_file_concat("fcntl.h"  HAVE_FCNTL_H)
+-check_include_file_concat("idn-free.h"   HAVE_IDN_FREE_H)
++check_include_file_concat("idn2.h"   HAVE_IDN2_H)
+ check_include_file_concat("ifaddrs.h"HAVE_IFADDRS_H)
+ check_include_file_concat("io.h" HAVE_IO_H)
+ check_include_file_concat("krb.h"HAVE_KRB_H)
+@@ -638,7 +638,6 @@ check_include_file_concat("stropts.h"
HAVE_STROPTS_H)
+ check_include_file_concat("termio.h" HAVE_TERMIO_H)
+ check_include_file_concat("termios.h"HAVE_TERMIOS_H)
+ check_include_file_concat("time.h"   HAVE_TIME_H)
+-check_include_file_concat("tld.h"HAVE_TLD_H)
+ check_include_file_concat("unistd.h" HAVE_UNISTD_H)
+ check_include_file_concat("utime.h"  HAVE_UTIME_H)
+ check_include_file_concat("x509.h"   HAVE_X509_H)
+@@ -652,9 +651,6 @@ check_include_file_concat("netinet/if_ether.h" 
HAVE_NETINET_IF_ETHER_H)
+ check_include_file_concat("stdint.h"HAVE_STDINT_H)
+ check_include_file_concat("sockio.h"HAVE_SOCKIO_H)
+ check_include_file_concat("sys/utsname.h"   HAVE_SYS_UTSNAME_H)
+-check_include_file_concat("idna.h"  HAVE_IDNA_H)
+-
+-
+ 
+ check_type_size(size_t  SIZEOF_SIZE_T)
+ check_type_size(ssize_t  SIZEOF_SSIZE_T)
+@@ -802,9 +798,6 @@ check_symbol_exists(pipe   "${CURL_INCLUDES}" 
HAVE_PIPE)
+ check_symbol_exists(ftruncate  "${CURL_INCLUDES}" HAVE_FTRUNCATE)
+ check_symbol_exists(getprotobyname "${CURL_INCLUDES}" HAVE_GETPROTOBYNAME)
+ check_symbol_exists(getrlimit  "${CURL_INCLUDES}" HAVE_GETRLIMIT)
+-check_symbol_exists(idn_free   "${CURL_INCLUDES}" HAVE_IDN_FREE)
+-check_symbol_exists(idna_strerror  "${CURL_INCLUDES}" HAVE_IDNA_STRERROR)
+-check_symbol_exists(tld_strerror   "${CURL_INCLUDES}" HAVE_TLD_STRERROR)
+ check_symbol_exists(setlocale  "${CURL_INCLUDES}" HAVE_SETLOCALE)
+ check_symbol_exists(setrlimit  "${CURL_INCLUDES}" HAVE_SETRLIMIT)
+ check_symbol_exists(fcntl  "${CURL_INCLUDES}" HAVE_FCNTL)
+@@ -1067,7 +1060,7 @@ _add_if("IPv6"  ENABLE_IPV6)
+ _add_if("unix-sockets"  USE_UNIX_SOCKETS)
+ _add_if("libz"  HAVE_LIBZ)
+ _add_if("AsynchDNS" USE_ARES OR USE_THREADS_POSIX)
+-_add_if("IDN"   HAVE_LIBIDN)
++_add_if("IDN"   HAVE_LIBIDN2)
+ # TODO SSP1 (WinSSL) check is missing
+ _add_if("SSPI"  USE_WINDOWS_SSPI)
+ _add_if("GSS-API"   HAVE_GSSAPI)
+diff --git a/configure.ac b/configure.ac
+index 4c9862f..c8e2721 100644
+--- a/configure.ac
 b/co
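Review bot: this backport replaces the whole IDN backend, not just a parsing check: the CMake hunks swap `check_library_exists_concat("idn" idna_to_ascii_lz HAVE_LIBIDN)` for `"idn2" idn2_lookup_ul HAVE_LIBIDN2`, drop `HAVE_IDNA_H`, `HAVE_TLD_H`, `idn_free`, `idna_strerror` and `tld_strerror`, and retarget `_add_if("IDN" ...)` to `HAVE_LIBIDN2`, so on krogoth the recipe's IDN dependency must move from libidn to libidn2 or the feature silently drops out of the build. The stat shows `curl_7.47.1.bb` gaining only 2 lines plus an extra `url-remove-unconditional-idn2.h-include.patch`; the commit message should say how the libidn2 dependency is provided on this branch and why that second patch is needed, and the `Conflicts:` block (`CMakeLists.txt`, `lib/url.c`) should be described in the message rather than left as a raw cherry-pick note, given that a 615-line change is being carried onto a stable branch.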

[OE-core] [PATCHv5][krogoth 06/11] curl: CVE-2016-8620

2016-11-15 Thread Sona Sarmadi
glob parser write/read out of bounds

Affected versions: curl 7.34.0 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102F.html

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 meta/recipes-support/curl/curl/CVE-2016-8620.patch | 44 ++
 meta/recipes-support/curl/curl_7.47.1.bb   |  1 +
 2 files changed, 45 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2016-8620.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2016-8620.patch 
b/meta/recipes-support/curl/curl/CVE-2016-8620.patch
new file mode 100644
index 000..613ace3
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-8620.patch
@@ -0,0 +1,44 @@
+From fbb5f1aa0326d485d5a7ac643b48481897ca667f Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <dan...@haxx.se>
+Date: Mon, 3 Oct 2016 17:27:16 +0200
+Subject: [PATCH] range: prevent negative end number in a glob range
+
+CVE: CVE-2016-8620
+
+Upstream-Status: Backport
+
+Bug: https://curl.haxx.se/docs/adv_20161102F.html
+Reported-by: Luật Nguyễn
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+---
+ src/tool_urlglob.c | 7 +++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/tool_urlglob.c b/src/tool_urlglob.c
+index a357b8b..64c75ba 100644
+--- a/src/tool_urlglob.c
 b/src/tool_urlglob.c
+@@ -257,6 +257,12 @@ static CURLcode glob_range(URLGlob *glob, char **patternp,
+ endp = NULL;
+   else {
+ pattern = endp+1;
++while(*pattern && ISBLANK(*pattern))
++  pattern++;
++if(!ISDIGIT(*pattern)) {
++  endp = NULL;
++  goto fail;
++}
+ errno = 0;
+ max_n = strtoul(pattern, , 10);
+ if(errno || (*endp == ':')) {
+@@ -277,6 +283,7 @@ static CURLcode glob_range(URLGlob *glob, char **patternp,
+   }
+ }
+ 
++fail:
+ *posp += (pattern - *patternp);
+ 
+ if(!endp || (min_n > max_n) || (step_n > (max_n - min_n)) || !step_n)
+-- 
+1.9.1
+
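Review bot: the `strtoul` call on the line reading `max_n = strtoul(pattern, , 10);` is missing its `&endp` argument as shown, so confirm the committed patch against the upstream commit. The guard itself is sound: after skipping blanks, a non-digit first character (which is how a negative end number would otherwise reach `strtoul` and be folded into an unsigned value) sets `endp = NULL` and jumps to the new `fail:` label, which sits before `*posp += (pattern - *patternp);` so the error position is still accounted for and the existing `if(!endp || (min_n > max_n) || ...)` rejection fires. Also the embedded `+++ b/src/tool_urlglob.c` header appears here as ` b/src/tool_urlglob.c`.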
diff --git a/meta/recipes-support/curl/curl_7.47.1.bb 
b/meta/recipes-support/curl/curl_7.47.1.bb
index 9ef5718..e6ad03f 100644
--- a/meta/recipes-support/curl/curl_7.47.1.bb
+++ b/meta/recipes-support/curl/curl_7.47.1.bb
@@ -20,6 +20,7 @@ SRC_URI += " file://configure_ac.patch \
  file://CVE-2016-8617.patch \
  file://CVE-2016-8618.patch \
  file://CVE-2016-8619.patch \
+ file://CVE-2016-8620.patch \
"
 
 SRC_URI[md5sum] = "9ea3123449439bbd960cd25cf98796fb"
-- 
1.9.1



[OE-core] [PATCHv5][krogoth 07/11] curl: CVE-2016-8621

2016-11-15 Thread Sona Sarmadi
curl_getdate read out of bounds

Affected versions: curl 7.12.2 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102G.html

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 meta/recipes-support/curl/curl/CVE-2016-8621.patch | 120 +
 meta/recipes-support/curl/curl_7.47.1.bb   |   1 +
 2 files changed, 121 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2016-8621.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2016-8621.patch 
b/meta/recipes-support/curl/curl/CVE-2016-8621.patch
new file mode 100644
index 000..7345838
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-8621.patch
@@ -0,0 +1,120 @@
+From 8a6d9ded5f02f0294ae63a007e26087316c1998e Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <dan...@haxx.se>
+Date: Tue, 4 Oct 2016 16:59:38 +0200
+Subject: [PATCH] parsedate: handle cut off numbers better
+
+... and don't read outside of the given buffer!
+
+CVE: CVE-2016-8621
+Upstream-Status: Backport
+
+bug: https://curl.haxx.se/docs/adv_20161102G.html
+Reported-by: Luật Nguyễn
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+---
+ lib/parsedate.c| 12 +++-
+ tests/data/test517 |  6 ++
+ tests/libtest/lib517.c |  8 +++-
+ 3 files changed, 20 insertions(+), 6 deletions(-)
+
+diff --git a/lib/parsedate.c b/lib/parsedate.c
+index dfcf855..8e932f4 100644
+--- a/lib/parsedate.c
 b/lib/parsedate.c
+@@ -3,11 +3,11 @@
+  *  Project ___| | | |  _ \| |
+  * / __| | | | |_) | |
+  *| (__| |_| |  _ <| |___
+  * \___|\___/|_| \_\_|
+  *
+- * Copyright (C) 1998 - 2014, Daniel Stenberg, <dan...@haxx.se>, et al.
++ * Copyright (C) 1998 - 2016, Daniel Stenberg, <dan...@haxx.se>, et al.
+  *
+  * This software is licensed as described in the file COPYING, which
+  * you should have received as part of this distribution. The terms
+  * are also available at https://curl.haxx.se/docs/copyright.html.
+  *
+@@ -384,19 +384,21 @@ static int parsedate(const char *date, time_t *output)
+ }
+ else if(ISDIGIT(*date)) {
+   /* a digit */
+   int val;
+   char *end;
++  int len=0;
+   if((secnum == -1) &&
+- (3 == sscanf(date, "%02d:%02d:%02d", , , ))) {
++ (3 == sscanf(date, "%02d:%02d:%02d%n",
++  , , , ))) {
+ /* time stamp! */
+-date += 8;
++date += len;
+   }
+   else if((secnum == -1) &&
+-  (2 == sscanf(date, "%02d:%02d", , ))) {
++  (2 == sscanf(date, "%02d:%02d%n", , , ))) {
+ /* time stamp without seconds */
+-date += 5;
++date += len;
+ secnum = 0;
+   }
+   else {
+ long lval;
+ int error;
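Review bot: the address-of operators in the two new sscanf() calls have been stripped by the archive rendering (the argument lists read `, , , ` where the addresses of the hour, minute, second and `len` variables belong), so this hunk must not be applied from this page; take it from the upstream commit named in the patch header. On the substance the fix is sound: the old code advanced `date` by a fixed 8 (or 5) after a successful match even though `%02d` accepts one or two digits, so an input such as "12:3" consumed five characters but skipped eight, reading past the terminator. `%n` records the characters actually consumed, and `len` is pre-set to 0 so the branches where the scan does not reach `%n` are unaffected.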
+diff --git a/tests/data/test517 b/tests/data/test517
+index c81a45e..513634f 100644
+--- a/tests/data/test517
 b/tests/data/test517
+@@ -114,10 +114,16 @@ nothing
+ 79: 20110632 12:34:56 => -1
+ 80: 20110623 56:34:56 => -1
+ 81: 20111323 12:34:56 => -1
+ 82: 20110623 12:34:79 => -1
+ 83: Wed, 31 Dec 2008 23:59:60 GMT => 1230768000
++84: 20110623 12:3 => 1308830580
++85: 20110623 1:3 => 1308790980
++86: 20110623 1:30 => 1308792600
++87: 20110623 12:12:3 => 1308831123
++88: 20110623 01:12:3 => 1308791523
++89: 20110623 01:99:30 => -1
+ 
+ 
+ # This test case previously tested an overflow case ("2094 Nov 6 =>
+ # 2147483647") for 32bit time_t, but since some systems have 64bit time_t and
+ # handles this (returning 393984), and some 64bit-time_t systems don't
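Review bot: the expected values in cases 84 to 88 are mutually consistent: 2011-06-23 00:00:00 UTC is 1308787200, and the results add exactly 12:03, 01:03, 01:30, 12:12:03 and 01:12:03 to it, while case 89 confirms that a minute field of 99 is still rejected after the `%n` change. The string array in the lib517.c hunk below must stay in step with this file (it does, six entries in the same order).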
+diff --git a/tests/libtest/lib517.c b/tests/libtest/lib517.c
+index 2f68ebd..22162ff 100644
+--- a/tests/libtest/lib517.c
 b/tests/libtest/lib517.c
+@@ -3,11 +3,11 @@
+  *  Project ___| | | |  _ \| |
+  * / __| | | | |_) | |
+  *| (__| |_| |  _ <| |___
+  * \___|\___/|_| \_\_|
+  *
+- * Copyright (C) 1998 - 2011, Daniel Stenberg, <dan...@haxx.se>, et al.
++ * Copyright (C) 1998 - 2016, Daniel Stenberg, <dan...@haxx.se>, et al.
+  *
+  * This software is licensed as described in the file COPYING, which
+  * you should have received as part of this distribution. The terms
+  * are also available at https://curl.haxx.se/docs/copyright.html.
+  *
+@@ -114,10 +114,16 @@ static const char * const dates[]={
+   "20110632 12:34:56",
+   "20110623 56:34:56",
+   "20111323 12:34:56",
+   "20110623 12:34:79",
+   "Wed, 31 Dec 2008 23:59:60 GMT", /* leap second */
++  "20110623 12:3",
++  "20110623 1:3",
++  "20110623 1:30",
++  "20110623 12:12:3",
++  "20110623 01:12:3",
++  "20110623 01:99:30",
+   NULL
+ };
+ 
+

[OE-core] [PATCHv5][krogoth 01/11] curl: CVE-2016-8615

2016-11-15 Thread Sona Sarmadi
cookie injection for other servers

Affected versions: curl 7.1 to and including 7.50.3

Reference:
https://curl.haxx.se/docs/adv_20161102A.html

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 meta/recipes-support/curl/curl/CVE-2016-8615.patch | 77 ++
 meta/recipes-support/curl/curl_7.47.1.bb   |  1 +
 2 files changed, 78 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2016-8615.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2016-8615.patch 
b/meta/recipes-support/curl/curl/CVE-2016-8615.patch
new file mode 100644
index 000..5faa423
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-8615.patch
@@ -0,0 +1,77 @@
+From 1620f552a277ed5b23a48b9c27dbf07663cac068 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <dan...@haxx.se>
+Date: Tue, 27 Sep 2016 17:36:19 +0200
+Subject: [PATCH] cookie: replace use of fgets() with custom version
+
+... that will ignore lines that are too long to fit in the buffer.
+
+CVE: CVE-2016-8615
+Upstream-Status: Backport
+
+Bug: https://curl.haxx.se/docs/adv_20161102A.html
+Reported-by: Cure53
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+---
+ lib/cookie.c | 31 ++-
+ 1 file changed, 30 insertions(+), 1 deletion(-)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index 0f05da2..e5097d3 100644
+--- a/lib/cookie.c
 b/lib/cookie.c
+@@ -901,10 +901,39 @@ Curl_cookie_add(struct Curl_easy *data,
+   }
+ 
+   return co;
+ }
+ 
++/*
++ * get_line() makes sure to only return complete whole lines that fit in 'len'
++ * bytes and end with a newline.
++ */
++static char *get_line(char *buf, int len, FILE *input)
++{
++  bool partial = FALSE;
++  while(1) {
++char *b = fgets(buf, len, input);
++if(b) {
++  size_t rlen = strlen(b);
++  if(rlen && (b[rlen-1] == '\n')) {
++if(partial) {
++  partial = FALSE;
++  continue;
++}
++return b;
++  }
++  else
++/* read a partial, discard the next piece that ends with newline */
++partial = TRUE;
++}
++else
++  break;
++  }
++  return NULL;
++}
++
++
+ /*
+  *
+  * Curl_cookie_init()
+  *
+  * Inits a cookie struct to read data from a local file. This is always
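Review bot: get_line() drops a final line that has no trailing newline: when fgets() returns data without a '\n' the code sets `partial = TRUE`, the next fgets() hits EOF and returns NULL, and the function returns NULL, so a cookie file whose last line lacks a newline silently loses that cookie. If that is not intended, treat EOF after a short read as end of line, for example by returning `b` when `feof(input)` is set and `rlen < len-1`, and only marking the read partial when the buffer was actually filled. The discard-until-newline loop itself is the correct way to drop an over-long line without leaving its tail to be parsed as a new line.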
+@@ -957,11 +986,11 @@ struct CookieInfo *Curl_cookie_init(struct Curl_easy 
*data,
+ bool headerline;
+ 
+ line = malloc(MAX_COOKIE_LINE);
+ if(!line)
+   goto fail;
+-while(fgets(line, MAX_COOKIE_LINE, fp)) {
++while(get_line(line, MAX_COOKIE_LINE, fp)) {
+   if(checkprefix("Set-Cookie:", line)) {
+ /* This is a cookie line, get it! */
+ lineptr=[11];
+ headerline=TRUE;
+   }
+-- 
+2.9.3
+
diff --git a/meta/recipes-support/curl/curl_7.47.1.bb 
b/meta/recipes-support/curl/curl_7.47.1.bb
index 3670a11..1f2758c 100644
--- a/meta/recipes-support/curl/curl_7.47.1.bb
+++ b/meta/recipes-support/curl/curl_7.47.1.bb
@@ -15,6 +15,7 @@ SRC_URI += " file://configure_ac.patch \
  file://CVE-2016-5420.patch \
  file://CVE-2016-5421.patch \
  file://CVE-2016-7141.patch \
+ file://CVE-2016-8615.patch \
"
 
 SRC_URI[md5sum] = "9ea3123449439bbd960cd25cf98796fb"
-- 
1.9.1




[OE-core] [PATCHv5][krogoth 08/11] curl: CVE-2016-8622

2016-11-15 Thread Sona Sarmadi
URL unescape heap overflow via integer truncation

Affected versions: curl 7.24.0 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102H.html

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 meta/recipes-support/curl/curl/CVE-2016-8622.patch | 94 ++
 meta/recipes-support/curl/curl_7.47.1.bb   |  1 +
 2 files changed, 95 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2016-8622.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2016-8622.patch 
b/meta/recipes-support/curl/curl/CVE-2016-8622.patch
new file mode 100644
index 000..8edad01
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-8622.patch
@@ -0,0 +1,94 @@
+From 53e71e47d6b81650d26ec33a58d0dca24c7ffb2c Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <dan...@haxx.se>
+Date: Tue, 4 Oct 2016 18:56:45 +0200
+Subject: [PATCH] unescape: avoid integer overflow
+
+CVE: CVE-2016-8622
+Upstream-Status: Backport
+
+Bug: https://curl.haxx.se/docs/adv_20161102H.html
+Reported-by: Cure53
+
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+
+diff -ruN a/docs/libcurl/curl_easy_unescape.3 
b/docs/libcurl/curl_easy_unescape.3
+--- a/docs/libcurl/curl_easy_unescape.32016-02-03 00:08:02.0 
+0100
 b/docs/libcurl/curl_easy_unescape.32016-11-07 09:25:45.33275 
+0100
+@@ -5,7 +5,7 @@
+ .\" *| (__| |_| |  _ <| |___
+ .\" * \___|\___/|_| \_\_|
+ .\" *
+-.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, <dan...@haxx.se>, et al.
++.\" * Copyright (C) 1998 - 2016, Daniel Stenberg, <dan...@haxx.se>, et al.
+ .\" *
+ .\" * This software is licensed as described in the file COPYING, which
+ .\" * you should have received as part of this distribution. The terms
+@@ -40,7 +40,10 @@
+ 
+ If \fBoutlength\fP is non-NULL, the function will write the length of the
+ returned string in the integer it points to. This allows an escaped string
+-containing %00 to still get used properly after unescaping.
++containing %00 to still get used properly after unescaping. Since this is a
++pointer to an \fIint\fP type, it can only return a value up to INT_MAX so no
++longer string can be unescaped if the string length is returned in this
++parameter.
+ 
+ You must \fIcurl_free(3)\fP the returned string when you're done with it.
+ .SH AVAILABILITY
+diff -ruN a/lib/dict.c b/lib/dict.c
+--- a/lib/dict.c   2016-02-03 00:02:44.0 +0100
 b/lib/dict.c   2016-11-07 09:25:45.33275 +0100
+@@ -5,7 +5,7 @@
+  *| (__| |_| |  _ <| |___
+  * \___|\___/|_| \_\_|
+  *
+- * Copyright (C) 1998 - 2015, Daniel Stenberg, <dan...@haxx.se>, et al.
++ * Copyright (C) 1998 - 2016, Daniel Stenberg, <dan...@haxx.se>, et al.
+  *
+  * This software is licensed as described in the file COPYING, which
+  * you should have received as part of this distribution. The terms
+@@ -52,7 +52,7 @@
+ #include 
+ #include "transfer.h"
+ #include "sendf.h"
+-
++#include "escape.h"
+ #include "progress.h"
+ #include "strequal.h"
+ #include "dict.h"
+@@ -96,12 +96,12 @@
+   char *newp;
+   char *dictp;
+   char *ptr;
+-  int len;
++  size_t len;
+   char ch;
+   int olen=0;
+ 
+-  newp = curl_easy_unescape(data, inputbuff, 0, );
+-  if(!newp)
++  CURLcode result = Curl_urldecode(data, inputbuff, 0, , , FALSE);
++  if(!newp || result)
+ return NULL;
+ 
+   dictp = malloc(((size_t)len)*2 + 1); /* add one for terminating zero */
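Review bot: with `len` now a `size_t`, the `(size_t)len` cast in `malloc(((size_t)len)*2 + 1)` is redundant and can be dropped. The `if(!newp || result)` test relies on Curl_urldecode() leaving `newp` NULL or untouched on error; checking `result` first reads more naturally. As elsewhere on this page, the `&` before the out-parameters has been lost in rendering, so apply the hunk from the upstream commit, not from this copy.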
+diff -ruN a/lib/escape.c b/lib/escape.c
+--- a/lib/escape.c 2016-02-05 10:02:03.0 +0100
 b/lib/escape.c 2016-11-07 09:29:43.073671606 +0100
+@@ -217,8 +217,14 @@
+ FALSE);
+   if(res)
+ return NULL;
+-  if(olen)
+-*olen = curlx_uztosi(outputlen);
++
++if(olen) {
++  if(outputlen <= (size_t) INT_MAX)
++*olen = curlx_uztosi(outputlen);
++  else
++/* too large to return in an int, fail! */
++Curl_safefree(str);
++}
+   return str;
+ }
+ 
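Review bot: the new `if(olen) {` block is indented at column 0 while the surrounding code (and the `if(olen)` it replaces) sits two spaces in; reindent to match. Functionally the overflow path depends on Curl_safefree() resetting `str` to NULL, because control falls through to `return str`; if Curl_safefree() were a plain free() this would hand back a freed pointer, so confirm the macro nulls its argument or write `free(str); str = NULL;` explicitly.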
diff --git a/meta/recipes-support/curl/curl_7.47.1.bb 
b/meta/recipes-support/curl/curl_7.47.1.bb
index 67b07da..4bff34e 100644
--- a/meta/recipes-support/curl/curl_7.47.1.bb
+++ b/meta/recipes-support/curl/curl_7.47.1.bb
@@ -22,6 +22,7 @@ SRC_URI += " file://configure_ac.patch \
  file://CVE-2016-8619.patch \
  file://CVE-2016-8620.patch \
  file://CVE-2016-8621.patch \
+ file://CVE-2016-8622.patch \
"
 
 SRC_URI[md5sum] = "9ea3123449439bbd960cd25cf98796fb"
-- 
1.9.1



[OE-core] [PATCHv5][krogoth 09/11] curl: CVE-2016-8623

2016-11-15 Thread Sona Sarmadi
Use-after-free via shared cookies

Affected versions: curl 7.10.7 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102I.html

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 meta/recipes-support/curl/curl/CVE-2016-8623.patch | 209 +
 meta/recipes-support/curl/curl_7.47.1.bb   |   1 +
 2 files changed, 210 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2016-8623.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2016-8623.patch 
b/meta/recipes-support/curl/curl/CVE-2016-8623.patch
new file mode 100644
index 000..d9ddef6
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-8623.patch
@@ -0,0 +1,209 @@
+From d9d57fe0da6f25d05570fd583520ecd321ed9c3f Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <dan...@haxx.se>
+Date: Tue, 4 Oct 2016 23:26:13 +0200
+Subject: [PATCH] cookies: getlist() now holds deep copies of all cookies
+
+Previously it only held references to them, which was reckless as the
+thread lock was released so the cookies could get modified by other
+handles that share the same cookie jar over the share interface.
+
+CVE: CVE-2016-8623
+Upstream-Status: Backport
+
+Bug: https://curl.haxx.se/docs/adv_20161102I.html
+Reported-by: Cure53
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+---
+ lib/cookie.c | 61 +++-
+ lib/cookie.h |  4 ++--
+ lib/http.c   |  2 +-
+ 3 files changed, 43 insertions(+), 24 deletions(-)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index 0f05da2..8607ce3 100644
+--- a/lib/cookie.c
 b/lib/cookie.c
+@@ -1022,10 +1022,44 @@ static int cookie_sort(const void *p1, const void *p2)
+ 
+   /* sorry, can't be more deterministic */
+   return 0;
+ }
+ 
++#define CLONE(field) \
++  do {   \
++if(src->field) { \
++  dup->field = strdup(src->field);   \
++  if(!dup->field)\
++goto fail;   \
++}\
++  } while(0)
++
++static struct Cookie *dup_cookie(struct Cookie *src)
++{
++  struct Cookie *dup = calloc(sizeof(struct Cookie), 1);
++  if(dup) {
++CLONE(expirestr);
++CLONE(domain);
++CLONE(path);
++CLONE(spath);
++CLONE(name);
++CLONE(value);
++CLONE(maxage);
++CLONE(version);
++dup->expires = src->expires;
++dup->tailmatch = src->tailmatch;
++dup->secure = src->secure;
++dup->livecookie = src->livecookie;
++dup->httponly = src->httponly;
++  }
++  return dup;
++
++  fail:
++  freecookie(dup);
++  return NULL;
++}
++
+ /*
+  *
+  * Curl_cookie_getlist()
+  *
+  * For a given host and path, return a linked list of cookies that the
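Review bot: `calloc(sizeof(struct Cookie), 1)` has its arguments in the unconventional (count, size) order; it allocates the same number of bytes, but `calloc(1, sizeof(struct Cookie))` reads as intended. The `goto fail` from inside CLONE() reaches freecookie(dup) with a partially populated struct, which is safe only because calloc() zeroed every pointer beforehand; that dependency deserves a comment. `next` is deliberately left NULL here and linked by the caller.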
+@@ -1077,15 +,12 @@ struct Cookie *Curl_cookie_getlist(struct CookieInfo 
*c,
+ if(!co->spath || pathmatch(co->spath, path) ) {
+ 
+   /* and now, we know this is a match and we should create an
+  entry for the return-linked-list */
+ 
+-  newco = malloc(sizeof(struct Cookie));
++  newco = dup_cookie(co);
+   if(newco) {
+-/* first, copy the whole source cookie: */
+-memcpy(newco, co, sizeof(struct Cookie));
+-
+ /* then modify our next */
+ newco->next = mainco;
+ 
+ /* point the main to us */
+ mainco = newco;
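Review bot: the comment `/* then modify our next */` now dangles, since the "first, copy the whole source cookie" step it referred to has been removed along with the memcpy(); reword it to something like `/* link the copy into the return list */`. This hunk is the heart of the fix: the memcpy() duplicated only the pointers of a cookie owned by the shared jar, so the returned list referenced strings another handle could free once the share lock was released.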
+@@ -1093,16 +1124,11 @@ struct Cookie *Curl_cookie_getlist(struct CookieInfo 
*c,
+ matches++;
+   }
+   else {
+ fail:
+ /* failure, clear up the allocated chain and return NULL */
+-while(mainco) {
+-  co = mainco->next;
+-  free(mainco);
+-  mainco = co;
+-}
+-
++Curl_cookie_freelist(mainco);
+ return NULL;
+   }
+ }
+   }
+ }
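Review bot: replacing the hand-rolled loop with Curl_cookie_freelist(mainco) is required, not cosmetic: now that the list holds deep copies, freeing only the list nodes (as the old loop did) would leak every duplicated string. The single-argument call matches the signature change in the later hunk of this file, where the `cookiestoo` flag is removed.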
+@@ -1150,11 +1176,11 @@ struct Cookie *Curl_cookie_getlist(struct CookieInfo 
*c,
+  *
+  /
+ void Curl_cookie_clearall(struct CookieInfo *cookies)
+ {
+   if(cookies) {
+-Curl_cookie_freelist(cookies->cookies, TRUE);
++Curl_cookie_freelist(cookies->cookies);
+ cookies->cookies = NULL;
+ cookies->numcookies = 0;
+   }
+ }
+ 
+@@ -1162,25 +1188,18 @@ void Curl_cookie_clearall(struct CookieInfo *cookies)
+  *
+  * Curl_cookie_freelist()
+  *
+  * Free a list of cookies previously returned by Curl_cookie_getlist();
+  *
+- * The 'cookiestoo' argument tells this function whether to just free the
+- * list or actually also free all cookies within the list as well.
+- *
+  /
+ 
+-void Curl_cookie_freelist(struct Cookie *co, bool cookiestoo)
++vo

[OE-core] [PATCHv5][krogoth 05/11] curl: CVE-2016-8619

2016-11-15 Thread Sona Sarmadi
double-free in krb5 code

Affected versions: curl 7.3 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102E.html

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 meta/recipes-support/curl/curl/CVE-2016-8619.patch | 52 ++
 meta/recipes-support/curl/curl_7.47.1.bb   |  1 +
 2 files changed, 53 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2016-8619.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2016-8619.patch 
b/meta/recipes-support/curl/curl/CVE-2016-8619.patch
new file mode 100644
index 000..fb21cf6
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-8619.patch
@@ -0,0 +1,52 @@
+From 91239f7040b1f026d4d15765e7e3f58e92e93761 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <dan...@haxx.se>
+Date: Wed, 28 Sep 2016 12:56:02 +0200
+Subject: [PATCH] krb5: avoid realloc(0)
+
+If the requested size is zero, bail out with error instead of doing a
+realloc() that would cause a double-free: realloc(0) acts as a free()
+and then there's a second free in the cleanup path.
+
+CVE: CVE-2016-8619
+Upstream-Status: Backport
+
+Bug: https://curl.haxx.se/docs/adv_20161102E.html
+Reported-by: Cure53
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+---
+ lib/security.c | 9 ++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/lib/security.c b/lib/security.c
+index a268d4a..4cef8f8 100644
+--- a/lib/security.c
 b/lib/security.c
+@@ -190,19 +190,22 @@ socket_write(struct connectdata *conn, curl_socket_t fd, 
const void *to,
+ static CURLcode read_data(struct connectdata *conn,
+   curl_socket_t fd,
+   struct krb5buffer *buf)
+ {
+   int len;
+-  void* tmp;
++  void *tmp = NULL;
+   CURLcode result;
+ 
+   result = socket_read(fd, , sizeof(len));
+   if(result)
+ return result;
+ 
+-  len = ntohl(len);
+-  tmp = realloc(buf->data, len);
++  if(len) {
++/* only realloc if there was a length */
++len = ntohl(len);
++tmp = realloc(buf->data, len);
++  }
+   if(tmp == NULL)
+ return CURLE_OUT_OF_MEMORY;
+ 
+   buf->data = tmp;
+   result = socket_read(fd, buf->data, len);
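Review bot: `if(len)` tests the raw wire value before ntohl(), which is fine for a zero check, but the converted `len` is a signed int passed straight to realloc(); a negative value converts to a huge size_t, and both realloc() failure and the zero-length case surface as CURLE_OUT_OF_MEMORY, which hides a malformed frame behind an allocation error. Consider validating `len > 0` (and an upper bound) after ntohl() and returning a protocol error for anything else.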
+-- 
+2.9.3
+
diff --git a/meta/recipes-support/curl/curl_7.47.1.bb 
b/meta/recipes-support/curl/curl_7.47.1.bb
index 27a999e..9ef5718 100644
--- a/meta/recipes-support/curl/curl_7.47.1.bb
+++ b/meta/recipes-support/curl/curl_7.47.1.bb
@@ -19,6 +19,7 @@ SRC_URI += " file://configure_ac.patch \
  file://CVE-2016-8616.patch \
  file://CVE-2016-8617.patch \
  file://CVE-2016-8618.patch \
+ file://CVE-2016-8619.patch \
"
 
 SRC_URI[md5sum] = "9ea3123449439bbd960cd25cf98796fb"
-- 
1.9.1



[OE-core] [PATCHv5][krogoth 02/11] curl: CVE-2016-8616

2016-11-15 Thread Sona Sarmadi
case insensitive password comparison

Affected versions: curl 7.7 to and including 7.50.3

Reference:
https://curl.haxx.se/docs/adv_20161102B.html

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 meta/recipes-support/curl/curl/CVE-2016-8616.patch | 49 ++
 meta/recipes-support/curl/curl_7.47.1.bb   |  1 +
 2 files changed, 50 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2016-8616.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2016-8616.patch 
b/meta/recipes-support/curl/curl/CVE-2016-8616.patch
new file mode 100644
index 000..d5d78fc
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-8616.patch
@@ -0,0 +1,49 @@
+From b3ee26c5df75d97f6895e6ec4538894ebaf76e48 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <dan...@haxx.se>
+Date: Tue, 27 Sep 2016 18:01:53 +0200
+Subject: [PATCH] connectionexists: use case sensitive user/password
+ comparisons
+
+CVE: CVE-2016-8616
+Upstream-Status: Backport
+
+Bug: https://curl.haxx.se/docs/adv_20161102B.html
+Reported-by: Cure53
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+
+diff -ruN a/lib/url.c b/lib/url.c
+--- a/lib/url.c2016-11-07 08:50:23.030126833 +0100
 b/lib/url.c2016-11-07 09:16:20.459836564 +0100
+@@ -3305,8 +3305,8 @@
+   if(!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) {
+ /* This protocol requires credentials per connection,
+so verify that we're using the same name and password as well */
+-if(!strequal(needle->user, check->user) ||
+-   !strequal(needle->passwd, check->passwd)) {
++if(strcmp(needle->user, check->user) ||
++   strcmp(needle->passwd, check->passwd)) {
+   /* one of them was different */
+   continue;
+ }
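Review bot: strcmp() dereferences both operands unconditionally, and how the replaced strequal() treated NULL is not visible here; this hunk and the two NTLM hunks below therefore rely on `user`/`passwd` (and `proxyuser`/`proxypasswd`) being non-NULL on both `needle` and `check` whenever the branch is reached. If that invariant is not guaranteed, add a NULL guard or a small helper. The switch to a case-sensitive comparison is the fix itself: a case-insensitive match allowed a connection authenticated with one password to be reused for a request carrying a differently cased one.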
+@@ -3369,8 +3369,8 @@
+possible. (Especially we must not reuse the same connection if
+partway through a handshake!) */
+ if(wantNTLMhttp) {
+-  if(!strequal(needle->user, check->user) ||
+- !strequal(needle->passwd, check->passwd))
++  if(strcmp(needle->user, check->user) ||
++ strcmp(needle->passwd, check->passwd))
+ continue;
+ }
+ else if(check->ntlm.state != NTLMSTATE_NONE) {
+@@ -3380,8 +3380,8 @@
+ 
+ /* Same for Proxy NTLM authentication */
+ if(wantProxyNTLMhttp) {
+-  if(!strequal(needle->proxyuser, check->proxyuser) ||
+- !strequal(needle->proxypasswd, check->proxypasswd))
++  if(strcmp(needle->proxyuser, check->proxyuser) ||
++ strcmp(needle->proxypasswd, check->proxypasswd))
+ continue;
+ }
+ else if(check->proxyntlm.state != NTLMSTATE_NONE) {
diff --git a/meta/recipes-support/curl/curl_7.47.1.bb 
b/meta/recipes-support/curl/curl_7.47.1.bb
index 1f2758c..20c3721 100644
--- a/meta/recipes-support/curl/curl_7.47.1.bb
+++ b/meta/recipes-support/curl/curl_7.47.1.bb
@@ -16,6 +16,7 @@ SRC_URI += " file://configure_ac.patch \
  file://CVE-2016-5421.patch \
  file://CVE-2016-7141.patch \
  file://CVE-2016-8615.patch \
+ file://CVE-2016-8616.patch \
"
 
 SRC_URI[md5sum] = "9ea3123449439bbd960cd25cf98796fb"
-- 
1.9.1



[OE-core] [PATCHv5][krogoth 04/11] curl: CVE-2016-8618

2016-11-15 Thread Sona Sarmadi
double-free in curl_maprintf

Affected versions: curl 7.1 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102D.html

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 meta/recipes-support/curl/curl/CVE-2016-8618.patch | 52 ++
 meta/recipes-support/curl/curl_7.47.1.bb   |  1 +
 2 files changed, 53 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2016-8618.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2016-8618.patch 
b/meta/recipes-support/curl/curl/CVE-2016-8618.patch
new file mode 100644
index 000..2fd4749
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-8618.patch
@@ -0,0 +1,52 @@
+From 31106a073882656a2a5ab56c4ce2847e9a334c3c Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <dan...@haxx.se>
+Date: Wed, 28 Sep 2016 10:15:34 +0200
+Subject: [PATCH] aprintf: detect wrap-around when growing allocation
+
+On 32bit systems we could otherwise wrap around after 2GB and allocate 0
+bytes and crash.
+
+CVE: CVE-2016-8618
+Upstream-Status: Backport
+
+Bug: https://curl.haxx.se/docs/adv_20161102D.html
+Reported-by: Cure53
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+---
+ lib/mprintf.c | 9 ++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/lib/mprintf.c b/lib/mprintf.c
+index dbedeaa..2c88aa8 100644
+--- a/lib/mprintf.c
 b/lib/mprintf.c
+@@ -1034,20 +1034,23 @@ static int alloc_addbyter(int output, FILE *data)
+ }
+ infop->alloc = 32;
+ infop->len =0;
+   }
+   else if(infop->len+1 >= infop->alloc) {
+-char *newptr;
++char *newptr = NULL;
++size_t newsize = infop->alloc*2;
+ 
+-newptr = realloc(infop->buffer, infop->alloc*2);
++/* detect wrap-around or other overflow problems */
++if(newsize > infop->alloc)
++  newptr = realloc(infop->buffer, newsize);
+ 
+ if(!newptr) {
+   infop->fail = 1;
+   return -1; /* fail */
+ }
+ infop->buffer = newptr;
+-infop->alloc *= 2;
++infop->alloc = newsize;
+   }
+ 
+   infop->buffer[ infop->len ] = outc;
+ 
+   infop->len++;
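Review bot: the wrap check `newsize > infop->alloc` is complete only if `infop->alloc*2` is evaluated in size_t, because a size_t that wraps on doubling always ends up strictly smaller than the original. If `alloc` is a narrower or signed type, the product is computed in that type before being widened into `newsize`, and the comparison may miss the wrap; writing `(size_t)infop->alloc * 2` makes the intent explicit whatever the field's type.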
+-- 
+2.9.3
+
diff --git a/meta/recipes-support/curl/curl_7.47.1.bb 
b/meta/recipes-support/curl/curl_7.47.1.bb
index 3724411..27a999e 100644
--- a/meta/recipes-support/curl/curl_7.47.1.bb
+++ b/meta/recipes-support/curl/curl_7.47.1.bb
@@ -18,6 +18,7 @@ SRC_URI += " file://configure_ac.patch \
  file://CVE-2016-8615.patch \
  file://CVE-2016-8616.patch \
  file://CVE-2016-8617.patch \
+ file://CVE-2016-8618.patch \
"
 
 SRC_URI[md5sum] = "9ea3123449439bbd960cd25cf98796fb"
-- 
1.9.1



[OE-core] [PATCHv5][krogoth 03/11] curl: CVE-2016-8617

2016-11-15 Thread Sona Sarmadi
OOB write via unchecked multiplication

Affected versions: curl 7.1 to and including 7.50.3

Reference:
https://curl.haxx.se/docs/adv_20161102C.html

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 meta/recipes-support/curl/curl/CVE-2016-8617.patch | 28 ++
 meta/recipes-support/curl/curl_7.47.1.bb   |  1 +
 2 files changed, 29 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2016-8617.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2016-8617.patch 
b/meta/recipes-support/curl/curl/CVE-2016-8617.patch
new file mode 100644
index 000..d16c2f5
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-8617.patch
@@ -0,0 +1,28 @@
+From efd24d57426bd77c9b5860e6b297904703750412 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <dan...@haxx.se>
+Date: Wed, 28 Sep 2016 00:05:12 +0200
+Subject: [PATCH] base64: check for integer overflow on large input
+
+CVE: CVE-2016-8617
+Upstream-Status: Backport
+
+Bug: https://curl.haxx.se/docs/adv_20161102C.html
+Reported-by: Cure53
+
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+---
+diff -ruN a/lib/base64.c b/lib/base64.c
+--- a/lib/base64.c 2016-02-03 00:02:43.0 +0100
 b/lib/base64.c 2016-11-07 09:22:07.918167530 +0100
+@@ -190,6 +190,11 @@
+   if(0 == insize)
+ insize = strlen(indata);
+ 
++#if SIZEOF_SIZE_T == 4
++  if(insize > UINT_MAX/4)
++return CURLE_OUT_OF_MEMORY;
++#endif
++
+   base64data = output = malloc(insize*4/3+4);
+   if(NULL == output)
+ return CURLE_OUT_OF_MEMORY;
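Review bot: the guard is compiled only when `SIZEOF_SIZE_T == 4` and compares a size_t against UINT_MAX/4. Using `SIZE_MAX/4` expresses the same bound without the `#if`, applies on every platform and avoids mixing the unsigned int and size_t limits. The bound itself is adequate for `malloc(insize*4/3+4)`: keeping insize at or below UINT_MAX/4 prevents `insize*4` from wrapping, and the `/3+4` only shrinks the result.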
diff --git a/meta/recipes-support/curl/curl_7.47.1.bb 
b/meta/recipes-support/curl/curl_7.47.1.bb
index 20c3721..3724411 100644
--- a/meta/recipes-support/curl/curl_7.47.1.bb
+++ b/meta/recipes-support/curl/curl_7.47.1.bb
@@ -17,6 +17,7 @@ SRC_URI += " file://configure_ac.patch \
  file://CVE-2016-7141.patch \
  file://CVE-2016-8615.patch \
  file://CVE-2016-8616.patch \
+ file://CVE-2016-8617.patch \
"
 
 SRC_URI[md5sum] = "9ea3123449439bbd960cd25cf98796fb"
-- 
1.9.1



[OE-core] [PATCHv4][krogoth] curl: CVE-2016-8625

2016-11-11 Thread Sona Sarmadi
IDNA 2003 makes curl use wrong host

Affected versions: curl 7.12.0 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102K.html

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 meta/recipes-support/curl/curl/CVE-2016-8625.patch | 615 +
 .../url-remove-unconditional-idn2.h-include.patch  |  29 +
 meta/recipes-support/curl/curl_7.47.1.bb   |   2 +
 3 files changed, 646 insertions(+)
 create mode 100755 meta/recipes-support/curl/curl/CVE-2016-8625.patch
 create mode 100644 
meta/recipes-support/curl/curl/url-remove-unconditional-idn2.h-include.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2016-8625.patch 
b/meta/recipes-support/curl/curl/CVE-2016-8625.patch
new file mode 100755
index 000..b618277
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-8625.patch
@@ -0,0 +1,615 @@
+commit 914aae739463ec72340130ea9ad42e04b02a5338
+Author: Daniel Stenberg <dan...@haxx.se>
+Date:   Wed Oct 12 09:01:06 2016 +0200
+
+idn: switch to libidn2 use and IDNA2008 support
+
+CVE: CVE-2016-8625
+Upstream-Status: Backport
+
+Bug: https://curl.haxx.se/docs/adv_20161102K.html
+Reported-by: Christian Heimes
+
+Conflicts:
+   CMakeLists.txt
+   lib/url.c
+
+Signed-off-by: Martin Borg <martin.b...@enea.com>
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 06f18cf..c3e5c7c 100644
+--- a/CMakeLists.txt
 b/CMakeLists.txt
+@@ -440,7 +440,7 @@ if(NOT CURL_DISABLE_LDAPS)
+ endif()
+ 
+ # Check for idn
+-check_library_exists_concat("idn" idna_to_ascii_lz HAVE_LIBIDN)
++check_library_exists_concat("idn2" idn2_lookup_ul HAVE_LIBIDN2)
+ 
+ # Check for symbol dlopen (same as HAVE_LIBDL)
+ check_library_exists("${CURL_LIBS}" dlopen "" HAVE_DLOPEN)
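Review bot: this switches detection to libidn2 with no fallback to libidn, so the recipe's build dependency must follow; the stat lists two insertions in curl_7.47.1.bb, but that hunk is not part of this excerpt, and the accompanying url-remove-unconditional-idn2.h-include.patch indicates the backport needed extra work to keep the idn2.h include optional. Both should be checked before this lands in krogoth.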
+@@ -608,7 +608,7 @@ check_include_file_concat("des.h"HAVE_DES_H)
+ check_include_file_concat("err.h"HAVE_ERR_H)
+ check_include_file_concat("errno.h"  HAVE_ERRNO_H)
+ check_include_file_concat("fcntl.h"  HAVE_FCNTL_H)
+-check_include_file_concat("idn-free.h"   HAVE_IDN_FREE_H)
++check_include_file_concat("idn2.h"   HAVE_IDN2_H)
+ check_include_file_concat("ifaddrs.h"HAVE_IFADDRS_H)
+ check_include_file_concat("io.h" HAVE_IO_H)
+ check_include_file_concat("krb.h"HAVE_KRB_H)
+@@ -638,7 +638,6 @@ check_include_file_concat("stropts.h"
HAVE_STROPTS_H)
+ check_include_file_concat("termio.h" HAVE_TERMIO_H)
+ check_include_file_concat("termios.h"HAVE_TERMIOS_H)
+ check_include_file_concat("time.h"   HAVE_TIME_H)
+-check_include_file_concat("tld.h"HAVE_TLD_H)
+ check_include_file_concat("unistd.h" HAVE_UNISTD_H)
+ check_include_file_concat("utime.h"  HAVE_UTIME_H)
+ check_include_file_concat("x509.h"   HAVE_X509_H)
+@@ -652,9 +651,6 @@ check_include_file_concat("netinet/if_ether.h" 
HAVE_NETINET_IF_ETHER_H)
+ check_include_file_concat("stdint.h"HAVE_STDINT_H)
+ check_include_file_concat("sockio.h"HAVE_SOCKIO_H)
+ check_include_file_concat("sys/utsname.h"   HAVE_SYS_UTSNAME_H)
+-check_include_file_concat("idna.h"  HAVE_IDNA_H)
+-
+-
+ 
+ check_type_size(size_t  SIZEOF_SIZE_T)
+ check_type_size(ssize_t  SIZEOF_SSIZE_T)
+@@ -802,9 +798,6 @@ check_symbol_exists(pipe   "${CURL_INCLUDES}" 
HAVE_PIPE)
+ check_symbol_exists(ftruncate  "${CURL_INCLUDES}" HAVE_FTRUNCATE)
+ check_symbol_exists(getprotobyname "${CURL_INCLUDES}" HAVE_GETPROTOBYNAME)
+ check_symbol_exists(getrlimit  "${CURL_INCLUDES}" HAVE_GETRLIMIT)
+-check_symbol_exists(idn_free   "${CURL_INCLUDES}" HAVE_IDN_FREE)
+-check_symbol_exists(idna_strerror  "${CURL_INCLUDES}" HAVE_IDNA_STRERROR)
+-check_symbol_exists(tld_strerror   "${CURL_INCLUDES}" HAVE_TLD_STRERROR)
+ check_symbol_exists(setlocale  "${CURL_INCLUDES}" HAVE_SETLOCALE)
+ check_symbol_exists(setrlimit  "${CURL_INCLUDES}" HAVE_SETRLIMIT)
+ check_symbol_exists(fcntl  "${CURL_INCLUDES}" HAVE_FCNTL)
+@@ -1067,7 +1060,7 @@ _add_if("IPv6"  ENABLE_IPV6)
+ _add_if("unix-sockets"  USE_UNIX_SOCKETS)
+ _add_if("libz"  HAVE_LIBZ)
+ _add_if("AsynchDNS" USE_ARES OR USE_THREADS_POSIX)
+-_add_if("IDN"   HAVE_LIBIDN)
++_add_if("IDN"   HAVE_LIBIDN2)
+ # TODO SSP1 (WinSSL) check is missing
+ _add_if("SSPI"  USE_WINDOWS_SSPI)
+ _add_if("GSS-API"   HAVE_GSSAPI)
+diff --git a/configure.ac b/configure.ac
+index 4c9862f..c8e2721 100644
+--- a/configure.ac
 b/co

[OE-core] [PATCH][krogoth 06/12] curl: CVE-2016-8620

2016-11-11 Thread Sona Sarmadi
glob parser write/read out of bounds

Affected versions: curl 7.34.0 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102F.html

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 meta/recipes-support/curl/curl/CVE-2016-8620.patch | 44 ++
 meta/recipes-support/curl/curl_7.47.1.bb   |  1 +
 2 files changed, 45 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2016-8620.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2016-8620.patch 
b/meta/recipes-support/curl/curl/CVE-2016-8620.patch
new file mode 100644
index 000..613ace3
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-8620.patch
@@ -0,0 +1,44 @@
+From fbb5f1aa0326d485d5a7ac643b48481897ca667f Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <dan...@haxx.se>
+Date: Mon, 3 Oct 2016 17:27:16 +0200
+Subject: [PATCH] range: prevent negative end number in a glob range
+
+CVE: CVE-2016-8620
+
+Upstream-Status: Backport
+
+Bug: https://curl.haxx.se/docs/adv_20161102F.html
+Reported-by: Luật Nguyễn
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+---
+ src/tool_urlglob.c | 7 +++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/tool_urlglob.c b/src/tool_urlglob.c
+index a357b8b..64c75ba 100644
+--- a/src/tool_urlglob.c
 b/src/tool_urlglob.c
+@@ -257,6 +257,12 @@ static CURLcode glob_range(URLGlob *glob, char **patternp,
+ endp = NULL;
+   else {
+ pattern = endp+1;
++while(*pattern && ISBLANK(*pattern))
++  pattern++;
++if(!ISDIGIT(*pattern)) {
++  endp = NULL;
++  goto fail;
++}
+ errno = 0;
+ max_n = strtoul(pattern, , 10);
+ if(errno || (*endp == ':')) {
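Review bot: requiring a digit after the blanks is what blocks the negative end number, since strtoul() would otherwise accept a leading '-' and wrap it into a large value. Setting `endp = NULL` before `goto fail` makes the existing `if(!endp || ...)` test at the label fire, and the label is placed before `*posp += (pattern - *patternp)` so the caller's position is still advanced on the error path; good.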
+@@ -277,6 +283,7 @@ static CURLcode glob_range(URLGlob *glob, char **patternp,
+   }
+ }
+ 
++fail:
+ *posp += (pattern - *patternp);
+ 
+ if(!endp || (min_n > max_n) || (step_n > (max_n - min_n)) || !step_n)
+-- 
+1.9.1
+
diff --git a/meta/recipes-support/curl/curl_7.47.1.bb 
b/meta/recipes-support/curl/curl_7.47.1.bb
index 9ef5718..e6ad03f 100644
--- a/meta/recipes-support/curl/curl_7.47.1.bb
+++ b/meta/recipes-support/curl/curl_7.47.1.bb
@@ -20,6 +20,7 @@ SRC_URI += " file://configure_ac.patch \
  file://CVE-2016-8617.patch \
  file://CVE-2016-8618.patch \
  file://CVE-2016-8619.patch \
+ file://CVE-2016-8620.patch \
"
 
 SRC_URI[md5sum] = "9ea3123449439bbd960cd25cf98796fb"
-- 
1.9.1



[OE-core] [PATCH][krogoth 02/12] curl: CVE-2016-8616

2016-11-11 Thread Sona Sarmadi
case insensitive password comparison

Affected versions: curl 7.7 to and including 7.50.3

Reference:
https://curl.haxx.se/docs/adv_20161102B.html

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 meta/recipes-support/curl/curl/CVE-2016-8616.patch | 49 ++
 meta/recipes-support/curl/curl_7.47.1.bb   |  1 +
 2 files changed, 50 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2016-8616.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2016-8616.patch 
b/meta/recipes-support/curl/curl/CVE-2016-8616.patch
new file mode 100644
index 000..d5d78fc
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-8616.patch
@@ -0,0 +1,49 @@
+From b3ee26c5df75d97f6895e6ec4538894ebaf76e48 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <dan...@haxx.se>
+Date: Tue, 27 Sep 2016 18:01:53 +0200
+Subject: [PATCH] connectionexists: use case sensitive user/password
+ comparisons
+
+CVE: CVE-2016-8616
+Upstream-Status: Backport
+
+Bug: https://curl.haxx.se/docs/adv_20161102B.html
+Reported-by: Cure53
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+
+diff -ruN a/lib/url.c b/lib/url.c
+--- a/lib/url.c2016-11-07 08:50:23.030126833 +0100
 b/lib/url.c2016-11-07 09:16:20.459836564 +0100
+@@ -3305,8 +3305,8 @@
+   if(!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) {
+ /* This protocol requires credentials per connection,
+so verify that we're using the same name and password as well */
+-if(!strequal(needle->user, check->user) ||
+-   !strequal(needle->passwd, check->passwd)) {
++if(strcmp(needle->user, check->user) ||
++   strcmp(needle->passwd, check->passwd)) {
+   /* one of them was different */
+   continue;
+ }
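Review bot: strcmp() on a NULL pointer is undefined, and nothing in the visible lines shows that `needle->user`/`passwd` and `check->user`/`passwd` are always non-NULL on this path (credentials required per connection), so please confirm that or guard the comparison. The switch itself is the right fix: strequal() is curl's case-insensitive helper, so a user name or password differing only in case previously matched and an already-authenticated connection could be reused for a different credential.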
+@@ -3369,8 +3369,8 @@
+possible. (Especially we must not reuse the same connection if
+partway through a handshake!) */
+ if(wantNTLMhttp) {
+-  if(!strequal(needle->user, check->user) ||
+- !strequal(needle->passwd, check->passwd))
++  if(strcmp(needle->user, check->user) ||
++ strcmp(needle->passwd, check->passwd))
+ continue;
+ }
+ else if(check->ntlm.state != NTLMSTATE_NONE) {
+@@ -3380,8 +3380,8 @@
+ 
+ /* Same for Proxy NTLM authentication */
+ if(wantProxyNTLMhttp) {
+-  if(!strequal(needle->proxyuser, check->proxyuser) ||
+- !strequal(needle->proxypasswd, check->proxypasswd))
++  if(strcmp(needle->proxyuser, check->proxyuser) ||
++ strcmp(needle->proxypasswd, check->proxypasswd))
+ continue;
+ }
+ else if(check->proxyntlm.state != NTLMSTATE_NONE) {
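Review bot: same pattern as the two hunks above, applied to the proxy credentials; note the sense is inverted relative to the old code (strcmp() returns non-zero on mismatch, strequal() returned true on match) and the `!` negations were dropped accordingly, which is correct in all three places.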
diff --git a/meta/recipes-support/curl/curl_7.47.1.bb 
b/meta/recipes-support/curl/curl_7.47.1.bb
index 1f2758c..20c3721 100644
--- a/meta/recipes-support/curl/curl_7.47.1.bb
+++ b/meta/recipes-support/curl/curl_7.47.1.bb
@@ -16,6 +16,7 @@ SRC_URI += " file://configure_ac.patch \
  file://CVE-2016-5421.patch \
  file://CVE-2016-7141.patch \
  file://CVE-2016-8615.patch \
+ file://CVE-2016-8616.patch \
"
 
 SRC_URI[md5sum] = "9ea3123449439bbd960cd25cf98796fb"
-- 
1.9.1



[OE-core] [PATCH][krogoth 12/12] curl/url: remove unconditional idn2.h include

2016-11-11 Thread Sona Sarmadi
Mistake brought by 9c91ec778104a [fix to CVE-2016-8625]

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 .../url-remove-unconditional-idn2.h-include.patch  | 28 ++
 meta/recipes-support/curl/curl_7.47.1.bb   |  1 +
 2 files changed, 29 insertions(+)
 create mode 100644 
meta/recipes-support/curl/curl/url-remove-unconditional-idn2.h-include.patch

diff --git 
a/meta/recipes-support/curl/curl/url-remove-unconditional-idn2.h-include.patch 
b/meta/recipes-support/curl/curl/url-remove-unconditional-idn2.h-include.patch
new file mode 100644
index 000..e2a88e4
--- /dev/null
+++ 
b/meta/recipes-support/curl/curl/url-remove-unconditional-idn2.h-include.patch
@@ -0,0 +1,28 @@
+From c27013c05d99d92370b57e1a7af1b854eef4e7c1 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <dan...@haxx.se>
+Date: Mon, 31 Oct 2016 09:49:50 +0100
+Subject: [PATCH] url: remove unconditional idn2.h include
+
+Mistake brought by 9c91ec778104a [fix to CVE-2016-8625]
+
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+---
+ lib/url.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index c90a1c5..b997f41 100644
+--- a/lib/url.c
 b/lib/url.c
+@@ -67,8 +67,6 @@
+ bool curl_win32_idn_to_ascii(const char *in, char **out);
+ #endif  /* USE_LIBIDN2 */
+ 
+-#include 
+-
+ #include "urldata.h"
+ #include "netrc.h"
+ 
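Review bot: the removed include sat directly after `#endif  /* USE_LIBIDN2 */`, i.e. outside the guard, so it was compiled in even for builds without libidn2 (the header name is blank in this posting; the subject says idn2.h). Removing it rather than guarding it is only correct if the guarded block above already includes the header; the context shows the `curl_win32_idn_to_ascii` prototype inside that guard but not the include itself, so please confirm.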
+-- 
+1.9.1
+
diff --git a/meta/recipes-support/curl/curl_7.47.1.bb 
b/meta/recipes-support/curl/curl_7.47.1.bb
index a7f6917..7fab7cf 100644
--- a/meta/recipes-support/curl/curl_7.47.1.bb
+++ b/meta/recipes-support/curl/curl_7.47.1.bb
@@ -26,6 +26,7 @@ SRC_URI += " file://configure_ac.patch \
  file://CVE-2016-8623.patch \
  file://CVE-2016-8624.patch \
  file://CVE-2016-8625.patch \
+ file://url-remove-unconditional-idn2.h-include.patch \
"
 
 SRC_URI[md5sum] = "9ea3123449439bbd960cd25cf98796fb"
-- 
1.9.1



[OE-core] [PATCH][krogoth 09/12] curl: CVE-2016-8623

2016-11-11 Thread Sona Sarmadi
Use-after-free via shared cookies

Affected versions: curl 7.10.7 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102I.html

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 meta/recipes-support/curl/curl/CVE-2016-8623.patch | 209 +
 meta/recipes-support/curl/curl_7.47.1.bb   |   1 +
 2 files changed, 210 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2016-8623.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2016-8623.patch 
b/meta/recipes-support/curl/curl/CVE-2016-8623.patch
new file mode 100644
index 000..d9ddef6
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-8623.patch
@@ -0,0 +1,209 @@
+From d9d57fe0da6f25d05570fd583520ecd321ed9c3f Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <dan...@haxx.se>
+Date: Tue, 4 Oct 2016 23:26:13 +0200
+Subject: [PATCH] cookies: getlist() now holds deep copies of all cookies
+
+Previously it only held references to them, which was reckless as the
+thread lock was released so the cookies could get modified by other
+handles that share the same cookie jar over the share interface.
+
+CVE: CVE-2016-8623
+Upstream-Status: Backport
+
+Bug: https://curl.haxx.se/docs/adv_20161102I.html
+Reported-by: Cure53
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+---
+ lib/cookie.c | 61 +++-
+ lib/cookie.h |  4 ++--
+ lib/http.c   |  2 +-
+ 3 files changed, 43 insertions(+), 24 deletions(-)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index 0f05da2..8607ce3 100644
+--- a/lib/cookie.c
 b/lib/cookie.c
+@@ -1022,10 +1022,44 @@ static int cookie_sort(const void *p1, const void *p2)
+ 
+   /* sorry, can't be more deterministic */
+   return 0;
+ }
+ 
++#define CLONE(field) \
++  do {   \
++if(src->field) { \
++  dup->field = strdup(src->field);   \
++  if(!dup->field)\
++goto fail;   \
++}\
++  } while(0)
++
++static struct Cookie *dup_cookie(struct Cookie *src)
++{
++  struct Cookie *dup = calloc(sizeof(struct Cookie), 1);
++  if(dup) {
++CLONE(expirestr);
++CLONE(domain);
++CLONE(path);
++CLONE(spath);
++CLONE(name);
++CLONE(value);
++CLONE(maxage);
++CLONE(version);
++dup->expires = src->expires;
++dup->tailmatch = src->tailmatch;
++dup->secure = src->secure;
++dup->livecookie = src->livecookie;
++dup->httponly = src->httponly;
++  }
++  return dup;
++
++  fail:
++  freecookie(dup);
++  return NULL;
++}
++
+ /*
+  *
+  * Curl_cookie_getlist()
+  *
+  * For a given host and path, return a linked list of cookies that the
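Review bot: `calloc(sizeof(struct Cookie), 1)` has the nmemb and size arguments swapped relative to the conventional `calloc(1, sizeof(...))`; harmless, but worth normalising. The `fail:` path relies on calloc zeroing so that freecookie(dup) sees NULL for every field not yet cloned, which holds, and `goto fail` from inside the do/while(0) macro body is fine since the macro is only used in this function.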
+@@ -1077,15 +,12 @@ struct Cookie *Curl_cookie_getlist(struct CookieInfo 
*c,
+ if(!co->spath || pathmatch(co->spath, path) ) {
+ 
+   /* and now, we know this is a match and we should create an
+  entry for the return-linked-list */
+ 
+-  newco = malloc(sizeof(struct Cookie));
++  newco = dup_cookie(co);
+   if(newco) {
+-/* first, copy the whole source cookie: */
+-memcpy(newco, co, sizeof(struct Cookie));
+-
+ /* then modify our next */
+ newco->next = mainco;
+ 
+ /* point the main to us */
+ mainco = newco;
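Review bot: this is the core of the fix: memcpy() copied the string pointers owned by the shared jar, so the returned list aliased memory that another handle sharing the jar could free once the share lock was released; dup_cookie() gives the caller its own copies. The copied `next` pointer from the old memcpy is gone too, since dup_cookie() leaves `next` NULL and the line after sets it.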
+@@ -1093,16 +1124,11 @@ struct Cookie *Curl_cookie_getlist(struct CookieInfo 
*c,
+ matches++;
+   }
+   else {
+ fail:
+ /* failure, clear up the allocated chain and return NULL */
+-while(mainco) {
+-  co = mainco->next;
+-  free(mainco);
+-  mainco = co;
+-}
+-
++Curl_cookie_freelist(mainco);
+ return NULL;
+   }
+ }
+   }
+ }
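Review bot: Curl_cookie_freelist(mainco) must now free the duplicated strings as well as the list nodes, otherwise this path leaks every field dup_cookie() strdup'ed; the old inline loop only free()d the nodes, which was correct when they were shallow copies. The hunk changing Curl_cookie_freelist() itself is cut off below, so check the full version for that.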
+@@ -1150,11 +1176,11 @@ struct Cookie *Curl_cookie_getlist(struct CookieInfo 
*c,
+  *
+  /
+ void Curl_cookie_clearall(struct CookieInfo *cookies)
+ {
+   if(cookies) {
+-Curl_cookie_freelist(cookies->cookies, TRUE);
++Curl_cookie_freelist(cookies->cookies);
+ cookies->cookies = NULL;
+ cookies->numcookies = 0;
+   }
+ }
+ 
+@@ -1162,25 +1188,18 @@ void Curl_cookie_clearall(struct CookieInfo *cookies)
+  *
+  * Curl_cookie_freelist()
+  *
+  * Free a list of cookies previously returned by Curl_cookie_getlist();
+  *
+- * The 'cookiestoo' argument tells this function whether to just free the
+- * list or actually also free all cookies within the list as well.
+- *
+  /
+ 
+-void Curl_cookie_freelist(struct Cookie *co, bool cookiestoo)
++vo
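Review bot: the remainder of this patch is truncated in the archive (it stops at `++vo`), so the Curl_cookie_freelist() signature change and the lib/cookie.h and lib/http.c edits listed in the diffstat cannot be reviewed from this posting; please review them from the full patch file.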

[OE-core] [PATCH][krogoth 11/12] curl: CVE-2016-8625

2016-11-11 Thread Sona Sarmadi
IDNA 2003 makes curl use wrong host

Affected versions: curl 7.12.0 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102K.html

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 meta/recipes-support/curl/curl/CVE-2016-8625.patch | 615 +
 meta/recipes-support/curl/curl_7.47.1.bb   |   1 +
 2 files changed, 616 insertions(+)
 create mode 100755 meta/recipes-support/curl/curl/CVE-2016-8625.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2016-8625.patch 
b/meta/recipes-support/curl/curl/CVE-2016-8625.patch
new file mode 100755
index 000..b618277
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-8625.patch
@@ -0,0 +1,615 @@
+commit 914aae739463ec72340130ea9ad42e04b02a5338
+Author: Daniel Stenberg <dan...@haxx.se>
+Date:   Wed Oct 12 09:01:06 2016 +0200
+
+idn: switch to libidn2 use and IDNA2008 support
+
+CVE: CVE-2016-8625
+Upstream-Status: Backport
+
+Bug: https://curl.haxx.se/docs/adv_20161102K.html
+Reported-by: Christian Heimes
+
+Conflicts:
+   CMakeLists.txt
+   lib/url.c
+
+Signed-off-by: Martin Borg <martin.b...@enea.com>
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 06f18cf..c3e5c7c 100644
+--- a/CMakeLists.txt
 b/CMakeLists.txt
+@@ -440,7 +440,7 @@ if(NOT CURL_DISABLE_LDAPS)
+ endif()
+ 
+ # Check for idn
+-check_library_exists_concat("idn" idna_to_ascii_lz HAVE_LIBIDN)
++check_library_exists_concat("idn2" idn2_lookup_ul HAVE_LIBIDN2)
+ 
+ # Check for symbol dlopen (same as HAVE_LIBDL)
+ check_library_exists("${CURL_LIBS}" dlopen "" HAVE_DLOPEN)
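Review bot: the new patch file is added with mode 100755 (`create mode 100755` in the diffstat and `new file mode 100755` above); a .patch file in the recipe directory should not carry the execute bit, so please re-add it as 100644 like the other CVE patches in this series. The hunk itself (HAVE_LIBIDN to HAVE_LIBIDN2, probing `idn2_lookup_ul`) is consistent with the feature-list change later in the file.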
+@@ -608,7 +608,7 @@ check_include_file_concat("des.h"HAVE_DES_H)
+ check_include_file_concat("err.h"HAVE_ERR_H)
+ check_include_file_concat("errno.h"  HAVE_ERRNO_H)
+ check_include_file_concat("fcntl.h"  HAVE_FCNTL_H)
+-check_include_file_concat("idn-free.h"   HAVE_IDN_FREE_H)
++check_include_file_concat("idn2.h"   HAVE_IDN2_H)
+ check_include_file_concat("ifaddrs.h"HAVE_IFADDRS_H)
+ check_include_file_concat("io.h" HAVE_IO_H)
+ check_include_file_concat("krb.h"HAVE_KRB_H)
+@@ -638,7 +638,6 @@ check_include_file_concat("stropts.h"
HAVE_STROPTS_H)
+ check_include_file_concat("termio.h" HAVE_TERMIO_H)
+ check_include_file_concat("termios.h"HAVE_TERMIOS_H)
+ check_include_file_concat("time.h"   HAVE_TIME_H)
+-check_include_file_concat("tld.h"HAVE_TLD_H)
+ check_include_file_concat("unistd.h" HAVE_UNISTD_H)
+ check_include_file_concat("utime.h"  HAVE_UTIME_H)
+ check_include_file_concat("x509.h"   HAVE_X509_H)
+@@ -652,9 +651,6 @@ check_include_file_concat("netinet/if_ether.h" 
HAVE_NETINET_IF_ETHER_H)
+ check_include_file_concat("stdint.h"HAVE_STDINT_H)
+ check_include_file_concat("sockio.h"HAVE_SOCKIO_H)
+ check_include_file_concat("sys/utsname.h"   HAVE_SYS_UTSNAME_H)
+-check_include_file_concat("idna.h"  HAVE_IDNA_H)
+-
+-
+ 
+ check_type_size(size_t  SIZEOF_SIZE_T)
+ check_type_size(ssize_t  SIZEOF_SSIZE_T)
+@@ -802,9 +798,6 @@ check_symbol_exists(pipe   "${CURL_INCLUDES}" 
HAVE_PIPE)
+ check_symbol_exists(ftruncate  "${CURL_INCLUDES}" HAVE_FTRUNCATE)
+ check_symbol_exists(getprotobyname "${CURL_INCLUDES}" HAVE_GETPROTOBYNAME)
+ check_symbol_exists(getrlimit  "${CURL_INCLUDES}" HAVE_GETRLIMIT)
+-check_symbol_exists(idn_free   "${CURL_INCLUDES}" HAVE_IDN_FREE)
+-check_symbol_exists(idna_strerror  "${CURL_INCLUDES}" HAVE_IDNA_STRERROR)
+-check_symbol_exists(tld_strerror   "${CURL_INCLUDES}" HAVE_TLD_STRERROR)
+ check_symbol_exists(setlocale  "${CURL_INCLUDES}" HAVE_SETLOCALE)
+ check_symbol_exists(setrlimit  "${CURL_INCLUDES}" HAVE_SETRLIMIT)
+ check_symbol_exists(fcntl  "${CURL_INCLUDES}" HAVE_FCNTL)
+@@ -1067,7 +1060,7 @@ _add_if("IPv6"  ENABLE_IPV6)
+ _add_if("unix-sockets"  USE_UNIX_SOCKETS)
+ _add_if("libz"  HAVE_LIBZ)
+ _add_if("AsynchDNS" USE_ARES OR USE_THREADS_POSIX)
+-_add_if("IDN"   HAVE_LIBIDN)
++_add_if("IDN"   HAVE_LIBIDN2)
+ # TODO SSP1 (WinSSL) check is missing
+ _add_if("SSPI"  USE_WINDOWS_SSPI)
+ _add_if("GSS-API"   HAVE_GSSAPI)
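Review bot: this backport was resolved with conflicts in CMakeLists.txt and lib/url.c (see the Conflicts block in the header), and patch 12/12 in this series exists only to remove an unconditional idn2.h include left behind by that resolution; folding that fix into this patch would avoid an intermediate tree that fails to build without libidn2. The configure.ac hunk and everything after it is truncated in this posting and cannot be reviewed here.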
+diff --git a/configure.ac b/configure.ac
+index 4c9862f..c8e2721 100644
+--- a/configure.ac
 b/configure.ac
+@@ -157,7 +157,7 @@ curl_tls_srp_msg="no  (--enable-tls-srp)"
+ curl_res_msg="default (--enable-ares / --enable-threaded-re

[OE-core] [PATCH][krogoth 07/12] curl: CVE-2016-8621

2016-11-11 Thread Sona Sarmadi
curl_getdate read out of bounds

Affected versions: curl 7.12.2 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102G.html

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 meta/recipes-support/curl/curl/CVE-2016-8621.patch | 120 +
 meta/recipes-support/curl/curl_7.47.1.bb   |   1 +
 2 files changed, 121 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2016-8621.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2016-8621.patch 
b/meta/recipes-support/curl/curl/CVE-2016-8621.patch
new file mode 100644
index 000..7345838
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-8621.patch
@@ -0,0 +1,120 @@
+From 8a6d9ded5f02f0294ae63a007e26087316c1998e Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <dan...@haxx.se>
+Date: Tue, 4 Oct 2016 16:59:38 +0200
+Subject: [PATCH] parsedate: handle cut off numbers better
+
+... and don't read outside of the given buffer!
+
+CVE: CVE-2016-8621
+Upstream-Status: Backport
+
+bug: https://curl.haxx.se/docs/adv_20161102G.html
+Reported-by: Luật Nguyễn
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+---
+ lib/parsedate.c| 12 +++-
+ tests/data/test517 |  6 ++
+ tests/libtest/lib517.c |  8 +++-
+ 3 files changed, 20 insertions(+), 6 deletions(-)
+
+diff --git a/lib/parsedate.c b/lib/parsedate.c
+index dfcf855..8e932f4 100644
+--- a/lib/parsedate.c
 b/lib/parsedate.c
+@@ -3,11 +3,11 @@
+  *  Project ___| | | |  _ \| |
+  * / __| | | | |_) | |
+  *| (__| |_| |  _ <| |___
+  * \___|\___/|_| \_\_|
+  *
+- * Copyright (C) 1998 - 2014, Daniel Stenberg, <dan...@haxx.se>, et al.
++ * Copyright (C) 1998 - 2016, Daniel Stenberg, <dan...@haxx.se>, et al.
+  *
+  * This software is licensed as described in the file COPYING, which
+  * you should have received as part of this distribution. The terms
+  * are also available at https://curl.haxx.se/docs/copyright.html.
+  *
+@@ -384,19 +384,21 @@ static int parsedate(const char *date, time_t *output)
+ }
+ else if(ISDIGIT(*date)) {
+   /* a digit */
+   int val;
+   char *end;
++  int len=0;
+   if((secnum == -1) &&
+- (3 == sscanf(date, "%02d:%02d:%02d", , , ))) {
++ (3 == sscanf(date, "%02d:%02d:%02d%n",
++  , , , ))) {
+ /* time stamp! */
+-date += 8;
++date += len;
+   }
+   else if((secnum == -1) &&
+-  (2 == sscanf(date, "%02d:%02d", , ))) {
++  (2 == sscanf(date, "%02d:%02d%n", , , ))) {
+ /* time stamp without seconds */
+-date += 5;
++date += len;
+ secnum = 0;
+   }
+   else {
+ long lval;
+ int error;
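Review bot: the old `date += 8` / `date += 5` assumed the full HH:MM:SS or HH:MM width, but `%02d` also accepts a single digit, so an input like `12:3` matched and the pointer was advanced past the terminating NUL of the buffer (the out-of-bounds read in the advisory); `%n` records how many characters sscanf() actually consumed and `date += len` uses that instead. `len` cannot stay 0 on the matched paths, because `%n` is reached only after the preceding conversions succeed and both branches require all of them to match.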
+diff --git a/tests/data/test517 b/tests/data/test517
+index c81a45e..513634f 100644
+--- a/tests/data/test517
 b/tests/data/test517
+@@ -114,10 +114,16 @@ nothing
+ 79: 20110632 12:34:56 => -1
+ 80: 20110623 56:34:56 => -1
+ 81: 20111323 12:34:56 => -1
+ 82: 20110623 12:34:79 => -1
+ 83: Wed, 31 Dec 2008 23:59:60 GMT => 1230768000
++84: 20110623 12:3 => 1308830580
++85: 20110623 1:3 => 1308790980
++86: 20110623 1:30 => 1308792600
++87: 20110623 12:12:3 => 1308831123
++88: 20110623 01:12:3 => 1308791523
++89: 20110623 01:99:30 => -1
+ 
+ 
+ # This test case previously tested an overflow case ("2094 Nov 6 =>
+ # 2147483647") for 32bit time_t, but since some systems have 64bit time_t and
+ # handles this (returning 393984), and some 64bit-time_t systems don't
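Review bot: the new expectations are consistent with each other: 20110623 00:00:00 UTC is 1308787200, so `12:3` is +43380 = 1308830580, `1:3` is +3780 = 1308790980, `1:30` is +5400 = 1308792600, `12:12:3` is +43923 = 1308831123 and `01:12:3` is +4323 = 1308791523, while `01:99:30` giving -1 confirms the minute-range check still fires after the `%n` change.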
+diff --git a/tests/libtest/lib517.c b/tests/libtest/lib517.c
+index 2f68ebd..22162ff 100644
+--- a/tests/libtest/lib517.c
 b/tests/libtest/lib517.c
+@@ -3,11 +3,11 @@
+  *  Project ___| | | |  _ \| |
+  * / __| | | | |_) | |
+  *| (__| |_| |  _ <| |___
+  * \___|\___/|_| \_\_|
+  *
+- * Copyright (C) 1998 - 2011, Daniel Stenberg, <dan...@haxx.se>, et al.
++ * Copyright (C) 1998 - 2016, Daniel Stenberg, <dan...@haxx.se>, et al.
+  *
+  * This software is licensed as described in the file COPYING, which
+  * you should have received as part of this distribution. The terms
+  * are also available at https://curl.haxx.se/docs/copyright.html.
+  *
+@@ -114,10 +114,16 @@ static const char * const dates[]={
+   "20110632 12:34:56",
+   "20110623 56:34:56",
+   "20111323 12:34:56",
+   "20110623 12:34:79",
+   "Wed, 31 Dec 2008 23:59:60 GMT", /* leap second */
++  "20110623 12:3",
++  "20110623 1:3",
++  "20110623 1:30",
++  "20110623 12:12:3",
++  "20110623 01:12:3",
++  "20110623 01:99:30",
+   NULL
+ };
+ 
+

[OE-core] [PATCH][krogoth 04/12] curl: CVE-2016-8618

2016-11-11 Thread Sona Sarmadi
double-free in curl_maprintf

Affected versions: curl 7.1 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102D.html

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 meta/recipes-support/curl/curl/CVE-2016-8618.patch | 52 ++
 meta/recipes-support/curl/curl_7.47.1.bb   |  1 +
 2 files changed, 53 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2016-8618.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2016-8618.patch 
b/meta/recipes-support/curl/curl/CVE-2016-8618.patch
new file mode 100644
index 000..2fd4749
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-8618.patch
@@ -0,0 +1,52 @@
+From 31106a073882656a2a5ab56c4ce2847e9a334c3c Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <dan...@haxx.se>
+Date: Wed, 28 Sep 2016 10:15:34 +0200
+Subject: [PATCH] aprintf: detect wrap-around when growing allocation
+
+On 32bit systems we could otherwise wrap around after 2GB and allocate 0
+bytes and crash.
+
+CVE: CVE-2016-8618
+Upstream-Status: Backport
+
+Bug: https://curl.haxx.se/docs/adv_20161102D.html
+Reported-by: Cure53
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+---
+ lib/mprintf.c | 9 ++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/lib/mprintf.c b/lib/mprintf.c
+index dbedeaa..2c88aa8 100644
+--- a/lib/mprintf.c
 b/lib/mprintf.c
+@@ -1034,20 +1034,23 @@ static int alloc_addbyter(int output, FILE *data)
+ }
+ infop->alloc = 32;
+ infop->len =0;
+   }
+   else if(infop->len+1 >= infop->alloc) {
+-char *newptr;
++char *newptr = NULL;
++size_t newsize = infop->alloc*2;
+ 
+-newptr = realloc(infop->buffer, infop->alloc*2);
++/* detect wrap-around or other overflow problems */
++if(newsize > infop->alloc)
++  newptr = realloc(infop->buffer, newsize);
+ 
+ if(!newptr) {
+   infop->fail = 1;
+   return -1; /* fail */
+ }
+ infop->buffer = newptr;
+-infop->alloc *= 2;
++infop->alloc = newsize;
+   }
+ 
+   infop->buffer[ infop->len ] = outc;
+ 
+   infop->len++;
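Review bot: `newsize > infop->alloc` catches the size_t wrap of `alloc*2` (at 2 GB on 32-bit, as the message says) and, because `newptr` now starts out NULL, the overflow case falls into the existing `!newptr` branch with `infop->fail = 1`; `infop->alloc` is also updated only after a successful realloc(), so the old unconditional `*= 2` after a failed realloc is gone too. Fine as is.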
+-- 
+2.9.3
+
diff --git a/meta/recipes-support/curl/curl_7.47.1.bb 
b/meta/recipes-support/curl/curl_7.47.1.bb
index 3724411..27a999e 100644
--- a/meta/recipes-support/curl/curl_7.47.1.bb
+++ b/meta/recipes-support/curl/curl_7.47.1.bb
@@ -18,6 +18,7 @@ SRC_URI += " file://configure_ac.patch \
  file://CVE-2016-8615.patch \
  file://CVE-2016-8616.patch \
  file://CVE-2016-8617.patch \
+ file://CVE-2016-8618.patch \
"
 
 SRC_URI[md5sum] = "9ea3123449439bbd960cd25cf98796fb"
-- 
1.9.1



[OE-core] [PATCH][krogoth 01/12] curl: CVE-2016-8615

2016-11-11 Thread Sona Sarmadi
cookie injection for other servers

Affected versions: curl 7.1 to and including 7.50.3

Reference:
https://curl.haxx.se/docs/adv_20161102A.html

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 meta/recipes-support/curl/curl/CVE-2016-8615.patch | 77 ++
 meta/recipes-support/curl/curl_7.47.1.bb   |  1 +
 2 files changed, 78 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2016-8615.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2016-8615.patch 
b/meta/recipes-support/curl/curl/CVE-2016-8615.patch
new file mode 100644
index 000..5faa423
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-8615.patch
@@ -0,0 +1,77 @@
+From 1620f552a277ed5b23a48b9c27dbf07663cac068 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <dan...@haxx.se>
+Date: Tue, 27 Sep 2016 17:36:19 +0200
+Subject: [PATCH] cookie: replace use of fgets() with custom version
+
+... that will ignore lines that are too long to fit in the buffer.
+
+CVE: CVE-2016-8615
+Upstream-Status: Backport
+
+Bug: https://curl.haxx.se/docs/adv_20161102A.html
+Reported-by: Cure53
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+---
+ lib/cookie.c | 31 ++-
+ 1 file changed, 30 insertions(+), 1 deletion(-)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index 0f05da2..e5097d3 100644
+--- a/lib/cookie.c
 b/lib/cookie.c
+@@ -901,10 +901,39 @@ Curl_cookie_add(struct Curl_easy *data,
+   }
+ 
+   return co;
+ }
+ 
++/*
++ * get_line() makes sure to only return complete whole lines that fit in 'len'
++ * bytes and end with a newline.
++ */
++static char *get_line(char *buf, int len, FILE *input)
++{
++  bool partial = FALSE;
++  while(1) {
++char *b = fgets(buf, len, input);
++if(b) {
++  size_t rlen = strlen(b);
++  if(rlen && (b[rlen-1] == '\n')) {
++if(partial) {
++  partial = FALSE;
++  continue;
++}
++return b;
++  }
++  else
++/* read a partial, discard the next piece that ends with newline */
++partial = TRUE;
++}
++else
++  break;
++  }
++  return NULL;
++}
++
++
+ /*
+  *
+  * Curl_cookie_init()
+  *
+  * Inits a cookie struct to read data from a local file. This is always
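Review bot: get_line() only returns a buffer that ends in '\n', so the final line of a cookie file that lacks a trailing newline is now dropped silently (fgets() returns it without '\n', `partial` is set, the next fgets() hits EOF and the loop breaks returning NULL). That is a behaviour change for hand-edited cookie files; consider accepting a non-newline-terminated final line when feof(input) is set, or call it out in the message. The over-long-line handling itself is sound: the first chunk sets `partial`, and every following chunk up to and including the one carrying the '\n' is discarded.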
+@@ -957,11 +986,11 @@ struct CookieInfo *Curl_cookie_init(struct Curl_easy 
*data,
+ bool headerline;
+ 
+ line = malloc(MAX_COOKIE_LINE);
+ if(!line)
+   goto fail;
+-while(fgets(line, MAX_COOKIE_LINE, fp)) {
++while(get_line(line, MAX_COOKIE_LINE, fp)) {
+   if(checkprefix("Set-Cookie:", line)) {
+ /* This is a cookie line, get it! */
+ lineptr=[11];
+ headerline=TRUE;
+   }
+-- 
+2.9.3
+
diff --git a/meta/recipes-support/curl/curl_7.47.1.bb 
b/meta/recipes-support/curl/curl_7.47.1.bb
index 3670a11..1f2758c 100644
--- a/meta/recipes-support/curl/curl_7.47.1.bb
+++ b/meta/recipes-support/curl/curl_7.47.1.bb
@@ -15,6 +15,7 @@ SRC_URI += " file://configure_ac.patch \
  file://CVE-2016-5420.patch \
  file://CVE-2016-5421.patch \
  file://CVE-2016-7141.patch \
+ file://CVE-2016-8615.patch \
"
 
 SRC_URI[md5sum] = "9ea3123449439bbd960cd25cf98796fb"
-- 
1.9.1



[OE-core] [PATCH][krogoth 08/12] curl: CVE-2016-8622

2016-11-11 Thread Sona Sarmadi
URL unescape heap overflow via integer truncation

Affected versions: curl 7.24.0 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102H.html

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 meta/recipes-support/curl/curl/CVE-2016-8622.patch | 94 ++
 meta/recipes-support/curl/curl_7.47.1.bb   |  1 +
 2 files changed, 95 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2016-8622.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2016-8622.patch 
b/meta/recipes-support/curl/curl/CVE-2016-8622.patch
new file mode 100644
index 000..8edad01
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-8622.patch
@@ -0,0 +1,94 @@
+From 53e71e47d6b81650d26ec33a58d0dca24c7ffb2c Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <dan...@haxx.se>
+Date: Tue, 4 Oct 2016 18:56:45 +0200
+Subject: [PATCH] unescape: avoid integer overflow
+
+CVE: CVE-2016-8622
+Upstream-Status: Backport
+
+Bug: https://curl.haxx.se/docs/adv_20161102H.html
+Reported-by: Cure53
+
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+
+diff -ruN a/docs/libcurl/curl_easy_unescape.3 
b/docs/libcurl/curl_easy_unescape.3
+--- a/docs/libcurl/curl_easy_unescape.32016-02-03 00:08:02.0 
+0100
 b/docs/libcurl/curl_easy_unescape.32016-11-07 09:25:45.33275 
+0100
+@@ -5,7 +5,7 @@
+ .\" *| (__| |_| |  _ <| |___
+ .\" * \___|\___/|_| \_\_|
+ .\" *
+-.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, <dan...@haxx.se>, et al.
++.\" * Copyright (C) 1998 - 2016, Daniel Stenberg, <dan...@haxx.se>, et al.
+ .\" *
+ .\" * This software is licensed as described in the file COPYING, which
+ .\" * you should have received as part of this distribution. The terms
+@@ -40,7 +40,10 @@
+ 
+ If \fBoutlength\fP is non-NULL, the function will write the length of the
+ returned string in the integer it points to. This allows an escaped string
+-containing %00 to still get used properly after unescaping.
++containing %00 to still get used properly after unescaping. Since this is a
++pointer to an \fIint\fP type, it can only return a value up to INT_MAX so no
++longer string can be unescaped if the string length is returned in this
++parameter.
+ 
+ You must \fIcurl_free(3)\fP the returned string when you're done with it.
+ .SH AVAILABILITY
+diff -ruN a/lib/dict.c b/lib/dict.c
+--- a/lib/dict.c   2016-02-03 00:02:44.0 +0100
 b/lib/dict.c   2016-11-07 09:25:45.33275 +0100
+@@ -5,7 +5,7 @@
+  *| (__| |_| |  _ <| |___
+  * \___|\___/|_| \_\_|
+  *
+- * Copyright (C) 1998 - 2015, Daniel Stenberg, <dan...@haxx.se>, et al.
++ * Copyright (C) 1998 - 2016, Daniel Stenberg, <dan...@haxx.se>, et al.
+  *
+  * This software is licensed as described in the file COPYING, which
+  * you should have received as part of this distribution. The terms
+@@ -52,7 +52,7 @@
+ #include 
+ #include "transfer.h"
+ #include "sendf.h"
+-
++#include "escape.h"
+ #include "progress.h"
+ #include "strequal.h"
+ #include "dict.h"
+@@ -96,12 +96,12 @@
+   char *newp;
+   char *dictp;
+   char *ptr;
+-  int len;
++  size_t len;
+   char ch;
+   int olen=0;
+ 
+-  newp = curl_easy_unescape(data, inputbuff, 0, );
+-  if(!newp)
++  CURLcode result = Curl_urldecode(data, inputbuff, 0, , , FALSE);
++  if(!newp || result)
+ return NULL;
+ 
+   dictp = malloc(((size_t)len)*2 + 1); /* add one for terminating zero */
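Review bot: `len` becomes size_t and the decode goes through Curl_urldecode() with a size_t out-parameter, so the int-truncated length that could make `malloc(((size_t)len)*2 + 1)` undersized is gone; the `(size_t)` cast on that line is now redundant. One question: if Curl_urldecode() can return an error after it has set `newp`, the `return NULL` leaks it; the visible lines do not say, so please confirm or free `newp` on `result`.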
+diff -ruN a/lib/escape.c b/lib/escape.c
+--- a/lib/escape.c 2016-02-05 10:02:03.0 +0100
 b/lib/escape.c 2016-11-07 09:29:43.073671606 +0100
+@@ -217,8 +217,14 @@
+ FALSE);
+   if(res)
+ return NULL;
+-  if(olen)
+-*olen = curlx_uztosi(outputlen);
++
++if(olen) {
++  if(outputlen <= (size_t) INT_MAX)
++*olen = curlx_uztosi(outputlen);
++  else
++/* too large to return in an int, fail! */
++Curl_safefree(str);
++}
+   return str;
+ }
+ 
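Review bot: the new `if(olen)` block is indented one level less than the surrounding function body (compare `+  if(res)` just above it), so please re-indent. The logic is right: when the decoded length does not fit in an int, Curl_safefree(str) nulls the pointer and the function returns NULL instead of handing the caller a truncated length that it would then use to size a buffer (the dict.c hunk above shows exactly that `malloc(len*2+1)` pattern).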
diff --git a/meta/recipes-support/curl/curl_7.47.1.bb 
b/meta/recipes-support/curl/curl_7.47.1.bb
index 67b07da..4bff34e 100644
--- a/meta/recipes-support/curl/curl_7.47.1.bb
+++ b/meta/recipes-support/curl/curl_7.47.1.bb
@@ -22,6 +22,7 @@ SRC_URI += " file://configure_ac.patch \
  file://CVE-2016-8619.patch \
  file://CVE-2016-8620.patch \
  file://CVE-2016-8621.patch \
+ file://CVE-2016-8622.patch \
"
 
 SRC_URI[md5sum] = "9ea3123449439bbd960cd25cf98796fb"
-- 
1.9.1



[OE-core] [PATCH][krogoth 05/12] curl: CVE-2016-8619

2016-11-11 Thread Sona Sarmadi
double-free in krb5 code

Affected versions: curl 7.3 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102E.html

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 meta/recipes-support/curl/curl/CVE-2016-8619.patch | 52 ++
 meta/recipes-support/curl/curl_7.47.1.bb   |  1 +
 2 files changed, 53 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2016-8619.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2016-8619.patch 
b/meta/recipes-support/curl/curl/CVE-2016-8619.patch
new file mode 100644
index 000..fb21cf6
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-8619.patch
@@ -0,0 +1,52 @@
+From 91239f7040b1f026d4d15765e7e3f58e92e93761 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <dan...@haxx.se>
+Date: Wed, 28 Sep 2016 12:56:02 +0200
+Subject: [PATCH] krb5: avoid realloc(0)
+
+If the requested size is zero, bail out with error instead of doing a
+realloc() that would cause a double-free: realloc(0) acts as a free()
+and then there's a second free in the cleanup path.
+
+CVE: CVE-2016-8619
+Upstream-Status: Backport
+
+Bug: https://curl.haxx.se/docs/adv_20161102E.html
+Reported-by: Cure53
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+---
+ lib/security.c | 9 ++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/lib/security.c b/lib/security.c
+index a268d4a..4cef8f8 100644
+--- a/lib/security.c
 b/lib/security.c
+@@ -190,19 +190,22 @@ socket_write(struct connectdata *conn, curl_socket_t fd, 
const void *to,
+ static CURLcode read_data(struct connectdata *conn,
+   curl_socket_t fd,
+   struct krb5buffer *buf)
+ {
+   int len;
+-  void* tmp;
++  void *tmp = NULL;
+   CURLcode result;
+ 
+   result = socket_read(fd, , sizeof(len));
+   if(result)
+ return result;
+ 
+-  len = ntohl(len);
+-  tmp = realloc(buf->data, len);
++  if(len) {
++/* only realloc if there was a length */
++len = ntohl(len);
++tmp = realloc(buf->data, len);
++  }
+   if(tmp == NULL)
+ return CURLE_OUT_OF_MEMORY;
+ 
+   buf->data = tmp;
+   result = socket_read(fd, buf->data, len);
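Review bot: the zero check removes the realloc(ptr, 0) double free, but `len` is an int read from the wire and only zero is rejected: a value with the top bit set is negative after ntohl() and reaches realloc() and socket_read() converted to a huge size_t. A `len < 0` (or an upper-bound) check alongside the zero test would close that. Nit: `if(len)` tests the network-order value before ntohl(), which is equivalent only because zero is zero in either byte order; converting first reads more clearly.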
+-- 
+2.9.3
+
diff --git a/meta/recipes-support/curl/curl_7.47.1.bb 
b/meta/recipes-support/curl/curl_7.47.1.bb
index 27a999e..9ef5718 100644
--- a/meta/recipes-support/curl/curl_7.47.1.bb
+++ b/meta/recipes-support/curl/curl_7.47.1.bb
@@ -19,6 +19,7 @@ SRC_URI += " file://configure_ac.patch \
  file://CVE-2016-8616.patch \
  file://CVE-2016-8617.patch \
  file://CVE-2016-8618.patch \
+ file://CVE-2016-8619.patch \
"
 
 SRC_URI[md5sum] = "9ea3123449439bbd960cd25cf98796fb"
-- 
1.9.1



[OE-core] [PATCH][krogoth 10/12] curl: CVE-2016-8624

2016-11-11 Thread Sona Sarmadi
invalid URL parsing with '#'

Affected versions: curl 7.1 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102J.html

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 meta/recipes-support/curl/curl/CVE-2016-8624.patch | 51 ++
 meta/recipes-support/curl/curl_7.47.1.bb   |  1 +
 2 files changed, 52 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2016-8624.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2016-8624.patch 
b/meta/recipes-support/curl/curl/CVE-2016-8624.patch
new file mode 100644
index 000..009f7d0
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-8624.patch
@@ -0,0 +1,51 @@
+From 3bb273db7e40ebc284cff45f3ce3f0475c8339c2 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <dan...@haxx.se>
+Date: Tue, 11 Oct 2016 00:48:35 +0200
+Subject: [PATCH] urlparse: accept '#' as end of host name
+
+'http://example.com#@127.0.0.1/x.txt' equals a request to example.com
+for the '/' document with the rest of the URL being a fragment.
+
+CVE: CVE-2016-8624
+Upstream-Status: Backport
+
+Bug: https://curl.haxx.se/docs/adv_20161102J.html
+Reported-by: Fernando Muñoz
+
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+
+diff -ruN a/lib/url.c b/lib/url.c
+--- a/lib/url.c2016-11-07 08:50:23.030126833 +0100
 b/lib/url.c2016-11-07 10:16:13.562089428 +0100
+@@ -4086,7 +4086,7 @@
+ path[0]=0;
+ 
+ if(2 > sscanf(data->change.url,
+-   "%15[^\n:]://%[^\n/?]%[^\n]",
++   "%15[^\n:]://%[^\n/?#]%[^\n]",
+protobuf,
+conn->host.name, path)) {
+ 
+@@ -4094,7 +4094,7 @@
+* The URL was badly formatted, let's try the browser-style _without_
+* protocol specified like 'http://'.
+*/
+-  rc = sscanf(data->change.url, "%[^\n/?]%[^\n]", conn->host.name, path);
++  rc = sscanf(data->change.url, "%[^\n/?#]%[^\n]", conn->host.name, path);
+   if(1 > rc) {
+ /*
+  * We couldn't even get this format.
+@@ -4184,10 +4184,10 @@
+   }
+ 
+   /* If the URL is malformatted (missing a '/' after hostname before path) we
+-   * insert a slash here. The only letter except '/' we accept to start a path
+-   * is '?'.
++   * insert a slash here. The only letters except '/' that can start a path is
++   * '?' and '#' - as controlled by the two sscanf() patterns above.
+*/
+-  if(path[0] == '?') {
++  if(path[0] != '/') {
+ /* We need this function to deal with overlapping memory areas. We know
+that the memory area 'path' points to is 'urllen' bytes big and that
+is bigger than the path. Use +1 to move the zero byte too. */
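Review bot: the three hunks have to move together: the two `sscanf()` patterns now stop the host name at `#` as well as `/` and `?`, and the final test changes from `path[0] == '?'` to `path[0] != '/'` so the slash insertion also covers a path that starts with `#`; with only the pattern change, a URL like the `http://example.com#@127.0.0.1/x.txt` example in the commit message would leave `path` beginning with `#` and skip the insertion. The updated comment documents that coupling (it should read "letters ... are" rather than "is"). As rendered here, the embedded `diff -ruN` header has lost its `+++ b/lib/url.c` marker (the line reads ` b/lib/url.c`), so confirm that the file committed to the tree, not this rendering, is what `do_patch` applies.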
diff --git a/meta/recipes-support/curl/curl_7.47.1.bb 
b/meta/recipes-support/curl/curl_7.47.1.bb
index 0f8fa3a..3c877e4 100644
--- a/meta/recipes-support/curl/curl_7.47.1.bb
+++ b/meta/recipes-support/curl/curl_7.47.1.bb
@@ -24,6 +24,7 @@ SRC_URI += " file://configure_ac.patch \
  file://CVE-2016-8621.patch \
  file://CVE-2016-8622.patch \
  file://CVE-2016-8623.patch \
+ file://CVE-2016-8624.patch \
"
 
 SRC_URI[md5sum] = "9ea3123449439bbd960cd25cf98796fb"
-- 
1.9.1



[OE-core] [PATCH][krogoth 03/12] curl: CVE-2016-8617

2016-11-11 Thread Sona Sarmadi
OOB write via unchecked multiplication

Affected versions: curl 7.1 to and including 7.50.3

Reference:
https://curl.haxx.se/docs/adv_20161102C.html

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 meta/recipes-support/curl/curl/CVE-2016-8617.patch | 28 ++
 meta/recipes-support/curl/curl_7.47.1.bb   |  1 +
 2 files changed, 29 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2016-8617.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2016-8617.patch 
b/meta/recipes-support/curl/curl/CVE-2016-8617.patch
new file mode 100644
index 000..d16c2f5
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-8617.patch
@@ -0,0 +1,28 @@
+From efd24d57426bd77c9b5860e6b297904703750412 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <dan...@haxx.se>
+Date: Wed, 28 Sep 2016 00:05:12 +0200
+Subject: [PATCH] base64: check for integer overflow on large input
+
+CVE: CVE-2016-8617
+Upstream-Status: Backport
+
+Bug: https://curl.haxx.se/docs/adv_20161102C.html
+Reported-by: Cure53
+
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+---
+diff -ruN a/lib/base64.c b/lib/base64.c
+--- a/lib/base64.c 2016-02-03 00:02:43.0 +0100
 b/lib/base64.c 2016-11-07 09:22:07.918167530 +0100
+@@ -190,6 +190,11 @@
+   if(0 == insize)
+ insize = strlen(indata);
+ 
++#if SIZEOF_SIZE_T == 4
++  if(insize > UINT_MAX/4)
++return CURLE_OUT_OF_MEMORY;
++#endif
++
+   base64data = output = malloc(insize*4/3+4);
+   if(NULL == output)
+ return CURLE_OUT_OF_MEMORY;
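Review bot: the guard `insize > UINT_MAX/4` is compiled only when `SIZEOF_SIZE_T == 4`, which is the case in which `insize*4/3+4` can wrap; on 64-bit builds the code relies on the input never approaching 2^62 bytes, which is reasonable but deserves a one-line comment next to the `#if`. The hunk uses `SIZEOF_SIZE_T` and `UINT_MAX` without adding any include, so check that the 7.47.1 `lib/base64.c` already pulls in the headers that define them (normally `curl_setup.h` and `<limits.h>`); the 28-line patch file carries no include change.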
diff --git a/meta/recipes-support/curl/curl_7.47.1.bb 
b/meta/recipes-support/curl/curl_7.47.1.bb
index 20c3721..3724411 100644
--- a/meta/recipes-support/curl/curl_7.47.1.bb
+++ b/meta/recipes-support/curl/curl_7.47.1.bb
@@ -17,6 +17,7 @@ SRC_URI += " file://configure_ac.patch \
  file://CVE-2016-7141.patch \
  file://CVE-2016-8615.patch \
  file://CVE-2016-8616.patch \
+ file://CVE-2016-8617.patch \
"
 
 SRC_URI[md5sum] = "9ea3123449439bbd960cd25cf98796fb"
-- 
1.9.1



[OE-core] [PATCHv3][krogoth] curl: fix multiple CVEs

2016-11-10 Thread Sona Sarmadi
CVE-2016-8615: cookie injection for other servers
CVE-2016-8616: case insensitive password comparison
CVE-2016-8617: OOB write via unchecked multiplication
CVE-2016-8618: double-free in curl_maprintf
CVE-2016-8619: double-free in krb5 code
CVE-2016-8620: glob parser write/read out of bounds
CVE-2016-8621: curl_getdate read out of bounds
CVE-2016-8622: URL unescape heap overflow via integer truncation
CVE-2016-8623: Use-after-free via shared cookies
CVE-2016-8624: invalid URL parsing with '#'
CVE-2016-8625: IDNA 2003 makes curl use wrong host

[url-remove-unconditional-idn2.h-include.patch is needed
for CVE-2016-8625]

Reference:
https://curl.haxx.se/docs/security.html

Fixes [Yocto #10617]

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 meta/recipes-support/curl/curl/CVE-2016-8615.patch |  70 +++
 meta/recipes-support/curl/curl/CVE-2016-8616.patch |  50 ++
 meta/recipes-support/curl/curl/CVE-2016-8617.patch |  29 +
 meta/recipes-support/curl/curl/CVE-2016-8618.patch |  49 ++
 meta/recipes-support/curl/curl/CVE-2016-8619.patch |  49 ++
 meta/recipes-support/curl/curl/CVE-2016-8620.patch |  47 ++
 meta/recipes-support/curl/curl/CVE-2016-8621.patch | 104 
 meta/recipes-support/curl/curl/CVE-2016-8622.patch |  95 
 meta/recipes-support/curl/curl/CVE-2016-8623.patch | 174 ++
 meta/recipes-support/curl/curl/CVE-2016-8624.patch |  55 ++
 meta/recipes-support/curl/curl/CVE-2016-8625.patch | 615 +
 .../url-remove-unconditional-idn2.h-include.patch  |  29 +
 meta/recipes-support/curl/curl_7.47.1.bb   |  12 +
 13 files changed, 1378 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2016-8615.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2016-8616.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2016-8617.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2016-8618.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2016-8619.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2016-8620.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2016-8621.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2016-8622.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2016-8623.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2016-8624.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2016-8625.patch
 create mode 100644 
meta/recipes-support/curl/curl/url-remove-unconditional-idn2.h-include.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2016-8615.patch 
b/meta/recipes-support/curl/curl/CVE-2016-8615.patch
new file mode 100644
index 000..95070f4
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-8615.patch
@@ -0,0 +1,70 @@
+From cff89bc088b7884098ea0c5378bbda3d49c437bc Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <dan...@haxx.se>
+Date: Tue, 27 Sep 2016 17:36:19 +0200
+Subject: [PATCH] cookie: replace use of fgets() with custom version
+
+... that will ignore lines that are too long to fit in the buffer.
+
+CVE: CVE-2016-8615
+
+Upstream-Status: Backport
+
+Bug: https://curl.haxx.se/docs/adv_20161102A.html
+Reported-by: Cure53
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+---
+ lib/cookie.c | 31 ++-
+ 1 file changed, 30 insertions(+), 1 deletion(-)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index 4932ab1..1b3e645 100644
+--- a/lib/cookie.c
 b/lib/cookie.c
+@@ -902,6 +902,35 @@ Curl_cookie_add(struct Curl_easy *data,
+   return co;
+ }
+ 
++/*
++ * get_line() makes sure to only return complete whole lines that fit in 'len'
++ * bytes and end with a newline.
++ */
++static char *get_line(char *buf, int len, FILE *input)
++{
++  bool partial = FALSE;
++  while(1) {
++char *b = fgets(buf, len, input);
++if(b) {
++  size_t rlen = strlen(b);
++  if(rlen && (b[rlen-1] == '\n')) {
++if(partial) {
++  partial = FALSE;
++  continue;
++}
++return b;
++  }
++  else
++/* read a partial, discard the next piece that ends with newline */
++partial = TRUE;
++}
++else
++  break;
++  }
++  return NULL;
++}
++
++
+ /*
+  *
+  * Curl_cookie_init()
+@@ -958,7 +987,7 @@ struct CookieInfo *Curl_cookie_init(struct Curl_easy *data,
+ line = malloc(MAX_COOKIE_LINE);
+ if(!line)
+   goto fail;
+-while(fgets(line, MAX_COOKIE_LINE, fp)) {
++while(get_line(line, MAX_COOKIE_LINE, fp)) {
+   if(checkprefix("Set-Cookie:", line)) {
+ /* This is a cookie line, get it! */
+ lineptr=[11];
+-- 
+1.9.1
+
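Review bot: `get_line()` changes behaviour at end of file, not only for over-long lines: a final line that lacks a trailing `'\n'` fails the `b[rlen-1] == '\n'` test, sets `partial = TRUE`, the next `fgets()` returns NULL, and the function returns NULL, so that last cookie is silently dropped where the old `fgets()` loop processed it. If that is acceptable for the backport it deserves a sentence in the patch description; otherwise add an EOF check (e.g. `feof(input)`) before setting `partial`, so a complete final line that merely lacks a newline is still returned. Discarding the continuation of an over-long line together with its first piece is the intended part of the change, since it keeps the tail of such a line from being parsed as a separate cookie line.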
diff --git a/meta/recipes-support/curl/curl/CVE-2016-8616.patch 
b/meta/recipes-support/curl/curl/CVE-2016-8616.patch
new file mode 100644
index 000..2849d28
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-8616.patch
@@ -0,0 +1,50 @@
+From b3ee26c5df75d97f6895e6ec4538894ebaf

[OE-core] [PATCHv2][krogoth] curl: fix multiple CVEs

2016-11-10 Thread Sona Sarmadi
CVE-2016-8615: cookie injection for other servers
CVE-2016-8616: case insensitive password comparison
CVE-2016-8617: OOB write via unchecked multiplication
CVE-2016-8618: double-free in curl_maprintf
CVE-2016-8619: double-free in krb5 code
CVE-2016-8620: glob parser write/read out of bounds
CVE-2016-8621: curl_getdate read out of bounds
CVE-2016-8622: URL unescape heap overflow via integer truncation
CVE-2016-8623: Use-after-free via shared cookies
CVE-2016-8624: invalid URL parsing with '#'
CVE-2016-8625: IDNA 2003 makes curl use wrong host

[url-remove-unconditional-idn2.h-include.patch is needed
for CVE-2016-8625]

Reference:
https://curl.haxx.se/docs/security.html

Fixes [Yocto #10617]

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 meta/recipes-support/curl/curl/CVE-2016-8615.patch |  70 +++
 meta/recipes-support/curl/curl/CVE-2016-8616.patch |  50 ++
 meta/recipes-support/curl/curl/CVE-2016-8617.patch |  29 +
 meta/recipes-support/curl/curl/CVE-2016-8618.patch |  49 ++
 meta/recipes-support/curl/curl/CVE-2016-8619.patch |  49 ++
 meta/recipes-support/curl/curl/CVE-2016-8620.patch |  47 ++
 meta/recipes-support/curl/curl/CVE-2016-8621.patch | 104 
 meta/recipes-support/curl/curl/CVE-2016-8622.patch |  95 
 meta/recipes-support/curl/curl/CVE-2016-8623.patch | 174 ++
 meta/recipes-support/curl/curl/CVE-2016-8624.patch |  55 ++
 meta/recipes-support/curl/curl/CVE-2016-8625.patch | 593 +
 .../url-remove-unconditional-idn2.h-include.patch  |  29 +
 meta/recipes-support/curl/curl_7.47.1.bb   |  12 +
 13 files changed, 1356 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2016-8615.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2016-8616.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2016-8617.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2016-8618.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2016-8619.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2016-8620.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2016-8621.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2016-8622.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2016-8623.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2016-8624.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2016-8625.patch
 create mode 100644 
meta/recipes-support/curl/curl/url-remove-unconditional-idn2.h-include.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2016-8615.patch 
b/meta/recipes-support/curl/curl/CVE-2016-8615.patch
new file mode 100644
index 000..95070f4
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-8615.patch
@@ -0,0 +1,70 @@
+From cff89bc088b7884098ea0c5378bbda3d49c437bc Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <dan...@haxx.se>
+Date: Tue, 27 Sep 2016 17:36:19 +0200
+Subject: [PATCH] cookie: replace use of fgets() with custom version
+
+... that will ignore lines that are too long to fit in the buffer.
+
+CVE: CVE-2016-8615
+
+Upstream-Status: Backport
+
+Bug: https://curl.haxx.se/docs/adv_20161102A.html
+Reported-by: Cure53
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+---
+ lib/cookie.c | 31 ++-
+ 1 file changed, 30 insertions(+), 1 deletion(-)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index 4932ab1..1b3e645 100644
+--- a/lib/cookie.c
 b/lib/cookie.c
+@@ -902,6 +902,35 @@ Curl_cookie_add(struct Curl_easy *data,
+   return co;
+ }
+ 
++/*
++ * get_line() makes sure to only return complete whole lines that fit in 'len'
++ * bytes and end with a newline.
++ */
++static char *get_line(char *buf, int len, FILE *input)
++{
++  bool partial = FALSE;
++  while(1) {
++char *b = fgets(buf, len, input);
++if(b) {
++  size_t rlen = strlen(b);
++  if(rlen && (b[rlen-1] == '\n')) {
++if(partial) {
++  partial = FALSE;
++  continue;
++}
++return b;
++  }
++  else
++/* read a partial, discard the next piece that ends with newline */
++partial = TRUE;
++}
++else
++  break;
++  }
++  return NULL;
++}
++
++
+ /*
+  *
+  * Curl_cookie_init()
+@@ -958,7 +987,7 @@ struct CookieInfo *Curl_cookie_init(struct Curl_easy *data,
+ line = malloc(MAX_COOKIE_LINE);
+ if(!line)
+   goto fail;
+-while(fgets(line, MAX_COOKIE_LINE, fp)) {
++while(get_line(line, MAX_COOKIE_LINE, fp)) {
+   if(checkprefix("Set-Cookie:", line)) {
+ /* This is a cookie line, get it! */
+ lineptr=[11];
+-- 
+1.9.1
+
diff --git a/meta/recipes-support/curl/curl/CVE-2016-8616.patch 
b/meta/recipes-support/curl/curl/CVE-2016-8616.patch
new file mode 100644
index 000..2849d28
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-8616.patch
@@ -0,0 +1,50 @@
+From b3ee26c5df75d97f6895e6ec4538894ebaf

[OE-core] [PATCH][krogoth] curl: fix multiple CVEs

2016-11-10 Thread Sona Sarmadi
CVE-2016-8615: cookie injection for other servers
CVE-2016-8616: case insensitive password comparison
CVE-2016-8617: OOB write via unchecked multiplication
CVE-2016-8618: double-free in curl_maprintf
CVE-2016-8619: double-free in krb5 code
CVE-2016-8620: glob parser write/read out of bounds
CVE-2016-8621: curl_getdate read out of bounds
CVE-2016-8622: URL unescape heap overflow via integer truncation
CVE-2016-8623: Use-after-free via shared cookies
CVE-2016-8624: invalid URL parsing with '#'
CVE-2016-8625: IDNA 2003 makes curl use wrong host

[url-remove-unconditional-idn2.h-include.patch is needed
for CVE-2016-8625]

Reference:
https://curl.haxx.se/docs/security.html

Fixes [Yocto #10617]

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 meta/recipes-support/curl/curl/CVE-2016-8615.patch |  70 +++
 meta/recipes-support/curl/curl/CVE-2016-8616.patch |  50 ++
 meta/recipes-support/curl/curl/CVE-2016-8617.patch |  29 ++
 meta/recipes-support/curl/curl/CVE-2016-8618.patch |  49 ++
 meta/recipes-support/curl/curl/CVE-2016-8619.patch |  49 ++
 meta/recipes-support/curl/curl/CVE-2016-8620.patch |  47 ++
 meta/recipes-support/curl/curl/CVE-2016-8621.patch | 104 
 meta/recipes-support/curl/curl/CVE-2016-8622.patch |  95 
 meta/recipes-support/curl/curl/CVE-2016-8623.patch | 174 +++
 meta/recipes-support/curl/curl/CVE-2016-8624.patch |  55 ++
 meta/recipes-support/curl/curl/CVE-2016-8625.patch | 580 +
 .../url-remove-unconditional-idn2.h-include.patch  |  29 ++
 meta/recipes-support/curl/curl_7.47.1.bb   |  12 +
 13 files changed, 1343 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2016-8615.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2016-8616.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2016-8617.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2016-8618.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2016-8619.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2016-8620.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2016-8621.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2016-8622.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2016-8623.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2016-8624.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2016-8625.patch
 create mode 100644 
meta/recipes-support/curl/curl/url-remove-unconditional-idn2.h-include.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2016-8615.patch 
b/meta/recipes-support/curl/curl/CVE-2016-8615.patch
new file mode 100644
index 000..95070f4
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-8615.patch
@@ -0,0 +1,70 @@
+From cff89bc088b7884098ea0c5378bbda3d49c437bc Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <dan...@haxx.se>
+Date: Tue, 27 Sep 2016 17:36:19 +0200
+Subject: [PATCH] cookie: replace use of fgets() with custom version
+
+... that will ignore lines that are too long to fit in the buffer.
+
+CVE: CVE-2016-8615
+
+Upstream-Status: Backport
+
+Bug: https://curl.haxx.se/docs/adv_20161102A.html
+Reported-by: Cure53
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+---
+ lib/cookie.c | 31 ++-
+ 1 file changed, 30 insertions(+), 1 deletion(-)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index 4932ab1..1b3e645 100644
+--- a/lib/cookie.c
 b/lib/cookie.c
+@@ -902,6 +902,35 @@ Curl_cookie_add(struct Curl_easy *data,
+   return co;
+ }
+ 
++/*
++ * get_line() makes sure to only return complete whole lines that fit in 'len'
++ * bytes and end with a newline.
++ */
++static char *get_line(char *buf, int len, FILE *input)
++{
++  bool partial = FALSE;
++  while(1) {
++char *b = fgets(buf, len, input);
++if(b) {
++  size_t rlen = strlen(b);
++  if(rlen && (b[rlen-1] == '\n')) {
++if(partial) {
++  partial = FALSE;
++  continue;
++}
++return b;
++  }
++  else
++/* read a partial, discard the next piece that ends with newline */
++partial = TRUE;
++}
++else
++  break;
++  }
++  return NULL;
++}
++
++
+ /*
+  *
+  * Curl_cookie_init()
+@@ -958,7 +987,7 @@ struct CookieInfo *Curl_cookie_init(struct Curl_easy *data,
+ line = malloc(MAX_COOKIE_LINE);
+ if(!line)
+   goto fail;
+-while(fgets(line, MAX_COOKIE_LINE, fp)) {
++while(get_line(line, MAX_COOKIE_LINE, fp)) {
+   if(checkprefix("Set-Cookie:", line)) {
+ /* This is a cookie line, get it! */
+ lineptr=[11];
+-- 
+1.9.1
+
diff --git a/meta/recipes-support/curl/curl/CVE-2016-8616.patch 
b/meta/recipes-support/curl/curl/CVE-2016-8616.patch
new file mode 100644
index 000..2849d28
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-8616.patch
@@ -0,0 +1,50 @@
+From b3ee26c5df75d97f6895e6ec45388

Re: [OE-core] [PATCH] curl: Upgrade 7.50.1.bb -> curl_7.51.0.bb

2016-11-09 Thread Sona Sarmadi
Hi guys,

curl 7.51.0-r0 addresses all these CVEs. I wonder if we can upgrade krogoth and 
morty to curl 7.51.0-r0 as well? Both package versions use the same shared 
library version, i.e. libcurl.so.4.4.0, so I assume full ABI compatibility.

tmp/work/i586-poky-linux/curl/7.47.1-r0/sysroot-destdir/usr/lib/libcurl.so.4.4.0
tmp/work/i586-poky-linux/curl/7.51.0-r0/sysroot-destdir/usr/lib/libcurl.so.4.4.0

For more info see:
https://bugzilla.yoctoproject.org/show_bug.cgi?id=10617

Thanks
//Sona
-Original Message-
From: openembedded-core-boun...@lists.openembedded.org 
[mailto:openembedded-core-boun...@lists.openembedded.org] On Behalf Of Sona 
Sarmadi
Sent: 8 November 2016 11:42
To: openembedded-core@lists.openembedded.org
Subject: [OE-core] [PATCH] curl: Upgrade 7.50.1.bb -> curl_7.51.0.bb

The upgrade addresses the following CVEs:
CVE-2016-8615: cookie injection for other servers
CVE-2016-8616: case insensitive password comparison
CVE-2016-8617: OOB write via unchecked multiplication
CVE-2016-8618: double-free in curl_maprintf
CVE-2016-8619: double-free in krb5 code
CVE-2016-8620: glob parser write/read out of bounds
CVE-2016-8621: curl_getdate read out of bounds
CVE-2016-8622: URL unescape heap overflow via integer truncation
CVE-2016-8623: Use-after-free via shared cookies
CVE-2016-8624: invalid URL parsing with '#'
CVE-2016-8625: IDNA 2003 makes curl use wrong host

Reference:
https://curl.haxx.se/docs/security.html

Fixes [Yocto #10617]

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 meta/recipes-support/curl/{curl_7.50.1.bb => curl_7.51.0.bb} | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename meta/recipes-support/curl/{curl_7.50.1.bb => curl_7.51.0.bb} (94%)

diff --git a/meta/recipes-support/curl/curl_7.50.1.bb 
b/meta/recipes-support/curl/curl_7.51.0.bb
similarity index 94%
rename from meta/recipes-support/curl/curl_7.50.1.bb
rename to meta/recipes-support/curl/curl_7.51.0.bb
index a21419a..e1a996b 100644
--- a/meta/recipes-support/curl/curl_7.50.1.bb
+++ b/meta/recipes-support/curl/curl_7.51.0.bb
@@ -14,8 +14,8 @@ SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \  
#  SRC_URI += " file://configure_ac.patch"
 
-SRC_URI[md5sum] = "015f6a0217ca6f2c5442ca406476920b"
-SRC_URI[sha256sum] = 
"3c12c5f54ccaa1d40abc65d672107dcc75d3e1fcb38c267484334280096e5156"
+SRC_URI[md5sum] = "09a7c5769a7eae676d5e2c86d51f167e"
+SRC_URI[sha256sum] = 
"7f8240048907e5030f67be0a6129bc4b333783b9cca1391026d700835a788dde"
 
 inherit autotools pkgconfig binconfig multilib_header
 
--
1.9.1



[OE-core] [PATCH] curl: Upgrade 7.50.1.bb -> curl_7.51.0.bb

2016-11-08 Thread Sona Sarmadi
The upgrade addresses the following CVEs:
CVE-2016-8615: cookie injection for other servers
CVE-2016-8616: case insensitive password comparison
CVE-2016-8617: OOB write via unchecked multiplication
CVE-2016-8618: double-free in curl_maprintf
CVE-2016-8619: double-free in krb5 code
CVE-2016-8620: glob parser write/read out of bounds
CVE-2016-8621: curl_getdate read out of bounds
CVE-2016-8622: URL unescape heap overflow via integer truncation
CVE-2016-8623: Use-after-free via shared cookies
CVE-2016-8624: invalid URL parsing with '#'
CVE-2016-8625: IDNA 2003 makes curl use wrong host

Reference:
https://curl.haxx.se/docs/security.html

Fixes [Yocto #10617]

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 meta/recipes-support/curl/{curl_7.50.1.bb => curl_7.51.0.bb} | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename meta/recipes-support/curl/{curl_7.50.1.bb => curl_7.51.0.bb} (94%)

diff --git a/meta/recipes-support/curl/curl_7.50.1.bb 
b/meta/recipes-support/curl/curl_7.51.0.bb
similarity index 94%
rename from meta/recipes-support/curl/curl_7.50.1.bb
rename to meta/recipes-support/curl/curl_7.51.0.bb
index a21419a..e1a996b 100644
--- a/meta/recipes-support/curl/curl_7.50.1.bb
+++ b/meta/recipes-support/curl/curl_7.51.0.bb
@@ -14,8 +14,8 @@ SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
 #
 SRC_URI += " file://configure_ac.patch"
 
-SRC_URI[md5sum] = "015f6a0217ca6f2c5442ca406476920b"
-SRC_URI[sha256sum] = 
"3c12c5f54ccaa1d40abc65d672107dcc75d3e1fcb38c267484334280096e5156"
+SRC_URI[md5sum] = "09a7c5769a7eae676d5e2c86d51f167e"
+SRC_URI[sha256sum] = 
"7f8240048907e5030f67be0a6129bc4b333783b9cca1391026d700835a788dde"
 
 inherit autotools pkgconfig binconfig multilib_header
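Review bot: apart from the rename, the only change is the md5/sha256 pair, so nothing in this diff shows that the retained `file://configure_ac.patch` still applies to 7.51.0; a sentence in the commit message stating that the patch was re-checked (or refreshed) against the new tarball would make the upgrade reviewable, and since the stated purpose is eleven CVE fixes, a note that their presence in 7.51.0 was confirmed rather than inferred from the advisory page would help the stable-branch maintainers too.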
 
-- 
1.9.1



[OE-core] [PATCH][krogoth] dropbear: Fix multiple CVEs

2016-10-20 Thread Sona Sarmadi
CVE-2016-7406
CVE-2016-7407
CVE-2016-7408
CVE-2016-7409

Reference:
https://matt.ucc.asn.au/dropbear/CHANGES

[YOCTO #10443]

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 meta/recipes-core/dropbear/dropbear.inc|4 +
 .../dropbear/dropbear/CVE-2016-7406.patch  |  104 +
 .../dropbear/dropbear/CVE-2016-7407.patch  | 2485 
 .../dropbear/dropbear/CVE-2016-7408.patch  |  101 +
 .../dropbear/dropbear/CVE-2016-7409.patch  |   26 +
 5 files changed, 2720 insertions(+)
 create mode 100644 meta/recipes-core/dropbear/dropbear/CVE-2016-7406.patch
 create mode 100644 meta/recipes-core/dropbear/dropbear/CVE-2016-7407.patch
 create mode 100644 meta/recipes-core/dropbear/dropbear/CVE-2016-7408.patch
 create mode 100644 meta/recipes-core/dropbear/dropbear/CVE-2016-7409.patch

diff --git a/meta/recipes-core/dropbear/dropbear.inc 
b/meta/recipes-core/dropbear/dropbear.inc
index 923d31c..ee2cd98 100644
--- a/meta/recipes-core/dropbear/dropbear.inc
+++ b/meta/recipes-core/dropbear/dropbear.inc
@@ -17,6 +17,10 @@ SRC_URI = 
"http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \
file://0003-configure.patch \
file://0004-fix-2kb-keys.patch \
file://0007-dropbear-fix-for-x32-abi.patch \
+   file://CVE-2016-7406.patch \
+   file://CVE-2016-7407.patch \
+   file://CVE-2016-7408.patch \
+   file://CVE-2016-7409.patch \
file://init \
file://dropbearkey.service \
file://dropbear@.service \
diff --git a/meta/recipes-core/dropbear/dropbear/CVE-2016-7406.patch 
b/meta/recipes-core/dropbear/dropbear/CVE-2016-7406.patch
new file mode 100644
index 000..22b494c
--- /dev/null
+++ b/meta/recipes-core/dropbear/dropbear/CVE-2016-7406.patch
@@ -0,0 +1,104 @@
+# HG changeset patch
+# User Matt Johnston <m...@ucc.asn.au>
+# Date 1468249773 -28800
+# Node ID b66a483f3dcb66a70341845dd36e922ddaee4c5a
+# Parent  eed9376a4ad68e3ae7f17d154dbf126ee66c54bc
+Improve exit message formatting
+
+Patch is backported from:
+https://secure.ucc.asn.au/hg/dropbear/rev/b66a483f3dcb
+
+CVE: CVE-2016-7406
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+
+diff -ruN a/cli-main.c b/cli-main.c
+--- a/cli-main.c   2016-03-09 15:54:53.0 +0100
 b/cli-main.c   2016-10-20 12:49:00.323501119 +0200
+@@ -85,29 +85,30 @@
+ #endif /* DBMULTI stuff */
+ 
+ static void cli_dropbear_exit(int exitcode, const char* format, va_list 
param) {
++  char exitmsg[150];
++  char fullmsg[300];
+ 
+-  char fmtbuf[300];
+-  char exitmsg[500];
++  /* Note that exit message must be rendered before session cleanup */
+ 
++  /* Render the formatted exit message */
++  vsnprintf(exitmsg, sizeof(exitmsg), format, param);
++
++  /* Add the prefix depending on session/auth state */
+   if (!sessinitdone) {
+-  snprintf(fmtbuf, sizeof(fmtbuf), "Exited: %s",
+-  format);
++  snprintf(fullmsg, sizeof(fullmsg), "Exited: %s", exitmsg);
+   } else {
+-  snprintf(fmtbuf, sizeof(fmtbuf), 
++  snprintf(fullmsg, sizeof(fullmsg), 
+   "Connection to %s@%s:%s exited: %s", 
+   cli_opts.username, cli_opts.remotehost, 
+-  cli_opts.remoteport, format);
++  cli_opts.remoteport, exitmsg);
+   }
+ 
+-  /* Arguments to the exit printout may be unsafe to use after 
session_cleanup() */
+-  vsnprintf(exitmsg, sizeof(exitmsg), fmtbuf, param);
+-
+   /* Do the cleanup first, since then the terminal will be reset */
+   session_cleanup();
+   /* Avoid printing onwards from terminal cruft */
+   fprintf(stderr, "\n");
+ 
+-  dropbear_log(LOG_INFO, "%s", exitmsg);;
++  dropbear_log(LOG_INFO, "%s", fullmsg);
+   exit(exitcode);
+ }
+ 
+diff -ruN a/svr-session.c b/svr-session.c
+--- a/svr-session.c2016-03-09 15:54:54.0 +0100
 b/svr-session.c2016-10-20 13:27:20.629628336 +0200
+@@ -145,30 +145,33 @@
+ /* failure exit - format must be <= 100 chars */
+ void svr_dropbear_exit(int exitcode, const char* format, va_list param) {
+ 
+-  char fmtbuf[300];
++  char exitmsg[150];
++  char fullmsg[300];
+   int i;
+ 
++  /* Render the formatted exit message */
++  vsnprintf(exitmsg, sizeof(exitmsg), format, param);
++
++  /* Add the prefix depending on session/auth state */
+   if (!sessinitdone) {
+   /* before session init */
+-  snprintf(fmtbuf, sizeof(fmtbuf), 
+-  "Early exit: %s", format);
++snprintf(fullmsg, sizeof(fullmsg), "Early exit: %s", exitmsg);
+   } else if (ses.authstate.authdone) {
+   /* user has 
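Review bot: the reordering is the fix: `vsnprintf(exitmsg, sizeof(exitmsg), format, param)` is now applied to the caller's format string alone, and `cli_opts.username`, `cli_opts.remotehost` and `cli_opts.remoteport` enter only as `%s` arguments to `snprintf()`, so any `%` sequences in those values are copied literally instead of being interpreted by `vsnprintf()` as they were when they had been baked into `fmtbuf`. Minor: in the svr-session.c hunk the new `snprintf(fullmsg, ...)` line under `if (!sessinitdone)` is indented with spaces where the surrounding code uses tabs, and the retained `/* failure exit - format must be <= 100 chars */` comment above `svr_dropbear_exit()` now describes a limit that the 150-byte `exitmsg` buffer no longer depends on; either update it or drop it.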

[OE-core] [PATCH][krogoth] bash: Security fix CVE-2016-0634

2016-10-10 Thread Sona Sarmadi
References to upstream patch:
https://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/bash43-047
http://openwall.com/lists/oss-security/2016/09/16/8

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 .../recipes-extended/bash/bash/CVE-2016-0634.patch | 136 +
 meta/recipes-extended/bash/bash_4.3.30.bb  |   1 +
 2 files changed, 137 insertions(+)
 create mode 100644 meta/recipes-extended/bash/bash/CVE-2016-0634.patch

diff --git a/meta/recipes-extended/bash/bash/CVE-2016-0634.patch 
b/meta/recipes-extended/bash/bash/CVE-2016-0634.patch
new file mode 100644
index 000..71c033e
--- /dev/null
+++ b/meta/recipes-extended/bash/bash/CVE-2016-0634.patch
@@ -0,0 +1,136 @@
+Bash-Release:  4.3
+Patch-ID:  bash43-047
+
+Bug-Reported-by:   Bernd Dietzel
+Bug-Reference-ID:
+Bug-Reference-URL: 
https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025
+
+Bug-Description:
+
+Bash performs word expansions on the prompt strings after the special
+escape sequences are expanded.  If a malicious user can modify the system
+hostname or change the name of the bash executable and coerce a user into
+executing it, and the new name contains word expansions (including
+command substitution), bash will expand them in prompt strings containing
+the \h or \H and \s escape sequences, respectively.
+
+Patch (apply with `patch -p0')
+
+CVE:  CVE-2016-0634
+Upstream-Status: Backport
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+
+*** ../bash-4.3-patched/parse.y2015-08-13 15:11:54.0 -0400
+--- parse.y2016-03-07 15:44:14.0 -0500
+***
+*** 5259,5263 
+int result_size, result_index;
+int c, n, i;
+!   char *temp, octal_string[4];
+struct tm *tm;  
+time_t the_time;
+--- 5259,5263 
+int result_size, result_index;
+int c, n, i;
+!   char *temp, *t_host, octal_string[4];
+struct tm *tm;  
+time_t the_time;
+***
+*** 5407,5411 
+   case 's':
+ temp = base_pathname (shell_name);
+!temp = savestring (temp);
+ goto add_string;
+  
+--- 5407,5415 
+   case 's':
+ temp = base_pathname (shell_name);
+!/* Try to quote anything the user can set in the file system */
+!if (promptvars || posixly_correct)
+!  temp = sh_backslash_quote_for_double_quotes (temp);
+!else
+!  temp = savestring (temp);
+ goto add_string;
+  
+***
+*** 5497,5503 
+   case 'h':
+   case 'H':
+!temp = savestring (current_host_name);
+!if (c == 'h' && (t = (char *)strchr (temp, '.')))
+   *t = '\0';
+ goto add_string;
+  
+--- 5501,5515 
+   case 'h':
+   case 'H':
+!t_host = savestring (current_host_name);
+!if (c == 'h' && (t = (char *)strchr (t_host, '.')))
+   *t = '\0';
++if (promptvars || posixly_correct)
++  /* Make sure that expand_prompt_string is called with a
++ second argument of Q_DOUBLE_QUOTES if we use this
++ function here. */
++  temp = sh_backslash_quote_for_double_quotes (t_host);
++else
++  temp = savestring (t_host);
++free (t_host);
+ goto add_string;
+  
+*** ../bash-4.3-patched/y.tab.c2015-08-13 15:11:54.0 -0400
+--- y.tab.c2016-03-07 15:44:14.0 -0500
+***
+*** 7571,7575 
+int result_size, result_index;
+int c, n, i;
+!   char *temp, octal_string[4];
+struct tm *tm;  
+time_t the_time;
+--- 7571,7575 
+int result_size, result_index;
+int c, n, i;
+!   char *temp, *t_host, octal_string[4];
+struct tm *tm;  
+time_t the_time;
+***
+*** 7719,7723 
+   case 's':
+ temp = base_pathname (shell_name);
+!temp = savestring (temp);
+ goto add_string;
+  
+--- 7719,7727 
+   case 's':
+ temp = base_pathname (shell_name);
+!/* Try to quote anything the user can set in the file system */
+!if (promptvars || posixly_correct)
+!  temp = sh_backslash_quote_for_double_quotes (temp);
+!else
+!  temp = savestring (temp);
+ goto add_string;
+  
+***
+*** 7809,7815 
+   case 'h':
+   case 'H':
+!temp = savestring (current_host_name);
+!if (c == 'h' && (t = (char *)strchr (temp, '.')))
+   *t = '\0';
+ goto add_string;
+  
+--- 7813,7827 
+   case 'h':
+   case 'H':
+!t_host = savestring (current_host_name);
+!if (c == 'h' && (t = (char *)strchr (t_host, '.')))
+   *t = '\0';
++if (promptvars || posixly_correct)
++

Re: [OE-core] CVE-2016-0634 -- bash prompt expanding $HOSTNAME patch for krogoth

2016-10-10 Thread Sona Sarmadi
Thanks Ross,
I guess you mean striplevel? Right? It didn’t work with stripnum but it worked 
with striplevel:

  file://CVE-2016-0634.patch;striplevel=0 \

From: Burton, Ross [mailto:ross.bur...@intel.com]
Sent: den 10 oktober 2016 13:26
To: Sona Sarmadi <sona.sarm...@enea.com>
Cc: Armin Kuster (akuster...@gmail.com) <akuster...@gmail.com>; 
openembedded-core@lists.openembedded.org
Subject: Re: [OE-core] CVE-2016-0634 -- bash prompt expanding $HOSTNAME patch 
for krogoth


On 10 October 2016 at 10:49, Sona Sarmadi <sona.sarm...@enea.com> wrote:
ERROR: bash-4.3.30-r0 do_patch: Command Error: 'quilt --quiltrc 
/data/fb/hopo/6.0/poky/build-qemuppc/tmp/sysroots/x86_64-linux/etc/quiltrc 
push' exited with 1  Output:
Applying patch CVE-2016-0634.patch
can't find file to patch at input line 25
Perhaps you used the wrong -p or --strip option?

If the patch needs -p0 then you need to tell bitbake this with the ;stripnum=0 
parameter in SRC_URI.

Ross


[OE-core] CVE-2016-0634 -- bash prompt expanding $HOSTNAME patch for krogoth

2016-10-10 Thread Sona Sarmadi
Hi Armin,

I am trying to backport the following patch to bash in krogoth:
https://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/bash43-047

Reference to CVE assignment: http://openwall.com/lists/oss-security/2016/09/16/8

The patch can be applied with: `patch -p0'

patch -p0 < ~/security-patches/CVE-2016-0634.patch

poky/build-qemuppc/tmp/work/ppc7400-enea-linux/bash/4.3.30-r0/bash-4.3.30# 
patch -p0 < CVE-2016-0634.patch
patching file parse.y
Hunk #1 succeeded at 5257 (offset -2 lines).
Hunk #2 succeeded at 5405 (offset -2 lines).
Hunk #3 succeeded at 5499 (offset -2 lines).
patching file y.tab.c
Hunk #1 succeeded at 7569 (offset -2 lines).
Hunk #2 succeeded at 7717 (offset -2 lines).
Hunk #3 succeeded at 7811 (offset -2 lines).
root@sestofb10:/media/data/fb/hopo/6.0/poky/build-qemuppc/tmp/work/ppc7400-enea-linux/bash/4.3.30-r0/bash-4.3.30#

But when I add it to the bash recipe and run bitbake I get an error (I guess patch 
-p1 does not work). Do you know how I can solve this issue?
ERROR: bash-4.3.30-r0 do_patch: Command Error: 'quilt --quiltrc 
/data/fb/hopo/6.0/poky/build-qemuppc/tmp/sysroots/x86_64-linux/etc/quiltrc 
push' exited with 1  Output:
Applying patch CVE-2016-0634.patch
can't find file to patch at input line 25
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--
|Bash-Release:  4.3
|Patch-ID:  bash43-047
|
|Bug-Reported-by:   Bernd Dietzel
|Bug-Reference-ID:
|Bug-Reference-URL: 
https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025
|
|Bug-Description:
|
|Bash performs word expansions on the prompt strings after the special
|escape sequences are expanded.  If a malicious user can modify the system
|hostname or change the name of the bash executable and coerce a user into
|executing it, and the new name contains word expansions (including
|command substitution), bash will expand them in prompt strings containing
|the \h or \H and \s escape sequences, respectively.
|
|Patch (apply with `patch -p0')
|
|CVE:  CVE-2016-0634
|Upstream-Status: Backport
|Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
|
|*** ../bash-4.3-patched/parse.y2015-08-13 15:11:54.0 -0400
|--- parse.y2016-03-07 15:44:14.0 -0500
--
No file to patch.  Skipping patch.
3 out of 3 hunks ignored
can't find file to patch at input line 82
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--
|*** ../bash-4.3-patched/y.tab.c2015-08-13 15:11:54.0 -0400
|--- y.tab.c2016-03-07 15:44:14.0 -0500
--


Thanks
//Sona




[OE-core] [PATCH][krogoth] qemu: CVE-2016-3710

2016-09-21 Thread Sona Sarmadi
Fixes an out-of-bounds read/write access flaw which was found
in the way QEMU's VGA emulation with VESA BIOS Extensions (VBE)
support performed read/write operations using I/O port methods.

A privileged guest user could use this flaw to execute arbitrary
code on the host with the privileges of the host's QEMU process.

Reference to upstream fix:
-
https://lists.gnu.org/archive/html/qemu-devel/2016-05/msg01197.html

References:
---
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3710
http://www.openwall.com/lists/oss-security/2016/05/09/3
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-3710

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 .../recipes-devtools/qemu/qemu/CVE-2016-3710.patch | 111 +
 meta/recipes-devtools/qemu/qemu_2.5.0.bb   |   1 +
 2 files changed, 112 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2016-3710.patch

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-3710.patch 
b/meta/recipes-devtools/qemu/qemu/CVE-2016-3710.patch
new file mode 100644
index 000..48b9589
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-3710.patch
@@ -0,0 +1,111 @@
+From 3bf1817079bb0d80c0d8a86a7c7dd0bfe90eb82e Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kra...@redhat.com>
+Date: Tue, 26 Apr 2016 08:49:10 +0200
+Subject: [PATCH] vga: fix banked access bounds checking (CVE-2016-3710)
+
+vga allows banked access to video memory using the window at 0xa0
+and it supports a different access modes with different address
+calculations.
+
+The VBE bochs extentions support banked access too, using the
+VBE_DISPI_INDEX_BANK register.  The code tries to take the different
+address calculations into account and applies different limits to
+VBE_DISPI_INDEX_BANK depending on the current access mode.
+
+Which is probably effective in stopping misprogramming by accident.
+But from a security point of view completely useless as an attacker
+can easily change access modes after setting the bank register.
+
+Drop the bogus check, add range checks to vga_mem_{readb,writeb}
+instead.
+
+Upstream-Status: Backport [from v2.6.0-rc5~1^2~4
+commit: 3bf1817079bb0d80c0d8a86a7c7dd0bfe90eb82e]
+
+Fixes: CVE-2016-3710
+Reported-by: Qinghao Tang <luodalon...@gmail.com>
+Signed-off-by: Gerd Hoffmann <kra...@redhat.com>
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+---
+ hw/display/vga.c | 24 ++--
+ 1 file changed, 18 insertions(+), 6 deletions(-)
+
+diff --git a/hw/display/vga.c b/hw/display/vga.c
+index 657e9f1..b9191ca 100644
+--- a/hw/display/vga.c
 b/hw/display/vga.c
+@@ -179,6 +179,7 @@ static void vga_update_memory_access(VGACommonState *s)
+ size = 0x8000;
+ break;
+ }
++assert(offset + size <= s->vram_size);
+ memory_region_init_alias(>chain4_alias, 
memory_region_owner(>vram),
+  "vga.chain4", >vram, offset, size);
+ memory_region_add_subregion_overlap(s->legacy_address_space, base,
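Review bot: `assert(offset + size <= s->vram_size)` aborts the QEMU process instead of rejecting the mapping, so it must be unreachable from guest input. The VBE_DISPI_INDEX_BANK hunk in this patch sets `s->bank_offset = (val << 16)` from a guest-written value masked with `s->vbe_bank_mask` and then calls `vga_update_memory_access(s)`, the function this assertion sits in; the assertion therefore depends on `vbe_bank_mask` keeping `(val << 16) + size` (size is 0x8000 in the visible case) inside `vram_size`. State that invariant in a comment next to the assert, because if the mask is ever widened the failure mode becomes a guest-triggerable abort of the host process rather than a bounded access.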
+@@ -716,11 +717,7 @@ void vbe_ioport_write_data(void *opaque, uint32_t addr, 
uint32_t val)
+ vbe_fixup_regs(s);
+ break;
+ case VBE_DISPI_INDEX_BANK:
+-if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) {
+-  val &= (s->vbe_bank_mask >> 2);
+-} else {
+-  val &= s->vbe_bank_mask;
+-}
++val &= s->vbe_bank_mask;
+ s->vbe_regs[s->vbe_index] = val;
+ s->bank_offset = (val << 16);
+ vga_update_memory_access(s);
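Review bot: removing the `VBE_DISPI_INDEX_BPP == 4` branch drops the mode-dependent limit on purpose (the commit message explains that the access mode can be changed after the bank register is written, so a per-mode limit protects nothing), but nothing in the code records that reasoning. A one-line comment at `val &= s->vbe_bank_mask;` pointing to the range checks in vga_mem_readb/vga_mem_writeb would keep a later reader from reintroducing a per-mode mask here as a "fix".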
+@@ -819,13 +816,21 @@ uint32_t vga_mem_readb(VGACommonState *s, hwaddr addr)
+ 
+ if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) {
+ /* chain 4 mode : simplest access */
++assert(addr < s->vram_size);
+ ret = s->vram_ptr[addr];
+ } else if (s->gr[VGA_GFX_MODE] & 0x10) {
+ /* odd/even mode (aka text mode mapping) */
+ plane = (s->gr[VGA_GFX_PLANE_READ] & 2) | (addr & 1);
+-ret = s->vram_ptr[((addr & ~1) << 1) | plane];
++addr = ((addr & ~1) << 1) | plane;
++if (addr >= s->vram_size) {
++return 0xff;
++}
++ret = s->vram_ptr[addr];
+ } else {
+ /* standard VGA latched access */
++if (addr * sizeof(uint32_t) >= s->vram_size) {
++return 0xff;
++}
+ s->latch = ((uint32_t *)s->vram_ptr)[addr];
+ 
+ if (!(s->gr[VGA_GFX_MODE] & 0x08)) {
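Review bot: the three access modes in vga_mem_readb now treat an out-of-range `addr` differently: chain-4 mode uses `assert(addr < s->vram_size)` (abort), while odd/even and latched modes return 0xff. If the chain-4 assert is meant to be unreachable because the chain-4 alias is bounded by the assertion added in vga_update_memory_access, say so in a comment; otherwise it should return 0xff like the other two branches, since an abort reachable from a guest-chosen address is a denial of service against the host process. The latched-mode bound `addr * sizeof(uint32_t) >= s->vram_size` matches the `((uint32_t *)s->vram_ptr)[addr]` access that follows, which is correct.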
+@@ -882,6 +887,7 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, 
uint32_t val)
+ plane = addr & 3;
+ mask = (1 << plane);
+ if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) {
++assert(addr < s->vram_size);
+ s->vram_ptr[addr] =

[OE-core] [PATCH][krogoth] dropbear: upgrade to 2016.72

2016-09-14 Thread Sona Sarmadi
The upgrade addresses CVE-2016-3116:

- Validate X11 forwarding input. Could allow bypass of
  authorized_keys command= restrictions,
  found by github.com/tintinweb.
  Thanks for Damien Miller for a patch. CVE-2016-3116

References:
https://matt.ucc.asn.au/dropbear/CHANGES
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3116

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 meta/recipes-core/dropbear/dropbear_2015.71.bb | 5 -
 meta/recipes-core/dropbear/dropbear_2016.72.bb | 4 
 2 files changed, 4 insertions(+), 5 deletions(-)
 delete mode 100644 meta/recipes-core/dropbear/dropbear_2015.71.bb
 create mode 100644 meta/recipes-core/dropbear/dropbear_2016.72.bb

diff --git a/meta/recipes-core/dropbear/dropbear_2015.71.bb 
b/meta/recipes-core/dropbear/dropbear_2015.71.bb
deleted file mode 100644
index 6332579..000
--- a/meta/recipes-core/dropbear/dropbear_2015.71.bb
+++ /dev/null
@@ -1,5 +0,0 @@
-require dropbear.inc
-
-SRC_URI[md5sum] = "2ccc0a2f3e37ca221db12c5af6a88137"
-SRC_URI[sha256sum] = 
"376214169c0e187ee9f48ae1a99b3f835016ad5b98ede4bfd1cf581deba783af"
-
diff --git a/meta/recipes-core/dropbear/dropbear_2016.72.bb 
b/meta/recipes-core/dropbear/dropbear_2016.72.bb
new file mode 100644
index 000..1385efd
--- /dev/null
+++ b/meta/recipes-core/dropbear/dropbear_2016.72.bb
@@ -0,0 +1,4 @@
+require dropbear.inc
+
+SRC_URI[md5sum] = "96226b82725a8cbecad9fc738930d1d2"
+SRC_URI[sha256sum] = 
"9323766d3257699fd7d6e7b282c5a65790864ab32fd09ac73ea3d46c9ca2d681"
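Review bot: the new recipe's only content is `require dropbear.inc` plus the two SRC_URI checksums, and the commit message does not say where the checksums came from. State that they were taken from the upstream 2016.72 release tarball and verified against its published signature, so a reviewer can check them rather than trust the hunk. The commit message should also record the reason a version bump, rather than a backported patch, is acceptable on a stable branch; the list discussion of CVE-2016-3116 made that argument (only the CVE fix between 2015.71 and 2016.72) but the commit does not.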
-- 
1.9.1



Re: [OE-core] CVE-2016-3116: dropbear: X11 forwarding input not validated properly

2016-09-14 Thread Sona Sarmadi
> >> That said, I vote for updating to the version that comes with the
> >> fix.
> >> Backporting fixes should not be the default in the stable yocto
> >> releases; we should trust the upstream more.
> >
> > Taking that argument to the extreme, we should update all versions in
> > the "stable" release to the latest to ensure we get all the fixes. At
> > that point, it becomes no different to master and its not the
> > definition of "stable" which most people want to use.
> 
> But I'm not making this argument at all. What I'm saying, is that master
> branch and stable branches are two different extremes with their own
> problems (one is moving too fast, the other is conservative to a fault), and
> we should try to find a sensible middle ground between them.
> 
> > In this case, its a question of what else changed in dropbear between
> > these versions. Were there a ton of new features or was it just
> > bugfixes? How much risk of other problems is there?
> 
> In this case, the only difference between 2015.71 and 2016.72 is indeed
> the CVE fix commit:
> https://secure.ucc.asn.au/hg/dropbear/graph
> 
> (you need to scroll down some to see it in the graph).


Thanks guys for your feedback. I agree that by default we shouldn't upgrade package 
versions in stable branches as far as possible, but sometimes we have to. If 
there isn't a suitable patch I personally prefer upgrading (only if it is minor 
changes) rather than sticking to a vulnerable version. We have done this in the 
past e.g. for OpenSSL (from 1.0.1x to 1.0.1y). 

I will do some investigation to find out if 
https://secure.ucc.asn.au/hg/dropbear/rev/a3e8389e01ff 
is the fix for CVE-2016-3116 (by quick analysis it looks like the right patch) and 
use that patch and NOT upgrade the dropbear version in krogoth !!

Thanks
//Sona


[OE-core] CVE-2016-3116: dropbear: X11 forwarding input not validated properly

2016-09-14 Thread Sona Sarmadi
Hi guys,

I need your advice on how to address this CVE in krogoth (master is not affected)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3116

I couldn't find a patch for this specific CVE in dropbear git or anywhere 
else; if we want to address this issue it seems that we need to update the 
dropbear version in krogoth to "2016.72". Is this ok?

Dropbear version in krogoth is 2015.71:
http://git.yoctoproject.org/cgit/cgit.cgi/poky/tree/meta/recipes-core/dropbear?h=krogoth
dropbear_2015.71.bb


https://matt.ucc.asn.au/dropbear/CHANGES
.
2016.72 - 9 March 2016   <<< dropbear version in which this CVE has been fixed
- Validate X11 forwarding input. Could allow bypass of authorized_keys command= 
restrictions,
  found by github.com/tintinweb. Thanks for Damien Miller for a patch. 
CVE-2016-3116

2015.71 - 3 December 2015   dropbear version in krogoth
.

Looking at the dropbear git repo I see some more commits between these versions, but 
the CHANGES file doesn't mention them, so probably these are minor changes.

Thanks
//Sona


[OE-core] [PATCH][krogoth] curl: security fix for CVE-2016-7141

2016-09-08 Thread Sona Sarmadi
Affected versions: libcurl 7.19.6 to and including 7.50.1
Not affected versions: libcurl >= 7.50.2

Reference to upstream patch:
https://curl.haxx.se/CVE-2016-7141.patch

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 meta/recipes-support/curl/curl/CVE-2016-7141.patch | 50 ++
 meta/recipes-support/curl/curl_7.47.1.bb   |  1 +
 2 files changed, 51 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2016-7141.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2016-7141.patch 
b/meta/recipes-support/curl/curl/CVE-2016-7141.patch
new file mode 100644
index 000..eb03afd
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-7141.patch
@@ -0,0 +1,50 @@
+From 7700fcba64bf5806de28f6c1c7da3b4f0b38567d Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdu...@redhat.com>
+Date: Mon, 22 Aug 2016 10:24:35 +0200
+Subject: [PATCH] nss: refuse previously loaded certificate from file
+
+... when we are not asked to use a certificate from file
+
+Bug: https://curl.haxx.se/docs/adv_20160907.html
+Reported-by: kdu...@redhat.com
+
+Upstream-Status: Backport
+https://curl.haxx.se/CVE-2016-5421.patch
+
+CVE: CVE-2016-7141
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+---
+ lib/vtls/nss.c | 8 +++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
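Review bot: the Upstream-Status line in this patch header points at https://curl.haxx.se/CVE-2016-5421.patch, but the CVE: tag two lines below and the commit message both cite CVE-2016-7141, whose upstream patch is https://curl.haxx.se/CVE-2016-7141.patch. Correct the URL; as written the header attributes the backport to the wrong advisory, which matters to anyone auditing which CVEs the curl_7.47.1 recipe actually carries.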
+diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
+index 20c4277..cfb2263 100644
+--- a/lib/vtls/nss.c
 b/lib/vtls/nss.c
+@@ -1002,10 +1002,10 @@ static SECStatus SelectClientCert(void *arg, 
PRFileDesc *sock,
+   struct ssl_connect_data *connssl = (struct ssl_connect_data *)arg;
+   struct Curl_easy *data = connssl->data;
+   const char *nickname = connssl->client_nickname;
++  static const char pem_slotname[] = "PEM Token #1";
+
+   if(connssl->obj_clicert) {
+ /* use the cert/key provided by PEM reader */
+-static const char pem_slotname[] = "PEM Token #1";
+ SECItem cert_der = { 0, NULL, 0 };
+ void *proto_win = SSL_RevealPinArg(sock);
+ struct CERTCertificateStr *cert;
+@@ -1067,6 +1067,12 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc 
*sock,
+   if(NULL == nickname)
+ nickname = "[unknown]";
+
++  if(!strncmp(nickname, pem_slotname, sizeof(pem_slotname) - 1U)) {
++failf(data, "NSS: refusing previously loaded certificate from file: %s",
++  nickname);
++return SECFailure;
++  }
++
+   if(NULL == *pRetKey) {
+ failf(data, "NSS: private key not found for certificate: %s", nickname);
+ return SECFailure;
+--
+2.7.4
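Review bot: the new check `strncmp(nickname, pem_slotname, sizeof(pem_slotname) - 1U)` refuses any client nickname with the prefix "PEM Token #1" when `connssl->obj_clicert` is not set, which is the intended fix: a certificate loaded earlier from a file must not be selected for a connection that did not ask for one. Two small points: `pem_slotname` had to move to function scope for this, so the comment "use the cert/key provided by PEM reader" in the first hunk no longer explains why the constant exists; and the failf message could name the refused slot prefix, so that a user whose NSS database legitimately contains such a nickname understands why it was rejected.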
diff --git a/meta/recipes-support/curl/curl_7.47.1.bb 
b/meta/recipes-support/curl/curl_7.47.1.bb
index 6c71760..3670a11 100644
--- a/meta/recipes-support/curl/curl_7.47.1.bb
+++ b/meta/recipes-support/curl/curl_7.47.1.bb
@@ -14,6 +14,7 @@ SRC_URI += " file://configure_ac.patch \
  file://CVE-2016-5419.patch \
  file://CVE-2016-5420.patch \
  file://CVE-2016-5421.patch \
+ file://CVE-2016-7141.patch \
"
 
 SRC_URI[md5sum] = "9ea3123449439bbd960cd25cf98796fb"
-- 
1.9.1



Re: [OE-core] [PATCH][krogoth] sudo: CVE-2015-8239

2016-08-09 Thread Sona Sarmadi
Hi Ross,

This seems to be fixed in master. I checked the code.

//Sona

From: Burton, Ross [mailto:ross.bur...@intel.com]
Sent: den 9 augusti 2016 13:54
To: Sona Sarmadi <sona.sarm...@enea.com>
Cc: OE-core <openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core] [PATCH][krogoth] sudo: CVE-2015-8239


On 9 August 2016 at 12:04, Sona Sarmadi <sona.sarm...@enea.com> wrote:
Fixes race condition when checking digests in sudoers.

Reference:
http://seclists.org/oss-sec/2015/q4/327

Reference to upstream fixes:
https://www.sudo.ws/repos/sudo/raw-rev/397722cdd7ec
https://www.sudo.ws/repos/sudo/raw-rev/0cd3cc8fa195

Is this applicable to master too, and should we backport it to jethro?

Ross


[OE-core] [PATCH][krogoth] sudo: CVE-2015-8239

2016-08-09 Thread Sona Sarmadi
Fixes race condition when checking digests in sudoers.

Reference:
http://seclists.org/oss-sec/2015/q4/327

Reference to upstream fixes:
https://www.sudo.ws/repos/sudo/raw-rev/397722cdd7ec
https://www.sudo.ws/repos/sudo/raw-rev/0cd3cc8fa195

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 .../sudo/sudo/CVE-2015-8239-1.patch| 699 +
 .../sudo/sudo/CVE-2015-8239-2.patch|  45 ++
 meta/recipes-extended/sudo/sudo_1.8.15.bb  |   2 +
 3 files changed, 746 insertions(+)
 create mode 100644 meta/recipes-extended/sudo/sudo/CVE-2015-8239-1.patch
 create mode 100644 meta/recipes-extended/sudo/sudo/CVE-2015-8239-2.patch

diff --git a/meta/recipes-extended/sudo/sudo/CVE-2015-8239-1.patch 
b/meta/recipes-extended/sudo/sudo/CVE-2015-8239-1.patch
new file mode 100644
index 000..582c0bf
--- /dev/null
+++ b/meta/recipes-extended/sudo/sudo/CVE-2015-8239-1.patch
@@ -0,0 +1,699 @@
+# HG changeset patch
+# User Todd C. Miller <todd.mil...@courtesan.com>
+# Date 1451928918 25200
+# Node ID 397722cdd7eceef0aec561909418215e275ccd44
+# Parent  33272418bb10ee780184dbd2d966a4e5c3bc597e
+Add support for using fexecve() if supported on commands that are
+checksummed.
+
+Reference to upstream patch:
+https://www.sudo.ws/repos/sudo/rev/397722cdd7ec
+
+CVE: CVE-2015-8239
+Upstream-Status: Backport
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+---
+diff -ruN a/configure b/configure
+--- a/configure2015-11-01 00:35:24.0 +0100
 b/configure2016-08-08 12:56:03.441681854 +0200
+@@ -2650,6 +2650,7 @@
+ as_fn_append ac_header_list " sys/select.h"
+ as_fn_append ac_header_list " sys/stropts.h"
+ as_fn_append ac_header_list " sys/sysmacros.h"
++as_fn_append ac_func_list " fexecve"
+ as_fn_append ac_func_list " killpg"
+ as_fn_append ac_func_list " nl_langinfo"
+ as_fn_append ac_func_list " strftime"
+@@ -18078,6 +18079,8 @@
+ 
+ 
+ 
++
++
+ for ac_func in getgrouplist
+ do :
+   ac_fn_c_check_func "$LINENO" "getgrouplist" "ac_cv_func_getgrouplist"
+@@ -19903,8 +19906,8 @@
+ fi
+ done
+ 
+-# Check for fexecve, posix_spawn, and posix_spawnp
+-for ac_func in fexecve posix_spawn posix_spawnp
++# Check for posix_spawn, and posix_spawnp
++for ac_func in posix_spawn posix_spawnp
+ do :
+   as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
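Review bot: these hunks hand-edit the generated configure script to mirror the configure.ac change (fexecve moved from the `with_noexec` block into the once-only function list). If the sudo recipe regenerates configure with autoreconf, the configure hunks are discarded at build time and only the configure.ac hunks matter; if it does not, the two must be kept in sync by hand. The commit message should say which applies, and the hunk at @@ -18078 that only inserts two blank lines is regeneration noise that can be dropped either way.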
+diff -ruN a/configure.ac b/configure.ac
+--- a/configure.ac 2016-08-08 12:55:08.78102 +0200
 b/configure.ac 2016-08-08 12:56:03.445681547 +0200
+@@ -1,7 +1,7 @@
+ dnl
+ dnl Use the top-level autogen.sh script to generate configure and config.h.in
+ dnl
+-dnl Copyright (c) 1994-1996,1998-2015 Todd C. Miller 
<todd.mil...@courtesan.com>
++dnl Copyright (c) 1994-1996,1998-2016 Todd C. Miller 
<todd.mil...@courtesan.com>
+ dnl
+ AC_PREREQ([2.59])
+ AC_INIT([sudo], [1.8.15], [http://www.sudo.ws/bugs/], [sudo])
+@@ -2384,7 +2384,7 @@
+ dnl Function checks
+ dnl
+ AC_FUNC_GETGROUPS
+-AC_CHECK_FUNCS_ONCE([killpg nl_langinfo strftime pread pwrite openat])
++AC_CHECK_FUNCS_ONCE([fexecve killpg nl_langinfo strftime pread pwrite openat])
+ AC_CHECK_FUNCS([getgrouplist], [], [
+ case "$host_os" in
+ aix*)
+@@ -2676,8 +2676,8 @@
+ if test X"$with_noexec" != X"no"; then
+ # Check for non-standard exec functions
+ AC_CHECK_FUNCS([exect execvP execvpe])
+-# Check for fexecve, posix_spawn, and posix_spawnp
+-AC_CHECK_FUNCS([fexecve posix_spawn posix_spawnp])
++# Check for posix_spawn, and posix_spawnp
++AC_CHECK_FUNCS([posix_spawn posix_spawnp])
+ fi
+ 
+ dnl
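Review bot: moving `fexecve` out of `AC_CHECK_FUNCS([fexecve posix_spawn posix_spawnp])` inside the `with_noexec` block and into `AC_CHECK_FUNCS_ONCE` is the substantive change in this file: HAVE_FEXECVE is now defined regardless of --with-noexec, which the digest-checked exec path needs. Minor: the rewritten comment "Check for posix_spawn, and posix_spawnp" keeps a stray comma from the three-item original.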
+diff -ruN a/doc/sudoers.cat b/doc/sudoers.cat
+--- a/doc/sudoers.cat  2016-08-08 12:55:08.78102 +0200
 b/doc/sudoers.cat  2016-08-08 12:56:03.445681547 +0200
+@@ -410,6 +410,13 @@
+  $ openssl dgst -binary -sha224 /bin/ls | openssl base64
+  EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==
+ 
++ Warning, if the user has write access to the command itself (directly or
++ via a sudo command), it may be possible for the user to replace the
++ command after the digest check has been performed but before the command
++ is executed.  A similar race condition exists on systems that lack the
++ fexecve(2) system call when the directory in which the command is located
++ is writable by the user.
++
+  Command digests are only supported by version 1.8.7 or higher.
+ 
+DDeeffaauullttss
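Review bot: the added documentation is explicit that this is a mitigation with a residual race: if the user can write to the command itself, or on systems without fexecve(2) to the directory containing it, the command can still be replaced between the digest check and execution. The commit message ("Add support for using fexecve() if supported on commands that are checksummed") should say the same, so that CVE-2015-8239 is not recorded as fully closed on targets whose libc lacks fexecve. sudoers.cat is generated from the mdoc source, so this hunk must match the sudoers.man.in hunk that follows it.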
+diff -ruN a/doc/sudoers.man.in b/doc/sudoers.man.in
+--- a/doc/sudoers.man.in   2016-08-08 12:55:08.78102 +0200
 b/doc/sudoers.man.in   2016-08-08 12:56:03.445681547 +0200
+@@ -1,7 +1,7 @@
+ .\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
+ .\" IT IS GENERATED AUTOMATICALLY FROM sudoers.mdoc.in
+ .\"

[OE-core] [PATCH v2] bind: CVE-2016-1285 CVE-2016-1286

2016-04-13 Thread Sona Sarmadi
Fixes following vulnerabilities:
CVE-2016-1285 bind: malformed packet sent to rndc can trigger assertion failure
CVE-2016-1286 bind: malformed signature records for DNAME records can
trigger assertion failure

[YOCTO #9400]

External References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1285
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1286
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1285
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1286

References to the Upstream commits and Security Advisories:
===
CVE-2016-1285: https://kb.isc.org/article/AA-01352
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch;
h=70037e040e587329cec82123e12b9f4f7c945f67

CVE-2016-1286_1: https://kb.isc.org/article/AA-01353
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch;
h=a3d327bf1ceaaeabb20223d8de85166e940b9f12

CVE-2016-1286_2: https://kb.isc.org/article/AA-01353
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch;
h=7602be276a73a6eb5431c5acd9718e68a55e8b61

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 .../bind/bind/CVE-2016-1285.patch  | 154 ++
 .../bind/bind/CVE-2016-1286_1.patch|  79 ++
 .../bind/bind/CVE-2016-1286_2.patch| 314 +
 meta/recipes-connectivity/bind/bind_9.10.3-P3.bb   |   3 +
 4 files changed, 550 insertions(+)
 create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch
 create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch
 create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2016-1286_2.patch

diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch 
b/meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch
new file mode 100644
index 000..2149bd1
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch
@@ -0,0 +1,154 @@
+From 70037e040e587329cec82123e12b9f4f7c945f67 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <ma...@isc.org>
+Date: Thu, 18 Feb 2016 12:11:27 +1100
+Subject: [PATCH] 4318.   [security]  Malformed control messages can
+ trigger assertions in named and rndc. (CVE-2016-1285)
+ [RT #41666]
+
+(cherry picked from commit a2b15b3305acd52179e6f3dc7d073b07fbc40b8e)
+
+CVE: CVE-2016-1285
+Upstream-Status: Backport
+[Removed doc/arm/notes.xml changes from upstream patch]
+
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+---
+ CHANGES |  3 +++
+ bin/named/control.c |  2 +-
+ bin/named/controlconf.c |  2 +-
+ bin/rndc/rndc.c |  8 
+ doc/arm/notes.xml   | 11 +++
+ lib/isccc/cc.c  | 14 +++---
+ 6 files changed, 27 insertions(+), 13 deletions(-)
+
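Review bot: the header says "[Removed doc/arm/notes.xml changes from upstream patch]", but the diffstat still lists `doc/arm/notes.xml | 11 +++` and "6 files changed, 27 insertions(+), 13 deletions(-)". The stat is informational and does not affect quilt, but it now misdescribes the patch; regenerate it (git diff --stat on the trimmed patch) so the counts match the hunks actually carried.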
+diff --git a/CHANGES b/CHANGES
+index b9bd9ef..2c727d5 100644
+--- a/CHANGES
 b/CHANGES
+@@ -1,3 +1,6 @@
++4318. [security]  Malformed control messages can trigger assertions
++  in named and rndc. (CVE-2016-1285) [RT #41666]
++
+   --- 9.10.3-P3 released ---
+ 
+ 4288. [bug]   Fixed a regression in resolver.c:possibly_mark()
+diff --git a/bin/named/control.c b/bin/named/control.c
+index 8554335..81340ca 100644
+--- a/bin/named/control.c
 b/bin/named/control.c
+@@ -69,7 +69,7 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t 
*text) {
+ #endif
+ 
+   data = isccc_alist_lookup(message, "_data");
+-  if (data == NULL) {
++  if (!isccc_alist_alistp(data)) {
+   /*
+* No data section.
+*/
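Review bot: `if (!isccc_alist_alistp(data))` replaces `if (data == NULL)`, so the new predicate must itself treat a NULL result from `isccc_alist_lookup(message, "_data")` as "not an alist"; please confirm that it does, otherwise the NULL case just moves the crash into the predicate. The comment directly below, "No data section.", now also covers the case this CVE is about, a `_data` entry that is present but not an alist; change it to "No data section, or not an alist" so the malformed-message case is visible to the reader.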
+diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c
+index 765afdd..a39ab8b 100644
+--- a/bin/named/controlconf.c
 b/bin/named/controlconf.c
+@@ -402,7 +402,7 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
+* Limit exposure to replay attacks.
+*/
+   _ctrl = isccc_alist_lookup(request, "_ctrl");
+-  if (_ctrl == NULL) {
++  if (!isccc_alist_alistp(_ctrl)) {
+   log_invalid(>ccmsg, ISC_R_FAILURE);
+   goto cleanup_request;
+   }
+diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c
+index cb17050..b6e05c8 100644
+--- a/bin/rndc/rndc.c
 b/bin/rndc/rndc.c
+@@ -255,8 +255,8 @@ rndc_recvdone(isc_task_t *task, isc_event_t *event) {
+  isccc_cc_fromwire(, , algorithm, ));
+ 
+   data = isccc_alist_lookup(response, "_data");
+-  if (data == NULL)
+-  fatal("no data section in response");
++  if (!isccc_alist_alistp(data))
++  fatal("bad or missing data section in response");
+   result = isccc_cc_lookupstring(data, "err", );
+   if (result == ISC_R_SUCCESS) {
+   failed = ISC_TRUE;
+@@ -321,8 +321,8 @@ rndc_recvnonce(isc_task_t *task, isc_event_t *event) {
+  isccc_cc_fromwire(, , algorithm, ));
+ 
+   _ctrl = isccc_alist_lookup(response, 

Re: [OE-core] [PATCH][fido] bind: CVE-2016-1285 CVE-2016-1286

2016-04-12 Thread Sona Sarmadi
Yes, they are all tested (build bind and boot core image), but I sent the old 
patch; sorry about this ☹

From: Burton, Ross [mailto:ross.bur...@intel.com]
Sent: den 12 april 2016 13:18
To: Sona Sarmadi <sona.sarm...@enea.com>
Cc: Joshua G Lock <joshua.g.l...@linux.intel.com>; 
openembedded-core@lists.openembedded.org
Subject: Re: [OE-core] [PATCH][fido] bind: CVE-2016-1285 CVE-2016-1286


On 12 April 2016 at 12:11, Sona Sarmadi <sona.sarm...@enea.com> wrote:
I guess you need this patch: 
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch;h=a078c9eeae8c2db7edf2b15ff1d25a3a297c751

Was this patch not build-tested then?  Were any of the bind patches 
build-tested?

Ross


Re: [OE-core] [PATCH][fido] bind: CVE-2016-1285 CVE-2016-1286

2016-04-12 Thread Sona Sarmadi
I guess you need this patch: 
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch;h=a078c9eeae8c2db7edf2b15ff1d25a3a297c751

Can I send you a new patch or can you add this? 


> Unfortunately I can't build bind with this patch applied:
> 
> | cc.c: In function 'verify':
> | cc.c:293:27: error: 'hmac' undeclared (first use in this function)
> |   if (!isccc_sexpr_binaryp(hmac))
> |^
> | cc.c:293:27: note: each undeclared identifier is reported only once
> for each function it appears in
> | make[2]: *** [cc.o] Error 1
> 
> Based on a quick skim read of the patches I think this is caused by CVE-
> 2016-1285.patch:
> 



Re: [OE-core] [PATCH] bind: Upgrade 9.10.3-P3 -> 9.10.3-P4

2016-04-12 Thread Sona Sarmadi
Sure, I can try ☺

From: Burton, Ross [mailto:ross.bur...@intel.com]
Sent: den 12 april 2016 12:19
To: Sona Sarmadi <sona.sarm...@enea.com>
Cc: OE-core <openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core] [PATCH] bind: Upgrade 9.10.3-P3 -> 9.10.3-P4


On 12 April 2016 at 11:13, Sona Sarmadi <sona.sarm...@enea.com> wrote:
The upgrade addresses the following vulnerabilities:
   CVE-2016-1285
   CVE-2016-1286
   CVE-2016-2088

Fixes [YOCTO #9400 and #9438].

References:
https://kb.isc.org/article/AA-01352
https://kb.isc.org/article/AA-01353
https://kb.isc.org/article/AA-01351

Far too late for upgrades in master, can you fix the CVEs as patches please?

Ross


[OE-core] [PATCH] bind: Upgrade 9.10.3-P3 -> 9.10.3-P4

2016-04-12 Thread Sona Sarmadi
The upgrade addresses the following vulnerabilities:
   CVE-2016-1285
   CVE-2016-1286
   CVE-2016-2088

Fixes [YOCTO #9400 and #9438].

References:
https://kb.isc.org/article/AA-01352
https://kb.isc.org/article/AA-01353
https://kb.isc.org/article/AA-01351

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 .../bind/{bind_9.10.3-P3.bb => bind_9.10.3-P4.bb}   | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
 rename meta/recipes-connectivity/bind/{bind_9.10.3-P3.bb => bind_9.10.3-P4.bb} 
(94%)

diff --git a/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb 
b/meta/recipes-connectivity/bind/bind_9.10.3-P4.bb
similarity index 94%
rename from meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
rename to meta/recipes-connectivity/bind/bind_9.10.3-P4.bb
index fa057d5..cc124a9 100644
--- a/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
+++ b/meta/recipes-connectivity/bind/bind_9.10.3-P4.bb
@@ -3,7 +3,7 @@ HOMEPAGE = "http://www.isc.org/sw/bind/;
 SECTION = "console/network"
 
 LICENSE = "ISC & BSD"
-LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=0a95f52a0ab6c5f52dedc9a45e7abb3f"
+LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=98ba6d57f5b0e3d7819990c4166b3e52"
 
 DEPENDS = "openssl libcap"
 
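Review bot: `LIC_FILES_CHKSUM` changes from md5 0a95f52a... to 98ba6d57..., which means the COPYRIGHT file differs between 9.10.3-P3 and 9.10.3-P4, but the commit message does not say what changed in it. State it (typically a copyright-year update with the license terms unchanged), because a checksum bump with no explanation is indistinguishable from a license change to a reviewer.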
@@ -23,8 +23,8 @@ SRC_URI = 
"ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
file://0001-lib-dns-gen.c-fix-too-long-error.patch \
"
 
-SRC_URI[md5sum] = "bcf7e772b616f7259420a3edc5df350a"
-SRC_URI[sha256sum] = 
"690810d1fbb72afa629e74638d19cd44e28d2b2e5eb63f55c705ad85d1a4cb83"
+SRC_URI[md5sum] = "173ce5e83e9ba31f8368367ee1ff7807"
+SRC_URI[sha256sum] = 
"2ac044b5fbdf45fb45107af0df961b3b7cb5262a3bf1948ed3fe7a170dd13e3e"
 
 ENABLE_IPV6 = "--enable-ipv6=${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 
'yes', 'no', d)}"
 EXTRA_OECONF = " ${ENABLE_IPV6} --with-randomdev=/dev/random --disable-threads 
\
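Review bot: the new SRC_URI md5sum/sha256sum values should be stated as taken from the upstream 9.10.3-P4 tarball and checked against ISC's published hashes, not just computed on whatever was downloaded; the commit message lists the advisories but not the checksum source.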
-- 
1.9.1



[OE-core] [PATCH][jethro] bind: CVE-2016-1285 CVE-2016-1286

2016-04-12 Thread Sona Sarmadi
CVE-2016-1285 bind: malformed packet sent to rndc can trigger assertion failure
CVE-2016-1286 bind: malformed signature records for DNAME records can
trigger assertion failure

[YOCTO #9400]

External References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1285
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1286
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1285
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1286

References to the Upstream commits and Security Advisories:

CVE-2016-1285: https://kb.isc.org/article/AA-01352
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch;
h=e7e15d1302b26a96fa0a5307d6f2cb0d8ad4ea63

CVE-2016-1286: https://kb.isc.org/article/AA-01353
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch;
h=456e1eadd2a3a2fb9617e60d4db90ef4ba7c6ba3

https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch;
h=499952eb459c9a41d2092f1d98899c131f9103b2

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 .../bind/bind/CVE-2016-1285.patch  | 138 +
 .../bind/bind/CVE-2016-1286_1.patch|  79 +
 .../bind/bind/CVE-2016-1286_2.patch| 318 +
 meta/recipes-connectivity/bind/bind_9.10.2-P4.bb   |   3 +
 4 files changed, 538 insertions(+)
 create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch
 create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch
 create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2016-1286_2.patch

diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch 
b/meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch
new file mode 100644
index 000..f73f642
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch
@@ -0,0 +1,138 @@
+From e7e15d1302b26a96fa0a5307d6f2cb0d8ad4ea63 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <ma...@isc.org>
+Date: Thu, 18 Feb 2016 12:11:27 +1100
+Subject: [PATCH] 4318. [security] Malformed control messages can
+trigger assertions in named and rndc. (CVE-2016-1285) [RT #41666]
+
+(cherry picked from commit a2b15b3305acd52179e6f3dc7d073b07fbc40b8e)
+
+Hand applied Changelog changes.
+
+CVE: CVE-2016-1285
+Upstream-Status: Backport
+
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+---
+diff -ruN a/bin/named/control.c b/bin/named/control.c
+--- a/bin/named/control.c  2015-08-15 02:28:49.0 +0200
 b/bin/named/control.c  2016-04-11 09:38:20.940827528 +0200
+@@ -69,7 +69,7 @@
+ #endif
+ 
+   data = isccc_alist_lookup(message, "_data");
+-  if (data == NULL) {
++  if (!isccc_alist_alistp(data)) {
+   /*
+* No data section.
+*/
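Review bot: the comment directly under the new check, "No data section.", is now incomplete: `!isccc_alist_alistp(data)` also rejects a `_data` entry that is present but is not an alist, which is the malformed-message case this CVE is about, so reword it to "No data section, or not an alist." This hunk and the controlconf.c hunk below both drop the explicit `== NULL` test, so the patch relies on isccc_alist_alistp() returning false for a NULL argument; confirm that in lib/isccc before merging. Note also that the body is a `diff -ruN` between local trees with 2016-04-11 timestamps rather than the upstream commit named in the `From e7e15d13...` header, so that hash is a provenance pointer, not what this file was generated from.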
+diff -ruN a/bin/named/controlconf.c b/bin/named/controlconf.c
+--- a/bin/named/controlconf.c  2015-08-15 02:28:49.0 +0200
 b/bin/named/controlconf.c  2016-04-11 09:38:20.944827355 +0200
+@@ -402,7 +402,7 @@
+* Limit exposure to replay attacks.
+*/
+   _ctrl = isccc_alist_lookup(request, "_ctrl");
+-  if (_ctrl == NULL) {
++  if (!isccc_alist_alistp(_ctrl)) {
+   log_invalid(>ccmsg, ISC_R_FAILURE);
+   goto cleanup_request;
+   }
+diff -ruN a/bin/rndc/rndc.c b/bin/rndc/rndc.c
+--- a/bin/rndc/rndc.c  2015-08-15 02:28:49.0 +0200
 b/bin/rndc/rndc.c  2016-04-11 09:38:20.944827355 +0200
+@@ -254,8 +254,8 @@
+  isccc_cc_fromwire(, , algorithm, ));
+ 
+   data = isccc_alist_lookup(response, "_data");
+-  if (data == NULL)
+-  fatal("no data section in response");
++  if (!isccc_alist_alistp(data))
++  fatal("bad or missing data section in response");
+   result = isccc_cc_lookupstring(data, "err", );
+   if (result == ISC_R_SUCCESS) {
+   failed = ISC_TRUE;
+@@ -320,8 +320,8 @@
+  isccc_cc_fromwire(, , algorithm, ));
+ 
+   _ctrl = isccc_alist_lookup(response, "_ctrl");
+-  if (_ctrl == NULL)
+-  fatal("_ctrl section missing");
++  if (!isccc_alist_alistp(_ctrl))
++  fatal("bad or missing ctrl section in response");
+   nonce = 0;
+   if (isccc_cc_lookupuint32(_ctrl, "_nonce", ) != ISC_R_SUCCESS)
+   nonce = 0;
+diff -ruN a/CHANGES b/CHANGES
+--- a/CHANGES  2016-04-11 09:36:08.546578759 +0200
 b/CHANGES  2016-04-11 09:39:59.356552273 +0200
+@@ -1,3 +1,6 @@
++4318.  [security]  Malformed control messages can trigger assertions
++   in named and rndc. (CVE-2016-1285) [RT #41666]
++
+ 4146.  [bug]   Address reference leak that could prevent a clean
+shutdown. [RT #37125]
+ 
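Review bot: this hand-applied CHANGES hunk inserts entry 4318 above 4146 at the top of the file, the spot every later CHANGES backport also targets, so it will conflict on the next bind security update to jethro; the dizzy and fido copies of this same fix skip CHANGES and doc/arm/notes.xml. Pick one convention for the stable branches, preferably dropping the metadata-only hunks.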
+diff -ruN a/lib/isccc/cc.c b/lib/isccc/cc.c
+--- a/lib/isccc/cc.c   2015-08-15 02:28:49.0 +0200
 b/lib/isccc/cc.c   2016-04-11 09:38:20.944827355 +0200
+@@ -403,13 +403,1

[OE-core] [PATCH][dizzy] bind: CVE-2016-1285 CVE-2016-1286

2016-04-08 Thread Sona Sarmadi
CVE-2016-1285 bind: malformed packet sent to rndc can trigger assertion failure
CVE-2016-1286 bind: malformed signature records for DNAME records can
trigger assertion failure

[YOCTO #9400]

External References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1285
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1286
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1285
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1286

References to the Upstream commits and Security Advisories:

CVE-2016-1285: https://kb.isc.org/article/AA-01352
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch;
h=31e4657cf246e41d4c5c890315cb6cf89a0db25a

CVE-2016-1286_1: https://kb.isc.org/article/AA-01353
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch;
h=76c3c9fe9f3f1353b47214b8f98b3d7f53e10bc7

CVE-2016-1286_2: https://kb.isc.org/article/AA-01353
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch;
h=ce3cd91caee698cb144e1350c6c78292c6be6339

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 .../bind/bind/CVE-2016-1285.patch  | 141 +
 .../bind/bind/CVE-2016-1286_1.patch|  78 +
 .../bind/bind/CVE-2016-1286_2.patch| 318 +
 .../bind/bind/fix-typo-in-CVE-2016-1285.patch  |  31 ++
 meta/recipes-connectivity/bind/bind_9.9.5.bb   |   4 +
 5 files changed, 572 insertions(+)
 create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch
 create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch
 create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2016-1286_2.patch
 create mode 100644 meta/recipes-connectivity/bind/bind/fix-typo-in-CVE-2016-1285.patch

diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch 
b/meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch
new file mode 100644
index 000..638ac23
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch
@@ -0,0 +1,141 @@
+From 31e4657cf246e41d4c5c890315cb6cf89a0db25a Mon Sep 17 00:00:00 2001
+From: Mark Andrews <ma...@isc.org>
+Date: Thu, 18 Feb 2016 12:11:27 +1100
+Subject: [PATCH] 4318. [security] Malformed control messages can
+trigger assertions in named and rndc. (CVE-2016-1285) [RT #41666]
+
+(cherry picked from commit a2b15b3305acd52179e6f3dc7d073b07fbc40b8e)
+
+CVE: CVE-2016-1285
+Upstream-Status: Backport
+
+[Skipped CHANGES and doc/arm/notes.xml changes.]
+
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+---
+ CHANGES |  3 +++
+ bin/named/control.c |  2 +-
+ bin/named/controlconf.c |  2 +-
+ bin/rndc/rndc.c |  8 
+ doc/arm/notes.xml   |  8 
+ lib/isccc/cc.c  | 14 +++---
+ 6 files changed, 24 insertions(+), 13 deletions(-)
+
+diff --git a/bin/named/control.c b/bin/named/control.c
+index 01fbe35..b1b744f 100644
+--- a/bin/named/control.c
 b/bin/named/control.c
+@@ -89,7 +89,7 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t 
*text) {
+ #endif
+ 
+   data = isccc_alist_lookup(message, "_data");
+-  if (data == NULL) {
++  if (!isccc_alist_alistp(data)) {
+   /*
+* No data section.
+*/
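Review bot: the header says "[Skipped CHANGES and doc/arm/notes.xml changes.]" but the diffstat above it still lists CHANGES, doc/arm/notes.xml and "6 files changed, 24 insertions(+), 13 deletions(-)"; regenerate or delete the stat so it describes what the file actually contains. Separately, the series diffstat adds fix-typo-in-CVE-2016-1285.patch as a fourth patch: a typo fix to a patch we carry ourselves belongs folded into CVE-2016-1285.patch, not shipped as a follow-up that depends on it.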
+diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c
+index 95feaf5..31bdc48 100644
+--- a/bin/named/controlconf.c
 b/bin/named/controlconf.c
+@@ -397,7 +397,7 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
+* Limit exposure to replay attacks.
+*/
+   _ctrl = isccc_alist_lookup(request, "_ctrl");
+-  if (_ctrl == NULL) {
++  if (!isccc_alist_alistp(_ctrl)) {
+   log_invalid(>ccmsg, ISC_R_FAILURE);
+   goto cleanup_request;
+   }
+diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c
+index c7d8fe1..ba3ac3a 100644
+--- a/bin/rndc/rndc.c
 b/bin/rndc/rndc.c
+@@ -249,8 +249,8 @@ rndc_recvdone(isc_task_t *task, isc_event_t *event) {
+   DO("parse message", isccc_cc_fromwire(, , ));
+ 
+   data = isccc_alist_lookup(response, "_data");
+-  if (data == NULL)
+-  fatal("no data section in response");
++  if (!isccc_alist_alistp(data))
++  fatal("bad or missing data section in response");
+   result = isccc_cc_lookupstring(data, "err", );
+   if (result == ISC_R_SUCCESS) {
+   failed = ISC_TRUE;
+@@ -313,8 +313,8 @@ rndc_recvnonce(isc_task_t *task, isc_event_t *event) {
+   DO("parse message", isccc_cc_fromwire(, , ));
+ 
+   _ctrl = isccc_alist_lookup(response, "_ctrl");
+-  if (_ctrl == NULL)
+-  fatal("_ctrl section missing");
++  if (!isccc_alist_alistp(_ctrl))
++  fatal("bad or missing ctrl section in response");
+   nonce = 0;
+   if (isccc_cc_lookupuint32(_ctrl, "_nonce", ) != ISC_R_SUCCESS)
+

[OE-core] [PATCH][fido] bind: CVE-2016-1285 CVE-2016-1286

2016-04-07 Thread Sona Sarmadi
CVE-2016-1285 bind: malformed packet sent to rndc can trigger assertion failure
CVE-2016-1286 bind: malformed signature records for DNAME records can
trigger assertion failure

[YOCTO #9400]

External References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1285
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1286
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1285
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1286

References to the Upstream commits and Security Advisories:

CVE-2016-1285: https://kb.isc.org/article/AA-01352
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch;
h=31e4657cf246e41d4c5c890315cb6cf89a0db25a

CVE-2016-1286_1: https://kb.isc.org/article/AA-01353
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch;
h=76c3c9fe9f3f1353b47214b8f98b3d7f53e10bc7

CVE-2016-1286_2: https://kb.isc.org/article/AA-01353
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch;
h=ce3cd91caee698cb144e1350c6c78292c6be6339

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 .../bind/bind/CVE-2016-1285.patch  | 141 +
 .../bind/bind/CVE-2016-1286_1.patch|  78 +
 .../bind/bind/CVE-2016-1286_2.patch| 318 +
 meta/recipes-connectivity/bind/bind_9.9.5.bb   |   3 +
 4 files changed, 540 insertions(+)
 create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch
 create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch
 create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2016-1286_2.patch

diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch 
b/meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch
new file mode 100644
index 000..638ac23
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch
@@ -0,0 +1,141 @@
+From 31e4657cf246e41d4c5c890315cb6cf89a0db25a Mon Sep 17 00:00:00 2001
+From: Mark Andrews <ma...@isc.org>
+Date: Thu, 18 Feb 2016 12:11:27 +1100
+Subject: [PATCH] 4318. [security] Malformed control messages can
+trigger assertions in named and rndc. (CVE-2016-1285) [RT #41666]
+
+(cherry picked from commit a2b15b3305acd52179e6f3dc7d073b07fbc40b8e)
+
+CVE: CVE-2016-1285
+Upstream-Status: Backport
+
+[Skipped CHANGES and doc/arm/notes.xml changes.]
+
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+---
+ CHANGES |  3 +++
+ bin/named/control.c |  2 +-
+ bin/named/controlconf.c |  2 +-
+ bin/rndc/rndc.c |  8 
+ doc/arm/notes.xml   |  8 
+ lib/isccc/cc.c  | 14 +++---
+ 6 files changed, 24 insertions(+), 13 deletions(-)
+
+diff --git a/bin/named/control.c b/bin/named/control.c
+index 01fbe35..b1b744f 100644
+--- a/bin/named/control.c
 b/bin/named/control.c
+@@ -89,7 +89,7 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t 
*text) {
+ #endif
+ 
+   data = isccc_alist_lookup(message, "_data");
+-  if (data == NULL) {
++  if (!isccc_alist_alistp(data)) {
+   /*
+* No data section.
+*/
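Review bot: same header problem as the dizzy copy of this patch: "[Skipped CHANGES and doc/arm/notes.xml changes.]" contradicts the diffstat right below it, which still counts both files in "6 files changed"; fix the stat when the skipped hunks are removed.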
+diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c
+index 95feaf5..31bdc48 100644
+--- a/bin/named/controlconf.c
 b/bin/named/controlconf.c
+@@ -397,7 +397,7 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
+* Limit exposure to replay attacks.
+*/
+   _ctrl = isccc_alist_lookup(request, "_ctrl");
+-  if (_ctrl == NULL) {
++  if (!isccc_alist_alistp(_ctrl)) {
+   log_invalid(>ccmsg, ISC_R_FAILURE);
+   goto cleanup_request;
+   }
+diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c
+index c7d8fe1..ba3ac3a 100644
+--- a/bin/rndc/rndc.c
 b/bin/rndc/rndc.c
+@@ -249,8 +249,8 @@ rndc_recvdone(isc_task_t *task, isc_event_t *event) {
+   DO("parse message", isccc_cc_fromwire(, , ));
+ 
+   data = isccc_alist_lookup(response, "_data");
+-  if (data == NULL)
+-  fatal("no data section in response");
++  if (!isccc_alist_alistp(data))
++  fatal("bad or missing data section in response");
+   result = isccc_cc_lookupstring(data, "err", );
+   if (result == ISC_R_SUCCESS) {
+   failed = ISC_TRUE;
+@@ -313,8 +313,8 @@ rndc_recvnonce(isc_task_t *task, isc_event_t *event) {
+   DO("parse message", isccc_cc_fromwire(, , ));
+ 
+   _ctrl = isccc_alist_lookup(response, "_ctrl");
+-  if (_ctrl == NULL)
+-  fatal("_ctrl section missing");
++  if (!isccc_alist_alistp(_ctrl))
++  fatal("bad or missing ctrl section in response");
+   nonce = 0;
+   if (isccc_cc_lookupuint32(_ctrl, "_nonce", ) != ISC_R_SUCCESS)
+   nonce = 0;
+ 
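Review bot: this fido series applies three patches to bind_9.9.5.bb while the dizzy series for the same bind_9.9.5.bb carries a fourth, fix-typo-in-CVE-2016-1285.patch; the two CVE-2016-1285.patch files are identical as far as the visible hunks go (both show index 000..638ac23), so whatever that typo fix corrects is needed here too, or is not needed in dizzy. Reconcile the two series before merging.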
+diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c
+index 9915568..ffcd584 100644
+--- a/lib/isccc/cc.c
 b/lib/isccc/cc.c
+@@ -2

Re: [OE-core] [yocto] FOSDEM 2016 web page

2016-01-12 Thread Sona Sarmadi
Hi Philip, all,

I am going to attend FOSDEM 2016 and am glad to help. I don't have 
anything for a demo, but perhaps we can mention security updates/backports. I 
think some people might be interested in knowing that we continually backport 
security fixes :)

//Sona

> -Original Message-
> From: yocto-boun...@yoctoproject.org [mailto:yocto-
> boun...@yoctoproject.org] On Behalf Of Philip Balister
> Sent: 25 December 2015 04:20
> To: openembedded-de...@lists.openembedded.org; openembedded-core
> ; Yocto Project
> 
> Subject: [yocto] FOSDEM 2016 web page
> 
> Yeah, it is Christmas Eve and I am getting this started:
> 
> http://openembedded.org/wiki/FOSDEM_2016
> 
> Please add content, especially when you can help with the stand. I'll link 
> this
> from the home page after Christmas.
> 
> I'd like to get a board + lcd panel running a presentation explaining the
> relationship between OpenEmbedded and the Yocto Project. That should
> reduce the number of times people at the booth need to explain this.
> 
> Philip
> --
> ___
> yocto mailing list
> yo...@yoctoproject.org
> https://lists.yoctoproject.org/listinfo/yocto


[OE-core] [PATCH][fido][dizzy] bind: CVE-2015-8000

2015-12-21 Thread Sona Sarmadi
Fixes a denial of service in BIND.

An error in the parsing of incoming responses allows some
records with an incorrect class to be accepted by BIND
instead of being rejected as malformed. This can trigger
a REQUIRE assertion failure when those records are subsequently
cached.

[YOCTO #8838]

References:
http://www.openwall.com/lists/oss-security/2015/12/15/14
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8000
https://bugzilla.redhat.com/attachment.cgi?id=1105581

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 .../bind/bind/CVE-2015-8000.patch  | 194 +
 meta/recipes-connectivity/bind/bind_9.9.5.bb   |   1 +
 2 files changed, 195 insertions(+)
 create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2015-8000.patch

diff --git a/meta/recipes-connectivity/bind/bind/CVE-2015-8000.patch 
b/meta/recipes-connectivity/bind/bind/CVE-2015-8000.patch
new file mode 100644
index 000..b8d8412
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2015-8000.patch
@@ -0,0 +1,194 @@
+responses with a malformed class attribute can trigger an
+assertion failure in db.c
+
+[security]
+Insufficient testing when parsing a message allowed records with
+an incorrect class to be be accepted, triggering a REQUIRE failure
+when those records were subsequently cached. (CVE-2015-8000) [RT#4098]
+
+Upstream-Status: Backport
+
+[The patch is taken from BIND 9.9.4:
+https://bugzilla.redhat.com/attachment.cgi?id=1105581]
+
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+---
+diff --git a/lib/dns/include/dns/message.h b/lib/dns/include/dns/message.h
+index a6862fa..d999e75 100644
+--- a/lib/dns/include/dns/message.h
 b/lib/dns/include/dns/message.h
+@@ -210,6 +210,8 @@ struct dns_message {
+   unsigned intverify_attempted : 1;
+   unsigned intfree_query : 1;
+   unsigned intfree_saved : 1;
++  unsigned inttkey : 1;
++  unsigned intrdclass_set : 1;
+ 
+   unsigned intopt_reserved;
+   unsigned intsig_reserved;
+@@ -1374,6 +1376,15 @@ dns_message_buildopt(dns_message_t *msg, dns_rdataset_t 
**opt,
+  * \li other.
+  */
+ 
++void
++dns_message_setclass(dns_message_t *msg, dns_rdataclass_t rdclass);
++/*%<
++ * Set the expected class of records in the response.
++ *
++ * Requires:
++ * \li   msg be a valid message with parsing intent.
++ */
++
+ ISC_LANG_ENDDECLS
+ 
+ #endif /* DNS_MESSAGE_H */
+diff --git a/lib/dns/message.c b/lib/dns/message.c
+index 53efc5a..73def73 100644
+--- a/lib/dns/message.c
 b/lib/dns/message.c
+@@ -436,6 +436,8 @@ msginit(dns_message_t *m) {
+   m->saved.base = NULL;
+   m->saved.length = 0;
+   m->free_saved = 0;
++  m->tkey = 0;
++  m->rdclass_set = 0;
+   m->querytsig = NULL;
+ }
+ 
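Review bot: the two new flags are zeroed here in msginit(), which covers a freshly created message; dns_message_t objects are also recycled through dns_message_reset(), so confirm that path ends in msginit() as well, otherwise a message reused after parsing a TKEY query keeps tkey = 1 and rdclass_set = 1, and the class check in getquestions() below would compare the next response against a stale class.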
+@@ -1086,13 +1088,19 @@ getquestions(isc_buffer_t *source, dns_message_t *msg, 
dns_decompress_t *dctx,
+* If this class is different than the one we already read,
+* this is an error.
+*/
+-  if (msg->state == DNS_SECTION_ANY) {
+-  msg->state = DNS_SECTION_QUESTION;
++  if (msg->rdclass_set == 0) {
+   msg->rdclass = rdclass;
++  msg->rdclass_set = 1;
+   } else if (msg->rdclass != rdclass)
+   DO_FORMERR;
+ 
+   /*
++   * Is this a TKEY query?
++   */
++  if (rdtype == dns_rdatatype_tkey)
++  msg->tkey = 1;
++
++  /*
+* Can't ask the same question twice.
+*/
+   result = dns_message_find(name, rdclass, rdtype, 0, NULL);
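Review bot: this hunk replaces the `msg->state == DNS_SECTION_ANY` test with `msg->rdclass_set == 0` but also deletes `msg->state = DNS_SECTION_QUESTION;` rather than keeping it alongside the new flag; check that nothing downstream still relies on state being advanced in getquestions() (the getsection() hunk below makes the same substitution), since the point of the fix is to make class tracking independent of section state, not to drop the state transition.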
+@@ -1236,12 +1244,12 @@ getsection(isc_buffer_t *source, dns_message_t *msg, 
dns_decompress_t *dctx,
+* If there was no question section, we may not yet have
+* established a class.  Do so now.
+*/
+-  if (msg->state == DNS_SECTION_ANY &&
++  if (msg->rdclass_set == 0 &&
+   rdtype != dns_rdatatype_opt &&  /* class is UDP SIZE */
+   rdtype != dns_rdatatype_tsig && /* class is ANY */
+   rdtype != dns_rdatatype_tkey) { /* class is undefined */
+   msg->rdclass = rdclass;
+-  msg->state = DNS_SECTION_QUESTION;
++  msg->rdclass_set = 1;
+   }
+ 
+   /*
+@@ -1251,7 +1259,7 @@ getsection(isc_buffer_t *source, dns_message_t *msg, 
dns_decompress_t *dctx,
+   if (msg->opcode != dns_opcode_update
+   && rdtype != dns_rdatatype_tsig
+   && rdtype != dns_rdatatype_opt
+-

Re: [OE-core] [RFC] Mark of upstream CVE patches

2015-12-16 Thread Sona Sarmadi
Hi Mariano, all,

See my comments regarding "Bug 8119 - Define a format to mark Upstream CVE 
patches" below.


> There is an initiative to track vulnerable software being built (see bugs 8119
> and 7515). The idea is to have a testing tool that would check the recipe
> versions against CVEs. In order to accomplish such task there is need to
> reliable mark the patches from upstream that solve CVEs.
> 
> There have been two options to mark the patches that solve CVEs:
> 
> 1. Have  "CVE" and the CVE number as the patch filename.
>Pros:
>  Doesn't require a new tag.
>Cons:
>  It is not flexible to add more information, for example two CVEs in the 
> same
> patch
> 2. Add a new tag in the patch that have the CVE information.
>Pros:
>  It is flexible and can add more information.
>Cons:
>  Require a change in the patch metadata.
> 
> What I would recommend is to add a new tag in the patch, it must contain the
> CVE ID. With this it would be possible to look for the CVE information easily 
> in
> the testing tool or in NIST, MITRE, or another web page. For example, this
> would be part of the patch for CVE-2013-6435, currently in OE-Core:
> 
> -- snip --
> 
> Upstream-Status: Backport
> CVE: CVE-2013-6435
> 
> Reference:
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6435
> 
> -- snip --
> 
> The expected output of this discussion is a standard format for CVE patches
> that most, if not all, of community members agree on.
> 
> Please let me know your comments.

We are supposed to have a reference to the CVE identifier both in the patch file(s)
and in the commit message (e.g. xxx-CVE-2013-6435.patch), according to the 
guidelines 
for "Patch name convention and commit message" in the Yocto 
Wiki: https://wiki.yoctoproject.org/wiki/Security.

If a patch addresses multiple CVEs, perhaps we should name the patch
Fix-for-multiple-CVEs.patch and list all the CVEs in the patch file.

Will this not solve the problem? Do you think there is still a need for a new 
"CVE" tag?

Adding a Red Hat reference is OK for me, along with MITRE & NVD or other useful 
and reliable references.

I have updated the Yocto security wiki. Please feel free to update the page if you 
have 
some improvement, or send your text/suggestion to me or Michael and we will help 
you.

Thanks
//Sona
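As an added example that is not part of this thread or of OE-core's tooling: a small Python checker that applies the two conventions discussed above, a CVE identifier in the patch file name and a "CVE:" tag in the patch header, to a set of patches and reports where a patch has neither or where the two disagree. The three sample patch headers, their paths and the placeholder commit hash are constructed for this example. Several identifiers on one "CVE:" line are accepted, which is how a multi-CVE patch named Fix-for-multiple-CVEs.patch stays machine-readable.

```python
"""Cross-check CVE markings in OE-style backport patches.

Added example, not OE-core code and not the cve-check tool: it implements the
two conventions discussed in the thread (CVE id in the patch file name and a
"CVE:" tag in the patch header) and reports where a patch satisfies neither,
or where the two disagree. The sample headers at the bottom are constructed;
their hashes, authors and paths are placeholders.
"""
import re
from dataclasses import dataclass, field

# Match ids in names like CVE-2016-1286_1.patch too, where a trailing \b
# would fail because "_" is a word character.
CVE_RE = re.compile(r"(?<![A-Za-z0-9])CVE-\d{4}-\d{4,}(?!\d)", re.IGNORECASE)
# Tag form proposed in the thread; one tag may list several ids.
CVE_TAG_RE = re.compile(r"^CVE:\s*(.+?)\s*$", re.MULTILINE)
STATUS_RE = re.compile(r"^Upstream-Status:\s*\S+", re.MULTILINE)
# Patch metadata ends at the diffstat separator or the first diff/hunk header.
DIFF_START_RE = re.compile(r"^(---[ \t]*$|--- \S|diff |Index: |@@ )", re.MULTILINE)


@dataclass
class Report:
    path: str
    ids_in_name: set = field(default_factory=set)
    ids_in_tag: set = field(default_factory=set)
    ids_in_text: set = field(default_factory=set)
    problems: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def header_of(patch_text: str) -> str:
    """Return the free-text header of a patch (everything before the diff)."""
    m = DIFF_START_RE.search(patch_text)
    return patch_text if m is None else patch_text[: m.start()]


def find_ids(text: str) -> set:
    """All CVE ids in text, normalised to upper case."""
    return {c.upper() for c in CVE_RE.findall(text)}


def check_patch(path: str, patch_text: str) -> Report:
    """Apply the naming/tagging convention to one patch and collect findings."""
    r = Report(path)
    r.ids_in_name = find_ids(path.rsplit("/", 1)[-1])
    header = header_of(patch_text)
    for tag in CVE_TAG_RE.findall(header):
        r.ids_in_tag |= find_ids(tag)
    r.ids_in_text = find_ids(header)  # every id mentioned anywhere in the header

    if not r.ids_in_tag and not r.ids_in_name:
        r.problems.append("no CVE id anywhere: no 'CVE:' tag and none in the file name")
    elif not r.ids_in_tag:
        r.problems.append("no 'CVE:' tag; a tool can only go by the file name")
    if r.ids_in_name and r.ids_in_tag and not r.ids_in_name <= r.ids_in_tag:
        r.problems.append(
            f"file name says {sorted(r.ids_in_name)} but 'CVE:' tag says {sorted(r.ids_in_tag)}")
    untagged = r.ids_in_text - r.ids_in_tag
    if r.ids_in_tag and untagged:
        r.problems.append(f"ids mentioned in the header but not tagged: {sorted(untagged)}")
    if not STATUS_RE.search(header):
        r.problems.append("no Upstream-Status line")
    return r


def scan(patches: dict) -> dict:
    """Run check_patch over {path: patch_text} and return {path: Report}."""
    return {path: check_patch(path, text) for path, text in patches.items()}


# Constructed sample headers (placeholders, not real upstream commits).
TAGGED_SINGLE = """From 0123456789abcdef0123456789abcdef01234567 Mon Sep 17 00:00:00 2001
From: Example Author <author@example.org>
Subject: [PATCH] Add PSS parameter check.

Avoid a NULL dereference when the mgf1 parameter is missing.

Upstream-Status: Backport
CVE: CVE-2015-3194

Signed-off-by: Example Backporter <bp@example.org>
---
 crypto/rsa/rsa_ameth.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
"""

TAGGED_MULTI = """Subject: [PATCH] Reject malformed control messages

Upstream-Status: Backport
CVE: CVE-2016-1285 CVE-2016-1286

---
 bin/named/control.c | 2 +-
"""

UNTAGGED = """Subject: [PATCH] Fix leak with ASN.1 combine.

This can leak memory in any application parsing PKCS#7 or CMS structures.

CVE-2015-3195.

Upstream-Status: Backport
---
 crypto/asn1/tasn_dec.c | 7 +--
"""

SAMPLES = {
    "openssl/CVE-2015-3194-Add-PSS-parameter-check.patch": TAGGED_SINGLE,
    "bind/Fix-for-multiple-CVEs.patch": TAGGED_MULTI,  # the thread's multi-CVE naming
    "openssl/CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch": UNTAGGED,
}

if __name__ == "__main__":
    for path, rep in scan(SAMPLES).items():
        status = "OK  " if rep.ok else "WARN"
        print(f"{status} {path}: tag={sorted(rep.ids_in_tag)} name={sorted(rep.ids_in_name)}")
        for p in rep.problems:
            print(f"       - {p}")
```

The checker treats the "CVE:" tag as authoritative and the file name as a hint: a name without an id is fine when the tag carries one, a name that disagrees with the tag is flagged, and a header that mentions an id in prose without tagging it is flagged so the tag can be added.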


[OE-core] [PATCH][dizzy] openssl: CVE-2015-3194, CVE-2015-3195

2015-12-15 Thread Sona Sarmadi
Fixes the following vulnerabilities:
Certificate verify crash with missing PSS parameter (CVE-2015-3194)
X509_ATTRIBUTE memory leak (CVE-2015-3195)

References:
https://openssl.org/news/secadv/20151203.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3194
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3195

Upstream patches:
CVE-2015-3194:
https://git.openssl.org/?p=openssl.git;a=commit;h=
d8541d7e9e63bf5f343af24644046c8d96498c17

CVE-2015-3195:
https://git.openssl.org/?p=openssl.git;a=commit;h=
b29ffa392e839d05171206523e84909146f7a77c

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 .../CVE-2015-3194-Add-PSS-parameter-check.patch| 37 +
 ...CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch | 61 ++
 .../recipes-connectivity/openssl/openssl_1.0.1p.bb |  2 +
 3 files changed, 100 insertions(+)
 create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2015-3194-Add-PSS-parameter-check.patch
 create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch

diff --git 
a/meta/recipes-connectivity/openssl/openssl/CVE-2015-3194-Add-PSS-parameter-check.patch
 
b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3194-Add-PSS-parameter-check.patch
new file mode 100644
index 000..a6697ca
--- /dev/null
+++ 
b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3194-Add-PSS-parameter-check.patch
@@ -0,0 +1,37 @@
+From d8541d7e9e63bf5f343af24644046c8d96498c17 Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <st...@openssl.org>
+Date: Fri, 2 Oct 2015 13:10:29 +0100
+Subject:Add PSS parameter check.
+
+Avoid seg fault by checking mgf1 parameter is not NULL. This can be
+triggered during certificate verification so could be a DoS attack
+against a client or a server enabling client authentication.
+
+Thanks to Loïc Jonas Etienne (Qnective AG) for discovering this bug.
+
+CVE-2015-3194
+
+Upstream-Status: Backport
+
+Reviewed-by: Matt Caswell <m...@openssl.org>
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+---
+ crypto/rsa/rsa_ameth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
+index 93e071d..c7f1148 100644
+--- a/crypto/rsa/rsa_ameth.c
 b/crypto/rsa/rsa_ameth.c
+@@ -279,7 +279,7 @@ static RSA_PSS_PARAMS *rsa_pss_decode(const X509_ALGOR 
*alg,
+ if (pss->maskGenAlgorithm) {
+ ASN1_TYPE *param = pss->maskGenAlgorithm->parameter;
+ if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) == NID_mgf1
+-&& param->type == V_ASN1_SEQUENCE) {
++&& param && param->type == V_ASN1_SEQUENCE) {
+ p = param->value.sequence->data;
+ plen = param->value.sequence->length;
+ *pmaskHash = d2i_X509_ALGOR(NULL, , plen);
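Review bot: the added `param &&` short-circuit is the whole fix and the operand order is correct (the NULL test must precede `param->type`). When param is NULL the branch now simply does not run, so *pmaskHash is not assigned in this hunk; confirm rsa_pss_decode() initialises *pmaskHash to NULL at entry, otherwise the caller could read an indeterminate pointer instead of seeing a verification failure for the missing MGF1 parameter.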
+-- 
+1.9.1
+
diff --git 
a/meta/recipes-connectivity/openssl/openssl/CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch
 
b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch
new file mode 100644
index 000..be705c0
--- /dev/null
+++ 
b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch
@@ -0,0 +1,61 @@
+commit b29ffa392e839d05171206523e84909146f7a77c
+Author: Dr. Stephen Henson <st...@openssl.org>
+Date: Tue, 10 Nov 2015 19:03:07 +
+Subject: Fix leak with ASN.1 combine.
+
+When parsing a combined structure pass a flag to the decode routine
+so on error a pointer to the parent structure is not zeroed as
+this will leak any additional components in the parent.
+
+This can leak memory in any application parsing PKCS#7 or CMS structures.
+
+CVE-2015-3195.
+
+Upstream-Status: Backport
+
+Thanks to Adam Langley (Google/BoringSSL) for discovering this bug using
+libFuzzer.
+
+PR#4131
+
+Reviewed-by: Richard Levitte <levi...@openssl.org>
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+---
+ crypto/asn1/tasn_dec.c | 7 +--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c
+index febf605..9256049 100644
+--- a/crypto/asn1/tasn_dec.c
 b/crypto/asn1/tasn_dec.c
+@@ -180,6 +180,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned 
char **in, long len,
+ int otag;
+ int ret = 0;
+ ASN1_VALUE **pchptr, *ptmpval;
++int combine = aclass & ASN1_TFLG_COMBINE;
++aclass &= ~ASN1_TFLG_COMBINE;
+ if (!pval)
+ return 0;
+ if (aux && aux->asn1_cb)
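Review bot: masking ASN1_TFLG_COMBINE out of aclass before it is used for tag matching is required, since the flag is smuggled in through the class argument, but `combine` is only ever non-zero if some caller passes the flag in. The two hunks visible here account for 4 insertions and 1 deletion of the diffstat's "5 insertions(+), 2 deletions(-)", so the remaining hunk, which should be the call in asn1_template_noexp_d2i() that passes `tt->flags & ASN1_TFLG_COMBINE`, is cut off on this page; verify it is present in the applied file, because without it the `if (combine == 0)` guard never fires and the leak is unchanged.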
+@@ -500,7 +502,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned 
char **in, long len,
+  auxerr:
+ ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR);
+  err:
+-ASN1_item_ex_free(pval, it);
++if (combine == 0)
++ASN1_item_ex_free(pval, it);
+ if (errtt)
+ ERR_add_error_data(4, "Field=", errtt->field_name,
+", Type=&qu

Re: [OE-core] [PATCH][dizzy] openssl: CVE-2015-3194, CVE-2015-3195

2015-12-15 Thread Sona Sarmadi
Hi Armin,

I noticed that my patch does not have a reference to the original commit hash. I 
will create a new patch and send it to you; sorry about this.

commit b29ffa392e839d05171206523e84909146f7a77c
Author: Dr. Stephen Henson <st...@openssl.org>

//Sona

> -Original Message-
> From: openembedded-core-boun...@lists.openembedded.org
> [mailto:openembedded-core-boun...@lists.openembedded.org] On Behalf
> Of Sona Sarmadi
> Sent: 14 December 2015 11:25
> To: openembedded-core@lists.openembedded.org
> Subject: [OE-core] [PATCH][dizzy] openssl: CVE-2015-3194, CVE-2015-3195
> 
> Fixes following vulnerabilities:
> Certificate verify crash with missing PSS parameter (CVE-2015-3194)
> X509_ATTRIBUTE memory leak (CVE-2015-3195)
> 
> References:
> https://openssl.org/news/secadv/20151203.txt
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3194
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3195
> 
> Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
> ---
>  .../CVE-2015-3194-Add-PSS-parameter-check.patch| 35 +
>  ...CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch | 59
> ++  .../recipes-
> connectivity/openssl/openssl_1.0.1p.bb |  2 +
>  3 files changed, 96 insertions(+)
>  create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2015-
> 3194-Add-PSS-parameter-check.patch
>  create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2015-
> 3195-Fix-leak-with-ASN.1-combine.patch
> 
> diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2015-3194-Add-
> PSS-parameter-check.patch b/meta/recipes-
> connectivity/openssl/openssl/CVE-2015-3194-Add-PSS-parameter-
> check.patch
> new file mode 100644
> index 000..3c00bc1
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3194-Add-PSS-
> pa
> +++ rameter-check.patch
> @@ -0,0 +1,35 @@
> +Date: Fri, 2 Oct 2015 13:10:29 +0100
> +Subject: [PATCH] Add PSS parameter check.
> +
> +Avoid seg fault by checking mgf1 parameter is not NULL. This can be
> +triggered during certificate verification so could be a DoS attack
> +against a client or a server enabling client authentication.
> +
> +Thanks to Loïc Jonas Etienne (Qnective AG) for discovering this bug.
> +
> +CVE-2015-3194
> +
> +Upstream-Status: Backport
> +
> +Reviewed-by: Matt Caswell <m...@openssl.org>
> +Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
> +---
> + crypto/rsa/rsa_ameth.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c index
> +93e071d..c7f1148 100644
> +--- a/crypto/rsa/rsa_ameth.c
>  b/crypto/rsa/rsa_ameth.c
> +@@ -279,7 +279,7 @@ static RSA_PSS_PARAMS *rsa_pss_decode(const
> X509_ALGOR *alg,
> + if (pss->maskGenAlgorithm) {
> + ASN1_TYPE *param = pss->maskGenAlgorithm->parameter;
> + if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) == NID_mgf1
> +-&& param->type == V_ASN1_SEQUENCE) {
> ++&& param && param->type == V_ASN1_SEQUENCE) {
> + p = param->value.sequence->data;
> + plen = param->value.sequence->length;
> + *pmaskHash = d2i_X509_ALGOR(NULL, , plen);
> +--
> +1.9.1
> +
> diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2015-3195-Fix-
> leak-with-ASN.1-combine.patch b/meta/recipes-
> connectivity/openssl/openssl/CVE-2015-3195-Fix-leak-with-ASN.1-
> combine.patch
> new file mode 100644
> index 000..87c4c6c
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3195-Fix-leak-
> w
> +++ ith-ASN.1-combine.patch
> @@ -0,0 +1,59 @@
> +Date: Tue, 10 Nov 2015 19:03:07 +
> +Subject: [PATCH] Fix leak with ASN.1 combine.
> +
> +When parsing a combined structure pass a flag to the decode routine so
> +on error a pointer to the parent structure is not zeroed as this will
> +leak any additional components in the parent.
> +
> +This can leak memory in any application parsing PKCS#7 or CMS structures.
> +
> +CVE-2015-3195.
> +
> +Upstream-Status: Backport
> +
> +Thanks to Adam Langley (Google/BoringSSL) for discovering this bug
> +using libFuzzer.
> +
> +PR#4131
> +
> +Reviewed-by: Richard Levitte <levi...@openssl.org>
> +Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
> +---
> + crypto/asn1/tasn_dec.c | 7 +--
> + 1 file changed, 5 insertions(+), 2 deletions(-)
> +
> +diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c index
> +febf605..9256049 100644
> +--- a/crypto/asn1/tasn_dec.c
>  b/crypto/asn1/tasn_dec.c
> +@@ -180,6 +180,8 @@ int ASN

[OE-core] [PATCH][dizzy 4/6] grep2.19: CVE-2015-1345

2015-12-14 Thread Sona Sarmadi
Fixes a heap-based buffer overflow flaw in grep.
Affected versions: grep 2.19 through 2.21.

Upstream fix:
http://git.sv.gnu.org/cgit/grep.git/commit/?id=83a95bd8c8561875b948cadd417c653dbe7ef2e2

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 .../grep/grep-2.19/grep2.19-CVE-2015-1345.patch| 129 +
 meta/recipes-extended/grep/grep_2.19.bb|   4 +-
 2 files changed, 132 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-extended/grep/grep-2.19/grep2.19-CVE-2015-1345.patch

diff --git a/meta/recipes-extended/grep/grep-2.19/grep2.19-CVE-2015-1345.patch 
b/meta/recipes-extended/grep/grep-2.19/grep2.19-CVE-2015-1345.patch
new file mode 100644
index 000..32846f5
--- /dev/null
+++ b/meta/recipes-extended/grep/grep-2.19/grep2.19-CVE-2015-1345.patch
@@ -0,0 +1,129 @@
+From 83a95bd8c8561875b948cadd417c653dbe7ef2e2 Mon Sep 17 00:00:00 2001
+From: Yuliy Pisetsky <ypiset...@fb.com>
+Date: Thu, 01 Jan 2015 23:36:55 +
+Subject: grep -F: fix a heap buffer (read) overrun
+
+grep's read buffer is often filled to its full size, except when
+reading the final buffer of a file.  In that case, the number of
+bytes read may be far less than the size of the buffer.  However, for
+certain unusual pattern/text combinations, grep -F would mistakenly
+examine bytes in that uninitialized region of memory when searching
+for a match.  With carefully chosen inputs, one can cause grep -F to
+read beyond the end of that buffer altogether.  This problem arose via
+commit v2.18-90-g73893ff with the introduction of a more efficient
+heuristic using what is now the memchr_kwset function. The use of
+that function in bmexec_trans could leave TP much larger than EP,
+and the subsequent call to bm_delta2_search would mistakenly access
+beyond end of the main input read buffer.
+
+* src/kwset.c (bmexec_trans): When TP reaches or exceeds EP,
+do not call bm_delta2_search.
+* tests/kwset-abuse: New file.
+* tests/Makefile.am (TESTS): Add it.
+* NEWS (Bug fixes): Mention it.
+
+Prior to this patch, this command would trigger a UMR:
+
+  printf %0360db 0 | valgrind src/grep -F $(printf %019dXb 0)
+
+  Use of uninitialised value of size 8
+ at 0x4142BE: bmexec_trans (kwset.c:657)
+ by 0x4143CA: bmexec (kwset.c:678)
+ by 0x414973: kwsexec (kwset.c:848)
+ by 0x414DC4: Fexecute (kwsearch.c:128)
+ by 0x404E2E: grepbuf (grep.c:1238)
+ by 0x4054BF: grep (grep.c:1417)
+ by 0x405CEB: grepdesc (grep.c:1645)
+ by 0x405EC1: grep_command_line_arg (grep.c:1692)
+ by 0x4077D4: main (grep.c:2570)
+
+See the accompanying test for how to trigger the heap buffer overrun.
+
+Thanks to Nima Aghdaii for testing and finding numerous
+ways to break early iterations of this patch.
+
+Fixes CVE-2015-1345.
+Upstream-Status: Backport
+
+---
+diff --git a/NEWS b/NEWS
+index 975440d..3835d8d 100644
+--- a/NEWS
 b/NEWS
+@@ -2,6 +2,11 @@ GNU grep NEWS-*- outline 
-*-
+ 
+ * Noteworthy changes in release ?.? (-??-??) [?]
+ 
++** Bug fixes
++
++  grep no longer reads from uninitialized memory or from beyond the end
++  of the heap-allocated input buffer.
++
+ 
+ * Noteworthy changes in release 2.21 (2014-11-23) [stable]
+ 
+diff --git a/src/kwset.c b/src/kwset.c
+index 4003c8d..376f7c3 100644
+--- a/src/kwset.c
 b/src/kwset.c
+@@ -643,6 +643,8 @@ bmexec_trans (kwset_t kwset, char const *text, size_t size)
+ if (! tp)
+   return -1;
+ tp++;
++if (ep <= tp)
++  break;
+   }
+   }
+   }
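Review bot: the new `if (ep <= tp) break;` carries no comment, and the bm_delta2_search call it protects sits outside the visible context, so the reason for the early exit is only recoverable from the commit message; add a one-line comment at the break (e.g. `/* tp may now be past ep; bm_delta2_search must not see it */`) so the intent survives the next refactor. Since the overrun is a read, tests/kwset-abuse only catches a regression reliably when run under valgrind or a sanitizer, as the reproducer in the commit message does.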
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 2cba2cd..0508cd2 100644
+--- a/tests/Makefile.am
 b/tests/Makefile.am
+@@ -75,6 +75,7 @@ TESTS =  \
+   inconsistent-range  \
+   invalid-multibyte-infloop   \
+   khadafy \
++  kwset-abuse \
+   long-line-vs-2GiB-read  \
+   match-lines \
+   max-count-overread  \
+diff --git a/tests/kwset-abuse b/tests/kwset-abuse
+new file mode 100755
+index 000..6d8ec0c
+--- a/dev/null
 b/tests/kwset-abuse
+@@ -0,0 +1,32 @@
++#! /bin/sh
++# Evoke a segfault in a hard-to-reach code path of kwset.c.
++# This bug affected grep versions 2.19 through 2.21.
++#
++# Copyright (C) 2015 Free Software Foundation, Inc.
++#
++# This program is free software: you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation, either version 3 of the License, or
++# (at your option) any later version.
++
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABI

[OE-core] [PATCH][dizzy 1/6] glibc/wscanf: CVE-2015-1472

2015-12-14 Thread Sona Sarmadi
Fixes a heap buffer overflow in glibc wscanf.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1472
https://sourceware.org/ml/libc-alpha/2015-02/msg00119.html
http://openwall.com/lists/oss-security/2015/02/04/1

Reference to upstream fix:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;
h=5bd80bfe9ca0d955bfbbc002781bc7b01b6bcb06

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
Signed-off-by: Tudor Florea <tudor.flo...@enea.com>
---
 ...5-1472-wscanf-allocates-too-little-memory.patch | 108 +
 meta/recipes-core/glibc/glibc_2.20.bb  |   1 +
 2 files changed, 109 insertions(+)
 create mode 100644 
meta/recipes-core/glibc/glibc/CVE-2015-1472-wscanf-allocates-too-little-memory.patch

diff --git 
a/meta/recipes-core/glibc/glibc/CVE-2015-1472-wscanf-allocates-too-little-memory.patch
 
b/meta/recipes-core/glibc/glibc/CVE-2015-1472-wscanf-allocates-too-little-memory.patch
new file mode 100644
index 000..ab513aa
--- /dev/null
+++ 
b/meta/recipes-core/glibc/glibc/CVE-2015-1472-wscanf-allocates-too-little-memory.patch
@@ -0,0 +1,108 @@
+CVE-2015-1472: wscanf allocates too little memory
+
+BZ #16618
+
+Under certain conditions wscanf can allocate too little memory for the
+to-be-scanned arguments and overflow the allocated buffer.  The
+implementation now correctly computes the required buffer size when
+using malloc.
+
+A regression test was added to tst-sscanf.
+
+Upstream-Status: Backport
+
+The patch is from (Paul Pluzhnikov <ppluzhni...@google.com>):
+[https://sourceware.org/git/?p=glibc.git;a=patch;h=5bd80bfe9ca0d955bfbbc002781bc7b01b6bcb06]
+
+diff -ruN a/ChangeLog b/ChangeLog
+--- a/ChangeLog2015-09-22 10:20:14.399408389 +0200
 b/ChangeLog2015-09-22 10:33:07.374388595 +0200
+@@ -1,3 +1,12 @@
++2015-02-05  Paul Pluzhnikov  <ppluzhni...@google.com>
++
++   [BZ #16618] CVE-2015-1472
++   * stdio-common/tst-sscanf.c (main): Test for buffer overflow.
++   * stdio-common/vfscanf.c (_IO_vfscanf_internal): Compute needed
++   size in bytes. Store needed elements in wpmax. Use needed size
++   in bytes for extend_alloca.
++
++
+ 2014-12-16  Florian Weimer  <fwei...@redhat.com>
+ 
+[BZ #17630]
+diff -ruN a/stdio-common/tst-sscanf.c b/stdio-common/tst-sscanf.c
+--- a/stdio-common/tst-sscanf.c2015-09-22 10:20:09.995596201 +0200
 b/stdio-common/tst-sscanf.c2015-09-22 10:21:39.211791399 +0200
+@@ -233,5 +233,38 @@
+   }
+ }
+ 
++  /* BZ #16618
++ The test will segfault during SSCANF if the buffer overflow
++ is not fixed.  The size of `s` is such that it forces the use
++ of malloc internally and this triggers the incorrect computation.
++ Thus the value for SIZE is arbitrariy high enough that malloc
++ is used.  */
++  {
++#define SIZE 131072
++CHAR *s = malloc ((SIZE + 1) * sizeof (*s));
++if (s == NULL)
++  abort ();
++for (size_t i = 0; i < SIZE; i++)
++  s[i] = L('0');
++s[SIZE] = L('\0');
++int i = 42;
++/* Scan multi-digit zero into `i`.  */
++if (SSCANF (s, L("%d"), ) != 1)
++  {
++  printf ("FAIL: bug16618: SSCANF did not read one input item.\n");
++  result = 1;
++  }
++if (i != 0)
++  {
++  printf ("FAIL: bug16618: Value of `i` was not zero as expected.\n");
++  result = 1;
++  }
++free (s);
++if (result != 1)
++  printf ("PASS: bug16618: Did not crash.\n");
++#undef SIZE
++  }
++
++
+   return result;
+ }
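Review bot: as posted, `SSCANF (s, L("%d"), )` has an empty third argument where the address of `i` belongs; the archive has most likely dropped the `&` of `&i`, but the patch file under meta/recipes-core/glibc/glibc/ should be checked because the line does not compile as shown. The new comment also reads `arbitrariy`; make it `arbitrarily` while the file is being touched.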
+diff -ruN a/stdio-common/vfscanf.c b/stdio-common/vfscanf.c
+--- a/stdio-common/vfscanf.c   2015-09-22 10:20:14.051423230 +0200
 b/stdio-common/vfscanf.c   2015-09-22 10:21:39.215791228 +0200
+@@ -279,9 +279,10 @@
+   if (__glibc_unlikely (wpsize == wpmax))   \
+   {   \
+ CHAR_T *old = wp; \
+-size_t newsize = (UCHAR_MAX + 1 > 2 * wpmax   \
+-  ? UCHAR_MAX + 1 : 2 * wpmax);   \
+-if (use_malloc || !__libc_use_alloca (newsize))   \
++bool fits = __glibc_likely (wpmax <= SIZE_MAX / sizeof (CHAR_T) / 2); 
\
++size_t wpneed = MAX (UCHAR_MAX + 1, 2 * wpmax);   \
++size_t newsize = fits ? wpneed * sizeof (CHAR_T) : SIZE_MAX;  \
++if (!__libc_use_alloca (newsize)) \
+   {   \
+ wp = realloc (use_malloc ? wp : NULL, newsize);   \
+ if (wp == NULL)   \
+@@ -293,14 +294,13 @@
+   }   \
+ if (! use_malloc)   
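Review bot: the new condition `if (!__libc_use_alloca (newsize))` drops the `use_malloc ||` that the removed line had, so a buffer that has already moved to the heap (`use_malloc` true) would take the alloca branch again if `__libc_use_alloca` ever returned true for a later, larger `newsize`. That is only safe because `newsize` never shrinks; either keep `use_malloc ||` in the condition or add a comment stating that invariant next to the `fits`/`wpneed` lines. The rest of this hunk is cut off in the archive, so the `wpmax` assignment the ChangeLog mentions (store needed elements in wpmax) could not be checked here.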

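The sizing bug behind CVE-2015-1472, as an added stand-alone C illustration (not glibc code and not part of the patch above): the ChangeLog entry says the fix is to compute the needed size in bytes, store the needed element count in wpmax and pass bytes to the allocator, and the visible hunk shows the old code handing a doubled element count straight to realloc(). The functions grow_bytes_buggy, grow_bytes_fixed, shortfall_bytes and fill_work_buffer are hypothetical names chosen here; they mirror the wpmax/wpsize/wpneed variables of the macro but are not its code.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <wchar.h>

/*
 * Work-buffer growth in the style of vfscanf's macro: `wpmax` is the
 * capacity in elements (CHAR_T), `wpsize` the number of elements in use,
 * and the buffer is grown when wpsize == wpmax. All names are illustrative.
 */

/* Pre-fix sizing (stand-alone rendering of the removed lines): the doubled
 * ELEMENT count is what the old code handed to realloc(), which takes
 * BYTES. For a wide buffer that undersizes by a factor of sizeof(wchar_t). */
static size_t grow_bytes_buggy(size_t wpmax)
{
    size_t newsize = (UCHAR_MAX + 1 > 2 * wpmax) ? UCHAR_MAX + 1 : 2 * wpmax;
    return newsize; /* element count, misused as a byte count */
}

/* Post-fix sizing: element count in *wpneed, byte count returned. If
 * 2 * wpmax * elem_size would overflow size_t, return SIZE_MAX so that
 * realloc() fails cleanly instead of wrapping to a tiny allocation. */
static size_t grow_bytes_fixed(size_t wpmax, size_t elem_size, size_t *wpneed)
{
    bool fits = wpmax <= SIZE_MAX / elem_size / 2;
    *wpneed = (UCHAR_MAX + 1 > 2 * wpmax) ? UCHAR_MAX + 1 : 2 * wpmax;
    return fits ? *wpneed * elem_size : SIZE_MAX;
}

/* Bytes the buggy computation falls short by for one growth step. */
static size_t shortfall_bytes(size_t wpmax, size_t elem_size)
{
    size_t need;
    size_t right = grow_bytes_fixed(wpmax, elem_size, &need);
    size_t wrong = grow_bytes_buggy(wpmax);
    return right > wrong ? right - wrong : 0;
}

/* Store `n` copies of `c` into a heap work buffer grown with the fixed
 * sizing, mirroring the scan of a long digit run like the one in the new
 * tst-sscanf case. Returns the final capacity in elements, or 0 on
 * allocation failure; *out receives the buffer (caller frees it). */
static size_t fill_work_buffer(size_t n, wchar_t c, wchar_t **out)
{
    wchar_t *wp = NULL;
    size_t wpmax = 0, wpsize = 0;

    for (size_t i = 0; i < n; i++) {
        if (wpsize == wpmax) {
            size_t wpneed;
            size_t newsize = grow_bytes_fixed(wpmax, sizeof *wp, &wpneed);
            wchar_t *nw = realloc(wp, newsize);
            if (nw == NULL) {
                free(wp);
                *out = NULL;
                return 0;
            }
            wp = nw;
            wpmax = wpneed; /* capacity is tracked in elements, not bytes */
        }
        wp[wpsize++] = c;
    }
    *out = wp;
    return wpmax;
}

int main(void)
{
    /* Constructed input: 131072 wide zeros, the SIZE used by the new test. */
    wchar_t *buf = NULL;
    size_t cap = fill_work_buffer(131072, L'0', &buf);
    free(buf);
    return cap ? 0 : 1;
}
```

With sizeof(wchar_t) == 4, one growth step from 131072 elements asks the buggy path for 262144 bytes where 1048576 are needed; the fixed path returns the byte count and keeps the element count separately, and refuses (SIZE_MAX) once doubling can no longer be represented.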
[OE-core] [PATCH][dizzy 3/6] unzip: CVE-2015-7696, CVE-2015-7697

2015-12-14 Thread Sona Sarmadi
From: Tudor Florea <tudor.flo...@enea.com>

CVE-2015-7696: Fixes a heap overflow triggered by unzipping a file with password
CVE-2015-7697: Fixes a denial of service with a file that never finishes 
unzipping

References:
http://www.openwall.com/lists/oss-security/2015/10/11/5
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7696
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7697

Signed-off-by: Tudor Florea <tudor.flo...@enea.com>
Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 .../unzip/unzip/CVE-2015-7696.patch| 38 ++
 .../unzip/unzip/CVE-2015-7697.patch| 31 ++
 meta/recipes-extended/unzip/unzip_6.0.bb   |  2 ++
 3 files changed, 71 insertions(+)
 create mode 100644 meta/recipes-extended/unzip/unzip/CVE-2015-7696.patch
 create mode 100644 meta/recipes-extended/unzip/unzip/CVE-2015-7697.patch

diff --git a/meta/recipes-extended/unzip/unzip/CVE-2015-7696.patch 
b/meta/recipes-extended/unzip/unzip/CVE-2015-7696.patch
new file mode 100644
index 000..ea93823
--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/CVE-2015-7696.patch
@@ -0,0 +1,38 @@
+Upstream-Status: Backport
+Signed-off-by: Tudor Florea <tudor.fl...@enea.com>
+
+From 68efed87fabddd450c08f3112f62a73f61d493c9 Mon Sep 17 00:00:00 2001
+From: Petr Stodulka <pstod...@redhat.com>
+Date: Mon, 14 Sep 2015 18:23:17 +0200
+Subject: [PATCH 1/2] upstream fix for heap overflow
+
+https://bugzilla.redhat.com/attachment.cgi?id=1073002
+---
+ crypt.c | 12 +++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/crypt.c b/crypt.c
+index 784e411..a8975f2 100644
+--- a/crypt.c
 b/crypt.c
+@@ -465,7 +465,17 @@ int decrypt(__G__ passwrd)
+ GLOBAL(pInfo->encrypted) = FALSE;
+ defer_leftover_input(__G);
+ for (n = 0; n < RAND_HEAD_LEN; n++) {
+-b = NEXTBYTE;
++/* 2012-11-23 SMS.  (OUSPG report.)
++ * Quit early if compressed size < HEAD_LEN.  The resulting
++ * error message ("unable to get password") could be improved,
++ * but it's better than trying to read nonexistent data, and
++ * then continuing with a negative G.csize.  (See
++ * fileio.c:readbyte()).
++ */
++if ((b = NEXTBYTE) == (ush)EOF)
++{
++return PK_ERR;
++}
+ h[n] = (uch)b;
+ Trace((stdout, " (%02x)", h[n]));
+ }
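Review bot: the early `return PK_ERR;` fires after `defer_leftover_input(__G);` (two lines above the loop) with nothing reversing that call on the way out; confirm decrypt()'s callers cope with that state on PK_ERR, or undo the deferral before returning. Also, the new comment talks about `compressed size < HEAD_LEN` while the loop bound is `RAND_HEAD_LEN`; use the same identifier in both so the comment stays accurate and greppable.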
+-- 
+2.4.6
diff --git a/meta/recipes-extended/unzip/unzip/CVE-2015-7697.patch 
b/meta/recipes-extended/unzip/unzip/CVE-2015-7697.patch
new file mode 100644
index 000..da68988
--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/CVE-2015-7697.patch
@@ -0,0 +1,31 @@
+Upstream-Status: Backport
+Signed-off-by: Tudor Florea <tudor.fl...@enea.com>
+
+From bd8a743ee0a77e65ad07ef4196c4cd366add3f26 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdu...@redhat.com>
+Date: Mon, 14 Sep 2015 18:24:56 +0200
+Subject: [PATCH 2/2] fix infinite loop when extracting empty bzip2 data
+
+---
+ extract.c | 6 ++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/extract.c b/extract.c
+index 7134bfe..29db027 100644
+--- a/extract.c
 b/extract.c
+@@ -2733,6 +2733,12 @@ __GDEF
+ int repeated_buf_err;
+ bz_stream bstrm;
+ 
++if (G.incnt <= 0 && G.csize <= 0L) {
++/* avoid an infinite loop */
++Trace((stderr, "UZbunzip2() got empty input\n"));
++return 2;
++}
++
+ #if (defined(DLL) && !defined(NO_SLIDE_REDIR))
+ if (G.redirect_slide)
+ wsize = G.redirect_size, redirSlide = G.redirect_buffer;
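Review bot: `return 2;` is an undocumented magic value; the crypt.c hunk above returns the named PK_ERR for a comparable failure, so either return a named code here or add a comment saying what 2 means to UZbunzip2()'s caller. A short note on why both `G.incnt <= 0` and `G.csize <= 0L` must hold, rather than either alone, would also help, since that conjunction is what breaks the loop the subject line describes.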
+-- 
+2.4.6
diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb 
b/meta/recipes-extended/unzip/unzip_6.0.bb
index e590f81..acbc837 100644
--- a/meta/recipes-extended/unzip/unzip_6.0.bb
+++ b/meta/recipes-extended/unzip/unzip_6.0.bb
@@ -14,6 +14,8 @@ SRC_URI = "ftp://ftp.info-zip.org/pub/infozip/src/unzip60.tgz 
\
file://09-cve-2014-8139-crc-overflow.patch \
file://10-cve-2014-8140-test-compr-eb.patch \
file://11-cve-2014-8141-getzip64data.patch \
+   file://CVE-2015-7696.patch \
+   file://CVE-2015-7697.patch \
 "
 
 SRC_URI[md5sum] = "62b490407489521db863b523a7f86375"
-- 
1.9.1

-- 
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core


[OE-core] [PATCH][dizzy 2/6] libxml2: CVE-2015-7942

2015-12-14 Thread Sona Sarmadi
Fixes heap-based buffer overflow in xmlParseConditionalSections().

Upstream patch:
https://git.gnome.org/browse/libxml2/commit/
?id=9b8512337d14c8ddf662fcb98b0135f225a1c489

Upstream bug:
https://bugzilla.gnome.org/show_bug.cgi?id=756456

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
Signed-off-by: Tudor Florea <tudor.flo...@enea.com>
---
 meta/recipes-core/libxml/libxml2.inc   |  1 +
 .../libxml/libxml2/CVE-2015-7942.patch | 58 ++
 2 files changed, 59 insertions(+)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch

diff --git a/meta/recipes-core/libxml/libxml2.inc 
b/meta/recipes-core/libxml/libxml2.inc
index 840a8eb..15a2421 100644
--- a/meta/recipes-core/libxml/libxml2.inc
+++ b/meta/recipes-core/libxml/libxml2.inc
@@ -23,6 +23,7 @@ SRC_URI = 
"ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
file://libxml-m4-use-pkgconfig.patch \
file://libxml2-CVE-2014-3660.patch \

file://0001-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch \
+   file://CVE-2015-7942.patch \
   "
 
 BINCONFIG = "${bindir}/xml2-config"
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch 
b/meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch
new file mode 100644
index 000..738ae94
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch
@@ -0,0 +1,58 @@
+From 9b8512337d14c8ddf662fcb98b0135f225a1c489 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veill...@redhat.com>
+Date: Mon, 23 Feb 2015 11:29:20 +0800
+Subject: Cleanup conditional section error handling
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=744980
+
+The error handling of Conditional Section also need to be
+straightened as the structure of the document can't be
+guessed on a failure there and it's better to stop parsing
+as further errors are likely to be irrelevant.
+
+Fixes CVE-2015-7942.
+Upstream-Status: Backport
+
+Upstream patch:
+https://git.gnome.org/browse/libxml2/commit/
+?id=9b8512337d14c8ddf662fcb98b0135f225a1c489
+
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+---
+ parser.c | 6 ++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index bbe97eb..fe603ac 100644
+--- a/parser.c
 b/parser.c
+@@ -6770,6 +6770,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+   SKIP_BLANKS;
+   if (RAW != '[') {
+   xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
++  xmlStopParser(ctxt);
++  return;
+   } else {
+   if (ctxt->input->id != id) {
+   xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
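Review bot: `xmlStopParser(ctxt); return;` is pasted identically into three branches of xmlParseConditionalSections() (this hunk and the two below); a single exit label would keep the three error paths in step if the cleanup ever grows. After the unconditional `return`, the following `} else {` is redundant and its body could be dedented, which would also make the change smaller to audit.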
+@@ -6830,6 +6832,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+   SKIP_BLANKS;
+   if (RAW != '[') {
+   xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
++  xmlStopParser(ctxt);
++  return;
+   } else {
+   if (ctxt->input->id != id) {
+   xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
+@@ -6885,6 +6889,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+ 
+ } else {
+   xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL);
++  xmlStopParser(ctxt);
++  return;
+ }
+ 
+ if (RAW == 0)
+-- 
+cgit v0.11.2
+
-- 
1.9.1

-- 
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core


[OE-core] [PATCH][dizzy 5/6] libxml2: CVE-2015-8035

2015-12-14 Thread Sona Sarmadi
Fixes DoS when parsing specially crafted XML document
if XZ support is enabled.

References:
https://bugzilla.gnome.org/show_bug.cgi?id=757466

Upstream correction:
https://git.gnome.org/browse/libxml2/commit/?id=
f0709e3ca8f8947f2d91ed34e92e38a4c23eae63

Signed-off-by: Tudor Florea <tudor.flo...@enea.com>
Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 meta/recipes-core/libxml/libxml2.inc   |  1 +
 .../libxml/libxml2/CVE-2015-8035.patch | 35 ++
 2 files changed, 36 insertions(+)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch

diff --git a/meta/recipes-core/libxml/libxml2.inc 
b/meta/recipes-core/libxml/libxml2.inc
index 15a2421..d5e263b 100644
--- a/meta/recipes-core/libxml/libxml2.inc
+++ b/meta/recipes-core/libxml/libxml2.inc
@@ -24,6 +24,7 @@ SRC_URI = 
"ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
file://libxml2-CVE-2014-3660.patch \

file://0001-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch \
file://CVE-2015-7942.patch \
+   file://CVE-2015-8035.patch \
   "
 
 BINCONFIG = "${bindir}/xml2-config"
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch 
b/meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch
new file mode 100644
index 000..d08693f
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch
@@ -0,0 +1,35 @@
+From f0709e3ca8f8947f2d91ed34e92e38a4c23eae63 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veill...@redhat.com>
+Date: Tue, 3 Nov 2015 15:31:25 +0800
+Subject: CVE-2015-8035 Fix XZ compression support loop
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=757466
+DoS when parsing specially crafted XML document if XZ support
+is compiled in (which wasn't the case for 2.9.2 and master since
+Nov 2013, fixed in next commit !)
+
+Upstream-Status: Backport
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+
+---
+ xzlib.c | 4 
+ 1 file changed, 4 insertions(+)
+
+diff --git a/xzlib.c b/xzlib.c
+index 0dcb9f4..1fab546 100644
+--- a/xzlib.c
 b/xzlib.c
+@@ -581,6 +581,10 @@ xz_decomp(xz_statep state)
+ xz_error(state, LZMA_DATA_ERROR, "compressed data error");
+ return -1;
+ }
++if (ret == LZMA_PROG_ERROR) {
++xz_error(state, LZMA_PROG_ERROR, "compression error");
++return -1;
++}
+ } while (strm->avail_out && ret != LZMA_STREAM_END);
+ 
+ /* update available output and crc check value */
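Review bot: the loop `while (strm->avail_out && ret != LZMA_STREAM_END)` still spins for any lzma_code() result that is neither LZMA_STREAM_END nor one of the individually tested errors (LZMA_DATA_ERROR above, now LZMA_PROG_ERROR); rather than adding codes one at a time, treat every `ret` that is not LZMA_OK, LZMA_STREAM_END or an informational check code as fatal, so an overlooked code cannot reproduce the same hang. The new message also says `compression error` on a decompression path; `decompression error` or the code's name would be more accurate.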
+-- 
+cgit v0.11.2
+
-- 
1.9.1

-- 
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core


[OE-core] [PATCH][dizzy 6/6] libxml2: CVE-2015-8241

2015-12-14 Thread Sona Sarmadi
Upstream bug (contains reproducer):
https://bugzilla.gnome.org/show_bug.cgi?id=756263

Upstream patch:
https://git.gnome.org/browse/libxml2/commit/?id=
ab2b9a93ff19cedde7befbf2fcc48c6e352b6cbe

Signed-off-by: Tudor Florea <tudor.flo...@enea.com>
Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 meta/recipes-core/libxml/libxml2.inc   |  1 +
 .../libxml/libxml2/CVE-2015-8241.patch | 41 ++
 2 files changed, 42 insertions(+)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-8241.patch

diff --git a/meta/recipes-core/libxml/libxml2.inc 
b/meta/recipes-core/libxml/libxml2.inc
index d5e263b..2dafeb4 100644
--- a/meta/recipes-core/libxml/libxml2.inc
+++ b/meta/recipes-core/libxml/libxml2.inc
@@ -25,6 +25,7 @@ SRC_URI = 
"ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \

file://0001-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch \
file://CVE-2015-7942.patch \
file://CVE-2015-8035.patch \
+   file://CVE-2015-8241.patch \
   "
 
 BINCONFIG = "${bindir}/xml2-config"
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-8241.patch 
b/meta/recipes-core/libxml/libxml2/CVE-2015-8241.patch
new file mode 100644
index 000..98b30f0
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2015-8241.patch
@@ -0,0 +1,41 @@
+From ab2b9a93ff19cedde7befbf2fcc48c6e352b6cbe Mon Sep 17 00:00:00 2001
+From: Hugh Davenport <h...@allthethings.co.nz>
+Date: Tue, 3 Nov 2015 20:40:49 +0800
+Subject: Avoid extra processing of MarkupDecl when EOF
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=756263
+
+One place where ctxt->instate == XML_PARSER_EOF whic was set up
+by entity detection issues doesn't get noticed, and even overrided
+
+Fixes CVE-2015-8241.
+
+Upstream-Status: Backport
+
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+---
+ parser.c | 8 
+ 1 file changed, 8 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index d67b300..134afe7 100644
+--- a/parser.c
 b/parser.c
+@@ -6972,6 +6972,14 @@ xmlParseMarkupDecl(xmlParserCtxtPtr ctxt) {
+   xmlParsePI(ctxt);
+   }
+ }
++
++/*
++ * detect requirement to exit there and act accordingly
++ * and avoid having instate overriden later on
++ */
++if (ctxt->instate == XML_PARSER_EOF)
++return;
++
+ /*
+  * This is only for internal subset. On external entities,
+  * the replacement is done before parsing stage
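Review bot: the added comment misspells `overriden` (overridden), and since the point of the check is to honour an XML_PARSER_EOF set earlier by entity handling (per the commit message), say so in the comment instead of the generic `detect requirement to exit there`. The placement itself, after the comment/PI branch and before the internal-subset replacement, matches the stated goal of not letting instate be overwritten later on.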
+-- 
+cgit v0.11.2
+
-- 
1.9.1

-- 
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core


[OE-core] [PATCH][dizzy] openssl: CVE-2015-3194, CVE-2015-3195

2015-12-14 Thread Sona Sarmadi
Fixes following vulnerabilities:
Certificate verify crash with missing PSS parameter (CVE-2015-3194)
X509_ATTRIBUTE memory leak (CVE-2015-3195)

References:
https://openssl.org/news/secadv/20151203.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3194
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3195

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 .../CVE-2015-3194-Add-PSS-parameter-check.patch| 35 +
 ...CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch | 59 ++
 .../recipes-connectivity/openssl/openssl_1.0.1p.bb |  2 +
 3 files changed, 96 insertions(+)
 create mode 100644 
meta/recipes-connectivity/openssl/openssl/CVE-2015-3194-Add-PSS-parameter-check.patch
 create mode 100644 
meta/recipes-connectivity/openssl/openssl/CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch

diff --git 
a/meta/recipes-connectivity/openssl/openssl/CVE-2015-3194-Add-PSS-parameter-check.patch
 
b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3194-Add-PSS-parameter-check.patch
new file mode 100644
index 000..3c00bc1
--- /dev/null
+++ 
b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3194-Add-PSS-parameter-check.patch
@@ -0,0 +1,35 @@
+Date: Fri, 2 Oct 2015 13:10:29 +0100
+Subject: [PATCH] Add PSS parameter check.
+
+Avoid seg fault by checking mgf1 parameter is not NULL. This can be
+triggered during certificate verification so could be a DoS attack
+against a client or a server enabling client authentication.
+
+Thanks to Loïc Jonas Etienne (Qnective AG) for discovering this bug.
+
+CVE-2015-3194
+
+Upstream-Status: Backport
+
+Reviewed-by: Matt Caswell <m...@openssl.org>
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+---
+ crypto/rsa/rsa_ameth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
+index 93e071d..c7f1148 100644
+--- a/crypto/rsa/rsa_ameth.c
 b/crypto/rsa/rsa_ameth.c
+@@ -279,7 +279,7 @@ static RSA_PSS_PARAMS *rsa_pss_decode(const X509_ALGOR 
*alg,
+ if (pss->maskGenAlgorithm) {
+ ASN1_TYPE *param = pss->maskGenAlgorithm->parameter;
+ if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) == NID_mgf1
+-&& param->type == V_ASN1_SEQUENCE) {
++&& param && param->type == V_ASN1_SEQUENCE) {
+ p = param->value.sequence->data;
+ plen = param->value.sequence->length;
+ *pmaskHash = d2i_X509_ALGOR(NULL, , plen);
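Review bot: `*pmaskHash = d2i_X509_ALGOR(NULL, , plen);` is missing its second argument as rendered here (the `&p` has been lost in the archive); check that the patch file in the tree still has it, since this is a context line and any stray change makes the hunk fail to apply. With the new `param &&` guard, a NULL parameter now silently skips the mask decode instead of being reported; that is only acceptable if the caller rejects an unset *pmaskHash for mgf1, so confirm that path or raise an explicit error here.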
+-- 
+1.9.1
+
diff --git 
a/meta/recipes-connectivity/openssl/openssl/CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch
 
b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch
new file mode 100644
index 000..87c4c6c
--- /dev/null
+++ 
b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch
@@ -0,0 +1,59 @@
+Date: Tue, 10 Nov 2015 19:03:07 +
+Subject: [PATCH] Fix leak with ASN.1 combine.
+
+When parsing a combined structure pass a flag to the decode routine
+so on error a pointer to the parent structure is not zeroed as
+this will leak any additional components in the parent.
+
+This can leak memory in any application parsing PKCS#7 or CMS structures.
+
+CVE-2015-3195.
+
+Upstream-Status: Backport
+
+Thanks to Adam Langley (Google/BoringSSL) for discovering this bug using
+libFuzzer.
+
+PR#4131
+
+Reviewed-by: Richard Levitte <levi...@openssl.org>
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+---
+ crypto/asn1/tasn_dec.c | 7 +--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c
+index febf605..9256049 100644
+--- a/crypto/asn1/tasn_dec.c
 b/crypto/asn1/tasn_dec.c
+@@ -180,6 +180,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned 
char **in, long len,
+ int otag;
+ int ret = 0;
+ ASN1_VALUE **pchptr, *ptmpval;
++int combine = aclass & ASN1_TFLG_COMBINE;
++aclass &= ~ASN1_TFLG_COMBINE;
+ if (!pval)
+ return 0;
+ if (aux && aux->asn1_cb)
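Review bot: `aclass & ASN1_TFLG_COMBINE` overloads the `aclass` parameter with a template flag that is otherwise an ASN1_TEMPLATE property, and nothing at the declaration says so; add a comment that callers (asn1_template_noexp_d2i, in the last hunk) OR ASN1_TFLG_COMBINE into aclass and that it is masked off here before the class value is used.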
+@@ -500,7 +502,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned 
char **in, long len,
+  auxerr:
+ ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR);
+  err:
+-ASN1_item_ex_free(pval, it);
++if (combine == 0)
++ASN1_item_ex_free(pval, it);
+ if (errtt)
+ ERR_add_error_data(4, "Field=", errtt->field_name,
+", Type=", it->sname);
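Review bot: with `combine` set the error path now leaves `*pval` alone, which is right for the parent-owned embedded item the commit message describes, but a one-line comment at `if (combine == 0)` saying that the parent's ASN1_item_ex_free is responsible for it would stop a later reader from "fixing" the apparent leak. The hunk is cut off after the `ERR_add_error_data` continuation line, so its tail could not be reviewed here.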
+@@ -689,7 +692,7 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
+ } else {
+ /* Nothing special */
+ ret = ASN1_item_ex_d2i(val, , len, ASN1_ITEM_ptr(tt->item),
+-   -1, 0, opt, ctx);
++   -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx);
+ if (!ret) {
+ ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR
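Review bot: the context line `ret = ASN1_item_ex_d2i(val, , len, ASN1_ITEM_ptr(tt->item),` shows an empty second argument where `&p` belongs; as with the other context lines in this mail the `&` has been stripped, so verify the patch file applies cleanly rather than trusting the archived copy. Passing `tt->flags & ASN1_TFLG_COMBINE` in the aclass slot matches the masking added in the first hunk; the `-1` tag argument is unchanged.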

Re: [OE-core] [PATCH][dizzy][daisy][dylan] openssl: fix for CVE-2015-3195

2015-12-14 Thread Sona Sarmadi
Hi Fan,

dizzy branch has Openssl version 1.0.1p now:
http://git.yoctoproject.org/cgit/cgit.cgi/poky/tree/meta/recipes-connectivity/openssl/openssl_1.0.1p.bb?h=dizzy

How can this patch be applied to dizzy branch?

You have only sent patch for CVE-2015-3195, how about CVE-2015-3194?
CVE-2015-3193 does not seem to affect OpenSSL version 1.0.1 according to Mitre:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3193
CVE-2015-3193 (OpenSSL 1.0.2)
CVE-2015-3194 (OpenSSL 1.0.1 before 1.0.1q and 1.0.2 before 1.0.2e)
CVE-2015-3195 (OpenSSL before 1.0.0t, 1.0.1 before 1.0.1q, and 1.0.2 
before 1.0.2e)

Regards
//Sona


> -Original Message-
> From: openembedded-core-boun...@lists.openembedded.org
> [mailto:openembedded-core-boun...@lists.openembedded.org] On Behalf
> Of Fan Xin
> Sent: den 11 december 2015 09:14
> To: openembedded-core@lists.openembedded.org
> Cc: Fan Xin 
> Subject: [OE-core] [PATCH][dizzy][daisy][dylan] openssl: fix for CVE-2015-
> 3195
> 
> This vulnerability  affects OpenSSL versions 1.0.2 and 1.0.1, 1.0.0 and 0.9.8.
> So the patch also should be merged into dizzy, daisy and dylan.
> 
> Signed-off-by: Fan Xin 
> ---
>  .../0001-Fix-leak-with-ASN.1-combine.patch | 65
> ++
>  .../recipes-connectivity/openssl/openssl_1.0.1e.bb |  1 +
>  2 files changed, 66 insertions(+)
>  create mode 100644 meta/recipes-connectivity/openssl/openssl-
> 1.0.1e/0001-Fix-leak-with-ASN.1-combine.patch
> 
> diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/0001-Fix-leak-
> with-ASN.1-combine.patch b/meta/recipes-connectivity/openssl/openssl-
> 1.0.1e/0001-Fix-leak-with-ASN.1-combine.patch
> new file mode 100644
> index 000..5bda457
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/0001-Fix-leak-wit
> +++ h-ASN.1-combine.patch
> @@ -0,0 +1,65 @@
> +Upstream-Status: Backport
> +
> +This patch was imprted from
> +https://git.openssl.org/?p=openssl.git;a=commit;h=cc598f321fbac9c04da57
> +66243ed55d55948637d
> +
> +Signed-off-by: Fan Xin 
> +
> +From cc598f321fbac9c04da5766243ed55d55948637d Mon Sep 17
> 00:00:00 2001
> +From: Dr. Stephen Henson 
> +Date: Tue, 10 Nov 2015 19:03:07 +
> +Subject: [PATCH] Fix leak with ASN.1 combine.
> +
> +When parsing a combined structure pass a flag to the decode routine so
> +on error a pointer to the parent structure is not zeroed as this will
> +leak any additional components in the parent.
> +
> +This can leak memory in any application parsing PKCS#7 or CMS structures.
> +
> +CVE-2015-3195.
> +
> +Thanks to Adam Langley (Google/BoringSSL) for discovering this bug
> +using libFuzzer.
> +
> +PR#4131
> +
> +Reviewed-by: Richard Levitte 
> +---
> + crypto/asn1/tasn_dec.c |7 +--
> + 1 files changed, 5 insertions(+), 2 deletions(-)
> +
> +diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c index
> +febf605..9256049 100644
> +--- a/crypto/asn1/tasn_dec.c
>  b/crypto/asn1/tasn_dec.c
> +@@ -180,6 +180,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const
> unsigned char **in, long len,
> + int otag;
> + int ret = 0;
> + ASN1_VALUE **pchptr, *ptmpval;
> ++int combine = aclass & ASN1_TFLG_COMBINE;
> ++aclass &= ~ASN1_TFLG_COMBINE;
> + if (!pval)
> + return 0;
> + if (aux && aux->asn1_cb)
> +@@ -500,7 +502,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const
> +unsigned char **in, long len,
> +  auxerr:
> + ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR);
> +  err:
> +-ASN1_item_ex_free(pval, it);
> ++if (combine == 0)
> ++ASN1_item_ex_free(pval, it);
> + if (errtt)
> + ERR_add_error_data(4, "Field=", errtt->field_name,
> +", Type=", it->sname); @@ -689,7 +692,7 @@
> +static int asn1_template_noexp_d2i(ASN1_VALUE **val,
> + } else {
> + /* Nothing special */
> + ret = ASN1_item_ex_d2i(val, , len, ASN1_ITEM_ptr(tt->item),
> +-   -1, 0, opt, ctx);
> ++   -1, tt->flags & ASN1_TFLG_COMBINE, opt,
> ++ ctx);
> + if (!ret) {
> + ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I,
> ERR_R_NESTED_ASN1_ERROR);
> + goto err;
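Review bot: as quoted, the `@@ -689,7 +692,7 @@` header of the third hunk has been folded onto the `", Type=", it->sname);` context line, and the second argument of `ASN1_item_ex_d2i(val, , len, ...` is empty (the `&p` is gone), so this copy will not apply with patch(1); take the patch from the upstream commit cc598f321fbac9c04da5766243ed55d55948637d cited in its header rather than from the mail. Regenerating the series with `git send-email` from the current tree would also avoid the wrapping seen in the `+--- a/meta/...` file paths.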
> +--
> +1.7.0.4
> +
> diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb
> b/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb
> index bc1b944..dbc2da2 100644
> --- a/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb
> +++ b/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb
> @@ -37,6 +37,7 @@ SRC_URI += "file://configure-targets.patch \
>  file://0001-Use-version-in-SSL_METHOD-not-SSL-structure.patch \
>  file://CVE-2014-0160.patch \
>  file://openssl-CVE-2014-0198-fix.patch \
> +file://0001-Fix-leak-with-ASN.1-combine.patch \
> "
> 
>  SRC_URI[md5sum] = "66bf6f10f060d561929de96f9dfe5b8c"
> --
> 

Re: [OE-core] [PATCH 2/5] bbclass: fix spelling mistakes

2015-11-06 Thread Sona Sarmadi
Hi Maxin,

I think the warning below ("bb.warn") is incorrect: it should be "dirname"
instead of "patch", see below:
http://git.yoctoproject.org/cgit/cgit.cgi/poky/tree/meta/classes/spdx.bbclass
(master)

def get_ver_code(dirname):
    chksums = []
    for f_dir, f in list_files(dirname):
        hash = hash_file(os.path.join(dirname, f_dir, f))
        if not hash is None:
            chksums.append(hash)
        else:
            bb.warn("SPDX: Could not hash file: " + patch) <<< dirname

Could you please have a look at this as well?

Regards
//Sona

> -Original Message-
> From: openembedded-core-boun...@lists.openembedded.org
> [mailto:openembedded-core-boun...@lists.openembedded.org] On Behalf
> Of Maxin B. John
> Sent: den 5 november 2015 16:48
> To: openembedded-core@lists.openembedded.org
> Subject: [OE-core] [PATCH 2/5] bbclass: fix spelling mistakes
> 
> Fix some spelling mistakes in bbclass files
> 
> Signed-off-by: Maxin B. John 
> ---
>  meta/classes/allarch.bbclass | 2 +-
>  meta/classes/archiver.bbclass| 2 +-
>  meta/classes/buildhistory.bbclass| 2 +-
>  meta/classes/chrpath.bbclass | 4 ++--
>  meta/classes/crosssdk.bbclass| 2 +-
>  meta/classes/module-base.bbclass | 2 +-
>  meta/classes/package.bbclass | 4 ++--
>  meta/classes/package_deb.bbclass | 2 +-
>  meta/classes/siteinfo.bbclass| 2 +-
>  meta/classes/spdx.bbclass| 2 +-
>  meta/classes/tinderclient.bbclass| 2 +-
>  meta/classes/update-alternatives.bbclass | 2 +-
>  12 files changed, 14 insertions(+), 14 deletions(-)
> 
> diff --git a/meta/classes/allarch.bbclass b/meta/classes/allarch.bbclass index
> 2fea7c0..3826643 100644
> --- a/meta/classes/allarch.bbclass
> +++ b/meta/classes/allarch.bbclass
> @@ -1,5 +1,5 @@
>  #
> -# This class is used for architecture independent recipes/data files (usally
> scripts)
> +# This class is used for architecture independent recipes/data files
> +(usually scripts)
>  #
> 
>  # Expand STAGING_DIR_HOST since for cross-canadian/native/nativesdk, this
> will diff --git a/meta/classes/archiver.bbclass 
> b/meta/classes/archiver.bbclass
> index 41a552c..f4a34df 100644
> --- a/meta/classes/archiver.bbclass
> +++ b/meta/classes/archiver.bbclass
> @@ -254,7 +254,7 @@ python do_unpack_and_patch() {
>  ar_outdir = d.getVar('ARCHIVER_OUTDIR', True)
>  d.setVar('WORKDIR', ar_outdir)
> 
> -# The changed 'WORKDIR' also casued 'B' changed, create dir 'B' for the
> +# The changed 'WORKDIR' also caused 'B' changed, create dir 'B' for
> + the
>  # possibly requiring of the following tasks (such as some recipes's
>  # do_patch required 'B' existed).
>  bb.utils.mkdirhier(d.getVar('B', True)) diff --git
> a/meta/classes/buildhistory.bbclass b/meta/classes/buildhistory.bbclass
> index 4db0441..c3da773 100644
> --- a/meta/classes/buildhistory.bbclass
> +++ b/meta/classes/buildhistory.bbclass
> @@ -24,7 +24,7 @@ sstate_install[vardepsexclude] +=
> "buildhistory_emit_pkghistory"
>  SSTATEPOSTINSTFUNCS[vardepvalueexclude] .= "|
> buildhistory_emit_pkghistory"
> 
>  #
> -# Write out metadata about this package for comparision when writing future
> packages
> +# Write out metadata about this package for comparison when writing
> +future packages
>  #
>  python buildhistory_emit_pkghistory() {
>  if not d.getVar('BB_CURRENTTASK', True) in ['packagedata',
> 'packagedata_setscene']:
> diff --git a/meta/classes/chrpath.bbclass b/meta/classes/chrpath.bbclass index
> e9160af..9c68855 100644
> --- a/meta/classes/chrpath.bbclass
> +++ b/meta/classes/chrpath.bbclass
> @@ -6,7 +6,7 @@ def process_file_linux(cmd, fpath, rootdir, baseprefix,
> tmpdir, d):
> 
>  p = sub.Popen([cmd, '-l', fpath],stdout=sub.PIPE,stderr=sub.PIPE)
>  err, out = p.communicate()
> -# If returned succesfully, process stderr for results
> +# If returned successfully, process stderr for results
>  if p.returncode != 0:
>  return
> 
> @@ -45,7 +45,7 @@ def process_file_darwin(cmd, fpath, rootdir, baseprefix,
> tmpdir, d):
> 
>  p = sub.Popen([d.expand("${HOST_PREFIX}otool"), '-L',
> fpath],stdout=sub.PIPE,stderr=sub.PIPE)
>  err, out = p.communicate()
> -# If returned succesfully, process stderr for results
> +# If returned successfully, process stderr for results
>  if p.returncode != 0:
>  return
>  for l in err.split("\n"):
> diff --git a/meta/classes/crosssdk.bbclass b/meta/classes/crosssdk.bbclass
> index 87d5cf5..7315c38 100644
> --- a/meta/classes/crosssdk.bbclass
> +++ b/meta/classes/crosssdk.bbclass
> @@ -30,7 +30,7 @@ baselib = "lib"
>  do_populate_sysroot[stamp-extra-info] = ""
>  do_packagedata[stamp-extra-info] = ""
> 
> -# Need to force this to ensure consitency accross architectures
> +# Need to force this to ensure consitency across architectures
>  EXTRA_OECONF_GCC_FLOAT = ""
> 
>  USE_NLS = "no"
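Review bot: the crosssdk.bbclass hunk corrects `accross` but leaves a second typo on the very same line, `consitency` in `+# Need to force this to ensure consitency across architectures`; since the whole series is a spelling pass, suggest changing it to `consistency` in this hunk rather than in a follow-up.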
> diff 

[OE-core] [PATCH][dizzy] libxml2: CVE-2015-7942

2015-11-04 Thread Sona Sarmadi
Fixes heap-based buffer overflow in xmlParseConditionalSections().

Upstream patch:
https://git.gnome.org/browse/libxml2/commit/?id=9b8512337d14c8ddf662fcb98b0135f225a1c489

Upstream bug:
https://bugzilla.gnome.org/show_bug.cgi?id=756456

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
Signed-off-by: Tudor Florea <tudor.flo...@enea.com>
---
 meta/recipes-core/libxml/libxml2.inc   |  1 +
 .../libxml/libxml2/CVE-2015-7942.patch | 58 ++
 2 files changed, 59 insertions(+)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch

diff --git a/meta/recipes-core/libxml/libxml2.inc 
b/meta/recipes-core/libxml/libxml2.inc
index 840a8eb..15a2421 100644
--- a/meta/recipes-core/libxml/libxml2.inc
+++ b/meta/recipes-core/libxml/libxml2.inc
@@ -23,6 +23,7 @@ SRC_URI = 
"ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
file://libxml-m4-use-pkgconfig.patch \
file://libxml2-CVE-2014-3660.patch \

file://0001-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch \
+   file://CVE-2015-7942.patch \
   "
 
 BINCONFIG = "${bindir}/xml2-config"
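Review bot: naming nit in the SRC_URI hunk: the new entry is `file://CVE-2015-7942.patch` while the neighbouring security patch in the same list is `file://libxml2-CVE-2014-3660.patch`; consider keeping the `libxml2-CVE-...` prefix so the patches for this recipe sort and grep together.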
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch 
b/meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch
new file mode 100644
index 000..738ae94
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch
@@ -0,0 +1,58 @@
+From 9b8512337d14c8ddf662fcb98b0135f225a1c489 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veill...@redhat.com>
+Date: Mon, 23 Feb 2015 11:29:20 +0800
+Subject: Cleanup conditional section error handling
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=744980
+
+The error handling of Conditional Section also need to be
+straightened as the structure of the document can't be
+guessed on a failure there and it's better to stop parsing
+as further errors are likely to be irrelevant.
+
+Fixes CVE-2015-7942.
+Upstream-Status: Backport
+
+Upstream patch:
+https://git.gnome.org/browse/libxml2/commit/
+?id=9b8512337d14c8ddf662fcb98b0135f225a1c489
+
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+---
+ parser.c | 6 ++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index bbe97eb..fe603ac 100644
+--- a/parser.c
 b/parser.c
+@@ -6770,6 +6770,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+   SKIP_BLANKS;
+   if (RAW != '[') {
+   xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
++  xmlStopParser(ctxt);
++  return;
+   } else {
+   if (ctxt->input->id != id) {
+   xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
+@@ -6830,6 +6832,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+   SKIP_BLANKS;
+   if (RAW != '[') {
+   xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
++  xmlStopParser(ctxt);
++  return;
+   } else {
+   if (ctxt->input->id != id) {
+   xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
+@@ -6885,6 +6889,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+ 
+ } else {
+   xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL);
++  xmlStopParser(ctxt);
++  return;
+ }
+ 
+ if (RAW == 0)
+-- 
+cgit v0.11.2
+
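Review bot: as rendered here the embedded patch has `+--- a/parser.c` followed directly by ` b/parser.c` with no leading `+++`, so there is no new-file header before the first `@@`; if this is more than the archive eating a line that starts with `++++`, the file will not apply with quilt or git apply, so please check the copy in the tree. The three parser.c hunks themselves are consistent with the commit message: each adds `xmlStopParser(ctxt); return;` right after the fatal error instead of continuing to parse a document whose structure can no longer be trusted.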
-- 
1.9.1



[OE-core] [PATCH][dizzy] grep2.19: CVE-2015-1345

2015-09-16 Thread Sona Sarmadi
Fixes heap-based buffer overflow flaw in grep.
Affected versions are: grep 2.19 through 2.21

Removed THANKS.in changes from upstream patch since this
file does not exist in version 2.19.
Replaced tab with spaces in SRC_URI as well.

Upstream fix:
http://git.sv.gnu.org/cgit/grep.git/commit/?id=83a95bd8c8561875b948cadd417c653dbe7ef2e2

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 .../grep/grep-2.19/grep2.19-CVE-2015-1345.patch| 129 +
 meta/recipes-extended/grep/grep_2.19.bb|   4 +-
 2 files changed, 132 insertions(+), 1 deletion(-)
 create mode 100644 
meta/recipes-extended/grep/grep-2.19/grep2.19-CVE-2015-1345.patch

diff --git a/meta/recipes-extended/grep/grep-2.19/grep2.19-CVE-2015-1345.patch 
b/meta/recipes-extended/grep/grep-2.19/grep2.19-CVE-2015-1345.patch
new file mode 100644
index 000..32846f5
--- /dev/null
+++ b/meta/recipes-extended/grep/grep-2.19/grep2.19-CVE-2015-1345.patch
@@ -0,0 +1,129 @@
+From 83a95bd8c8561875b948cadd417c653dbe7ef2e2 Mon Sep 17 00:00:00 2001
+From: Yuliy Pisetsky <ypiset...@fb.com>
+Date: Thu, 01 Jan 2015 23:36:55 +
+Subject: grep -F: fix a heap buffer (read) overrun
+
+grep's read buffer is often filled to its full size, except when
+reading the final buffer of a file.  In that case, the number of
+bytes read may be far less than the size of the buffer.  However, for
+certain unusual pattern/text combinations, grep -F would mistakenly
+examine bytes in that uninitialized region of memory when searching
+for a match.  With carefully chosen inputs, one can cause grep -F to
+read beyond the end of that buffer altogether.  This problem arose via
+commit v2.18-90-g73893ff with the introduction of a more efficient
+heuristic using what is now the memchr_kwset function. The use of
+that function in bmexec_trans could leave TP much larger than EP,
+and the subsequent call to bm_delta2_search would mistakenly access
+beyond end of the main input read buffer.
+
+* src/kwset.c (bmexec_trans): When TP reaches or exceeds EP,
+do not call bm_delta2_search.
+* tests/kwset-abuse: New file.
+* tests/Makefile.am (TESTS): Add it.
+* NEWS (Bug fixes): Mention it.
+
+Prior to this patch, this command would trigger a UMR:
+
+  printf %0360db 0 | valgrind src/grep -F $(printf %019dXb 0)
+
+  Use of uninitialised value of size 8
+ at 0x4142BE: bmexec_trans (kwset.c:657)
+ by 0x4143CA: bmexec (kwset.c:678)
+ by 0x414973: kwsexec (kwset.c:848)
+ by 0x414DC4: Fexecute (kwsearch.c:128)
+ by 0x404E2E: grepbuf (grep.c:1238)
+ by 0x4054BF: grep (grep.c:1417)
+ by 0x405CEB: grepdesc (grep.c:1645)
+ by 0x405EC1: grep_command_line_arg (grep.c:1692)
+ by 0x4077D4: main (grep.c:2570)
+
+See the accompanying test for how to trigger the heap buffer overrun.
+
+Thanks to Nima Aghdaii for testing and finding numerous
+ways to break early iterations of this patch.
+
+Fixes CVE-2015-1345.
+Upstream-Status: Backport
+
+---
+diff --git a/NEWS b/NEWS
+index 975440d..3835d8d 100644
+--- a/NEWS
 b/NEWS
+@@ -2,6 +2,11 @@ GNU grep NEWS-*- outline 
-*-
+ 
+ * Noteworthy changes in release ?.? (-??-??) [?]
+ 
++** Bug fixes
++
++  grep no longer reads from uninitialized memory or from beyond the end
++  of the heap-allocated input buffer.
++
+ 
+ * Noteworthy changes in release 2.21 (2014-11-23) [stable]
+ 
+diff --git a/src/kwset.c b/src/kwset.c
+index 4003c8d..376f7c3 100644
+--- a/src/kwset.c
 b/src/kwset.c
+@@ -643,6 +643,8 @@ bmexec_trans (kwset_t kwset, char const *text, size_t size)
+ if (! tp)
+   return -1;
+ tp++;
++if (ep <= tp)
++  break;
+   }
+   }
+   }
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 2cba2cd..0508cd2 100644
+--- a/tests/Makefile.am
 b/tests/Makefile.am
+@@ -75,6 +75,7 @@ TESTS =  \
+   inconsistent-range  \
+   invalid-multibyte-infloop   \
+   khadafy \
++  kwset-abuse \
+   long-line-vs-2GiB-read  \
+   match-lines \
+   max-count-overread  \
+diff --git a/tests/kwset-abuse b/tests/kwset-abuse
+new file mode 100755
+index 000..6d8ec0c
+--- a/dev/null
 b/tests/kwset-abuse
+@@ -0,0 +1,32 @@
++#! /bin/sh
++# Evoke a segfault in a hard-to-reach code path of kwset.c.
++# This bug affected grep versions 2.19 through 2.21.
++#
++# Copyright (C) 2015 Free Software Foundation, Inc.
++#
++# This program is free software: you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation, either version 3 of the License, or
++# (at your option) any later version.
++
++# This program
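Review bot: in the `tests/kwset-abuse` part of the embedded patch the old-file header is `+--- a/dev/null`; a new file should carry `--- /dev/null`, and with `-p1` the `a/` prefix is stripped to `dev/null`, which is not the null-file sentinel, so patch may complain when creating the file. Suggest correcting that line to `--- /dev/null`. The kwset.c change itself (`if (ep <= tp) break;` after `tp++`) matches the description of not calling `bm_delta2_search` once TP reaches or exceeds EP.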

[OE-core] [PATCH][fido][dizzy] libtasn1: CVE-2015-3622

2015-09-14 Thread Sona Sarmadi
_asn1_extract_der_octet: prevent past of boundary access

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3622
http://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=patch;h=f979435823a02f842c41d49cd41cc81f25b5d677

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 .../gnutls/libtasn1/libtasn1-CVE-2015-3622.patch   | 44 ++
 meta/recipes-support/gnutls/libtasn1_4.0.bb|  1 +
 2 files changed, 45 insertions(+)
 create mode 100644 
meta/recipes-support/gnutls/libtasn1/libtasn1-CVE-2015-3622.patch

diff --git a/meta/recipes-support/gnutls/libtasn1/libtasn1-CVE-2015-3622.patch 
b/meta/recipes-support/gnutls/libtasn1/libtasn1-CVE-2015-3622.patch
new file mode 100644
index 000..0989ef6
--- /dev/null
+++ b/meta/recipes-support/gnutls/libtasn1/libtasn1-CVE-2015-3622.patch
@@ -0,0 +1,44 @@
+From f979435823a02f842c41d49cd41cc81f25b5d677 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <n...@redhat.com>
+Date: Mon, 20 Apr 2015 14:56:27 +0200
+Subject: [PATCH] _asn1_extract_der_octet: prevent past of boundary access
+
+Fixes CVE-2015-3622.
+Upstream-Status: Backport
+
+Reported by Hanno Böck.
+---
+ lib/decoding.c |3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/lib/decoding.c b/lib/decoding.c
+index 7fbd931..42ddc6b 100644
+--- a/lib/decoding.c
 b/lib/decoding.c
+@@ -732,6 +732,7 @@ _asn1_extract_der_octet (asn1_node node, const unsigned 
char *der,
+ return ASN1_DER_ERROR;
+ 
+   counter = len3 + 1;
++  DECR_LEN(der_len, len3);
+ 
+   if (len2 == -1)
+ counter_end = der_len - 2;
+@@ -740,6 +741,7 @@ _asn1_extract_der_octet (asn1_node node, const unsigned 
char *der,
+ 
+   while (counter < counter_end)
+ {
++  DECR_LEN(der_len, 1);
+   len2 = asn1_get_length_der (der + counter, der_len, );
+ 
+   if (IS_ERR(len2, flags))
+@@ -764,7 +766,6 @@ _asn1_extract_der_octet (asn1_node node, const unsigned 
char *der,
+ len2 = 0;
+   }
+ 
+-  DECR_LEN(der_len, 1);
+   counter += len2 + len3 + 1;
+ }
+ 
+-- 
+1.7.2.5
+
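Review bot: the decoding.c change moves `DECR_LEN(der_len, 1)` from the end of the loop body to the top, before `asn1_get_length_der`, and adds `DECR_LEN(der_len, len3)` before the loop, so `der_len` reflects the bytes actually remaining each time a length is parsed; that is the right shape for the fix. One thing to verify in the tree copy: the call is shown here as `asn1_get_length_der (der + counter, der_len, );` with an empty third argument, which looks like the archive stripping an `&`-prefixed pointer argument; the patch file must still carry it or the hunk context will not match.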
diff --git a/meta/recipes-support/gnutls/libtasn1_4.0.bb 
b/meta/recipes-support/gnutls/libtasn1_4.0.bb
index 289833ec..16cf4d6 100644
--- a/meta/recipes-support/gnutls/libtasn1_4.0.bb
+++ b/meta/recipes-support/gnutls/libtasn1_4.0.bb
@@ -11,6 +11,7 @@ LIC_FILES_CHKSUM = 
"file://COPYING;md5=d32239bcb673463ab874e80d47fae504 \
 SRC_URI = "${GNU_MIRROR}/libtasn1/libtasn1-${PV}.tar.gz \
file://libtasn1_fix_for_automake_1.12.patch \
file://dont-depend-on-help2man.patch \
+   file://libtasn1-CVE-2015-3622.patch \
"
 
 SRC_URI[md5sum] = "d3d2d9bce3b6668b9827a9df52635be1"
-- 
1.9.1



Re: [OE-core] [PATCH][fido] bind: CVE-2015-1349 CVE-2015-4620 CVE-2015-5722

2015-09-11 Thread Sona Sarmadi
Hi Armin,

I guess you will backport these to dizzy as well. I created Bug 8281 just to keep track of recent bind vulnerabilities:
CVE-2015-1349, CVE-2015-4620, CVE-2015-5477, CVE-2015-5722, CVE-2015-5986.

I think all have been addressed in master and fido; remaining are only these three patches in the dizzy branch.

//Sona

> -Original Message-
> From: openembedded-core-boun...@lists.openembedded.org
> [mailto:openembedded-core-boun...@lists.openembedded.org] On Behalf Of
> Armin Kuster
> Sent: 8 September 2015 01:22
> To: openembedded-core@lists.openembedded.org;
> joshua.l...@collabora.co.uk
> Cc: Armin Kuster 
> Subject: [OE-core] [PATCH][fido] bind: CVE-2015-1349 CVE-2015-4620 CVE-
> 2015-5722
> 
> From: Armin Kuster 
> 
> three security fixes.
> 
> Signed-off-by: Armin Kuster 
> ---
>  .../bind/bind/CVE-2015-1349.patch  |  60 +++
>  .../bind/bind/CVE-2015-4620.patch  |  36 ++
>  .../bind/bind/CVE-2015-5722.patch  | 490 
> +
>  meta/recipes-connectivity/bind/bind_9.9.5.bb   |   3 +
>  4 files changed, 589 insertions(+)
>  create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2015-
> 1349.patch
>  create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2015-
> 4620.patch
>  create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2015-
> 5722.patch
> 
> diff --git a/meta/recipes-connectivity/bind/bind/CVE-2015-1349.patch
> b/meta/recipes-connectivity/bind/bind/CVE-2015-1349.patch
> new file mode 100644
> index 000..dea7aae
> --- /dev/null
> +++ b/meta/recipes-connectivity/bind/bind/CVE-2015-1349.patch
> @@ -0,0 +1,60 @@
> +CVE-2015-1349 bind: issue in trust anchor management can cause named to
> +crash
> +
> +commit 2e9d79f169663c9aff5f0dcdc626a2cd2dbb5892
> +Author: Evan Hunt 
> +Date:   Tue Feb 3 18:30:38 2015 -0800
> +
> +[v9_9_6_patch] avoid crash due to managed-key rollover
> +
> +4053.[security]  Revoking a managed trust anchor and
> supplying
> + an untrusted replacement could cause named
> + to crash with an assertion failure.
> + (CVE-2015-1349) [RT #38344]
> +
> +Upstream Status: Backport from Redhat
> +
> +https://bugzilla.redhat.com/attachment.cgi?id=993045
> +
> +Signed-off-by: Armin Kuster 
> +
> +Index: bind-9.9.5/CHANGES
> +===
> 
> +--- bind-9.9.5.orig/CHANGES
>  bind-9.9.5/CHANGES
> +@@ -1,3 +1,10 @@
> ++--- 9.9.6-P2 released ---
> ++
> ++4053.   [security]  Revoking a managed trust anchor and
> supplying
> ++an untrusted replacement could cause named
> ++to crash with an assertion failure.
> ++(CVE-2015-1349) [RT #38344]
> ++
> + --- 9.9.5 released ---
> +
> + --- 9.9.5rc2 released ---
> +Index: bind-9.9.5/lib/dns/zone.c
> +===
> 
> +--- bind-9.9.5.orig/lib/dns/zone.c
>  bind-9.9.5/lib/dns/zone.c
> +@@ -8496,6 +8496,12 @@ keyfetch_done(isc_task_t *task, isc_even
> +  namebuf, tag);
> + trustkey = ISC_TRUE;
> + }
> ++} else {
> ++/*
> ++ * No previously known key, and the key is not
> ++ * secure, so skip it.
> ++ */
> ++continue;
> + }
> +
> + /* Delete old version */
> +@@ -8544,7 +8550,7 @@ keyfetch_done(isc_task_t *task, isc_even
> + trust_key(zone, keyname, , mctx);
> + }
> +
> +-if (!deletekey)
> ++if (secure && !deletekey)
> + set_refreshkeytimer(zone, , now);
> + }
> +
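Review bot: the second zone.c hunk changes `if (!deletekey)` to `if (secure && !deletekey)`, but `secure` is neither declared nor assigned anywhere in the context shown; please confirm in the backported 9.9.5 file that the flag is initialised on every path before this point, since the Red Hat patch was written against a different base. The first hunk's new `else { continue; }` branch skips keys that are neither previously known nor secure, which is the rollover case the CHANGES entry describes.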
> diff --git a/meta/recipes-connectivity/bind/bind/CVE-2015-4620.patch
> b/meta/recipes-connectivity/bind/bind/CVE-2015-4620.patch
> new file mode 100644
> index 000..1a5051e
> --- /dev/null
> +++ b/meta/recipes-connectivity/bind/bind/CVE-2015-4620.patch
> @@ -0,0 +1,36 @@
> +CVE-2015-4620 bind: abort DoS caused by uninitialized value use in
> +isselfsigned()
> +
> +issue introduced by git commit
> +
> +https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=44
> +f175a90a855326725439b2f1178f0dcca8f67d
> +
> +which is in this version of bind.
> +
> +Upstream Status: Backport from Redhat
> +
> +https://bugzilla.redhat.com/attachment.cgi?id=1044719
> +
> +Signed-off-by: Armin Kuster 
> +
> +Index: bind-9.9.5/lib/dns/validator.c
> +===
> 
> +--- bind-9.9.5.orig/lib/dns/validator.c
>  bind-9.9.5/lib/dns/validator.c
> +@@ -1406,7 +1406,6 @@ compute_keytag(dns_rdata_t *rdata, dns_r
> +  */
> + static isc_boolean_t
> + 

[OE-core] [PATCH][dizzy] icu: CVE-2014-8146-CVE-2014-8147

2015-09-04 Thread Sona Sarmadi
CVE-2014-8146 icu: heap overflow via incorrect isolateCount
CVE-2014-8147 icu: integer truncation in the resolveImplicitLevels function

References:
[1] https://github.com/pedrib/PoC/raw/master/generic/i-c-u-fail.7z
[2] https://www.kb.cert.org/vuls/id/602540
[3] http://bugs.icu-project.org/trac/changeset/37080
[4] http://bugs.icu-project.org/trac/changeset/37162

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 .../icu/icu/icu-CVE-2014-8146-CVE-2014-8147.patch  | 49 ++
 meta/recipes-support/icu/icu_53.1.bb   |  1 +
 2 files changed, 50 insertions(+)
 create mode 100644 
meta/recipes-support/icu/icu/icu-CVE-2014-8146-CVE-2014-8147.patch

diff --git a/meta/recipes-support/icu/icu/icu-CVE-2014-8146-CVE-2014-8147.patch 
b/meta/recipes-support/icu/icu/icu-CVE-2014-8146-CVE-2014-8147.patch
new file mode 100644
index 000..2460357
--- /dev/null
+++ b/meta/recipes-support/icu/icu/icu-CVE-2014-8146-CVE-2014-8147.patch
@@ -0,0 +1,49 @@
+icu: CVE-2014-8146-CVE-2014-8147
+
+CVE-2014-8146 icu: heap overflow via incorrect isolateCount
+CVE-2014-8147 icu: integer truncation in the resolveImplicitLevels function
+
+References:
+[1] https://github.com/pedrib/PoC/raw/master/generic/i-c-u-fail.7z
+[2] https://www.kb.cert.org/vuls/id/602540
+[3] http://bugs.icu-project.org/trac/changeset/37080
+[4] http://bugs.icu-project.org/trac/changeset/37162
+
+Upstream-Status: Backport
+
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+---
+diff -ruN a/common/ubidi.c b/common/ubidi.c
+--- a/common/ubidi.c   2014-10-03 18:11:20.0 +0200
 b/common/ubidi.c   2015-08-28 08:22:39.455906194 +0200
+@@ -2138,7 +2138,7 @@
+ /* The isolates[] entries contain enough information to
+resume the bidi algorithm in the same state as it was
+when it was interrupted by an isolate sequence. */
+-if(dirProps[start]==PDI) {
++if(dirProps[start]==PDI  && pBiDi->isolateCount >= 0) {
+ levState.startON=pBiDi->isolates[pBiDi->isolateCount].startON;
+ start1=pBiDi->isolates[pBiDi->isolateCount].start1;
+ stateImp=pBiDi->isolates[pBiDi->isolateCount].stateImp;
+diff -ruN a/common/ubidiimp.h b/common/ubidiimp.h
+--- a/common/ubidiimp.h2014-10-03 18:11:16.0 +0200
 b/common/ubidiimp.h2015-08-28 08:28:24.069163845 +0200
+@@ -1,7 +1,7 @@
+ /*
+ **
+ *
+-*   Copyright (C) 1999-2014, International Business Machines
++*   Copyright (C) 1999-2015, International Business Machines
+ *   Corporation and others.  All Rights Reserved.
+ *
+ **
+@@ -184,8 +184,8 @@
+ typedef struct Isolate {
+ int32_t startON;
+ int32_t start1;
++int32_t state;
+ int16_t stateImp;
+-int16_t state;
+ } Isolate;
+
+ typedef struct Run {
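Review bot: the ubidi.c hunk guards the `pBiDi->isolates[pBiDi->isolateCount]` reads with `pBiDi->isolateCount >= 0`, which is what stops the negative index; minor style point, there is a double space before `&&` in `+if(dirProps[start]==PDI  && ...`. The ubidiimp.h hunk widens `state` from `int16_t` to `int32_t` and moves it above `stateImp`, which changes the layout and size of `struct Isolate`; any code that initialises `Isolate` positionally needs checking in the 53.1 tree.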
diff --git a/meta/recipes-support/icu/icu_53.1.bb 
b/meta/recipes-support/icu/icu_53.1.bb
index d93af68..2906e8f 100644
--- a/meta/recipes-support/icu/icu_53.1.bb
+++ b/meta/recipes-support/icu/icu_53.1.bb
@@ -11,6 +11,7 @@ ICU_PV = "${@icu_download_version(d)}"
 BASE_SRC_URI = 
"http://download.icu-project.org/files/icu4c/${PV}/icu4c-${ICU_PV}-src.tgz;
 SRC_URI = "${BASE_SRC_URI} \
file://icu-pkgdata-large-cmd.patch \
+   file://icu-CVE-2014-8146-CVE-2014-8147.patch \
   "
 
 SRC_URI_append_class-target = "\
-- 
1.9.1



Re: [OE-core] [PATCH 1/1] qemu: backport patches to fix CVE issues

2015-09-04 Thread Sona Sarmadi
Hi guys,

These qemu/xen patches have been backported to fido branch: 
http://git.yoctoproject.org/cgit/cgit.cgi/poky/tree/meta/recipes-devtools/qemu/qemu_2.2.0.bb?h=fido

but not dizzy:
http://git.yoctoproject.org/cgit/cgit.cgi/poky/tree/meta/recipes-devtools/qemu/qemu_2.1.0.bb?h=dizzy

Do you know why? 
I backported these to my local dizzy branch and built qemu 2.1; all patches apply. I guess these patches are applicable to the dizzy branch as well. Any comments on this?

Armin, I have patches for dizzy, I can send them if you think that they should 
be backported to dizzy as well.

//Sona


> -Original Message-
> From: openembedded-core-boun...@lists.openembedded.org
> [mailto:openembedded-core-boun...@lists.openembedded.org] On Behalf
> Of Kai Kang
> Sent: 18 June 2015 11:03
> To: openembedded-core@lists.openembedded.org
> Subject: [OE-core] [PATCH 1/1] qemu: backport patches to fix CVE issues
> 
> Backport patches to fix CVE-2015-4103, CVE-2015-4104, CVE-2015-4105 and
> CVE-2015-4106. These patches are from debian, but they are originally
> from:
> 
> http://git.qemu.org/?p=qemu.git;a=shortlog;h=c25bbf1
> 
> Signed-off-by: Kai Kang 
> ---
>  ...f-modified-PCI-CFG-contents-CVE-2015-4103.patch | 140 +++
>  ...o-control-MSI-mask-register-CVE-2015-4104.patch | 194
> +++
>  ...-MSI-X-limit-error-messages-CVE-2015-4105.patch |  90 +++
>  ...s-through-of-enable-bit-mod-CVE-2015-4106.patch |  76 ++
>  ...date-PM-capability-emu_mask-CVE-2015-4106.patch |  86 +++
>  ...rectly-handle-PM-status-bit-CVE-2015-4106.patch |  38 +++
>  ...ulation-of-throughable-mask-CVE-2015-4106.patch | 265
> +
>  ...e-capability-bits-read-only-CVE-2015-4106.patch |  38 +++
>  ...-in-PCI-config-space-fields-CVE-2015-4106.patch |  94 
>  ...ig-space-field-descriptions-CVE-2015-4106.patch |  77 ++
>  ...e-fields-should-be-readonly-CVE-2015-4106.patch | 137 +++
>  meta/recipes-devtools/qemu/qemu_2.3.0.bb   |  13 +-
>  12 files changed, 1247 insertions(+), 1 deletion(-)
>  create mode 100644 meta/recipes-devtools/qemu/qemu/01-xen-properly-
> gate-host-writes-of-modified-PCI-CFG-contents-CVE-2015-4103.patch
>  create mode 100644 meta/recipes-devtools/qemu/qemu/02-xen-dont-
> allow-guest-to-control-MSI-mask-register-CVE-2015-4104.patch
>  create mode 100644 meta/recipes-devtools/qemu/qemu/03-xen-MSI-X-
> limit-error-messages-CVE-2015-4105.patch
>  create mode 100644 meta/recipes-devtools/qemu/qemu/04-xen-MSI-dont-
> open-code-pass-through-of-enable-bit-mod-CVE-2015-4106.patch
>  create mode 100644 meta/recipes-devtools/qemu/qemu/05-xen-pt-
> consolidate-PM-capability-emu_mask-CVE-2015-4106.patch
>  create mode 100644 meta/recipes-devtools/qemu/qemu/06-xen-pt-
> correctly-handle-PM-status-bit-CVE-2015-4106.patch
>  create mode 100644 meta/recipes-devtools/qemu/qemu/07-xen-pt-split-
> out-calculation-of-throughable-mask-CVE-2015-4106.patch
>  create mode 100644 meta/recipes-devtools/qemu/qemu/08-xen-pt-mark-
> all-PCIe-capability-bits-read-only-CVE-2015-4106.patch
>  create mode 100644 meta/recipes-devtools/qemu/qemu/09-xen-pt-mark-
> reserved-bits-in-PCI-config-space-fields-CVE-2015-4106.patch
>  create mode 100644 meta/recipes-devtools/qemu/qemu/10-xen-pt-add-a-
> few-PCI-config-space-field-descriptions-CVE-2015-4106.patch
>  create mode 100644 meta/recipes-devtools/qemu/qemu/11-xen-pt-
> unknown-PCI-config-space-fields-should-be-readonly-CVE-2015-4106.patch
> 
> diff --git a/meta/recipes-devtools/qemu/qemu/01-xen-properly-gate-host-
> writes-of-modified-PCI-CFG-contents-CVE-2015-4103.patch b/meta/recipes-
> devtools/qemu/qemu/01-xen-properly-gate-host-writes-of-modified-PCI-
> CFG-contents-CVE-2015-4103.patch
> new file mode 100644
> index 000..42a4960
> --- /dev/null
> +++ b/meta/recipes-devtools/qemu/qemu/01-xen-properly-gate-host-
> writes-of-modified-PCI-CFG-contents-CVE-2015-4103.patch
> @@ -0,0 +1,140 @@
> +Upstream-Status: Backport
> +
> +Signed-off-by: Kai Kang 
> +
> +From 5c83b2f5b4b956e91dd6e5711f14df7ab800aefb Mon Sep 17 00:00:00
> 2001
> +From: Jan Beulich 
> +Date: Tue, 2 Jun 2015 15:07:00 +
> +Subject: xen: properly gate host writes of modified PCI CFG contents
> +Bug-Debian: http://bugs.debian.org/787547
> +
> +The old logic didn't work as intended when an access spanned multiple
> +fields (for example a 32-bit access to the location of the MSI Message
> +Data field with the high 16 bits not being covered by any known field).
> +Remove it and derive which fields not to write to from the accessed
> +fields' emulation masks: When they're all ones, there's no point in
> +doing any host write.
> +
> +This fixes a secondary issue at once: We obviously shouldn't make any
> +host write attempt when already the host read failed.
> +
> +This is XSA-128.
> +
> +Signed-off-by: Jan Beulich 
> +Reviewed-by: Stefano Stabellini 

[OE-core] [PATCH][fido] gnutls: CVE-2015-3308

2015-09-03 Thread Sona Sarmadi
Fixes use-after-free flaw in CRL distribution points parsing

Reference:
https://gitlab.com/gnutls/gnutls/commit/d6972be33264ecc49a86cd0958209cd7363af1e9
https://gitlab.com/gnutls/gnutls/commit/053ae65403216acdb0a4e78b25ad66ee9f444f02

http://www.openwall.com/lists/oss-security/2015/04/15/6

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 .../better-fix-for-double-free-CVE-2015-3308.patch | 65 ++
 .../eliminated-double-free-CVE-2015-3308.patch | 33 +++
 meta/recipes-support/gnutls/gnutls_3.3.12.bb   |  2 +
 3 files changed, 100 insertions(+)
 create mode 100644 
meta/recipes-support/gnutls/gnutls/better-fix-for-double-free-CVE-2015-3308.patch
 create mode 100644 
meta/recipes-support/gnutls/gnutls/eliminated-double-free-CVE-2015-3308.patch

diff --git 
a/meta/recipes-support/gnutls/gnutls/better-fix-for-double-free-CVE-2015-3308.patch
 
b/meta/recipes-support/gnutls/gnutls/better-fix-for-double-free-CVE-2015-3308.patch
new file mode 100644
index 000..8824729
--- /dev/null
+++ 
b/meta/recipes-support/gnutls/gnutls/better-fix-for-double-free-CVE-2015-3308.patch
@@ -0,0 +1,65 @@
+From 053ae65403216acdb0a4e78b25ad66ee9f444f02 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <n...@gnutls.org>
+Date: Sat, 28 Mar 2015 22:41:03 +0100
+Subject: [PATCH] Better fix for the double free in dist point parsing
+
+Fixes CVE-2015-3308
+Upstream-Status: Backport
+
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+---
+ lib/x509/x509_ext.c | 10 ++
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/lib/x509/x509_ext.c b/lib/x509/x509_ext.c
+index 2e69ed0..f974b02 100644
+--- a/lib/x509/x509_ext.c
 b/lib/x509/x509_ext.c
+@@ -2287,7 +2287,7 @@ int gnutls_x509_ext_import_crl_dist_points(const 
gnutls_datum_t * ext,
+   int len, ret;
+   uint8_t reasons[2];
+   unsigned i, type, rflags, j;
+-  gnutls_datum_t san;
++  gnutls_datum_t san = {NULL, 0};
+ 
+   result = asn1_create_element
+   (_gnutls_get_pkix(), "PKIX1.CRLDistributionPoints", );
+@@ -2310,9 +2310,6 @@ int gnutls_x509_ext_import_crl_dist_points(const 
gnutls_datum_t * ext,
+ 
+   i = 0;
+   do {
+-  san.data = NULL;
+-  san.size = 0;
+-
+   snprintf(name, sizeof(name), "?%u.reasons", (unsigned)i + 1);
+ 
+   len = sizeof(reasons);
+@@ -2337,6 +2334,9 @@ int gnutls_x509_ext_import_crl_dist_points(const 
gnutls_datum_t * ext,
+ 
+   j = 0;
+   do {
++  san.data = NULL;
++  san.size = 0;
++
+   ret =
+   _gnutls_parse_general_name2(c2, name, j, ,
+   , 0);
+@@ -2351,6 +2351,7 @@ int gnutls_x509_ext_import_crl_dist_points(const 
gnutls_datum_t * ext,
+   ret = crl_dist_points_set(cdp, type, , rflags);
+   if (ret < 0)
+   break;
++  san.data = NULL; /* it is now in cdp */
+ 
+   j++;
+   } while (ret >= 0);
+@@ -2360,6 +2361,7 @@ int gnutls_x509_ext_import_crl_dist_points(const 
gnutls_datum_t * ext,
+ 
+   if (ret < 0 && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
+   gnutls_assert();
++  gnutls_free(san.data);
+   goto cleanup;
+   }
+ 
+-- 
+1.9.1
+
diff --git 
a/meta/recipes-support/gnutls/gnutls/eliminated-double-free-CVE-2015-3308.patch 
b/meta/recipes-support/gnutls/gnutls/eliminated-double-free-CVE-2015-3308.patch
new file mode 100644
index 000..628103f
--- /dev/null
+++ 
b/meta/recipes-support/gnutls/gnutls/eliminated-double-free-CVE-2015-3308.patch
@@ -0,0 +1,33 @@
+From d6972be33264ecc49a86cd0958209cd7363af1e9 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <n...@gnutls.org>
+Date: Mon, 23 Mar 2015 22:55:29 +0100
+Subject: [PATCH] eliminated double-free in the parsing of dist points
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reported by Robert Święcki.
+
+Fixes CVE-2015-3308
+Upstream-Status: Backport
+
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+---
+ lib/x509/x509_ext.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/lib/x509/x509_ext.c b/lib/x509/x509_ext.c
+index c8d5867..6f09438 100644
+--- a/lib/x509/x509_ext.c
 b/lib/x509/x509_ext.c
+@@ -2360,7 +2360,6 @@ int gnutls_x509_ext_import_crl_dist_points(const 
gnutls_datum_t * ext,
+ 
+   if (ret < 0 && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
+   gnutls_assert();
+-  gnutls_free(san.data);
+   goto cleanup;
+   }
+ 
+-- 
+1.9.1
+
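Review bot: the two patch files are order-dependent and the SRC_URI hunk that fixes the order is cut off in this mail. `eliminated-double-free-CVE-2015-3308.patch` (index c8d5867..6f09438) removes `gnutls_free(san.data);` from the error path, and `better-fix-for-double-free-CVE-2015-3308.patch` (index 2e69ed0..f974b02) re-adds it in its last hunk, whose context expects `gnutls_assert();` followed directly by `goto cleanup;`. The "eliminated" patch therefore has to be listed first in SRC_URI, otherwise the last hunk of the "better fix" will not apply; please confirm the gnutls_3.3.12.bb ordering matches upstream commit order (d6972be then 053ae65).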
diff --git a/meta/recipes-support/gnutls/gnutls_3.3.12.bb 
b/meta/recipes-support/gnutls/gnutls_3.3.12.bb
index b310be0..62cd2d0 100644
--- a/meta/recipes-support/gnutls/gn

[OE-core] [PATCH][dizzy] gnutls: CVE-2015-3308

2015-09-03 Thread Sona Sarmadi
Fixes use-after-free flaw in CRL distribution points parsing

Reference:
https://gitlab.com/gnutls/gnutls/commit/d6972be33264ecc49a86cd0958209cd7363af1e9
https://gitlab.com/gnutls/gnutls/commit/053ae65403216acdb0a4e78b25ad66ee9f444f02

http://www.openwall.com/lists/oss-security/2015/04/15/6

Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
---
 .../better-fix-for-double-free-CVE-2015-3308.patch | 65 ++
 .../eliminated-double-free-CVE-2015-3308.patch | 33 +++
 meta/recipes-support/gnutls/gnutls_3.3.5.bb|  2 +
 3 files changed, 100 insertions(+)
 create mode 100644 
meta/recipes-support/gnutls/gnutls/better-fix-for-double-free-CVE-2015-3308.patch
 create mode 100644 
meta/recipes-support/gnutls/gnutls/eliminated-double-free-CVE-2015-3308.patch

diff --git 
a/meta/recipes-support/gnutls/gnutls/better-fix-for-double-free-CVE-2015-3308.patch
 
b/meta/recipes-support/gnutls/gnutls/better-fix-for-double-free-CVE-2015-3308.patch
new file mode 100644
index 000..8824729
--- /dev/null
+++ 
b/meta/recipes-support/gnutls/gnutls/better-fix-for-double-free-CVE-2015-3308.patch
@@ -0,0 +1,65 @@
+From 053ae65403216acdb0a4e78b25ad66ee9f444f02 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <n...@gnutls.org>
+Date: Sat, 28 Mar 2015 22:41:03 +0100
+Subject: [PATCH] Better fix for the double free in dist point parsing
+
+Fixes CVE-2015-3308
+Upstream-Status: Backport
+
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+---
+ lib/x509/x509_ext.c | 10 ++
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/lib/x509/x509_ext.c b/lib/x509/x509_ext.c
+index 2e69ed0..f974b02 100644
+--- a/lib/x509/x509_ext.c
 b/lib/x509/x509_ext.c
+@@ -2287,7 +2287,7 @@ int gnutls_x509_ext_import_crl_dist_points(const 
gnutls_datum_t * ext,
+   int len, ret;
+   uint8_t reasons[2];
+   unsigned i, type, rflags, j;
+-  gnutls_datum_t san;
++  gnutls_datum_t san = {NULL, 0};
+ 
+   result = asn1_create_element
+   (_gnutls_get_pkix(), "PKIX1.CRLDistributionPoints", );
+@@ -2310,9 +2310,6 @@ int gnutls_x509_ext_import_crl_dist_points(const 
gnutls_datum_t * ext,
+ 
+   i = 0;
+   do {
+-  san.data = NULL;
+-  san.size = 0;
+-
+   snprintf(name, sizeof(name), "?%u.reasons", (unsigned)i + 1);
+ 
+   len = sizeof(reasons);
+@@ -2337,6 +2334,9 @@ int gnutls_x509_ext_import_crl_dist_points(const 
gnutls_datum_t * ext,
+ 
+   j = 0;
+   do {
++  san.data = NULL;
++  san.size = 0;
++
+   ret =
+   _gnutls_parse_general_name2(c2, name, j, ,
+   , 0);
+@@ -2351,6 +2351,7 @@ int gnutls_x509_ext_import_crl_dist_points(const 
gnutls_datum_t * ext,
+   ret = crl_dist_points_set(cdp, type, , rflags);
+   if (ret < 0)
+   break;
++  san.data = NULL; /* it is now in cdp */
+ 
+   j++;
+   } while (ret >= 0);
+@@ -2360,6 +2361,7 @@ int gnutls_x509_ext_import_crl_dist_points(const 
gnutls_datum_t * ext,
+ 
+   if (ret < 0 && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
+   gnutls_assert();
++  gnutls_free(san.data);
+   goto cleanup;
+   }
+ 
+-- 
+1.9.1
+
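Review bot: ordering dependency the recipe must honour: this patch re-adds `gnutls_free(san.data);` in the error path (hunk at 2360/2361) and its context there shows no existing free, so it is written against a tree where eliminated-double-free-CVE-2015-3308.patch has already been applied (its index line `2e69ed0..f974b02` also differs from that patch's `c8d5867..6f09438`). SRC_URI in gnutls_3.3.5.bb must therefore list eliminated-double-free-CVE-2015-3308.patch before better-fix-for-double-free-CVE-2015-3308.patch; the recipe hunk is cut off in this archive copy, so the order cannot be confirmed from here. Separately, as displayed the embedded `+++ b/lib/x509/x509_ext.c` line has lost its `+++` prefix and the nested hunk headers' function context (`gnutls_datum_t * ext,`) wraps onto its own line; if that is not just archive mangling, the file as committed will not apply with quilt. Verify the committed patch byte for byte against upstream commit 053ae65403216acdb0a4e78b25ad66ee9f444f02.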
diff --git 
a/meta/recipes-support/gnutls/gnutls/eliminated-double-free-CVE-2015-3308.patch 
b/meta/recipes-support/gnutls/gnutls/eliminated-double-free-CVE-2015-3308.patch
new file mode 100644
index 000..628103f
--- /dev/null
+++ 
b/meta/recipes-support/gnutls/gnutls/eliminated-double-free-CVE-2015-3308.patch
@@ -0,0 +1,33 @@
+From d6972be33264ecc49a86cd0958209cd7363af1e9 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <n...@gnutls.org>
+Date: Mon, 23 Mar 2015 22:55:29 +0100
+Subject: [PATCH] eliminated double-free in the parsing of dist points
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reported by Robert ??wi??cki.
+
+Fixes CVE-2015-3308
+Upstream-Status: Backport
+
+Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com>
+---
+ lib/x509/x509_ext.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/lib/x509/x509_ext.c b/lib/x509/x509_ext.c
+index c8d5867..6f09438 100644
+--- a/lib/x509/x509_ext.c
 b/lib/x509/x509_ext.c
+@@ -2360,7 +2360,6 @@ int gnutls_x509_ext_import_crl_dist_points(const 
gnutls_datum_t * ext,
+ 
+   if (ret < 0 && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
+   gnutls_assert();
+-  gnutls_free(san.data);
+   goto cleanup;
+   }
+ 
+-- 
+1.9.1
+
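Review bot: on its own this change trades the double free for a leak: with `gnutls_free(san.data);` removed from the error path, a buffer that `_gnutls_parse_general_name2()` allocated into `san` before the loop failed, and which was therefore never handed to `cdp`, is no longer released by anyone. That is why the better-fix patch re-adds the free once `san.data` is cleared at the point ownership moves, so this patch is only acceptable together with that one; the commit message could say so. Also, the `Reported by Robert ??wi??cki.` line has the reporter's name mangled despite `Content-Type: text/plain; charset=UTF-8`; check that the committed file is actually UTF-8 so the credit survives. The `b/lib/x509/x509_ext.c` header is again shown without its `+++` prefix.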
diff --git a/meta/recipes-support/gnutls/gnutls_3.3.5.bb 
b/meta/recipes-support/gnutls/gnutls_3.3.5.bb
index b3daa49..9f26470 100644
--- a/meta/recipes-support/gnutls/
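The two patch files above are easiest to follow side by side with a small model of the loop they change. The C program below is an added example written for this archive page, not gnutls code: `parse_name()`, `point_list_add()` and `point_list_free()` are constructed stand-ins for `_gnutls_parse_general_name2()`, `crl_dist_points_set()` and the cleanup of `cdp`, and `tracked_alloc()`/`tracked_free()` are a constructed harness that counts a second free of the same buffer instead of corrupting the heap. The `variant_t` selector replays the inner loop in its original form, after eliminated-double-free-CVE-2015-3308.patch alone (the error path no longer frees `san.data`), and after better-fix-for-double-free-CVE-2015-3308.patch (reset `san` each iteration, clear it once the list owns the buffer, free it on error). The two constructed inputs, one entry rejected before allocation and one rejected after, show why the first patch removes the double free but can leak, and why the second closes both.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model (added example, not gnutls code) of the loop both patches
 * change: each parsed name is a heap buffer whose ownership moves into a list. */
typedef struct { char *data; size_t size; } datum_t;
typedef struct { datum_t points[8]; unsigned count; } point_list_t;
enum { E_OK = 0, E_NOT_AVAILABLE = -1, E_PARSE = -2, E_FULL = -3 };
typedef enum { ORIGINAL, REMOVE_FREE, RESET_AND_CLEAR } variant_t;

/* Constructed harness: a second free of one pointer is counted, not executed. */
static struct { void *p; int freed; } allocs[32];
static unsigned alloc_n, double_frees;
static void *tracked_alloc(size_t n)
{
    void *p = alloc_n < 32 ? malloc(n) : NULL;
    if (p) { allocs[alloc_n].p = p; allocs[alloc_n].freed = 0; alloc_n++; }
    return p;
}
static void tracked_free(void *p)
{
    for (unsigned i = 0; p != NULL && i < alloc_n; i++)
        if (allocs[i].p == p) { double_frees += allocs[i].freed; allocs[i].freed = 1; return; }
}

/* Constructed stand-in for _gnutls_parse_general_name2(): "!" entries fail before
 * allocating, "?" entries fail after allocating, a NULL entry ends the list. */
static int parse_name(const char *const *names, unsigned j, datum_t *san)
{
    if (names[j] == NULL) return E_NOT_AVAILABLE;
    if (names[j][0] == '!') return E_PARSE;
    size_t n = strlen(names[j]);
    san->data = tracked_alloc(n + 1);
    if (san->data == NULL) return E_FULL;
    memcpy(san->data, names[j], n + 1); san->size = n;
    return names[j][0] == '?' ? E_PARSE : E_OK;
}
/* Takes ownership of san->data on success, like crl_dist_points_set(). */
static int point_list_add(point_list_t *list, const datum_t *san)
{
    if (list->count >= 8) return E_FULL;
    list->points[list->count++] = *san;
    return E_OK;
}
static void point_list_free(point_list_t *list)
{
    for (unsigned i = 0; i < list->count; i++) tracked_free(list->points[i].data);
    list->count = 0;
}

/* The inner loop of gnutls_x509_ext_import_crl_dist_points() before either
 * patch (ORIGINAL), after the first one (REMOVE_FREE), after the better fix. */
static int import_points(variant_t v, const char *const *names, point_list_t *out)
{
    datum_t san = {NULL, 0}; int ret; unsigned j = 0;
    do {
        if (v == RESET_AND_CLEAR) { san.data = NULL; san.size = 0; }
        ret = parse_name(names, j, &san);
        if (ret < 0) break;
        ret = point_list_add(out, &san);
        if (ret < 0) break;
        if (v == RESET_AND_CLEAR) san.data = NULL;  /* it is now in the list */
        j++;
    } while (ret >= 0);
    if (ret < 0 && ret != E_NOT_AVAILABLE) {
        if (v != REMOVE_FREE) tracked_free(san.data);  /* double free in ORIGINAL */
        point_list_free(out);
        return ret;
    }
    return E_OK;
}

/* Constructed inputs: a valid point, then one rejected early or late. */
static const char *const REJECT_EARLY[] = {"http://crl.example.test/a.crl", "!bad", NULL};
static const char *const REJECT_LATE[]  = {"http://crl.example.test/a.crl", "?bad", NULL};

/* Runs one variant over one input; returns the double-free count and, through
 * *leaks, how many buffers were never released. */
static unsigned run_variant(variant_t v, const char *const *names, unsigned *leaks)
{
    point_list_t list;
    for (unsigned i = 0; i < alloc_n; i++) free(allocs[i].p);  /* really release last run */
    alloc_n = 0; double_frees = 0;
    memset(&list, 0, sizeof list);
    if (import_points(v, names, &list) == E_OK) point_list_free(&list);
    if (leaks) { *leaks = 0; for (unsigned i = 0; i < alloc_n; i++) *leaks += !allocs[i].freed; }
    return double_frees;
}
static unsigned leaks_for(variant_t v, const char *const *names)
{
    unsigned leaks;
    run_variant(v, names, &leaks);
    return leaks;
}

int main(void)
{
    for (int v = ORIGINAL; v <= RESET_AND_CLEAR; v++)
        printf("variant %d: early reject %u double free / %u leak, late reject %u double free / %u leak\n",
               v, run_variant(v, REJECT_EARLY, NULL), leaks_for(v, REJECT_EARLY),
               run_variant(v, REJECT_LATE, NULL), leaks_for(v, REJECT_LATE));
    return 0;
}
```

Build with `cc -Wall -o dp dp.c` and run it: variant 0 reports a double free on the early reject, variant 1 reports a leak on the late reject, variant 2 reports neither. The rule the better fix encodes is the one worth keeping in mind when reviewing similar loops: set the pointer to NULL at the moment ownership moves to another structure, so every error path can free it unconditionally.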

[OE-core] [PATCH][fido] icu: CVE-2014-8146-CVE-2014-8147

2015-08-28 Thread Sona Sarmadi
CVE-2014-8146 icu: heap overflow via incorrect isolateCount
CVE-2014-8147 icu: integer truncation in the resolveImplicitLevels function

References:
[1] https://github.com/pedrib/PoC/raw/master/generic/i-c-u-fail.7z
[2] https://www.kb.cert.org/vuls/id/602540
[3] http://bugs.icu-project.org/trac/changeset/37080
[4] http://bugs.icu-project.org/trac/changeset/37162

Signed-off-by: Sona Sarmadi sona.sarm...@enea.com
---
 .../icu/icu/icu-CVE-2014-8146-CVE-2014-8147.patch  | 49 ++
 meta/recipes-support/icu/icu_54.1.bb   |  1 +
 2 files changed, 50 insertions(+)
 create mode 100644 
meta/recipes-support/icu/icu/icu-CVE-2014-8146-CVE-2014-8147.patch

diff --git a/meta/recipes-support/icu/icu/icu-CVE-2014-8146-CVE-2014-8147.patch 
b/meta/recipes-support/icu/icu/icu-CVE-2014-8146-CVE-2014-8147.patch
new file mode 100644
index 000..cf32d13c
--- /dev/null
+++ b/meta/recipes-support/icu/icu/icu-CVE-2014-8146-CVE-2014-8147.patch
@@ -0,0 +1,49 @@
+ICU: CVE-2014-8146-CVE-2014-8147
+
+CVE-2014-8146 icu: heap overflow via incorrect isolateCount
+CVE-2014-8147 icu: integer truncation in the resolveImplicitLevels function
+
+References:
+[1] https://github.com/pedrib/PoC/raw/master/generic/i-c-u-fail.7z
+[2] https://www.kb.cert.org/vuls/id/602540
+[3] http://bugs.icu-project.org/trac/changeset/37080
+[4] http://bugs.icu-project.org/trac/changeset/37162
+
+Upstream-Status: Backport
+
+Signed-off-by: Sona Sarmadi sona.sarm...@enea.com
+---
+diff -ruN a/common/ubidi.c b/common/ubidi.c
+--- a/common/ubidi.c   2014-10-03 18:11:20.0 +0200
 b/common/ubidi.c   2015-08-28 08:22:39.455906194 +0200
+@@ -2138,7 +2138,7 @@
+ /* The isolates[] entries contain enough information to
+resume the bidi algorithm in the same state as it was
+when it was interrupted by an isolate sequence. */
+-if(dirProps[start]==PDI) {
++if(dirProps[start]==PDI   pBiDi-isolateCount = 0) {
+ levState.startON=pBiDi-isolates[pBiDi-isolateCount].startON;
+ start1=pBiDi-isolates[pBiDi-isolateCount].start1;
+ stateImp=pBiDi-isolates[pBiDi-isolateCount].stateImp;
+diff -ruN a/common/ubidiimp.h b/common/ubidiimp.h
+--- a/common/ubidiimp.h2014-10-03 18:11:16.0 +0200
 b/common/ubidiimp.h2015-08-28 08:28:24.069163845 +0200
+@@ -1,7 +1,7 @@
+ /*
+ **
+ *
+-*   Copyright (C) 1999-2014, International Business Machines
++*   Copyright (C) 1999-2015, International Business Machines
+ *   Corporation and others.  All Rights Reserved.
+ *
+ **
+@@ -184,8 +184,8 @@
+ typedef struct Isolate {
+ int32_t startON;
+ int32_t start1;
++int32_t state;
+ int16_t stateImp;
+-int16_t state;
+ } Isolate;
+
+ typedef struct Run {
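Review bot: as displayed, the key line of the ubidi.c hunk reads `if(dirProps[start]==PDI   pBiDi-isolateCount = 0)`, which is not valid C: the `&&` and `->` operators are missing and the comparison against 0 has lost its relational operator (the guard is meant to stop a negative `isolateCount` from being used as an index into `isolates[]`, per the CVE-2014-8146 line in the commit message). The same loss shows in the unchanged context (`pBiDi-isolates[...]`) and in the `b/common/ubidi.c` header without its `+++` prefix. If the committed file matches this copy the patch will not apply; verify it against ICU changeset 37080. In ubidiimp.h, widening `state` from `int16_t` to `int32_t` and moving it ahead of `stateImp` changes the layout of the internal `Isolate` struct, which is fine since that header is not public, but this field change is the entire CVE-2014-8147 part of the patch; confirm against changeset 37162 that no accompanying `ubidi.c` hunk for resolveImplicitLevels was dropped. The copyright-year hunk is harmless noise for a backport.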
diff --git a/meta/recipes-support/icu/icu_54.1.bb 
b/meta/recipes-support/icu/icu_54.1.bb
index 45b5cb6..9f10beb 100644
--- a/meta/recipes-support/icu/icu_54.1.bb
+++ b/meta/recipes-support/icu/icu_54.1.bb
@@ -11,6 +11,7 @@ ICU_PV = ${@icu_download_version(d)}
 BASE_SRC_URI = 
http://download.icu-project.org/files/icu4c/${PV}/icu4c-${ICU_PV}-src.tgz;
 SRC_URI = ${BASE_SRC_URI} \
file://icu-pkgdata-large-cmd.patch \
+   file://icu-CVE-2014-8146-CVE-2014-8147.patch \
   
 
 SRC_URI_append_class-target = \
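Review bot: scope is right, with one thing to confirm. Putting the patch in the base `SRC_URI` rather than in the `SRC_URI_append_class-target` block below means the native and nativesdk variants of icu are patched too, which a parsing bug in ubidi warrants. The quotes around the `BASE_SRC_URI` and `SRC_URI` values are not visible in this copy of the hunk, so check that the committed recipe still has them and the `\` continuation after `file://icu-pkgdata-large-cmd.patch` that the new line depends on.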
-- 
1.9.1
