[OE-core][scarthgap][PATCH 1/1] python3-requests: upgrade 2.32.0 -> 2.32.3

2024-12-19 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

Changelog:
https://requests.readthedocs.io/en/latest/community/updates/#release-history

2.32.3 (2024-05-29)
  * Bugfixes - Fixed bug breaking the ability to specify custom SSLContexts
in sub-classes of HTTPAdapter. (#6716)
  * Fixed issue where Requests started failing to run on Python versions
compiled without the ssl module. (#6724)

2.32.2 (2024-05-21)
  * Deprecations - To provide a more stable migration for custom HTTPAdapters
impacted by the CVE changes in 2.32.0, we’ve renamed _get_connection to a
new public API, get_connection_with_tls_context. Existing custom
HTTPAdapters will need to migrate their code to use this new API.
get_connection is considered deprecated in all versions of
Requests>=2.32.0.
  * A minimal (2-line) example has been provided in the linked PR to ease
migration, but we strongly urge users to evaluate if their custom adapter
is subject to the same issue described in CVE-2024-35195. (#6710)

2.32.1 (2024-05-20)
  * Bugfixes - Add missing test certs to the sdist distributed on PyPI.

https://github.com/psf/requests/compare/v2.32.0...v2.32.3

Also transition to using python_setuptools_build_meta.

Signed-off-by: Soumya Sambu 
---
 ...{python3-requests_2.32.0.bb => python3-requests_2.32.3.bb} | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename meta/recipes-devtools/python/{python3-requests_2.32.0.bb => 
python3-requests_2.32.3.bb} (78%)

diff --git a/meta/recipes-devtools/python/python3-requests_2.32.0.bb 
b/meta/recipes-devtools/python/python3-requests_2.32.3.bb
similarity index 78%
rename from meta/recipes-devtools/python/python3-requests_2.32.0.bb
rename to meta/recipes-devtools/python/python3-requests_2.32.3.bb
index b4df4c5dc7..4f0638b50c 100644
--- a/meta/recipes-devtools/python/python3-requests_2.32.0.bb
+++ b/meta/recipes-devtools/python/python3-requests_2.32.3.bb
@@ -3,9 +3,9 @@ HOMEPAGE = "https://requests.readthedocs.io";
 LICENSE = "Apache-2.0"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=34400b68072d710fecd0a2940a0d1658"
 
-SRC_URI[sha256sum] = 
"fa5490319474c82ef1d2c9bc459d3652e3ae4ef4c4ebdd18a21145a47ca4b6b8"
+SRC_URI[sha256sum] = 
"55365417734eb18255590a9ff9eb97e9e1da868d4ccd6402399eaf68af20a760"
 
-inherit pypi setuptools3
+inherit pypi python_setuptools_build_meta
 
 RDEPENDS:${PN} += " \
 python3-certifi \
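Review bot: the `inherit` line of this hunk switches the build class from `setuptools3` to `python_setuptools_build_meta` inside a stable-branch checksum bump, and the commit message covers that with one sentence ("Also transition to using python_setuptools_build_meta."). Say why 2.32.3 needs the new build class on scarthgap (or split the class change into its own commit) so the `SRC_URI[sha256sum]` update can be reviewed on its own; it would also help to state that the 2.32.3 entry quoted above (custom SSLContext in HTTPAdapter subclasses, the follow-up to the CVE-2024-35195 change) is the reason for taking this bump on a stable branch.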
-- 
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#208929): 
https://lists.openembedded.org/g/openembedded-core/message/208929
Mute This Topic: https://lists.openembedded.org/mt/110203281/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



[OE-core][scarthgap][PATCH 1/1] python3-requests: upgrade 2.32.1 -> 2.32.2

2024-11-22 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

https://requests.readthedocs.io/en/latest/community/updates/#id2

2.32.2 (2024-05-21)
  * Deprecations - To provide a more stable migration for custom HTTPAdapters
impacted by the CVE changes in 2.32.0, we’ve renamed _get_connection to a
new public API, get_connection_with_tls_context. Existing custom
HTTPAdapters will need to migrate their code to use this new API.
get_connection is considered deprecated in all versions of
Requests>=2.32.0.
  * A minimal (2-line) example has been provided in the linked PR to ease
migration, but we strongly urge users to evaluate if their custom adapter
is subject to the same issue described in CVE-2024-35195. (#6710)

https://github.com/psf/requests/compare/v2.32.1...v2.32.2

Signed-off-by: Soumya Sambu 
---
 .../{python3-requests_2.31.0.bb => python3-requests_2.32.0.bb}  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-devtools/python/{python3-requests_2.31.0.bb => 
python3-requests_2.32.0.bb} (84%)

diff --git a/meta/recipes-devtools/python/python3-requests_2.31.0.bb 
b/meta/recipes-devtools/python/python3-requests_2.32.0.bb
similarity index 84%
rename from meta/recipes-devtools/python/python3-requests_2.31.0.bb
rename to meta/recipes-devtools/python/python3-requests_2.32.0.bb
index 287b4f8eee..b4df4c5dc7 100644
--- a/meta/recipes-devtools/python/python3-requests_2.31.0.bb
+++ b/meta/recipes-devtools/python/python3-requests_2.32.0.bb
@@ -3,7 +3,7 @@ HOMEPAGE = "https://requests.readthedocs.io";
 LICENSE = "Apache-2.0"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=34400b68072d710fecd0a2940a0d1658"
 
-SRC_URI[sha256sum] = 
"942c5a758f98d790eaed1a29cb6eefc7ffb0d1cf7af05c3d2791656dbd6ad1e1"
+SRC_URI[sha256sum] = 
"fa5490319474c82ef1d2c9bc459d3652e3ae4ef4c4ebdd18a21145a47ca4b6b8"
 
 inherit pypi setuptools3
 
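Review bot: the diff does not match the subject. The subject and changelog say `python3-requests: upgrade 2.32.1 -> 2.32.2`, but the hunk renames `python3-requests_2.31.0.bb` to `python3-requests_2.32.0.bb`, and the new `SRC_URI[sha256sum]` (`fa5490319474c82ef1d2c9bc459d3652e3ae4ef4c4ebdd18a21145a47ca4b6b8`) is the same value the later 2.32.3 patch on this page removes as the 2.32.0 checksum. Resend with the recipe renamed to `python3-requests_2.32.2.bb` and the 2.32.2 sdist checksum, or correct the subject and changelog to 2.31.0 -> 2.32.0.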
-- 
2.40.0


View/Reply Online (#207603): https://lists.openembedded.org/g/openembedded-core/message/207603




[OE-core][scarthgap][PATCH 1/1] python3-urllib3: upgrade 2.2.1 -> 2.2.2

2024-11-22 Thread Soumya via lists.openembedded.org
From: Trevor Gamblin 

(From OE-Core rev: 32fdd5673c25084af4ba295b271455cd92ca09d5)

Signed-off-by: Trevor Gamblin 
Signed-off-by: Alexandre Belloni 
Signed-off-by: Richard Purdie 
Signed-off-by: Soumya Sambu 
---
 .../{python3-urllib3_2.2.1.bb => python3-urllib3_2.2.2.bb}  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-devtools/python/{python3-urllib3_2.2.1.bb => 
python3-urllib3_2.2.2.bb} (86%)

diff --git a/meta/recipes-devtools/python/python3-urllib3_2.2.1.bb 
b/meta/recipes-devtools/python/python3-urllib3_2.2.2.bb
similarity index 86%
rename from meta/recipes-devtools/python/python3-urllib3_2.2.1.bb
rename to meta/recipes-devtools/python/python3-urllib3_2.2.2.bb
index fc1828b4ee..31a03a60b3 100644
--- a/meta/recipes-devtools/python/python3-urllib3_2.2.1.bb
+++ b/meta/recipes-devtools/python/python3-urllib3_2.2.2.bb
@@ -3,7 +3,7 @@ HOMEPAGE = "https://github.com/shazow/urllib3";
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=52d273a3054ced561275d4d15260ecda"
 
-SRC_URI[sha256sum] = 
"d0570876c61ab9e520d776c38acbbb5b05a776d3f9ff98a5c8fd5162a444cf19"
+SRC_URI[sha256sum] = 
"dd505485549a7a552833da5e6063639d0d177c04f23bc3864e41e5dc5f612168"
 
 inherit pypi python_hatchling
 
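Review bot: the commit message names only the OE-Core revision being backported (`32fdd5673c25084af4ba295b271455cd92ca09d5`) and gives no reason for taking urllib3 2.2.2 onto scarthgap. The other stable-branch bumps in this series cite the upstream changelog or the issue fixed; add the urllib3 2.2.2 release notes link and any CVE the bump closes so cve-check and reviewers can tie the change to its motivation. The hunk itself is only the `SRC_URI[sha256sum]` change, with `inherit pypi python_hatchling` unchanged.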
-- 
2.40.0


View/Reply Online (#207602): https://lists.openembedded.org/g/openembedded-core/message/207602



[OE-core][scarthgap][PATCH 1/1] python3: Fix CVE-2024-8088

2024-09-03 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

There is a HIGH severity vulnerability affecting the CPython "zipfile"
module. When iterating over names of entries in a zip archive (for example,
methods of "zipfile.ZipFile" like "namelist()", "iterdir()", "extractall()",
etc) the process can be put into an infinite loop with a maliciously crafted
zip archive. This defect applies when reading only metadata or extracting
the contents of the zip archive. Programs that are not handling
user-controlled zip archives are not affected.

References:
https://nvd.nist.gov/vuln/detail/CVE-2024-8088

Upstream-Patch:
https://github.com/corydolphin/flask-cors/commit/7ae310c56ac30e0b94fb42129aa377bf633256ec

Signed-off-by: Soumya Sambu 
---
 .../python/python3/CVE-2024-8088.patch| 128 ++
 .../recipes-devtools/python/python3_3.12.4.bb |   1 +
 2 files changed, 129 insertions(+)
 create mode 100644 meta/recipes-devtools/python/python3/CVE-2024-8088.patch

diff --git a/meta/recipes-devtools/python/python3/CVE-2024-8088.patch 
b/meta/recipes-devtools/python/python3/CVE-2024-8088.patch
new file mode 100644
index 00..13836f1ccc
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2024-8088.patch
@@ -0,0 +1,128 @@
+From dcc5182f27c156a1ef78e10613bb45788dea Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-isling...@users.noreply.github.com>
+Date: Mon, 12 Aug 2024 02:35:17 +0200
+Subject: [PATCH] gh-122905: Sanitize names in zipfile.Path. (GH-122906)
+ (#122923)
+
+CVE: CVE-2024-8088
+
+Upstream-Status: Backport 
[https://github.com/python/cpython/commit/dcc5182f27c156a1ef78e10613bb45788dea]
+
+Signed-off-by: Soumya Sambu 
+---
+ Lib/test/test_zipfile/_path/test_path.py  | 17 +
+ Lib/zipfile/_path/__init__.py | 64 ++-
+ ...-08-11-14-08-04.gh-issue-122905.7tDsxA.rst |  1 +
+ 3 files changed, 81 insertions(+), 1 deletion(-)
+ create mode 100644 
Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst
+
+diff --git a/Lib/test/test_zipfile/_path/test_path.py 
b/Lib/test/test_zipfile/_path/test_path.py
+index 06d5aab..90885db 100644
+--- a/Lib/test/test_zipfile/_path/test_path.py
 b/Lib/test/test_zipfile/_path/test_path.py
+@@ -577,3 +577,20 @@ class TestPath(unittest.TestCase):
+ zipfile.Path(alpharep)
+ with self.assertRaises(KeyError):
+ alpharep.getinfo('does-not-exist')
++
++def test_malformed_paths(self):
++"""
++Path should handle malformed paths.
++"""
++data = io.BytesIO()
++zf = zipfile.ZipFile(data, "w")
++zf.writestr("/one-slash.txt", b"content")
++zf.writestr("//two-slash.txt", b"content")
++zf.writestr("../parent.txt", b"content")
++zf.filename = ''
++root = zipfile.Path(zf)
++assert list(map(str, root.iterdir())) == [
++'one-slash.txt',
++'two-slash.txt',
++'parent.txt',
++]
+diff --git a/Lib/zipfile/_path/__init__.py b/Lib/zipfile/_path/__init__.py
+index 78c4135..42f9fde 100644
+--- a/Lib/zipfile/_path/__init__.py
 b/Lib/zipfile/_path/__init__.py
+@@ -83,7 +83,69 @@ class InitializedState:
+ super().__init__(*args, **kwargs)
+
+
+-class CompleteDirs(InitializedState, zipfile.ZipFile):
++class SanitizedNames:
++"""
++ZipFile mix-in to ensure names are sanitized.
++"""
++
++def namelist(self):
++return list(map(self._sanitize, super().namelist()))
++
++@staticmethod
++def _sanitize(name):
++r"""
++Ensure a relative path with posix separators and no dot names.
++
++Modeled after
++
https://github.com/python/cpython/blob/bcc1be39cb1d04ad9fc0bd1b9193d3972835a57c/Lib/zipfile/__init__.py#L1799-L1813
++but provides consistent cross-platform behavior.
++
++>>> san = SanitizedNames._sanitize
++>>> san('/foo/bar')
++'foo/bar'
++>>> san('//foo.txt')
++'foo.txt'
++>>> san('foo/.././bar.txt')
++'foo/bar.txt'
++>>> san('foo../.bar.txt')
++'foo../.bar.txt'
++>>> san('\\foo\\bar.txt')
++'foo/bar.txt'
++>>> san('D:\\foo.txt')
++'D/foo.txt'
++>>> san('server\\share\\file.txt')
++'server/share/file.txt'
++>>> san('?\\GLOBALROOT\\Volume3')
++'?/GLOBALROOT/Volume3'
++>>> san('.\\PhysicalDrive1\\root')
++'PhysicalDrive1/root'
++
++Retain any trailing slash.
++>>> san('abc/')
++'abc/'
++
++Raises a ValueError if the result is empty.
++>>> san('../..')
++Traceback (most recent call last):
++...
++ValueError: Empty filename
++"""
++
++def allowed(part):
++return part and part not in {'..', '.'}
++
++# Remove the drive letter.
++# Don't use ntpath.splitdrive, because that also strips UNC paths
++bare = re.sub('^([A-Z]):', r'\
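Review bot: the `Upstream-Patch:` link in the commit message points at a flask-cors commit (`corydolphin/flask-cors/commit/7ae310c56ac30e0b94fb42129aa377bf633256ec`), while the patch's own `Upstream-Status: Backport` line cites the CPython commit `dcc5182f27c156a1ef78e10613bb45788dea`; the message should reference the CPython commit. The archived copy is also cut off at `bare = re.sub('^([A-Z]):', r'\`, so the sanitising regex, the re-declaration of `CompleteDirs` (whose old definition is removed at the top of the hunk), the NEWS entry and the `python3_3.12.4.bb` SRC_URI hunk listed in the diffstat cannot be reviewed from this copy.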
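The following is an added example and not code from the CPython patch or from this submission. It re-creates, stand-alone, the kind of member-name sanitising the backport adds to `zipfile.Path`: drive letters, leading slashes and Windows separators are stripped, `.` and `..` parts are dropped, a name that collapses to nothing is rejected. It goes a step beyond the patch by also reporting raw names that collide after sanitising, which is a cheap pre-extraction check for a crafted archive. All function names are this example's own; the sample archive is constructed inline with the same malformed names as the patch's `test_malformed_paths`.

```python
import io
import re
import zipfile

# Added example, not code from the CPython patch: a stand-alone re-creation of
# the member-name sanitising the backport adds to zipfile.Path, applied to an
# archive's raw namelist() before anything acts on the names.

_DRIVE_RE = re.compile(r"^([A-Za-z]):")


def sanitize_member_name(name: str) -> str:
    """Return a relative POSIX path with no '.'/'..' parts for a zip entry name.

    Drive letters, leading slashes and Windows separators are removed, a
    trailing slash (directory entry) is kept, and ValueError is raised if
    nothing usable remains (e.g. '../..').
    """
    bare = _DRIVE_RE.sub(r"\1", name)       # "D:\foo.txt" -> "D\foo.txt"
    clean = bare.replace("\\", "/")         # POSIX separators only
    # Empty parts (from leading or doubled slashes) and dot names are dropped.
    parts = [p for p in clean.split("/") if p and p not in {".", ".."}]
    joined = "/".join(parts)
    if clean.endswith("/") and joined:
        joined += "/"
    if not joined:
        raise ValueError("Empty filename")
    return joined


def rejected_names(names):
    """Raw names that sanitise to nothing; such entries map to no path at all."""
    out = []
    for raw in names:
        try:
            sanitize_member_name(raw)
        except ValueError:
            out.append(raw)
    return out


def find_collisions(names):
    """Map sanitised name -> raw names, keeping only names produced by more
    than one raw entry. Two raw entries landing on one path is a sign of a
    crafted archive and worth flagging before extraction."""
    by_clean = {}
    for raw in names:
        try:
            by_clean.setdefault(sanitize_member_name(raw), []).append(raw)
        except ValueError:
            continue
    return {k: v for k, v in by_clean.items() if len(v) > 1}


def build_sample_zip() -> bytes:
    """Constructed in-memory archive using the same malformed names as the
    patch's test_malformed_paths."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("/one-slash.txt", b"content")
        zf.writestr("//two-slash.txt", b"content")
        zf.writestr("../parent.txt", b"content")
    return buf.getvalue()


def sanitized_namelist(zip_bytes: bytes) -> list:
    """namelist() of an archive with every name passed through the sanitiser."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [sanitize_member_name(n) for n in zf.namelist()]
```

`ZipFile.namelist()` itself still returns the raw names on patched and unpatched interpreters; only `zipfile.Path` gains the sanitising, which is why a check like `find_collisions(zf.namelist())` is worth running in code that extracts from untrusted archives regardless of interpreter version.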

[OE-core][scarthgap][PATCH 1/1] python3: Fix CVE-2024-7592

2024-09-03 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

There is a LOW severity vulnerability affecting CPython, specifically the
'http.cookies' standard library module. When parsing cookies that contained
backslashes for quoted characters in the cookie value, the parser would use
an algorithm with quadratic complexity, resulting in excess CPU resources
being used while parsing the value.

References:
https://nvd.nist.gov/vuln/detail/CVE-2024-7592

Upstream-Patch:
https://github.com/python/cpython/commit/dcc3eaef98cd94d6cb6cb0f44bd1c903d04f33b1

Signed-off-by: Soumya Sambu 
---
 .../python/python3/CVE-2024-7592.patch| 143 ++
 .../recipes-devtools/python/python3_3.12.4.bb |   1 +
 2 files changed, 144 insertions(+)
 create mode 100644 meta/recipes-devtools/python/python3/CVE-2024-7592.patch

diff --git a/meta/recipes-devtools/python/python3/CVE-2024-7592.patch 
b/meta/recipes-devtools/python/python3/CVE-2024-7592.patch
new file mode 100644
index 00..7a6d63005c
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2024-7592.patch
@@ -0,0 +1,143 @@
+From dcc3eaef98cd94d6cb6cb0f44bd1c903d04f33b1 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-isling...@users.noreply.github.com>
+Date: Sun, 25 Aug 2024 00:37:11 +0200
+Subject: [PATCH] gh-123067: Fix quadratic complexity in parsing  "-quoted
+ cookie values with backslashes (GH-123075) (#123104)
+
+gh-123067: Fix quadratic complexity in parsing "-quoted cookie values with 
backslashes (GH-123075)
+
+This fixes CVE-2024-7592.
+(cherry picked from commit 44e458357fca05ca0ae2658d62c8c595b048b5ef)
+
+Co-authored-by: Serhiy Storchaka 
+
+CVE: CVE-2024-7592
+
+Upstream-Status: Backport 
[https://github.com/python/cpython/commit/dcc3eaef98cd94d6cb6cb0f44bd1c903d04f33b1]
+
+Signed-off-by: Soumya Sambu 
+---
+ Lib/http/cookies.py   | 34 -
+ Lib/test/test_http_cookies.py | 38 +++
+ ...-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst |  1 +
+ 3 files changed, 47 insertions(+), 26 deletions(-)
+ create mode 100644 
Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst
+
+diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py
+index 35ac2dc..2c1f021 100644
+--- a/Lib/http/cookies.py
 b/Lib/http/cookies.py
+@@ -184,8 +184,13 @@ def _quote(str):
+ return '"' + str.translate(_Translator) + '"'
+
+
+-_OctalPatt = re.compile(r"\\[0-3][0-7][0-7]")
+-_QuotePatt = re.compile(r"[\\].")
++_unquote_sub = re.compile(r'\\(?:([0-3][0-7][0-7])|(.))').sub
++
++def _unquote_replace(m):
++if m[1]:
++return chr(int(m[1], 8))
++else:
++return m[2]
+
+ def _unquote(str):
+ # If there aren't any doublequotes,
+@@ -205,30 +210,7 @@ def _unquote(str):
+ #\012 --> \n
+ #\"   --> "
+ #
+-i = 0
+-n = len(str)
+-res = []
+-while 0 <= i < n:
+-o_match = _OctalPatt.search(str, i)
+-q_match = _QuotePatt.search(str, i)
+-if not o_match and not q_match:  # Neither matched
+-res.append(str[i:])
+-break
+-# else:
+-j = k = -1
+-if o_match:
+-j = o_match.start(0)
+-if q_match:
+-k = q_match.start(0)
+-if q_match and (not o_match or k < j): # QuotePatt matched
+-res.append(str[i:k])
+-res.append(str[k+1])
+-i = k + 2
+-else:  # OctalPatt matched
+-res.append(str[i:j])
+-res.append(chr(int(str[j+1:j+4], 8)))
+-i = j + 4
+-return _nulljoin(res)
++return _unquote_sub(_unquote_replace, str)
+
+ # The _getdate() routine is used to set the expiration time in the cookie's 
HTTP
+ # header.  By default, _getdate() returns the current time in the appropriate
+diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py
+index 925c869..8879902 100644
+--- a/Lib/test/test_http_cookies.py
 b/Lib/test/test_http_cookies.py
+@@ -5,6 +5,7 @@ import unittest
+ import doctest
+ from http import cookies
+ import pickle
++from test import support
+
+
+ class CookieTests(unittest.TestCase):
+@@ -58,6 +59,43 @@ class CookieTests(unittest.TestCase):
+ for k, v in sorted(case['dict'].items()):
+ self.assertEqual(C[k].value, v)
+
++def test_unquote(self):
++cases = [
++(r'a="b=\""', 'b="'),
++(r'a="b=\\"', 'b=\\'),
++(r'a="b=\="', 'b=='),
++(r'a="b=\n"', 'b=n'),
++(r'a="b=\042"', 'b="'),
++(r'a="b=\134"', 'b=\\'),
++(r'a="b=\377"', 'b=\xff'),
++(r'a="b=\400"', 'b=400'),
++(r'a="b=\42"', 'b=42'),
++(r'a="b=\\042"', 'b=\\042'),
++(r'a="b=\\134"', 'b=\\134'),
++(r'a="b=\\\""', 'b=\\"'),
++(r'a="b=\\\042"', 'b=\\"'),
++(r'a="b=\134\""', 'b=\\"'),
++(r'a="b=\134\042"', 'b=\\"
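Review bot: `_unquote_replace` returns `m[2]` for a backslash followed by any single character, so `\n` inside a quoted cookie value unquotes to `n`; that matches the old `_QuotePatt` behaviour and the `(r'a="b=\n"', 'b=n')` case in the test, but a one-line comment on `_unquote_sub` saying that only three-digit octal escapes are decoded would save readers a trip to the test file. The test hunk also adds `from test import support` while nothing in the visible part of `test_http_cookies.py` uses it; if the truncated remainder of `test_unquote` needs it, keep it, otherwise drop the import to keep the backport minimal. The archived message stops mid-list at `(r'a="b=\134\042"'`, so the rest of the test, the NEWS entry and the recipe hunk cannot be reviewed from this copy.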
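Below is an added example, not code from CPython or from this submission. It re-creates the linear-time unquoting that the backport switches `http.cookies._unquote` to, so the behaviour described in the commit message can be exercised directly: one regex substitution resolves every backslash escape in a single left-to-right pass, where the removed loop re-ran two searches from the current offset after each match. The function names and the small pair splitter are this example's own.

```python
import re

# Added example, not CPython's code: the linear-time unquoting the backport
# introduces, re-created stand-alone. A single regex substitution handles every
# backslash escape in one pass; the old loop re-ran two searches from the
# current offset after each match, so a value with many backslashes cost O(n^2).

# Either a three-digit octal escape (\042) or a backslash before any one char (\").
_ESCAPE_RE = re.compile(r'\\(?:([0-3][0-7][0-7])|(.))')


def _replace_escape(match):
    octal, char = match.group(1), match.group(2)
    if octal:
        return chr(int(octal, 8))
    return char  # "\x" for any other x is just x, so "\n" yields "n"


def unquote_cookie_value(value):
    """Strip surrounding double quotes and resolve escapes, following the
    pre-checks in http.cookies._unquote: anything not wrapped in quotes is
    returned unchanged."""
    if value is None or len(value) < 2:
        return value
    if value[0] != '"' or value[-1] != '"':
        return value
    return _ESCAPE_RE.sub(_replace_escape, value[1:-1])


def parse_cookie_pairs(header):
    """Small 'a="b"; c=d' splitter so the unquoting can be driven from a whole
    header string. Constructed for this example; it is not a full cookie parser."""
    result = {}
    for part in header.split(";"):
        if "=" not in part:
            continue
        name, _, raw = part.strip().partition("=")
        result[name.strip()] = unquote_cookie_value(raw.strip())
    return result
```

The test cases from the patch's `test_unquote` are the right regression set for this function: the pairs cover octal escapes at the valid boundary (`\377`), an out-of-range first digit (`\400` decodes to the literal `400`) and escaped backslashes followed by further escapes, which is exactly the input shape whose cost grew quadratically before the fix.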

[OE-core][kirkstone][PATCH 1/1] python3-certifi: Fix CVE-2024-39689

2024-08-12 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

Certifi is a curated collection of Root Certificates for validating the
trustworthiness of SSL certificates while verifying the identity of TLS
hosts. Certifi starting in 2021.05.30 and prior to 2024.07.4 recognized
root certificates from `GLOBALTRUST`. Certifi 2024.07.04 removes root
certificates from `GLOBALTRUST` from the root store. These are in the
process of being removed from Mozilla's trust store. `GLOBALTRUST`'s root
certificates are being removed pursuant to an investigation which
identified "long-running and unresolved compliance issues."

References:
https://nvd.nist.gov/vuln/detail/CVE-2024-39689

Upstream-patch:
https://github.com/certifi/python-certifi/commit/bd8153872e9c6fc98f4023df9c2deaffea2fa463

Signed-off-by: Soumya Sambu 
---
 .../python3-certifi/CVE-2024-39689.patch  | 69 +++
 .../python/python3-certifi_2021.10.8.bb   |  1 +
 2 files changed, 70 insertions(+)
 create mode 100644 
meta/recipes-devtools/python/python3-certifi/CVE-2024-39689.patch

diff --git a/meta/recipes-devtools/python/python3-certifi/CVE-2024-39689.patch 
b/meta/recipes-devtools/python/python3-certifi/CVE-2024-39689.patch
new file mode 100644
index 00..a2ecc15d2c
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-certifi/CVE-2024-39689.patch
@@ -0,0 +1,69 @@
+From bd8153872e9c6fc98f4023df9c2deaffea2fa463 Mon Sep 17 00:00:00 2001
+From: github-actions[bot] 
<41898282+github-actions[bot]@users.noreply.github.com>
+Date: Wed, 3 Jul 2024 21:34:29 -0400
+Subject: [PATCH] 2024.07.04 (#295)
+
+Co-authored-by: alex <772+a...@users.noreply.github.com>
+
+CVE: CVE-2024-39689
+
+Upstream-Status: Backport 
[https://github.com/certifi/python-certifi/commit/bd8153872e9c6fc98f4023df9c2deaffea2fa463]
+
+Signed-off-by: Soumya Sambu 
+---
+ certifi/cacert.pem | 40 
+ 1 file changed, 40 deletions(-)
+
+diff --git a/certifi/cacert.pem b/certifi/cacert.pem
+index 1bec256..6bb8cf8 100644
+--- a/certifi/cacert.pem
 b/certifi/cacert.pem
+@@ -3857,46 +3857,6 @@ 
DgQWBBQxCpCPtsad0kRLgLWi5h+xEk8blTAKBggqhkjOPQQDAwNoADBlAjEA31SQ
+ +RHUjE7AwWHCFUyqqx0LMV87HOIAl0Qx5v5zli/altP+CAezNIm8BZ/3Hobui3A=
+ -END CERTIFICATE-
+
+-# Issuer: CN=GLOBALTRUST 2020 O=e-commerce monitoring GmbH
+-# Subject: CN=GLOBALTRUST 2020 O=e-commerce monitoring GmbH
+-# Label: "GLOBALTRUST 2020"
+-# Serial: 109160994242082918454945253
+-# MD5 Fingerprint: 8a:c7:6f:cb:6d:e3:cc:a2:f1:7c:83:fa:0e:78:d7:e8
+-# SHA1 Fingerprint: 
d0:67:c1:13:51:01:0c:aa:d0:c7:6a:65:37:31:16:26:4f:53:71:a2
+-# SHA256 Fingerprint: 
9a:29:6a:51:82:d1:d4:51:a2:e3:7f:43:9b:74:da:af:a2:67:52:33:29:f9:0f:9a:0d:20:07:c3:34:e2:3c:9a
+--BEGIN CERTIFICATE-
+-MIIFgjCCA2qgAwIBAgILWku9WvtPilv6ZeUwDQYJKoZIhvcNAQELBQAwTTELMAkG
+-A1UEBhMCQVQxIzAhBgNVBAoTGmUtY29tbWVyY2UgbW9uaXRvcmluZyBHbWJIMRkw
+-FwYDVQQDExBHTE9CQUxUUlVTVCAyMDIwMB4XDTIwMDIxMDAwMDAwMFoXDTQwMDYx
+-MDAwMDAwMFowTTELMAkGA1UEBhMCQVQxIzAhBgNVBAoTGmUtY29tbWVyY2UgbW9u
+-aXRvcmluZyBHbWJIMRkwFwYDVQQDExBHTE9CQUxUUlVTVCAyMDIwMIICIjANBgkq
+-hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAri5WrRsc7/aVj6B3GyvTY4+ETUWiD59b
+-RatZe1E0+eyLinjF3WuvvcTfk0Uev5E4C64OFudBc/jbu9G4UeDLgztzOG53ig9Z
+-YybNpyrOVPu44sB8R85gfD+yc/LAGbaKkoc1DZAoouQVBGM+uq/ufF7MpotQsjj3
+-QWPKzv9pj2gOlTblzLmMCcpL3TGQlsjMH/1WljTbjhzqLL6FLmPdqqmV0/0plRPw
+-yJiT2S0WR5ARg6I6IqIoV6Lr/sCMKKCmfecqQjuCgGOlYx8ZzHyyZqjC0203b+J+
+-BlHZRYQfEs4kUmSFC0iAToexIiIwquuuvuAC4EDosEKAA1GqtH6qRNdDYfOiaxaJ
+-SaSjpCuKAsR49GiKweR6NrFvG5Ybd0mN1MkGco/PU+PcF4UgStyYJ9ORJitHHmkH
+-r96i5OTUawuzXnzUJIBHKWk7buis/UDr2O1xcSvy6Fgd60GXIsUf1DnQJ4+H4xj0
+-4KlGDfV0OoIu0G4skaMxXDtG6nsEEFZegB31pWXogvziB4xiRfUg3kZwhqG8k9Me
+-dKZssCz3AwyIDMvUclOGvGBG85hqwvG/Q/lwIHfKN0F5VVJjjVsSn8VoxIidrPIw
+-q7ejMZdnrY8XD2zHc+0klGvIg5rQmjdJBKuxFshsSUktq6HQjJLyQUp5ISXbY9e2
+-nKd+Qmn7OmMCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC
+-AQYwHQYDVR0OBBYEFNwuH9FhN3nkq9XVsxJxaD1qaJwiMB8GA1UdIwQYMBaAFNwu
+-H9FhN3nkq9XVsxJxaD1qaJwiMA0GCSqGSIb3DQEBCwUAA4ICAQCR8EICaEDuw2jA
+-VC/f7GLDw56KoDEoqoOOpFaWEhCGVrqXctJUMHytGdUdaG/7FELYjQ7ztdGl4wJC
+-XtzoRlgHNQIw4Lx0SsFDKv/bGtCwr2zD/cuz9X9tAy5ZVp0tLTWMstZDFyySCstd
+-6IwPS3BD0IL/qMy/pJTAvoe9iuOTe8aPmxadJ2W8esVCgmxcB9CpwYhgROmYhRZf
+-+I/KARDOJcP5YBugxZfD0yyIMaK9MOzQ0MAS8cE54+X1+NZK3TTN+2/BT+MAi1bi
+-kvcoskJ3ciNnxz8RFbLEAwW+uxF7Cr+obuf/WEPPm2eggAe2HcqtbepBEX4tdJP7
+-wry+UUTF72glJ4DjyKDUEuzZpTcdN3y0kcra1LGWge9oXHYQSa9+pTeAsRxSvTOB
+-TI/53WXZFM2KJVj04sWDpQmQ1GwUY7VA3+vA/MRYfg0
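Review bot: the diffstat says `python3-certifi_2021.10.8.bb` changes by one line (presumably adding `file://CVE-2024-39689.patch` to SRC_URI), but that hunk is missing from the archived message, which ends inside the removed certificate body. The removal hunk is taken from upstream's bundle at `1bec256..6bb8cf8` with header `@@ -3857,46 +3857,6 @@`, whereas kirkstone ships the 2021.10.8 bundle, so the context will apply at a different offset; the commit message should state that the patch was verified to apply there and that the `GLOBALTRUST 2020` block (SHA256 `9a:29:6a:51:…`) is actually present in that bundle before removal, otherwise the patch is a no-op with a fuzz warning.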

[OE-core][scarthgap][PATCH 1/1] python3-certifi: Fix CVE-2024-39689

2024-08-11 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

Certifi is a curated collection of Root Certificates for validating the
trustworthiness of SSL certificates while verifying the identity of TLS
hosts. Certifi starting in 2021.05.30 and prior to 2024.07.4 recognized
root certificates from `GLOBALTRUST`. Certifi 2024.07.04 removes root
certificates from `GLOBALTRUST` from the root store. These are in the
process of being removed from Mozilla's trust store. `GLOBALTRUST`'s root
certificates are being removed pursuant to an investigation which
identified "long-running and unresolved compliance issues."

References:
https://nvd.nist.gov/vuln/detail/CVE-2024-39689

Upstream-patch:
https://github.com/certifi/python-certifi/commit/bd8153872e9c6fc98f4023df9c2deaffea2fa463

Signed-off-by: Soumya Sambu 
---
 .../python3-certifi/CVE-2024-39689.patch  | 69 +++
 .../python/python3-certifi_2024.2.2.bb|  3 +
 2 files changed, 72 insertions(+)
 create mode 100644 
meta/recipes-devtools/python/python3-certifi/CVE-2024-39689.patch

diff --git a/meta/recipes-devtools/python/python3-certifi/CVE-2024-39689.patch 
b/meta/recipes-devtools/python/python3-certifi/CVE-2024-39689.patch
new file mode 100644
index 00..a2ecc15d2c
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-certifi/CVE-2024-39689.patch
@@ -0,0 +1,69 @@
+From bd8153872e9c6fc98f4023df9c2deaffea2fa463 Mon Sep 17 00:00:00 2001
+From: github-actions[bot] 
<41898282+github-actions[bot]@users.noreply.github.com>
+Date: Wed, 3 Jul 2024 21:34:29 -0400
+Subject: [PATCH] 2024.07.04 (#295)
+
+Co-authored-by: alex <772+a...@users.noreply.github.com>
+
+CVE: CVE-2024-39689
+
+Upstream-Status: Backport 
[https://github.com/certifi/python-certifi/commit/bd8153872e9c6fc98f4023df9c2deaffea2fa463]
+
+Signed-off-by: Soumya Sambu 
+---
+ certifi/cacert.pem | 40 
+ 1 file changed, 40 deletions(-)
+
+diff --git a/certifi/cacert.pem b/certifi/cacert.pem
+index 1bec256..6bb8cf8 100644
+--- a/certifi/cacert.pem
 b/certifi/cacert.pem
+@@ -3857,46 +3857,6 @@ 
DgQWBBQxCpCPtsad0kRLgLWi5h+xEk8blTAKBggqhkjOPQQDAwNoADBlAjEA31SQ
+ +RHUjE7AwWHCFUyqqx0LMV87HOIAl0Qx5v5zli/altP+CAezNIm8BZ/3Hobui3A=
+ -END CERTIFICATE-
+
+-# Issuer: CN=GLOBALTRUST 2020 O=e-commerce monitoring GmbH
+-# Subject: CN=GLOBALTRUST 2020 O=e-commerce monitoring GmbH
+-# Label: "GLOBALTRUST 2020"
+-# Serial: 109160994242082918454945253
+-# MD5 Fingerprint: 8a:c7:6f:cb:6d:e3:cc:a2:f1:7c:83:fa:0e:78:d7:e8
+-# SHA1 Fingerprint: 
d0:67:c1:13:51:01:0c:aa:d0:c7:6a:65:37:31:16:26:4f:53:71:a2
+-# SHA256 Fingerprint: 
9a:29:6a:51:82:d1:d4:51:a2:e3:7f:43:9b:74:da:af:a2:67:52:33:29:f9:0f:9a:0d:20:07:c3:34:e2:3c:9a
+--BEGIN CERTIFICATE-
+-MIIFgjCCA2qgAwIBAgILWku9WvtPilv6ZeUwDQYJKoZIhvcNAQELBQAwTTELMAkG
+-A1UEBhMCQVQxIzAhBgNVBAoTGmUtY29tbWVyY2UgbW9uaXRvcmluZyBHbWJIMRkw
+-FwYDVQQDExBHTE9CQUxUUlVTVCAyMDIwMB4XDTIwMDIxMDAwMDAwMFoXDTQwMDYx
+-MDAwMDAwMFowTTELMAkGA1UEBhMCQVQxIzAhBgNVBAoTGmUtY29tbWVyY2UgbW9u
+-aXRvcmluZyBHbWJIMRkwFwYDVQQDExBHTE9CQUxUUlVTVCAyMDIwMIICIjANBgkq
+-hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAri5WrRsc7/aVj6B3GyvTY4+ETUWiD59b
+-RatZe1E0+eyLinjF3WuvvcTfk0Uev5E4C64OFudBc/jbu9G4UeDLgztzOG53ig9Z
+-YybNpyrOVPu44sB8R85gfD+yc/LAGbaKkoc1DZAoouQVBGM+uq/ufF7MpotQsjj3
+-QWPKzv9pj2gOlTblzLmMCcpL3TGQlsjMH/1WljTbjhzqLL6FLmPdqqmV0/0plRPw
+-yJiT2S0WR5ARg6I6IqIoV6Lr/sCMKKCmfecqQjuCgGOlYx8ZzHyyZqjC0203b+J+
+-BlHZRYQfEs4kUmSFC0iAToexIiIwquuuvuAC4EDosEKAA1GqtH6qRNdDYfOiaxaJ
+-SaSjpCuKAsR49GiKweR6NrFvG5Ybd0mN1MkGco/PU+PcF4UgStyYJ9ORJitHHmkH
+-r96i5OTUawuzXnzUJIBHKWk7buis/UDr2O1xcSvy6Fgd60GXIsUf1DnQJ4+H4xj0
+-4KlGDfV0OoIu0G4skaMxXDtG6nsEEFZegB31pWXogvziB4xiRfUg3kZwhqG8k9Me
+-dKZssCz3AwyIDMvUclOGvGBG85hqwvG/Q/lwIHfKN0F5VVJjjVsSn8VoxIidrPIw
+-q7ejMZdnrY8XD2zHc+0klGvIg5rQmjdJBKuxFshsSUktq6HQjJLyQUp5ISXbY9e2
+-nKd+Qmn7OmMCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC
+-AQYwHQYDVR0OBBYEFNwuH9FhN3nkq9XVsxJxaD1qaJwiMB8GA1UdIwQYMBaAFNwu
+-H9FhN3nkq9XVsxJxaD1qaJwiMA0GCSqGSIb3DQEBCwUAA4ICAQCR8EICaEDuw2jA
+-VC/f7GLDw56KoDEoqoOOpFaWEhCGVrqXctJUMHytGdUdaG/7FELYjQ7ztdGl4wJC
+-XtzoRlgHNQIw4Lx0SsFDKv/bGtCwr2zD/cuz9X9tAy5ZVp0tLTWMstZDFyySCstd
+-6IwPS3BD0IL/qMy/pJTAvoe9iuOTe8aPmxadJ2W8esVCgmxcB9CpwYhgROmYhRZf
+-+I/KARDOJcP5YBugxZfD0yyIMaK9MOzQ0MAS8cE54+X1+NZK3TTN+2/BT+MAi1bi
+-kvcoskJ3ciNnxz8RFbLEAwW+uxF7Cr+obuf/WEPPm2eggAe2HcqtbepBEX4tdJP7
+-wry+UUTF72glJ4DjyKDUEuzZpTcdN3y0kcra1LGWge9oXHYQSa9+pTeAsRxSvTOB
+-TI/53WXZFM2KJVj04sWDpQmQ1GwUY7VA3+vA/MRYfg0
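Review bot: this is the same patch file as the kirkstone submission, but here the recipe hunk is three lines (`python3-certifi_2024.2.2.bb | 3 +`) rather than one, and that hunk is not in the archived copy; say in the commit message what the extra recipe lines do (for example whether anything beyond the `file://CVE-2024-39689.patch` SRC_URI entry is added), and confirm the `@@ -3857,46 +3857,6 @@` context from upstream's `1bec256..6bb8cf8` bundle applies to the 2024.2.2 `cacert.pem` without fuzz.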
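An added example for both certifi submissions above, not certifi's or the patch's own code. It audits a PEM bundle in the `cacert.pem` layout (comment header, then the certificate block) for roots that are meant to be gone, using the SHA-256 fingerprint of the `GLOBALTRUST 2020` block quoted in the patch, and also cross-checks each entry's `# SHA256 Fingerprint:` comment against the certificate bytes, which catches a mislabelled or hand-edited bundle in a built image. The scanner only hashes the DER and never parses it, so it works on any bundle in this layout. The sample bundle is constructed inline from arbitrary bytes, not real certificates, and every function name is this example's own.

```python
import base64
import hashlib
import re

# Added example, not certifi's or the patch's own code: audit a PEM bundle in
# certifi's cacert.pem layout for roots that should have been removed, and
# cross-check each "# SHA256 Fingerprint:" comment against the DER bytes.

# Fingerprint taken from the removed GLOBALTRUST 2020 block in the patch above.
REMOVED_ROOTS = {
    "9a:29:6a:51:82:d1:d4:51:a2:e3:7f:43:9b:74:da:af:a2:67:52:33:29:f9:0f:9a"
    ":0d:20:07:c3:34:e2:3c:9a": "GLOBALTRUST 2020",
}

# Optional run of '#' comment lines directly before a certificate block.
_ENTRY_RE = re.compile(
    r"(?P<head>(?:^#[^\n]*\n)*)"
    r"-----BEGIN CERTIFICATE-----\n(?P<b64>.*?)-----END CERTIFICATE-----",
    re.S | re.M,
)


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated lowercase SHA-256 of the DER, the certifi comment format."""
    hexdigest = hashlib.sha256(der).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def parse_bundle(pem_text: str) -> list:
    """One dict per certificate: label and claimed fingerprint from the comment
    header (None if absent) plus the fingerprint computed from the DER."""
    entries = []
    for m in _ENTRY_RE.finditer(pem_text):
        head = m.group("head")
        der = base64.b64decode("".join(m.group("b64").split()))
        label = re.search(r'^# Label: "([^"]*)"', head, re.M)
        claimed = re.search(r"^# SHA256 Fingerprint: ([0-9a-f:]+)", head, re.M)
        entries.append({
            "label": label.group(1) if label else None,
            "fingerprint": sha256_fingerprint(der),
            "claimed_fingerprint": claimed.group(1) if claimed else None,
        })
    return entries


def audit_bundle(pem_text: str, denylist=REMOVED_ROOTS):
    """Return (still_present, mismatched): names of denylisted roots found in
    the bundle, and labels whose fingerprint comment disagrees with the bytes."""
    present, mismatched = [], []
    for entry in parse_bundle(pem_text):
        if entry["fingerprint"] in denylist:
            present.append(denylist[entry["fingerprint"]])
        claimed = entry["claimed_fingerprint"]
        if claimed is not None and claimed != entry["fingerprint"]:
            mismatched.append(entry["label"])
    return present, mismatched


def build_sample_bundle():
    """Constructed two-entry bundle. The blocks hold arbitrary bytes rather than
    real certificates; 'Root B' deliberately carries Root A's fingerprint
    comment so the mismatch check has something to find. Returns the PEM text
    and a denylist naming Root B."""
    der_a, der_b = b"constructed-root-A", b"constructed-root-B"
    fp_a, fp_b = sha256_fingerprint(der_a), sha256_fingerprint(der_b)

    def block(label, der, claimed_fp):
        return (f'# Label: "{label}"\n'
                f"# SHA256 Fingerprint: {claimed_fp}\n"
                "-----BEGIN CERTIFICATE-----\n"
                f"{base64.b64encode(der).decode()}\n"
                "-----END CERTIFICATE-----\n")

    pem = block("Root A", der_a, fp_a) + "\n" + block("Root B", der_b, fp_a)
    return pem, {fp_b: "Root B"}
```

Run `audit_bundle(open(path).read())` against the `cacert.pem` installed in an image built from either branch: an empty first list means the GLOBALTRUST 2020 root is gone, and a non-empty second list means some entry's comment header no longer describes the certificate beneath it.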

[OE-core][kirkstone][PATCH 1/1] go: Fix CVE-2024-24789

2024-07-31 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

The archive/zip package's handling of certain types of invalid zip files
differs from the behavior of most zip implementations. This misalignment
could be exploited to create a zip file with contents that vary depending
on the implementation reading the file. The archive/zip package now rejects
files containing these errors.

References:
https://nvd.nist.gov/vuln/detail/CVE-2024-24789

Upstream-patch:
https://github.com/golang/go/commit/c8e40338cf00f3c1d86c8fb23863ad67a4c72bcc

Signed-off-by: Soumya Sambu 
---
 meta/recipes-devtools/go/go-1.17.13.inc   |  1 +
 .../go/go-1.21/CVE-2024-24789.patch   | 78 +++
 2 files changed, 79 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.21/CVE-2024-24789.patch

diff --git a/meta/recipes-devtools/go/go-1.17.13.inc 
b/meta/recipes-devtools/go/go-1.17.13.inc
index 95fb572362..e83c4dfa80 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -56,6 +56,7 @@ SRC_URI += "\
 file://CVE-2024-24784.patch \
 file://CVE-2024-24785.patch \
 file://CVE-2023-45288.patch \
+file://CVE-2024-24789.patch \
 "
 SRC_URI[main.sha256sum] = 
"a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
 
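Review bot: the patch is wired into `go-1.17.13.inc` but stored under `meta/recipes-devtools/go/go-1.21/`, and its subject line is `[release-branch.go1.21]`. Say in the commit message that the 1.21 change applies to 1.17.13's `archive/zip/reader.go` (the `findSignatureInBlock` context in the hunk is long-standing code, so it may well), and confirm the `go-1.21` directory is on this recipe's search path, as the other `file://CVE-2024-247xx.patch` entries in the same SRC_URI block suggest it already is.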
diff --git a/meta/recipes-devtools/go/go-1.21/CVE-2024-24789.patch 
b/meta/recipes-devtools/go/go-1.21/CVE-2024-24789.patch
new file mode 100644
index 00..2679109a0e
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.21/CVE-2024-24789.patch
@@ -0,0 +1,78 @@
+From c8e40338cf00f3c1d86c8fb23863ad67a4c72bcc Mon Sep 17 00:00:00 2001
+From: Damien Neil 
+Date: Tue, 14 May 2024 14:39:10 -0700
+Subject: [PATCH] [release-branch.go1.21] archive/zip: treat truncated EOCDR
+ comment as an error
+
+When scanning for an end of central directory record,
+treat an EOCDR signature with a record containing a truncated
+comment as an error. Previously, we would skip over the invalid
+record and look for another one. Other implementations do not
+do this (they either consider this a hard error, or just ignore
+the truncated comment). This parser misalignment allowed
+presenting entirely different archive contents to Go programs
+and other zip decoders.
+
+For #66869
+Fixes #67553
+
+Change-Id: I94e5cb028534bb5704588b8af27f1e22ea49c7c6
+Reviewed-on: https://go-review.googlesource.com/c/go/+/585397
+Reviewed-by: Joseph Tsai 
+Reviewed-by: Dmitri Shuralyov 
+LUCI-TryBot-Result: Go LUCI 

+(cherry picked from commit 33d725e5758bf1fea62e6c77fc70b57a828a49f5)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/588795
+Reviewed-by: Matthew Dempsky 
+
+CVE: CVE-2024-24789
+
+Upstream-Status: Backport 
[https://github.com/golang/go/commit/c8e40338cf00f3c1d86c8fb23863ad67a4c72bcc]
+
+Signed-off-by: Soumya Sambu 
+---
+ src/archive/zip/reader.go  | 8 ++--
+ src/archive/zip/reader_test.go | 8 
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/src/archive/zip/reader.go b/src/archive/zip/reader.go
+index e40a2c6..987f543 100644
+--- a/src/archive/zip/reader.go
 b/src/archive/zip/reader.go
+@@ -644,9 +644,13 @@ func findSignatureInBlock(b []byte) int {
+   if b[i] == 'P' && b[i+1] == 'K' && b[i+2] == 0x05 && b[i+3] == 
0x06 {
+   // n is length of comment
+   n := int(b[i+directoryEndLen-2]) | 
int(b[i+directoryEndLen-1])<<8
+-  if n+directoryEndLen+i <= len(b) {
+-  return i
++  if n+directoryEndLen+i > len(b) {
++  // Truncated comment.
++  // Some parsers (such as Info-ZIP) ignore the 
truncated comment
++  // rather than treating it as a hard error.
++  return -1
+   }
++  return i
+   }
+   }
+   return -1
+diff --git a/src/archive/zip/reader_test.go b/src/archive/zip/reader_test.go
+index a549153..7ac394d 100644
+--- a/src/archive/zip/reader_test.go
 b/src/archive/zip/reader_test.go
+@@ -487,6 +487,14 @@ var tests = []ZipTest{
+   },
+   },
+   },
++  // Issue 66869: Don't skip over an EOCDR with a truncated comment.
++  // The test file sneakily hides a second EOCDR before the first one;
++  // previously we would extract one file ("file") from this archive,
++  // while most other tools would reject the file or extract a different 
one ("FILE").
++  {
++  Name:  "comment-truncated.zip",
++  Error: ErrFormat,
++  },
+ }
+
+ func TestReader(t *testing.T) {
+--
+2.40.0
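Review bot: the test hunk adds a `ZipTest` entry for `comment-truncated.zip` with `Error: ErrFormat`, but the diffstat lists only `src/archive/zip/reader.go` and `reader_test.go`; a text patch cannot carry the binary `testdata/comment-truncated.zip`, so `TestReader` will fail on the new entry unless that file is also added to the recipe. Either ship the testdata file alongside the patch or drop the `reader_test.go` hunk from the backport and note that in the commit message. The `reader.go` change matches upstream: a `PK\x05\x06` signature whose comment length runs past the block now returns -1 instead of being skipped in favour of an earlier record.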
-- 
2.40.0
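The check below is an added example and is not code from Go, from the upstream fix or from this submission. It re-creates in Python the stricter end-of-central-directory (EOCDR) scan the backport adds, with a `strict` switch so the pre-patch "skip and keep scanning" behaviour can be compared against the patched "hard error" behaviour, and wraps it in a classifier a build or ingest pipeline could run over an archive's tail before handing it to any zip library. Record layout and the 22-byte fixed size are from the zip format; `DIRECTORY_END_LEN` mirrors the Go constant's name; the sample inputs are constructed inline.

```python
import io
import struct
import zipfile

# Added example, not code from Go or the patch: a Python re-creation of the
# stricter EOCDR scan the backport adds, runnable over the tail of any archive.

EOCDR_SIG = b"PK\x05\x06"
DIRECTORY_END_LEN = 22  # fixed part of the record; a variable comment follows


def find_signature_in_block(block: bytes, strict: bool = True) -> int:
    """Scan backwards for an EOCDR and return its offset, or -1.

    A record whose comment length runs past the end of the block is a hard
    error when strict=True (patched behaviour). With strict=False it is
    skipped and the scan continues to an earlier record (pre-patch behaviour),
    which is what let one file show different contents to different readers.
    """
    for i in range(len(block) - DIRECTORY_END_LEN, -1, -1):
        if block[i:i + 4] != EOCDR_SIG:
            continue
        comment_len = struct.unpack_from("<H", block, i + DIRECTORY_END_LEN - 2)[0]
        if i + DIRECTORY_END_LEN + comment_len > len(block):
            if strict:
                return -1
            continue
        return i
    return -1


def classify_archive_tail(data: bytes) -> str:
    """'ok', 'reject:truncated-eocdr-comment' (the strict scan fails where a
    lenient one would have found an earlier record) or 'reject:no-eocdr'."""
    tail = data[-(DIRECTORY_END_LEN + 0xFFFF):]  # a comment is at most 65535 bytes
    if find_signature_in_block(tail) >= 0:
        return "ok"
    if find_signature_in_block(tail, strict=False) >= 0:
        return "reject:truncated-eocdr-comment"
    return "reject:no-eocdr"


def eocdr(comment: bytes, comment_len_field=None) -> bytes:
    """Constructed minimal EOCDR (all counts and offsets zero) plus comment.
    comment_len_field lets the recorded length disagree with the real one."""
    n = len(comment) if comment_len_field is None else comment_len_field
    return EOCDR_SIG + struct.pack("<HHHHIIH", 0, 0, 0, 0, 0, 0, n) + comment


def build_real_zip() -> bytes:
    """Constructed well-formed archive with a comment, written by the stdlib."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.comment = b"constructed archive comment"
        zf.writestr("file.txt", b"content")
    return buf.getvalue()


def build_double_eocdr() -> bytes:
    """Constructed tail with two records: a valid one, then a trailing one whose
    comment length field (200) exceeds the 2 bytes actually present."""
    return b"constructed-local-data" + eocdr(b"") + eocdr(b"ab", comment_len_field=200)
```

`classify_archive_tail` reports the middle case separately on purpose: an archive that only a lenient reader accepts is the parser-differential the commit message describes, and is worth logging as such rather than as a generic corrupt file.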


View/Reply Online (#202724): https://lists.openembedded.org/g/openembedded-core/message/202724

[OE-core][scarthgap][PATCH 1/1] python3-idna: upgrade 3.6 -> 3.7

2024-07-26 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

License-Update: Updated copyright year

Changelog:
==
 * Fix issue where specially crafted inputs to encode() could take exceptionally
long amount of time to process. [CVE-2024-3651]

Signed-off-by: Soumya Sambu 
---
 .../python/{python3-idna_3.6.bb => python3-idna_3.7.bb}   | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename meta/recipes-devtools/python/{python3-idna_3.6.bb => 
python3-idna_3.7.bb} (62%)

diff --git a/meta/recipes-devtools/python/python3-idna_3.6.bb 
b/meta/recipes-devtools/python/python3-idna_3.7.bb
similarity index 62%
rename from meta/recipes-devtools/python/python3-idna_3.6.bb
rename to meta/recipes-devtools/python/python3-idna_3.7.bb
index 47c080cdf8..729aff1c46 100644
--- a/meta/recipes-devtools/python/python3-idna_3.6.bb
+++ b/meta/recipes-devtools/python/python3-idna_3.7.bb
@@ -1,9 +1,9 @@
 SUMMARY = "Internationalised Domain Names in Applications"
 HOMEPAGE = "https://github.com/kjd/idna";
 LICENSE = "BSD-3-Clause & Python-2.0 & Unicode-TOU"
-LIC_FILES_CHKSUM = "file://LICENSE.md;md5=dbec47b98e1469f6a104c82ff9698cee"
+LIC_FILES_CHKSUM = "file://LICENSE.md;md5=204c0612e40a4dd46012a78d02c80fb1"
 
-SRC_URI[sha256sum] = 
"9ecdbbd083b06798ae1e86adcbfe8ab1479cf864e4ee30fe4e46a003d12491ca"
+SRC_URI[sha256sum] = 
"028ff3aadf0609c1fd278d8ea3089299412a7a8b9bd005dd08b9f8285bcb5cfc"
 
 inherit pypi python_flit_core
 
-- 
2.25.1





[OE-core][kirkstone][PATCH 10/11] ovmf: Fix CVE-2023-45236

2024-07-10 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

EDK2's Network Package is susceptible to a predictable TCP Initial
Sequence Number. This vulnerability can be exploited by an attacker
to gain unauthorized access and potentially lead to a loss of
Confidentiality.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-45236

Upstream-patches:
https://github.com/tianocore/edk2/commit/1904a64bcc18199738e5be183d28887ac5d837d7

Signed-off-by: Soumya Sambu 
---
 .../ovmf/ovmf/CVE-2023-45236.patch| 829 ++
 meta/recipes-core/ovmf/ovmf_git.bb|   1 +
 2 files changed, 830 insertions(+)
 create mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2023-45236.patch

diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2023-45236.patch 
b/meta/recipes-core/ovmf/ovmf/CVE-2023-45236.patch
new file mode 100644
index 00..ac43392ce6
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/CVE-2023-45236.patch
@@ -0,0 +1,829 @@
+From 1904a64bcc18199738e5be183d28887ac5d837d7 Mon Sep 17 00:00:00 2001
+From: Doug Flick 
+Date: Wed, 8 May 2024 22:56:29 -0700
+Subject: [PATCH] NetworkPkg TcpDxe: SECURITY PATCH CVE-2023-45236
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4541
+REF: https://www.rfc-editor.org/rfc/rfc1948.txt
+REF: https://www.rfc-editor.org/rfc/rfc6528.txt
+REF: https://www.rfc-editor.org/rfc/rfc9293.txt
+
+Bug Overview:
+PixieFail Bug #8
+CVE-2023-45236
+CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
+CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
+
+Updates TCP ISN generation to use a cryptographic hash of the
+connection's identifying parameters and a secret key.
+This prevents an attacker from guessing the ISN used for some other
+connection.
+
+This is follows the guidance in RFC 1948, RFC 6528, and RFC 9293.
+
+RFC: 9293 Section 3.4.1.  Initial Sequence Number Selection
+
+   A TCP implementation MUST use the above type of "clock" for clock-
+   driven selection of initial sequence numbers (MUST-8), and SHOULD
+   generate its initial sequence numbers with the expression:
+
+   ISN = M + F(localip, localport, remoteip, remoteport, secretkey)
+
+   where M is the 4 microsecond timer, and F() is a pseudorandom
+   function (PRF) of the connection's identifying parameters ("localip,
+   localport, remoteip, remoteport") and a secret key ("secretkey")
+   (SHLD-1).  F() MUST NOT be computable from the outside (MUST-9), or
+   an attacker could still guess at sequence numbers from the ISN used
+   for some other connection.  The PRF could be implemented as a
+   cryptographic hash of the concatenation of the TCP connection
+   parameters and some secret data.  For discussion of the selection of
+   a specific hash algorithm and management of the secret key data,
+   please see Section 3 of [42].
+
+   For each connection there is a send sequence number and a receive
+   sequence number.  The initial send sequence number (ISS) is chosen by
+   the data sending TCP peer, and the initial receive sequence number
+   (IRS) is learned during the connection-establishing procedure.
+
+   For a connection to be established or initialized, the two TCP peers
+   must synchronize on each other's initial sequence numbers.  This is
+   done in an exchange of connection-establishing segments carrying a
+   control bit called "SYN" (for synchronize) and the initial sequence
+   numbers.  As a shorthand, segments carrying the SYN bit are also
+   called "SYNs".  Hence, the solution requires a suitable mechanism for
+   picking an initial sequence number and a slightly involved handshake
+   to exchange the ISNs.
+
+Cc: Saloni Kasbekar 
+Cc: Zachary Clark-williams 
+
+Signed-off-by: Doug Flick [MSFT] 
+Reviewed-by: Saloni Kasbekar 
+
+CVE: CVE-2023-45236
+
+Upstream-Status: Backport 
[https://github.com/tianocore/edk2/commit/1904a64bcc18199738e5be183d28887ac5d837d7]
+
+Signed-off-by: Soumya Sambu 
+---
+ NetworkPkg/SecurityFixes.yaml |  22 +++
+ NetworkPkg/TcpDxe/TcpDriver.c |  92 -
+ NetworkPkg/TcpDxe/TcpDxe.inf  |   8 +-
+ NetworkPkg/TcpDxe/TcpFunc.h   |  23 ++--
+ NetworkPkg/TcpDxe/TcpInput.c  |  13 +-
+ NetworkPkg/TcpDxe/TcpMain.h   |  59 ++--
+ NetworkPkg/TcpDxe/TcpMisc.c   | 244 --
+ NetworkPkg/TcpDxe/TcpTimer.c  |   3 +-
+ 8 files changed, 415 insertions(+), 49 deletions(-)
+
+diff --git a/NetworkPkg/SecurityFixes.yaml b/NetworkPkg/SecurityFixes.yaml
+index 2b2c794697..ab355419cc 100644
+--- a/NetworkPkg/SecurityFixes.yaml
 b/NetworkPkg/SecurityFixes.yaml
+@@ -121,6 +121,28 @@ CVE_2023_45235:
+ - http://www.openwall.com/lists/oss-security/2024/01/16/2
+ - 
http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html
+ - 
https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
++CVE_2023_45236:
++  commit_titles:
++- "NetworkPkg: TcpDxe: SECURITY PATCH CVE-2023-45236 Patch"
++  cve: CVE-2023-45236
++  date_reported: 2023-08-28 13:56 UTC
++  description: "Bug 08 - edk2/NetworkPkg
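Review bot: the description specifies ISN = M + F(localip, localport, remoteip, remoteport, secretkey) with F() a keyed PRF, but the only hunk visible here is the SecurityFixes.yaml entry; the generator itself lives in the TcpDriver.c and TcpMisc.c changes listed in the diffstat, which are cut off. The review question that remains is where secretkey comes from: the sibling CVE-2023-45237 patch in this same series states that some RngLib implementations (BaseRngLibTimerLib is named) are unsafe, and an ISN hash keyed from a timer-derived value is guessable again. Confirm that the TcpDxe.inf change (+8 lines) pulls in an RngLib backed by hardware or a properly seeded DRBG, and that the key is generated once per boot, not per connection from a predictable source.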

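The ISN formula quoted from RFC 9293 in the patch description above, ISN = M + F(localip, localport, remoteip, remoteport, secretkey), worked through as an added example. This is editor's code, not the EDK2 patch and not anything from this mail: F() is instantiated with SipHash-2-4 as the keyed PRF, which is an assumption for illustration (the hash the EDK2 change actually uses is in the TcpMisc.c hunk that is cut off above). The tuples, secret keys and clock value are constructed; the SipHash known-answer values are the ones published in the SipHash paper.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Editor's example (not EDK2 code): RFC 9293 3.4.1 / RFC 6528 ISN generation,
 *   ISN = M + F(localip, localport, remoteip, remoteport, secretkey)
 * with F() instantiated as SipHash-2-4, a keyed PRF (assumption for
 * illustration; the real EDK2 patch's hash is not reproduced here). */

#define ROTL64(x, b) (uint64_t)(((x) << (b)) | ((x) >> (64 - (b))))

static uint64_t load64_le(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) {
        v = (v << 8) | p[i];
    }
    return v;
}

#define SIPROUND                                                       \
    do {                                                               \
        v0 += v1; v1 = ROTL64(v1, 13); v1 ^= v0; v0 = ROTL64(v0, 32);  \
        v2 += v3; v3 = ROTL64(v3, 16); v3 ^= v2;                       \
        v0 += v3; v3 = ROTL64(v3, 21); v3 ^= v0;                       \
        v2 += v1; v1 = ROTL64(v1, 17); v1 ^= v2; v2 = ROTL64(v2, 32);  \
    } while (0)

/* SipHash-2-4 (Aumasson & Bernstein): 128-bit key, 64-bit output. */
uint64_t siphash24(const uint8_t *in, size_t inlen, const uint8_t key[16]) {
    uint64_t k0 = load64_le(key), k1 = load64_le(key + 8);
    uint64_t v0 = 0x736f6d6570736575ULL ^ k0;
    uint64_t v1 = 0x646f72616e646f6dULL ^ k1;
    uint64_t v2 = 0x6c7967656e657261ULL ^ k0;
    uint64_t v3 = 0x7465646279746573ULL ^ k1;
    uint64_t b = (uint64_t)inlen << 56;  /* message length in the top octet */
    size_t i = 0;
    for (; i + 8 <= inlen; i += 8) {
        uint64_t m = load64_le(in + i);
        v3 ^= m; SIPROUND; SIPROUND; v0 ^= m;
    }
    for (size_t j = 0; i + j < inlen; j++) {  /* remaining 0..7 tail bytes */
        b |= (uint64_t)in[i + j] << (8 * j);
    }
    v3 ^= b; SIPROUND; SIPROUND; v0 ^= b;
    v2 ^= 0xff;
    SIPROUND; SIPROUND; SIPROUND; SIPROUND;
    return v0 ^ v1 ^ v2 ^ v3;
}

/* Connection 4-tuple (IPv4 for brevity); ports in host order. */
typedef struct {
    uint8_t  local_ip[4];
    uint16_t local_port;
    uint8_t  remote_ip[4];
    uint16_t remote_port;
} tcp_tuple;

/* F(): keyed PRF over the connection's identifying parameters, serialised
 * field by field so the encoding is unambiguous. */
static uint32_t isn_prf(const tcp_tuple *t, const uint8_t secret[16]) {
    uint8_t buf[12];
    memcpy(buf, t->local_ip, 4);
    buf[4] = (uint8_t)(t->local_port >> 8);
    buf[5] = (uint8_t)t->local_port;
    memcpy(buf + 6, t->remote_ip, 4);
    buf[10] = (uint8_t)(t->remote_port >> 8);
    buf[11] = (uint8_t)t->remote_port;
    return (uint32_t)siphash24(buf, sizeof buf, secret);
}

/* ISN = M + F(...): m_4us is the 4-microsecond clock (RFC 9293 MUST-8).
 * Wraparound at 2^32 is the intended sequence-space arithmetic. */
uint32_t tcp_isn(const tcp_tuple *t, const uint8_t secret[16], uint32_t m_4us) {
    return m_4us + isn_prf(t, secret);
}

/* Known-answer test from the SipHash paper: key 00..0f, empty and 15-byte input. */
int siphash_selftest(void) {
    uint8_t key[16], msg[15];
    for (int i = 0; i < 16; i++) key[i] = (uint8_t)i;
    for (int i = 0; i < 15; i++) msg[i] = (uint8_t)i;
    return siphash24(msg, 0, key) == 0x726fdb47dd0e0e31ULL &&
           siphash24(msg, 15, key) == 0xa129ca6149be45e5ULL;
}

/* Properties the RFC asks for: same tuple, key and clock give the same ISN;
 * a different tuple or a different secret gives an unrelated one; the clock
 * term adds linearly. Keys and tuples are constructed sample values. */
int isn_selftest(void) {
    uint8_t k1[16], k2[16];
    for (int i = 0; i < 16; i++) { k1[i] = (uint8_t)(0x10 + i); k2[i] = (uint8_t)(0xa0 ^ i); }
    tcp_tuple a = {{10, 0, 0, 1}, 49152, {10, 0, 0, 2}, 443};
    tcp_tuple b = a;
    b.remote_port = 80;
    return tcp_isn(&a, k1, 0) == tcp_isn(&a, k1, 0) &&
           tcp_isn(&a, k1, 0) != tcp_isn(&b, k1, 0) &&
           tcp_isn(&a, k1, 0) != tcp_isn(&a, k2, 0) &&
           tcp_isn(&a, k1, 1000) == tcp_isn(&a, k1, 0) + 1000u;
}
```

The keyed PRF is the whole point of MUST-9: without secretkey an observer who knows the 4-tuple cannot compute F(), so an ISN seen on one connection tells them nothing about the ISN of another, while the same tuple still gets a stable offset from the clock. The construction is only as strong as the secret, which is why the RngLib quality raised by the CVE-2023-45237 patch in this series matters for this fix too.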
[OE-core][kirkstone][PATCH 08/11] ovmf: Fix CVE-2023-45229

2024-07-10 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

EDK2's Network Package is susceptible to an out-of-bounds read
vulnerability when processing the IA_NA or IA_TA option in a DHCPv6
Advertise message. This vulnerability can be exploited by an attacker
to gain unauthorized access and potentially lead to a loss of
Confidentiality.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-45229

Upstream-patches:
https://github.com/tianocore/edk2/commit/1dbb10cc52dc8ef49bb700daa1cefc76b26d52e0
https://github.com/tianocore/edk2/commit/07362769ab7a7d74dbea1c7a7a3662c7b5d1f097
https://github.com/tianocore/edk2/commit/1c440a5eceedc64e892877eeac0f1a4938f5abbb
https://github.com/tianocore/edk2/commit/1d0b95f6457d225c5108302a9da74b4ed7aa5a38

Signed-off-by: Soumya Sambu 
---
 .../ovmf/ovmf/CVE-2023-45229-0001.patch   | 604 ++
 .../ovmf/ovmf/CVE-2023-45229-0002.patch   | 539 
 .../ovmf/ovmf/CVE-2023-45229-0003.patch   | 244 +++
 .../ovmf/ovmf/CVE-2023-45229-0004.patch   | 157 +
 meta/recipes-core/ovmf/ovmf_git.bb|   4 +
 5 files changed, 1548 insertions(+)
 create mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2023-45229-0001.patch
 create mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2023-45229-0002.patch
 create mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2023-45229-0003.patch
 create mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2023-45229-0004.patch

diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2023-45229-0001.patch 
b/meta/recipes-core/ovmf/ovmf/CVE-2023-45229-0001.patch
new file mode 100644
index 00..9d8549b27d
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/CVE-2023-45229-0001.patch
@@ -0,0 +1,604 @@
+From 1dbb10cc52dc8ef49bb700daa1cefc76b26d52e0 Mon Sep 17 00:00:00 2001
+From: "Doug Flick via groups.io" 
+Date: Fri, 26 Jan 2024 05:54:46 +0800
+Subject: [PATCH] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Patch
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4534
+
+Bug Details:
+PixieFail Bug #1
+CVE-2023-45229
+CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+CWE-125 Out-of-bounds Read
+
+Change Overview:
+
+Introduce Dhcp6SeekInnerOptionSafe which performs checks before seeking
+the Inner Option from a DHCP6 Option.
+
+>
+> EFI_STATUS
+> Dhcp6SeekInnerOptionSafe (
+>  IN  UINT16  IaType,
+>  IN  UINT8   *Option,
+>  IN  UINT32  OptionLen,
+>  OUT UINT8   **IaInnerOpt,
+>  OUT UINT16  *IaInnerLen
+>  );
+>
+
+Lots of code cleanup to improve code readability.
+
+Cc: Saloni Kasbekar 
+Cc: Zachary Clark-williams 
+
+Signed-off-by: Doug Flick [MSFT] 
+Reviewed-by: Saloni Kasbekar 
+
+CVE: CVE-2023-45229
+
+Upstream-Status: Backport 
[https://github.com/tianocore/edk2/commit/1dbb10cc52dc8ef49bb700daa1cefc76b26d52e0]
+
+Signed-off-by: Soumya Sambu 
+---
+ NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h | 138 +++---
+ NetworkPkg/Dhcp6Dxe/Dhcp6Io.c   | 203 +---
+ 2 files changed, 256 insertions(+), 85 deletions(-)
+
+diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h b/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h
+index f2422c2f28..220e7c68f1 100644
+--- a/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h
 b/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h
+@@ -45,6 +45,20 @@ typedef struct _DHCP6_INSTANCE  DHCP6_INSTANCE;
+ #define DHCP6_SERVICE_SIGNATURE   SIGNATURE_32 ('D', 'H', '6', 'S')
+ #define DHCP6_INSTANCE_SIGNATURE  SIGNATURE_32 ('D', 'H', '6', 'I')
+ 
++#define DHCP6_PACKET_ALL0
++#define DHCP6_PACKET_STATEFUL   1
++#define DHCP6_PACKET_STATELESS  2
++
++#define DHCP6_BASE_PACKET_SIZE  1024
++
++#define DHCP6_PORT_CLIENT  546
++#define DHCP6_PORT_SERVER  547
++
++#define DHCP_CHECK_MEDIA_WAITING_TIME  EFI_TIMER_PERIOD_SECONDS(20)
++
++#define DHCP6_INSTANCE_FROM_THIS(Instance)  CR ((Instance), DHCP6_INSTANCE, 
Dhcp6, DHCP6_INSTANCE_SIGNATURE)
++#define DHCP6_SERVICE_FROM_THIS(Service)CR ((Service), DHCP6_SERVICE, 
ServiceBinding, DHCP6_SERVICE_SIGNATURE)
++
+ //
+ // For more information on DHCP options see RFC 8415, Section 21.1
+ //
+@@ -59,12 +73,10 @@ typedef struct _DHCP6_INSTANCE  DHCP6_INSTANCE;
+ //|  (option-len octets)  |
+ //+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ //
+-#define DHCP6_SIZE_OF_OPT_CODE  (sizeof(UINT16))
+-#define DHCP6_SIZE_OF_OPT_LEN   (sizeof(UINT16))
++#define DHCP6_SIZE_OF_OPT_CODE  (sizeof (((EFI_DHCP6_PACKET_OPTION 
*)0)->OpCode))
++#define DHCP6_SIZE_OF_OPT_LEN   (sizeof (((EFI_DHCP6_PACKET_OPTION 
*)0)->OpLen))
+ 
+-//
+ // Combined size of Code and Length
+-//
+ #define DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN  (DHCP6_SIZE_OF_OPT_CODE + \
+   DHCP6_SIZE_OF_OPT_LEN)
+ 
+@@ -73,34 +85,122 @@ STATIC_ASSERT (
+   "Combined size of Code and Length must be 4 per RFC 8415"
+   );
+ 
+-//
+ // Offset to the length is just past the code
+-//
+-#define DHCP6_OPT_LEN_OFFSET(a)  (a + DHCP6_SIZE_OF_OPT_CODE)
++#define DHCP6_OFFSET_OF_OPT_LEN(a)  (a + DHCP6_SIZE_OF_OPT_CODE)
+ STATIC_ASSERT (
+-  DHCP6_OPT_LEN_OFFSET (0) == 
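Review bot: `DHCP6_OFFSET_OF_OPT_LEN(a)` expands to `(a + DHCP6_SIZE_OF_OPT_CODE)` without parenthesising `a`, so an argument such as `x << 1` becomes `x << 1 + 2`, which is `x << 3`; suggest `((a) + DHCP6_SIZE_OF_OPT_CODE)`, and the same for any sibling offset macros further down. The switch of `DHCP6_SIZE_OF_OPT_CODE`/`_LEN` from `sizeof(UINT16)` to the sizeof of the actual EFI_DHCP6_PACKET_OPTION fields is a good move, since the STATIC_ASSERT on the combined size of 4 now guards the real struct layout. Note also that the rename from DHCP6_OPT_LEN_OFFSET changes every caller, so the Dhcp6Io.c hunk (cut off in this archive) needs a check for stragglers, and the new Dhcp6SeekInnerOptionSafe takes a UINT32 OptionLen but reports a UINT16 *IaInnerLen, which is correct for 16-bit option lengths only if the caller never passes an OptionLen that itself was not bounded by the packet length.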

[OE-core][kirkstone][PATCH 11/11] ovmf: Fix CVE-2022-36765

2024-07-10 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

EDK2 is susceptible to a vulnerability in the CreateHob() function,
allowing a user to trigger an integer overflow to buffer overflow
via a local network. Successful exploitation of this vulnerability
may result in a compromise of confidentiality, integrity, and/or
availability.

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-36765

Upstream-patches:
https://github.com/tianocore/edk2/commit/59f024c76ee57c2bec84794536302fc770cd6ec2
https://github.com/tianocore/edk2/commit/aeaee8944f0eaacbf4cdf39279785b9ba4836bb6
https://github.com/tianocore/edk2/commit/9a75b030cf27d2530444e9a2f9f11867f79bf679

Signed-off-by: Soumya Sambu 
---
 .../ovmf/ovmf/CVE-2022-36765-0001.patch   | 179 ++
 .../ovmf/ovmf/CVE-2022-36765-0002.patch   | 157 +++
 .../ovmf/ovmf/CVE-2022-36765-0003.patch   | 135 +
 meta/recipes-core/ovmf/ovmf_git.bb|   3 +
 4 files changed, 474 insertions(+)
 create mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2022-36765-0001.patch
 create mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2022-36765-0002.patch
 create mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2022-36765-0003.patch

diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2022-36765-0001.patch 
b/meta/recipes-core/ovmf/ovmf/CVE-2022-36765-0001.patch
new file mode 100644
index 00..120cf66f6a
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/CVE-2022-36765-0001.patch
@@ -0,0 +1,179 @@
+From 59f024c76ee57c2bec84794536302fc770cd6ec2 Mon Sep 17 00:00:00 2001
+From: Gua Guo 
+Date: Thu, 11 Jan 2024 13:01:19 +0800
+Subject: [PATCH] UefiPayloadPkg/Hob: Integer Overflow in CreateHob()
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166
+
+Fix integer overflow in various CreateHob instances.
+Fixes: CVE-2022-36765
+
+The CreateHob() function aligns the requested size to 8
+performing the following operation:
+```
+HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
+```
+
+No checks are performed to ensure this value doesn't
+overflow, and could lead to CreateHob() returning a smaller
+HOB than requested, which could lead to OOB HOB accesses.
+
+Reported-by: Marc Beatove 
+Cc: Guo Dong 
+Cc: Sean Rhodes 
+Cc: James Lu 
+Reviewed-by: Gua Guo 
+Cc: John Mathew 
+Authored-by: Gerd Hoffmann 
+Signed-off-by: Gua Guo 
+
+CVE: CVE-2022-36765
+
+Upstream-Status: Backport 
[https://github.com/tianocore/edk2/commit/59f024c76ee57c2bec84794536302fc770cd6ec2]
+
+Signed-off-by: Soumya Sambu 
+---
+ .../Library/PayloadEntryHobLib/Hob.c  | 43 +++
+ .../UefiPayloadEntry/UniversalPayloadEntry.c  |  8 ++--
+ 2 files changed, 48 insertions(+), 3 deletions(-)
+
+diff --git a/UefiPayloadPkg/Library/PayloadEntryHobLib/Hob.c 
b/UefiPayloadPkg/Library/PayloadEntryHobLib/Hob.c
+index 2c3acbbc19..51c2e28d7d 100644
+--- a/UefiPayloadPkg/Library/PayloadEntryHobLib/Hob.c
 b/UefiPayloadPkg/Library/PayloadEntryHobLib/Hob.c
+@@ -110,6 +110,13 @@ CreateHob (
+ 
+   HandOffHob = GetHobList ();
+ 
++  //
++  // Check Length to avoid data overflow.
++  //
++  if (HobLength > MAX_UINT16 - 0x7) {
++return NULL;
++  }
++
+   HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
+ 
+   FreeMemory = HandOffHob->EfiFreeMemoryTop - HandOffHob->EfiFreeMemoryBottom;
+@@ -160,6 +167,9 @@ BuildResourceDescriptorHob (
+ 
+   Hob = CreateHob (EFI_HOB_TYPE_RESOURCE_DESCRIPTOR, sizeof 
(EFI_HOB_RESOURCE_DESCRIPTOR));
+   ASSERT (Hob != NULL);
++  if (Hob == NULL) {
++return;
++  }
+ 
+   Hob->ResourceType  = ResourceType;
+   Hob->ResourceAttribute = ResourceAttribute;
+@@ -330,6 +340,10 @@ BuildModuleHob (
+ );
+ 
+   Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof 
(EFI_HOB_MEMORY_ALLOCATION_MODULE));
++  ASSERT (Hob != NULL);
++  if (Hob == NULL) {
++return;
++  }
+ 
+   CopyGuid (&(Hob->MemoryAllocationHeader.Name), 
&gEfiHobMemoryAllocModuleGuid);
+   Hob->MemoryAllocationHeader.MemoryBaseAddress = MemoryAllocationModule;
+@@ -378,6 +392,11 @@ BuildGuidHob (
+   ASSERT (DataLength <= (0x - sizeof (EFI_HOB_GUID_TYPE)));
+ 
+   Hob = CreateHob (EFI_HOB_TYPE_GUID_EXTENSION, (UINT16)(sizeof 
(EFI_HOB_GUID_TYPE) + DataLength));
++  ASSERT (Hob != NULL);
++  if (Hob == NULL) {
++return NULL;
++  }
++
+   CopyGuid (&Hob->Name, Guid);
+   return Hob + 1;
+ }
+@@ -441,6 +460,10 @@ BuildFvHob (
+   EFI_HOB_FIRMWARE_VOLUME  *Hob;
+ 
+   Hob = CreateHob (EFI_HOB_TYPE_FV, sizeof (EFI_HOB_FIRMWARE_VOLUME));
++  ASSERT (Hob != NULL);
++  if (Hob == NULL) {
++return;
++  }
+ 
+   Hob->BaseAddress = BaseAddress;
+   Hob->Length  = Length;
+@@ -472,6 +495,10 @@ BuildFv2Hob (
+   EFI_HOB_FIRMWARE_VOLUME2  *Hob;
+ 
+   Hob = CreateHob (EFI_HOB_TYPE_FV2, sizeof (EFI_HOB_FIRMWARE_VOLUME2));
++  ASSERT (Hob != NULL);
++  if (Hob == NULL) {
++return;
++  }
+ 
+   Hob->BaseAddress = BaseAddress;
+   Hob->Length  = Length;
+@@ -513,6 +540,10 @@ BuildFv3Hob (
+   EFI_HOB_FIRMWARE_VOLUME3  *Hob;
+ 
+   Hob = CreateHob (EFI_HOB_TYPE_FV3, sizeof (EFI_HOB_FIRMWARE_VOLUME
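Review bot: the `HobLength > MAX_UINT16 - 0x7` guard sits in CreateHob before the round-up, which is the right place, but the `if (Hob == NULL) { return; }` blocks added after each `ASSERT (Hob != NULL)` make the void builders (BuildResourceDescriptorHob, BuildModuleHob, BuildFvHob, BuildFv2Hob, BuildFv3Hob) fail silently in release builds where ASSERT compiles out; callers have no way to learn the HOB was dropped. That is still the safe direction for an oversized request, but BuildGuidHob now returns NULL to its callers, so the UniversalPayloadEntry.c hunk listed in the diffstat must add NULL checks at every call site that previously assumed success. The `ASSERT (DataLength <= (0x - sizeof (EFI_HOB_GUID_TYPE)))` line in BuildGuidHob is garbled in this archive rendering (the constant is missing); verify the bound in the actual file.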

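The unchecked round-up described in the patch header above, and the guard it adds, as an added example. This is editor's code, not EDK2 code: the function and macro names are made up for the demonstration, and the sample lengths are constructed to show where the 16-bit arithmetic wraps.

```c
#include <stdint.h>
#include <stdbool.h>

/* Editor's example, not EDK2 code: the 8-byte round-up that CreateHob()
 * applies to a UINT16 length, in the unchecked form CVE-2022-36765 describes
 * and with the guard the patch adds. */

#define HOB_MAX_UINT16 0xFFFFu
#define HOB_ALIGN_MASK 0x7u

/* Before the fix: (UINT16)((HobLength + 0x7) & ~0x7). The addition happens in
 * a wider type; the cast back to 16 bits silently discards the carry. */
uint16_t align_hob_length_unchecked(uint16_t hob_length) {
    return (uint16_t)((hob_length + HOB_ALIGN_MASK) & (~HOB_ALIGN_MASK));
}

/* After the fix: refuse any length whose round-up does not fit in 16 bits.
 * CreateHob() returns NULL in this case; here we return false. */
bool align_hob_length_checked(uint16_t hob_length, uint16_t *aligned) {
    if (hob_length > HOB_MAX_UINT16 - HOB_ALIGN_MASK) {
        return false;
    }
    *aligned = (uint16_t)((hob_length + HOB_ALIGN_MASK) & (~HOB_ALIGN_MASK));
    return true;
}

/* Convenience wrapper: the aligned length, or -1 when the guard rejects it. */
int32_t hob_aligned_or_reject(uint16_t requested) {
    uint16_t aligned;
    return align_hob_length_checked(requested, &aligned) ? (int32_t)aligned : -1;
}

/* True when the unchecked arithmetic reserves fewer bytes than were asked
 * for: the "smaller HOB than requested" condition from the patch header. */
bool hob_request_truncated(uint16_t requested) {
    return align_hob_length_unchecked(requested) < requested;
}

/* Model the caller: a bump allocator hands out `reserved` bytes and the
 * caller then fills `requested` bytes. Returns how many bytes spill past
 * the HOB into whatever follows in free memory (0 when nothing spills). */
uint32_t hob_overflow_bytes(uint16_t requested) {
    uint16_t reserved = align_hob_length_unchecked(requested);
    return reserved < requested ? (uint32_t)(requested - reserved) : 0u;
}
```

0xFFFA + 7 is 0x10001, masked to 0x10000, and the cast to UINT16 turns that into 0: a request for 65530 bytes reserves nothing, and every byte the caller writes lands outside the HOB. The guard refuses every length above 0xFFF8, the largest value whose round-up still fits in 16 bits, and 0xFFF8 itself is accepted unchanged.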
[OE-core][kirkstone][PATCH 09/11] ovmf: Fix CVE-2023-45237

2024-07-10 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

EDK2's Network Package is susceptible to a predictable TCP Initial Sequence
Number. This vulnerability can be exploited by an attacker to gain
unauthorized access and potentially lead to a loss of Confidentiality.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-45237

Upstream-patches:
https://github.com/tianocore/edk2/commit/4c4ceb2ceb80c42fd5545b2a4bd80321f07f4345

Signed-off-by: Soumya Sambu 
---
 .../ovmf/ovmf/CVE-2023-45237-0001.patch   |   78 +
 .../ovmf/ovmf/CVE-2023-45237-0002.patch   | 1288 +
 meta/recipes-core/ovmf/ovmf_git.bb|2 +
 3 files changed, 1368 insertions(+)
 create mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2023-45237-0001.patch
 create mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2023-45237-0002.patch

diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2023-45237-0001.patch 
b/meta/recipes-core/ovmf/ovmf/CVE-2023-45237-0001.patch
new file mode 100644
index 00..d1dcb8dc44
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/CVE-2023-45237-0001.patch
@@ -0,0 +1,78 @@
+From cf07238e5fa4f8b1138ac1c9e80530b4d4e59f1c Mon Sep 17 00:00:00 2001
+From: Pierre Gondois 
+Date: Fri, 11 Aug 2023 16:33:06 +0200
+Subject: [PATCH] MdePkg/Rng: Add GUID to describe Arm Rndr Rng algorithms
+
+BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4441
+
+The EFI_RNG_PROTOCOL can rely on the RngLib. The RngLib has multiple
+implementations, some of them are unsafe (e.g. BaseRngLibTimerLib).
+To allow the RngDxe to detect when such implementation is used,
+a GetRngGuid() function is added in a following patch.
+
+Prepare GetRngGuid() return values and add a gEfiRngAlgorithmArmRndr
+to describe a Rng algorithm accessed through Arm's RNDR instruction.
+[1] states that the implementation of this algorithm should be
+compliant to NIST SP900-80. The compliance is not guaranteed.
+
+[1] Arm Architecture Reference Manual Armv8, for A-profile architecture
+sK12.1 'Properties of the generated random number'
+
+Signed-off-by: Pierre Gondois 
+Reviewed-by: Sami Mujawar 
+Reviewed-by: Liming Gao 
+Acked-by: Ard Biesheuvel 
+Tested-by: Kun Qin 
+
+CVE: CVE-2023-45237
+
+Upstream-Status: Backport 
[https://github.com/tianocore/edk2/commit/cf07238e5fa4f8b1138ac1c9e80530b4d4e59f1c]
+
+Signed-off-by: Soumya Sambu 
+---
+ MdePkg/Include/Protocol/Rng.h | 10 ++
+ MdePkg/MdePkg.dec |  1 +
+ 2 files changed, 11 insertions(+)
+
+diff --git a/MdePkg/Include/Protocol/Rng.h b/MdePkg/Include/Protocol/Rng.h
+index baf425587b..38bde53240 100644
+--- a/MdePkg/Include/Protocol/Rng.h
 b/MdePkg/Include/Protocol/Rng.h
+@@ -67,6 +67,15 @@ typedef EFI_GUID EFI_RNG_ALGORITHM;
+   { \
+ 0xe43176d7, 0xb6e8, 0x4827, {0xb7, 0x84, 0x7f, 0xfd, 0xc4, 0xb6, 0x85, 
0x61 } \
+   }
++///
++/// The Arm Architecture states the RNDR that the DRBG algorithm should be 
compliant
++/// with NIST SP800-90A, while not mandating a particular algorithm, so as to 
be
++/// inclusive of different geographies.
++///
++#define EFI_RNG_ALGORITHM_ARM_RNDR \
++  { \
++0x43d2fde3, 0x9d4e, 0x4d79,  {0x02, 0x96, 0xa8, 0x9b, 0xca, 0x78, 0x08, 
0x41} \
++  }
+ 
+ /**
+   Returns information about the random number generation implementation.
+@@ -146,5 +155,6 @@ extern EFI_GUID  gEfiRngAlgorithmSp80090Ctr256Guid;
+ extern EFI_GUID  gEfiRngAlgorithmX9313DesGuid;
+ extern EFI_GUID  gEfiRngAlgorithmX931AesGuid;
+ extern EFI_GUID  gEfiRngAlgorithmRaw;
++extern EFI_GUID  gEfiRngAlgorithmArmRndr;
+ 
+ #endif
+diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec
+index 59b405928b..a449dbc556 100644
+--- a/MdePkg/MdePkg.dec
 b/MdePkg/MdePkg.dec
+@@ -594,6 +594,7 @@
+   gEfiRngAlgorithmX9313DesGuid   = { 0x63c4785a, 0xca34, 0x4012, {0xa3, 
0xc8, 0x0b, 0x6a, 0x32, 0x4f, 0x55, 0x46 }}
+   gEfiRngAlgorithmX931AesGuid= { 0xacd03321, 0x777e, 0x4d3d, {0xb1, 
0xc8, 0x20, 0xcf, 0xd8, 0x88, 0x20, 0xc9 }}
+   gEfiRngAlgorithmRaw= { 0xe43176d7, 0xb6e8, 0x4827, {0xb7, 
0x84, 0x7f, 0xfd, 0xc4, 0xb6, 0x85, 0x61 }}
++  gEfiRngAlgorithmArmRndr= { 0x43d2fde3, 0x9d4e, 0x4d79, {0x02, 
0x96, 0xa8, 0x9b, 0xca, 0x78, 0x08, 0x41 }}
+ 
+   ## Include/Protocol/AdapterInformation.h
+   gEfiAdapterInfoMediaStateGuid   = { 0xD7C74207, 0xA831, 0x4A26, {0xB1, 
0xF5, 0xD1, 0x93, 0x06, 0x5C, 0xE8, 0xB6 }}
+-- 
+2.40.0
+
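Review bot: the commit message cites "NIST SP900-80" while the new header comment says "NIST SP800-90A"; the latter is the DRBG specification's actual name, so the message should be corrected to match. The comment sentence "The Arm Architecture states the RNDR that the DRBG algorithm should be compliant" also needs reordering, e.g. "states that the DRBG behind RNDR should be compliant". Since the message itself says compliance is not guaranteed, consumers of gEfiRngAlgorithmArmRndr should treat it as an implementation-defined DRBG rather than a verified SP800-90A source; a one-line note to that effect next to the new GUID would save the next reader the trip to the Arm ARM.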
diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2023-45237-0002.patch 
b/meta/recipes-core/ovmf/ovmf/CVE-2023-45237-0002.patch
new file mode 100644
index 00..722a6cd530
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/CVE-2023-45237-0002.patch
@@ -0,0 +1,1288 @@
+From 4c4ceb2ceb80c42fd5545b2a4bd80321f07f4345 Mon Sep 17 00:00:00 2001
+From: Doug Flick 
+Date: Wed, 8 May 2024 22:56:28 -0700
+Subject: [PATCH] NetworkPkg: SECURITY PATCH CVE-2023-45237
+
+REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4542
+
+Bug Overview:
+PixieFail Bug #9
+CVE-2023-45237
+CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+CWE-338 Use of Cryptographically Weak Pseudo-Random Number G

[OE-core][kirkstone][PATCH 04/11] ovmf: Fix CVE-2023-45231

2024-07-10 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

EDK2's Network Package is susceptible to an out-of-bounds read
vulnerability when processing a Neighbor Discovery Redirect message. This
vulnerability can be exploited by an attacker to gain unauthorized access
and potentially lead to a loss of Confidentiality.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-45231

Upstream-patches:
https://github.com/tianocore/edk2/commit/bbfee34f4188ac00371abe1389ae9c9fb989a0cd
https://github.com/tianocore/edk2/commit/6f77463d72807ec7f4ed6518c3dac29a1040df9f

Signed-off-by: Soumya Sambu 
---
 .../ovmf/ovmf/CVE-2023-45231-0001.patch   |  65 +
 .../ovmf/ovmf/CVE-2023-45231-0002.patch   | 250 ++
 meta/recipes-core/ovmf/ovmf_git.bb|   2 +
 3 files changed, 317 insertions(+)
 create mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2023-45231-0001.patch
 create mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2023-45231-0002.patch

diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2023-45231-0001.patch 
b/meta/recipes-core/ovmf/ovmf/CVE-2023-45231-0001.patch
new file mode 100644
index 00..7aa9b27407
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/CVE-2023-45231-0001.patch
@@ -0,0 +1,65 @@
+From bbfee34f4188ac00371abe1389ae9c9fb989a0cd Mon Sep 17 00:00:00 2001
+From: Doug Flick 
+Date: Fri, 26 Jan 2024 05:54:48 +0800
+Subject: [PATCH] NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45231 Patch
+
+REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4536
+
+Bug Overview:
+PixieFail Bug #3
+CVE-2023-45231
+CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+CWE-125 Out-of-bounds Read
+
+Out-of-bounds read when handling a ND Redirect message with truncated
+options
+
+Change Overview:
+
+Adds a check to prevent truncated options from being parsed
++  //
++  // Cannot process truncated options.
++  // Cannot process options with a length of 0 as there is no Type
+field.
++  //
++  if (OptionLen < sizeof (IP6_OPTION_HEADER)) {
++return FALSE;
++  }
+
+Cc: Saloni Kasbekar 
+Cc: Zachary Clark-williams 
+
+Signed-off-by: Doug Flick [MSFT] 
+Reviewed-by: Saloni Kasbekar 
+
+CVE: CVE-2023-45231
+
+Upstream-Status: Backport 
[https://github.com/tianocore/edk2/commit/bbfee34f4188ac00371abe1389ae9c9fb989a0cd]
+
+Signed-off-by: Soumya Sambu 
+---
+ NetworkPkg/Ip6Dxe/Ip6Option.c | 8 
+ 1 file changed, 8 insertions(+)
+
+diff --git a/NetworkPkg/Ip6Dxe/Ip6Option.c b/NetworkPkg/Ip6Dxe/Ip6Option.c
+index 199eea124d..8718d5d875 100644
+--- a/NetworkPkg/Ip6Dxe/Ip6Option.c
 b/NetworkPkg/Ip6Dxe/Ip6Option.c
+@@ -137,6 +137,14 @@ Ip6IsNDOptionValid (
+ return FALSE;
+   }
+ 
++  //
++  // Cannot process truncated options.
++  // Cannot process options with a length of 0 as there is no Type field.
++  //
++  if (OptionLen < sizeof (IP6_OPTION_HEADER)) {
++return FALSE;
++  }
++
+   Offset = 0;
+ 
+   //
+-- 
+2.40.0
+
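Review bot: the new `OptionLen < sizeof (IP6_OPTION_HEADER)` check guards the total remaining buffer length, which correctly rejects a truncated trailing header, but the comment's second sentence ("options with a length of 0 as there is no Type field") describes a different condition: an option whose own Length field is zero, which RFC 4861 requires receivers to discard. That needs a test on the parsed per-option Length inside the walk that follows `Offset = 0;`, which is not in this hunk; confirm Ip6IsNDOptionValid already rejects it, otherwise a zero Length could still leave the loop without forward progress. Either fix the comment to say what the check actually covers or add the second check beside it.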
diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2023-45231-0002.patch 
b/meta/recipes-core/ovmf/ovmf/CVE-2023-45231-0002.patch
new file mode 100644
index 00..fbc2c4416e
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/CVE-2023-45231-0002.patch
@@ -0,0 +1,250 @@
+From 6f77463d72807ec7f4ed6518c3dac29a1040df9f Mon Sep 17 00:00:00 2001
+From: Doug Flick 
+Date: Fri, 26 Jan 2024 05:54:49 +0800
+Subject: [PATCH] NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45231 Unit Tests
+
+REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4536
+
+Validates that the patch for...
+
+Out-of-bounds read when handling a ND Redirect message with truncated
+options
+
+.. has been fixed
+
+Tests the following function to ensure that an out of bounds read does
+not occur
+Ip6OptionValidation
+
+Cc: Saloni Kasbekar 
+Cc: Zachary Clark-williams 
+
+Signed-off-by: Doug Flick [MSFT] 
+Reviewed-by: Saloni Kasbekar 
+
+CVE: CVE-2023-45231
+
+Upstream-Status: Backport 
[https://github.com/tianocore/edk2/commit/6f77463d72807ec7f4ed6518c3dac29a1040df9f]
+
+Signed-off-by: Soumya Sambu 
+---
+ .../Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.cpp|  20 +++
+ .../Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf|  42 ++
+ .../Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp | 129 ++
+ 3 files changed, 191 insertions(+)
+ create mode 100644 NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.cpp
+ create mode 100644 NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf
+ create mode 100644 NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp
+
+diff --git a/NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.cpp 
b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.cpp
+new file mode 100644
+index 00..6ebfd5fdfb
+--- /dev/null
 b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.cpp
+@@ -0,0 +1,20 @@
++/** @file
++  Acts as the main entry point for the tests for the Ip6Dxe module.
++
++  Copyright (c) Microsoft Corporation
++  SPDX-License-Identifier: BSD-2-Clause-Patent
++**/
++#include 
++
++
++// Run the tests
++///

[OE-core][kirkstone][PATCH 07/11] ovmf: Fix CVE-2023-45235

2024-07-10 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

EDK2's Network Package is susceptible to a buffer overflow vulnerability
when handling the Server ID option from a DHCPv6 proxy Advertise message.
This vulnerability can be exploited by an attacker to gain unauthorized
access and potentially lead to a loss of Confidentiality, Integrity
and/or Availability.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-45235

Upstream-patches:
https://github.com/tianocore/edk2/commit/fac297724e6cc343430cd0104e55cd7a96d1151e
https://github.com/tianocore/edk2/commit/ff2986358f75d8f58ef08a66fe673539c9c48f41

Signed-off-by: Soumya Sambu 
---
 .../ovmf/ovmf/CVE-2023-45235-0001.patch   | 243 +++
 .../ovmf/ovmf/CVE-2023-45235-0002.patch   | 379 ++
 meta/recipes-core/ovmf/ovmf_git.bb|   2 +
 3 files changed, 624 insertions(+)
 create mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2023-45235-0001.patch
 create mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2023-45235-0002.patch

diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2023-45235-0001.patch 
b/meta/recipes-core/ovmf/ovmf/CVE-2023-45235-0001.patch
new file mode 100644
index 00..264172f623
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/CVE-2023-45235-0001.patch
@@ -0,0 +1,243 @@
+From fac297724e6cc343430cd0104e55cd7a96d1151e Mon Sep 17 00:00:00 2001
+From: Doug Flick 
+Date: Fri, 26 Jan 2024 05:54:55 +0800
+Subject: [PATCH] NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45235 Patch
+
+REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4540
+
+Bug Details:
+PixieFail Bug #7
+CVE-2023-45235
+CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
+CWE-119 Improper Restriction of Operations within the Bounds of
+ a Memory Buffer
+
+Buffer overflow when handling Server ID option from a DHCPv6 proxy
+Advertise message
+
+Change Overview:
+
+Performs two checks
+
+1. Checks that the length of the duid is accurate
+> + //
+> + // Check that the minimum and maximum requirements are met
+> + //
+> + if ((OpLen < PXEBC_MIN_SIZE_OF_DUID) ||
+(OpLen > PXEBC_MAX_SIZE_OF_DUID)) {
+> +  Status = EFI_INVALID_PARAMETER;
+> +  goto ON_ERROR;
+> + }
+
+2. Ensures that the amount of data written to the buffer is tracked and
+never exceeds that
+> + //
+> + // Check that the option length is valid.
+> + //
+> + if ((DiscoverLen + OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN)
+ > DiscoverLenNeeded) {
+> + Status = EFI_OUT_OF_RESOURCES;
+> + goto ON_ERROR;
+> + }
+
+Additional code clean up and fix for memory leak in case Option was NULL
+
+Cc: Saloni Kasbekar 
+Cc: Zachary Clark-williams 
+
+Signed-off-by: Doug Flick [MSFT] 
+Reviewed-by: Saloni Kasbekar 
+
+CVE: CVE-2023-45235
+
+Upstream-Status: Backport 
[https://github.com/tianocore/edk2/commit/fac297724e6cc343430cd0104e55cd7a96d1151e]
+
+Signed-off-by: Soumya Sambu 
+---
+ NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c | 77 ++--
+ NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.h | 17 ++
+ 2 files changed, 78 insertions(+), 16 deletions(-)
+
+diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c 
b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c
+index 2b2d372889..7fd1281c11 100644
+--- a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c
 b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c
+@@ -887,6 +887,7 @@ PxeBcRequestBootService (
+   EFI_STATUS   Status;
+   EFI_DHCP6_PACKET *IndexOffer;
+   UINT8*Option;
++  UINTNDiscoverLenNeeded;
+ 
+   PxeBc  = &Private->PxeBc;
+   Request= Private->Dhcp6Request;
+@@ -899,7 +900,8 @@ PxeBcRequestBootService (
+ return EFI_DEVICE_ERROR;
+   }
+ 
+-  Discover = AllocateZeroPool (sizeof (EFI_PXE_BASE_CODE_DHCPV6_PACKET));
++  DiscoverLenNeeded = sizeof (EFI_PXE_BASE_CODE_DHCPV6_PACKET);
++  Discover  = AllocateZeroPool (DiscoverLenNeeded);
+   if (Discover == NULL) {
+ return EFI_OUT_OF_RESOURCES;
+   }
+@@ -924,16 +926,34 @@ PxeBcRequestBootService (
+DHCP6_OPT_SERVER_ID
+);
+ if (Option == NULL) {
+-  return EFI_NOT_FOUND;
++  Status = EFI_NOT_FOUND;
++  goto ON_ERROR;
+ }
+ 
+ //
+ // Add Server ID Option.
+ //
+ OpLen = NTOHS (((EFI_DHCP6_PACKET_OPTION *)Option)->OpLen);
+-CopyMem (DiscoverOpt, Option, OpLen + 4);
+-DiscoverOpt += (OpLen + 4);
+-DiscoverLen += (OpLen + 4);
++
++//
++// Check that the minimum and maximum requirements are met
++//
++if ((OpLen < PXEBC_MIN_SIZE_OF_DUID) || (OpLen > PXEBC_MAX_SIZE_OF_DUID)) 
{
++  Status = EFI_INVALID_PARAMETER;
++  goto ON_ERROR;
++}
++
++//
++// Check that the option length is valid.
++//
++if ((DiscoverLen + OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN) > 
DiscoverLenNeeded) {
++  Status = EFI_OUT_OF_RESOURCES;
++  goto ON_ERROR;
++}
++
++CopyMem (DiscoverOpt, Option, OpLen + 
PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN);
++DiscoverOpt += (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN);
++D
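Review bot: both new error paths `goto ON_ERROR`, and the message says the label also closes a leak when Option is NULL, but the ON_ERROR body is cut off in this archive; confirm it frees `Discover` (allocated a few lines earlier via AllocateZeroPool) on every path, since the old `return EFI_NOT_FOUND` leaked it. The order of the checks is right: DUID bounds first, then `DiscoverLen + OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN > DiscoverLenNeeded` against the allocation, then the CopyMem. One readability point: `DiscoverLenNeeded` is assigned from `sizeof (EFI_PXE_BASE_CODE_DHCPV6_PACKET)` and immediately used for the allocation; keeping the capacity in one variable is good, but a comment that it is the capacity of `Discover` (not a length still to be computed) would stop a later reader from "fixing" the check.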

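The option-length discipline from the CVE-2023-45229, CVE-2023-45231 and CVE-2023-45235 patches in this series, combined into one added example of a bounds-checked option walk and a bounded copy. This is editor's code, not EDK2 code: the option layout follows RFC 8415 (2-byte code, 2-byte length, big-endian), DUID_MIN_LEN and all function names are assumptions for the demonstration (the EDK2 PXEBC_MIN/MAX_SIZE_OF_DUID values are not on this page and are not reproduced), and the packets are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Editor's example, not EDK2 code: DHCPv6 option handling with the length
 * checks the CVE-2023-45229/-45231/-45235 patches add. */

#define OPT_HDR_LEN    4u
#define OPT_SERVER_ID  2u    /* OPTION_SERVERID, RFC 8415 */
#define DUID_MIN_LEN   3u    /* assumption: 2-byte DUID type + at least 1 octet */
#define DUID_MAX_LEN   130u  /* RFC 8415 11.1 upper bound on a DUID */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk buf[0..len) and return the first option with `code`, or NULL. A header
 * is read only when four bytes remain and a body is accepted only when its
 * stated length fits in what is left, so a truncated trailer ends the walk
 * instead of being read past the buffer (the -45229 and -45231 defect). */
const uint8_t *dhcp6_find_option(const uint8_t *buf, size_t len,
                                 uint16_t code, uint16_t *body_len) {
    size_t off = 0;
    while (len - off >= OPT_HDR_LEN) {
        uint16_t op_code = rd16(buf + off);
        uint16_t op_len  = rd16(buf + off + 2);
        if (op_len > len - off - OPT_HDR_LEN) {
            return NULL;  /* body claims more bytes than the packet holds */
        }
        if (op_code == code) {
            *body_len = op_len;
            return buf + off;
        }
        off += OPT_HDR_LEN + op_len;  /* a zero-length body still advances 4 */
    }
    return NULL;
}

typedef enum { COPY_OK, COPY_NOT_FOUND, COPY_BAD_DUID, COPY_NO_SPACE } copy_status;

/* Append the Server ID option from `offer` to the fixed-size `discover`
 * buffer, tracking bytes already written in *discover_len. This is the shape
 * of the -45235 fix: DUID bounds first, then header + body against the
 * remaining capacity, and only then the memcpy. */
copy_status dhcp6_append_server_id(const uint8_t *offer, size_t offer_len,
                                   uint8_t *discover, size_t discover_cap,
                                   size_t *discover_len) {
    uint16_t op_len;
    const uint8_t *opt = dhcp6_find_option(offer, offer_len, OPT_SERVER_ID, &op_len);
    if (opt == NULL) {
        return COPY_NOT_FOUND;
    }
    if (op_len < DUID_MIN_LEN || op_len > DUID_MAX_LEN) {
        return COPY_BAD_DUID;
    }
    if (*discover_len + op_len + OPT_HDR_LEN > discover_cap) {
        return COPY_NO_SPACE;
    }
    memcpy(discover + *discover_len, opt, op_len + OPT_HDR_LEN);
    *discover_len += op_len + OPT_HDR_LEN;
    return COPY_OK;
}

/* Constructed packets exercising each path. which: 0 good, 1 truncated
 * server-id body, 2 oversized DUID, anything else: output too small. */
copy_status dhcp6_case(int which, size_t *written) {
    /* client-id (code 1, 4 bytes) then server-id (code 2, 10-byte DUID) */
    static const uint8_t good[] = {0,1,0,4, 0xde,0xad,0xbe,0xef,
                                   0,2,0,10, 0,1,0,1,0x11,0x22,0x33,0x44,0x55,0x66};
    /* same packet with the server-id body cut after 5 bytes */
    static const uint8_t truncated[] = {0,1,0,4, 0xde,0xad,0xbe,0xef,
                                        0,2,0,10, 0,1,0,1,0x11};
    static uint8_t oversize[4 + 131];  /* server-id body above DUID_MAX_LEN */
    uint8_t discover[64];
    *written = 0;
    switch (which) {
    case 0: return dhcp6_append_server_id(good, sizeof good, discover, sizeof discover, written);
    case 1: return dhcp6_append_server_id(truncated, sizeof truncated, discover, sizeof discover, written);
    case 2:
        oversize[0] = 0; oversize[1] = 2; oversize[2] = 0; oversize[3] = 131;
        return dhcp6_append_server_id(oversize, sizeof oversize, discover, sizeof discover, written);
    default: return dhcp6_append_server_id(good, sizeof good, discover, 8, written);
    }
}

int    dhcp6_case_status(int which)  { size_t w; return (int)dhcp6_case(which, &w); }
size_t dhcp6_case_written(int which) { size_t w; dhcp6_case(which, &w); return w; }
```

The walk never reads a header unless four bytes remain and never trusts a body length it has not compared with the remaining packet, which is what stops the over-read; the copy checks the DUID bounds and the remaining output capacity before memcpy and keeps a running length, which is what stops the over-write. Of the four constructed cases only the first copies anything (14 bytes: header plus the 10-byte DUID); the truncated, oversized and no-space cases each stop at the corresponding check.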
[OE-core][kirkstone][PATCH 02/11] ovmf: Fix CVE-2022-36764

2024-07-10 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

EDK2 is susceptible to a vulnerability in the Tcg2MeasurePeImage()
function, allowing a user to trigger a heap buffer overflow via a local
network. Successful exploitation of this vulnerability may result in a
compromise of confidentiality, integrity, and/or availability.

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-36764

Upstream-patches:
https://github.com/tianocore/edk2/commit/c7b27944218130cca3bbb20314ba5b88b5de4aa4
https://github.com/tianocore/edk2/commit/0d341c01eeabe0ab5e76693b36e728b8f538a40e
https://github.com/tianocore/edk2/commit/8f6d343ae639fba8e4b80e45257275e23083431f

Signed-off-by: Soumya Sambu 
---
 .../ovmf/ovmf/CVE-2022-36764-0001.patch   | 271 +
 .../ovmf/ovmf/CVE-2022-36764-0002.patch   | 281 ++
 .../ovmf/ovmf/CVE-2022-36764-0003.patch   |  48 +++
 meta/recipes-core/ovmf/ovmf_git.bb|   3 +
 4 files changed, 603 insertions(+)
 create mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2022-36764-0001.patch
 create mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2022-36764-0002.patch
 create mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2022-36764-0003.patch

diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2022-36764-0001.patch 
b/meta/recipes-core/ovmf/ovmf/CVE-2022-36764-0001.patch
new file mode 100644
index 00..a552f36b2c
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/CVE-2022-36764-0001.patch
@@ -0,0 +1,271 @@
+From c7b27944218130cca3bbb20314ba5b88b5de4aa4 Mon Sep 17 00:00:00 2001
+From: "Douglas Flick [MSFT]" 
+Date: Fri, 12 Jan 2024 02:16:04 +0800
+Subject: [PATCH] SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4118 - CVE
+  2022-36764
+
+This commit contains the patch files and tests for DxeTpm2MeasureBootLib
+CVE 2022-36764.
+
+Cc: Jiewen Yao 
+
+Signed-off-by: Doug Flick [MSFT] 
+Reviewed-by: Jiewen Yao 
+
+CVE: CVE-2022-36764
+
+Upstream-Status: Backport 
[https://github.com/tianocore/edk2/commit/c7b27944218130cca3bbb20314ba5b88b5de4aa4]
+
+Signed-off-by: Soumya Sambu 
+---
+ .../DxeTpm2MeasureBootLib.c   | 12 ++--
+ .../DxeTpm2MeasureBootLibSanitization.c   | 46 +-
+ .../DxeTpm2MeasureBootLibSanitization.h   | 28 -
+ .../DxeTpm2MeasureBootLibSanitizationTest.c   | 60 ---
+ 4 files changed, 131 insertions(+), 15 deletions(-)
+
+diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c 
b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
+index 0475103d6e..714cc8e03e 100644
+--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
 b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
+@@ -378,7 +378,6 @@ Exit:
+   @retval EFI_OUT_OF_RESOURCES   No enough resource to measure image.
+   @retval EFI_UNSUPPORTEDImageType is unsupported or PE image is 
mal-format.
+   @retval other error value
+-
+ **/
+ EFI_STATUS
+ EFIAPI
+@@ -405,6 +404,7 @@ Tcg2MeasurePeImage (
+   Status= EFI_UNSUPPORTED;
+   ImageLoad = NULL;
+   EventPtr  = NULL;
++  Tcg2Event = NULL;
+ 
+   Tcg2Protocol = MeasureBootProtocols->Tcg2Protocol;
+   CcProtocol   = MeasureBootProtocols->CcProtocol;
+@@ -420,18 +420,22 @@ Tcg2MeasurePeImage (
+   }
+ 
+   FilePathSize = (UINT32)GetDevicePathSize (FilePath);
++  Status   = SanitizePeImageEventSize (FilePathSize, &EventSize);
++  if (EFI_ERROR (Status)) {
++return EFI_UNSUPPORTED;
++  }
+ 
+   //
+   // Determine destination PCR by BootPolicy
+   //
+-  EventSize = sizeof (*ImageLoad) - sizeof (ImageLoad->DevicePath) + 
FilePathSize;
+-  EventPtr  = AllocateZeroPool (EventSize + sizeof (EFI_TCG2_EVENT) - sizeof 
(Tcg2Event->Event));
++  // from a malicious GPT disk partition
++  EventPtr = AllocateZeroPool (EventSize);
+   if (EventPtr == NULL) {
+ return EFI_OUT_OF_RESOURCES;
+   }
+ 
+   Tcg2Event   = (EFI_TCG2_EVENT *)EventPtr;
+-  Tcg2Event->Size = EventSize + sizeof (EFI_TCG2_EVENT) - 
sizeof (Tcg2Event->Event);
++  Tcg2Event->Size = EventSize;
+   Tcg2Event->Header.HeaderSize= sizeof (EFI_TCG2_EVENT_HEADER);
+   Tcg2Event->Header.HeaderVersion = EFI_TCG2_EVENT_HEADER_VERSION;
+   ImageLoad   = (EFI_IMAGE_LOAD_EVENT *)Tcg2Event->Event;
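Review bot: the added comment line `// from a malicious GPT disk partition` sits directly under the unchanged `// Determine destination PCR by BootPolicy` and belongs to neither; Tcg2MeasurePeImage measures a PE image, not a GPT, so the fragment reads as leftover from the GPT change. Either complete the comment to say what SanitizePeImageEventSize guards against when EventSize is derived from FilePathSize, or drop the line. The early `return EFI_UNSUPPORTED` also discards the Status that SanitizePeImageEventSize returned; emitting it with DEBUG before returning would make rejected images diagnosable from the boot log.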
+diff --git 
a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c 
b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c
+index e2309655d3..2a4d52c6d5 100644
+--- 
a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c
 
b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c
+@@ -151,7 +151,7 @@ SanitizeEfiPartitionTableHeader (
+ }
+ 
+ /**
+-  This function will validate that the allocation size from the primary 
header is sane
++ This function will validate that the allocation size from the primary header 
is sane
+   It will check the following:
+ - AllocationSize does not overflow
+ 
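Review bot: the replacement line in this hunk only re-wraps the doc comment and drops one of the two leading spaces (`+ This function will validate` versus the unchanged `+   It will check`), so the block's indentation is now inconsistent with the rest of the comment; keep the original indentation and re-wrap only if the line exceeds the width limit.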
+@@ -273,3 +273,47 @@ Sani

[OE-core][kirkstone][PATCH 06/11] ovmf: Fix CVE-2023-45234

2024-07-10 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

EDK2's Network Package is susceptible to a buffer overflow vulnerability
when processing DNS Servers option from a DHCPv6 Advertise message. This
vulnerability can be exploited by an attacker to gain unauthorized access
and potentially lead to a loss of Confidentiality, Integrity and/or
Availability.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-45234

Upstream-patches:
https://github.com/tianocore/edk2/commit/1b53515d53d303166b2bbd31e2cc7f16fd0aecd7
https://github.com/tianocore/edk2/commit/458c582685fc0e8057d2511c5a0394078d988c17

Signed-off-by: Soumya Sambu 
---
 .../ovmf/ovmf/CVE-2023-45234-0001.patch   | 154 ++
 .../ovmf/ovmf/CVE-2023-45234-0002.patch   | 485 ++
 meta/recipes-core/ovmf/ovmf_git.bb|   2 +
 3 files changed, 641 insertions(+)
 create mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2023-45234-0001.patch
 create mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2023-45234-0002.patch

diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2023-45234-0001.patch 
b/meta/recipes-core/ovmf/ovmf/CVE-2023-45234-0001.patch
new file mode 100644
index 00..463b4b824d
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/CVE-2023-45234-0001.patch
@@ -0,0 +1,154 @@
+From 1b53515d53d303166b2bbd31e2cc7f16fd0aecd7 Mon Sep 17 00:00:00 2001
+From: Doug Flick 
+Date: Fri, 26 Jan 2024 05:54:52 +0800
+Subject: [PATCH] NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45234 Patch
+
+REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4539
+
+Bug Details:
+PixieFail Bug #6
+CVE-2023-45234
+CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
+CWE-119 Improper Restriction of Operations within the Bounds of
+ a Memory Buffer
+
+Buffer overflow when processing DNS Servers option in a DHCPv6
+Advertise message
+
+Change Overview:
+
+Introduces a function to cache the Dns Server and perform sanitizing
+on the incoming DnsServerLen to ensure that the length is valid
+
+> + EFI_STATUS
+> + PxeBcCacheDnsServerAddresses (
+> +  IN PXEBC_PRIVATE_DATA*Private,
+> +  IN PXEBC_DHCP6_PACKET_CACHE  *Cache6
+> +  )
+
+Additional code cleanup
+
+Cc: Saloni Kasbekar 
+Cc: Zachary Clark-williams 
+
+Signed-off-by: Doug Flick [MSFT] 
+Reviewed-by: Saloni Kasbekar 
+
+CVE: CVE-2023-45234
+
+Upstream-Status: Backport 
[https://github.com/tianocore/edk2/commit/1b53515d53d303166b2bbd31e2cc7f16fd0aecd7]
+
+Signed-off-by: Soumya Sambu 
+---
+ NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c | 71 +---
+ 1 file changed, 65 insertions(+), 6 deletions(-)
+
+diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c 
b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c
+index 425e0cf806..2b2d372889 100644
+--- a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c
 b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c
+@@ -3,6 +3,7 @@
+ 
+   (C) Copyright 2014 Hewlett-Packard Development Company, L.P.
+   Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
++  Copyright (c) Microsoft Corporation
+ 
+   SPDX-License-Identifier: BSD-2-Clause-Patent
+ 
+@@ -1312,6 +1313,65 @@ PxeBcSelectDhcp6Offer (
+   }
+ }
+ 
++/**
++  Cache the DHCPv6 DNS Server addresses
++
++  @param[in] Private   The pointer to PXEBC_PRIVATE_DATA.
++  @param[in] Cache6The pointer to PXEBC_DHCP6_PACKET_CACHE.
++
++  @retvalEFI_SUCCESS   Cache the DHCPv6 DNS Server address 
successfully.
++  @retvalEFI_OUT_OF_RESOURCES  Failed to allocate resources.
++  @retvalEFI_DEVICE_ERROR  The DNS Server Address Length provided by 
a untrusted
++   option is not a multiple of 16 bytes 
(sizeof (EFI_IPv6_ADDRESS)).
++**/
++EFI_STATUS
++PxeBcCacheDnsServerAddresses (
++  IN PXEBC_PRIVATE_DATA*Private,
++  IN PXEBC_DHCP6_PACKET_CACHE  *Cache6
++  )
++{
++  UINT16  DnsServerLen;
++
++  DnsServerLen = NTOHS (Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpLen);
++  //
++  // Make sure that the number is nonzero
++  //
++  if (DnsServerLen == 0) {
++return EFI_DEVICE_ERROR;
++  }
++
++  //
++  // Make sure the DnsServerlen is a multiple of EFI_IPv6_ADDRESS (16)
++  //
++  if (DnsServerLen % sizeof (EFI_IPv6_ADDRESS) != 0) {
++return EFI_DEVICE_ERROR;
++  }
++
++  //
++  // This code is currently written to only support a single DNS Server 
instead
++  // of multiple such as is spec defined (RFC3646, Section 3). The proper 
behavior
++  // would be to allocate the full space requested, CopyMem all of the data,
++  // and then add a DnsServerCount field to Private and update additional code
++  // that depends on this.
++  //
++  // To support multiple DNS servers the `AllocationSize` would need to be 
changed to DnsServerLen
++  //
++  // This is tracked in https://bugzilla.tianocore.org/show_bug.cgi?id=1886
++  //
++  Private->DnsServer = AllocateZeroPool (sizeof (EFI_IPv6_ADDRESS));
++  if (Private->DnsServer == NULL) {
++return EFI_OUT_OF_RESOURCES;
++  }
++
++  //
++  // Intentionally only copy over the first server address.
++  // To support multipl
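Review bot: `Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]` is dereferenced to read OpLen with no NULL check inside PxeBcCacheDnsServerAddresses; if the caller guarantees the option is present, state that in the doc comment, otherwise return EFI_INVALID_PARAMETER when the entry is NULL. Two smaller points in the same hunk: the zero-length case returns EFI_DEVICE_ERROR but the @retval text only describes the not-a-multiple-of-16 case, and `Private->DnsServer` is overwritten with a fresh AllocateZeroPool result without freeing any earlier allocation, which leaks if the function runs more than once for the same instance.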

[OE-core][kirkstone][PATCH 05/11] ovmf: Fix CVE-2023-45232, CVE-2023-45233

2024-07-10 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

CVE-2023-45232:
EDK2's Network Package is susceptible to an infinite loop vulnerability
when parsing unknown options in the Destination Options header of IPv6.
This vulnerability can be exploited by an attacker to gain unauthorized
access and potentially lead to a loss of Availability.

CVE-2023-45233:
EDK2's Network Package is susceptible to an infinite loop vulnerability

when parsing a PadN option in the Destination Options header of IPv6.
This vulnerability can be exploited by an attacker to gain unauthorized
access and potentially lead to a loss of Availability.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-45232
https://nvd.nist.gov/vuln/detail/CVE-2023-45233

Upstream-patches:
https://github.com/tianocore/edk2/commit/4df0229ef992d4f2721a8508787ebf9dc81fbd6e
https://github.com/tianocore/edk2/commit/c9c87f08dd6ace36fa843424522c3558a8374cac

Signed-off-by: Soumya Sambu 
---
 .../CVE-2023-45232-CVE-2023-45233-0001.patch  | 360 +++
 .../CVE-2023-45232-CVE-2023-45233-0002.patch  | 417 ++
 meta/recipes-core/ovmf/ovmf_git.bb|   2 +
 3 files changed, 779 insertions(+)
 create mode 100644 
meta/recipes-core/ovmf/ovmf/CVE-2023-45232-CVE-2023-45233-0001.patch
 create mode 100644 
meta/recipes-core/ovmf/ovmf/CVE-2023-45232-CVE-2023-45233-0002.patch

diff --git 
a/meta/recipes-core/ovmf/ovmf/CVE-2023-45232-CVE-2023-45233-0001.patch 
b/meta/recipes-core/ovmf/ovmf/CVE-2023-45232-CVE-2023-45233-0001.patch
new file mode 100644
index 00..d43e971d9d
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/CVE-2023-45232-CVE-2023-45233-0001.patch
@@ -0,0 +1,360 @@
+From 4df0229ef992d4f2721a8508787ebf9dc81fbd6e Mon Sep 17 00:00:00 2001
+From: Doug Flick 
+Date: Fri, 26 Jan 2024 05:54:50 +0800
+Subject: [PATCH] NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45232 Patch
+
+REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4537
+REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4538
+
+Bug Details:
+PixieFail Bug #4
+CVE-2023-45232
+CVSS 7.5 : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
+CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
+
+Infinite loop when parsing unknown options in the Destination Options
+header
+
+PixieFail Bug #5
+CVE-2023-45233
+CVSS 7.5 : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
+CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
+
+Infinite loop when parsing a PadN option in the Destination Options
+header
+
+Change Overview:
+
+Most importantly this change corrects the following incorrect math
+and cleans up the code.
+
+>   // It is a PadN option
+>   //
+> - Offset = (UINT8)(Offset + *(Option + Offset + 1) + 2);
+> + OptDataLen = ((EFI_IP6_OPTION *)(Option + Offset))->Length;
+> + Offset = IP6_NEXT_OPTION_OFFSET (Offset, OptDataLen);
+
+> case Ip6OptionSkip:
+> - Offset = (UINT8)(Offset + *(Option + Offset + 1));
+>   OptDataLen = ((EFI_IP6_OPTION *)(Option + Offset))->Length;
+>   Offset = IP6_NEXT_OPTION_OFFSET (Offset, OptDataLen);
+
+Additionally, this change also corrects incorrect math where the calling
+function was calculating the HDR EXT optionLen as a uint8 instead of a
+uint16
+
+> - OptionLen = (UINT8)((*Option + 1) * 8 - 2);
+> + OptionLen = IP6_HDR_EXT_LEN (*Option) -
+IP6_COMBINED_SIZE_OF_NEXT_HDR_AND_LEN;
+
+Additionally this check adds additional logic to santize the incoming
+data
+
+Cc: Saloni Kasbekar 
+Cc: Zachary Clark-williams 
+
+Signed-off-by: Doug Flick [MSFT] 
+Reviewed-by: Saloni Kasbekar 
+
+CVE: CVE-2023-45232, CVE-2023-45233
+
+Upstream-Status: Backport 
[https://github.com/tianocore/edk2/commit/4df0229ef992d4f2721a8508787ebf9dc81fbd6e]
+
+Signed-off-by: Soumya Sambu 
+---
+ NetworkPkg/Ip6Dxe/Ip6Nd.h | 35 
+ NetworkPkg/Ip6Dxe/Ip6Option.c | 76 ++-
+ NetworkPkg/Ip6Dxe/Ip6Option.h | 71 
+ 3 files changed, 171 insertions(+), 11 deletions(-)
+
+diff --git a/NetworkPkg/Ip6Dxe/Ip6Nd.h b/NetworkPkg/Ip6Dxe/Ip6Nd.h
+index 860934a167..bf64e9114e 100644
+--- a/NetworkPkg/Ip6Dxe/Ip6Nd.h
 b/NetworkPkg/Ip6Dxe/Ip6Nd.h
+@@ -56,13 +56,48 @@ VOID
+   VOID  *Context
+   );
+ 
++//
++// Per RFC8200 Section 4.2
++//
++//   Two of the currently-defined extension headers -- the Hop-by-Hop
++//   Options header and the Destination Options header -- carry a variable
++//   number of type-length-value (TLV) encoded "options", of the following
++//   format:
++//
++//  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- - - - - - - - -
++//  |  Option Type  |  Opt Data Len |  Option Data
++//  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- - - - - - - - -
++//
++//  Option Type  8-bit identifier of the type of option.
++//
++//  Opt Data Len 8-bit unsigned integer.  Length of the Option
++//   Data field of this option, in octets.
++//
++//  Option Data  Variable-length field.  Option-Type-specific
++//   data.
++//
+ typedef struct _IP6_

[OE-core][kirkstone][PATCH 03/11] ovmf: Fix CVE-2023-45230

2024-07-10 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

EDK2's Network Package is susceptible to a buffer overflow vulnerability
via a long server ID option in DHCPv6 client. This vulnerability can be
exploited by an attacker to gain unauthorized access and potentially lead
to a loss of Confidentiality, Integrity and/or Availability.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-45230

Upstream-patches:
https://github.com/tianocore/edk2/commit/f31453e8d6542461d92d835e0b79fec8b039174d
https://github.com/tianocore/edk2/commit/5f3658197bf29c83b3349b0ab1d99cdb0c3814bc

Signed-off-by: Soumya Sambu 
---
 .../ovmf/ovmf/CVE-2023-45230-0001.patch   | 1617 +
 .../ovmf/ovmf/CVE-2023-45230-0002.patch   |  604 ++
 meta/recipes-core/ovmf/ovmf_git.bb|2 +
 3 files changed, 2223 insertions(+)
 create mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2023-45230-0001.patch
 create mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2023-45230-0002.patch

diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2023-45230-0001.patch 
b/meta/recipes-core/ovmf/ovmf/CVE-2023-45230-0001.patch
new file mode 100644
index 00..b0e13c1613
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/CVE-2023-45230-0001.patch
@@ -0,0 +1,1617 @@
+From f31453e8d6542461d92d835e0b79fec8b039174d Mon Sep 17 00:00:00 2001
+From: "Doug Flick via groups.io" 
+Date: Fri, 26 Jan 2024 05:54:43 +0800
+Subject: [PATCH] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch
+
+REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4535
+
+Bug Details:
+PixieFail Bug #2
+CVE-2023-45230
+CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
+CWE-119 Improper Restriction of Operations within the Bounds
+ of a Memory Buffer
+
+Changes Overview:
+> -UINT8 *
+> +EFI_STATUS
+>  Dhcp6AppendOption (
+> -  IN OUT UINT8   *Buf,
+> -  IN UINT16  OptType,
+> -  IN UINT16  OptLen,
+> -  IN UINT8   *Data
+> +  IN OUT EFI_DHCP6_PACKET  *Packet,
+> +  IN OUT UINT8 **PacketCursor,
+> +  IN UINT16OptType,
+> +  IN UINT16OptLen,
+> +  IN UINT8 *Data
+>);
+
+Dhcp6AppendOption() and variants can return errors now.  All callsites
+are adapted accordingly.
+
+It gets passed in EFI_DHCP6_PACKET as additional parameter ...
+
+> +  //
+> +  // Verify the PacketCursor is within the packet
+> +  //
+> +  if (  (*PacketCursor < Packet->Dhcp6.Option)
+> + || (*PacketCursor >= Packet->Dhcp6.Option +
+ (Packet->Size - sizeof (EFI_DHCP6_HEADER
+> +  {
+> +return EFI_INVALID_PARAMETER;
+> +  }
+
+... so it can look at Packet->Size when checking buffer space.
+Also to allow Packet->Length updates.
+
+Lots of checks added.
+
+Cc: Saloni Kasbekar 
+Cc: Zachary Clark-williams 
+
+Signed-off-by: Doug Flick [MSFT] 
+Reviewed-by: Saloni Kasbekar 
+
+CVE: CVE-2023-45230
+
+Upstream-Status: Backport 
[https://github.com/tianocore/edk2/commit/f31453e8d6542461d92d835e0b79fec8b039174d]
+
+Signed-off-by: Soumya Sambu 
+---
+ NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h|  43 +++
+ NetworkPkg/Dhcp6Dxe/Dhcp6Io.c  | 409 +++--
+ NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c | 373 +-
+ NetworkPkg/Dhcp6Dxe/Dhcp6Utility.h |  82 +++---
+ 4 files changed, 668 insertions(+), 239 deletions(-)
+
+diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h b/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h
+index 0eb9c669b5..f2422c2f28 100644
+--- a/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h
 b/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h
+@@ -45,6 +45,49 @@ typedef struct _DHCP6_INSTANCE  DHCP6_INSTANCE;
+ #define DHCP6_SERVICE_SIGNATURE   SIGNATURE_32 ('D', 'H', '6', 'S')
+ #define DHCP6_INSTANCE_SIGNATURE  SIGNATURE_32 ('D', 'H', '6', 'I')
+ 
++//
++// For more information on DHCP options see RFC 8415, Section 21.1
++//
++// The format of DHCP options is:
++//
++// 0   1   2   3
++// 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
++//+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
++//|  option-code  |   option-len  |
++//+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
++//|  option-data  |
++//|  (option-len octets)  |
++//+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
++//
++#define DHCP6_SIZE_OF_OPT_CODE  (sizeof(UINT16))
++#define DHCP6_SIZE_OF_OPT_LEN   (sizeof(UINT16))
++
++//
++// Combined size of Code and Length
++//
++#define DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN  (DHCP6_SIZE_OF_OPT_CODE + \
++  DHCP6_SIZE_OF_OPT_LEN)
++
++STATIC_ASSERT (
++  DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN == 4,
++  "Combined size of Code and Length must be 4 per RFC 8415"
++  );
++
++//
++// Offset to the length is just past the code
++//
++#define DHCP6_OPT_LEN_OFFSET(a)  (a + DHCP6_SIZE_OF_OPT_CODE)
++STATIC_ASSERT (
++  DHCP6_OPT_LEN_OFFSET (0) == 2,
++  "Offset
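Review bot: `DHCP6_OPT_LEN_OFFSET(a)` expands to `(a + DHCP6_SIZE_OF_OPT_CODE)` without parenthesizing the macro argument, so a caller that passes an expression (a cast, a conditional) gets the wrong precedence; write it as `((a) + DHCP6_SIZE_OF_OPT_CODE)`. The STATIC_ASSERT with argument 0 will not catch that, since it only exercises the constant case.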

[OE-core][kirkstone][PATCH 01/11] ovmf: Fix CVE-2022-36763

2024-07-10 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

EDK2 is susceptible to a vulnerability in the Tcg2MeasureGptTable()
function, allowing a user to trigger a heap buffer overflow via a local
network. Successful exploitation of this vulnerability may result in a
compromise of confidentiality, integrity, and/or availability.

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-36763

Upstream-patches:
https://github.com/tianocore/edk2/commit/224446543206450ddb5830e6abd026d61d3c7f4b
https://github.com/tianocore/edk2/commit/4776a1b39ee08fc45c70c1eab5a0195f325000d3
https://github.com/tianocore/edk2/commit/1ddcb9fc6b4164e882687b031e8beacfcf7df29e

Signed-off-by: Soumya Sambu 
---
 .../ovmf/ovmf/CVE-2022-36763-0001.patch   | 985 ++
 .../ovmf/ovmf/CVE-2022-36763-0002.patch   | 889 
 .../ovmf/ovmf/CVE-2022-36763-0003.patch   |  55 +
 meta/recipes-core/ovmf/ovmf_git.bb|   3 +
 4 files changed, 1932 insertions(+)
 create mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2022-36763-0001.patch
 create mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2022-36763-0002.patch
 create mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2022-36763-0003.patch

diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2022-36763-0001.patch 
b/meta/recipes-core/ovmf/ovmf/CVE-2022-36763-0001.patch
new file mode 100644
index 00..93cefe7740
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/CVE-2022-36763-0001.patch
@@ -0,0 +1,985 @@
+From 224446543206450ddb5830e6abd026d61d3c7f4b Mon Sep 17 00:00:00 2001
+From: "Douglas Flick [MSFT]" 
+Date: Fri, 12 Jan 2024 02:16:01 +0800
+Subject: [PATCH] SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4117 - CVE
+ 2022-36763
+
+This commit contains the patch files and tests for DxeTpm2MeasureBootLib
+CVE 2022-36763.
+
+Cc: Jiewen Yao 
+
+Signed-off-by: Doug Flick [MSFT] 
+
+CVE: CVE-2022-36763
+
+Upstream-Status: Backport 
[https://github.com/tianocore/edk2/commit/224446543206450ddb5830e6abd026d61d3c7f4b]
+
+Signed-off-by: Soumya Sambu 
+---
+ .../DxeTpm2MeasureBootLib.c   |  69 ++--
+ .../DxeTpm2MeasureBootLib.inf |   4 +-
+ .../DxeTpm2MeasureBootLibSanitization.c   | 275 
+ .../DxeTpm2MeasureBootLibSanitization.h   | 113 +++
+ .../DxeTpm2MeasureBootLibSanitizationTest.c   | 303 ++
+ ...Tpm2MeasureBootLibSanitizationTestHost.inf |  28 ++
+ SecurityPkg/SecurityPkg.ci.yaml   |   1 +
+ 7 files changed, 763 insertions(+), 30 deletions(-)
+ create mode 100644 
SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c
+ create mode 100644 
SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h
+ create mode 100644 
SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c
+ create mode 100644 
SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTestHost.inf
+
+diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c 
b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
+index 36a256a7af..0475103d6e 100644
+--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
 b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
+@@ -20,6 +20,8 @@ Copyright (c) 2013 - 2018, Intel Corporation. All rights 
reserved.
+ (C) Copyright 2015 Hewlett Packard Enterprise Development LP
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+ 
++Copyright (c) Microsoft Corporation.
++SPDX-License-Identifier: BSD-2-Clause-Patent
+ **/
+ 
+ #include 
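Review bot: after this hunk the file header carries `SPDX-License-Identifier: BSD-2-Clause-Patent` twice, the existing line and the added one; SPDX scanners expect a single identifier per file, so add only the Microsoft copyright line and leave the existing identifier as the one license statement.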
+@@ -44,6 +46,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
+ #include 
+ #include 
+ 
++#include "DxeTpm2MeasureBootLibSanitization.h"
++
+ typedef struct {
+   EFI_TCG2_PROTOCOL  *Tcg2Protocol;
+   EFI_CC_MEASUREMENT_PROTOCOL*CcProtocol;
+@@ -144,10 +148,11 @@ Tcg2MeasureGptTable (
+   EFI_TCG2_EVENT   *Tcg2Event;
+   EFI_CC_EVENT *CcEvent;
+   EFI_GPT_DATA *GptData;
+-  UINT32   EventSize;
++  UINT32   TcgEventSize;
+   EFI_TCG2_PROTOCOL*Tcg2Protocol;
+   EFI_CC_MEASUREMENT_PROTOCOL  *CcProtocol;
+   EFI_CC_MR_INDEX  MrIndex;
++  UINT32   AllocSize;
+ 
+   if (mTcg2MeasureGptCount > 0) {
+ return EFI_SUCCESS;
+@@ -195,25 +200,22 @@ Tcg2MeasureGptTable (
+  BlockIo->Media->BlockSize,
+  (UINT8 *)PrimaryHeader
+  );
+-  if (EFI_ERROR (Status)) {
+-DEBUG ((DEBUG_ERROR, "Failed to Read Partition Table Header!\n"));
++  if (EFI_ERROR (Status) || EFI_ERROR (SanitizeEfiPartitionTableHeader 
(PrimaryHeader, BlockIo))) {
++DEBUG ((DEBUG_ERROR, "Failed to read Partition Table Header or invalid 
Partition Table Header!\n"));
+ FreePool (PrimaryHeader);
+ return EFI_DEVICE_ERROR;
+   }
+ 
+   //
+-  // PrimaryHeader->SizeOfPartitionEntry should not be zero
++  // Read the partition entry.
+  
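Review bot: folding the read failure and the header check into one condition, `if (EFI_ERROR (Status) || EFI_ERROR (SanitizeEfiPartitionTableHeader (PrimaryHeader, BlockIo)))`, loses the distinction in the log: the single DEBUG message cannot tell an I/O error from a rejected header, and the sanitizer's own status is thrown away. Keep two checks, or at least store the sanitizer's return in Status and print it in the DEBUG line, so a rejected GPT can be diagnosed from the boot log.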

[OE-core][scarthgap][PATCH 1/1] util-linux: Fix CVE-2024-28085

2024-06-07 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

wall in util-linux through 2.40, often installed with setgid
tty permissions, allows escape sequences to be sent to other
users' terminals through argv. (Specifically, escape sequences
received from stdin are blocked, but escape sequences received
from argv are not blocked.) There may be plausible scenarios
where this leads to account takeover.

References:
https://nvd.nist.gov/vuln/detail/CVE-2024-28085

Signed-off-by: Soumya Sambu 
---
 meta/recipes-core/util-linux/util-linux.inc   |  2 ++
 .../util-linux/CVE-2024-28085-0001.patch  | 36 +++
 .../util-linux/CVE-2024-28085-0002.patch  | 34 ++
 3 files changed, 72 insertions(+)
 create mode 100644 
meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0001.patch
 create mode 100644 
meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0002.patch

diff --git a/meta/recipes-core/util-linux/util-linux.inc 
b/meta/recipes-core/util-linux/util-linux.inc
index d506783f9a..48520ef951 100644
--- a/meta/recipes-core/util-linux/util-linux.inc
+++ b/meta/recipes-core/util-linux/util-linux.inc
@@ -40,6 +40,8 @@ SRC_URI = 
"${KERNELORG_MIRROR}/linux/utils/util-linux/v${MAJOR_VERSION}/util-lin
file://avoid_parallel_tests.patch \
file://0001-login-utils-include-libgen.h-for-basename-API.patch \
file://fcntl-lock.c \
+   file://CVE-2024-28085-0001.patch \
+   file://CVE-2024-28085-0002.patch \
"
 
 SRC_URI[sha256sum] = 
"7b6605e48d1a49f43cc4b4cfc59f313d0dd5402fa40b96810bd572e167dfed0f"
diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0001.patch 
b/meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0001.patch
new file mode 100644
index 00..af39931b3f
--- /dev/null
+++ b/meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0001.patch
@@ -0,0 +1,36 @@
+From 07f0f0f5bd1e5e2268257ae1ff6d76a9b6c6ea8b Mon Sep 17 00:00:00 2001
+From: Karel Zak 
+Date: Wed, 17 Jan 2024 12:37:08 +0100
+Subject: [PATCH] wall: fix calloc cal [-Werror=calloc-transposed-args]
+
+term-utils/wall.c:143:37: error: xcalloc sizes specified with sizeof in the 
earlier argument and not in the later argument [-Werror=calloc-transposed-args]
+  143 | buf->groups = xcalloc(sizeof(*buf->groups), buf->ngroups);
+  | ^
+term-utils/wall.c:143:37: note: earlier argument should specify number of 
elements, later size of each element
+
+Signed-off-by: Karel Zak 
+
+CVE: CVE-2024-28085
+
+Upstream-Status: Backport 
[https://github.com/util-linux/util-linux/commit/07f0f0f5bd1e5e2268257ae1ff6d76a9b6c6ea8b]
+
+Signed-off-by: Soumya Sambu 
+---
+ term-utils/wall.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/term-utils/wall.c b/term-utils/wall.c
+index 377db45..85c006a 100644
+--- a/term-utils/wall.c
 b/term-utils/wall.c
+@@ -135,7 +135,7 @@ static struct group_workspace *init_group_workspace(const 
char *group)
+
+   buf->requested_group = get_group_gid(group);
+   buf->ngroups = sysconf(_SC_NGROUPS_MAX) + 1;  /* room for the primary 
gid */
+-  buf->groups = xcalloc(sizeof(*buf->groups), buf->ngroups);
++  buf->groups = xcalloc(buf->ngroups, sizeof(*buf->groups));
+
+   return buf;
+ }
+--
+2.40.0
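Review bot: this hunk is a compiler-warning fix (calloc argument order, no behavioural change), yet the patch header tags it `CVE: CVE-2024-28085`; the cover message should say that 0001 is only a prerequisite for 0002, as the kirkstone series for the same CVE does, so the tag is not read as a second fix for the CVE.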
diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0002.patch 
b/meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0002.patch
new file mode 100644
index 00..a2b914d580
--- /dev/null
+++ b/meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0002.patch
@@ -0,0 +1,34 @@
+From 404b0781f52f7c045ca811b2dceec526408ac253 Mon Sep 17 00:00:00 2001
+From: Karel Zak 
+Date: Thu, 21 Mar 2024 11:16:20 +0100
+Subject: [PATCH] wall: fix escape sequence Injection [CVE-2024-28085]
+
+Let's use for all cases the same output function.
+
+Reported-by: Skyler Ferrante 
+Signed-off-by: Karel Zak 
+
+CVE: CVE-2024-28085
+
+Upstream-Status: Backport 
[https://github.com/util-linux/util-linux/commit/404b0781f52f7c045ca811b2dceec526408ac253]
+
+Signed-off-by: Soumya Sambu 
+---
+ term-utils/wall.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/term-utils/wall.c b/term-utils/wall.c
+index 85c006a..0212c03 100644
+--- a/term-utils/wall.c
 b/term-utils/wall.c
+@@ -328,7 +328,7 @@ static char *makemsg(char *fname, char **mvec, int mvecsz,
+   int i;
+
+   for (i = 0; i < mvecsz; i++) {
+-  fputs(mvec[i], fs);
++  fputs_careful(mvec[i], fs, '^', true, TERM_WIDTH);
+   if (i < mvecsz - 1)
+   fputc(' ', fs);
+   }
+--
+2.40.0
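Review bot: `fputs_careful(mvec[i], fs, '^', true, TERM_WIDTH)` replaces the plain fputs, but the series carries no hunk adding fputs_careful or the header declaring it; confirm that the util-linux version scarthgap ships already provides that function with this five-argument signature, since the kirkstone backport of the same CVE needed four prerequisite commits. A one-line comment at the call site explaining the `'^'` caret escape and the `true` argument would also help the next reader, as the literals are otherwise opaque.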
-- 
2.40.0


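The wall description above (escape sequences arriving via argv reaching other users' terminals while the stdin path already blocked them) is the kind of bug one shared careful-output routine prevents. The C example below is added here and is not util-linux code: `render_careful` and `build_message` are hypothetical names, the caret notation mirrors the `'^'` escape character passed to fputs_careful in the patch, and the sample words are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Copy the untrusted text `in` into `out` (capacity `outlen`), rewriting
 * every control byte in caret notation so a terminal reading the result
 * never sees a raw ESC (0x1b) or other C0 control that could start an
 * escape sequence. ESC becomes "^[", BEL "^G", DEL (0x7f) "^?".
 * Newline and tab are kept because a wall message is line-oriented text.
 * Bytes >= 0x80 pass through unchanged on the assumption of UTF-8 output,
 * where the C1 controls (0x80-0x9f) only occur as continuation bytes.
 * Returns the number of bytes stored (excluding the NUL) or -1 if `out`
 * is too small for the escaped text. (Hypothetical helper, not util-linux.)
 */
int render_careful(const char *in, char *out, size_t outlen)
{
    size_t o = 0;

    if (outlen == 0)
        return -1;
    for (const unsigned char *p = (const unsigned char *)in; *p != '\0'; p++) {
        unsigned char c = *p;
        bool plain = c == '\n' || c == '\t' || (c >= 0x20 && c != 0x7f);

        if (plain) {
            if (o + 1 >= outlen)
                return -1;
            out[o++] = (char)c;
        } else {
            /* caret form flips bit 6: 0x1b -> '[', 0x07 -> 'G', 0x7f -> '?' */
            if (o + 2 >= outlen)
                return -1;
            out[o++] = '^';
            out[o++] = (char)(c ^ 0x40);
        }
    }
    out[o] = '\0';
    return (int)o;
}

/*
 * Build a wall-style message from argv words, joining them with single
 * spaces the way makemsg() joins mvec[], but pushing every word through
 * the same rendering function the stdin path would use, so neither input
 * source can smuggle a raw escape sequence. Returns the length or -1.
 */
int build_message(int argc, char *const argv[], char *out, size_t outlen)
{
    size_t o = 0;

    if (outlen == 0)
        return -1;
    for (int i = 0; i < argc; i++) {
        int n = render_careful(argv[i], out + o, outlen - o);

        if (n < 0)
            return -1;
        o += (size_t)n;
        if (i < argc - 1) {
            if (o + 1 >= outlen)
                return -1;
            out[o++] = ' ';
        }
    }
    out[o] = '\0';
    return (int)o;
}

int main(void)
{
    /* constructed sample: the middle word embeds an OSC title-set sequence */
    char *const words[] = { "hello", "\x1b]0;x\x07", "world" };
    char buf[128];

    if (build_message(3, words, buf, sizeof buf) < 0)
        return 1;
    puts(buf);   /* prints: hello ^[]0;x^G world */
    return 0;
}
```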

[OE-core][kirkstone][PATCH 1/1] git: Fix multiple CVEs

2024-05-30 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

CVE-2024-32002:
Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4,
2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be
crafted in a way that exploits a bug in Git whereby it can be fooled into
writing files not into the submodule's worktree but into a `.git/` directory.
This allows writing a hook that will be executed while the clone operation
is still running, giving the user no opportunity to inspect the code that is
being executed. The problem has been patched in versions 2.45.1, 2.44.1,
2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is
disabled in Git (e.g. via `git config --global core.symlinks false`), the
described attack won't work. As always, it is best to avoid cloning
repositories from untrusted sources.

CVE-2024-32004:
Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4,
2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repository
in such a way that, when cloned, will execute arbitrary code during the
operation. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4,
2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid cloning repositories
from untrusted sources.

CVE-2024-32020:
Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4,
2.42.2, 2.41.1, 2.40.2, and 2.39.4, local clones may end up hardlinking files
into the target repository's object database when source and target repository
reside on the same disk. If the source repository is owned by a different user,
then those hardlinked files may be rewritten at any point in time by the
untrusted user. Cloning local repositories will cause Git to either copy or
hardlink files of the source repository into the target repository. This
significantly speeds up such local clones compared to doing a "proper" clone and
saves both disk space and compute time. When cloning a repository located on the
same disk that is owned by a different user than the current user we also end up
creating such hardlinks. These files will continue to be owned and controlled by
the potentially-untrusted user and can be rewritten by them at will in the
future. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2,
2.41.1, 2.40.2, and 2.39.4.

CVE-2024-32021:
Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4,
2.42.2, 2.41.1, 2.40.2, and 2.39.4, when cloning a local source repository that
contains symlinks via the filesystem, Git may create hardlinks to arbitrary
user-readable files on the same filesystem as the target repository in the
`objects/` directory. Cloning a local repository over the filesystem may
create hardlinks to arbitrary user-owned files on the same filesystem in the
target Git repository's `objects/` directory. When cloning a repository over the
filesystem (without explicitly specifying the `file://` protocol or `--no-local`),
the optimizations for local cloning will be used, which include attempting to
hard link the object files instead of copying them. While the code includes checks
against symbolic links in the source repository, which were added during the fix
for CVE-2022-39253, these checks can still be raced because the hard link
operation ultimately follows symlinks. If the object on the filesystem appears as
a file during the check, and then a symlink during the operation, this will allow
the adversary to bypass the check and create hardlinks in the destination objects
directory to arbitrary, user-readable files. The problem has been patched in
versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4.

CVE-2024-32465:
Git is a revision control system. The Git project recommends to avoid working in
untrusted repositories, and instead to clone it first with `git clone --no-local`
to obtain a clean copy. Git has specific protections to make that a safe
operation even with an untrusted source repository, but vulnerabilities allow
those protections to be bypassed. In the context of cloning local repositories
owned by other users, this vulnerability has been covered in CVE-2024-32004. But
there are circumstances where the fixes for CVE-2024-32004 are not enough: For
example, when obtaining a `.zip` file containing a full copy of a Git repository,
it should not be trusted by default to be safe, as e.g. hooks could be configured
to run within the context of that repository. The problem has been patched in
versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a
workaround, avoid using Git in repositories that have been obtained via archives
from untrusted sources.

References:
https://nvd.nist.gov/vuln/detail/CVE-2024-32002
https://nvd.nist.gov/vuln/detail/CVE-2024-32004
https://nvd.nist.gov/vuln/detail/CVE-2024-32020
https://nvd.nist.gov/vuln/detail/CVE-2024-32021
https://nvd.nist.gov/vuln/detail/CVE-2024-32465

Signed-off-by: Soumya Sambu 
---
 .../git/git/CVE-2024-32002-0001.patch |  69 ++
 .../git
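The CVE-2024-32004 text above comes down to a check-then-act race: the source is inspected as a regular file, then hard-linked by path, and the link is what ends up following a symlink swapped in between. The following is an added illustration of the defensive pattern (open the source with `O_NOFOLLOW`, link by path, then prove the new directory entry is the very inode that was inspected), written for this page and not taken from git's code; `link_verified`, `link_verified_selftest` and the temporary-directory scenario are constructed names and data, and the code assumes Linux/POSIX with a writable `/tmp`:

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hard-link src to dst without letting a symlink swapped in between the
 * check and the link() win: open src with O_NOFOLLOW (a symlink source is
 * refused outright), remember the inode actually opened, create the link by
 * path, then prove the new directory entry is that same inode.
 * Returns 0 on success, -1 with errno set on failure; a link that fails
 * verification is removed again so no stray entry is left behind.
 * Constructed example, not git's implementation. */
int link_verified(const char *src, const char *dst)
{
    int fd = open(src, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;                      /* ELOOP when src is a symlink */

    struct stat st_src;
    if (fstat(fd, &st_src) < 0 || !S_ISREG(st_src.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }

    /* The path can be re-pointed at a symlink right here; that is the race. */
    if (link(src, dst) < 0) {
        close(fd);
        return -1;
    }

    /* Verification: dst must be a regular file on the same device with the
     * same inode as the descriptor still held, i.e. the object inspected. */
    struct stat st_dst;
    int same = lstat(dst, &st_dst) == 0 && S_ISREG(st_dst.st_mode) &&
               st_dst.st_dev == st_src.st_dev && st_dst.st_ino == st_src.st_ino;
    close(fd);
    if (!same) {
        unlink(dst);
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Constructed self-check in a throw-away directory: a regular "object" must
 * link, and a symlink posing as an object (pointing at an unrelated file
 * "secret") must be refused with nothing created at the destination.
 * Returns 1 when both hold, 0 otherwise. */
int link_verified_selftest(void)
{
    char dir[] = "/tmp/linkverify.XXXXXX";
    if (mkdtemp(dir) == NULL)
        return 0;

    char object[300], secret[300], fake[300], dst_ok[300], dst_bad[300];
    snprintf(object, sizeof object, "%s/object", dir);
    snprintf(secret, sizeof secret, "%s/secret", dir);
    snprintf(fake, sizeof fake, "%s/fake-object", dir);
    snprintf(dst_ok, sizeof dst_ok, "%s/copy-of-object", dir);
    snprintf(dst_bad, sizeof dst_bad, "%s/copy-of-fake", dir);

    int result = 0;
    FILE *f1 = fopen(object, "w");
    FILE *f2 = fopen(secret, "w");
    if (f1 && f2) {
        fputs("loose object bytes\n", f1);
        fputs("not for the destination\n", f2);
    }
    if (f1) fclose(f1);
    if (f2) fclose(f2);

    if (f1 && f2 && symlink(secret, fake) == 0) {
        int regular_ok = link_verified(object, dst_ok) == 0;
        int symlink_refused = link_verified(fake, dst_bad) == -1 &&
                              access(dst_bad, F_OK) == -1;
        result = regular_ok && symlink_refused;
    }

    unlink(dst_ok); unlink(dst_bad); unlink(fake);
    unlink(object); unlink(secret); rmdir(dir);
    return result;
}

int main(void)
{
    printf("link_verified self-check: %s\n",
           link_verified_selftest() ? "passed" : "FAILED");
    return 0;
}
```

The post-link `lstat()` comparison is what closes the window: whatever the path pointed at during `link()`, the destination is kept only if its device and inode match the descriptor opened before the race could begin. On Linux `link()` does not dereference a symlink source, so a swapped-in symlink would surface as a non-regular destination; on a platform whose `link()` does follow symlinks the destination would be a regular file with a foreign inode, and the same comparison catches it.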

[OE-core][kirkstone][PATCH 1/1] util-linux: Fix CVE-2024-28085

2024-05-28 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

wall in util-linux through 2.40, often installed with setgid
tty permissions, allows escape sequences to be sent to other
users' terminals through argv. (Specifically, escape sequences
received from stdin are blocked, but escape sequences received
from argv are not blocked.) There may be plausible scenarios
where this leads to account takeover.

CVE-2024-28085-0005 is the CVE fix and CVE-2024-28085-0001,
CVE-2024-28085-0002, CVE-2024-28085-0003, CVE-2024-28085-0004
are dependent commits to fix the CVE.

References:
https://nvd.nist.gov/vuln/detail/CVE-2024-28085

Signed-off-by: Soumya Sambu 
---
 meta/recipes-core/util-linux/util-linux.inc   |   5 +
 .../util-linux/CVE-2024-28085-0001.patch  | 202 
 .../util-linux/CVE-2024-28085-0002.patch  | 172 ++
 .../util-linux/CVE-2024-28085-0003.patch  | 223 ++
 .../util-linux/CVE-2024-28085-0004.patch  |  36 +++
 .../util-linux/CVE-2024-28085-0005.patch  |  34 +++
 6 files changed, 672 insertions(+)
 create mode 100644 
meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0001.patch
 create mode 100644 
meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0002.patch
 create mode 100644 
meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0003.patch
 create mode 100644 
meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0004.patch
 create mode 100644 
meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0005.patch

diff --git a/meta/recipes-core/util-linux/util-linux.inc 
b/meta/recipes-core/util-linux/util-linux.inc
index 982ec669a2..f8841e6be0 100644
--- a/meta/recipes-core/util-linux/util-linux.inc
+++ b/meta/recipes-core/util-linux/util-linux.inc
@@ -35,6 +35,11 @@ SRC_URI = 
"${KERNELORG_MIRROR}/linux/utils/util-linux/v${MAJOR_VERSION}/util-lin
file://run-ptest \
file://display_testname_for_subtest.patch \
file://avoid_parallel_tests.patch \
+   file://CVE-2024-28085-0001.patch \
+   file://CVE-2024-28085-0002.patch \
+   file://CVE-2024-28085-0003.patch \
+   file://CVE-2024-28085-0004.patch \
+   file://CVE-2024-28085-0005.patch \
"
 
 SRC_URI[sha256sum] = 
"634e6916ad913366c3536b6468e7844769549b99a7b2bf80314de78ab5655b83"
diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0001.patch 
b/meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0001.patch
new file mode 100644
index 00..7ce2d6c567
--- /dev/null
+++ b/meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0001.patch
@@ -0,0 +1,202 @@
+From 8a7b8456d1dc0e7ca557d1ac31f638986704757f Mon Sep 17 00:00:00 2001
+From: наб 
+Date: Wed Mar 15 16:16:31 2023 +0100
+Subject: [PATCH] write: correctly handle wide characters
+
+Do this by replacing fputc_careful() (notice that the description said
+it's locale-aware ‒ it very much is /not/), with a fputs_careful() which
+does the same thing, but if it were to output a byte in the \123 format,
+first it checks whether this byte starts a valid multibyte character.
+
+If it does, and that character is printable, write it verbatim.
+This means that
+  echo 'foo åäö ąęćźżń bar' | write nabijaczleweli pts/4
+instead of
+  foo \303\245\303\244\303\266
+  \304\205\304\231\304\207\305\272\305\274\305\204 bar
+yields
+  foo åäö ąęćźżń bar
+or, more realistically, from a message I got earlier today,
+  Filip powiedzia\305\202 \305\274e zap\305\202aci jutro
+becomes
+  Filip powiedział że zapłaci jutro
+
+Invalid/non-printable sequences get processed as before.
+
+Line reading in write must become getline() to avoid dealing with
+partial characters: for example on input consisting solely of
+ąęćźżń, where every {1} is an instance, the output would be
+  {42}ąęć\305\272żń{84}ąęćź\305\274ń{84}ąęćźż\305\204{39}
+with just fixed-512 fgets()
+
+Bug-Debian: https://bugs.debian.org/826596
+
+CVE: CVE-2024-28085
+
+Upstream-Status: Backport 
[https://github.com/util-linux/util-linux/commit/8a7b8456d1dc0e7ca557d1ac31f638986704757f]
+
+Signed-off-by: Soumya Sambu 
+---
+ include/carefulputc.h | 62 +++
+ login-utils/last.c|  4 +--
+ term-utils/write.c| 25 +
+ 3 files changed, 53 insertions(+), 38 deletions(-)
+
+diff --git a/include/carefulputc.h b/include/carefulputc.h
+index 66a0f15..2506614 100644
+--- a/include/carefulputc.h
 b/include/carefulputc.h
+@@ -1,31 +1,59 @@
+ #ifndef UTIL_LINUX_CAREFULPUTC_H
+ #define UTIL_LINUX_CAREFULPUTC_H
+
+-/*
+- * A putc() for use in write and wall (that sometimes are sgid tty).
+- * It avoids control characters in our locale, and also ASCII control
+- * characters.   Note that the locale of the recipient is unknown.
+-*/
+ #include 
+ #include 
+ #include 
++#ifdef HAVE_WIDECHAR
++#include 
++#endif
++#include 
+
+ #include "cctype.h"
+
+-static inline int fputc_careful(int c, FILE *fp, const char fail)
++/*
++ * A puts() for use in write and wall (that sometimes are sgid t
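Review bot: `CVE: CVE-2024-28085` in the header of 0001 tags a prerequisite (the wide-character rework of `fputc_careful()` into `fputs_careful()`), not the escape-sequence fix that the cover text places in 0005; cve-check will report the CVE as patched on the strength of this tag and file name alone, so the header should say plainly that 0001 is a dependency and where the actual fix lives, or a partial cherry-pick of the series will look complete. Two smaller points: `Date: Wed Mar 15 16:16:31 2023 +0100` is in `git log` rather than `git format-patch` form (`Wed, 15 Mar 2023 16:16:31 +0100`), so confirm `git am` keeps the author date; and compared with the 19 April posting of this series, the diffstat shows the former 34-line 0004 now at 0005 with a new 36-line 0004 in front of it, which a v2 changelog line under the `---` should explain.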

Re: [OE-core][kirkstone][PATCH 1/1] util-linux: Fix CVE-2024-28085

2024-05-28 Thread Soumya via lists.openembedded.org
Thanks for confirming.

Regards,
Soumya

From: Vijay Anusuri 
Sent: Tuesday, May 28, 2024 2:54 PM
To: Sambu, Soumya 
Cc: Marko, Peter ; 
openembedded-core@lists.openembedded.org 

Subject: Re: [OE-core][kirkstone][PATCH 1/1] util-linux: Fix CVE-2024-28085

CAUTION: This email comes from a non Wind River email account!
Do not click links or open attachments unless you recognize the sender and know 
the content is safe.
Hi Soumya,

Along with Debian, Suse also fixed the issue with those 4 dependent commits 
(https://bugzilla.suse.com/show_bug.cgi?id=1221831).

Debian added the "--disable-use-tty-group" configure option during build along
with patch for complete fix
(https://launchpad.net/ubuntu/+source/util-linux/2.37.2-4ubuntu3.4).
We already have that configure option in the recipe file.

I think we can go ahead with the debian patch fix.

Thanks & Regards,
Vijay

On Thu, Apr 25, 2024 at 8:56 AM Sambu, Soumya <soumya.sa...@windriver.com> wrote:
Hi Peter,

Thank you for providing the details.

Based on the information regarding the vulnerability report and the commit 
history provided, it appears that our code is indeed vulnerable as the commit 
introducing the vulnerability still exists in our codebase.

Our util-linux version in the kirkstone branch is v2.37.4, and the vulnerable 
code was introduced in commit cdd3cc7fa4 back in 2013.

I've also noted that Debian is also fixing the CVE, along with the dependent 
commits mentioned in the offending commits list. They have already added 
upstream patches to address CVE-2024-28085 (839ff33b), as detailed in their 
commit here:  
https://salsa.debian.org/debian/util-linux/-/commit/839ff33b8002189411b679cc9ee99d1a99e099cb.

Please review the provided information, and let me know if there's anything 
else we need to consider.

Best Regards,
Soumya

From: Marko, Peter <peter.ma...@siemens.com>
Sent: Friday, April 19, 2024 10:11 PM
To: Sambu, Soumya <soumya.sa...@windriver.com>;
openembedded-core@lists.openembedded.org;
vanus...@mvista.com
Subject: RE: [OE-core][kirkstone][PATCH 1/1] util-linux: Fix CVE-2024-28085


Identical patch was already submitted and then requested to be ignored because 
the issue is apparently introduced by one of the added patches.
https://lists.openembedded.org/g/openembedded-core/message/197670

Since the vulnerability report claims that our version IS vulnerable, it would 
be interesting to know where the truth is...
https://github.com/skyler-ferrante/CVE-2024-28085
 -> The vulnerable code was introduced in commit cdd3cc7fa4 (2013).

Peter

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#199965): 
https://lists.openembedded.org/g/openembedded-core/message/199965
Mute This Topic: https://lists.openembedded.org/mt/105617913/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
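CVE-2024-28085, as described in the thread above, is a filter applied on one input path (stdin) but not the other (argv). The following is an added example of the defensive rule, written for this page and not taken from util-linux's `fputs_careful()`: one escaping routine runs over the fully assembled message, so where a byte came from cannot matter. `escape_for_tty`, `compose_message` and `escape_selftest` are constructed names and the sample message is constructed; unlike the upstream rework it makes no attempt to pass multibyte characters through, treating every byte above 0x7e as unknown, which is the conservative choice when the recipient's locale is not known:

```c
#include <stdio.h>
#include <string.h>

/* Rewrite every byte a terminal might act on as a three-digit octal escape:
 * C0 controls other than tab and newline (so ESC, BEL, CR and friends),
 * DEL, and any byte >= 0x80 (escaped rather than decoded). Copies the
 * result into out; returns the length written, or -1 if out is too small.
 * Constructed example, not util-linux's fputs_careful(). */
int escape_for_tty(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p != '\0'; p++) {
        int printable = (*p >= 0x20 && *p < 0x7f) || *p == '\t' || *p == '\n';
        if (printable) {
            if (n + 1 >= outsz)
                return -1;
            out[n++] = (char)*p;
        } else {
            if (n + 4 >= outsz)             /* need 4 bytes plus the NUL */
                return -1;
            snprintf(out + n, outsz - n, "\\%03o", (unsigned)*p);
            n += 4;
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* The two input paths a wall/write-style tool has: text supplied as
 * command-line arguments and text read from stdin. Both are joined into
 * one message and pass through the same filter, which is the property the
 * CVE text says was missing (only the stdin path was filtered).
 * Returns the escaped length or -1 on overflow. */
int compose_message(const char *argv_text, const char *stdin_text,
                    char *out, size_t outsz)
{
    char raw[1024];
    int len = snprintf(raw, sizeof raw, "%s\n%s\n", argv_text, stdin_text);
    if (len < 0 || (size_t)len >= sizeof raw)
        return -1;
    return escape_for_tty(raw, out, outsz);
}

/* Constructed checks: ESC [2J (clear screen) from either path, DEL and two
 * bytes of a UTF-8 character, and the too-small-buffer edge. Returns 1 when
 * every case produces the expected bytes. */
int escape_selftest(void)
{
    char buf[64], msg[128];
    int ok = escape_for_tty("hi\033[2Jthere\n", buf, sizeof buf) == 15
          && strcmp(buf, "hi\\033[2Jthere\n") == 0;
    ok = ok && escape_for_tty("\177\303\245", buf, sizeof buf) == 12
            && strcmp(buf, "\\177\\303\\245") == 0;
    ok = ok && escape_for_tty("\033", buf, 4) == -1     /* \033 + NUL needs 5 */
            && escape_for_tty("\033", buf, 5) == 4;
    ok = ok && compose_message("from argv \033[2J", "from stdin \033[2J",
                               msg, sizeof msg) == 37
            && strcmp(msg, "from argv \\033[2J\nfrom stdin \\033[2J\n") == 0;
    return ok;
}

int main(void)
{
    char msg[128];
    if (compose_message("from argv \033[2J", "from stdin \033[2J",
                        msg, sizeof msg) >= 0)
        fputs(msg, stdout);     /* both sequences arrive as literal \033[2J */
    printf("self-check: %s\n", escape_selftest() ? "passed" : "FAILED");
    return 0;
}
```

Both ESC [2J sequences come out as the literal text `\033[2J`, so a recipient's terminal prints them instead of clearing the screen; tab and newline are the only control bytes passed through because the tool needs them for layout.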



[OE-core][master][scarthgap][PATCH 1/1] git: upgrade 2.44.0 -> 2.44.1

2024-05-17 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

Addresses the security issues - CVE-2024-32002, CVE-2024-32004,
CVE-2024-32020, CVE-2024-32021 and CVE-2024-32465

Changelog:
==
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.44.1.txt

Signed-off-by: Soumya Sambu 
---
 meta/recipes-devtools/git/{git_2.44.0.bb => git_2.44.1.bb} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-devtools/git/{git_2.44.0.bb => git_2.44.1.bb} (98%)

diff --git a/meta/recipes-devtools/git/git_2.44.0.bb 
b/meta/recipes-devtools/git/git_2.44.1.bb
similarity index 98%
rename from meta/recipes-devtools/git/git_2.44.0.bb
rename to meta/recipes-devtools/git/git_2.44.1.bb
index 90e555eba7..438295c13e 100644
--- a/meta/recipes-devtools/git/git_2.44.0.bb
+++ b/meta/recipes-devtools/git/git_2.44.1.bb
@@ -163,4 +163,4 @@ EXTRA_OECONF += "ac_cv_snprintf_returns_bogus=no \
  "
 EXTRA_OEMAKE += "NO_GETTEXT=1"
 
-SRC_URI[tarball.sha256sum] = 
"f9e36f085458fe9688fbbe7846b8c4770b13d161fcd8953655f36b2b85f06b76"
+SRC_URI[tarball.sha256sum] = 
"118214bb8d7ba971a62741416e757562b8f5451cefc087a407e91857897c92cc"
-- 
2.40.0
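Review bot: the checksum bump is the entire change, which is the right shape for a point release, but the commit message claims five CVEs are addressed without saying how cve-check will know: a version upgrade carries no `CVE:` tag, so the claim rests on the NVD affected-version ranges recognising 2.44.1 as fixed. Citing the section of the 2.44.1 release notes that lists these CVEs, rather than only the raw RelNotes URL, would make that link explicit for stable-branch reviewers.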


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#199506): 
https://lists.openembedded.org/g/openembedded-core/message/199506
Mute This Topic: https://lists.openembedded.org/mt/106149954/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



[OE-core][kirkstone][PATCH 1/1] bluez5: Fix CVE-2023-50230, CVE-2023-50229 and CVE-2023-27349

2024-05-14 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

CVE-2023-50230:
BlueZ Phone Book Access Profile Heap-based Buffer Overflow Remote Code
Execution Vulnerability. This vulnerability allows network-adjacent
attackers to execute arbitrary code on affected installations of BlueZ.
User interaction is required to exploit this vulnerability in that the
target must connect to a malicious Bluetooth device. The specific flaw
exists within the handling of the Phone Book Access profile. The issue
results from the lack of proper validation of the length of user-supplied
data prior to copying it to a fixed-length heap-based buffer. An attacker
can leverage this vulnerability to execute code in the context of root.
Was ZDI-CAN-20938.

CVE-2023-50229:
BlueZ Phone Book Access Profile Heap-based Buffer Overflow Remote Code
Execution Vulnerability. This vulnerability allows network-adjacent
attackers to execute arbitrary code on affected installations of BlueZ.
User interaction is required to exploit this vulnerability in that the
target must connect to a malicious Bluetooth device. The specific flaw
exists within the handling of the Phone Book Access profile. The issue
results from the lack of proper validation of the length of user-supplied
data prior to copying it to a fixed-length heap-based buffer. An attacker
can leverage this vulnerability to execute code in the context of root.
Was ZDI-CAN-20936.

CVE-2023-27349:
BlueZ Audio Profile AVRCP Improper Validation of Array Index Remote Code
Execution Vulnerability. This vulnerability allows network-adjacent
attackers to execute arbitrary code via Bluetooth on affected installations
of BlueZ. User interaction is required to exploit this vulnerability in
that the target must connect to a malicious device. The specific flaw
exists within the handling of the AVRCP protocol. The issue results from
the lack of proper validation of user-supplied data, which can result in a
write past the end of an allocated buffer. An attacker can leverage this
vulnerability to execute code in the context of root. Was ZDI-CAN-19908.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-50230
https://nvd.nist.gov/vuln/detail/CVE-2023-50229
https://nvd.nist.gov/vuln/detail/CVE-2023-27349

Signed-off-by: Soumya Sambu 
---
 meta/recipes-connectivity/bluez5/bluez5.inc   |  4 +-
 .../bluez5/bluez5/CVE-2023-27349.patch| 52 ++
 .../CVE-2023-50230-CVE-2023-50229.patch   | 71 +++
 3 files changed, 126 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-connectivity/bluez5/bluez5/CVE-2023-27349.patch
 create mode 100644 
meta/recipes-connectivity/bluez5/bluez5/CVE-2023-50230-CVE-2023-50229.patch

diff --git a/meta/recipes-connectivity/bluez5/bluez5.inc 
b/meta/recipes-connectivity/bluez5/bluez5.inc
index 7786b65670..a752975b3a 100644
--- a/meta/recipes-connectivity/bluez5/bluez5.inc
+++ b/meta/recipes-connectivity/bluez5/bluez5.inc
@@ -54,7 +54,9 @@ SRC_URI = 
"${KERNELORG_MIRROR}/linux/bluetooth/bluez-${PV}.tar.xz \
${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '', 
'file://0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch', d)} \

file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \
file://0001-test-gatt-Fix-hung-issue.patch \
-  file://CVE-2023-45866.patch \
+   file://CVE-2023-45866.patch \
+   file://CVE-2023-50230-CVE-2023-50229.patch \
+   file://CVE-2023-27349.patch \
"
 S = "${WORKDIR}/bluez-${PV}"
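Review bot: the `-  file://CVE-2023-45866.patch \` / `+   file://CVE-2023-45866.patch \` pair is a whitespace-only re-indent of an unrelated line; drop it so the hunk adds only the two new patch entries, or mention the indentation fix in the commit message so it does not look as if the CVE-2023-45866 patch itself changed.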
 
diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2023-27349.patch 
b/meta/recipes-connectivity/bluez5/bluez5/CVE-2023-27349.patch
new file mode 100644
index 00..26edb3a5cb
--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2023-27349.patch
@@ -0,0 +1,52 @@
+From f54299a850676d92c3dafd83e9174fcfe420ccc9 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz 
+Date: Wed, 22 Mar 2023 11:34:24 -0700
+Subject: [PATCH] avrcp: Fix crash while handling unsupported events
+
+The following crash can be observed if the remote peer send and
+unsupported event:
+
+ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000148f11
+ at pc 0x559644552088 bp 0x7ffe28b3c7b0 sp 0x7ffe28b3c7a0
+ WRITE of size 1 at 0x60b000148f11 thread T0
+ #0 0x559644552087 in avrcp_handle_event profiles/audio/avrcp.c:3907
+ #1 0x559644536c22 in control_response profiles/audio/avctp.c:939
+ #2 0x5596445379ab in session_cb profiles/audio/avctp.c:1108
+ #3 0x7fbcb3e51c43 in g_main_context_dispatch 
(/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43)
+ #4 0x7fbcb3ea66c7  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xaa6c7)
+ #5 0x7fbcb3e512b2 in g_main_loop_run 
(/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x552b2)
+ #6 0x559644754ab6 in mainloop_run src/shared/mainloop-glib.c:66
+ #7 0x559644755606 in mainloop_run_with_signal 
src/shared/mainloop-notify.c:188
+ #8 0x5596445bb963 in main src/main.c:1289
+ #9 0x7fbcb3bafd8f in __libc_start_ca
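Review bot: `CVE:` and `Upstream-Status:` tags are not within the portion shown, which ends inside the AddressSanitizer trace; they belong after the upstream message, as the ncurses backport elsewhere on this page does, with `Upstream-Status: Backport [...]` pointing at upstream commit f54299a850676d92c3dafd83e9174fcfe420ccc9 from the `From` line. The trace also names the failing write (`avrcp_handle_event`, profiles/audio/avrcp.c:3907, reached from `control_response`), so the fix hunk below should be checked against that path specifically.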

[OE-core][kirkstone][PATCH 1/1] ncurses: Fix CVE-2023-45918

2024-05-05 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in 
tinfo/lib_termcap.c.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-45918

Signed-off-by: Soumya Sambu 
---
 .../ncurses/files/CVE-2023-45918.patch| 180 ++
 .../ncurses/ncurses_6.3+20220423.bb   |   1 +
 2 files changed, 181 insertions(+)
 create mode 100644 meta/recipes-core/ncurses/files/CVE-2023-45918.patch

diff --git a/meta/recipes-core/ncurses/files/CVE-2023-45918.patch 
b/meta/recipes-core/ncurses/files/CVE-2023-45918.patch
new file mode 100644
index 00..172b3f8859
--- /dev/null
+++ b/meta/recipes-core/ncurses/files/CVE-2023-45918.patch
@@ -0,0 +1,180 @@
+From bcf02d3242f1c7d57224a95f7903fcf4b5e7695d Mon Sep 17 00:00:00 2001
+From: Thomas E. Dickey 
+Date: Fri, 16 Jun 2023 02:54:29 +0530
+Subject: [PATCH] Fix CVE-2023-45918
+
+CVE: CVE-2023-45918
+
+Upstream-Status: Backport 
[https://ncurses.scripts.mit.edu/?p=ncurses.git;a=commit;h=bcf02d3242f1c7d57224a95f7903fcf4b5e7695d]
+
+Signed-off-by: Soumya Sambu 
+---
+ ncurses/tinfo/comp_error.c | 15 ++---
+ ncurses/tinfo/read_entry.c | 65 ++
+ 2 files changed, 56 insertions(+), 24 deletions(-)
+
+diff --git a/ncurses/tinfo/comp_error.c b/ncurses/tinfo/comp_error.c
+index 48f48784..ee518e28 100644
+--- a/ncurses/tinfo/comp_error.c
 b/ncurses/tinfo/comp_error.c
+@@ -60,8 +60,15 @@ _nc_get_source(void)
+ NCURSES_EXPORT(void)
+ _nc_set_source(const char *const name)
+ {
+-FreeIfNeeded(SourceName);
+-SourceName = strdup(name);
++if (name == NULL) {
++  free(SourceName);
++  SourceName = NULL;
++} else if (SourceName == NULL) {
++  SourceName = strdup(name);
++} else if (strcmp(name, SourceName)) {
++  free(SourceName);
++  SourceName = strdup(name);
++}
+ }
+
+ NCURSES_EXPORT(void)
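Review bot: neither `strdup(name)` branch checks for a NULL return, same as the code it replaces; that is tolerable only because `where_is_problem()` in the next hunk prints `"?"` when `SourceName` is NULL, so an allocation failure degrades to a missing file name rather than a crash, and a one-line comment saying so would stop the next reader from "fixing" it. The new `name == NULL` arm is the behavioural change here: the old unconditional `strdup(name)` would have dereferenced a NULL argument.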
+@@ -95,9 +102,9 @@ static NCURSES_INLINE void
+ where_is_problem(void)
+ {
+ fprintf(stderr, "\"%s\"", SourceName ? SourceName : "?");
+-if (_nc_curr_line >= 0)
++if (_nc_curr_line > 0)
+   fprintf(stderr, ", line %d", _nc_curr_line);
+-if (_nc_curr_col >= 0)
++if (_nc_curr_col > 0)
+   fprintf(stderr, ", col %d", _nc_curr_col);
+ if (TermType != 0 && TermType[0] != '\0')
+   fprintf(stderr, ", terminal '%s'", TermType);
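Review bot: `>= 0` to `> 0` on `_nc_curr_line` and `_nc_curr_col` is a cosmetic change (line 0 and column 0 are no longer printed) unrelated to the NULL dereference; it arrives with the upstream commit so keeping it is fine, but the backport header should say the commit is taken whole, including this message-format tweak, so a reader does not hunt for its security relevance.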
+diff --git a/ncurses/tinfo/read_entry.c b/ncurses/tinfo/read_entry.c
+index 8ccb1570..101bbe09 100644
+--- a/ncurses/tinfo/read_entry.c
 b/ncurses/tinfo/read_entry.c
+@@ -140,12 +140,13 @@ convert_16bits(char *buf, NCURSES_INT2 *Numbers, int 
count)
+ }
+ #endif
+
+-static void
+-convert_strings(char *buf, char **Strings, int count, int size, char *table)
++static bool
++convert_strings(char *buf, char **Strings, int count, int size,
++  char *table, bool always)
+ {
+ int i;
+ char *p;
+-bool corrupt = FALSE;
++bool success = TRUE;
+
+ for (i = 0; i < count; i++) {
+   if (IS_NEG1(buf + 2 * i)) {
+@@ -161,13 +162,10 @@ convert_strings(char *buf, char **Strings, int count, 
int size, char *table)
+   TR(TRACE_DATABASE, ("Strings[%d] = %s", i,
+   _nc_visbuf(Strings[i])));
+   } else {
+-  if (!corrupt) {
+-  corrupt = TRUE;
+-  TR(TRACE_DATABASE,
+- ("ignore out-of-range index %d to Strings[]", nn));
+-  _nc_warning("corrupt data found in convert_strings");
+-  }
+-  Strings[i] = ABSENT_STRING;
++  TR(TRACE_DATABASE,
++ ("found out-of-range index %d to Strings[%d]", nn, i));
++  success = FALSE;
++  break;
+   }
+   }
+
+@@ -177,10 +175,25 @@ convert_strings(char *buf, char **Strings, int count, 
int size, char *table)
+   if (*p == '\0')
+   break;
+   /* if there is no NUL, ignore the string */
+-  if (p >= table + size)
++  if (p >= table + size) {
+   Strings[i] = ABSENT_STRING;
++  } else if (p == Strings[i] && always) {
++  TR(TRACE_DATABASE,
++ ("found empty but required Strings[%d]", i));
++  success = FALSE;
++  break;
++  }
++  } else if (always) {/* names are always needed */
++  TR(TRACE_DATABASE,
++ ("found invalid but required Strings[%d]", i));
++  success = FALSE;
++  break;
+   }
+ }
++if (!success) {
++  _nc_warning("corrupt data found in convert_strings");
++}
++return success;
+ }
+
+ static int
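Review bot: on an out-of-range index or an empty required name the loop now `break`s with `success = FALSE`, leaving `Strings[i]` for the remaining entries untouched, whereas the old code set the bad slot to `ABSENT_STRING` and carried on; that is only safe if the caller in `_nc_read_termtype` (next hunk) treats a FALSE return as a hard `TGETENT_NO` and never hands the partly converted table on. The caller hunk is cut off here at `if (!convert_strings(...)`, so confirm that branch returns before the entry is used; a `break` that leaves stale pointers behind would otherwise reintroduce the kind of bad-pointer path the CVE describes.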
+@@ -383,7 +396,10 @@ _nc_read_termtype(TERMTYPE2 *ptr, char *buffer, int limit)
+   if (Read(string_table, (unsigned) str_size) != str_size) {
+   returnDB(TGETENT_NO);
+   }
+-  convert_strings(buf, ptr->Strings, str_count, str_size, string_table);
++  if (!convert_strings(buf, ptr->Strings, str_count, str_size,
++  

[OE-core][PATCH 1/1] ncurses: Fix CVE-2023-45918

2024-05-05 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in 
tinfo/lib_termcap.c.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-45918

Signed-off-by: Soumya Sambu 
---
 .../ncurses/files/CVE-2023-45918.patch| 180 ++
 meta/recipes-core/ncurses/ncurses_6.4.bb  |   1 +
 2 files changed, 181 insertions(+)
 create mode 100644 meta/recipes-core/ncurses/files/CVE-2023-45918.patch

diff --git a/meta/recipes-core/ncurses/files/CVE-2023-45918.patch 
b/meta/recipes-core/ncurses/files/CVE-2023-45918.patch
new file mode 100644
index 00..fbdae49a61
--- /dev/null
+++ b/meta/recipes-core/ncurses/files/CVE-2023-45918.patch
@@ -0,0 +1,180 @@
+From bcf02d3242f1c7d57224a95f7903fcf4b5e7695d Mon Sep 17 00:00:00 2001
+From: Thomas E. Dickey 
+Date: Fri, 16 Jun 2023 02:54:29 +0530
+Subject: [PATCH] Fix CVE-2023-45918
+
+CVE: CVE-2023-45918
+
+Upstream-Status: Backport 
[https://ncurses.scripts.mit.edu/?p=ncurses.git;a=commit;h=bcf02d3242f1c7d57224a95f7903fcf4b5e7695d]
+
+Signed-off-by: Soumya Sambu 
+---
+ ncurses/tinfo/comp_error.c | 15 ++---
+ ncurses/tinfo/read_entry.c | 65 ++
+ 2 files changed, 56 insertions(+), 24 deletions(-)
+
+diff --git a/ncurses/tinfo/comp_error.c b/ncurses/tinfo/comp_error.c
+index 48f48784..ee518e28 100644
+--- a/ncurses/tinfo/comp_error.c
 b/ncurses/tinfo/comp_error.c
+@@ -60,8 +60,15 @@ _nc_get_source(void)
+ NCURSES_EXPORT(void)
+ _nc_set_source(const char *const name)
+ {
+-FreeIfNeeded(SourceName);
+-SourceName = strdup(name);
++if (name == NULL) {
++  free(SourceName);
++  SourceName = NULL;
++} else if (SourceName == NULL) {
++  SourceName = strdup(name);
++} else if (strcmp(name, SourceName)) {
++  free(SourceName);
++  SourceName = strdup(name);
++}
+ }
+
+ NCURSES_EXPORT(void)
+@@ -95,9 +102,9 @@ static NCURSES_INLINE void
+ where_is_problem(void)
+ {
+ fprintf(stderr, "\"%s\"", SourceName ? SourceName : "?");
+-if (_nc_curr_line >= 0)
++if (_nc_curr_line > 0)
+   fprintf(stderr, ", line %d", _nc_curr_line);
+-if (_nc_curr_col >= 0)
++if (_nc_curr_col > 0)
+   fprintf(stderr, ", col %d", _nc_curr_col);
+ if (TermType != 0 && TermType[0] != '\0')
+   fprintf(stderr, ", terminal '%s'", TermType);
+diff --git a/ncurses/tinfo/read_entry.c b/ncurses/tinfo/read_entry.c
+index 341337d2..b0c3ad26 100644
+--- a/ncurses/tinfo/read_entry.c
 b/ncurses/tinfo/read_entry.c
+@@ -138,12 +138,13 @@ convert_16bits(char *buf, NCURSES_INT2 *Numbers, int 
count)
+ }
+ #endif
+
+-static void
+-convert_strings(char *buf, char **Strings, int count, int size, char *table)
++static bool
++convert_strings(char *buf, char **Strings, int count, int size,
++  char *table, bool always)
+ {
+ int i;
+ char *p;
+-bool corrupt = FALSE;
++bool success = TRUE;
+
+ for (i = 0; i < count; i++) {
+   if (IS_NEG1(buf + 2 * i)) {
+@@ -159,13 +160,10 @@ convert_strings(char *buf, char **Strings, int count, 
int size, char *table)
+   TR(TRACE_DATABASE, ("Strings[%d] = %s", i,
+   _nc_visbuf(Strings[i])));
+   } else {
+-  if (!corrupt) {
+-  corrupt = TRUE;
+-  TR(TRACE_DATABASE,
+- ("ignore out-of-range index %d to Strings[]", nn));
+-  _nc_warning("corrupt data found in convert_strings");
+-  }
+-  Strings[i] = ABSENT_STRING;
++  TR(TRACE_DATABASE,
++ ("found out-of-range index %d to Strings[%d]", nn, i));
++  success = FALSE;
++  break;
+   }
+   }
+
+@@ -175,10 +173,25 @@ convert_strings(char *buf, char **Strings, int count, 
int size, char *table)
+   if (*p == '\0')
+   break;
+   /* if there is no NUL, ignore the string */
+-  if (p >= table + size)
++  if (p >= table + size) {
+   Strings[i] = ABSENT_STRING;
++  } else if (p == Strings[i] && always) {
++  TR(TRACE_DATABASE,
++ ("found empty but required Strings[%d]", i));
++  success = FALSE;
++  break;
++  }
++  } else if (always) {/* names are always needed */
++  TR(TRACE_DATABASE,
++ ("found invalid but required Strings[%d]", i));
++  success = FALSE;
++  break;
+   }
+ }
++if (!success) {
++  _nc_warning("corrupt data found in convert_strings");
++}
++return success;
+ }
+
+ static int
+@@ -382,7 +395,10 @@ _nc_read_termtype(TERMTYPE2 *ptr, char *buffer, int limit)
+   if (Read(string_table, (unsigned) str_size) != str_size) {
+   returnDB(TGETENT_NO);
+   }
+-  convert_strings(buf, ptr->Strings, str_count, str_size, string_table);
++  if (!convert_strings(buf, ptr->Strings, str_count, str_size,
++  
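Review bot: this patch body is identical to the kirkstone submission apart from the read_entry.c `index` line (341337d2..b0c3ad26 here) and the hunk offsets (-138/-159/-175 instead of -140/-161/-177), so one review serves both. The embedded `Date: Fri, 16 Jun 2023` suggests the upstream 6.4 snapshots after that date already carry the fix, so on master a snapshot bump may be cleaner than carrying a backport against ncurses_6.4.bb.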

Re: [OE-core][kirkstone][PATCH 1/1] util-linux: Fix CVE-2024-28085

2024-04-24 Thread Soumya via lists.openembedded.org
Hi Peter,

Thank you for providing the details.

Based on the information regarding the vulnerability report and the commit 
history provided, it appears that our code is indeed vulnerable as the commit 
introducing the vulnerability still exists in our codebase.

Our util-linux version in the kirkstone branch is v2.37.4, and the vulnerable 
code was introduced in commit cdd3cc7fa4 back in 2013.

I've also noted that Debian is also fixing the CVE, along with the dependent 
commits mentioned in the offending commits list. They have already added 
upstream patches to address CVE-2024-28085 (839ff33b), as detailed in their 
commit here:  
https://salsa.debian.org/debian/util-linux/-/commit/839ff33b8002189411b679cc9ee99d1a99e099cb.

Please review the provided information, and let me know if there's anything 
else we need to consider.

Best Regards,
Soumya

From: Marko, Peter 
Sent: Friday, April 19, 2024 10:11 PM
To: Sambu, Soumya ; 
openembedded-core@lists.openembedded.org 
; vanus...@mvista.com 

Subject: RE: [OE-core][kirkstone][PATCH 1/1] util-linux: Fix CVE-2024-28085


Identical patch was already submitted and then requested to be ignored because 
the issue is apparently introduced by one of the added patches.
https://lists.openembedded.org/g/openembedded-core/message/197670

Since the vulnerability report claims that our version IS vulnerable, it would 
be interesting to know where the truth is...
https://github.com/skyler-ferrante/CVE-2024-28085 -> The vulnerable code was 
introduced in commit cdd3cc7fa4 (2013).

Peter

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#198693): 
https://lists.openembedded.org/g/openembedded-core/message/198693
Mute This Topic: https://lists.openembedded.org/mt/105617913/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



[OE-core][kirkstone][PATCH 1/1] util-linux: Fix CVE-2024-28085

2024-04-19 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

wall in util-linux through 2.40, often installed with setgid
tty permissions, allows escape sequences to be sent to other
users' terminals through argv. (Specifically, escape sequences
received from stdin are blocked, but escape sequences received
from argv are not blocked.) There may be plausible scenarios
where this leads to account takeover.

CVE-2024-28085-0004 is the CVE fix and CVE-2024-28085-0001,
CVE-2024-28085-0002, CVE-2024-28085-0003 are dependent commits
to fix the CVE.

References:
https://nvd.nist.gov/vuln/detail/CVE-2024-28085

Signed-off-by: Soumya Sambu 
---
 meta/recipes-core/util-linux/util-linux.inc   |   4 +
 .../util-linux/CVE-2024-28085-0001.patch  | 202 
 .../util-linux/CVE-2024-28085-0002.patch  | 172 ++
 .../util-linux/CVE-2024-28085-0003.patch  | 223 ++
 .../util-linux/CVE-2024-28085-0004.patch  |  34 +++
 5 files changed, 635 insertions(+)
 create mode 100644 
meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0001.patch
 create mode 100644 
meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0002.patch
 create mode 100644 
meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0003.patch
 create mode 100644 
meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0004.patch

diff --git a/meta/recipes-core/util-linux/util-linux.inc 
b/meta/recipes-core/util-linux/util-linux.inc
index 982ec669a2..72c028ac3d 100644
--- a/meta/recipes-core/util-linux/util-linux.inc
+++ b/meta/recipes-core/util-linux/util-linux.inc
@@ -35,6 +35,10 @@ SRC_URI = 
"${KERNELORG_MIRROR}/linux/utils/util-linux/v${MAJOR_VERSION}/util-lin
file://run-ptest \
file://display_testname_for_subtest.patch \
file://avoid_parallel_tests.patch \
+   file://CVE-2024-28085-0001.patch \
+   file://CVE-2024-28085-0002.patch \
+   file://CVE-2024-28085-0003.patch \
+   file://CVE-2024-28085-0004.patch \
"
 
 SRC_URI[sha256sum] = 
"634e6916ad913366c3536b6468e7844769549b99a7b2bf80314de78ab5655b83"
diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0001.patch 
b/meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0001.patch
new file mode 100644
index 00..7ce2d6c567
--- /dev/null
+++ b/meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0001.patch
@@ -0,0 +1,202 @@
+From 8a7b8456d1dc0e7ca557d1ac31f638986704757f Mon Sep 17 00:00:00 2001
+From: наб 
+Date: Wed Mar 15 16:16:31 2023 +0100
+Subject: [PATCH] write: correctly handle wide characters
+
+Do this by replacing fputc_careful() (notice that the description said
+it's locale-aware ‒ it very much is /not/), with a fputs_careful() which
+does the same thing, but if it were to output a byte in the \123 format,
+first it checks whether this byte starts a valid multibyte character.
+
+If it does, and that character is printable, write it verbatim.
+This means that
+  echo 'foo åäö ąęćźżń bar' | write nabijaczleweli pts/4
+instead of
+  foo \303\245\303\244\303\266
+  \304\205\304\231\304\207\305\272\305\274\305\204 bar
+yields
+  foo åäö ąęćźżń bar
+or, more realistically, from a message I got earlier today,
+  Filip powiedzia\305\202 \305\274e zap\305\202aci jutro
+becomes
+  Filip powiedział że zapłaci jutro
+
+Invalid/non-printable sequences get processed as before.
+
+Line reading in write must become getline() to avoid dealing with
+partial characters: for example on input consisting solely of
+ąęćźżń, where every {1} is an instance, the output would be
+  {42}ąęć\305\272żń{84}ąęćź\305\274ń{84}ąęćźż\305\204{39}
+with just fixed-512 fgets()
+
+Bug-Debian: https://bugs.debian.org/826596
+
+CVE: CVE-2024-28085
+
+Upstream-Status: Backport 
[https://github.com/util-linux/util-linux/commit/8a7b8456d1dc0e7ca557d1ac31f638986704757f]
+
+Signed-off-by: Soumya Sambu 
+---
+ include/carefulputc.h | 62 +++
+ login-utils/last.c|  4 +--
+ term-utils/write.c| 25 +
+ 3 files changed, 53 insertions(+), 38 deletions(-)
+
+diff --git a/include/carefulputc.h b/include/carefulputc.h
+index 66a0f15..2506614 100644
+--- a/include/carefulputc.h
 b/include/carefulputc.h
+@@ -1,31 +1,59 @@
+ #ifndef UTIL_LINUX_CAREFULPUTC_H
+ #define UTIL_LINUX_CAREFULPUTC_H
+
+-/*
+- * A putc() for use in write and wall (that sometimes are sgid tty).
+- * It avoids control characters in our locale, and also ASCII control
+- * characters.   Note that the locale of the recipient is unknown.
+-*/
+ #include 
+ #include 
+ #include 
++#ifdef HAVE_WIDECHAR
++#include 
++#endif
++#include 
+
+ #include "cctype.h"
+
+-static inline int fputc_careful(int c, FILE *fp, const char fail)
++/*
++ * A puts() for use in write and wall (that sometimes are sgid tty).
++ * It avoids control and invalid characters.
++ * The locale of the recipient is nominally unknown,
++ * but it's a solid bet that the encoding is compatible with the author's.
++ */
++static inline int fp
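Review bot: the new comment asserts that the recipient's encoding is "a solid bet" to match the author's; that assumption is acceptable for deciding which multibyte characters to pass verbatim, but the security property must not depend on it: every C0 control (other than the whitespace the tool needs), DEL, and every invalid sequence must be escaped regardless of locale, because the recipient's terminal, not the sender's locale, interprets them. The body of `fputs_careful()` is cut off here, so check that the wide-character printable test in the HAVE_WIDECHAR build still routes control characters through the escaping branch and that the non-HAVE_WIDECHAR build falls back to byte-wise escaping.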

[OE-core][kirkstone][PATCH 1/1] go: Fix CVE-2023-45288

2024-04-19 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of
header data by sending an excessive number of CONTINUATION frames.
Maintaining HPACK state requires parsing and processing all HEADERS
and CONTINUATION frames on a connection. When a request's headers
exceed MaxHeaderBytes, no memory is allocated to store the excess
headers, but they are still parsed. This permits an attacker to cause
an HTTP/2 endpoint to read arbitrary amounts of header data, all
associated with a request which is going to be rejected. These headers
can include Huffman-encoded data which is significantly more expensive
for the receiver to decode than for an attacker to send. The fix sets
a limit on the amount of excess header frames we will process before
closing a connection.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-45288

Signed-off-by: Soumya Sambu 
---
 meta/recipes-devtools/go/go-1.17.13.inc   |  3 +-
 .../go/go-1.22/CVE-2023-45288.patch   | 96 +++
 2 files changed, 98 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-devtools/go/go-1.22/CVE-2023-45288.patch

diff --git a/meta/recipes-devtools/go/go-1.17.13.inc 
b/meta/recipes-devtools/go/go-1.17.13.inc
index 768961de2c..b5566db1fe 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -1,6 +1,6 @@
 require go-common.inc
 
-FILESEXTRAPATHS:prepend := 
"${FILE_DIRNAME}/go-1.21:${FILE_DIRNAME}/go-1.20:${FILE_DIRNAME}/go-1.19:${FILE_DIRNAME}/go-1.18:"
+FILESEXTRAPATHS:prepend := 
"${FILE_DIRNAME}/go-1.22:${FILE_DIRNAME}/go-1.21:${FILE_DIRNAME}/go-1.20:${FILE_DIRNAME}/go-1.19:${FILE_DIRNAME}/go-1.18:"
 
 LIC_FILES_CHKSUM = "file://LICENSE;md5=5d4950ecb7b26d2c5e4e7b4e0dd74707"
 
@@ -55,6 +55,7 @@ SRC_URI += "\
 file://CVE-2023-45290.patch \
 file://CVE-2024-24784.patch \
 file://CVE-2024-24785.patch \
+file://CVE-2023-45288.patch \
 "
 SRC_URI[main.sha256sum] = 
"a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
 
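Review bot: FILESEXTRAPATHS now searches go-1.22 ahead of go-1.21 and the older directories for a go 1.17.13 recipe, so a patch file of the same name in go-1.22 silently shadows the copy in go-1.21 or below; worth a check that CVE-2023-45288.patch is the only new file there and that nothing collides, and the new SRC_URI entry would read more naturally next to CVE-2023-45290.patch than appended after the 2024 entries.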
diff --git a/meta/recipes-devtools/go/go-1.22/CVE-2023-45288.patch 
b/meta/recipes-devtools/go/go-1.22/CVE-2023-45288.patch
new file mode 100644
index 00..ad84fb84d9
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.22/CVE-2023-45288.patch
@@ -0,0 +1,96 @@
+From e55d7cf8435ba4e58d4a5694e63b391821d4ee9b Mon Sep 17 00:00:00 2001
+From: Damien Neil 
+Date: Thu, 28 Mar 2024 16:57:51 -0700
+Subject: [PATCH] [release-branch.go1.22] net/http: update bundled
+ golang.org/x/net/http2
+
+Disable cmd/internal/moddeps test, since this update includes PRIVATE
+track fixes.
+
+Fixes CVE-2023-45288
+For #65051
+Fixes #66298
+
+Change-Id: I5bbf774ebe7651e4bb7e55139d3794bd2b8e8fa8
+Reviewed-on: 
https://team-review.git.corp.google.com/c/golang/go-private/+/2197227
+Reviewed-by: Tatiana Bradley 
+Run-TryBot: Damien Neil 
+Reviewed-by: Dmitri Shuralyov 
+Reviewed-on: https://go-review.googlesource.com/c/go/+/576076
+Auto-Submit: Dmitri Shuralyov 
+TryBot-Bypass: Dmitri Shuralyov 
+Reviewed-by: Than McIntosh 
+
+CVE: CVE-2023-45288
+
+Upstream-Status: Backport 
[https://github.com/golang/go/commit/e55d7cf8435ba4e58d4a5694e63b391821d4ee9b]
+
+Signed-off-by: Soumya Sambu 
+---
+ src/cmd/internal/moddeps/moddeps_test.go |  1 +
+ src/net/http/h2_bundle.go| 31 
+ 2 files changed, 32 insertions(+)
+
+diff --git a/src/cmd/internal/moddeps/moddeps_test.go 
b/src/cmd/internal/moddeps/moddeps_test.go
+index d48d43f..ee6d455 100644
+--- a/src/cmd/internal/moddeps/moddeps_test.go
 b/src/cmd/internal/moddeps/moddeps_test.go
+@@ -36,6 +36,7 @@ import (
+ func TestAllDependencies(t *testing.T) {
+   t.Skip("TODO(#57009): 1.19.4 contains unreleased changes from vendored 
modules")
+   t.Skip("TODO(#53977): 1.18.5 contains unreleased changes from vendored 
modules")
++  t.Skip("TODO(#65051): 1.22.2 contains unreleased changes from vendored 
modules")
+
+   goBin := testenv.GoToolPath(t)
+
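Review bot: the added t.Skip is unreachable, because the first t.Skip at the top of TestAllDependencies already ends the test; it also refers to 1.22.2 although this backport is applied to go 1.17.13, so either drop it from the backport or reword it to the version actually carried here.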
+diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go
+index 9d6abd8..10ff193 100644
+--- a/src/net/http/h2_bundle.go
 b/src/net/http/h2_bundle.go
+@@ -2842,6 +2842,7 @@ func (fr *http2Framer) readMetaFrame(hf 
*http2HeadersFrame) (*http2MetaHeadersFr
+   if size > remainSize {
+   hdec.SetEmitEnabled(false)
+   mh.Truncated = true
++  remainSize = 0
+   return
+   }
+   remainSize -= size
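Review bot: the new `remainSize = 0` turns the remaining budget into a sentinel for "already over the limit" rather than just a counter; a one-line comment at the assignment saying so would help, because a reader of this hunk alone sees an assignment that looks dead (emit is already disabled and the function returns), while the fragment loop further down relies on it.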
+@@ -2854,6 +2855,36 @@ func (fr *http2Framer) readMetaFrame(hf 
*http2HeadersFrame) (*http2MetaHeadersFr
+   var hc http2headersOrContinuation = hf
+   for {
+   frag := hc.HeaderBlockFragment()
++
++  // Avoid parsing large amounts of headers that we will then 
discard.
++  // If the sender exceeds the max header list size by too much,
++  // skip parsing the fragment and close the connection.
++  //
++ 
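The behaviour the commit message describes (headers past the limit are still parsed, and the fix stops processing excess frames before a connection is closed), as an added Go model that is not part of this patch or of net/http: Frame, ReadHeaderBlock and fragments are this example's own names, size is charged per fragment rather than per decoded field, and the rule "reject when the budget is already zero or a fragment is more than twice what remains" is this example's choice.

```go
package main

import (
	"errors"
	"fmt"
)

// Frame is a minimal stand-in for an HTTP/2 HEADERS or CONTINUATION frame,
// constructed for this example (it is not the net/http h2_bundle type).
type Frame struct {
	Continuation bool   // false for the initial HEADERS frame, true for CONTINUATION
	EndHeaders   bool   // END_HEADERS flag: this frame ends the header block
	Fragment     []byte // header block fragment carried by the frame
}

// ErrExcessHeaders stands in for the connection error that makes the receiver
// close the connection instead of decoding further fragments.
var ErrExcessHeaders = errors.New("http2: excess header data, closing connection")

// Result reports what the decoder was asked to do with the header block.
type Result struct {
	Truncated   bool // the header list exceeded the limit (request will be rejected)
	ParsedBytes int  // fragment bytes that were actually fed to the HPACK decoder
}

// ReadHeaderBlock models readMetaFrame: it walks a HEADERS frame and its
// CONTINUATION frames while tracking the remaining header-list budget
// (remainSize, seeded from a MaxHeaderBytes-style limit). Once the budget is
// exhausted the block is marked Truncated and remainSize becomes the sentinel 0,
// which is what lets the loop refuse further fragments before decoding them.
// Simplification: size is charged per fragment; the real decoder charges per field.
func ReadHeaderBlock(frames []Frame, maxHeaderListSize int) (Result, error) {
	var res Result
	if len(frames) == 0 || frames[0].Continuation {
		return res, errors.New("http2: header block must start with a HEADERS frame")
	}
	remainSize := maxHeaderListSize
	for i, f := range frames {
		if i > 0 && !f.Continuation {
			return res, errors.New("http2: expected a CONTINUATION frame")
		}
		frag := f.Fragment
		// The defensive check: refuse before parsing when the sender is already
		// over the limit (remainSize == 0) or this fragment alone is far larger
		// than what is left. The 2x factor is this example's choice.
		if remainSize == 0 || len(frag) > 2*remainSize {
			return res, ErrExcessHeaders
		}
		// Otherwise the fragment is decoded, keeping HPACK state in sync even
		// when its fields will be discarded.
		res.ParsedBytes += len(frag)
		if len(frag) > remainSize {
			res.Truncated = true // emit disabled from here on
			remainSize = 0       // sentinel: any further fragment is excess
		} else {
			remainSize -= len(frag)
		}
		if f.EndHeaders {
			return res, nil
		}
	}
	return res, errors.New("http2: header block not terminated by END_HEADERS")
}

// fragments builds a HEADERS frame of `first` bytes followed by n CONTINUATION
// frames of `size` bytes, the last frame carrying END_HEADERS (constructed input).
func fragments(first, n, size int) []Frame {
	frames := []Frame{{Fragment: make([]byte, first)}}
	for i := 0; i < n; i++ {
		frames = append(frames, Frame{Continuation: true, Fragment: make([]byte, size)})
	}
	frames[len(frames)-1].EndHeaders = true
	return frames
}

func main() {
	const limit = 1024 // stands in for MaxHeaderBytes
	cases := []struct {
		name   string
		frames []Frame
	}{
		{"within limit", fragments(100, 1, 50)},
		{"slightly over limit", fragments(100, 1, 1000)},
		{"over limit then many continuations", fragments(2048, 100, 16)},
	}
	for _, tc := range cases {
		res, err := ReadHeaderBlock(tc.frames, limit)
		fmt.Printf("%-36s parsed=%d truncated=%v err=%v\n", tc.name, res.ParsedBytes, res.Truncated, err)
	}
}
```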

[OE-core][kirkstone][PATCH 1/1] nghttp2: Fix CVE-2024-28182

2024-04-16 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

nghttp2 is an implementation of the Hypertext Transfer Protocol
version 2 in C. The nghttp2 library prior to version 1.61.0 keeps
reading an unbounded number of HTTP/2 CONTINUATION frames even
after a stream is reset, to keep the HPACK context in sync. This
causes excessive CPU usage to decode the HPACK stream. nghttp2 v1.61.0
mitigates this vulnerability by limiting the number of CONTINUATION
frames it accepts per stream. There is no workaround for this
vulnerability.

References:
https://nvd.nist.gov/vuln/detail/CVE-2024-28182

Signed-off-by: Soumya Sambu 
---
 .../nghttp2/nghttp2/CVE-2024-28182-0001.patch | 110 ++
 .../nghttp2/nghttp2/CVE-2024-28182-0002.patch | 105 +
 .../recipes-support/nghttp2/nghttp2_1.47.0.bb |   2 +
 3 files changed, 217 insertions(+)
 create mode 100644 
meta/recipes-support/nghttp2/nghttp2/CVE-2024-28182-0001.patch
 create mode 100644 
meta/recipes-support/nghttp2/nghttp2/CVE-2024-28182-0002.patch

diff --git a/meta/recipes-support/nghttp2/nghttp2/CVE-2024-28182-0001.patch 
b/meta/recipes-support/nghttp2/nghttp2/CVE-2024-28182-0001.patch
new file mode 100644
index 00..e1d909b0d1
--- /dev/null
+++ b/meta/recipes-support/nghttp2/nghttp2/CVE-2024-28182-0001.patch
@@ -0,0 +1,110 @@
+From 00201ecd8f982da3b67d4f6868af72a1b03b14e0 Mon Sep 17 00:00:00 2001
+From: Tatsuhiro Tsujikawa 
+Date: Sat, 9 Mar 2024 16:26:42 +0900
+Subject: [PATCH] Limit CONTINUATION frames following an incoming HEADER frame
+
+CVE: CVE-2024-28182
+
+Upstream-Status: Backport 
[https://github.com/nghttp2/nghttp2/commit/00201ecd8f982da3b67d4f6868af72a1b03b14e0]
+
+Signed-off-by: Soumya Sambu 
+---
+ lib/includes/nghttp2/nghttp2.h |  7 ++-
+ lib/nghttp2_helper.c   |  2 ++
+ lib/nghttp2_session.c  |  7 +++
+ lib/nghttp2_session.h  | 10 ++
+ 4 files changed, 25 insertions(+), 1 deletion(-)
+
+diff --git a/lib/includes/nghttp2/nghttp2.h b/lib/includes/nghttp2/nghttp2.h
+index 2bd35f4..6cc8c0c 100644
+--- a/lib/includes/nghttp2/nghttp2.h
 b/lib/includes/nghttp2/nghttp2.h
+@@ -440,7 +440,12 @@ typedef enum {
+* exhaustion on server side to send these frames forever and does
+* not read network.
+*/
+-  NGHTTP2_ERR_FLOODED = -904
++  NGHTTP2_ERR_FLOODED = -904,
++  /**
++   * When a local endpoint receives too many CONTINUATION frames
++   * following a HEADER frame.
++   */
++  NGHTTP2_ERR_TOO_MANY_CONTINUATIONS = -905,
+ } nghttp2_error;
+
+ /**
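Review bot: the public doc comment says "HEADER frame" where the HTTP/2 frame type is HEADERS (the same wording recurs in the nghttp2_strerror string and the session.h comment), and a new public error code should say which API returns it (nghttp2_session_mem_recv, per the session.c hunk) so callers know to treat it as a fatal connection error. The trailing comma after -905 is valid C99, but the enum previously ended without one.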
+diff --git a/lib/nghttp2_helper.c b/lib/nghttp2_helper.c
+index 588e269..98989f6 100644
+--- a/lib/nghttp2_helper.c
 b/lib/nghttp2_helper.c
+@@ -336,6 +336,8 @@ const char *nghttp2_strerror(int error_code) {
+"closed";
+   case NGHTTP2_ERR_TOO_MANY_SETTINGS:
+ return "SETTINGS frame contained more than the maximum allowed entries";
++  case NGHTTP2_ERR_TOO_MANY_CONTINUATIONS:
++return "Too many CONTINUATION frames following a HEADER frame";
+   default:
+ return "Unknown error code";
+   }
+diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c
+index 5c834fa..537127c 100644
+--- a/lib/nghttp2_session.c
 b/lib/nghttp2_session.c
+@@ -464,6 +464,7 @@ static int session_new(nghttp2_session **session_ptr,
+   (*session_ptr)->max_send_header_block_length = NGHTTP2_MAX_HEADERSLEN;
+   (*session_ptr)->max_outbound_ack = NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM;
+   (*session_ptr)->max_settings = NGHTTP2_DEFAULT_MAX_SETTINGS;
++  (*session_ptr)->max_continuations = NGHTTP2_DEFAULT_MAX_CONTINUATIONS;
+
+   if (option) {
+ if ((option->opt_set_mask & NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE) &&
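Review bot: the default is hard-wired into the session here, but nothing in this patch exposes a setter for max_continuations through the option block that follows, so users of 1.47.0 cannot raise the limit of 8 for legitimately large header blocks; if that setter arrives with the second patch of the series, a pointer in the commit message would help.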
+@@ -6307,6 +6308,8 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session 
*session, const uint8_t *in,
+   }
+ }
+ session_inbound_frame_reset(session);
++
++session->num_continuations = 0;
+   }
+   break;
+ }
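Review bot: num_continuations is zeroed only on this one path after session_inbound_frame_reset(session); moving the reset inside session_inbound_frame_reset() itself would guarantee that every other caller of the reset (error paths included) clears the counter too, so a stale count from a previous header block cannot spill into the next one.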
+@@ -6428,6 +6431,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session 
*session, const uint8_t *in,
+   }
+ #endif /* DEBUGBUILD */
+
++  if (++session->num_continuations > session->max_continuations) {
++return NGHTTP2_ERR_TOO_MANY_CONTINUATIONS;
++  }
++
+   readlen = inbound_frame_buf_read(iframe, in, last);
+   in += readlen;
+
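Review bot: the increment sits before inbound_frame_buf_read(), i.e. it runs every time this state is entered, so please confirm the state is not re-entered when a CONTINUATION frame header arrives split across two nghttp2_session_mem_recv calls; otherwise the counter advances per read rather than per frame and a peer on a slow link could hit the limit of 8 with fewer than 8 frames. Counting once the full frame header has been read would make the limit exact.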
+diff --git a/lib/nghttp2_session.h b/lib/nghttp2_session.h
+index 5f71a16..9a00b0e 100644
+--- a/lib/nghttp2_session.h
 b/lib/nghttp2_session.h
+@@ -107,6 +107,10 @@ typedef struct {
+ #define NGHTTP2_DEFAULT_STREAM_RESET_BURST 1000
+ #define NGHTTP2_DEFAULT_STREAM_RESET_RATE 33
+
++/* The default max number of CONTINUATION frames following an incoming
++   HEADER frame. */
++#define NGHTTP2_DEFAULT_MAX_CONTINUATIONS 8
++
+ /* Internal state when receiving incoming frame */
+ typedef enum {
+   /* Receiving frame header */
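Review bot: the define's comment should spell out what the number means for peers: with NGHTTP2_DEFAULT_MAX_CONTINUATIONS 8 a header block may span one HEADERS plus at most eight CONTINUATION frames before NGHTTP2_ERR_TOO_MANY_CONTINUATIONS is returned, which bounds the number of frames (and so the HPACK decode work) per header block; also HEADERS rather than HEADER.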
+@@ -279,6 +283,12 @@ struct nghttp2_session {
+   size_t max_send_header_block_length;
+   /* The maximum number of settings accepted per SETTINGS frame. */
+   size_t max_settings;
++  /* The maximum number of CONTINUATION frames 

[OE-core][PATCH 1/1] ovmf: update edk2-stable202308 -> edk2-stable202402

2024-04-02 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

Signed-off-by: Soumya Sambu 
---
 meta/recipes-core/ovmf/ovmf_git.bb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-core/ovmf/ovmf_git.bb 
b/meta/recipes-core/ovmf/ovmf_git.bb
index 3dc031d3b6..9463ec148b 100644
--- a/meta/recipes-core/ovmf/ovmf_git.bb
+++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -26,8 +26,8 @@ SRC_URI = 
"gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \
file://0004-reproducible.patch \
"
 
-PV = "edk2-stable202308"
-SRCREV = "819cfc6b42a68790a23509e4fcc58ceb70e1965e"
+PV = "edk2-stable202402"
+SRCREV = "edc6681206c1a8791981a2f911d2fb8b3d2f5768"
 UPSTREAM_CHECK_GITTAGREGEX = "(?Pedk2-stable.*)"
 
 inherit deploy
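Review bot: the commit message carries nothing but the Signed-off-by for a six-month jump of the firmware (edk2-stable202308 to edk2-stable202402 with a new SRCREV); since this is a gitsm fetch, reviewers need to know which submodules moved and whether the carried 0004-reproducible.patch still applies cleanly, so please add a short changelog or a link to the edk2 release notes.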
-- 
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#197904): 
https://lists.openembedded.org/g/openembedded-core/message/197904
Mute This Topic: https://lists.openembedded.org/mt/105304092/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



[OE-core][PATCH 1/1] go: Upgrade 1.22.0 -> 1.22.1

2024-03-15 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

Upgrade to latest 1.22.x release [1]:

$git log --oneline go1.22.0..go1.22.1
db6097f8cb (tag: go1.22.1, origin/release-branch.go1.22) 
[release-branch.go1.22] go1.22.1
041a47712e [release-branch.go1.22] net/textproto, mime/multipart: avoid 
unbounded read in MIME header
3a855208e3 [release-branch.go1.22] net/http, net/http/cookiejar: avoid 
subdomain matches on IPv6 zones
337b8e9cbf [release-branch.go1.22] crypto/x509: make sure pub key is non-nil 
before interface conversion
16830ab48a [release-branch.go1.22] net/http: add missing call to decConnsPerHost
056b0edcb8 [release-branch.go1.22] html/template: escape additional tokens in 
MarshalJSON errors
f73eba76a0 [release-branch.go1.22] net: work around runtime scheduler 
starvation on js and wasip1
5330cd225b [release-branch.go1.22] net/mail: properly handle special characters 
in phrase and obs-phrase
d8c4239f08 [release-branch.go1.22] cmd/go/internal/modcmd: correctly filter out 
main modules in verify
c33adf44ff [release-branch.go1.22] cmd/trace/v2,internal/trace: use correct 
frame for identifying goroutines
3b71998078 [release-branch.go1.22] go/types, types2: ensure that Alias.actual 
is set in NewAlias
8fe2ad6494 [release-branch.go1.22] runtime/internal/atomic: correct GOARM=7 
guard at a DMB instruction
686662f3a4 [release-branch.go1.22] cmd/compile: make jump table symbol static
6cbe522fe1 [release-branch.go1.22] cmd/compile: fail noder.LookupFunc 
gracefully if function generic
fb86598cd3 [release-branch.go1.22] cmd/compile: accept -lang=go1 as -lang=go1.0
6fbd01a711 [release-branch.go1.22] runtime: don't call traceReadCPU on the 
system stack
d6a271939f [release-branch.go1.22] cmd/cgo/internal/testsanitizers: disable 
location checking for clang
20107e05a6 [release-branch.go1.22] internal/testenv: support the LUCI mobile 
builders in tests
53d1b73dff [release-branch.go1.22] internal/testenv: allow "-noopt" anywhere in 
builder name in test
dd31ad7e9f [release-branch.go1.22] spec: fix typo in year (it's 2024 now)

[1] https://github.com/golang/go/compare/go1.22.0...go1.22.1

Signed-off-by: Soumya Sambu 
---
 meta/recipes-devtools/go/{go-1.22.0.inc => go-1.22.1.inc}   | 2 +-
 ...o-binary-native_1.22.0.bb => go-binary-native_1.22.1.bb} | 6 +++---
 ...cross-canadian_1.22.0.bb => go-cross-canadian_1.22.1.bb} | 0
 .../go/{go-cross_1.22.0.bb => go-cross_1.22.1.bb}   | 0
 .../go/{go-crosssdk_1.22.0.bb => go-crosssdk_1.22.1.bb} | 0
 .../go/{go-native_1.22.0.bb => go-native_1.22.1.bb} | 0
 .../go/{go-runtime_1.22.0.bb => go-runtime_1.22.1.bb}   | 0
 meta/recipes-devtools/go/{go_1.22.0.bb => go_1.22.1.bb} | 0
 8 files changed, 4 insertions(+), 4 deletions(-)
 rename meta/recipes-devtools/go/{go-1.22.0.inc => go-1.22.1.inc} (89%)
 rename meta/recipes-devtools/go/{go-binary-native_1.22.0.bb => 
go-binary-native_1.22.1.bb} (78%)
 rename meta/recipes-devtools/go/{go-cross-canadian_1.22.0.bb => 
go-cross-canadian_1.22.1.bb} (100%)
 rename meta/recipes-devtools/go/{go-cross_1.22.0.bb => go-cross_1.22.1.bb} 
(100%)
 rename meta/recipes-devtools/go/{go-crosssdk_1.22.0.bb => 
go-crosssdk_1.22.1.bb} (100%)
 rename meta/recipes-devtools/go/{go-native_1.22.0.bb => go-native_1.22.1.bb} 
(100%)
 rename meta/recipes-devtools/go/{go-runtime_1.22.0.bb => go-runtime_1.22.1.bb} 
(100%)
 rename meta/recipes-devtools/go/{go_1.22.0.bb => go_1.22.1.bb} (100%)

diff --git a/meta/recipes-devtools/go/go-1.22.0.inc 
b/meta/recipes-devtools/go/go-1.22.1.inc
similarity index 89%
rename from meta/recipes-devtools/go/go-1.22.0.inc
rename to meta/recipes-devtools/go/go-1.22.1.inc
index 5b94051fc2..4330853450 100644
--- a/meta/recipes-devtools/go/go-1.22.0.inc
+++ b/meta/recipes-devtools/go/go-1.22.1.inc
@@ -15,4 +15,4 @@ SRC_URI += "\
 file://0009-go-Filter-build-paths-on-staticly-linked-arches.patch \
 file://0001-exec.go-filter-out-build-specific-paths-from-linker-.patch \
 "
-SRC_URI[main.sha256sum] = 
"4d196c3d41a0d6c1dfc64d04e3cc1f608b0c436bd87b7060ce3e23234e1f4d5c"
+SRC_URI[main.sha256sum] = 
"79c9b91d7f109515a25fc3ecdaad125d67e6bdb54f6d4d98580f46799caea321"
diff --git a/meta/recipes-devtools/go/go-binary-native_1.22.0.bb 
b/meta/recipes-devtools/go/go-binary-native_1.22.1.bb
similarity index 78%
rename from meta/recipes-devtools/go/go-binary-native_1.22.0.bb
rename to meta/recipes-devtools/go/go-binary-native_1.22.1.bb
index acd2018dc3..8d8248df8a 100644
--- a/meta/recipes-devtools/go/go-binary-native_1.22.0.bb
+++ b/meta/recipes-devtools/go/go-binary-native_1.22.1.bb
@@ -9,9 +9,9 @@ PROVIDES = "go-native"
 
 # Checksums available at https://go.dev/dl/
 SRC_URI = 
"https://dl.google.com/go/go${PV}.${BUILD_GOOS}-${BUILD_GOARCH}.tar.gz;name=go_${BUILD_GOTUPLE}";
-SRC_URI[go_linux_amd64.sha256sum] = 
"f6c8a87aa03b92c4b0bf3d558e28ea03006eb29db78917daec5cfb6ec1046265"
-SRC_URI[go_linux_arm64.sha256sum] = 
"6a63fef0e050146f275bf02a0896badfe77c11b6f05499bb647e7bd613a45a10"
-SRC_URI[go_linux_ppc64le.sha256sum] = 
"0e57f421df9449066f0

[OE-core][PATCH 1/1] python3-cryptography{-vectors}: 42.0.2 -> 42.0.4

2024-02-27 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

Changelog:
==
42.0.4 - 2024-02-20
* Fixed a null-pointer-dereference and segfault that could occur
when creating a PKCS#12 bundle. Credit to Alexander-Programming for
reporting the issue. CVE-2024-26130
* Fixed ASN.1 encoding for PKCS7/SMIME signed messages. The fields
SMIMECapabilities and SignatureAlgorithmIdentifier should now be
correctly encoded according to the definitions in RFC 2633 RFC 3370.

42.0.3 - 2024-02-15
* Fixed an initialization issue that caused key loading failures for
some users.

https://cryptography.io/en/latest/changelog/#v42-0-4

Signed-off-by: Soumya Sambu 
---
 ...vectors_42.0.2.bb => python3-cryptography-vectors_42.0.4.bb} | 2 +-
 ...n3-cryptography_42.0.2.bb => python3-cryptography_42.0.4.bb} | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
 rename meta/recipes-devtools/python/{python3-cryptography-vectors_42.0.2.bb => 
python3-cryptography-vectors_42.0.4.bb} (91%)
 rename meta/recipes-devtools/python/{python3-cryptography_42.0.2.bb => 
python3-cryptography_42.0.4.bb} (95%)

diff --git 
a/meta/recipes-devtools/python/python3-cryptography-vectors_42.0.2.bb 
b/meta/recipes-devtools/python/python3-cryptography-vectors_42.0.4.bb
similarity index 91%
rename from meta/recipes-devtools/python/python3-cryptography-vectors_42.0.2.bb
rename to meta/recipes-devtools/python/python3-cryptography-vectors_42.0.4.bb
index 94fbc94c55..9500e890f3 100644
--- a/meta/recipes-devtools/python/python3-cryptography-vectors_42.0.2.bb
+++ b/meta/recipes-devtools/python/python3-cryptography-vectors_42.0.4.bb
@@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = 
"file://LICENSE;md5=8c3617db4fb6fae01f1d253ab91511e4 \
 # NOTE: Make sure to keep this recipe at the same version as 
python3-cryptography
 #   Upgrade both recipes at the same time
 
-SRC_URI[sha256sum] = 
"adcdccf5d9ee661a9602ad21d2525f678ba07a6e768ce79835994e208bab0e16"
+SRC_URI[sha256sum] = 
"d6b707d238a5e2390c3dae7761b997b68c2b8c0723ed24fc13f832bcc8739945"
 
 PYPI_PACKAGE = "cryptography_vectors"
 
diff --git a/meta/recipes-devtools/python/python3-cryptography_42.0.2.bb 
b/meta/recipes-devtools/python/python3-cryptography_42.0.4.bb
similarity index 95%
rename from meta/recipes-devtools/python/python3-cryptography_42.0.2.bb
rename to meta/recipes-devtools/python/python3-cryptography_42.0.4.bb
index c21c4d1a03..e864d6ce4f 100644
--- a/meta/recipes-devtools/python/python3-cryptography_42.0.2.bb
+++ b/meta/recipes-devtools/python/python3-cryptography_42.0.4.bb
@@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = 
"file://LICENSE;md5=8c3617db4fb6fae01f1d253ab91511e4 \
"
 LDSHARED += "-pthread"
 
-SRC_URI[sha256sum] = 
"e0ec52ba3c7f1b7d813cd52649a5b3ef1fc0d433219dc8c93827c57eab6cf888"
+SRC_URI[sha256sum] = 
"831a4b37accef30cccd34fcb916a5d7b5be3cbbe27268a02832c3e450aea39cb"
 
 SRC_URI += "file://0001-pyproject.toml-remove-benchmark-disable-option.patch \
 file://check-memfree.py \
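Review bot: the two-recipe lock-step bump is respected (vectors and cryptography both move to 42.0.4, as the NOTE in the vectors recipe requires); since the only change is the checksum, cve-check has nothing but the version string to mark CVE-2024-26130 as fixed, so confirm the NVD entry lists 42.0.4 as the fixed version or carry a CVE_STATUS entry in the recipe.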
-- 
2.40.0



[OE-core][kirkstone][PATCH 1/1] bind: Upgrade 9.18.19 -> 9.18.24

2024-02-25 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

Includes security fixes for - CVE-2023-4408, CVE-2023-5517,
CVE-2023-5679, CVE-2023-50868 and CVE-2023-50387

Changelog:
=
https://gitlab.isc.org/isc-projects/bind9/-/blob/v9.18.24/CHANGES

Signed-off-by: Soumya Sambu 
---
 .../bind/{bind_9.18.19.bb => bind_9.18.24.bb}   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-connectivity/bind/{bind_9.18.19.bb => bind_9.18.24.bb} 
(97%)

diff --git a/meta/recipes-connectivity/bind/bind_9.18.19.bb 
b/meta/recipes-connectivity/bind/bind_9.18.24.bb
similarity index 97%
rename from meta/recipes-connectivity/bind/bind_9.18.19.bb
rename to meta/recipes-connectivity/bind/bind_9.18.24.bb
index a829cc566d..fbbebe89ad 100644
--- a/meta/recipes-connectivity/bind/bind_9.18.19.bb
+++ b/meta/recipes-connectivity/bind/bind_9.18.24.bb
@@ -20,7 +20,7 @@ SRC_URI = 
"https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.xz \
file://0001-avoid-start-failure-with-bind-user.patch \
"
 
-SRC_URI[sha256sum] = 
"115e09c05439bebade1d272eda08fa88eb3b60129edef690588c87a4d27612cc"
+SRC_URI[sha256sum] = 
"709d73023c9115ddad3bab65b6c8c79a590196d0d114f5d0ca2533dbd52ddf66"
 
 UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/";
 # follow the ESV versions divisible by 2
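Review bot: the new sha256sum is the same value the master bump to bind 9.18.24 elsewhere on this page uses, so both branches fetch the identical tarball; since this stable-branch jump skips 9.18.20 through 9.18.23 in one go, the commit message should say that 0001-avoid-start-failure-with-bind-user.patch (still carried unchanged in the context) was re-tested against the new release.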
-- 
2.40.0



[OE-core][PATCH 1/1] bind: Upgrade 9.18.21 -> 9.18.24

2024-02-22 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

Changelog:
=
9.18.24:
- Fix case insensitive setting for isc_ht hashtable.
[GL #4568]

9.18.23:
- Specific DNS answers could cause a denial-of-service
condition due to DNS validation taking a long time.
(CVE-2023-50387) [GL #4424]
- Change 6315 inadvertently introduced regressions that
could cause named to crash. [GL #4234]
- Under some circumstances, the DoT code in client
mode could process more than one message at a time when
that was not expected. That has been fixed. [GL #4487]

9.18.22:
- Limit isc_task_send() overhead for RBTDB tree pruning.
[GL #4383]
- Restore DNS64 state when handling a serve-stale timeout.
(CVE-2023-5679) [GL #4334]
- Specific queries could trigger an assertion check with
nxdomain-redirect enabled. (CVE-2023-5517) [GL #4281]
- Speed up parsing of DNS messages with many different
names. (CVE-2023-4408) [GL #4234]
- Address race conditions in dns_tsigkey_find().
[GL #4182]
- Conversion from NSEC3 signed to NSEC signed could
temporarily put the zone into a state where it was
treated as unsigned until the NSEC chain was built.
Additionally conversion from one set of NSEC3 parameters
to another could also temporarily put the zone into a
state where it was treated as unsigned until the new
NSEC3 chain was built. [GL #1794] [GL #4495]
- Memory leak in zone.c:sign_zone. When named signed a
zone it could leak dst_keys due to a misplaced
'continue'. [GL #4488]
- Log more details about the cause of "not exact" errors.
[GL #4500]
- The wrong time was being used to determine what RRSIGs
were to be generated when dnssec-policy was in use.
[GL #4494]
- The "trust-anchor-telemetry" statement is no longer
marked as experimental. This silences a relevant log
message that was emitted even when the feature was
explicitly disabled. [GL #4497]
- Fix statistics export to use full 64 bit signed numbers
instead of truncating values to unsigned 32 bits.
[GL #4467]
- NetBSD has added 'hmac' to libc which collides with our
use of 'hmac'. [GL #4478]

Signed-off-by: Soumya Sambu 
---
 .../bind/{bind_9.18.21.bb => bind_9.18.24.bb}   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-connectivity/bind/{bind_9.18.21.bb => bind_9.18.24.bb} 
(97%)

diff --git a/meta/recipes-connectivity/bind/bind_9.18.21.bb 
b/meta/recipes-connectivity/bind/bind_9.18.24.bb
similarity index 97%
rename from meta/recipes-connectivity/bind/bind_9.18.21.bb
rename to meta/recipes-connectivity/bind/bind_9.18.24.bb
index f5fb4bd1e5..2874990320 100644
--- a/meta/recipes-connectivity/bind/bind_9.18.21.bb
+++ b/meta/recipes-connectivity/bind/bind_9.18.24.bb
@@ -20,7 +20,7 @@ SRC_URI = 
"https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.xz \
file://0001-avoid-start-failure-with-bind-user.patch \
"
 
-SRC_URI[sha256sum] = 
"a556be22505d9ea4f9c6717aee9c549739c68498aff3ca69035787ecc648fec5"
+SRC_URI[sha256sum] = 
"709d73023c9115ddad3bab65b6c8c79a590196d0d114f5d0ca2533dbd52ddf66"
 
 UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/";
 # follow the ESV versions divisible by 2
-- 
2.40.0



[OE-core][kirkstone][PATCH 1/1] cpio: upgrade to 2.14

2024-01-16 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

This includes fix for CVE-2023-7207.

Drop all submitted patches.

Apply a patch from git to fix the build with clang.

[ YOCTO #11674 ]

$git log --oneline release_2_13..v2.14
4a41909 (HEAD, tag: v2.14) Version 2.14
6f9e5d3 Update NEWS
807b3ea Use GNU ls algorithm for deciding timestamp format
19219d1 Fix integer overflows in timestamp output
ed28f14 Whitespace cleanup
4ab2813 Update version of gnulib
0987d63 Fix appending to archives bigger than 2G
1df0062 Fix combination of --create, --append, --directory
6a94d5e New option --ignore-dirnlink
376d663 Fix 45b0ee2b407913c533f7ded8d6f8cbeec16ff6ca.
beba8c0 Require automake 1.16.5
70fffa7 Update for newer autotools
a1b2f78 Fix calculation of CRC in copy-out mode.
18ea636 Upgrade gnulib
1a61f62 Update copyright years
a1c97c8 Fix wording in the manpage
97fab48 Update copyright years
86dacfe Remove redundant condition check
4d16930 Use inttostr to represent integer values as strings
236684f Fix dynamic string reallocations
dfc801c Fix previous commit
dd96882 Rewrite dynamic string support.
269d204 Improve online version of the documentation.
7dd8ba9 Update gnulib
905907c Update copyright years
4a78d77 Formatting changes in the documentation.
9fe8494 Update copyright years
641d3f4 Minor fix * src/global.c: Remove superfluous declaration of program_name
0c4ffde Fix handling of device numbers (part 2)
df55fb1 Fix handling of device numbers on copy out.
b1c8583 Improve 684b7ac5
684b7ac Fix cpio header verification.

Signed-off-by: Soumya Sambu 
---
 ...charset_alias-when-building-for-musl.patch |  30 -
 ...ove-superfluous-declaration-of-progr.patch |  28 -
 ...-calculation-of-CRC-in-copy-out-mode.patch |  58 --
 ...appending-to-archives-bigger-than-2G.patch | 312 --
 .../cpio/cpio-2.13/CVE-2021-38185.patch   | 581 --
 .../cpio/{cpio_2.13.bb => cpio_2.14.bb}   |   9 +-
 ...e-needed-header-for-major-minor-macr.patch |  47 ++
 7 files changed, 49 insertions(+), 1016 deletions(-)
 delete mode 100644 
meta/recipes-extended/cpio/cpio-2.13/0001-Unset-need_charset_alias-when-building-for-musl.patch
 delete mode 100644 
meta/recipes-extended/cpio/cpio-2.13/0002-src-global.c-Remove-superfluous-declaration-of-progr.patch
 delete mode 100644 
meta/recipes-extended/cpio/cpio-2.13/0003-Fix-calculation-of-CRC-in-copy-out-mode.patch
 delete mode 100644 
meta/recipes-extended/cpio/cpio-2.13/0004-Fix-appending-to-archives-bigger-than-2G.patch
 delete mode 100644 meta/recipes-extended/cpio/cpio-2.13/CVE-2021-38185.patch
 rename meta/recipes-extended/cpio/{cpio_2.13.bb => cpio_2.14.bb} (74%)
 create mode 100644 
meta/recipes-extended/cpio/files/0001-configure-Include-needed-header-for-major-minor-macr.patch

diff --git 
a/meta/recipes-extended/cpio/cpio-2.13/0001-Unset-need_charset_alias-when-building-for-musl.patch
 
b/meta/recipes-extended/cpio/cpio-2.13/0001-Unset-need_charset_alias-when-building-for-musl.patch
deleted file mode 100644
index 6ae213942c..00
--- 
a/meta/recipes-extended/cpio/cpio-2.13/0001-Unset-need_charset_alias-when-building-for-musl.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From b9565dc2fe0c4f7daaec91b7e83bc7313dee2f4a Mon Sep 17 00:00:00 2001
-From: Khem Raj 
-Date: Mon, 13 Apr 2015 17:02:13 -0700
-Subject: [PATCH] Unset need_charset_alias when building for musl
-
-localcharset uses ac_cv_gnu_library_2_1 from glibc21.m4
-which actually shoudl be fixed in gnulib and then all downstream
-projects will get it eventually. For now we apply the fix to
-coreutils
-
-Upstream-Status: Pending
-
-Signed-off-by: Khem Raj 

- lib/gnulib.mk | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-Index: cpio-2.11/gnu/Makefile.am
-===
 cpio-2.11.orig/gnu/Makefile.am
-+++ cpio-2.11/gnu/Makefile.am
-@@ -734,7 +734,7 @@ install-exec-localcharset: all-local
- case '$(host_os)' in \
-   darwin[56]*) \
- need_charset_alias=true ;; \
--  darwin* | cygwin* | mingw* | pw32* | cegcc*) \
-+  darwin* | cygwin* | mingw* | pw32* | cegcc* | linux-musl*) \
- need_charset_alias=false ;; \
-   *) \
- need_charset_alias=true ;; \
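Review bot: the commit message says "Drop all submitted patches", but this one is marked Upstream-Status: Pending, not Submitted, and nothing in the diffstat replaces it; before dropping it, confirm that the newer gnulib pulled in by 2.14 ("Upgrade gnulib" in the log) handles the linux-musl* case in install-exec-localcharset, otherwise the musl build regresses.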
diff --git 
a/meta/recipes-extended/cpio/cpio-2.13/0002-src-global.c-Remove-superfluous-declaration-of-progr.patch
 
b/meta/recipes-extended/cpio/cpio-2.13/0002-src-global.c-Remove-superfluous-declaration-of-progr.patch
deleted file mode 100644
index 478324c1c4..00
--- 
a/meta/recipes-extended/cpio/cpio-2.13/0002-src-global.c-Remove-superfluous-declaration-of-progr.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 33e6cb5a28fab3d99bd6818f8c01e6f33805390f Mon Sep 17 00:00:00 2001
-From: Sergey Poznyakoff 
-Date: Mon, 20 Jan 2020 07:45:39 +0200
-Subject: [PATCH] src/global.c: Remove superfluous declaration of program_name
-
-Upstream-Status: Backport (commit 641d3f4)
-Signed-off-by: Richard Leitner 

- src/global.c | 3 ---
- 1 file changed, 3 deletions(-)
-
-diff 

[OE-core][PATCH 1/1] ncurses: Fix - tty is hung after reset

2023-12-20 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

Serial tty is hung after reset command -
$echo "test " >> /dev/ttyS0
test
$stty -a < /dev/ttyS0
speed 115200 baud; rows 34; columns 153; line = 0;
intr = ^C; quit = ^\; erase = ^?; kill = ^U; eof = ^D; eol = ; eol2 = 
; swtch = ;
start = ^Q; stop = ^S; susp = ^Z; rprnt = ^R;
werase = ^W; lnext = ^V; discard = ^O; min = 1; time = 0;
-parenb -parodd -cmspar cs8 hupcl -cstopb cread clocal -crtscts
-ignbrk -brkint -ignpar -parmrk -inpck -istrip -inlcr -igncr icrnl ixon ixoff 
-iuclc -ixany -imaxbel iutf8
opost -olcuc -ocrnl onlcr -onocr -onlret -ofill -ofdel nl0 cr0 tab0 bs0 vt0 ff0
isig icanon -iexten echo echoe echok -echonl -noflsh -xcase -tostop -echoprt 
echoctl echoke -flusho -extproc
$reset
$echo "test " >> /dev/ttyS0
^C
$stty -a < /dev/ttyS0
^C

Updating the reset_tty_settings API with the latest code, which fixes the tty hang issue.

Signed-off-by: Soumya Sambu 
---
 ...eset-code-ncurses-6.4-patch-20231104.patch | 499 ++
 meta/recipes-core/ncurses/ncurses_6.4.bb  |   1 +
 2 files changed, 500 insertions(+)
 create mode 100644 
meta/recipes-core/ncurses/files/0001-Updating-reset-code-ncurses-6.4-patch-20231104.patch

diff --git 
a/meta/recipes-core/ncurses/files/0001-Updating-reset-code-ncurses-6.4-patch-20231104.patch
 
b/meta/recipes-core/ncurses/files/0001-Updating-reset-code-ncurses-6.4-patch-20231104.patch
new file mode 100644
index 00..121db6bffe
--- /dev/null
+++ 
b/meta/recipes-core/ncurses/files/0001-Updating-reset-code-ncurses-6.4-patch-20231104.patch
@@ -0,0 +1,499 @@
+From 135d37072755704b8d018e5de74e62ff3f28c930 Mon Sep 17 00:00:00 2001
+From: Thomas E. Dickey 
+Date: Sun, 5 Nov 2023 05:54:54 +0530
+Subject: [PATCH] Updating reset code - ncurses 6.4 - patch 20231104
+
++ modify reset command to avoid altering clocal if the terminal uses a
+  modem (prompted by discussion with Werner Fink, Michal Suchanek,
+  OpenSUSE #1201384, Debian #60377).
++ build-fixes for --with-caps variations.
++ correct a couple of section-references in INSTALL.
+
+Signed-off-by: Thomas E. Dickey 
+
+Upstream-Status: Backport 
[https://ncurses.scripts.mit.edu/?p=ncurses.git;a=commitdiff;h=135d37072755704b8d018e5de74e62ff3f28c930]
+
+Signed-off-by: Soumya Sambu 
+---
+ INSTALL   |   8 +-
+ include/curses.events |   2 +-
+ ncurses/tinfo/lib_tparm.c |   2 +
+ progs/reset_cmd.c | 281 +-
+ progs/tabs.c  |  10 +-
+ progs/tic.c   |   4 +
+ 6 files changed, 176 insertions(+), 131 deletions(-)
+
+diff --git a/INSTALL b/INSTALL
+index d9c1dd12..d0a39af0 100644
+--- a/INSTALL
 b/INSTALL
+@@ -47,7 +47,7 @@ If you are converting from BSD curses and do not have root 
access, be sure
+ to read the BSD CONVERSION NOTES section below.
+
+ If you are trying to build applications using gpm with ncurses,
+-read the USING NCURSES WITH GPM section below.
++read the USING GPM section below.
+
+ If you are cross-compiling, see the note below on BUILDING WITH A 
CROSS-COMPILER.
+
+@@ -79,7 +79,7 @@ INSTALLATION PROCEDURE:
+ The --prefix option to configure changes the root directory for installing
+ ncurses.  The default is normally in subdirectories of /usr/local, except
+ for systems where ncurses is normally installed as a system library (see
+-"IF YOU ARE A SYSTEM INTEGRATOR").  Use --prefix=/usr to replace your
++"FOR SYSTEM INTEGRATORS").  Use --prefix=/usr to replace your
+ default curses distribution.
+
+ The package gets installed beneath the --prefix directory as follows:
+@@ -176,7 +176,7 @@ INSTALLATION PROCEDURE:
+ You can make curses and terminfo fall back to an existing file of termcap
+ definitions by configuring with --enable-termcap.  If you do this, the
+ library will search /etc/termcap before the terminfo database, and will
+-also interpret the contents of the TERM environment variable.  See the
++also interpret the contents of the $TERM environment variable.  See the
+ section BSD CONVERSION NOTES below.
+
+ 3.  Type `make'.  Ignore any warnings, no error messages should be produced.
+@@ -1231,7 +1231,7 @@ CONFIGURE OPTIONS:
+   Specify a search-list of terminfo directories which will be compiled
+   into the ncurses library (default: DATADIR/terminfo)
+
+-  This is a colon-separated list, like the TERMINFO_DIRS environment
++  This is a colon-separated list, like the $TERMINFO_DIRS environment
+   variable.
+
+ --with-termlib[=XXX]
+diff --git a/include/curses.events b/include/curses.events
+index 25a2583f..468bde18 100644
+--- a/include/curses.events
 b/include/curses.events
+@@ -50,6 +50,6 @@ typedef struct
+ extern NCURSES_EXPORT(int) wgetch_events (WINDOW *, _nc_eventlist *) 
GCC_DEPRECATED(experimental option); /* experimental */
+ extern NCURSES_EXPORT(int) wgetnstr_events (WINDOW *,char *,int,_nc_eventlist 
*) GCC_DEPRECATED(experimental option); /* experimental */
+
+-#define KEY_EVENT 0633   
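Review bot: in the nested INSTALL and include/curses.events diffs the `+--- a/INSTALL` and `+--- a/include/curses.events` headers are each followed by a bare ` b/INSTALL` / ` b/include/curses.events` line where the `++++ b/...` header belongs, so the patch file as shown here would not apply; the archive may have swallowed those lines, so confirm the committed file carries them (a `bitbake ncurses -c patch` on the branch is enough) before merging. The Upstream-Status commit id does match the `From` line, so the backport reference itself is fine.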

[OE-core][kirkstone][PATCH 1/1] go: Fix CVE-2023-39326

2023-12-20 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

A malicious HTTP sender can use chunk extensions to cause a receiver
reading from a request or response body to read many more bytes from
the network than are in the body. A malicious HTTP client can further
exploit this to cause a server to automatically read a large amount
of data (up to about 1GiB) when a handler fails to read the entire
body of a request. Chunk extensions are a little-used HTTP feature
which permit including additional metadata in a request or response
body sent using the chunked encoding. The net/http chunked encoding
reader discards this metadata. A sender can exploit this by inserting
a large metadata segment with each byte transferred. The chunk reader
now produces an error if the ratio of real body to encoded bytes grows
too small.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-39326
https://security-tracker.debian.org/tracker/CVE-2023-39326

Signed-off-by: Soumya Sambu 
---
 meta/recipes-devtools/go/go-1.17.13.inc   |   1 +
 .../go/go-1.20/CVE-2023-39326.patch   | 182 ++
 2 files changed, 183 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.20/CVE-2023-39326.patch

diff --git a/meta/recipes-devtools/go/go-1.17.13.inc 
b/meta/recipes-devtools/go/go-1.17.13.inc
index 330f571d22..95c4461d3e 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -47,6 +47,7 @@ SRC_URI += "\
 file://CVE-2023-29409.patch \
 file://CVE-2023-39319.patch \
 file://CVE-2023-39318.patch \
+file://CVE-2023-39326.patch \
 "
 SRC_URI[main.sha256sum] = 
"a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
 
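Review bot: the patch is added to go-1.17.13.inc, but the diffstat places the file under meta/recipes-devtools/go/go-1.20/; that only works if this include's FILESEXTRAPATHS already points at the go-1.20 directory, which the neighbouring CVE-2023-29409/39318/39319 entries suggest it does. Say so in the commit message, or put the file next to the include, so the next backporter does not have to guess why a 1.17 recipe fetches from a 1.20 directory.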
diff --git a/meta/recipes-devtools/go/go-1.20/CVE-2023-39326.patch 
b/meta/recipes-devtools/go/go-1.20/CVE-2023-39326.patch
new file mode 100644
index 00..ca78e552c2
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.20/CVE-2023-39326.patch
@@ -0,0 +1,182 @@
+From 6446af942e2e2b161c4ec1b60d9703a2b55dc4dd Mon Sep 17 00:00:00 2001
+From: Damien Neil 
+Date: Tue, 7 Nov 2023 10:47:56 -0800
+Subject: [PATCH] net/http: limit chunked data overhead
+
+The chunked transfer encoding adds some overhead to
+the content transferred. When writing one byte per
+chunk, for example, there are five bytes of overhead
+per byte of data transferred: "1\r\nX\r\n" to send "X".
+
+Chunks may include "chunk extensions",
+which we skip over and do not use.
+For example: "1;chunk extension here\r\nX\r\n".
+
+A malicious sender can use chunk extensions to add
+about 4k of overhead per byte of data.
+(The maximum chunk header line size we will accept.)
+
+Track the amount of overhead read in chunked data,
+and produce an error if it seems excessive.
+
+Updates #64433
+Fixes #64434
+Fixes CVE-2023-39326
+
+Change-Id: I40f8d70eb6f9575fb43f506eb19132ccedafcf39
+Reviewed-on: 
https://team-review.git.corp.google.com/c/golang/go-private/+/2076135
+Reviewed-by: Tatiana Bradley 
+Reviewed-by: Roland Shoemaker 
+(cherry picked from commit 3473ae72ee66c60744665a24b2fde143e8964d4f)
+Reviewed-on: 
https://team-review.git.corp.google.com/c/golang/go-private/+/2095407
+Run-TryBot: Roland Shoemaker 
+TryBot-Result: Security TryBots 

+Reviewed-by: Damien Neil 
+Reviewed-on: https://go-review.googlesource.com/c/go/+/547355
+Reviewed-by: Dmitri Shuralyov 
+LUCI-TryBot-Result: Go LUCI 

+
+CVE: CVE-2023-39326
+
+Upstream-Status: Backport 
[https://github.com/golang/go/commit/6446af942e2e2b161c4ec1b60d9703a2b55dc4dd]
+
+Signed-off-by: Soumya Sambu 
+---
+ src/net/http/internal/chunked.go  | 36 +---
+ src/net/http/internal/chunked_test.go | 59 +++
+ 2 files changed, 89 insertions(+), 6 deletions(-)
+
+diff --git a/src/net/http/internal/chunked.go 
b/src/net/http/internal/chunked.go
+index f06e572..ddbaacb 100644
+--- a/src/net/http/internal/chunked.go
 b/src/net/http/internal/chunked.go
+@@ -39,7 +39,8 @@ type chunkedReader struct {
+   nuint64 // unread bytes in chunk
+   err  error
+   buf  [2]byte
+-  checkEnd bool // whether need to check for \r\n chunk footer
++  checkEnd bool  // whether need to check for \r\n chunk footer
++  excess   int64 // "excessive" chunk overhead, for malicious sender 
detection
+ }
+
+ func (cr *chunkedReader) beginChunk() {
+@@ -49,10 +50,38 @@ func (cr *chunkedReader) beginChunk() {
+   if cr.err != nil {
+   return
+   }
++  cr.excess += int64(len(line)) + 2 // header, plus \r\n after the chunk 
data
++  line = trimTrailingWhitespace(line)
++  line, cr.err = removeChunkExtension(line)
++  if cr.err != nil {
++  return
++  }
+   cr.n, cr.err = parseHexUint(line)
+   if cr.err != nil {
+   return
+   }
++  // A sender who sends one byte per chunk will send 5 bytes of overhead
++  // for every byte of data. ("1\r\nX\r\n" to send "X".)
++  // We want to allow this, since streaming a byte at a time can be

[OE-core][kirkstone][PATCH 1/1] perl: update 5.34.1 -> 5.34.3

2023-12-12 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

This includes security fix for CVE-2023-47038

Changes:
https://metacpan.org/release/PEVANS/perl-5.34.3/changes

Signed-off-by: Soumya Sambu 
---
 .../0001-Makefile-check-the-file-if-patched-or-not.patch  | 4 ++--
 .../perl-cross/{perlcross_1.3.7.bb => perlcross_1.5.2.bb} | 2 +-
 meta/recipes-devtools/perl/{perl_5.34.1.bb => perl_5.34.3.bb} | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
 rename meta/recipes-devtools/perl-cross/{perlcross_1.3.7.bb => 
perlcross_1.5.2.bb} (92%)
 rename meta/recipes-devtools/perl/{perl_5.34.1.bb => perl_5.34.3.bb} (99%)

diff --git 
a/meta/recipes-devtools/perl-cross/files/0001-Makefile-check-the-file-if-patched-or-not.patch
 
b/meta/recipes-devtools/perl-cross/files/0001-Makefile-check-the-file-if-patched-or-not.patch
index 8c8f3b717c..0ef9b27439 100644
--- 
a/meta/recipes-devtools/perl-cross/files/0001-Makefile-check-the-file-if-patched-or-not.patch
+++ 
b/meta/recipes-devtools/perl-cross/files/0001-Makefile-check-the-file-if-patched-or-not.patch
@@ -21,8 +21,8 @@ index f4a26f5..7bc748e 100644
  # Original versions are not saved anymore; patch generally takes care of this,
  # and if that fails, reaching for the source tarball is the safest option.
  $(CROSSPATCHED): %.applied: %.patch
--  patch -p1 -i $< && touch $@
-+  test ! -f $@ && (patch -p1 -i $< && touch $@) || echo "$@ exist"
+-  $(cpatch) -p1 -i $< && touch $@
++  test ! -f $@ && ($(cpatch) -p1 -i $< && touch $@) || echo "$@ exist"
  
  # ---[ common 
]-
  
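Review bot: the rule `test ! -f $@ && ($(cpatch) -p1 -i $< && touch $@) || echo "$@ exist"` masks patch failures: when `$(cpatch)` exits non-zero the `&&` chain is false, the `|| echo` branch runs, and make sees a successful recipe with no `.applied` stamp, so a cross patch that fails to apply is silently skipped. This hunk only swaps `patch` for `$(cpatch)`, but since it rewrites the line anyway, consider `if test -f $@; then echo "$@ exist"; else $(cpatch) -p1 -i $< && touch $@; fi`, which keeps the idempotency and still fails the build on a bad patch.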
diff --git a/meta/recipes-devtools/perl-cross/perlcross_1.3.7.bb 
b/meta/recipes-devtools/perl-cross/perlcross_1.5.2.bb
similarity index 92%
rename from meta/recipes-devtools/perl-cross/perlcross_1.3.7.bb
rename to meta/recipes-devtools/perl-cross/perlcross_1.5.2.bb
index 99a9ca1027..ac4dff33bb 100644
--- a/meta/recipes-devtools/perl-cross/perlcross_1.3.7.bb
+++ b/meta/recipes-devtools/perl-cross/perlcross_1.5.2.bb
@@ -18,7 +18,7 @@ SRC_URI = 
"https://github.com/arsv/perl-cross/releases/download/${PV}/perl-cross
"
 UPSTREAM_CHECK_URI = "https://github.com/arsv/perl-cross/releases/";
 
-SRC_URI[perl-cross.sha256sum] = 
"77f13ca84a63025053852331b72d4046c1f90ded98bd45ccedea738621907335"
+SRC_URI[perl-cross.sha256sum] = 
"584dc54c48dca25e032b676a15bef377c1fed9de318b4fc140292a5dbf326e90"
 
 S = "${WORKDIR}/perl-cross-${PV}"
 
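Review bot: this hash bump moves perl-cross from 1.3.7 to 1.5.2, two minor releases, while the subject only mentions perl 5.34.1 -> 5.34.3; the commit message should say why perl-cross has to move that far (whether 5.34.3 requires it or the jump is opportunistic), since that is the larger change in this patch and it is not covered by the linked perl changes page.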
diff --git a/meta/recipes-devtools/perl/perl_5.34.1.bb 
b/meta/recipes-devtools/perl/perl_5.34.3.bb
similarity index 99%
rename from meta/recipes-devtools/perl/perl_5.34.1.bb
rename to meta/recipes-devtools/perl/perl_5.34.3.bb
index db306d0be3..e8b518adc9 100644
--- a/meta/recipes-devtools/perl/perl_5.34.1.bb
+++ b/meta/recipes-devtools/perl/perl_5.34.3.bb
@@ -29,7 +29,7 @@ SRC_URI:append:class-target = " \
file://encodefix.patch \
 "
 
-SRC_URI[perl.sha256sum] = 
"357951a491b0ba1ce3611263922feec78ccd581dddc24a446b033e25acf242a1"
+SRC_URI[perl.sha256sum] = 
"5b12f62863332b2a5f54102af9cdf8c010877e4bf3294911edbd594b2a1e8ede"
 
 S = "${WORKDIR}/perl-${PV}"
 
-- 
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#192267): 
https://lists.openembedded.org/g/openembedded-core/message/192267
Mute This Topic: https://lists.openembedded.org/mt/103144638/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



Re: [OE-core][PATCH v2 1/1] go: ignore CVE-2023-45283 and CVE-2023-45284

2023-12-11 Thread Soumya via lists.openembedded.org
Hi Alexandre,

I see that current go version is 1.20.12 which is not vulnerable to these CVEs. 
Kindly ignore this patch.

Regards,
Soumya





From: Alexandre Belloni 
Sent: Saturday, December 9, 2023 5:55 PM
To: Sambu, Soumya 
Cc: openembedded-core@lists.openembedded.org 

Subject: Re: [OE-core][PATCH v2 1/1] go: ignore CVE-2023-45283 and 
CVE-2023-45284


Hello,

We had go upgrades in between, can you rebase (and check if this is
still needed)?

On 08/12/2023 10:42:15+, Soumya via lists.openembedded.org wrote:
> From: Soumya Sambu 
>
> These CVEs affect path handling on Windows.
>
> References:
> https://nvd.nist.gov/vuln/detail/CVE-2023-45283
> https://nvd.nist.gov/vuln/detail/CVE-2023-45284
>
> Signed-off-by: Soumya Sambu 
> ---
>  meta/recipes-devtools/go/go-1.20.10.inc | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/meta/recipes-devtools/go/go-1.20.10.inc 
> b/meta/recipes-devtools/go/go-1.20.10.inc
> index 39509ed986..0c0a736084 100644
> --- a/meta/recipes-devtools/go/go-1.20.10.inc
> +++ b/meta/recipes-devtools/go/go-1.20.10.inc
> @@ -16,3 +16,6 @@ SRC_URI += "\
>  file://0009-go-Filter-build-paths-on-staticly-linked-arches.patch \
>  "
>  SRC_URI[main.sha256sum] = 
> "72d2f51805c47150066c103754c75fddb2c19d48c9219fa33d1e46696c841dbb"
> +
> +CVE_STATUS[CVE-2023-45283] = "not-applicable-platform: Issue only applies on 
> Windows"
> +CVE_STATUS[CVE-2023-45284] = "not-applicable-platform: Issue only applies on 
> Windows"
> --
> 2.40.0
>



--
Alexandre Belloni, co-owner and COO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

View/Reply Online (#192158): https://lists.openembedded.org/g/openembedded-core/message/192158



[OE-core][PATCH v2 1/1] go: ignore CVE-2023-45283 and CVE-2023-45284

2023-12-08 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

These CVEs affect path handling on Windows.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-45283
https://nvd.nist.gov/vuln/detail/CVE-2023-45284

Signed-off-by: Soumya Sambu 
---
 meta/recipes-devtools/go/go-1.20.10.inc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-devtools/go/go-1.20.10.inc 
b/meta/recipes-devtools/go/go-1.20.10.inc
index 39509ed986..0c0a736084 100644
--- a/meta/recipes-devtools/go/go-1.20.10.inc
+++ b/meta/recipes-devtools/go/go-1.20.10.inc
@@ -16,3 +16,6 @@ SRC_URI += "\
 file://0009-go-Filter-build-paths-on-staticly-linked-arches.patch \
 "
 SRC_URI[main.sha256sum] = 
"72d2f51805c47150066c103754c75fddb2c19d48c9219fa33d1e46696c841dbb"
+
+CVE_STATUS[CVE-2023-45283] = "not-applicable-platform: Issue only applies on 
Windows"
+CVE_STATUS[CVE-2023-45284] = "not-applicable-platform: Issue only applies on 
Windows"
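Review bot: `CVE_STATUS[...] = "not-applicable-platform: ..."` is the right form for a platform-only issue, but the hunk targets go-1.20.10.inc; the reply in this thread says the tree has already moved to 1.20.12, which the author states is not vulnerable, so this would either fail to apply or mark as ignored CVEs that the newer version already fixes (and cve-check would then stop reporting them for any reason). Drop it, as the author proposes, or rebase and say explicitly that the status is platform-based regardless of version.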
-- 
2.40.0


View/Reply Online (#192038): https://lists.openembedded.org/g/openembedded-core/message/192038



[OE-core][PATCH 1/1] go: ignore CVE-2023-45283 and CVE-2023-45284

2023-12-03 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

These CVEs affect path handling on Windows.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-45283
https://nvd.nist.gov/vuln/detail/CVE-2023-45284
https://security-tracker.debian.org/tracker/CVE-2023-45283
https://security-tracker.debian.org/tracker/CVE-2023-45284

Signed-off-by: Soumya Sambu 
---
 meta/recipes-devtools/go/go-1.20.10.inc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-devtools/go/go-1.20.10.inc 
b/meta/recipes-devtools/go/go-1.20.10.inc
index 39509ed986..b240da3f86 100644
--- a/meta/recipes-devtools/go/go-1.20.10.inc
+++ b/meta/recipes-devtools/go/go-1.20.10.inc
@@ -16,3 +16,6 @@ SRC_URI += "\
 file://0009-go-Filter-build-paths-on-staticly-linked-arches.patch \
 "
 SRC_URI[main.sha256sum] = 
"72d2f51805c47150066c103754c75fddb2c19d48c9219fa33d1e46696c841dbb"
+
+# Microsoft Windows specific CVEs
+CVE_CHECK_IGNORE += "CVE-2023-45283 CVE-2023-45284"
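Review bot: `CVE_CHECK_IGNORE += ...` carries no machine-readable reason; the per-CVE `CVE_STATUS[CVE-2023-45283] = "not-applicable-platform: Issue only applies on Windows"` form (the one v2 of this patch uses) records why each id is ignored and shows up in the cve-check report, so prefer that. The `# Microsoft Windows specific CVEs` comment then becomes redundant.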
-- 
2.40.0


View/Reply Online (#191720): https://lists.openembedded.org/g/openembedded-core/message/191720



[OE-core][kirkstone][PATCH 1/1] sudo: upgrade 1.9.13p3 -> 1.9.15p2

2023-11-17 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

License-update: file removed upstream

Drop the patch, as the issue is fixed upstream.

Changelog:
===
1.9.15p2
 * Fixed a bug on BSD systems where sudo would not restore the
   terminal settings on exit if the terminal had parity enabled.
   GitHub issue #326.

1.9.15p1
 * Fixed a bug introduced in sudo 1.9.15 that prevented LDAP-based
   sudoers from being able to read the ldap.conf file.
   GitHub issue #325.

1.9.15
 * Fixed an undefined symbol problem on older versions of macOS
   when "intercept" or "log_subcmds" are enabled in sudoers.
   GitHub issue #276.
 * Fixed "make check" failure related to getpwent(3) wrapping
   on NetBSD.
 * Fixed the warning message for "sudo -l command" when the command
   is not permitted.  There was a missing space between "list" and
   the actual command due to changes in sudo 1.9.14.
 * Fixed a bug where output could go to the wrong terminal if
   "use_pty" is enabled (the default) and the standard input, output
   or error is redirected to a different terminal.  Bug #1056.
 * The visudo utility will no longer create an empty file when the
   specified sudoers file does not exist and the user exits the
   editor without making any changes.  GitHub issue #294.
 * The AIX and Solaris sudo packages on www.sudo.ws now support
   "log_subcmds" and "intercept" with both 32-bit and 64-bit
   binaries.  Previously, they only worked when running binaries
   with the same word size as the sudo binary.  GitHub issue #289.
 * The sudoers source is now logged in the JSON event log.  This
   makes it possible to tell which rule resulted in a match.
 * Running "sudo -ll command" now produces verbose output that
   includes matching rule as well as the path to the sudoers file
   the matching rule came from.  For LDAP sudoers, the name of the
   matching sudoRole is printed instead.
 * The embedded copy of zlib has been updated to version 1.3.
 * The sudoers plugin has been modified to make it more resilient
   to ROWHAMMER attacks on authentication and policy matching.
   This addresses CVE-2023-42465.
 * The sudoers plugin now constructs the user time stamp file path
   name using the user-ID instead of the user name.  This avoids a
   potential problem with user names that contain a path separator
   ('/') being interpreted as part of the path name.  A similar
   issue in sudo-rs has been assigned CVE-2023-42456.
 * A path separator ('/') in a user, group or host name is now
   replaced with an underbar character ('_') when expanding escapes
   in @include and @includedir directives as well as the "iolog_file"
   and "iolog_dir" sudoers Default settings.
 * The "intercept_verify" sudoers option is now only applied when
   the "intercept" option is set in sudoers.  Previously, it was
   also applied when "log_subcmds" was enabled.  Sudo 1.9.14
   contained an incorrect fix for this.  Bug #1058.
 * Changes to terminal settings are now performed atomically, where
   possible.  If the command is being run in a pseudo-terminal and
   the user's terminal is already in raw mode, sudo will not change
   the user's terminal settings.  This prevents concurrent sudo
   processes from restoring the terminal settings to the wrong values.
   GitHub issue #312.
 * Reverted a change from sudo 1.9.4 that resulted in PAM session
   modules being called with the environment of the command to be
   run instead of the environment of the invoking user.
   GitHub issue #318.
 * New Indonesian translation from translationproject.org.
 * The sudo_logsrvd server will now raise its open file descriptor
   limit to the maximum allowed value when it starts up.  Each
   connection can require up to nine open file descriptors so the
   default soft limit may be too low.
 * Better log message when rejecting a command if the "intercept"
   option is enabled and the "intercept_allow_setid" option is
   disabled.  Previously, "command not allowed" would be logged and
   the user had no way of knowing what the actual problem was.
 * Sudo will now log the invoking user's environment as "submitenv"
   in the JSON logs.  The command's environment ("runenv") is no
   longer logged for commands rejected by the sudoers file or an
   approval plugin.

1.9.14p3
 * Fixed a crash with Python 3.12 when the sudo Python plugin is
   unloaded.  This only affects "make check" for the Python plugin.
 * Adapted the sudo Python plugin test output to match Python 3.12.

1.9.14p2
 * Fixed a crash on Linux systems introduced in version 1.9.14 when
   running a command with a NULL argv[0] if "log_subcmds" or
   "intercept" is enabled in sudoers.
 * Fixed a problem with "stair-stepped" output when piping or
   redirecting the output of a sudo command that takes user input.
 * Fixed a bug introduced in sudo 1.9.14 that affects matching
   sudoers rules containing a Runas_Spec with an empty Runas user.
   These rules should only match when sudo's -g option is used but
   were matching even without the -g option.  GitHub is

[OE-core][dunfell][PATCH 1/1] libwebp: Fix CVE-2023-4863

2023-11-03 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

Heap buffer overflow in WebP in Google Chrome prior to 116.0.5845.187
allowed a remote attacker to perform an out of bounds memory write via
a crafted HTML page.

Removed CVE-2023-5129.patch as CVE-2023-5129 is a duplicate of CVE-2023-4863.

CVE: CVE-2023-4863

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-4863
https://security-tracker.debian.org/tracker/CVE-2023-4863
https://bugzilla.redhat.com/show_bug.cgi?id=2238431#c12

Signed-off-by: Soumya Sambu 
---
 ...23-5129.patch => CVE-2023-4863-0001.patch} | 27 --
 .../webp/files/CVE-2023-4863-0002.patch   | 53 +++
 meta/recipes-multimedia/webp/libwebp_1.1.0.bb |  3 +-
 3 files changed, 66 insertions(+), 17 deletions(-)
 rename meta/recipes-multimedia/webp/files/{CVE-2023-5129.patch => 
CVE-2023-4863-0001.patch} (95%)
 create mode 100644 meta/recipes-multimedia/webp/files/CVE-2023-4863-0002.patch

diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-5129.patch 
b/meta/recipes-multimedia/webp/files/CVE-2023-4863-0001.patch
similarity index 95%
rename from meta/recipes-multimedia/webp/files/CVE-2023-5129.patch
rename to meta/recipes-multimedia/webp/files/CVE-2023-4863-0001.patch
index 068c56..419b12f7d9 100644
--- a/meta/recipes-multimedia/webp/files/CVE-2023-5129.patch
+++ b/meta/recipes-multimedia/webp/files/CVE-2023-4863-0001.patch
@@ -1,7 +1,7 @@
-From 12b11893edf6c201710ebeee7c84743a8573fad6 Mon Sep 17 00:00:00 2001
+From 902bc9190331343b2017211debcec8d2ab87e17a Mon Sep 17 00:00:00 2001
 From: Vincent Rabaud 
 Date: Thu, 7 Sep 2023 21:16:03 +0200
-Subject: [PATCH 1/1] Fix OOB write in BuildHuffmanTable.
+Subject: [PATCH 1/2] Fix OOB write in BuildHuffmanTable.
 
 First, BuildHuffmanTable is called to check if the data is valid.
 If it is and the table is not big enough, more memory is allocated.
@@ -12,16 +12,11 @@ codes) streams are still decodable.
 Bug: chromium:1479274
 Change-Id: I31c36dbf3aa78d35ecf38706b50464fd3d375741
 
-Notice that it references different CVE id:
-https://nvd.nist.gov/vuln/detail/CVE-2023-5129
-which was marked as a rejected duplicate of:
-https://nvd.nist.gov/vuln/detail/CVE-2023-4863
-but it's the same issue. Hence update CVE ID CVE-2023-4863
+CVE: CVE-2023-4863
 
-CVE: CVE-2023-5129 CVE-2023-4863
-Upstream-Status: Backport 
[https://github.com/webmproject/libwebp/commit/2af26267cdfcb63a88e5c74a85927a12d6ca1d76]
-Signed-off-by: Colin McAllister 
-Signed-off-by: Pawan Badganchi 
+Upstream-Status: Backport 
[https://github.com/webmproject/libwebp/commit/902bc9190331343b2017211debcec8d2ab87e17a]
+
+Signed-off-by: Soumya Sambu 
 ---
  src/dec/vp8l_dec.c| 46 ++-
  src/dec/vp8li_dec.h   |  2 +-
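Review bot: this hunk drops the five-line explanation that CVE-2023-5129 was rejected as a duplicate of CVE-2023-4863 and removes the `Signed-off-by: Colin McAllister` and `Signed-off-by: Pawan Badganchi` lines even though the renamed file keeps 95% of their patch; keep the original sign-offs and a one-line note about the rejected duplicate id so anyone searching the layer for CVE-2023-5129 can see why the file was renamed. Updating the Upstream-Status URL from commit 2af26267cd... to 902bc919... is correct given the new `From` line above.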
@@ -30,7 +25,7 @@ Signed-off-by: Pawan Badganchi 
  4 files changed, 129 insertions(+), 43 deletions(-)
 
 diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c
-index 93615d4e..0d38314d 100644
+index 93615d4..0d38314 100644
 --- a/src/dec/vp8l_dec.c
 +++ b/src/dec/vp8l_dec.c
 @@ -253,11 +253,11 @@ static int ReadHuffmanCodeLengths(
@@ -178,7 +173,7 @@ index 93615d4e..0d38314d 100644
assert(dec->hdr_.num_htree_groups_ > 0);
  
 diff --git a/src/dec/vp8li_dec.h b/src/dec/vp8li_dec.h
-index 72b2e861..32540a4b 100644
+index 72b2e86..32540a4 100644
 --- a/src/dec/vp8li_dec.h
 +++ b/src/dec/vp8li_dec.h
 @@ -51,7 +51,7 @@ typedef struct {
@@ -191,7 +186,7 @@ index 72b2e861..32540a4b 100644
  
  typedef struct VP8LDecoder VP8LDecoder;
 diff --git a/src/utils/huffman_utils.c b/src/utils/huffman_utils.c
-index 0cba0fbb..9efd6283 100644
+index 0cba0fb..9efd628 100644
 --- a/src/utils/huffman_utils.c
 +++ b/src/utils/huffman_utils.c
 @@ -177,21 +177,24 @@ static int BuildHuffmanTable(HuffmanCode* const 
root_table, int root_bits,
@@ -322,7 +317,7 @@ index 0cba0fbb..9efd6283 100644
 +  }
 +}
 diff --git a/src/utils/huffman_utils.h b/src/utils/huffman_utils.h
-index 13b7ad1a..98415c53 100644
+index 13b7ad1..98415c5 100644
 --- a/src/utils/huffman_utils.h
 +++ b/src/utils/huffman_utils.h
 @@ -43,6 +43,29 @@ typedef struct {
@@ -367,5 +362,5 @@ index 13b7ad1a..98415c53 100644
  
  #ifdef __cplusplus
 -- 
-2.34.1
+2.40.0
 
diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-4863-0002.patch 
b/meta/recipes-multimedia/webp/files/CVE-2023-4863-0002.patch
new file mode 100644
index 00..c1eedb6100
--- /dev/null
+++ b/meta/recipes-multimedia/webp/files/CVE-2023-4863-0002.patch
@@ -0,0 +1,53 @@
+From 95ea5226c870449522240ccff26f0b006037c520 Mon Sep 17 00:00:00 2001
+From: Vincent Rabaud 
+Date: Mon, 11 Sep 2023 16:06:08 +0200
+Subject: [PATCH 2/2] Fix invalid incremental decoding check.
+
+The first condition is only necessary if we have not read enough
+(enough being defined by src_last, not src_end which is the end
+of the image).
+The second condition now fits the comment below: "if not
+incremental, and we are past the end of buffer".
+
+BUG=oss-fuzz:62136
+
+Change-Id: I0700f67c62db8e1c02c2e429a069a71e606a5e4f
+
+CVE: CVE-2023-4863
+
+Upstream-Status: Backpo

[OE-core][mickledore][PATCH 1/1] libwebp: Fix CVE-2023-4863

2023-11-03 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

Heap buffer overflow in WebP in Google Chrome prior to 116.0.5845.187
allowed a remote attacker to perform an out of bounds memory write via
a crafted HTML page.

Removed CVE-2023-5129.patch as CVE-2023-5129 is a duplicate of CVE-2023-4863.

CVE: CVE-2023-4863

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-4863
https://security-tracker.debian.org/tracker/CVE-2023-4863
https://bugzilla.redhat.com/show_bug.cgi?id=2238431#c12

Signed-off-by: Soumya Sambu 
---
 ...23-5129.patch => CVE-2023-4863-0001.patch} | 20 +++
 .../webp/files/CVE-2023-4863-0002.patch   | 53 +++
 meta/recipes-multimedia/webp/libwebp_1.3.1.bb |  3 +-
 3 files changed, 66 insertions(+), 10 deletions(-)
 rename meta/recipes-multimedia/webp/files/{CVE-2023-5129.patch => 
CVE-2023-4863-0001.patch} (97%)
 create mode 100644 meta/recipes-multimedia/webp/files/CVE-2023-4863-0002.patch

diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-5129.patch 
b/meta/recipes-multimedia/webp/files/CVE-2023-4863-0001.patch
similarity index 97%
rename from meta/recipes-multimedia/webp/files/CVE-2023-5129.patch
rename to meta/recipes-multimedia/webp/files/CVE-2023-4863-0001.patch
index b246ed42f9..e623569352 100644
--- a/meta/recipes-multimedia/webp/files/CVE-2023-5129.patch
+++ b/meta/recipes-multimedia/webp/files/CVE-2023-4863-0001.patch
@@ -1,7 +1,7 @@
-From 6c928321f47ba69022cd4d814433f365dea63478 Mon Sep 17 00:00:00 2001
+From 902bc9190331343b2017211debcec8d2ab87e17a Mon Sep 17 00:00:00 2001
 From: Vincent Rabaud 
 Date: Thu, 7 Sep 2023 21:16:03 +0200
-Subject: [PATCH 1/1] Fix OOB write in BuildHuffmanTable.
+Subject: [PATCH 1/2] Fix OOB write in BuildHuffmanTable.
 
 First, BuildHuffmanTable is called to check if the data is valid.
 If it is and the table is not big enough, more memory is allocated.
@@ -12,9 +12,11 @@ codes) streams are still decodable.
 Bug: chromium:1479274
 Change-Id: I31c36dbf3aa78d35ecf38706b50464fd3d375741
 
-CVE: CVE-2023-5129
+CVE: CVE-2023-4863
+
 Upstream-Status: Backport 
[https://github.com/webmproject/libwebp/commit/902bc9190331343b2017211debcec8d2ab87e17a]
-Signed-off-by: Colin McAllister 
+
+Signed-off-by: Soumya Sambu 
 ---
  src/dec/vp8l_dec.c| 46 ++-
  src/dec/vp8li_dec.h   |  2 +-
@@ -23,7 +25,7 @@ Signed-off-by: Colin McAllister 
  4 files changed, 129 insertions(+), 43 deletions(-)
 
 diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c
-index c0ea0181..7995313f 100644
+index 1348055..186b0b2 100644
 --- a/src/dec/vp8l_dec.c
 +++ b/src/dec/vp8l_dec.c
 @@ -253,11 +253,11 @@ static int ReadHuffmanCodeLengths(
@@ -171,7 +173,7 @@ index c0ea0181..7995313f 100644
assert(dec->hdr_.num_htree_groups_ > 0);
  
 diff --git a/src/dec/vp8li_dec.h b/src/dec/vp8li_dec.h
-index 72b2e861..32540a4b 100644
+index 72b2e86..32540a4 100644
 --- a/src/dec/vp8li_dec.h
 +++ b/src/dec/vp8li_dec.h
 @@ -51,7 +51,7 @@ typedef struct {
@@ -184,7 +186,7 @@ index 72b2e861..32540a4b 100644
  
  typedef struct VP8LDecoder VP8LDecoder;
 diff --git a/src/utils/huffman_utils.c b/src/utils/huffman_utils.c
-index 90c2fbf7..cf73abd4 100644
+index 0cba0fb..9efd628 100644
 --- a/src/utils/huffman_utils.c
 +++ b/src/utils/huffman_utils.c
 @@ -177,21 +177,24 @@ static int BuildHuffmanTable(HuffmanCode* const 
root_table, int root_bits,
@@ -315,7 +317,7 @@ index 90c2fbf7..cf73abd4 100644
 +  }
 +}
 diff --git a/src/utils/huffman_utils.h b/src/utils/huffman_utils.h
-index 13b7ad1a..98415c53 100644
+index 13b7ad1..98415c5 100644
 --- a/src/utils/huffman_utils.h
 +++ b/src/utils/huffman_utils.h
 @@ -43,6 +43,29 @@ typedef struct {
@@ -360,5 +362,5 @@ index 13b7ad1a..98415c53 100644
  
  #ifdef __cplusplus
 -- 
-2.34.1
+2.40.0
 
diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-4863-0002.patch 
b/meta/recipes-multimedia/webp/files/CVE-2023-4863-0002.patch
new file mode 100644
index 00..231894e882
--- /dev/null
+++ b/meta/recipes-multimedia/webp/files/CVE-2023-4863-0002.patch
@@ -0,0 +1,53 @@
+From 95ea5226c870449522240ccff26f0b006037c520 Mon Sep 17 00:00:00 2001
+From: Vincent Rabaud 
+Date: Mon, 11 Sep 2023 16:06:08 +0200
+Subject: [PATCH 2/2] Fix invalid incremental decoding check.
+
+The first condition is only necessary if we have not read enough
+(enough being defined by src_last, not src_end which is the end
+of the image).
+The second condition now fits the comment below: "if not
+incremental, and we are past the end of buffer".
+
+BUG=oss-fuzz:62136
+
+Change-Id: I0700f67c62db8e1c02c2e429a069a71e606a5e4f
+
+CVE: CVE-2023-4863
+
+Upstream-Status: Backport 
[https://github.com/webmproject/libwebp/commit/95ea5226c870449522240ccff26f0b006037c520]
+
+Signed-off-by: Soumya Sambu 
+---
+ src/dec/vp8l_dec.c | 15 +--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c
+index 186b0b2..59a9e64 100644
+--- a/src/dec/vp8l_dec.c
 b/src/dec/vp8l_dec.c
+@@ -1241,9 +1241,20 @@ static int DecodeImageData(V
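Review bot: the nested `index 186b0b2..59a9e64` for src/dec/vp8l_dec.c starts from the blob that CVE-2023-4863-0001.patch produces (its vp8l_dec.c hunk above is `index 1348055..186b0b2`), so 0002 only applies after 0001; make sure SRC_URI in libwebp_1.3.1.bb lists the two files in that order, since the recipe hunk is not shown here. The `Upstream-Status: Backport` URL does match the `From` commit 95ea5226c870449522240ccff26f0b006037c520.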

[OE-core][kirkstone][PATCH v4 1/1] libwebp: Fix CVE-2023-4863

2023-11-03 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

Heap buffer overflow in WebP in Google Chrome prior to 116.0.5845.187
allowed a remote attacker to perform an out of bounds memory write via
a crafted HTML page.

Removed CVE-2023-5129.patch as CVE-2023-5129 is a duplicate of CVE-2023-4863.

CVE: CVE-2023-4863

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-4863
https://security-tracker.debian.org/tracker/CVE-2023-4863
https://bugzilla.redhat.com/show_bug.cgi?id=2238431#c12

Signed-off-by: Soumya Sambu 
---
 ...23-5129.patch => CVE-2023-4863-0001.patch} | 20 +++
 .../webp/files/CVE-2023-4863-0002.patch   | 53 +++
 meta/recipes-multimedia/webp/libwebp_1.2.4.bb |  3 +-
 3 files changed, 66 insertions(+), 10 deletions(-)
 rename meta/recipes-multimedia/webp/files/{CVE-2023-5129.patch => 
CVE-2023-4863-0001.patch} (97%)
 create mode 100644 meta/recipes-multimedia/webp/files/CVE-2023-4863-0002.patch

diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-5129.patch 
b/meta/recipes-multimedia/webp/files/CVE-2023-4863-0001.patch
similarity index 97%
rename from meta/recipes-multimedia/webp/files/CVE-2023-5129.patch
rename to meta/recipes-multimedia/webp/files/CVE-2023-4863-0001.patch
index 356806ad87..e623569352 100644
--- a/meta/recipes-multimedia/webp/files/CVE-2023-5129.patch
+++ b/meta/recipes-multimedia/webp/files/CVE-2023-4863-0001.patch
@@ -1,7 +1,7 @@
-From 383b8b4eb6780d855e8a8177fbce96ab39dba6a5 Mon Sep 17 00:00:00 2001
+From 902bc9190331343b2017211debcec8d2ab87e17a Mon Sep 17 00:00:00 2001
 From: Vincent Rabaud 
 Date: Thu, 7 Sep 2023 21:16:03 +0200
-Subject: [PATCH 1/1] Fix OOB write in BuildHuffmanTable.
+Subject: [PATCH 1/2] Fix OOB write in BuildHuffmanTable.
 
 First, BuildHuffmanTable is called to check if the data is valid.
 If it is and the table is not big enough, more memory is allocated.
@@ -12,9 +12,11 @@ codes) streams are still decodable.
 Bug: chromium:1479274
 Change-Id: I31c36dbf3aa78d35ecf38706b50464fd3d375741
 
-CVE: CVE-2023-5129
+CVE: CVE-2023-4863
+
 Upstream-Status: Backport 
[https://github.com/webmproject/libwebp/commit/902bc9190331343b2017211debcec8d2ab87e17a]
-Signed-off-by: Colin McAllister 
+
+Signed-off-by: Soumya Sambu 
 ---
  src/dec/vp8l_dec.c| 46 ++-
  src/dec/vp8li_dec.h   |  2 +-
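Review bot: removing the `-CVE: CVE-2023-5129` line (and, with the rename, the CVE-2023-5129.patch file name) leaves nothing in the recipe that cve-check can match against CVE-2023-5129, since it keys off the `CVE:` tag inside patch files and the CVE id in the patch name; if that id is the same bug under a duplicate number, as the commit message says, keep both ids in the tag (`CVE: CVE-2023-4863 CVE-2023-5129`, or one `CVE:` line each) so a scan that still lists the duplicate shows it as patched. Separately, `-Signed-off-by: Colin McAllister` is replaced rather than kept above `+Signed-off-by: Soumya Sambu`; the patch body is unchanged apart from the header, so the original backporter's sign-off should stay.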
@@ -23,7 +25,7 @@ Signed-off-by: Colin McAllister 
  4 files changed, 129 insertions(+), 43 deletions(-)
 
 diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c
-index 13480551..186b0b2f 100644
+index 1348055..186b0b2 100644
 --- a/src/dec/vp8l_dec.c
 +++ b/src/dec/vp8l_dec.c
 @@ -253,11 +253,11 @@ static int ReadHuffmanCodeLengths(
@@ -171,7 +173,7 @@ index 13480551..186b0b2f 100644
assert(dec->hdr_.num_htree_groups_ > 0);
  
 diff --git a/src/dec/vp8li_dec.h b/src/dec/vp8li_dec.h
-index 72b2e861..32540a4b 100644
+index 72b2e86..32540a4 100644
 --- a/src/dec/vp8li_dec.h
 +++ b/src/dec/vp8li_dec.h
 @@ -51,7 +51,7 @@ typedef struct {
@@ -184,7 +186,7 @@ index 72b2e861..32540a4b 100644
  
  typedef struct VP8LDecoder VP8LDecoder;
 diff --git a/src/utils/huffman_utils.c b/src/utils/huffman_utils.c
-index 0cba0fbb..9efd6283 100644
+index 0cba0fb..9efd628 100644
 --- a/src/utils/huffman_utils.c
 +++ b/src/utils/huffman_utils.c
 @@ -177,21 +177,24 @@ static int BuildHuffmanTable(HuffmanCode* const 
root_table, int root_bits,
@@ -315,7 +317,7 @@ index 0cba0fbb..9efd6283 100644
 +  }
 +}
 diff --git a/src/utils/huffman_utils.h b/src/utils/huffman_utils.h
-index 13b7ad1a..98415c53 100644
+index 13b7ad1..98415c5 100644
 --- a/src/utils/huffman_utils.h
 +++ b/src/utils/huffman_utils.h
 @@ -43,6 +43,29 @@ typedef struct {
@@ -360,5 +362,5 @@ index 13b7ad1a..98415c53 100644
  
  #ifdef __cplusplus
 -- 
-2.34.1
+2.40.0
 
diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-4863-0002.patch 
b/meta/recipes-multimedia/webp/files/CVE-2023-4863-0002.patch
new file mode 100644
index 00..231894e882
--- /dev/null
+++ b/meta/recipes-multimedia/webp/files/CVE-2023-4863-0002.patch
@@ -0,0 +1,53 @@
+From 95ea5226c870449522240ccff26f0b006037c520 Mon Sep 17 00:00:00 2001
+From: Vincent Rabaud 
+Date: Mon, 11 Sep 2023 16:06:08 +0200
+Subject: [PATCH 2/2] Fix invalid incremental decoding check.
+
+The first condition is only necessary if we have not read enough
+(enough being defined by src_last, not src_end which is the end
+of the image).
+The second condition now fits the comment below: "if not
+incremental, and we are past the end of buffer".
+
+BUG=oss-fuzz:62136
+
+Change-Id: I0700f67c62db8e1c02c2e429a069a71e606a5e4f
+
+CVE: CVE-2023-4863
+
+Upstream-Status: Backport 
[https://github.com/webmproject/libwebp/commit/95ea5226c870449522240ccff26f0b006037c520]
+
+Signed-off-by: Soumya Sambu 
+---
+ src/dec/vp8l_dec.c | 15 +--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c
+index 186b0b2..59a9e64 100644
+--- a/src/dec/vp8l_dec.c
 b/src/dec/vp8l_dec.c
+@@ -1241,9 +1241,20 @@ static int DecodeImageData(V
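Review bot: the header of this new patch gives the upstream reason (oss-fuzz:62136, an invalid incremental decoding check) but not why it is tagged `CVE: CVE-2023-4863`, and that link was questioned on the list; one sentence citing the Debian security tracker and SUSE bug entries that list commit 95ea5226 as the follow-up to the CVE fix would make the backport self-justifying. The `+index 186b0b2..59a9e64` line also shows it was generated on top of the first patch (186b0b2 is the post-image blob of the renamed CVE-2023-4863-0001.patch for the same file), so the 0001/0002 order is required, not cosmetic.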

Re: [OE-core][kirkstone 3/3] libwebp: Fix CVE-2023-4863

2023-11-02 Thread Soumya via lists.openembedded.org
Sure Martin.

Regards,
Soumya

From: Martin Jansa 
Sent: Thursday, November 2, 2023 12:35 PM
To: Sambu, Soumya 
Cc: st...@sakoman.com; openembedded-core@lists.openembedded.org

Subject: Re: [OE-core][kirkstone 3/3] libwebp: Fix CVE-2023-4863

On Thu, Nov 2, 2023 at 7:57 AM Sambu, Soumya <soumya.sa...@windriver.com> wrote:
Hi Martin, Steve,

Debian has mentioned 
https://chromium.googlesource.com/webm/libwebp.git/+/95ea5226c870449522240ccff26f0b006037c520%5E%21/#F0
as a follow-up commit for CVE-2023-4863 [Reference: 
https://security-tracker.debian.org/tracker/CVE-2023-4863].

This commit was suggested in Bugzilla SUSE as well - 
https://bugzilla.suse.com/show_bug.cgi?id=1215231#c13

Aha, thanks for this information, can you please make sure that all supported 
branches receive this additional commit (preferably in a less confusing set of 
.patch files, e.g. apply both from CVE-2023-4863.patch and remove 
CVE-2023-5129.patch)?



Regards,
Soumya

From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> on behalf of Steve Sakoman via lists.openembedded.org <sakoman@lists.openembedded.org>
Sent: Wednesday, November 1, 2023 7:21 PM
To: Martin Jansa <martin.ja...@gmail.com>
Cc: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core][kirkstone 3/3] libwebp: Fix CVE-2023-4863


Thanks for reviewing Martin!

I'll drop this patch until there is further clarification on the need for it.

Steve

On Tue, Oct 31, 2023 at 1:39 PM Martin Jansa <martin.ja...@gmail.com> wrote:
>
> I'm surprised this one does apply in kirkstone as there is this security 
> issue already fixed as 2023-5129 (see dunfell commit 
> https://git.openembedded.org/openembedded-core/commit/?h=dunfell&id=7dce529515baa843ba3e5c89b2ad605b9845c59b
>  and a bit more details in 
> https://lists.openembedded.org/g/openembedded-core/message/189262
>  )
>
> Is 
> https://github.com/webmproject/libwebp/commit/95ea5226c870449522240ccff26f0b006037c520
>  really related to CVE-2023-4863 ?
>
> On Tue, Oct 31, 2023 at 11:05 PM Steve Sakoman <st...@sakoman.com> wrote:
>>
>> From: Soumya Sambu <soumya.sa...@windriver.com>
>>
>> Heap buffer overflow in WebP in Google Chrome prior to
>> 116.0.5845.187 allowed a remote attacker to perform an
>> out of bounds memory write via a crafted HTML page.
>>
>> References:
>> https://nvd.nist.gov/vuln/detail/CVE-2023-4863
>> https://security-tracker.debian.org/tracker/CVE-2023-4863
>> https://bugzilla.redhat.com/show_bug.cgi?id=2238431#c12

Re: [OE-core][kirkstone 3/3] libwebp: Fix CVE-2023-4863

2023-11-01 Thread Soumya via lists.openembedded.org
Hi Martin, Steve,

Debian has mentioned 
https://chromium.googlesource.com/webm/libwebp.git/+/95ea5226c870449522240ccff26f0b006037c520%5E%21/#F0
as a follow-up commit for CVE-2023-4863 [Reference: 
https://security-tracker.debian.org/tracker/CVE-2023-4863].

This commit was suggested in Bugzilla SUSE as well - 
https://bugzilla.suse.com/show_bug.cgi?id=1215231#c13

Regards,
Soumya

From: openembedded-core@lists.openembedded.org on behalf of Steve Sakoman via lists.openembedded.org
Sent: Wednesday, November 1, 2023 7:21 PM
To: Martin Jansa 
Cc: openembedded-core@lists.openembedded.org 

Subject: Re: [OE-core][kirkstone 3/3] libwebp: Fix CVE-2023-4863


Thanks for reviewing Martin!

I'll drop this patch until there is further clarification on the need for it.

Steve

On Tue, Oct 31, 2023 at 1:39 PM Martin Jansa  wrote:
>
> I'm surprised this one does apply in kirkstone as there is this security 
> issue already fixed as 2023-5129 (see dunfell commit 
> https://git.openembedded.org/openembedded-core/commit/?h=dunfell&id=7dce529515baa843ba3e5c89b2ad605b9845c59b
>  and a bit more details in 
> https://lists.openembedded.org/g/openembedded-core/message/189262 )
>
> Is 
> https://github.com/webmproject/libwebp/commit/95ea5226c870449522240ccff26f0b006037c520
>  really related to CVE-2023-4863 ?
>
> On Tue, Oct 31, 2023 at 11:05 PM Steve Sakoman  wrote:
>>
>> From: Soumya Sambu 
>>
>> Heap buffer overflow in WebP in Google Chrome prior to
>> 116.0.5845.187 allowed a remote attacker to perform an
>> out of bounds memory write via a crafted HTML page.
>>
>> References:
>> https://nvd.nist.gov/vuln/detail/CVE-2023-4863
>> https://security-tracker.debian.org/tracker/CVE-2023-4863
>> https://bugzilla.redhat.com/show_bug.cgi?id=2238431#c12
>>
>> Signed-off-by: Soumya Sambu 
>> Signed-off-by: Steve Sakoman 
>> ---
>>  .../webp/files/CVE-2023-4863.patch| 53 +++
>>  meta/recipes-multimedia/webp/libwebp_1.2.4.bb |  1 +
>>  2 files changed, 54 insertions(+)
>>  create mode 100644 meta/recipes-multimedia/webp/files/CVE-2023-4863.patch
>>
>> diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch 
>> b/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch
>> new file mode 100644
>> index 00..2b1817822c
>> --- /dev/null
>> +++ b/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch
>> @@ -0,0 +1,53 @@
>> +From 95ea5226c870449522240ccff26f0b006037c520 Mon Sep 17 00:00:00 2001
>> +From: Vincent Rabaud 
>> +Date: Mon, 11 Sep 2023 16:06:08 +0200
>> +Subject: [PATCH] Fix invalid incremental decoding check.
>> +
>> +The first condition is only necessary if we have not read enough
>> +(enough being defined by src_last, not src_end which is the end
>> +of the image).
>> +The second condition now fits the comment below: "if not
>> +incremental, and we are past the end of buffer".
>> +
>> +BUG=oss-fuzz:62136
>> +
>> +Change-Id: I0700f67c62db8e1c02c2e429a069a71e606a5e4f
>> +
>> +CVE: CVE-2023-4863
>> +
>> +Upstream-Status: Backport 
>> [https://github.com/webmproject/libwebp/commit/95ea5226c870449522240ccff26f0b006037c520]
>> +
>> +Signed-off-by: Soumya Sambu 
>> +---
>> + src/dec/vp8l_dec.c | 15 +--
>> + 1 file changed, 13 insertions(+), 2 deletions(-)
>> +
>> +diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c
>> +index 186b0b2..59a9e64 100644
>> +--- a/src/dec/vp8l_dec.c
>>  b/src/dec/vp8l_dec.c
>> +@@ -1241,9 +1241,20 @@ static int DecodeImageData(VP8LDecoder* const dec, 
>> uint32_t* const data,
>> +   }
>> +
>> +   br->eos_ = VP8LIsEndOfStream(br);
>> +-  if (dec->incremental_ && br->eos_ && src < src_end) {
>> ++  // In incremental decoding:
>> ++  // br->eos_ && src < src_last: if 'br' reached the end of the buffer and
>> ++  // 'src_last' has not been reached yet, there is not enough data. 'dec' 
>> has to
>> ++  // be reset until there is more data.
>> ++  // !br->eos_ && src < src_last: this cannot happen as either the buffer 
>> is
>> ++  // fully read, either enough has been read to reach 'src_last'.
>> ++  // src >= src_last: 'src_last' is reached, all is fine. 'src' can 
>> actually go
>> ++  // beyond 'src_last' in case the image is cropped and an LZ77 goes 
>> further.
>> ++  // The buffer might have been enough or there is some left. 'br->eos_' 
>> does
>> ++  // not matter.
>> ++  assert(!dec->incremental_ || (br->eos_ && src < src_last) || src >= 
>> src_last);
>> ++  if (dec->incremental_ && br->eos_ && src < src_last) {
>> + RestoreState(dec);
>> +-  } else if (!br->eos_) {
>> ++  } else if ((dec->incremental_ && src >= src_last) || !br->eos_) {
>> + // Process the remaining rows corresponding to last row-block.
>> + if (process_func != NULL) {
>> +   process_func(dec, row > last_row ? last_row : row);
>> +--
>> +2.40.0
>> diff --git a/meta

[OE-core][kirkstone][PATCH v3 1/1] libwebp: Fix CVE-2023-4863

2023-10-31 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

Heap buffer overflow in WebP in Google Chrome prior to
116.0.5845.187 allowed a remote attacker to perform an
out of bounds memory write via a crafted HTML page.

CVE: CVE-2023-4863

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-4863
https://security-tracker.debian.org/tracker/CVE-2023-4863
https://bugzilla.redhat.com/show_bug.cgi?id=2238431#c12

Signed-off-by: Soumya Sambu 
---
 .../webp/files/CVE-2023-4863.patch| 53 +++
 meta/recipes-multimedia/webp/libwebp_1.2.4.bb |  1 +
 2 files changed, 54 insertions(+)
 create mode 100644 meta/recipes-multimedia/webp/files/CVE-2023-4863.patch

diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch 
b/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch
new file mode 100644
index 00..2b1817822c
--- /dev/null
+++ b/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch
@@ -0,0 +1,53 @@
+From 95ea5226c870449522240ccff26f0b006037c520 Mon Sep 17 00:00:00 2001
+From: Vincent Rabaud 
+Date: Mon, 11 Sep 2023 16:06:08 +0200
+Subject: [PATCH] Fix invalid incremental decoding check.
+
+The first condition is only necessary if we have not read enough
+(enough being defined by src_last, not src_end which is the end
+of the image).
+The second condition now fits the comment below: "if not
+incremental, and we are past the end of buffer".
+
+BUG=oss-fuzz:62136
+
+Change-Id: I0700f67c62db8e1c02c2e429a069a71e606a5e4f
+
+CVE: CVE-2023-4863
+
+Upstream-Status: Backport 
[https://github.com/webmproject/libwebp/commit/95ea5226c870449522240ccff26f0b006037c520]
+
+Signed-off-by: Soumya Sambu 
+---
+ src/dec/vp8l_dec.c | 15 +--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c
+index 186b0b2..59a9e64 100644
+--- a/src/dec/vp8l_dec.c
 b/src/dec/vp8l_dec.c
+@@ -1241,9 +1241,20 @@ static int DecodeImageData(VP8LDecoder* const dec, 
uint32_t* const data,
+   }
+
+   br->eos_ = VP8LIsEndOfStream(br);
+-  if (dec->incremental_ && br->eos_ && src < src_end) {
++  // In incremental decoding:
++  // br->eos_ && src < src_last: if 'br' reached the end of the buffer and
++  // 'src_last' has not been reached yet, there is not enough data. 'dec' has 
to
++  // be reset until there is more data.
++  // !br->eos_ && src < src_last: this cannot happen as either the buffer is
++  // fully read, either enough has been read to reach 'src_last'.
++  // src >= src_last: 'src_last' is reached, all is fine. 'src' can actually 
go
++  // beyond 'src_last' in case the image is cropped and an LZ77 goes further.
++  // The buffer might have been enough or there is some left. 'br->eos_' does
++  // not matter.
++  assert(!dec->incremental_ || (br->eos_ && src < src_last) || src >= 
src_last);
++  if (dec->incremental_ && br->eos_ && src < src_last) {
+ RestoreState(dec);
+-  } else if (!br->eos_) {
++  } else if ((dec->incremental_ && src >= src_last) || !br->eos_) {
+ // Process the remaining rows corresponding to last row-block.
+ if (process_func != NULL) {
+   process_func(dec, row > last_row ? last_row : row);
+--
+2.40.0
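Review bot: the commit message should say what the `!br->eos_ && src < src_last` state does in a release build, because the `assert` that documents it as impossible is compiled out under NDEBUG; in that case the first `if` is skipped (it requires `br->eos_`) and the state falls into `else if ((dec->incremental_ && src >= src_last) || !br->eos_)` through the `!br->eos_` term, calling `process_func` exactly as the old `else if (!br->eos_)` did. So behaviour is unchanged there, and the only functional narrowing is the incremental end-of-stream case going from `src < src_end` to `src < src_last`; one line saying so would stop a reader of the backport from mistaking the assert for a runtime guard.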
diff --git a/meta/recipes-multimedia/webp/libwebp_1.2.4.bb 
b/meta/recipes-multimedia/webp/libwebp_1.2.4.bb
index 4defdd5e42..0728ca60f5 100644
--- a/meta/recipes-multimedia/webp/libwebp_1.2.4.bb
+++ b/meta/recipes-multimedia/webp/libwebp_1.2.4.bb
@@ -16,6 +16,7 @@ LIC_FILES_CHKSUM = 
"file://COPYING;md5=6e8dee932c26f2dab503abf70c96d8bb \
 SRC_URI = "http://downloads.webmproject.org/releases/webp/${BP}.tar.gz \
file://CVE-2023-1999.patch \
file://CVE-2023-5129.patch \
+   file://CVE-2023-4863.patch \
"
 SRC_URI[sha256sum] = 
"7bf5a8a28cc69bcfa8cb214f2c3095703c6b73ac5fba4d5480c205331d9494df"
 
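Review bot: `file://CVE-2023-4863.patch` is correctly listed after `file://CVE-2023-5129.patch`, and that order is load-bearing rather than cosmetic: the new patch's `index 186b0b2..59a9e64` for src/dec/vp8l_dec.c expects the blob that CVE-2023-5129.patch (upstream 902bc919) produces, so do_patch fails if the two entries are ever swapped; a short comment next to the SRC_URI entries, or numbering the files 0001/0002 as the later v4 series on this page does, makes the dependency visible. With the two files named after different CVE ids, cve-check will also record both ids as patched, which is consistent with the list discussion that 5129 is a duplicate of 4863.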
-- 
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#189862): 
https://lists.openembedded.org/g/openembedded-core/message/189862
Mute This Topic: https://lists.openembedded.org/mt/102299989/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



Patchtest results for [OE-core][kirkstone][PATCH v2 1/1] libwebp: Fix CVE-2023-4863

2023-10-31 Thread Soumya via lists.openembedded.org
Thank you for your submission. Patchtest identified one
or more issues with the patch. Please see the log below for
more information:

---
Testing patch 
/home/patchtest/share/mboxes/kirkstone-v2-1-1-libwebp-Fix-CVE-2023-4863.patch

FAIL: test CVE presence in commit message: A CVE tag should be provided in the 
commit message with format: "CVE: CVE--" 
(test_mbox.TestMbox.test_cve_presence_in_commit_message)

PASS: pretest lic files chksum modified not mentioned 
(test_metadata.TestMetadata.pretest_lic_files_chksum_modified_not_mentioned)
PASS: pretest src uri left files 
(test_metadata.TestMetadata.pretest_src_uri_left_files)
PASS: test CVE tag format (test_patch.TestPatch.test_cve_tag_format)
PASS: test Signed-off-by presence 
(test_mbox.TestMbox.test_signed_off_by_presence)
PASS: test Signed-off-by presence 
(test_patch.TestPatch.test_signed_off_by_presence)
PASS: test Upstream-Status presence 
(test_patch.TestPatch.test_upstream_status_presence_format)
PASS: test author valid (test_mbox.TestMbox.test_author_valid)
PASS: test commit message presence 
(test_mbox.TestMbox.test_commit_message_presence)
PASS: test lic files chksum modified not mentioned 
(test_metadata.TestMetadata.test_lic_files_chksum_modified_not_mentioned)
PASS: test max line length (test_metadata.TestMetadata.test_max_line_length)
PASS: test mbox format (test_mbox.TestMbox.test_mbox_format)
PASS: test non-AUH upgrade (test_mbox.TestMbox.test_non_auh_upgrade)
PASS: test shortlog format (test_mbox.TestMbox.test_shortlog_format)
PASS: test shortlog length (test_mbox.TestMbox.test_shortlog_length)
PASS: test src uri left files 
(test_metadata.TestMetadata.test_src_uri_left_files)

SKIP: pretest pylint: No python related patches, skipping test 
(test_python_pylint.PyLint.pretest_pylint)
SKIP: test bugzilla entry format: No bug ID found 
(test_mbox.TestMbox.test_bugzilla_entry_format)
SKIP: test lic files chksum presence: No added recipes, skipping test 
(test_metadata.TestMetadata.test_lic_files_chksum_presence)
SKIP: test license presence: No added recipes, skipping test 
(test_metadata.TestMetadata.test_license_presence)
SKIP: test pylint: No python related patches, skipping test 
(test_python_pylint.PyLint.test_pylint)
SKIP: test series merge on head: Merge test is disabled for now 
(test_mbox.TestMbox.test_series_merge_on_head)
SKIP: test summary presence: No added recipes, skipping test 
(test_metadata.TestMetadata.test_summary_presence)
SKIP: test target mailing list: Series merged, no reason to check other mailing 
lists (test_mbox.TestMbox.test_target_mailing_list)

---

Please address the issues identified and
submit a new revision of the patch, or alternatively, reply to this
email with an explanation of why the patch should be accepted. If you
believe these results are due to an error in patchtest, please submit a
bug at https://bugzilla.yoctoproject.org/ (use the 'Patchtest' category
under 'Yocto Project Subprojects'). For more information on specific
failures, see: https://wiki.yoctoproject.org/wiki/Patchtest. Thank
you!

View/Reply Online (#189848): 
https://lists.openembedded.org/g/openembedded-core/message/189848



[OE-core][kirkstone][PATCH v2 1/1] libwebp: Fix CVE-2023-4863

2023-10-31 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

Heap buffer overflow in WebP in Google Chrome prior to
116.0.5845.187 allowed a remote attacker to perform an
out of bounds memory write via a crafted HTML page.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-4863
https://security-tracker.debian.org/tracker/CVE-2023-4863
https://bugzilla.redhat.com/show_bug.cgi?id=2238431#c12

Signed-off-by: Soumya Sambu 
---
 .../webp/files/CVE-2023-4863.patch| 53 +++
 meta/recipes-multimedia/webp/libwebp_1.2.4.bb |  1 +
 2 files changed, 54 insertions(+)
 create mode 100644 meta/recipes-multimedia/webp/files/CVE-2023-4863.patch

diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch 
b/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch
new file mode 100644
index 00..2b1817822c
--- /dev/null
+++ b/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch
@@ -0,0 +1,53 @@
+From 95ea5226c870449522240ccff26f0b006037c520 Mon Sep 17 00:00:00 2001
+From: Vincent Rabaud 
+Date: Mon, 11 Sep 2023 16:06:08 +0200
+Subject: [PATCH] Fix invalid incremental decoding check.
+
+The first condition is only necessary if we have not read enough
+(enough being defined by src_last, not src_end which is the end
+of the image).
+The second condition now fits the comment below: "if not
+incremental, and we are past the end of buffer".
+
+BUG=oss-fuzz:62136
+
+Change-Id: I0700f67c62db8e1c02c2e429a069a71e606a5e4f
+
+CVE: CVE-2023-4863
+
+Upstream-Status: Backport 
[https://github.com/webmproject/libwebp/commit/95ea5226c870449522240ccff26f0b006037c520]
+
+Signed-off-by: Soumya Sambu 
+---
+ src/dec/vp8l_dec.c | 15 +--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c
+index 186b0b2..59a9e64 100644
+--- a/src/dec/vp8l_dec.c
 b/src/dec/vp8l_dec.c
+@@ -1241,9 +1241,20 @@ static int DecodeImageData(VP8LDecoder* const dec, 
uint32_t* const data,
+   }
+
+   br->eos_ = VP8LIsEndOfStream(br);
+-  if (dec->incremental_ && br->eos_ && src < src_end) {
++  // In incremental decoding:
++  // br->eos_ && src < src_last: if 'br' reached the end of the buffer and
++  // 'src_last' has not been reached yet, there is not enough data. 'dec' has 
to
++  // be reset until there is more data.
++  // !br->eos_ && src < src_last: this cannot happen as either the buffer is
++  // fully read, either enough has been read to reach 'src_last'.
++  // src >= src_last: 'src_last' is reached, all is fine. 'src' can actually 
go
++  // beyond 'src_last' in case the image is cropped and an LZ77 goes further.
++  // The buffer might have been enough or there is some left. 'br->eos_' does
++  // not matter.
++  assert(!dec->incremental_ || (br->eos_ && src < src_last) || src >= 
src_last);
++  if (dec->incremental_ && br->eos_ && src < src_last) {
+ RestoreState(dec);
+-  } else if (!br->eos_) {
++  } else if ((dec->incremental_ && src >= src_last) || !br->eos_) {
+ // Process the remaining rows corresponding to last row-block.
+ if (process_func != NULL) {
+   process_func(dec, row > last_row ? last_row : row);
+--
+2.40.0
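Review bot: the commit message for this recipe change has the References block but no `CVE: CVE-2023-4863` line, which is exactly what the Patchtest result on this page fails it for (`test_cve_presence_in_commit_message`); the `+CVE: CVE-2023-4863` tag inside the .patch file in this hunk is what cve-check reads, but the recipe commit itself needs the tag as well, so add it above References before resending.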
diff --git a/meta/recipes-multimedia/webp/libwebp_1.2.4.bb 
b/meta/recipes-multimedia/webp/libwebp_1.2.4.bb
index 4defdd5e42..0728ca60f5 100644
--- a/meta/recipes-multimedia/webp/libwebp_1.2.4.bb
+++ b/meta/recipes-multimedia/webp/libwebp_1.2.4.bb
@@ -16,6 +16,7 @@ LIC_FILES_CHKSUM = 
"file://COPYING;md5=6e8dee932c26f2dab503abf70c96d8bb \
 SRC_URI = "http://downloads.webmproject.org/releases/webp/${BP}.tar.gz \
file://CVE-2023-1999.patch \
file://CVE-2023-5129.patch \
+   file://CVE-2023-4863.patch \
"
 SRC_URI[sha256sum] = 
"7bf5a8a28cc69bcfa8cb214f2c3095703c6b73ac5fba4d5480c205331d9494df"
 
-- 
2.40.0


View/Reply Online (#189846): 
https://lists.openembedded.org/g/openembedded-core/message/189846




Re: [OE-core][kirkstone][PATCH 1/1] libwebp: Fix CVE-2023-4863

2023-10-31 Thread Soumya via lists.openembedded.org
Yes Anuj, I will correct it and will send v2.

Regards,
Soumya

From: Mittal, Anuj 
Sent: Tuesday, October 31, 2023 10:25 AM
To: openembedded-core@lists.openembedded.org; Sambu, Soumya

Subject: Re: [OE-core][kirkstone][PATCH 1/1] libwebp: Fix CVE-2023-4863


On Tue, 2023-10-31 at 04:37 +, Soumya via lists.openembedded.org
wrote:
> From: Soumya Sambu 
>
> Heap buffer overflow in WebP in Google Chrome prior to
> 116.0.5845.187 allowed a remote attacker to perform an
> out of bounds memory write via a crafted HTML page.
>
> References:
> https://nvd.nist.gov/vuln/detail/CVE-2023-4863
> https://security-tracker.debian.org/tracker/CVE-2023-4863
> https://bugzilla.redhat.com/show_bug.cgi?id=2238431#c12
>
> Signed-off-by: Soumya Sambu 
> ---
>  .../webp/files/CVE-2023-4863.patch| 109
> ++
>  meta/recipes-multimedia/webp/libwebp_1.2.4.bb |   1 +
>  2 files changed, 110 insertions(+)
>  create mode 100644 meta/recipes-multimedia/webp/files/CVE-2023-
> 4863.patch
>
> diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch
> b/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch
> new file mode 100644
> index 00..4c60cbc9a1
> --- /dev/null
> +++ b/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch
> @@ -0,0 +1,109 @@
> +From 95ea5226c870449522240ccff26f0b006037c520 Mon Sep 17 00:00:00
> 2001
> +From: Vincent Rabaud 
> +Date: Mon, 11 Sep 2023 16:06:08 +0200
> +Subject: [PATCH] Fix invalid incremental decoding check.
> +
> +The first condition is only necessary if we have not read enough
> +(enough being defined by src_last, not src_end which is the end
> +of the image).
> +The second condition now fits the comment below: "if not
> +incremental, and we are past the end of buffer".
> +
> +BUG=oss-fuzz:62136
> +
> +Change-Id: I0700f67c62db8e1c02c2e429a069a71e606a5e4f
> +
> +CVE: CVE-2023-4863
> +
> +Upstream-Status: Backport
> [https://github.com/webmproject/libwebp/commit/95ea5226c870449522240c
> cff26f0b006037c520]
> +
> +Signed-off-by: Soumya Sambu 
> +---
> + ...x-invalid-incremental-decoding-check.patch | 48
> +++

Patch file included by mistake?

Thanks,

Anuj

> + src/dec/vp8l_dec.c| 15 +-
> + 2 files changed, 61 insertions(+), 2 deletions(-)
> + create mode 100644 0001-Fix-invalid-incremental-decoding-
> check.patch
> +
> +diff --git a/0001-Fix-invalid-incremental-decoding-check.patch
> b/0001-Fix-invalid-incremental-decoding-check.patch
> +new file mode 100644
> +index 000..21f67f4
> +--- /dev/null
>  b/0001-Fix-invalid-incremental-decoding-check.patch
> +@@ -0,0 +1,48 @@
> ++From 95ea5226c870449522240ccff26f0b006037c520 Mon Sep 17 00:00:00
> 2001
> ++From: Vincent Rabaud 
> ++Date: Mon, 11 Sep 2023 16:06:08 +0200
> ++Subject: [PATCH] Fix invalid incremental decoding check.
> ++
> ++The first condition is only necessary if we have not read enough
> ++(enough being defined by src_last, not src_end which is the end
> ++of the image).
> ++The second condition now fits the comment below: "if not
> ++incremental, and we are past the end of buffer".
> ++
> ++BUG=oss-fuzz:62136
> ++
> ++Change-Id: I0700f67c62db8e1c02c2e429a069a71e606a5e4f
> ++---
> ++ src/dec/vp8l_dec.c | 15 +--
> ++ 1 file changed, 13 insertions(+), 2 deletions(-)
> ++
> ++diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c
> ++index 5ab34f56..809b1aa9 100644
> ++--- a/src/dec/vp8l_dec.c
> + b/src/dec/vp8l_dec.c
> ++@@ -1233,9 +1233,20 @@ static int DecodeImageData(VP8LDecoder*
> const dec, uint32_t* const data,
> ++   }
> ++
> ++   br->eos_ = VP8LIsEndOfStream(br);
> ++-  if (dec->incremental_ && br->eos_ && src < src_end) {
> +++  // In incremental decoding:
> +++  // br->eos_ && src < src_last: if 'br' reached the end of the
> buffer and
> +++  // 'src_last' has not been reached yet, there is not enough
> data. 'dec' has to
> +++  // be reset until there is more data.
> +++  // !br->eos_ && src < src_last: this cannot happen as either the
> buffer is
> +++  // fully read, either enough has been read to reach 'src_last'.
> +++  // src >= src_last: 'src_last' is reached, all is fine. 'src'
> can actually go
> +++  // beyond 'src_last' in case the image is cropped and an LZ77
> goes further.
> +++  // The buffer might have been enough or there is some

Patchtest results for [OE-core][kirkstone][PATCH 1/1] libwebp: Fix CVE-2023-4863

2023-10-30 Thread Soumya via lists.openembedded.org
Thank you for your submission. Patchtest identified one
or more issues with the patch. Please see the log below for
more information:

---
Testing patch 
/home/patchtest/share/mboxes/kirkstone-1-1-libwebp-Fix-CVE-2023-4863.patch

FAIL: test CVE presence in commit message: A CVE tag should be provided in the 
commit message with format: "CVE: CVE--" 
(test_mbox.TestMbox.test_cve_presence_in_commit_message)

PASS: pretest lic files chksum modified not mentioned 
(test_metadata.TestMetadata.pretest_lic_files_chksum_modified_not_mentioned)
PASS: pretest src uri left files 
(test_metadata.TestMetadata.pretest_src_uri_left_files)
PASS: test CVE tag format (test_patch.TestPatch.test_cve_tag_format)
PASS: test Signed-off-by presence 
(test_mbox.TestMbox.test_signed_off_by_presence)
PASS: test Signed-off-by presence 
(test_patch.TestPatch.test_signed_off_by_presence)
PASS: test Upstream-Status presence 
(test_patch.TestPatch.test_upstream_status_presence_format)
PASS: test author valid (test_mbox.TestMbox.test_author_valid)
PASS: test commit message presence 
(test_mbox.TestMbox.test_commit_message_presence)
PASS: test lic files chksum modified not mentioned 
(test_metadata.TestMetadata.test_lic_files_chksum_modified_not_mentioned)
PASS: test max line length (test_metadata.TestMetadata.test_max_line_length)
PASS: test mbox format (test_mbox.TestMbox.test_mbox_format)
PASS: test non-AUH upgrade (test_mbox.TestMbox.test_non_auh_upgrade)
PASS: test shortlog format (test_mbox.TestMbox.test_shortlog_format)
PASS: test shortlog length (test_mbox.TestMbox.test_shortlog_length)
PASS: test src uri left files 
(test_metadata.TestMetadata.test_src_uri_left_files)

SKIP: pretest pylint: No python related patches, skipping test 
(test_python_pylint.PyLint.pretest_pylint)
SKIP: test bugzilla entry format: No bug ID found 
(test_mbox.TestMbox.test_bugzilla_entry_format)
SKIP: test lic files chksum presence: No added recipes, skipping test 
(test_metadata.TestMetadata.test_lic_files_chksum_presence)
SKIP: test license presence: No added recipes, skipping test 
(test_metadata.TestMetadata.test_license_presence)
SKIP: test pylint: No python related patches, skipping test 
(test_python_pylint.PyLint.test_pylint)
SKIP: test series merge on head: Merge test is disabled for now 
(test_mbox.TestMbox.test_series_merge_on_head)
SKIP: test summary presence: No added recipes, skipping test 
(test_metadata.TestMetadata.test_summary_presence)
SKIP: test target mailing list: Series merged, no reason to check other mailing 
lists (test_mbox.TestMbox.test_target_mailing_list)

---

Please address the issues identified and
submit a new revision of the patch, or alternatively, reply to this
email with an explanation of why the patch should be accepted. If you
believe these results are due to an error in patchtest, please submit a
bug at https://bugzilla.yoctoproject.org/ (use the 'Patchtest' category
under 'Yocto Project Subprojects'). For more information on specific
failures, see: https://wiki.yoctoproject.org/wiki/Patchtest. Thank
you!

View/Reply Online (#189827): https://lists.openembedded.org/g/openembedded-core/message/189827



[OE-core][kirkstone][PATCH 1/1] libwebp: Fix CVE-2023-4863

2023-10-30 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

Heap buffer overflow in WebP in Google Chrome prior to
116.0.5845.187 allowed a remote attacker to perform an
out of bounds memory write via a crafted HTML page.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-4863
https://security-tracker.debian.org/tracker/CVE-2023-4863
https://bugzilla.redhat.com/show_bug.cgi?id=2238431#c12

Signed-off-by: Soumya Sambu 
---
 .../webp/files/CVE-2023-4863.patch| 109 ++
 meta/recipes-multimedia/webp/libwebp_1.2.4.bb |   1 +
 2 files changed, 110 insertions(+)
 create mode 100644 meta/recipes-multimedia/webp/files/CVE-2023-4863.patch

diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch 
b/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch
new file mode 100644
index 00..4c60cbc9a1
--- /dev/null
+++ b/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch
@@ -0,0 +1,109 @@
+From 95ea5226c870449522240ccff26f0b006037c520 Mon Sep 17 00:00:00 2001
+From: Vincent Rabaud 
+Date: Mon, 11 Sep 2023 16:06:08 +0200
+Subject: [PATCH] Fix invalid incremental decoding check.
+
+The first condition is only necessary if we have not read enough
+(enough being defined by src_last, not src_end which is the end
+of the image).
+The second condition now fits the comment below: "if not
+incremental, and we are past the end of buffer".
+
+BUG=oss-fuzz:62136
+
+Change-Id: I0700f67c62db8e1c02c2e429a069a71e606a5e4f
+
+CVE: CVE-2023-4863
+
+Upstream-Status: Backport 
[https://github.com/webmproject/libwebp/commit/95ea5226c870449522240ccff26f0b006037c520]
+
+Signed-off-by: Soumya Sambu 
+---
+ ...x-invalid-incremental-decoding-check.patch | 48 +++
+ src/dec/vp8l_dec.c| 15 +-
+ 2 files changed, 61 insertions(+), 2 deletions(-)
+ create mode 100644 0001-Fix-invalid-incremental-decoding-check.patch
+
+diff --git a/0001-Fix-invalid-incremental-decoding-check.patch 
b/0001-Fix-invalid-incremental-decoding-check.patch
+new file mode 100644
+index 000..21f67f4
+--- /dev/null
 b/0001-Fix-invalid-incremental-decoding-check.patch
+@@ -0,0 +1,48 @@
++From 95ea5226c870449522240ccff26f0b006037c520 Mon Sep 17 00:00:00 2001
++From: Vincent Rabaud 
++Date: Mon, 11 Sep 2023 16:06:08 +0200
++Subject: [PATCH] Fix invalid incremental decoding check.
++
++The first condition is only necessary if we have not read enough
++(enough being defined by src_last, not src_end which is the end
++of the image).
++The second condition now fits the comment below: "if not
++incremental, and we are past the end of buffer".
++
++BUG=oss-fuzz:62136
++
++Change-Id: I0700f67c62db8e1c02c2e429a069a71e606a5e4f
++---
++ src/dec/vp8l_dec.c | 15 +--
++ 1 file changed, 13 insertions(+), 2 deletions(-)
++
++diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c
++index 5ab34f56..809b1aa9 100644
++--- a/src/dec/vp8l_dec.c
+ b/src/dec/vp8l_dec.c
++@@ -1233,9 +1233,20 @@ static int DecodeImageData(VP8LDecoder* const dec, 
uint32_t* const data,
++   }
++
++   br->eos_ = VP8LIsEndOfStream(br);
++-  if (dec->incremental_ && br->eos_ && src < src_end) {
+++  // In incremental decoding:
+++  // br->eos_ && src < src_last: if 'br' reached the end of the buffer and
+++  // 'src_last' has not been reached yet, there is not enough data. 'dec' 
has to
+++  // be reset until there is more data.
+++  // !br->eos_ && src < src_last: this cannot happen as either the buffer is
+++  // fully read, either enough has been read to reach 'src_last'.
+++  // src >= src_last: 'src_last' is reached, all is fine. 'src' can actually 
go
+++  // beyond 'src_last' in case the image is cropped and an LZ77 goes further.
+++  // The buffer might have been enough or there is some left. 'br->eos_' does
+++  // not matter.
+++  assert(!dec->incremental_ || (br->eos_ && src < src_last) || src >= 
src_last);
+++  if (dec->incremental_ && br->eos_ && src < src_last) {
++ RestoreState(dec);
++-  } else if (!br->eos_) {
+++  } else if ((dec->incremental_ && src >= src_last) || !br->eos_) {
++ // Process the remaining rows corresponding to last row-block.
++ if (process_func != NULL) {
++   process_func(dec, row > last_row ? last_row : row);
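Review bot: the behavioural change is in the two conditions, and the `assert` above them only documents it: `assert(!dec->incremental_ || (br->eos_ && src < src_last) || src >= src_last)` disappears under NDEBUG, so release builds rely solely on `if (dec->incremental_ && br->eos_ && src < src_last)` (buffer exhausted before this row block was complete: RestoreState and wait for more data) and `else if ((dec->incremental_ && src >= src_last) || !br->eos_)` (row block complete, or non-incremental and past the end of the buffer). The old first test compared `src` with `src_end`, the end of the whole image, so per the commit text an incremental decode that had already reached `src_last` could still be rolled back; the backport's commit text should state that consequence, since the subject 'Fix invalid incremental decoding check' does not.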
++--
++2.40.0
++
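Review bot: the new file embeds a second copy of the upstream commit as `0001-Fix-invalid-incremental-decoding-check.patch` (diffstat: `...x-invalid-incremental-decoding-check.patch | 48 +++` and `create mode 100644 0001-Fix-invalid-incremental-decoding-check.patch`), so applying CVE-2023-4863.patch would drop a stray .patch file into the libwebp source tree; this most likely comes from running `git format-patch` in a checkout that already contained the exported patch. Please regenerate it so only the `src/dec/vp8l_dec.c` hunk remains. While respinning, reconcile the description with the change: the message above talks about the heap buffer overflow of CVE-2023-4863, but the backported commit is 'Fix invalid incremental decoding check' for `BUG=oss-fuzz:62136`, and the recipe already carries `CVE-2023-5129.patch`; say explicitly which commit fixes the overflow and why this one is needed as well.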
+diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c
+index 186b0b2..59a9e64 100644
+--- a/src/dec/vp8l_dec.c
 b/src/dec/vp8l_dec.c
+@@ -1241,9 +1241,20 @@ static int DecodeImageData(VP8LDecoder* const dec, 
uint32_t* const data,
+   }
+
+   br->eos_ = VP8LIsEndOfStream(br);
+-  if (dec->incremental_ && br->eos_ && src < src_end) {
++  // In incremental decoding:
++  // br->eos_ && src < src_last: if 'br' reached the end of the buffer and
++  // 'src_last' has not been reached yet, there is not enough data. 'dec' has 
to
++  // be reset until there is more data.
++  // !br->eos_ && src < src_last: this cannot happen as either the buffer is
++  // fully read, either enough has been read to reach 'src_last'.
++  // src >= src_last: 'src_last' is reached, all is fine. 

[OE-core][mickledore][PATCH 1/1] qemu: Fix CVE-2023-3180

2023-10-04 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

A flaw was found in the QEMU virtual crypto device while handling
data encryption/decryption requests in virtio_crypto_handle_sym_req.
There is no check for the value of `src_len` and `dst_len` in
virtio_crypto_sym_op_helper, potentially leading to a heap buffer
overflow when the two values differ.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-3180

Signed-off-by: Soumya Sambu 
---
 meta/recipes-devtools/qemu/qemu.inc   |  1 +
 .../qemu/qemu/CVE-2023-3180.patch | 52 +++
 2 files changed, 53 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-3180.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc 
b/meta/recipes-devtools/qemu/qemu.inc
index c8e1d28654..cd17a11335 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -41,6 +41,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
   file://CVE-2023-3255.patch \
   file://CVE-2023-2861.patch \
   file://CVE-2023-3354.patch \
+  file://CVE-2023-3180.patch \
"
 UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar"
 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-3180.patch 
b/meta/recipes-devtools/qemu/qemu/CVE-2023-3180.patch
new file mode 100644
index 00..cd9f85fd43
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-3180.patch
@@ -0,0 +1,52 @@
+From 9d38a8434721a6479fe03fb5afb150ca793d3980 Mon Sep 17 00:00:00 2001
+From: zhenwei pi 
+Date: Thu, 3 Aug 2023 10:43:13 +0800
+Subject: [PATCH] virtio-crypto: verify src&dst buffer length for sym request
+
+For symmetric algorithms, the length of ciphertext must be as same
+as the plaintext.
+The missing verification of the src_len and the dst_len in
+virtio_crypto_sym_op_helper() may lead buffer overflow/divulged.
+
+This patch is originally written by Yiming Tao for QEMU-SECURITY,
+resend it(a few changes of error message) in qemu-devel.
+
+Fixes: CVE-2023-3180
+Fixes: 04b9b37e
+
+("virtio-crypto: add data queue processing handler")
+Cc: Gonglei 
+Cc: Mauro Matteo Cascella 
+Cc: Yiming Tao 
+Signed-off-by: zhenwei pi 
+Message-Id: <20230803024314.29962-2-pizhen...@bytedance.com>
+Reviewed-by: Michael S. Tsirkin 
+Signed-off-by: Michael S. Tsirkin 
+
+CVE: CVE-2023-3180
+
+Upstream-Status: Backport from 
[https://gitlab.com/qemu-project/qemu/-/commit/9d38a8434721a6479fe03fb5afb150ca793d3980]
+
+Signed-off-by: Soumya Sambu 
+---
+ hw/virtio/virtio-crypto.c | 5 +
+ 1 file changed, 5 insertions(+)
+
+diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c
+index 97da74e71..fdb592861 100644
+--- a/hw/virtio/virtio-crypto.c
 b/hw/virtio/virtio-crypto.c
+@@ -633,6 +633,11 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev,
+ return NULL;
+ }
+
++if (unlikely(src_len != dst_len)) {
++virtio_error(vdev, "sym request src len is different from dst len");
++return NULL;
++}
++
+ max_len = (uint64_t)iv_len + aad_len + src_len + dst_len + 
hash_result_len;
+ if (unlikely(max_len > vcrypto->conf.max_size)) {
+ virtio_error(vdev, "virtio-crypto too big length");
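Review bot: the added `if (unlikely(src_len != dst_len))` guard sits in the right place, before `max_len` is computed, so the aggregate `max_len > vcrypto->conf.max_size` check below it can no longer mask a request whose source and destination lengths differ but still fit within `max_size`. One nit in the patch header: the tag `+Fixes: 04b9b37e` is separated from its subject `+("virtio-crypto: add data queue processing handler")` by a blank line, presumably a wrap introduced when the backport was copied, so please rejoin them on a single line as `Fixes: 04b9b37e ("virtio-crypto: add data queue processing handler")`, otherwise tools that scan Fixes: tags see a bare hash.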
+--
+2.40.0
-- 
2.40.0


View/Reply Online (#188673): https://lists.openembedded.org/g/openembedded-core/message/188673



[OE-core][kirkstone][PATCH v2 1/1] glibc: Update to latest on stable 2.35 branch

2023-10-04 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

Addresses CVE-2023-4813, CVE-2023-4806, CVE-2023-5156. Added these to CVE_CHECK_IGNORE to avoid them in cve-check reports since the recipe version did not change.

This is the complete list of changes this brings:

* 73d4ce728a Document CVE-2023-4806 and CVE-2023-5156 in NEWS
* 17092c0311 Fix leak in getaddrinfo introduced by the fix for CVE-2023-4806 [BZ #30843]
* 762a747fae io: Fix record locking contants for powerpc64 with __USE_FILE_OFFSET64
* e3ccb230a9 getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806)
* 1b9087dcec gethosts: Return EAI_MEMORY on allocation failure
* f5f88f142a gaih_inet: Split result generation into its own function
* a6da106892 gaih_inet: split loopback lookup into its own function
* 8b70d97b08 gaih_inet: make gethosts into a function
* 9098deb96a gaih_inet: separate nss lookup loop into its own function
* ce64e72b7d gaih_inet: Split nscd lookup code into its own function.
* 4897bf7968 gaih_inet: Split simple gethostbyname into its own function
* 571c531b3b gaih_inet: make numeric lookup a separate routine
* 9aad91abe6 gaih_inet: Simplify service resolution
* d02808dee9 getaddrinfo: Fix leak with AI_ALL [BZ #28852]
* f366eaa608 gaih_inet: Simplify canon name resolution
* b126325fc7 nss: Sort tests and tests-container and put one test per line
* 6e867146ee Simplify allocations and fix merge and continue actions [BZ #28931]
* 59ee83b0c2 elf: Move l_init_called_next to old place of l_text_end in link map
* 34b07bdbdd elf: Remove unused l_text_end field from struct link_map
* 02a67e102f elf: Always call destructors in reverse constructor order (bug 30785)
* aeea91fd15 elf: Do not run constructors for proxy objects
* 1d828d5855 elf: Introduce to _dl_call_fini

Signed-off-by: Soumya Sambu 
---
 meta/recipes-core/glibc/glibc-version.inc | 2 +-
 meta/recipes-core/glibc/glibc_2.35.bb | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-core/glibc/glibc-version.inc 
b/meta/recipes-core/glibc/glibc-version.inc
index f23ceb5a25..c23a43576c 100644
--- a/meta/recipes-core/glibc/glibc-version.inc
+++ b/meta/recipes-core/glibc/glibc-version.inc
@@ -1,6 +1,6 @@
 SRCBRANCH ?= "release/2.35/master"
 PV = "2.35"
-SRCREV_glibc ?= "561e9dadc02f46a7ba2190c0a04259583479f6c9"
+SRCREV_glibc ?= "73d4ce728a59deb2fd18969e559769b3f590fac9"
 SRCREV_localedef ?= "794da69788cbf9bf57b59a852f9f11307663fa87"
 
 GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git"
diff --git a/meta/recipes-core/glibc/glibc_2.35.bb 
b/meta/recipes-core/glibc/glibc_2.35.bb
index df847e76bf..b4bad5b7ac 100644
--- a/meta/recipes-core/glibc/glibc_2.35.bb
+++ b/meta/recipes-core/glibc/glibc_2.35.bb
@@ -16,6 +16,9 @@ CVE_CHECK_IGNORE += "CVE-2019-1010022 CVE-2019-1010023 
CVE-2019-1010024"
 # Potential patch at https://sourceware.org/bugzilla/show_bug.cgi?id=22853
 CVE_CHECK_IGNORE += "CVE-2019-1010025"
 
+# To avoid these in cve-check reports since the recipe version did not change
+CVE_CHECK_IGNORE += "CVE-2023-4813 CVE-2023-4806 CVE-2023-5156"
+
 DEPENDS += "gperf-native bison-native"
 
 NATIVESDKFIXES ?= ""
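Review bot: the comment above `+CVE_CHECK_IGNORE += "CVE-2023-4813 CVE-2023-4806 CVE-2023-5156"` explains why the entries are being suppressed but not why the CVEs are fixed, so a later reader of glibc_2.35.bb cannot tell an ignore from a fixed-by-SRCREV entry. Please point at the evidence in the same comment: the branch log in the commit message names `e3ccb230a9` for CVE-2023-4806 and `73d4ce728a` for the NEWS entry covering CVE-2023-5156, but no commit in that list mentions CVE-2023-4813, so that one in particular needs a reference (commit id or bug number) before it goes on the ignore list.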
-- 
2.40.0


View/Reply Online (#188672): https://lists.openembedded.org/g/openembedded-core/message/188672



Re: [OE-core][kirkstone][PATCH 1/1] glibc: Update to latest on stable 2.35 branch

2023-09-27 Thread Soumya via lists.openembedded.org
Sure, will send v2.

Regards,
Soumya


From: Marko, Peter 
Sent: Wednesday, September 27, 2023 7:50 PM
To: Sambu, Soumya
Cc: openembedded-core@lists.openembedded.org
Subject: RE: [OE-core][kirkstone][PATCH 1/1] glibc: Update to latest on stable 2.35 branch

-Original Message-
From: openembedded-core@lists.openembedded.org On Behalf Of Soumya via lists.openembedded.org
Sent: Wednesday, September 27, 2023 9:46
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone][PATCH 1/1] glibc: Update to latest on stable 2.35 branch

> From: Soumya Sambu 
>
> Addresses CVE-2023-4813, CVE-2023-4806

Could you also add these to CVE_CHECK_IGNORE?
Otherwise they will stay in cve-check reports since the recipe version did not 
change.

Thanks,
Peter

View/Reply Online (#188327): https://lists.openembedded.org/g/openembedded-core/message/188327



[OE-core][kirkstone][PATCH 1/1] glibc: Update to latest on stable 2.35 branch

2023-09-27 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

Addresses CVE-2023-4813, CVE-2023-4806

This is the complete list of changes this brings:

* 73d4ce728a Document CVE-2023-4806 and CVE-2023-5156 in NEWS
* 17092c0311 Fix leak in getaddrinfo introduced by the fix for CVE-2023-4806 [BZ #30843]
* 762a747fae io: Fix record locking contants for powerpc64 with __USE_FILE_OFFSET64
* e3ccb230a9 getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806)
* 1b9087dcec gethosts: Return EAI_MEMORY on allocation failure
* f5f88f142a gaih_inet: Split result generation into its own function
* a6da106892 gaih_inet: split loopback lookup into its own function
* 8b70d97b08 gaih_inet: make gethosts into a function
* 9098deb96a gaih_inet: separate nss lookup loop into its own function
* ce64e72b7d gaih_inet: Split nscd lookup code into its own function.
* 4897bf7968 gaih_inet: Split simple gethostbyname into its own function
* 571c531b3b gaih_inet: make numeric lookup a separate routine
* 9aad91abe6 gaih_inet: Simplify service resolution
* d02808dee9 getaddrinfo: Fix leak with AI_ALL [BZ #28852]
* f366eaa608 gaih_inet: Simplify canon name resolution
* b126325fc7 nss: Sort tests and tests-container and put one test per line
* 6e867146ee Simplify allocations and fix merge and continue actions [BZ #28931]
* 59ee83b0c2 elf: Move l_init_called_next to old place of l_text_end in link map
* 34b07bdbdd elf: Remove unused l_text_end field from struct link_map
* 02a67e102f elf: Always call destructors in reverse constructor order (bug 30785)
* aeea91fd15 elf: Do not run constructors for proxy objects
* 1d828d5855 elf: Introduce to _dl_call_fini

Signed-off-by: Soumya Sambu 
---
 meta/recipes-core/glibc/glibc-version.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-core/glibc/glibc-version.inc 
b/meta/recipes-core/glibc/glibc-version.inc
index f23ceb5a25..c23a43576c 100644
--- a/meta/recipes-core/glibc/glibc-version.inc
+++ b/meta/recipes-core/glibc/glibc-version.inc
@@ -1,6 +1,6 @@
 SRCBRANCH ?= "release/2.35/master"
 PV = "2.35"
-SRCREV_glibc ?= "561e9dadc02f46a7ba2190c0a04259583479f6c9"
+SRCREV_glibc ?= "73d4ce728a59deb2fd18969e559769b3f590fac9"
 SRCREV_localedef ?= "794da69788cbf9bf57b59a852f9f11307663fa87"
 
 GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git"
-- 
2.40.0


View/Reply Online (#188294): https://lists.openembedded.org/g/openembedded-core/message/188294



[OE-core][kirkstone][PATCH 1/1] shadow: Fix CVE-2023-4641

2023-09-21 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

shadow-utils: possible password leak during passwd(1) change

Signed-off-by: Soumya Sambu 
---
 .../shadow/files/CVE-2023-4641-0001.patch |  36 +
 .../shadow/files/CVE-2023-4641-0002.patch | 147 ++
 meta/recipes-extended/shadow/shadow.inc   |   2 +
 3 files changed, 185 insertions(+)
 create mode 100644 meta/recipes-extended/shadow/files/CVE-2023-4641-0001.patch
 create mode 100644 meta/recipes-extended/shadow/files/CVE-2023-4641-0002.patch

diff --git a/meta/recipes-extended/shadow/files/CVE-2023-4641-0001.patch 
b/meta/recipes-extended/shadow/files/CVE-2023-4641-0001.patch
new file mode 100644
index 00..2d3c462f4d
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/CVE-2023-4641-0001.patch
@@ -0,0 +1,36 @@
+From 58b6e97a9eef866e9e479fb781aaaf59fb11ef36 Mon Sep 17 00:00:00 2001
+From: Christian Göttsche 
+Date: Mon Apr 25 12:17:40 2022 +0200
+Subject: [PATCH 1/2] passwd: erase password copy on all error branches
+
+CVE: CVE-2023-4641
+
+Upstream-Status: Backport 
[https://github.com/shadow-maint/shadow/commit/58b6e97a9eef866e9e479fb781aaaf59fb11ef36]
+
+Signed-off-by: Soumya Sambu 
+---
+ src/passwd.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/passwd.c b/src/passwd.c
+index 80531ec..8c6f81a 100644
+--- a/src/passwd.c
 b/src/passwd.c
+@@ -289,6 +289,7 @@ static int new_password (const struct passwd *pw)
+   cp = getpass (_("New password: "));
+   if (NULL == cp) {
+   memzero (orig, sizeof orig);
++  memzero (pass, sizeof pass);
+   return -1;
+   }
+   if (warned && (strcmp (pass, cp) != 0)) {
+@@ -316,6 +317,7 @@ static int new_password (const struct passwd *pw)
+   cp = getpass (_("Re-enter new password: "));
+   if (NULL == cp) {
+   memzero (orig, sizeof orig);
++  memzero (pass, sizeof pass);
+   return -1;
+   }
+   if (strcmp (cp, pass) != 0) {
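Review bot: the two hunks wipe `pass` only on the `NULL == cp` branches of the two getpass() calls; the subject says 'erase password copy on all error branches', so please confirm that the `if (warned && (strcmp (pass, cp) != 0))` path the first hunk ends on and the `if (strcmp (cp, pass) != 0)` path the second hunk ends on also clear `pass` before returning (neither body is visible here). One format nit: the `Date:` line is in `git log` form (`Mon Apr 25 12:17:40 2022 +0200`) rather than the RFC 2822 form that `git format-patch` emits; regenerating with `git format-patch -1 58b6e97a` keeps the author date in the shape `git am` expects.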
+--
+2.40.0
diff --git a/meta/recipes-extended/shadow/files/CVE-2023-4641-0002.patch 
b/meta/recipes-extended/shadow/files/CVE-2023-4641-0002.patch
new file mode 100644
index 00..a37379d7a0
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/CVE-2023-4641-0002.patch
@@ -0,0 +1,147 @@
+From 65c88a43a23c2391dcc90c0abda3e839e9c57904 Mon Sep 17 00:00:00 2001
+From: Alejandro Colomar 
+Date: Sat, 10 Jun 2023 16:20:05 +0200
+Subject: [PATCH 2/2] gpasswd(1): Fix password leak
+
+How to trigger this password leak?
+~~
+
+When gpasswd(1) asks for the new password, it asks twice (as is usual
+for confirming the new password).  Each of those 2 password prompts
+uses agetpass() to get the password.  If the second agetpass() fails,
+the first password, which has been copied into the 'static' buffer
+'pass' via STRFCPY(), wasn't being zeroed.
+
+agetpass() is defined in <./libmisc/agetpass.c> (around line 91), and
+can fail for any of the following reasons:
+
+-  malloc(3) or readpassphrase(3) failure.
+
+   These are going to be difficult to trigger.  Maybe getting the system
+   to the limits of memory utilization at that exact point, so that the
+   next malloc(3) gets ENOMEM, and possibly even the OOM is triggered.
+   About readpassphrase(3), ENFILE and EINTR seem the only plausible
+   ones, and EINTR probably requires privilege or being the same user;
+   but I wouldn't discard ENFILE so easily, if a process starts opening
+   files.
+
+-  The password is longer than PASS_MAX.
+
+   The is plausible with physical access.  However, at that point, a
+   keylogger will be a much simpler attack.
+
+And, the attacker must be able to know when the second password is being
+introduced, which is not going to be easy.
+
+How to read the password after the leak?
+
+
+Provoking the leak yourself at the right point by entering a very long
+password is easy, and inspecting the process stack at that point should
+be doable.  Try to find some consistent patterns.
+
+Then, search for those patterns in free memory, right after the victim
+leaks their password.
+
+Once you get the leak, a program should read all the free memory
+searching for patterns that gpasswd(1) leaves nearby the leaked
+password.
+
+On 6/10/23 03:14, Seth Arnold wrote:
+> An attacker process wouldn't be able to use malloc(3) for this task.
+> There's a handful of tools available for userspace to allocate memory:
+>
+> -  brk / sbrk
+> -  mmap MAP_ANONYMOUS
+> -  mmap /dev/zero
+> -  mmap some other file
+> -  shm_open
+> -  shmget
+>
+> Most of these return only pages of zeros to a process.  Using mmap of an
+> existing file, you can get some of the contents of the file demand-loaded
+> into the memory space on the first use.
+>
+> The MAP_UNINITIALIZED flag only works if the kernel was compiled with
+> CONFIG_MMAP_ALLOW_UNINITIALIZ
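The property the two shadow patches above restore, as an added worked example that is not shadow's code and not part of this thread: a new password is read twice into static scratch buffers (like shadow's static 'pass'), and every exit path, including a failed second prompt, wipes both copies. The prompt callback, the scripted test double, PASS_MAX's value and all function names are assumptions of this example; secure_zero is a volatile-store loop standing in for memzero/explicit_bzero.

```c
/* Added example (assumed names; not shadow's code): erase every password copy
 * on every error branch, the behaviour the CVE-2023-4641 fixes restore. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PASS_MAX 200            /* assumed limit for this example */

/* Static copies, as with shadow's 'pass': they outlive the call, so a return
 * without zeroing leaves the secret in the process image. */
static char pass_first[PASS_MAX + 1];
static char pass_second[PASS_MAX + 1];

/* A prompt fills buf with a NUL-terminated string and returns 0, or returns -1
 * (models agetpass()/getpass() failing: ENOMEM, EINTR, input over PASS_MAX). */
typedef int (*prompt_fn)(const char *prompt, char *buf, size_t size, void *ctx);

/* Zero through a volatile pointer so the compiler cannot drop it as a dead store. */
static void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = p;
    while (n--)
        *vp++ = 0;
}

/* 1 if neither static copy still holds any byte of a password. */
static int scratch_is_clean(void)
{
    for (size_t i = 0; i < sizeof pass_first; i++)
        if (pass_first[i] || pass_second[i])
            return 0;
    return 1;
}

/* Pre-fix shape: a failed second prompt returns with pass_first intact. */
static int read_new_password_leaky(prompt_fn prompt, void *ctx, char *out, size_t out_size)
{
    if (prompt("New password: ", pass_first, sizeof pass_first, ctx) != 0)
        return -1;
    if (prompt("Re-enter new password: ", pass_second, sizeof pass_second, ctx) != 0)
        return -1;                              /* BUG: pass_first still holds the secret */
    if (strcmp(pass_first, pass_second) != 0 || strlen(pass_first) >= out_size) {
        secure_zero(pass_first, sizeof pass_first);
        secure_zero(pass_second, sizeof pass_second);
        return -1;
    }
    strcpy(out, pass_first);
    secure_zero(pass_first, sizeof pass_first);
    secure_zero(pass_second, sizeof pass_second);
    return 0;
}

/* Fixed shape: a single exit, so every branch wipes both copies. */
static int read_new_password(prompt_fn prompt, void *ctx, char *out, size_t out_size)
{
    int rc = -1;

    if (prompt("New password: ", pass_first, sizeof pass_first, ctx) != 0)
        goto done;
    if (prompt("Re-enter new password: ", pass_second, sizeof pass_second, ctx) != 0)
        goto done;
    if (strcmp(pass_first, pass_second) != 0 || strlen(pass_first) >= out_size)
        goto done;
    strcpy(out, pass_first);
    rc = 0;
done:
    secure_zero(pass_first, sizeof pass_first);
    secure_zero(pass_second, sizeof pass_second);
    return rc;
}

/* Constructed test double for the prompt: canned answers, and failure on call
 * number fail_at (0 = never fail). */
struct script {
    const char *answers[2];
    int fail_at;
    int calls;
};

static int scripted_prompt(const char *prompt, char *buf, size_t size, void *ctx)
{
    struct script *s = ctx;
    const char *answer;
    (void)prompt;
    s->calls++;
    if (s->calls == s->fail_at || s->calls > 2)
        return -1;
    answer = s->answers[s->calls - 1];
    if (strlen(answer) >= size)                 /* longer than PASS_MAX: prompt fails */
        return -1;
    strcpy(buf, answer);
    return 0;
}

int main(void)
{
    char out[64];
    struct script fail_second = { { "correct horse", "correct horse" }, 2, 0 };

    read_new_password_leaky(scripted_prompt, &fail_second, out, sizeof out);
    printf("leaky: scratch clean after failed 2nd prompt = %d\n", scratch_is_clean());

    fail_second.calls = 0;
    read_new_password(scripted_prompt, &fail_second, out, sizeof out);
    printf("fixed: scratch clean after failed 2nd prompt = %d\n", scratch_is_clean());
    return 0;
}
```

read_new_password_leaky keeps the early-return shape of the pre-fix code so the difference is observable through scratch_is_clean(); the single-exit form in read_new_password is what makes "all error branches" hold without having to remember each one.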

[OE-core][kirkstone][PATCH 1/1] go: Fix CVE-2023-39319

2023-09-14 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

The html/template package does not apply the proper rules for handling
occurrences of " contexts. This may cause the template parser to improperly
consider script contexts to be terminated early, causing actions to be
improperly escaped. This could be leveraged to perform an XSS attack.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-39319

Signed-off-by: Soumya Sambu 
---
 meta/recipes-devtools/go/go-1.17.13.inc   |   3 +-
 .../go/go-1.20/CVE-2023-39319.patch   | 254 ++
 2 files changed, 256 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-devtools/go/go-1.20/CVE-2023-39319.patch

diff --git a/meta/recipes-devtools/go/go-1.17.13.inc 
b/meta/recipes-devtools/go/go-1.17.13.inc
index 91dd886cd0..c753a26a7e 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -1,6 +1,6 @@
 require go-common.inc
 
-FILESEXTRAPATHS:prepend := 
"${FILE_DIRNAME}/go-1.21:${FILE_DIRNAME}/go-1.19:${FILE_DIRNAME}/go-1.18:"
+FILESEXTRAPATHS:prepend := 
"${FILE_DIRNAME}/go-1.21:${FILE_DIRNAME}/go-1.20:${FILE_DIRNAME}/go-1.19:${FILE_DIRNAME}/go-1.18:"
 
 LIC_FILES_CHKSUM = "file://LICENSE;md5=5d4950ecb7b26d2c5e4e7b4e0dd74707"
 
@@ -43,6 +43,7 @@ SRC_URI += "\
 file://CVE-2023-24531_1.patch \
 file://CVE-2023-24531_2.patch \
 file://CVE-2023-29409.patch \
+file://CVE-2023-39319.patch \
 "
 SRC_URI[main.sha256sum] = 
"a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
 
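Review bot: the `FILESEXTRAPATHS:prepend` change inserts `${FILE_DIRNAME}/go-1.20` ahead of go-1.19 for a go-1.17.13 recipe, which affects every `file://` in this recipe's SRC_URI, not just the new one: any file of the same name present in both go-1.20 and go-1.19 is now taken from go-1.20. Please either confirm no existing patch name collides, or put the kirkstone backport in a directory already on the search path (the diffstat shows it landing as `.../go/go-1.20/CVE-2023-39319.patch`) so the lookup order for the other CVE patches stays as it was.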
diff --git a/meta/recipes-devtools/go/go-1.20/CVE-2023-39319.patch 
b/meta/recipes-devtools/go/go-1.20/CVE-2023-39319.patch
new file mode 100644
index 00..1554aa975c
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.20/CVE-2023-39319.patch
@@ -0,0 +1,254 @@
+From 2070531d2f53df88e312edace6c8dfc9686ab2f5 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker 
+Date: Thu Aug 3 12:28:28 2023 -0700
+Subject: [PATCH] html/template: properly handle special tags within the script
+ context
+
+The HTML specification has incredibly complex rules for how to handle
+"

[OE-core][kirkstone][PATCH 1/1] libxml2: Fix CVE-2023-39615

2023-09-07 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

Xmlsoft Libxml2 v2.11.0 was discovered to contain a global buffer overflow via
the xmlSAX2StartElement() function at /libxml2/SAX2.c. This vulnerability
allows attackers to cause a Denial of Service (DoS) via supplying a crafted XML
file.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-39615

Signed-off-by: Soumya Sambu 
---
 .../libxml/libxml2/CVE-2023-39615-0001.patch  | 37 ++
 .../libxml/libxml2/CVE-2023-39615-0002.patch  | 72 +++
 meta/recipes-core/libxml/libxml2_2.9.14.bb|  2 +
 3 files changed, 111 insertions(+)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-39615-0001.patch
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-39615-0002.patch

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-39615-0001.patch 
b/meta/recipes-core/libxml/libxml2/CVE-2023-39615-0001.patch
new file mode 100644
index 00..3506779c4c
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-39615-0001.patch
@@ -0,0 +1,37 @@
+From d0c3f01e110d54415611c5fa0040cdf4a56053f9 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer 
+Date: Sat May 6 17:47:37 2023 +0200
+Subject: [PATCH 1/2] parser: Fix old SAX1 parser with custom callbacks
+
+For some reason, xmlCtxtUseOptionsInternal set the start and end element
+SAX handlers to the internal DOM builder functions when XML_PARSE_SAX1
+was specified. This means that custom SAX handlers could never work with
+that flag because these functions would receive the wrong user data
+argument and crash immediately.
+
+Fixes #535.
+
+CVE: CVE-2023-39615
+
+Upstream-Status: Backport 
[https://gitlab.gnome.org/GNOME/libxml2/-/commit/d0c3f01e110d54415611c5fa0040cdf4a56053f9]
+
+Signed-off-by: Soumya Sambu 
+---
+ parser.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/parser.c b/parser.c
+index 0f76577..b781c80 100644
+--- a/parser.c
 b/parser.c
+@@ -15069,8 +15069,6 @@ xmlCtxtUseOptionsInternal(xmlParserCtxtPtr ctxt, int 
options, const char *encodi
+ }
+ #ifdef LIBXML_SAX1_ENABLED
+ if (options & XML_PARSE_SAX1) {
+-ctxt->sax->startElement = xmlSAX2StartElement;
+-ctxt->sax->endElement = xmlSAX2EndElement;
+ ctxt->sax->startElementNs = NULL;
+ ctxt->sax->endElementNs = NULL;
+ ctxt->sax->initialized = 1;
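Review bot: on its own this hunk regresses the XML_PARSE_SAX1 path: a handler set up through xmlSAXVersion(hdlr, 2) has startElement/endElement set to NULL (see the two `hdlr->startElement = NULL; hdlr->endElement = NULL;` lines removed in the 0002 patch), so after this change nothing would handle elements at all until 0002 re-initialises them. The two patches must land together, and the recipe should list 0002 directly after 0001 so a partial cherry-pick cannot apply only this one.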
+--
+2.40.0
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-39615-0002.patch 
b/meta/recipes-core/libxml/libxml2/CVE-2023-39615-0002.patch
new file mode 100644
index 00..d922ddc730
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-39615-0002.patch
@@ -0,0 +1,72 @@
+From 235b15a590eecf97b09e87bdb7e4f8333e9de129 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer 
+Date: Mon May 8 17:58:02 2023 +0200
+Subject: [PATCH 2/2] SAX: Always initialize SAX1 element handlers
+
+Follow-up to commit d0c3f01e. A parser context will be initialized to
+SAX version 2, but this can be overridden with XML_PARSE_SAX1 later,
+so we must initialize the SAX1 element handlers as well.
+
+Change the check in xmlDetectSAX2 to only look for XML_SAX2_MAGIC, so
+we don't switch to SAX1 if the SAX2 element handlers are NULL.
+
+CVE: CVE-2023-39615
+
+Upstream-Status: Backport 
[https://gitlab.gnome.org/GNOME/libxml2/-/commit/235b15a590eecf97b09e87bdb7e4f8333e9de129]
+
+Signed-off-by: Soumya Sambu 
+---
+ SAX2.c   | 11 +++
+ parser.c |  5 +
+ 2 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/SAX2.c b/SAX2.c
+index 0319246..f7c77c2 100644
+--- a/SAX2.c
 b/SAX2.c
+@@ -2842,20 +2842,23 @@ xmlSAXVersion(xmlSAXHandler *hdlr, int version)
+ {
+ if (hdlr == NULL) return(-1);
+ if (version == 2) {
+-  hdlr->startElement = NULL;
+-  hdlr->endElement = NULL;
+   hdlr->startElementNs = xmlSAX2StartElementNs;
+   hdlr->endElementNs = xmlSAX2EndElementNs;
+   hdlr->serror = NULL;
+   hdlr->initialized = XML_SAX2_MAGIC;
+ #ifdef LIBXML_SAX1_ENABLED
+ } else if (version == 1) {
+-  hdlr->startElement = xmlSAX2StartElement;
+-  hdlr->endElement = xmlSAX2EndElement;
+   hdlr->initialized = 1;
+ #endif /* LIBXML_SAX1_ENABLED */
+ } else
+ return(-1);
++#ifdef LIBXML_SAX1_ENABLED
++hdlr->startElement = xmlSAX2StartElement;
++hdlr->endElement = xmlSAX2EndElement;
++#else
++hdlr->startElement = NULL;
++hdlr->endElement = NULL;
++#endif /* LIBXML_SAX1_ENABLED */
+ hdlr->internalSubset = xmlSAX2InternalSubset;
+ hdlr->externalSubset = xmlSAX2ExternalSubset;
+ hdlr->isStandalone = xmlSAX2IsStandalone;
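Review bot: with LIBXML_SAX1_ENABLED a version-2 handler now carries non-NULL SAX1 element callbacks as well, so the old xmlDetectSAX2 heuristic (a NULL startElement meaning "SAX2") would misclassify every handler; this hunk is only safe together with the parser.c change below that keys detection on XML_SAX2_MAGIC alone, so please keep them in one patch as upstream did. The `#else` branch that nulls startElement/endElement keeps the non-SAX1 build's behaviour unchanged and deserves a sentence in the patch description.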
+diff --git a/parser.c b/parser.c
+index b781c80..738dbee 100644
+--- a/parser.c
 b/parser.c
+@@ -1109,10 +1109,7 @@ xmlDetectSAX2(xmlParserCtxtPtr ctxt) {
+ if (ctxt == NULL) return;
+ sax = ctxt->sax;
+ #ifdef LIBXML_SAX1_ENABLED
+-if ((sax) &&  (sax->initialized == XML_SAX2_MAGIC) &&
+-((sax->startElementNs != NULL) ||
+- (sax->endElementNs != NULL) ||
+- ((sax->startElement == NULL) && (sax->endElement == NULL
+
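Review bot: the archive cuts this hunk off after the removed lines, so the replacement condition is not visible here; per the commit message it should reduce to testing `sax->initialized == XML_SAX2_MAGIC` only. Anyone applying from this mail rather than from the upstream commits d0c3f01e/235b15a5 should diff parser.c against upstream before building.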

[oe-core][kirkstone][PATCH 1/1] ncurses: fix CVE-2023-29491

2023-09-01 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

Backport patch to fix CVE-2023-29491.

Signed-off-by: Soumya Sambu 
---
 .../ncurses/files/CVE-2023-29491.patch| 464 ++
 .../ncurses/ncurses_6.3+20220423.bb   |   1 +
 2 files changed, 465 insertions(+)
 create mode 100644 meta/recipes-core/ncurses/files/CVE-2023-29491.patch

diff --git a/meta/recipes-core/ncurses/files/CVE-2023-29491.patch 
b/meta/recipes-core/ncurses/files/CVE-2023-29491.patch
new file mode 100644
index 00..957ff9b8b2
--- /dev/null
+++ b/meta/recipes-core/ncurses/files/CVE-2023-29491.patch
@@ -0,0 +1,464 @@
+From eb51b1ea1f75a0ec17c9c5937cb28df1e8eeec56 Mon Sep 17 00:00:00 2001
+From: Thomas E. Dickey 
+Date: Sun, 9 Apr 2023 05:38:25 +0530
+Subject: [PATCH] Fix CVE-2023-29491
+
+CVE: CVE-2023-29491
+
+Upstream-Status: Backport 
[http://ncurses.scripts.mit.edu/?p=ncurses.git;a=commitdiff;h=eb51b1ea1f75a0ec17c9c5937cb28df1e8eeec56]
+
+Signed-off-by: Chen Qi 
+
+Signed-off-by: Soumya Sambu 
+---
+ ncurses/tinfo/lib_tgoto.c  |  10 +++-
+ ncurses/tinfo/lib_tparm.c  | 116 -
+ ncurses/tinfo/read_entry.c |   3 +
+ progs/tic.c|   6 ++
+ progs/tparm_type.c |   9 +++
+ progs/tparm_type.h |   2 +
+ progs/tput.c   |  61 ---
+ 7 files changed, 185 insertions(+), 22 deletions(-)
+
+diff --git a/ncurses/tinfo/lib_tgoto.c b/ncurses/tinfo/lib_tgoto.c
+index 9cf5e100..c50ed4df 100644
+--- a/ncurses/tinfo/lib_tgoto.c
 b/ncurses/tinfo/lib_tgoto.c
+@@ -207,6 +207,14 @@ tgoto(const char *string, int x, int y)
+   result = tgoto_internal(string, x, y);
+ else
+ #endif
+-  result = TIPARM_2(string, y, x);
++if ((result = TIPARM_2(string, y, x)) == NULL) {
++  /*
++   * Because termcap did not provide a more general solution such as
++   * tparm(), it was necessary to handle single-parameter capabilities
++   * using tgoto().  The internal _nc_tiparm() function returns a NULL
++   * for that case; retry for the single-parameter case.
++   */
++  result = TIPARM_1(string, y);
++}
+ returnPtr(result);
+ }
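Review bot: the retry treats every NULL from TIPARM_2 as "single-parameter capability", including a NULL returned for a malformed string, so a bad capability is parsed twice; that is harmless but the comment could say so. NULL is still returned to callers when both attempts fail, so call sites in the image that pass the result of tgoto() straight to tputs() without a check are worth reviewing.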
+diff --git a/ncurses/tinfo/lib_tparm.c b/ncurses/tinfo/lib_tparm.c
+index d9bdfd8f..a10a3877 100644
+--- a/ncurses/tinfo/lib_tparm.c
 b/ncurses/tinfo/lib_tparm.c
+@@ -1086,6 +1086,64 @@ tparam_internal(TPARM_STATE *tps, const char *string, 
TPARM_DATA *data)
+ return (TPS(out_buff));
+ }
+ 
++#ifdef CUR
++/*
++ * Only a few standard capabilities accept string parameters.  The others that
++ * are parameterized accept only numeric parameters.
++ */
++static bool
++check_string_caps(TPARM_DATA *data, const char *string)
++{
++bool result = FALSE;
++
++#define CHECK_CAP(name) (VALID_STRING(name) && !strcmp(name, string))
++
++/*
++ * Disallow string parameters unless we can check them against a terminal
++ * description.
++ */
++if (cur_term != NULL) {
++  int want_type = 0;
++
++  if (CHECK_CAP(pkey_key))
++  want_type = 2;  /* function key #1, type string #2 */
++  else if (CHECK_CAP(pkey_local))
++  want_type = 2;  /* function key #1, execute string #2 */
++  else if (CHECK_CAP(pkey_xmit))
++  want_type = 2;  /* function key #1, transmit string #2 */
++  else if (CHECK_CAP(plab_norm))
++  want_type = 2;  /* label #1, show string #2 */
++  else if (CHECK_CAP(pkey_plab))
++  want_type = 6;  /* function key #1, type string #2, show string 
#3 */
++#if NCURSES_XNAMES
++  else {
++  char *check;
++
++  check = tigetstr("Cs");
++  if (CHECK_CAP(check))
++  want_type = 1;  /* style #1 */
++
++  check = tigetstr("Ms");
++  if (CHECK_CAP(check))
++  want_type = 3;  /* storage unit #1, content #2 */
++  }
++#endif
++
++  if (want_type == data->tparm_type) {
++  result = TRUE;
++  } else {
++  T(("unexpected string-parameter"));
++  }
++}
++return result;
++}
++
++#define ValidCap() (myData.tparm_type == 0 || \
++  check_string_caps(&myData, string))
++#else
++#define ValidCap() 1
++#endif
++
+ #if NCURSES_TPARM_VARARGS
+ 
+ NCURSES_EXPORT(char *)
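Review bot: check_string_caps() leaves result FALSE when cur_term is NULL, so after this change tparm() with a string-typed parameter fails unless setupterm()/newterm() has been called first; that is the stated intent of the comment ("Disallow string parameters unless we can check them against a terminal description"), but it is a behaviour change for programs that format capabilities before terminal setup and should be mentioned in the recipe's commit message. Minor: want_type is a bit mask of which parameters are strings (6 means parameters 2 and 3 for pkey_plab), which the inline comments hint at; a one-line note above the function would make it explicit.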
+@@ -1100,7 +1158,7 @@ tparm(const char *string, ...)
+ tps->tname = "tparm";
+ #endif /* TRACE */
+ 
+-if (tparm_setup(cur_term, string, &myData) == OK) {
++if (tparm_setup(cur_term, string, &myData) == OK && ValidCap()) {
+   va_list ap;
+ 
+   va_start(ap, string);
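Review bot: `tparm_setup(cur_term, string, &myData) == OK && ValidCap()` short-circuits, so ValidCap() only reads myData.tparm_type after setup has classified the parameters, which is required for correctness; the same pattern is repeated in the non-varargs tparm() and in tiparm() below, so a comment at this first use (or a shared helper) would stop the three copies drifting apart. A ValidCap() failure takes the same path as a setup failure with only a trace message, so callers cannot tell "invalid capability string" from "string parameter not permitted".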
+@@ -1135,7 +1193,7 @@ tparm(const char *string,
+ tps->tname = "tparm";
+ #endif /* TRACE */
+ 
+-if (tparm_setup(cur_term, string, &myData) == OK) {
++if (tparm_setup(cur_term, string, &myData) == OK && ValidCap()) {
+ 
+   myData.param[0] = a1;
+   myData.param[1] = a2;
+@@ -1166,7 +1224,7 @@ tiparm(const char *string, ...)
+ tps->tname = "tiparm";
+ #endif /* TRACE */
+ 
+-if (tparm_setup(cur_term, string, &myData) == OK)

[OE-core][kirkstone][PATCH 1/1] go: Fix CVE-2023-29409

2023-08-25 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

Extremely large RSA keys in certificate chains can cause a
client/server to expend significant CPU time verifying
signatures. With fix, the size of RSA keys transmitted
during handshakes is restricted to <= 8192 bits. Based on
a survey of publicly trusted RSA keys, there are currently
only three certificates in circulation with keys larger than
this, and all three appear to be test certificates that are
not actively deployed. It is possible there are larger keys
in use in private PKIs, but we target the web PKI, so causing
breakage here in the interests of increasing the default
safety of users of crypto/tls seems reasonable.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-29409

Signed-off-by: Soumya Sambu 
---
 meta/recipes-devtools/go/go-1.17.13.inc   |   1 +
 .../go/go-1.19/CVE-2023-29409.patch   | 175 ++
 2 files changed, 176 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.19/CVE-2023-29409.patch

diff --git a/meta/recipes-devtools/go/go-1.17.13.inc 
b/meta/recipes-devtools/go/go-1.17.13.inc
index e0f02f3e28..91dd886cd0 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -42,6 +42,7 @@ SRC_URI += "\
 file://CVE-2023-24536_3.patch \
 file://CVE-2023-24531_1.patch \
 file://CVE-2023-24531_2.patch \
+file://CVE-2023-29409.patch \
 "
 SRC_URI[main.sha256sum] = 
"a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
 
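Review bot: the new file is added under go-1.19/ while the recipe being patched is go-1.17.13.inc; this only resolves because the FILESEXTRAPATHS of that .inc includes ${FILE_DIRNAME}/go-1.19 (compare the FILESEXTRAPATHS hunk at the top of this thread, which touches an .inc with the same main.sha256sum). Please state that in the commit message, or place the patch in a directory named after the recipe, so a later clean-up of go-1.19/ does not silently drop a CVE fix from the 1.17 build.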
diff --git a/meta/recipes-devtools/go/go-1.19/CVE-2023-29409.patch 
b/meta/recipes-devtools/go/go-1.19/CVE-2023-29409.patch
new file mode 100644
index 00..38451f7555
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.19/CVE-2023-29409.patch
@@ -0,0 +1,175 @@
+From 2300f7ef07718f6be4d8aa8486c7de99836e233f Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker 
+Date: Wed, 23 Aug 2023 12:03:43 +
+Subject: [PATCH] crypto/tls: restrict RSA keys in certificates to <= 8192 bits
+
+Extremely large RSA keys in certificate chains can cause a client/server
+to expend significant CPU time verifying signatures. Limit this by
+restricting the size of RSA keys transmitted during handshakes to <=
+8192 bits.
+
+Based on a survey of publicly trusted RSA keys, there are currently only
+three certificates in circulation with keys larger than this, and all
+three appear to be test certificates that are not actively deployed. It
+is possible there are larger keys in use in private PKIs, but we target
+the web PKI, so causing breakage here in the interests of increasing the
+default safety of users of crypto/tls seems reasonable.
+
+Thanks to Mateusz Poliwczak for reporting this issue.
+
+Updates #61460
+Fixes #61579
+Fixes CVE-2023-29409
+
+Change-Id: Ie35038515a649199a36a12fc2c5df3af855dca6c
+Reviewed-on: 
https://team-review.git.corp.google.com/c/golang/go-private/+/1912161
+Reviewed-by: Damien Neil 
+Reviewed-by: Tatiana Bradley 
+Run-TryBot: Roland Shoemaker 
+(cherry picked from commit d865c715d92887361e4bd5596e19e513f27781b7)
+Reviewed-on: 
https://team-review.git.corp.google.com/c/golang/go-private/+/1965487
+Reviewed-on: https://go-review.googlesource.com/c/go/+/514915
+Run-TryBot: David Chase 
+Reviewed-by: Matthew Dempsky 
+TryBot-Bypass: David Chase 
+
+CVE: CVE-2023-29409
+
+Upstream-Status: Backport 
[https://github.com/golang/go/commit/2300f7ef07718f6be4d8aa8486c7de99836e233f]
+
+Signed-off-by: Soumya Sambu 
+---
+ src/crypto/tls/handshake_client.go  |  8 +++
+ src/crypto/tls/handshake_client_test.go | 78 +
+ src/crypto/tls/handshake_server.go  |  4 ++
+ 3 files changed, 90 insertions(+)
+
+diff --git a/src/crypto/tls/handshake_client.go 
b/src/crypto/tls/handshake_client.go
+index 85622f1..828d2cb 100644
+--- a/src/crypto/tls/handshake_client.go
 b/src/crypto/tls/handshake_client.go
+@@ -852,6 +852,10 @@ func (hs *clientHandshakeState) sendFinished(out []byte) 
error {
+   return nil
+ }
+
++// maxRSAKeySize is the maximum RSA key size in bits that we are willing
++// to verify the signatures of during a TLS handshake.
++const maxRSAKeySize = 8192
++
+ // verifyServerCertificate parses and verifies the provided chain, setting
+ // c.verifiedChains and c.peerCertificates or sending the appropriate alert.
+ func (c *Conn) verifyServerCertificate(certificates [][]byte) error {
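Review bot: maxRSAKeySize is unexported and declared in handshake_client.go, but the diffstat shows handshake_server.go also grows by four lines, so the server-side check presumably references the same constant; fine within package tls, but that hunk is cut from this archive, so please confirm the backport compiles with both files applied and that client certificates are subject to the same limit.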
+@@ -862,6 +866,10 @@ func (c *Conn) verifyServerCertificate(certificates 
[][]byte) error {
+   c.sendAlert(alertBadCertificate)
+   return errors.New("tls: failed to parse certificate 
from server: " + err.Error())
+   }
++  if cert.PublicKeyAlgorithm == x509.RSA && 
cert.PublicKey.(*rsa.PublicKey).N.BitLen() > maxRSAKeySize {
++  c.sendAlert(alertBadCertificate)
++  return fmt.Errorf("tls: server sent certificate 
containing RSA key larger than %d bits", maxRSAKeySize)
++  }
+   certs[i] = cert
+   }
+
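Review bot: the check runs inside the parse loop before chain verification, so any certificate in the presented chain (not only the one that chains to a root) with a modulus over maxRSAKeySize aborts the handshake with bad_certificate; that is the point for the DoS case, but it is also a hard behaviour change for private PKIs, and the new string `tls: server sent certificate containing RSA key larger than 8192 bits` is the one to watch for in client logs after the update. The type assertion `cert.PublicKey.(*rsa.PublicKey)` is guarded by the PublicKeyAlgorithm test, and x509.ParseCertificate has already failed on an unparsable RSA key, so there is no panic path here.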
+
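The commit message above explains the policy (refuse RSA keys wider than 8192 bits before paying for signature verification) but the archive only shows the client-side hunk. The following is an added example, not Go's own code and not part of this patch, showing how an application on a toolchain without this fix can enforce the same limit itself through `tls.Config.VerifyPeerCertificate`. The names `ParseAndCheckRSA`, `VerifyWithKeyLimit`, `ClientConfig` and `SelfSignedRSACert` are the example's own, and the fixture is a constructed 2048-bit self-signed certificate: lowering the limit to 1024 bits stands in for a real oversized key, which would be far too slow to generate here. The caveat the example encodes is that crypto/tls runs its own chain verification before any `VerifyPeerCertificate` callback, so to avoid the expensive verification entirely the config sets `InsecureSkipVerify: true` and performs the full chain and host-name check inside the callback.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const MaxRSAKeyBits = 8192 // the limit the upstream crypto/tls fix hard-codes

// ParseAndCheckRSA parses the DER certificates a peer presented and rejects any RSA modulus wider than maxBits.
func ParseAndCheckRSA(rawCerts [][]byte, maxBits int) ([]*x509.Certificate, error) {
	if len(rawCerts) == 0 {
		return nil, fmt.Errorf("tls: peer presented no certificates")
	}
	certs := make([]*x509.Certificate, 0, len(rawCerts))
	for i, raw := range rawCerts {
		cert, err := x509.ParseCertificate(raw)
		if err != nil {
			return nil, fmt.Errorf("tls: failed to parse certificate %d from peer: %w", i, err)
		}
		if cert.PublicKeyAlgorithm == x509.RSA {
			pub, ok := cert.PublicKey.(*rsa.PublicKey)
			if !ok {
				return nil, fmt.Errorf("tls: certificate %d declares RSA but carries no RSA key", i)
			}
			if bits := pub.N.BitLen(); bits > maxBits {
				return nil, fmt.Errorf("tls: peer sent certificate containing RSA key larger than %d bits (%d)", maxBits, bits)
			}
		}
		certs = append(certs, cert)
	}
	return certs, nil
}

// VerifyWithKeyLimit returns a VerifyPeerCertificate callback that applies the size check first and only
// then verifies the chain and host name itself. Pair it with InsecureSkipVerify: true, otherwise crypto/tls
// verifies the chain (paying the cost the CVE describes) before any callback runs. roots == nil means system roots.
func VerifyWithKeyLimit(roots *x509.CertPool, serverName string, maxBits int) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		certs, err := ParseAndCheckRSA(rawCerts, maxBits)
		if err != nil {
			return err
		}
		opts := x509.VerifyOptions{Roots: roots, DNSName: serverName, Intermediates: x509.NewCertPool()}
		for _, c := range certs[1:] {
			opts.Intermediates.AddCert(c)
		}
		_, err = certs[0].Verify(opts)
		return err
	}
}

// ClientConfig wires the callback into a client tls.Config for serverName.
func ClientConfig(roots *x509.CertPool, serverName string, maxBits int) *tls.Config {
	return &tls.Config{
		ServerName:            serverName,
		MinVersion:            tls.VersionTLS12,
		InsecureSkipVerify:    true, // the callback below performs the real verification
		VerifyPeerCertificate: VerifyWithKeyLimit(roots, serverName, maxBits),
	}
}

// SelfSignedRSACert is a constructed fixture: a self-signed RSA certificate valid for host, DER-encoded and parsed.
func SelfSignedRSACert(host string, bits int) ([]byte, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return der, cert, err
}

func main() {
	der, cert, err := SelfSignedRSACert("example.test", 2048)
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	fmt.Println("limit 8192:", ClientConfig(roots, "example.test", MaxRSAKeyBits).VerifyPeerCertificate([][]byte{der}, nil))
	fmt.Println("limit 1024:", VerifyWithKeyLimit(roots, "example.test", 1024)([][]byte{der}, nil))
}
```

`InsecureSkipVerify` here is not a weakening: the callback rejects an oversized key, then calls `Verify` with the intended roots and `DNSName`, so a name mismatch or an untrusted issuer still fails the handshake. Once the toolchain carries the fix, the callback becomes redundant and the config can drop `InsecureSkipVerify`.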

[oe-core][kirkstone][PATCH 1/1] glib-2.0: Fix CVE-2023-32643 and CVE-2023-32636

2023-08-22 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

fuzz_variant_binary_byteswap: Heap-buffer-overflow in 
g_variant_serialised_get_child

fuzz_variant_text: Timeout in fuzz_variant_text

Signed-off-by: Soumya Sambu 
---
 .../glib-2.0/glib-2.0/CVE-2023-32636.patch|  50 ++
 .../glib-2.0/glib-2.0/CVE-2023-32643.patch| 155 ++
 meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb |   2 +
 3 files changed, 207 insertions(+)
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32636.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32643.patch

diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32636.patch 
b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32636.patch
new file mode 100644
index 00..311993625a
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32636.patch
@@ -0,0 +1,50 @@
+From 21a204147b16539b3eda3143b32844c49e29f4d4 Mon Sep 17 00:00:00 2001
+From: Philip Withnall 
+Date: Thu, 17 Aug 2023 11:33:49 +
+Subject: [PATCH] gvariant: Propagate trust when getting a child of a
+ serialised variant
+
+If a variant is trusted, that means all its children are trusted, so
+ensure that their checked offsets are set as such.
+
+This allows a lot of the offset table checks to be avoided when getting
+children from trusted serialised tuples, which speeds things up.
+
+No unit test is included because this is just a performance fix. If
+there are other slownesses, or regressions, in serialised `GVariant`
+performance, the fuzzing setup will catch them like it did this one.
+
+This change does reduce the time to run the oss-fuzz reproducer from 80s
+to about 0.7s on my machine.
+
+Signed-off-by: Philip Withnall 
+
+Fixes: #2841
+oss-fuzz#54314
+
+CVE: CVE-2023-32636
+
+Upstream-Status: Backport 
[https://gitlab.gnome.org/GNOME/glib/-/commit/21a204147b16539b3eda3143b32844c49e29f4d4]
+
+Signed-off-by: Soumya Sambu 
+---
+ glib/gvariant-core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/glib/gvariant-core.c b/glib/gvariant-core.c
+index 7b71efc..a2c7d2d 100644
+--- a/glib/gvariant-core.c
 b/glib/gvariant-core.c
+@@ -1195,8 +1195,8 @@ g_variant_get_child_value (GVariant *value,
+ child->contents.serialised.bytes =
+   g_bytes_ref (value->contents.serialised.bytes);
+ child->contents.serialised.data = s_child.data;
+-child->contents.serialised.ordered_offsets_up_to = 
s_child.ordered_offsets_up_to;
+-child->contents.serialised.checked_offsets_up_to = 
s_child.checked_offsets_up_to;
++child->contents.serialised.ordered_offsets_up_to = (value->state & 
STATE_TRUSTED) ? G_MAXSIZE : s_child.ordered_offsets_up_to;
++child->contents.serialised.checked_offsets_up_to = (value->state & 
STATE_TRUSTED) ? G_MAXSIZE : s_child.checked_offsets_up_to;
+
+ return child;
+   }
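Review bot: setting ordered_offsets_up_to/checked_offsets_up_to to G_MAXSIZE for children of a STATE_TRUSTED parent skips every offset-table check on the child, so this is only sound if STATE_TRUSTED is granted exclusively after a full normal-form check of the whole serialised blob (the g_variant_is_normal_form() path in the CVE-2023-32665 series) or for data GLib serialised itself; please confirm in the 2.72 tree that no other path sets STATE_TRUSTED, since the backport is being applied to a base different from the one the upstream commit was tested on.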
+--
+2.40.0
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32643.patch 
b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32643.patch
new file mode 100644
index 00..b5cb4273b6
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32643.patch
@@ -0,0 +1,155 @@
+From 78da5faccb3e065116b75b3ff87ff55381da6c76 Mon Sep 17 00:00:00 2001
+From: Philip Withnall 
+Date: Thu, 17 Aug 2023 11:24:43 +
+Subject: [PATCH] gvariant: Check offset table doesn't fall outside variant
+ bounds
+
+When dereferencing the first entry in the offset table for a tuple,
+check that it doesn’t fall outside the bounds of the variant first.
+
+This prevents an out-of-bounds read from some non-normal tuples.
+
+This bug was introduced in commit 73d0aa81c2575a5c9ae77d.
+
+Includes a unit test, although the test will likely only catch the
+original bug if run with asan enabled.
+
+Signed-off-by: Philip Withnall 
+
+Fixes: #2840
+oss-fuzz#54302
+
+CVE: CVE-2023-32643
+
+Upstream-Status: Backport 
[https://gitlab.gnome.org/GNOME/glib/-/commit/78da5faccb3e065116b75b3ff87ff55381da6c76]
+
+Signed-off-by: Soumya Sambu 
+---
+ glib/gvariant-serialiser.c | 12 ++--
+ glib/tests/gvariant.c  | 63 ++
+ 2 files changed, 72 insertions(+), 3 deletions(-)
+
+diff --git a/glib/gvariant-serialiser.c b/glib/gvariant-serialiser.c
+index 3d6e7b8..5abb87e 100644
+--- a/glib/gvariant-serialiser.c
 b/glib/gvariant-serialiser.c
+@@ -979,7 +979,8 @@ gvs_tuple_get_member_bounds (GVariantSerialised  value,
+
+   member_info = g_variant_type_info_member_info (value.type_info, index_);
+
+-  if (member_info->i + 1)
++  if (member_info->i + 1 &&
++  offset_size * (member_info->i + 1) <= value.size)
+ member_start = gvs_read_unaligned_le (value.data + value.size -
+   offset_size * (member_info->i + 1),
+   offset_size);
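Review bot: the added condition `offset_size * (member_info->i + 1) <= value.size` guarantees the read at `value.data + value.size - offset_size * (member_info->i + 1)` stays inside the buffer, so an out-of-range table entry now takes the else branch (not shown) instead of reading before the data. The member end offset read a few lines further down needs the same guard; the second hunk looks like it adds it (it is cut off at `if (member`), so check the file against the full upstream commit before applying.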
+@@ -990,7 +991,8 @@ gvs_tuple_get_member_bounds (GVariantSerialised  value,
+   member_start &= member_info->b;
+   member_start |= member_info->c;
+
+-  if (member_info->ending_type == G_VARIANT_MEMBER_ENDING_LAST)
++  if (member

[oe-core][kirkstone][PATCH 1/1] glib-2.0: Fix CVE-2023-29499 and CVE-2023-32611

2023-08-22 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

GVariant offset table entry size is not checked in is_normal()

g_variant_byteswap() can take a long time with some non-normal inputs

Signed-off-by: Soumya Sambu 
---
 .../glib-2.0/glib-2.0/CVE-2023-29499.patch| 291 ++
 .../glib-2.0/CVE-2023-32611-0001.patch|  97 ++
 .../glib-2.0/CVE-2023-32611-0002.patch| 282 +
 meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb |   3 +
 4 files changed, 673 insertions(+)
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-29499.patch
 create mode 100644 
meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32611-0001.patch
 create mode 100644 
meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32611-0002.patch

diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-29499.patch 
b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-29499.patch
new file mode 100644
index 00..65174efa6d
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-29499.patch
@@ -0,0 +1,291 @@
+From 5f4485c4ff57fdefb1661531788def7ca5a47328 Mon Sep 17 00:00:00 2001
+From: Philip Withnall 
+Date: Thu, 17 Aug 2023 04:19:44 +
+Subject: [PATCH] gvariant-serialiser: Check offset table entry size is minimal
+
+The entries in an offset table (which is used for variable sized arrays
+and tuples containing variable sized members) are sized so that they can
+address every byte in the overall variant.
+
+The specification requires that for a variant to be in normal form, its
+offset table entries must be the minimum width such that they can
+address every byte in the variant.
+
+That minimality requirement was not checked in
+`g_variant_is_normal_form()`, leading to two different byte arrays being
+interpreted as the normal form of a given variant tree. That kind of
+confusion could potentially be exploited, and is certainly a bug.
+
+Fix it by adding the necessary checks on offset table entry width, and
+unit tests.
+
+Spotted by William Manley.
+
+Signed-off-by: Philip Withnall 
+
+Fixes: #2794
+
+CVE: CVE-2023-29499
+
+Upstream-Status: Backport 
[https://gitlab.gnome.org/GNOME/glib/-/commit/5f4485c4ff57fdefb1661531788def7ca5a47328]
+
+Signed-off-by: Soumya Sambu 
+---
+ glib/gvariant-serialiser.c |  19 +++-
+ glib/tests/gvariant.c  | 176 +
+ 2 files changed, 194 insertions(+), 1 deletion(-)
+
+diff --git a/glib/gvariant-serialiser.c b/glib/gvariant-serialiser.c
+index 9c7f12a..3d6e7b8 100644
+--- a/glib/gvariant-serialiser.c
 b/glib/gvariant-serialiser.c
+@@ -694,6 +694,10 @@ gvs_variable_sized_array_get_frame_offsets 
(GVariantSerialised value)
+   out.data_size = last_end;
+   out.array = value.data + last_end;
+   out.length = offsets_array_size / out.offset_size;
++
++  if (out.length > 0 && gvs_calculate_total_size (last_end, out.length) != 
value.size)
++return out;  /* offset size not minimal */
++
+   out.is_normal = TRUE;
+
+   return out;
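Review bot: `gvs_calculate_total_size (last_end, out.length) != value.size` rejects offset tables whose entries are wider than necessary, relying on that helper returning the size at the narrowest usable width (as the `/* offset size not minimal */` comment implies); a sentence in the patch description saying that is the normal-form rule from the GVariant spec would help future readers. The check is skipped when out.length == 0, which is only right if a non-empty serialisation carrying an empty table is rejected elsewhere; a comment pointing to where would help.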
+@@ -1201,6 +1205,7 @@ gvs_tuple_is_normal (GVariantSerialised value)
+   gsize length;
+   gsize offset;
+   gsize i;
++  gsize offset_table_size;
+
+   /* as per the comment in gvs_tuple_get_child() */
+   if G_UNLIKELY (value.data == NULL && value.size != 0)
+@@ -1305,7 +1310,19 @@ gvs_tuple_is_normal (GVariantSerialised value)
+   }
+   }
+
+-  return offset_ptr == offset;
++  /* @offset_ptr has been counting backwards from the end of the variant, to
++   * find the beginning of the offset table. @offset has been counting 
forwards
++   * from the beginning of the variant to find the end of the data. They 
should
++   * have met in the middle. */
++  if (offset_ptr != offset)
++return FALSE;
++
++  offset_table_size = value.size - offset_ptr;
++  if (value.size > 0 &&
++  gvs_calculate_total_size (offset, offset_table_size / offset_size) != 
value.size)
++return FALSE;  /* offset size not minimal */
++
++  return TRUE;
+ }
+
+ /* Variants {{{2
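Review bot: in `value.size > 0 && gvs_calculate_total_size (offset, offset_table_size / offset_size) != value.size` the operand order matters: if offset_size can be 0 for an empty serialised tuple, the division only avoids a divide-by-zero because `value.size > 0` is evaluated first; please add a comment so a later reordering does not reintroduce a crash in the normal-form check.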
+diff --git a/glib/tests/gvariant.c b/glib/tests/gvariant.c
+index 44e4451..ad45043 100644
+--- a/glib/tests/gvariant.c
 b/glib/tests/gvariant.c
+@@ -5076,6 +5076,86 @@ test_normal_checking_array_offsets2 (void)
+   g_variant_unref (variant);
+ }
+
++/* Test that an otherwise-valid serialised GVariant is considered non-normal 
if
++ * its offset table entries are too wide.
++ *
++ * See §2.3.6 (Framing Offsets) of the GVariant specification. */
++static void
++test_normal_checking_array_offsets_minimal_sized (void)
++{
++  GVariantBuilder builder;
++  gsize i;
++  GVariant *aay_constructed = NULL;
++  const guint8 *data = NULL;
++  guint8 *data_owned = NULL;
++  GVariant *aay_deserialised = NULL;
++  GVariant *aay_normalised = NULL;
++
++  /* Construct an array of type aay, consisting of 128 elements which are each
++   * an empty array, i.e. `[[] * 128]`. This is chosen because the inner
++   * elements are variable sized (making the outer array variable sized, so it
++   * must have an offset table), but they are also zero-sized when serialised.
++   * So the se
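The commit message above states the normal-form rule this series enforces (framing offsets must use the minimal width that can address every byte) and the truncated unit test describes its chosen input, 128 empty byte arrays, which fit in 128 bytes with 1-byte offsets but 256 bytes with 2-byte offsets. The block below is an added example, not GLib code and not part of this patch: a small Go model of the framing rules for a variable-sized array of byte arrays ("aay") that reproduces that case. `offsetSize` and `minimalTotalSize` follow the behaviour of `gvs_get_offset_size()` and `gvs_calculate_total_size()` as described by the hunks; `CheckArrayFraming` and `EncodeByteArrays` are the example's own names. The model ignores alignment padding (byte arrays have alignment 1) and covers arrays only, not tuples.

```go
package main

// offsetSize mirrors glib's gvs_get_offset_size(): the framing-offset width is fixed by the container size.
func offsetSize(size int) int {
	switch {
	case size == 0:
		return 0
	case size <= 0xff:
		return 1
	case size <= 0xffff:
		return 2
	case uint64(size) <= 0xffffffff:
		return 4
	}
	return 8
}

// minimalTotalSize mirrors gvs_calculate_total_size(): body plus n offsets at the narrowest usable width.
func minimalTotalSize(bodySize, n int) int {
	for _, w := range []int{1, 2, 4} {
		if t := bodySize + w*n; offsetSize(t) <= w {
			return t
		}
	}
	return bodySize + 8*n
}

// readLE decodes a little-endian unsigned integer of len(b) bytes.
func readLE(b []byte) int {
	v := uint64(0)
	for i := len(b) - 1; i >= 0; i-- {
		v = v<<8 | uint64(b[i])
	}
	return int(v)
}

// Framing is the verdict on a serialised variable-sized array such as "aay".
type Framing struct {
	OffsetSize int   // width of each framing offset in bytes
	Ends       []int // end offset of each element, in element order
	Normal     bool
	Reason     string // why Normal is false
}

// CheckArrayFraming applies the table checks glib already made (table inside the data, whole entries,
// entries in order) plus the one CVE-2023-29499 adds: the table must use the minimal offset width.
func CheckArrayFraming(data []byte) Framing {
	size := len(data)
	if size == 0 {
		return Framing{Normal: true} // empty array: no table at all
	}
	w := offsetSize(size)
	bad := func(why string) Framing { return Framing{OffsetSize: w, Reason: why} }
	lastEnd := readLE(data[size-w:]) // end of the last element == start of the table
	if lastEnd > size {
		return bad("offset table starts past end of data")
	}
	tableSize := size - lastEnd
	if tableSize == 0 || tableSize%w != 0 {
		return bad("offset table missing or not a whole number of entries")
	}
	n := tableSize / w
	ends := make([]int, n)
	for i, prev := 0, 0; i < n; i++ {
		end := readLE(data[lastEnd+i*w : lastEnd+(i+1)*w])
		if end < prev || end > lastEnd {
			return bad("element offsets out of order or past the table")
		}
		ends[i], prev = end, end
	}
	if minimalTotalSize(lastEnd, n) != size {
		return bad("offset size not minimal")
	}
	return Framing{OffsetSize: w, Ends: ends, Normal: true}
}

// EncodeByteArrays serialises elems as a GVariant "aay" with w-byte framing offsets; w == 0 selects the
// minimal width, while a wider w produces the non-minimal encodings the fix now rejects.
func EncodeByteArrays(elems [][]byte, w int) []byte {
	var out []byte
	ends := make([]int, len(elems))
	for i, e := range elems {
		out = append(out, e...)
		ends[i] = len(out)
	}
	if len(elems) == 0 {
		return out
	}
	if w == 0 {
		w = offsetSize(minimalTotalSize(len(out), len(elems)))
	}
	for _, e := range ends {
		for i := 0; i < w; i++ {
			out = append(out, byte(e>>(8*i)))
		}
	}
	return out
}
```

`CheckArrayFraming(EncodeByteArrays(make([][]byte, 128), 1))` reports normal, while the same 128 empty elements encoded with `w = 2` (256 bytes, which a pre-fix reader parses without complaint) now fails with "offset size not minimal"; this is the two-encodings-one-value ambiguity the commit message calls out.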

[oe-core][kirkstone][PATCH 1/1] glib-2.0: Fix CVE-2023-32665

2023-08-22 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

GVariant deserialisation does not match spec for non-normal data

Signed-off-by: Soumya Sambu 
---
 .../glib-2.0/CVE-2023-32665-0001.patch| 104 +
 .../glib-2.0/CVE-2023-32665-0002.patch| 211 +
 .../glib-2.0/CVE-2023-32665-0003.patch| 418 ++
 .../glib-2.0/CVE-2023-32665-0004.patch| 114 +
 .../glib-2.0/CVE-2023-32665-0005.patch|  81 
 .../glib-2.0/CVE-2023-32665-0006.patch| 397 +
 .../glib-2.0/CVE-2023-32665-0007.patch|  50 +++
 .../glib-2.0/CVE-2023-32665-0008.patch| 395 +
 .../glib-2.0/CVE-2023-32665-0009.patch|  98 
 meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb |   9 +
 10 files changed, 1877 insertions(+)
 create mode 100644 
meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0001.patch
 create mode 100644 
meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0002.patch
 create mode 100644 
meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0003.patch
 create mode 100644 
meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0004.patch
 create mode 100644 
meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0005.patch
 create mode 100644 
meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0006.patch
 create mode 100644 
meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0007.patch
 create mode 100644 
meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0008.patch
 create mode 100644 
meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0009.patch

diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0001.patch 
b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0001.patch
new file mode 100644
index 00..2b7536c42d
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0001.patch
@@ -0,0 +1,104 @@
+From 1deacdd4e8e35a5cf1417918ca4f6b0afa6409b1 Mon Sep 17 00:00:00 2001
+From: William Manley 
+Date: Wed, 9 Aug 2023 10:04:49 +
+Subject: [PATCH] gvariant-core: Consolidate construction of
+ `GVariantSerialised`
+
+So I only need to change it in one place.
+
+This introduces no functional changes.
+
+Helps: #2121
+
+CVE: CVE-2023-32665
+
+Upstream-Status: Backport 
[https://gitlab.gnome.org/GNOME/glib/-/commit/1deacdd4e8e35a5cf1417918ca4f6b0afa6409b1]
+
+Signed-off-by: Soumya 
+---
+ glib/gvariant-core.c | 49 ++--
+ 1 file changed, 25 insertions(+), 24 deletions(-)
+
+diff --git a/glib/gvariant-core.c b/glib/gvariant-core.c
+index a31d396..496f2e2 100644
+--- a/glib/gvariant-core.c
 b/glib/gvariant-core.c
+@@ -349,6 +349,27 @@ g_variant_ensure_size (GVariant *value)
+ }
+ }
+
++/* < private >
++ * g_variant_to_serialised:
++ * @value: a #GVariant
++ *
++ * Gets a GVariantSerialised for a GVariant in state STATE_SERIALISED.
++ */
++inline static GVariantSerialised
++g_variant_to_serialised (GVariant *value)
++{
++  g_assert (value->state & STATE_SERIALISED);
++  {
++GVariantSerialised serialised = {
++  value->type_info,
++  (gpointer) value->contents.serialised.data,
++  value->size,
++  value->depth,
++};
++return serialised;
++  }
++}
++
+ /* < private >
+  * g_variant_serialise:
+  * @value: a #GVariant
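Review bot: g_variant_to_serialised() initialises GVariantSerialised positionally (type_info, data, size, depth), so any field added to that struct later in this series is left zero-initialised here; that is presumably why the consolidation is a prerequisite for the rest of the fix, but a designated initialiser would make the intent explicit and survive field reordering. Also note that g_assert() compiles out under G_DISABLE_ASSERT, so callers must still check STATE_SERIALISED themselves, as the three call sites below do.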
+@@ -1007,16 +1028,8 @@ g_variant_n_children (GVariant *value)
+   g_variant_lock (value);
+
+   if (value->state & STATE_SERIALISED)
+-{
+-  GVariantSerialised serialised = {
+-value->type_info,
+-(gpointer) value->contents.serialised.data,
+-value->size,
+-value->depth,
+-  };
+-
+-  n_children = g_variant_serialised_n_children (serialised);
+-}
++n_children = g_variant_serialised_n_children (
++g_variant_to_serialised (value));
+   else
+ n_children = value->contents.tree.n_children;
+
+@@ -1083,12 +1096,7 @@ g_variant_get_child_value (GVariant *value,
+ }
+
+   {
+-GVariantSerialised serialised = {
+-  value->type_info,
+-  (gpointer) value->contents.serialised.data,
+-  value->size,
+-  value->depth,
+-};
++GVariantSerialised serialised = g_variant_to_serialised (value);
+ GVariantSerialised s_child;
+ GVariant *child;
+
+@@ -1201,14 +1209,7 @@ g_variant_is_normal_form (GVariant *value)
+
+   if (value->state & STATE_SERIALISED)
+ {
+-  GVariantSerialised serialised = {
+-value->type_info,
+-(gpointer) value->contents.serialised.data,
+-value->size,
+-value->depth
+-  };
+-
+-  if (g_variant_serialised_is_normal (serialised))
++  if (g_variant_serialised_is_normal (g_variant_to_serialised (value)))
+ value->state |= STATE_TRUSTED;
+ }
+   else
+--
+2.40.0
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0002.patch 
b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0002.patch
new file mode 100644
index 00..4eff85a5f3
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0002.patch
@@ -0,0 +1,211 @@
+From 446e69f5edd72deb2196de

Re: [oe-core][PATCH 1/1] perl: Fix CVE-2023-31486

2023-07-17 Thread Soumya via lists.openembedded.org
Sent v2 - 
https://lore.kernel.org/openembedded-core/20230718030636.1418247-1-soumya.sa...@windriver.com/T/#u

Regards,
Soumya

From: Alexandre Belloni 
Sent: Monday, July 17, 2023 7:14 PM
To: Sambu, Soumya 
Cc: openembedded-core@lists.openembedded.org 
; st...@sakoman.com 
; G Pillai, Hari 
Subject: Re: [oe-core][PATCH 1/1] perl: Fix CVE-2023-31486


Hello,

you pressed y instead of enter when git asked you what charset to use,
so the patch doesn't apply. Can you resend?


On 14/07/2023 03:25:10+0000, Soumya via lists.openembedded.org wrote:
> HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available
> standalone on CPAN, has an insecure default TLS configuration where
> users must opt in to verify certificates.
>
> References:
> https://nvd.nist.gov/vuln/detail/CVE-2023-31486
>
> Upstream patches:
> https://github.com/chansen/p5-http-tiny/commit/77f557ef84698efeb6eed04e4a9704eaf85b741d
> https://github.com/chansen/p5-http-tiny/commit/a22785783b17cbaa28afaee4a024d81a1903701d
>
> Signed-off-by: Soumya 
> ---
>  .../perl/files/CVE-2023-31486-0001.patch  | 217 ++
>  .../perl/files/CVE-2023-31486-0002.patch  |  36 +++
>  meta/recipes-devtools/perl/perl_5.36.1.bb |   2 +
>  3 files changed, 255 insertions(+)
>  create mode 100644 meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch
>  create mode 100644 meta/recipes-devtools/perl/files/CVE-2023-31486-0002.patch
>
> diff --git a/meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch 
> b/meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch
> new file mode 100644
> index 00..1074e0848d
> --- /dev/null
> +++ b/meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch
> @@ -0,0 +1,217 @@
> +From 77f557ef84698efeb6eed04e4a9704eaf85b741d
> +From: Stig Palmquist 
> +Date: Mon Jun 5 16:46:22 2023 +0200
> +Subject: [PATCH] Change verify_SSL default to 1, add ENV var to enable
> + insecure default
> +
> +- Changes the `verify_SSL` default parameter from `0` to `1`
> +
> +  Based on patch by Dominic Hargreaves:
> +  
> https://salsa.debian.org/perl-team/interpreter/perl/-/commit/1490431e40e22052f75a0b3449f1f53cbd27ba92
> +
> +  CVE: CVE-2023-31486
> +
> +- Add check for `$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}` that
> +  enables the previous insecure default behaviour if set to `1`.
> +
> +  This provides a workaround for users who encounter problems with the
> +  new `verify_SSL` default.
> +
> +  Example to disable certificate checks:
> +  ```
> +$ PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1 ./script.pl
> +  ```
> +
> +- Updates to documentation:
> +  - Describe changing the verify_SSL value
> +  - Describe the escape-hatch environment variable
> +  - Remove rationale for not enabling verify_SSL
> +  - Add missing certificate search paths
> +  - Replace "SSL" with "TLS/SSL" where appropriate
> +  - Use "machine-in-the-middle" instead of "man-in-the-middle"
> +
> +Upstream-Status: Backport 
> [https://github.com/chansen/p5-http-tiny/commit/77f557ef84698efeb6eed04e4a9704eaf85b741d]
> +
> +Signed-off-by: Soumya 
> +---
> + cpan/HTTP-Tiny/lib/HTTP/Tiny.pm | 86 ++---
> + 1 file changed, 57 insertions(+), 29 deletions(-)
> +
> +diff --git a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm 
> b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm
> +index 83ca06d..ebc34a1 100644
> +--- a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm
>  b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm
> +@@ -40,10 +40,14 @@ sub _croak { require Carp; Carp::croak(@_) }
> + #pod * C — Request timeout in seconds (default is 60) If a socket 
> open,
> + #pod   read or write takes longer than the timeout, the request response 
> status code
> + #pod   will be 599.
> +-#pod * C — A boolean that indicates whether to validate the SSL
> +-#pod   certificate of an C — connection (default is false)
> ++#pod * C — A boolean that indicates whether to validate the 
> TLS/SSL
> ++#pod   certificate of an C — connection (default is true). Changed 
> from false
> ++#pod   to true in version 0.083.
> + #pod * C — A hashref of C — options to pass through to
> + #pod   L
> ++#pod * C<$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}> - Changes the default
> ++#pod   certificate verification behavior to not check server identity if 
> set to 1.
> ++#pod   Only effective if C is not set. Added in version 0.083.
> + #pod
> + #pod An accessor/mutator method exists for each attribute.
> + #pod
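Review bot: the new POD text "Changed from false to true in version 0.083" will not match what a patched OE build reports. The diffstat shows only Tiny.pm touched and no bump of $HTTP::Tiny::VERSION is visible in the quoted part of the diff, so `perl -MHTTP::Tiny -e 'print $HTTP::Tiny::VERSION'` on the image will still print the pre-0.083 number while the default has already changed. Worth a sentence in the OE commit message so that anyone gating on the module version, or reading this POD, is not misled.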
> +@@ -111,11 +115,17 @@ sub timeout {
> + sub new {
> + 

[oe-core][PATCH v2 1/1] perl: Fix CVE-2023-31486

2023-07-17 Thread Soumya via lists.openembedded.org
HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available
standalone on CPAN, has an insecure default TLS configuration where
users must opt in to verify certificates.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-31486

Upstream patches:
https://github.com/chansen/p5-http-tiny/commit/77f557ef84698efeb6eed04e4a9704eaf85b741d
https://github.com/chansen/p5-http-tiny/commit/a22785783b17cbaa28afaee4a024d81a1903701d

Signed-off-by: Soumya 
---
 .../perl/files/CVE-2023-31486-0001.patch  | 217 ++
 .../perl/files/CVE-2023-31486-0002.patch  |  36 +++
 meta/recipes-devtools/perl/perl_5.36.1.bb |   2 +
 3 files changed, 255 insertions(+)
 create mode 100644 meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch
 create mode 100644 meta/recipes-devtools/perl/files/CVE-2023-31486-0002.patch

diff --git a/meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch 
b/meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch
new file mode 100644
index 00..1074e0848d
--- /dev/null
+++ b/meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch
@@ -0,0 +1,217 @@
+From 77f557ef84698efeb6eed04e4a9704eaf85b741d
+From: Stig Palmquist 
+Date: Mon Jun 5 16:46:22 2023 +0200
+Subject: [PATCH] Change verify_SSL default to 1, add ENV var to enable
+ insecure default
+
+- Changes the `verify_SSL` default parameter from `0` to `1`
+
+  Based on patch by Dominic Hargreaves:
+  
https://salsa.debian.org/perl-team/interpreter/perl/-/commit/1490431e40e22052f75a0b3449f1f53cbd27ba92
+
+  CVE: CVE-2023-31486
+
+- Add check for `$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}` that
+  enables the previous insecure default behaviour if set to `1`.
+
+  This provides a workaround for users who encounter problems with the
+  new `verify_SSL` default.
+
+  Example to disable certificate checks:
+  ```
+$ PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1 ./script.pl
+  ```
+
+- Updates to documentation:
+  - Describe changing the verify_SSL value
+  - Describe the escape-hatch environment variable
+  - Remove rationale for not enabling verify_SSL
+  - Add missing certificate search paths
+  - Replace "SSL" with "TLS/SSL" where appropriate
+  - Use "machine-in-the-middle" instead of "man-in-the-middle"
+
+Upstream-Status: Backport 
[https://github.com/chansen/p5-http-tiny/commit/77f557ef84698efeb6eed04e4a9704eaf85b741d]
+
+Signed-off-by: Soumya 
+---
+ cpan/HTTP-Tiny/lib/HTTP/Tiny.pm | 86 ++---
+ 1 file changed, 57 insertions(+), 29 deletions(-)
+
+diff --git a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm
+index 83ca06d..ebc34a1 100644
+--- a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm
 b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm
+@@ -40,10 +40,14 @@ sub _croak { require Carp; Carp::croak(@_) }
+ #pod * C — Request timeout in seconds (default is 60) If a socket 
open,
+ #pod   read or write takes longer than the timeout, the request response 
status code
+ #pod   will be 599.
+-#pod * C — A boolean that indicates whether to validate the SSL
+-#pod   certificate of an C — connection (default is false)
++#pod * C — A boolean that indicates whether to validate the 
TLS/SSL
++#pod   certificate of an C — connection (default is true). Changed 
from false
++#pod   to true in version 0.083.
+ #pod * C — A hashref of C — options to pass through to
+ #pod   L
++#pod * C<$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}> - Changes the default
++#pod   certificate verification behavior to not check server identity if set 
to 1.
++#pod   Only effective if C is not set. Added in version 0.083.
+ #pod
+ #pod An accessor/mutator method exists for each attribute.
+ #pod
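Review bot: the POD entry for C<$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}> says it is "Only effective if verify_SSL is not set", but the new() hunk below also folds a lower-case `verify_ssl` argument into `verify_SSL` before the default is consulted, so the escape hatch is ignored when either spelling is passed. Suggest saying so here, since `verify_ssl` is otherwise undocumented in this hunk.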
+@@ -111,11 +115,17 @@ sub timeout {
+ sub new {
+ my($class, %args) = @_;
+
++# Support lower case verify_ssl argument, but only if verify_SSL is not
++# true.
++if ( exists $args{verify_ssl} ) {
++$args{verify_SSL}  ||= $args{verify_ssl};
++}
++
+ my $self = {
+ max_redirect => 5,
+ timeout  => defined $args{timeout} ? $args{timeout} : 60,
+ keep_alive   => 1,
+-verify_SSL   => $args{verify_SSL} || $args{verify_ssl} || 0, # no 
verification by default
++verify_SSL   => defined $args{verify_SSL} ? $args{verify_SSL} : 
_verify_SSL_default(),
+ no_proxy => $ENV{no_proxy},
+ };
+
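Review bot: replacing `$args{verify_SSL} || $args{verify_ssl} || 0` with `defined $args{verify_SSL} ? $args{verify_SSL} : _verify_SSL_default()` changes more than the default. An explicit `verify_SSL => 0` is now honoured (before, it was indistinguishable from omitting the option), and `verify_SSL => undef`, for example an unset value passed through from a config hash, now falls through to the secure default instead of disabling verification. Both are the right behaviour, but the second is a visible change for callers and deserves a line in the commit message. Also, because `||=` is used on the lower-case alias, `verify_SSL => 0, verify_ssl => 1` ends up verifying; the comment says that is intended, which is fine, but it is the kind of precedence a test should pin down.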
+@@ -134,6 +144,13 @@ sub new {
+ return $self;
+ }
+
++sub _verify_SSL_default {
++my ($self) = @_;
++# Check if insecure default certificate verification behaviour has been
++# changed by the user by setting PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1
++return (($ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} || '') eq '1') ? 0 : 1;
++}
++
+ sub _set_proxies {
+ my ($self) = @_;
+
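Review bot: the environment variable tested on the `return` line, `PERL_HTTP_TINY_INSECURE_BY_DEFAULT`, does not match the one named in the comment two lines above, in the POD hunk and in the commit message, `PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT`. As written the documented variable does nothing (verification stays on, which at least fails safe) while the undocumented spelling silently disables it. If the second upstream commit listed in the cover letter (a2278578...) is the fix for this, the cover letter should say so; otherwise correct it here: `return (($ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT} || '') eq '1') ? 0 : 1;`. Minor: `my ($self) = @_;` is unused, since both call sites (`_verify_SSL_default()` in new() and `HTTP::Tiny::_verify_SSL_default()` in the POD) call it as a plain function.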
+@@ -1055,7 +1072,7 @@ sub new {
+ timeout  => 60,
+ max_line_size=> 16384,
+ max_header_lines => 64,
+-verify_SSL   => 0,
++verify_SSL   => HTTP::Tiny::_verify_SSL_default(),
+ SSL_options  

[OE-core][kirkstone][PATCH 1/1] libwebp: Fix CVE-2023-1999

2023-07-16 Thread Soumya via lists.openembedded.org
There exists a use after free/double free in libwebp. An attacker can
use the ApplyFiltersAndEncode() function and loop through to free
best.bw and assign best = trial pointer. The second loop will then
return 0 because of an Out of memory error in VP8 encoder, the pointer
is still assigned to trial and the AddressSanitizer will attempt a double free.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2023-1999

Upstream patch:
https://github.com/webmproject/libwebp/commit/a486d800b60d0af4cc0836bf7ed8f21e12974129

Signed-off-by: Soumya 
---
 .../webp/files/CVE-2023-1999.patch| 60 +++
 meta/recipes-multimedia/webp/libwebp_1.2.4.bb |  4 +-
 2 files changed, 63 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-multimedia/webp/files/CVE-2023-1999.patch

diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-1999.patch 
b/meta/recipes-multimedia/webp/files/CVE-2023-1999.patch
new file mode 100644
index 00..895d01ea7d
--- /dev/null
+++ b/meta/recipes-multimedia/webp/files/CVE-2023-1999.patch
@@ -0,0 +1,60 @@
+From a486d800b60d0af4cc0836bf7ed8f21e12974129 Mon Sep 17 00:00:00 2001
+From: James Zern 
+Date: Wed, 22 Feb 2023 22:15:47 -0800
+Subject: [PATCH] EncodeAlphaInternal: clear result->bw on error
+
+This avoids a double free should the function fail prior to
+VP8BitWriterInit() and a previous trial result's buffer carried over.
+Previously in ApplyFiltersAndEncode() trial.bw (with a previous
+iteration's buffer) would be freed, followed by best.bw pointing to the
+same buffer.
+
+Since:
+187d379d add a fallback to ALPHA_NO_COMPRESSION
+
+In addition, check the return value of VP8BitWriterInit() in this
+function.
+
+Bug: webp:603
+Change-Id: Ic258381ee26c8c16bc211d157c8153831c8c6910
+
+CVE: CVE-2023-1999
+
+Upstream-Status: Backport 
[https://github.com/webmproject/libwebp/commit/a486d800b60d0af4cc0836bf7ed8f21e12974129]
+
+Signed-off-by: Soumya 
+---
+ src/enc/alpha_enc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/enc/alpha_enc.c b/src/enc/alpha_enc.c
+index f7c0269..7d20558 100644
+--- a/src/enc/alpha_enc.c
 b/src/enc/alpha_enc.c
+@@ -13,6 +13,7 @@
+
+ #include 
+ #include 
++#include 
+
+ #include "src/enc/vp8i_enc.h"
+ #include "src/dsp/dsp.h"
+@@ -148,6 +149,7 @@ static int EncodeAlphaInternal(const uint8_t* const data, 
int width, int height,
+   }
+ } else {
+   VP8LBitWriterWipeOut(&tmp_bw);
++  memset(&result->bw, 0, sizeof(result->bw));
+   return 0;
+ }
+   }
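Review bot: zeroing result->bw on this early return is what stops the caller from freeing the buffer carried over from the previous trial a second time, but the fix is only sound if VP8BitWriterWipeOut() treats an all-zero writer as empty (a NULL buf_ that is safe to free). Please add a one-line comment next to the memset stating that assumption, so a future change to the bit writer that asserts on an uninitialised writer does not quietly reintroduce a crash on this path. The commit message says the issue is any failure "prior to VP8BitWriterInit()"; this hunk covers the branch where the VP8L encode of the alpha plane fails, so confirm there is no other `return 0` before VP8BitWriterInit() in EncodeAlphaInternal() that can inherit a stale result->bw the same way.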
+@@ -162,7 +164,7 @@ static int EncodeAlphaInternal(const uint8_t* const data, 
int width, int height,
+   header = method | (filter << 2);
+   if (reduce_levels) header |= ALPHA_PREPROCESSED_LEVELS << 4;
+
+-  VP8BitWriterInit(&result->bw, ALPHA_HEADER_LEN + output_size);
++  if (!VP8BitWriterInit(&result->bw, ALPHA_HEADER_LEN + output_size)) ok = 0;
+   ok = ok && VP8BitWriterAppend(&result->bw, &header, ALPHA_HEADER_LEN);
+   ok = ok && VP8BitWriterAppend(&result->bw, output, output_size);
+
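Review bot: the new `if (!VP8BitWriterInit(...)) ok = 0;` guard fixes the previously ignored return value, but on this failure path result->bw is not cleared the way the previous hunk clears it. If VP8BitWriterInit() can fail leaving result->bw partially set up, the caller could free it twice again, so either rely on (and state in a comment) VP8BitWriterInit() resetting the writer before it allocates, or memset here as well for symmetry with the earlier error path. The `ok = ok && ...` chain that follows already short-circuits correctly once `ok` is 0.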
+--
+2.40.0
diff --git a/meta/recipes-multimedia/webp/libwebp_1.2.4.bb 
b/meta/recipes-multimedia/webp/libwebp_1.2.4.bb
index 263589846a..5d868b3b96 100644
--- a/meta/recipes-multimedia/webp/libwebp_1.2.4.bb
+++ b/meta/recipes-multimedia/webp/libwebp_1.2.4.bb
@@ -13,7 +13,9 @@ LICENSE = "BSD-3-Clause"
 LIC_FILES_CHKSUM = "file://COPYING;md5=6e8dee932c26f2dab503abf70c96d8bb \
 file://PATENTS;md5=c6926d0cb07d296f886ab6e0cc5a85b7"
 
-SRC_URI = "http://downloads.webmproject.org/releases/webp/${BP}.tar.gz";
+SRC_URI = "http://downloads.webmproject.org/releases/webp/${BP}.tar.gz \
+   file://CVE-2023-1999.patch \
+   "
 SRC_URI[sha256sum] = 
"7bf5a8a28cc69bcfa8cb214f2c3095703c6b73ac5fba4d5480c205331d9494df"
 
 UPSTREAM_CHECK_URI = 
"http://downloads.webmproject.org/releases/webp/index.html";
-- 
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#184426): 
https://lists.openembedded.org/g/openembedded-core/message/184426
Mute This Topic: https://lists.openembedded.org/mt/100188605/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



[oe-core][PATCH 1/1] perl: Fix CVE-2023-31486

2023-07-13 Thread Soumya via lists.openembedded.org
HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available
standalone on CPAN, has an insecure default TLS configuration where
users must opt in to verify certificates.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-31486

Upstream patches:
https://github.com/chansen/p5-http-tiny/commit/77f557ef84698efeb6eed04e4a9704eaf85b741d
https://github.com/chansen/p5-http-tiny/commit/a22785783b17cbaa28afaee4a024d81a1903701d

Signed-off-by: Soumya 
---
 .../perl/files/CVE-2023-31486-0001.patch  | 217 ++
 .../perl/files/CVE-2023-31486-0002.patch  |  36 +++
 meta/recipes-devtools/perl/perl_5.36.1.bb |   2 +
 3 files changed, 255 insertions(+)
 create mode 100644 meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch
 create mode 100644 meta/recipes-devtools/perl/files/CVE-2023-31486-0002.patch

diff --git a/meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch 
b/meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch
new file mode 100644
index 00..1074e0848d
--- /dev/null
+++ b/meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch
@@ -0,0 +1,217 @@
+From 77f557ef84698efeb6eed04e4a9704eaf85b741d
+From: Stig Palmquist 
+Date: Mon Jun 5 16:46:22 2023 +0200
+Subject: [PATCH] Change verify_SSL default to 1, add ENV var to enable
+ insecure default
+
+- Changes the `verify_SSL` default parameter from `0` to `1`
+
+  Based on patch by Dominic Hargreaves:
+  
https://salsa.debian.org/perl-team/interpreter/perl/-/commit/1490431e40e22052f75a0b3449f1f53cbd27ba92
+
+  CVE: CVE-2023-31486
+
+- Add check for `$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}` that
+  enables the previous insecure default behaviour if set to `1`.
+
+  This provides a workaround for users who encounter problems with the
+  new `verify_SSL` default.
+
+  Example to disable certificate checks:
+  ```
+$ PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1 ./script.pl
+  ```
+
+- Updates to documentation:
+  - Describe changing the verify_SSL value
+  - Describe the escape-hatch environment variable
+  - Remove rationale for not enabling verify_SSL
+  - Add missing certificate search paths
+  - Replace "SSL" with "TLS/SSL" where appropriate
+  - Use "machine-in-the-middle" instead of "man-in-the-middle"
+
+Upstream-Status: Backport 
[https://github.com/chansen/p5-http-tiny/commit/77f557ef84698efeb6eed04e4a9704eaf85b741d]
+
+Signed-off-by: Soumya 
+---
+ cpan/HTTP-Tiny/lib/HTTP/Tiny.pm | 86 ++---
+ 1 file changed, 57 insertions(+), 29 deletions(-)
+
+diff --git a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm
+index 83ca06d..ebc34a1 100644
+--- a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm
 b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm
+@@ -40,10 +40,14 @@ sub _croak { require Carp; Carp::croak(@_) }
+ #pod * C ??? Request timeout in seconds (default is 60) If a socket 
open,
+ #pod   read or write takes longer than the timeout, the request response 
status code
+ #pod   will be 599.
+-#pod * C ??? A boolean that indicates whether to validate the SSL
+-#pod   certificate of an C ??? connection (default is false)
++#pod * C ??? A boolean that indicates whether to validate the 
TLS/SSL
++#pod   certificate of an C ??? connection (default is true). Changed 
from false
++#pod   to true in version 0.083.
+ #pod * C ??? A hashref of C ??? options to pass through to
+ #pod   L
++#pod * C<$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}> - Changes the default
++#pod   certificate verification behavior to not check server identity if set 
to 1.
++#pod   Only effective if C is not set. Added in version 0.083.
+ #pod
+ #pod An accessor/mutator method exists for each attribute.
+ #pod
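Review bot: the POD lines in this hunk carry `???` where the same patch as posted in v2 shows `—`; upstream Tiny.pm uses a non-ASCII dash there. If the patch file really contains `???`, the `-` and context lines will not match Tiny.pm and git apply/quilt will reject the hunk, and if it did apply the `+` lines would write `???` into the POD. Check that the file was saved as UTF-8 rather than re-encoded: `grep -n '???' meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch` should print nothing, and `git apply --check` against the perl source should pass.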
+@@ -111,11 +115,17 @@ sub timeout {
+ sub new {
+ my($class, %args) = @_;
+
++# Support lower case verify_ssl argument, but only if verify_SSL is not
++# true.
++if ( exists $args{verify_ssl} ) {
++$args{verify_SSL}  ||= $args{verify_ssl};
++}
++
+ my $self = {
+ max_redirect => 5,
+ timeout  => defined $args{timeout} ? $args{timeout} : 60,
+ keep_alive   => 1,
+-verify_SSL   => $args{verify_SSL} || $args{verify_ssl} || 0, # no 
verification by default
++verify_SSL   => defined $args{verify_SSL} ? $args{verify_SSL} : 
_verify_SSL_default(),
+ no_proxy => $ENV{no_proxy},
+ };
+
+@@ -134,6 +144,13 @@ sub new {
+ return $self;
+ }
+
++sub _verify_SSL_default {
++my ($self) = @_;
++# Check if insecure default certificate verification behaviour has been
++# changed by the user by setting PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1
++return (($ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} || '') eq '1') ? 0 : 1;
++}
++
+ sub _set_proxies {
+ my ($self) = @_;
+
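Review bot: same mismatch as in the v2 posting above: the code tests `$ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT}` while the comment, the POD hunk and the commit message name `PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT`, so the documented opt-out has no effect and an undocumented one does. Fix the name on the `return` line or state that CVE-2023-31486-0002.patch corrects it.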
+@@ -1055,7 +1072,7 @@ sub new {
+ timeout  => 60,
+ max_line_size=> 16384,
+ max_header_lines => 64,
+-verify_SSL   => 0,
++verify_SSL   => HTTP::Tiny::_verify_SSL_default(),
+ SSL

[oe-core][kirkstone][PATCH 1/1] perl: Fix CVE-2023-31486

2023-07-13 Thread Soumya via lists.openembedded.org
HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available
standalone on CPAN, has an insecure default TLS configuration where
users must opt in to verify certificates.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-31486

Upstream patches:
https://github.com/chansen/p5-http-tiny/commit/77f557ef84698efeb6eed04e4a9704eaf85b741d
https://github.com/chansen/p5-http-tiny/commit/a22785783b17cbaa28afaee4a024d81a1903701d

Signed-off-by: Soumya 
---
 .../perl/files/CVE-2023-31486-0001.patch  | 215 ++
 .../perl/files/CVE-2023-31486-0002.patch  |  36 +++
 meta/recipes-devtools/perl/perl_5.34.1.bb |   2 +
 3 files changed, 253 insertions(+)
 create mode 100644 meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch
 create mode 100644 meta/recipes-devtools/perl/files/CVE-2023-31486-0002.patch

diff --git a/meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch 
b/meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch
new file mode 100644
index 00..59caf1a129
--- /dev/null
+++ b/meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch
@@ -0,0 +1,215 @@
+From 77f557ef84698efeb6eed04e4a9704eaf85b741d
+From: Stig Palmquist 
+Date: Mon Jun 5 16:46:22 2023 +0200
+Subject: [PATCH] Change verify_SSL default to 1, add ENV var to enable
+ insecure default - Changes the `verify_SSL` default parameter from `0` to `1`
+
+  Based on patch by Dominic Hargreaves:
+  
https://salsa.debian.org/perl-team/interpreter/perl/-/commit/1490431e40e22052f75a0b3449f1f53cbd27ba92
+
+  CVE: CVE-2023-31486
+
+- Add check for `$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}` that
+  enables the previous insecure default behaviour if set to `1`.
+
+  This provides a workaround for users who encounter problems with the
+  new `verify_SSL` default.
+
+  Example to disable certificate checks:
+  ```
+$ PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1 ./script.pl
+  ```
+
+- Updates to documentation:
+  - Describe changing the verify_SSL value
+  - Describe the escape-hatch environment variable
+  - Remove rationale for not enabling verify_SSL
+  - Add missing certificate search paths
+  - Replace "SSL" with "TLS/SSL" where appropriate
+  - Use "machine-in-the-middle" instead of "man-in-the-middle"
+
+Upstream-Status: Backport 
[https://github.com/chansen/p5-http-tiny/commit/77f557ef84698efeb6eed04e4a9704eaf85b741d]
+
+Signed-off-by: Soumya 
+---
+ cpan/HTTP-Tiny/lib/HTTP/Tiny.pm | 86 ++---
+ 1 file changed, 57 insertions(+), 29 deletions(-)
+
+diff --git a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm
+index 5803e45..1808c41 100644
+--- a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm
 b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm
+@@ -39,10 +39,14 @@ sub _croak { require Carp; Carp::croak(@_) }
+ #pod   C<$ENV{no_proxy}> ???)
+ #pod * C ??? Request timeout in seconds (default is 60) If a socket 
open,
+ #pod   read or write takes longer than the timeout, an exception is thrown.
+-#pod * C ??? A boolean that indicates whether to validate the SSL
+-#pod   certificate of an C ??? connection (default is false)
++#pod * C ??? A boolean that indicates whether to validate the 
TLS/SSL
++#pod   certificate of an C ??? connection (default is true). Changed 
from false
++#pod   to true in version 0.083.
+ #pod * C ??? A hashref of C ??? options to pass through to
+ #pod   L
++#pod * C<$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}> - Changes the default
++#pod   certificate verification behavior to not check server identity if set 
to 1.
++#pod   Only effective if C is not set. Added in version 0.083.
+ #pod
+ #pod Passing an explicit C for C, C or 
C will
+ #pod prevent getting the corresponding proxies from the environment.
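Review bot: two problems with the patch file itself show in this hunk and its header. The POD lines carry `???` in place of the non-ASCII dash in upstream Tiny.pm, so the `-` and context lines will not match and the hunk will be rejected on apply; and in the header the first body bullet, "- Changes the `verify_SSL` default parameter from `0` to `1`", has been folded onto the Subject line. Re-export the patch with `git format-patch` from a UTF-8 checkout rather than editing it by hand, and re-check with `git apply --check`.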
+@@ -108,11 +112,17 @@ sub timeout {
+ sub new {
+ my($class, %args) = @_;
+
++# Support lower case verify_ssl argument, but only if verify_SSL is not
++# true.
++if ( exists $args{verify_ssl} ) {
++$args{verify_SSL}  ||= $args{verify_ssl};
++}
++
+ my $self = {
+ max_redirect => 5,
+ timeout  => defined $args{timeout} ? $args{timeout} : 60,
+ keep_alive   => 1,
+-verify_SSL   => $args{verify_SSL} || $args{verify_ssl} || 0, # no 
verification by default
++verify_SSL   => defined $args{verify_SSL} ? $args{verify_SSL} : 
_verify_SSL_default(),
+ no_proxy => $ENV{no_proxy},
+ };
+
+@@ -131,6 +141,13 @@ sub new {
+ return $self;
+ }
+
++sub _verify_SSL_default {
++my ($self) = @_;
++# Check if insecure default certificate verification behaviour has been
++# changed by the user by setting PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1
++return (($ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} || '') eq '1') ? 0 : 1;
++}
++
+ sub _set_proxies {
+ my ($self) = @_;
+
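Review bot: the `return` line checks `$ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT}` but the comment above it, the POD hunk and the commit message all document `PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT`; with this backport on kirkstone the documented escape hatch does nothing. Either fix the name here or note that the 0002 patch in this series is what corrects it.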
+@@ -1038,7 +1055,7 @@ sub new {
+ timeout  => 60,
+ max_line_size=> 16384,
+ max_header_lines => 64,
+-verify_SSL   => 0,
++verify_SSL   =>

[oe-core][mickledore][PATCH 1/1] perl: Fix CVE-2023-31484 & CVE-2023-31486

2023-06-30 Thread Soumya via lists.openembedded.org
CPAN.pm before 2.35 does not verify TLS certificates when downloading
distributions over HTTPS.

HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and
available standalone on CPAN, has an insecure default TLS
configuration where users must opt in to verify certificates.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-31484
https://nvd.nist.gov/vuln/detail/CVE-2023-31486

Upstream patches:
https://github.com/andk/cpanpm/commit/9c98370287f4e709924aee7c58ef21c85289a7f0
https://github.com/chansen/p5-http-tiny/commit/77f557ef84698efeb6eed04e4a9704eaf85b741d
https://github.com/chansen/p5-http-tiny/commit/a22785783b17cbaa28afaee4a024d81a1903701d

Signed-off-by: Soumya 
---
 .../perl/files/CVE-2023-31484.patch   |  29 +++
 .../perl/files/CVE-2023-31486-0001.patch  | 217 ++
 .../perl/files/CVE-2023-31486-0002.patch  |  30 +++
 meta/recipes-devtools/perl/perl_5.36.0.bb |   3 +
 4 files changed, 279 insertions(+)
 create mode 100644 meta/recipes-devtools/perl/files/CVE-2023-31484.patch
 create mode 100644 meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch
 create mode 100644 meta/recipes-devtools/perl/files/CVE-2023-31486-0002.patch

diff --git a/meta/recipes-devtools/perl/files/CVE-2023-31484.patch 
b/meta/recipes-devtools/perl/files/CVE-2023-31484.patch
new file mode 100644
index 00..1f7cbd0da1
--- /dev/null
+++ b/meta/recipes-devtools/perl/files/CVE-2023-31484.patch
@@ -0,0 +1,29 @@
+From a625ec2cc3a0b6116c1f8b831d3480deb621c245 Mon Sep 17 00:00:00 2001
+From: Stig Palmquist 
+Date: Tue, 28 Feb 2023 11:54:06 +0100
+Subject: [PATCH] Add verify_SSL=>1 to HTTP::Tiny to verify https server
+ identity
+
+Upstream-Status: Backport 
[https://github.com/andk/cpanpm/commit/9c98370287f4e709924aee7c58ef21c85289a7f0]
+
+CVE: CVE-2023-31484
+
+Signed-off-by: Soumya 
+---
+ cpan/CPAN/lib/CPAN/HTTP/Client.pm | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/cpan/CPAN/lib/CPAN/HTTP/Client.pm 
b/cpan/CPAN/lib/CPAN/HTTP/Client.pm
+index 4fc792c..a616fee 100644
+--- a/cpan/CPAN/lib/CPAN/HTTP/Client.pm
 b/cpan/CPAN/lib/CPAN/HTTP/Client.pm
+@@ -32,6 +32,7 @@ sub mirror {
+
+ my $want_proxy = $self->_want_proxy($uri);
+ my $http = HTTP::Tiny->new(
++verify_SSL => 1,
+ $want_proxy ? (proxy => $self->{proxy}) : ()
+ );
+
+--
+2.40.0
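Review bot: keep this explicit `verify_SSL => 1` even though CVE-2023-31486-0001 in the same series flips the HTTP::Tiny default. CPAN.pm's mirror fetch must not depend on the library default, because the 0001 patch lets a user turn that default off from the environment with PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT, and per its own POD the variable is "Only effective if verify_SSL is not set"; passing the option here is what makes CPAN.pm immune to that escape hatch. The two patches touch different files, so SRC_URI order does not matter.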
diff --git a/meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch 
b/meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch
new file mode 100644
index 00..e2a2216a0d
--- /dev/null
+++ b/meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch
@@ -0,0 +1,217 @@
+From e1ca8defeff496000fc96600ebfca7250065c1f1 Mon Sep 17 00:00:00 2001
+From: Stig Palmquist 
+Date: Thu, 29 Jun 2023 14:36:05 +
+Subject: [PATCH] Change verify_SSL default to 1, add ENV var to enable
+ insecure default
+
+- Changes the `verify_SSL` default parameter from `0` to `1`
+
+  Based on patch by Dominic Hargreaves:
+  
https://salsa.debian.org/perl-team/interpreter/perl/-/commit/1490431e40e22052f75a0b3449f1f53cbd27ba92
+
+  Fixes CVE-2023-31486
+
+- Add check for `$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}` that
+  enables the previous insecure default behaviour if set to `1`.
+
+  This provides a workaround for users who encounter problems with the
+  new `verify_SSL` default.
+
+  Example to disable certificate checks:
+  ```
+$ PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1 ./script.pl
+  ```
+
+- Updates to documentation:
+  - Describe changing the verify_SSL value
+  - Describe the escape-hatch environment variable
+  - Remove rationale for not enabling verify_SSL
+  - Add missing certificate search paths
+  - Replace "SSL" with "TLS/SSL" where appropriate
+  - Use "machine-in-the-middle" instead of "man-in-the-middle"
+
+Upstream-Status: Backport 
[https://github.com/chansen/p5-http-tiny/commit/77f557ef84698efeb6eed04e4a9704eaf85b741d]
+
+Signed-off-by: Soumya 
+---
+ cpan/HTTP-Tiny/lib/HTTP/Tiny.pm | 86 ++---
+ 1 file changed, 57 insertions(+), 29 deletions(-)
+
+diff --git a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm
+index 83ca06d..5f6ced8 100644
+--- a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm
 b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm
+@@ -40,10 +40,14 @@ sub _croak { require Carp; Carp::croak(@_) }
+ #pod * C ??? Request timeout in seconds (default is 60) If a socket 
open,
+ #pod   read or write takes longer than the timeout, the request response 
status code
+ #pod   will be 599.
+-#pod * C ??? A boolean that indicates whether to validate the SSL
+-#pod   certificate of an C ??? connection (default is false)
++#pod * C ??? A boolean that indicates whether to validate the 
TLS/SSL
++#pod   certificate of an C ??? connection (default is true). Changed 
from false
++#pod   to true in version 0.083.
+ #pod * C ??? A hashref of C ??? options to pass through to
+ #pod   L
++#pod * C<$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}> - Changes the default
++#pod   certificate ver
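Review bot: the patch header gives `From e1ca8defeff496000fc96600ebfca7250065c1f1` with a Date of "Thu, 29 Jun 2023 14:36:05 +" (timezone lost), while Upstream-Status cites 77f557ef84698efeb6eed04e4a9704eaf85b741d; the OE convention is for the From line to carry the upstream commit id so the backport can be matched to it, so either regenerate the patch from the upstream commit or say in the header that it was re-created on top of the 5.36.0 tree. The POD lines visible in this hunk also carry `???` in place of the dash in upstream Tiny.pm; make sure the file is UTF-8, otherwise the context lines will not match and the hunk will not apply.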

[oe-core][PATCH 1/1] perl: fix CVE-2023-31484

2023-06-11 Thread Soumya via lists.openembedded.org
CPAN.pm before 2.35 does not verify TLS certificates when downloading
distributions over HTTPS.

Signed-off-by: Soumya 
---
 .../perl/files/CVE-2023-31484.patch   | 29 +++
 meta/recipes-devtools/perl/perl_5.36.1.bb |  1 +
 2 files changed, 30 insertions(+)
 create mode 100644 meta/recipes-devtools/perl/files/CVE-2023-31484.patch

diff --git a/meta/recipes-devtools/perl/files/CVE-2023-31484.patch 
b/meta/recipes-devtools/perl/files/CVE-2023-31484.patch
new file mode 100644
index 00..9a9117c53a
--- /dev/null
+++ b/meta/recipes-devtools/perl/files/CVE-2023-31484.patch
@@ -0,0 +1,29 @@
+From a625ec2cc3a0b6116c1f8b831d3480deb621c245 Mon Sep 17 00:00:00 2001
+From: Stig Palmquist 
+Date: Tue, 28 Feb 2023 11:54:06 +0100
+Subject: [PATCH] Add verify_SSL=>1 to HTTP::Tiny to verify https server
+ identity
+
+CVE: CVE-2023-31484
+
+Upstream-Status: Backport 
[https://github.com/andk/cpanpm/commit/9c98370287f4e709924aee7c58ef21c85289a7f0]
+
+Signed-off-by: Soumya 
+---
+ cpan/CPAN/lib/CPAN/HTTP/Client.pm | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/cpan/CPAN/lib/CPAN/HTTP/Client.pm 
b/cpan/CPAN/lib/CPAN/HTTP/Client.pm
+index 4fc792c..a616fee 100644
+--- a/cpan/CPAN/lib/CPAN/HTTP/Client.pm
 b/cpan/CPAN/lib/CPAN/HTTP/Client.pm
+@@ -32,6 +32,7 @@ sub mirror {
+
+ my $want_proxy = $self->_want_proxy($uri);
+ my $http = HTTP::Tiny->new(
++verify_SSL => 1,
+ $want_proxy ? (proxy => $self->{proxy}) : ()
+ );
+
+--
+2.40.0
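Review bot: with `verify_SSL => 1` CPAN.pm will now refuse any HTTPS mirror whose certificate cannot be verified, and HTTP::Tiny verifies against Mozilla::CA or a CA bundle found at its fixed system search paths; on a target image that ships neither, every HTTPS mirror fetch fails outright instead of silently succeeding unverified. That is the correct failure mode, but it is a behaviour change for images that use CPAN.pm, so the commit message should note it and packagers should make sure ca-certificates (or Mozilla::CA) is present in such images.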
diff --git a/meta/recipes-devtools/perl/perl_5.36.1.bb 
b/meta/recipes-devtools/perl/perl_5.36.1.bb
index f7d66e6ed9..3db1d9c6ae 100644
--- a/meta/recipes-devtools/perl/perl_5.36.1.bb
+++ b/meta/recipes-devtools/perl/perl_5.36.1.bb
@@ -17,6 +17,7 @@ SRC_URI = 
"https://www.cpan.org/src/5.0/perl-${PV}.tar.gz;name=perl \
file://0002-Constant-Fix-up-shebang.patch \
file://determinism.patch \

file://0001-cpan-Sys-Syslog-Makefile.PL-Fix-_PATH_LOG-for-determ.patch \
+   file://CVE-2023-31484.patch \
"
 SRC_URI:append:class-native = " \
file://perl-configpm-switch.patch \
-- 
2.40.0


View/Reply Online (#182654): https://lists.openembedded.org/g/openembedded-core/message/182654
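The two Perl fixes in this thread approach the same default from opposite sides: CVE-2023-31486 changes HTTP::Tiny so that `verify_SSL` defaults to 1 (with `PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1` as an opt-out that only applies when the option is not passed), and CVE-2023-31484 makes CPAN.pm pass `verify_SSL => 1` explicitly. The script below is an added example, not code from either patch or from HTTP::Tiny itself. It shows how a caller gets verified TLS regardless of which HTTP::Tiny version it ends up on, and how to check at runtime that verification is actually possible (`can_ssl` called on an instance also checks that a CA bundle can be found). It assumes only a stock HTTP::Tiny; the function names and the refusal of redirects to plain http:// are the example's own choices.

```perl
#!/usr/bin/env perl
# Added example (not part of the OE-core patches or of HTTP::Tiny): construct
# HTTP::Tiny clients the way the CPAN.pm fix does, with an explicit
# verify_SSL => 1, and check that verification is really in force whether the
# installed HTTP::Tiny is older or newer than 0.083.
use strict;
use warnings;
use HTTP::Tiny;

# Returns a client that verifies the server certificate on every HTTPS
# connection. Passing verify_SSL explicitly means the result does not depend
# on the library default (0 before 0.083, 1 from 0.083 on) nor on the
# PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT escape hatch, which HTTP::Tiny only
# consults when verify_SSL is not passed.
sub make_client {
    my (%extra) = @_;
    my $http = HTTP::Tiny->new( verify_SSL => 1, %extra );
    # HTTP::Tiny provides an accessor for each constructor attribute; if a
    # caller sneaks verify_SSL => 0 in via %extra, refuse to hand it out.
    die "verify_SSL not in force on HTTP::Tiny $HTTP::Tiny::VERSION\n"
        unless $http->verify_SSL;
    return $http;
}

# Dies unless this client can actually do verified TLS. On an instance with
# verify_SSL set, can_ssl() also checks that a CA bundle (Mozilla::CA or one
# of the system paths HTTP::Tiny searches) is available, which is exactly
# what breaks on a minimal image without ca-certificates.
sub require_verified_tls {
    my ($http) = @_;
    my ( $ok, $why ) = $http->can_ssl;
    die "cannot make verified HTTPS requests:\n$why" unless $ok;
    return 1;
}

# Fetches $url over HTTPS only. A plain http:// URL, or a redirect chain that
# steps down to http:// for one hop, would bypass certificate checks for that
# leg, so both are refused. HTTP::Tiny reports transport failures (including a
# failed certificate check) as status 599 with the reason in {content}.
sub fetch_https {
    my ( $http, $url ) = @_;
    die "refusing non-HTTPS URL: $url\n" unless $url =~ m{\Ahttps://}i;
    my $res = $http->get($url);
    # Each redirect hop is recorded in {redirects}; {url} is the final URL.
    for my $hop ( @{ $res->{redirects} || [] }, $res ) {
        die "redirected through non-HTTPS URL: $hop->{url}\n"
            unless $hop->{url} =~ m{\Ahttps://}i;
    }
    die "GET $url failed: $res->{status} $res->{reason}\n$res->{content}\n"
        unless $res->{success};
    return $res->{content};
}

# Reports what a client built without the option gets on this installation,
# i.e. what code that omits verify_SSL is exposed to. Reported, not relied on.
sub default_verifies {
    return HTTP::Tiny->new->verify_SSL ? 1 : 0;
}

unless (caller) {
    my $hatch = ( $ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT} || '' ) eq '1';
    printf "HTTP::Tiny %s: default verify_SSL=%d%s\n",
        $HTTP::Tiny::VERSION, default_verifies(),
        $hatch ? ' (PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1 is exported)' : '';
    my $http = make_client();
    require_verified_tls($http);
    if ( my $url = shift @ARGV ) {
        my $body = fetch_https( $http, $url );
        print length($body), " bytes from $url\n";
    }
}
```

Run it with no arguments to see what the installed module defaults to, or with an https:// URL to fetch it. On an HTTP::Tiny older than 0.083, or on a patched one where the escape hatch is in effect, the first line reports `default verify_SSL=0` while `make_client()` still verifies; that independence from the default is the property CPAN.pm's explicit option relies on, and `require_verified_tls()` is the check to run on a target image before trusting that it holds.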



Re: [OE-core] [PATCH] perl: fix CVE-2023-31484

2023-06-06 Thread Soumya via lists.openembedded.org
Sorry for the typo and the mix-up with the attachment; I have already sent a v2 patch with the 
kirkstone branch mentioned: [oe-core][kirkstone][PATCH v2 1/1] perl: fix 
CVE-2023-31484<https://lore.kernel.org/openembedded-core/20230606092535.767943-1-soumya.sa...@windriver.com/>

Regards,
Soumya


From: MacLeod, Randy 
Sent: Tuesday, June 6, 2023 11:42 PM
To: Sambu, Soumya ; Richard Purdie 
; openembedded-core@lists.openembedded.org 
; st...@sakoman.com 

Cc: Polampalli, Archana 
Subject: Re: [OE-core] [PATCH] perl: fix CVE-2023-31484

On 2023-06-06 07:38, Soumya via lists.openembedded.org wrote:
This is for kirkstone branch. Attached is the updated patch.



Soumya,

We don't usually take patches as attachments since we like to see the changes
in email easily for review, so unless Steve makes an exception this time,
please resend following the workflow documented here:

   https://www.openembedded.org/wiki/How_to_submit_a_patch_to_OpenEmbedded

See and read the section mentioning:

   git send-email  ...  --subject-prefix="][PATCH"

and the rest of the document and links therein.

../Randy


Regards,
Soumya


From: Richard Purdie <richard.pur...@linuxfoundation.org>
Sent: Tuesday, June 6, 2023 4:35 PM
To: Sambu, Soumya <soumya.sa...@windriver.com>; openembedded-core@lists.openembedded.org
Subject: Re: [OE-core] [PATCH] perl: fix CVE-2023-31484

On Mon, 2023-06-05 at 17:46 +, Soumya via lists.openembedded.org
wrote:
> CPAN.pm before 2.35 does not verify TLS certificates when downloading
> distributions over HTTPS.
>
> Signed-off-by: Soumya <soumya.sa...@windriver.com>
> ---
>  .../perl/files/CVE-2023-31484.patch   | 29 +++
>  meta/recipes-devtools/perl/perl_5.34.1.bb |  1 +
>  2 files changed, 30 insertions(+)
>  create mode 100644 meta/recipes-devtools/perl/files/CVE-2023-31484.patch

Which release is this patch against?

Cheers,

Richard

--
# Randy MacLeod
# Wind River Linux

View/Reply Online (#182455): https://lists.openembedded.org/g/openembedded-core/message/182455



Re: [OE-core] [PATCH] perl: fix CVE-2023-31484

2023-06-06 Thread Soumya via lists.openembedded.org
This is for kirkstone branch. Attached is the updated patch.

Regards,
Soumya


From: Richard Purdie 
Sent: Tuesday, June 6, 2023 4:35 PM
To: Sambu, Soumya ; 
openembedded-core@lists.openembedded.org 

Subject: Re: [OE-core] [PATCH] perl: fix CVE-2023-31484

On Mon, 2023-06-05 at 17:46 +, Soumya via lists.openembedded.org
wrote:
> CPAN.pm before 2.35 does not verify TLS certificates when downloading
> distributions over HTTPS.
>
> Signed-off-by: Soumya 
> ---
>  .../perl/files/CVE-2023-31484.patch   | 29 +++
>  meta/recipes-devtools/perl/perl_5.34.1.bb |  1 +
>  2 files changed, 30 insertions(+)
>  create mode 100644 meta/recipes-devtools/perl/files/CVE-2023-31484.patch

Which release is this patch against?

Cheers,

Richard

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#182426): 
https://lists.openembedded.org/g/openembedded-core/message/182426
Mute This Topic: https://lists.openembedded.org/mt/99345985/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



[oe-core][kirkstone][PATCH v2 1/1] perl: fix CVE-2023-31484

2023-06-06 Thread Soumya via lists.openembedded.org
CPAN.pm before 2.35 does not verify TLS certificates when downloading
distributions over HTTPS.

Signed-off-by: Soumya 
---
 .../perl/files/CVE-2023-31484.patch   | 29 +++
 meta/recipes-devtools/perl/perl_5.34.1.bb |  1 +
 2 files changed, 30 insertions(+)
 create mode 100644 meta/recipes-devtools/perl/files/CVE-2023-31484.patch

diff --git a/meta/recipes-devtools/perl/files/CVE-2023-31484.patch 
b/meta/recipes-devtools/perl/files/CVE-2023-31484.patch
new file mode 100644
index 00..1f7cbd0da1
--- /dev/null
+++ b/meta/recipes-devtools/perl/files/CVE-2023-31484.patch
@@ -0,0 +1,29 @@
+From a625ec2cc3a0b6116c1f8b831d3480deb621c245 Mon Sep 17 00:00:00 2001
+From: Stig Palmquist 
+Date: Tue, 28 Feb 2023 11:54:06 +0100
+Subject: [PATCH] Add verify_SSL=>1 to HTTP::Tiny to verify https server
+ identity
+
+Upstream-Status: Backport 
[https://github.com/andk/cpanpm/commit/9c98370287f4e709924aee7c58ef21c85289a7f0]
+
+CVE: CVE-2023-31484
+
+Signed-off-by: Soumya 
+---
+ cpan/CPAN/lib/CPAN/HTTP/Client.pm | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/cpan/CPAN/lib/CPAN/HTTP/Client.pm 
b/cpan/CPAN/lib/CPAN/HTTP/Client.pm
+index 4fc792c..a616fee 100644
+--- a/cpan/CPAN/lib/CPAN/HTTP/Client.pm
 b/cpan/CPAN/lib/CPAN/HTTP/Client.pm
+@@ -32,6 +32,7 @@ sub mirror {
+
+ my $want_proxy = $self->_want_proxy($uri);
+ my $http = HTTP::Tiny->new(
++verify_SSL => 1,
+ $want_proxy ? (proxy => $self->{proxy}) : ()
+ );
+
+--
+2.40.0
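Review bot: as rendered here the `Upstream-Status: Backport` line is wrapped onto a second line that lacks the leading `+`, and the `+++ b/cpan/CPAN/lib/CPAN/HTTP/Client.pm` header has lost its prefix, so the patch file would not apply in that form; please confirm the committed file is unwrapped and that do_patch succeeds. The change itself is the right fix for CVE-2023-31484: CPAN's `mirror()` now constructs `HTTP::Tiny->new(verify_SSL => 1, ...)`, so an HTTPS mirror presenting an unverifiable certificate is refused instead of silently accepted, which also means a target without a trusted CA file will fail closed on HTTPS downloads rather than downgrade to unverified TLS.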
diff --git a/meta/recipes-devtools/perl/perl_5.34.1.bb 
b/meta/recipes-devtools/perl/perl_5.34.1.bb
index af4660091b..1fa8482bcd 100644
--- a/meta/recipes-devtools/perl/perl_5.34.1.bb
+++ b/meta/recipes-devtools/perl/perl_5.34.1.bb
@@ -19,6 +19,7 @@ SRC_URI = 
"https://www.cpan.org/src/5.0/perl-${PV}.tar.gz;name=perl \

file://0001-cpan-Sys-Syslog-Makefile.PL-Fix-_PATH_LOG-for-determ.patch \
file://0001-Fix-build-with-gcc-12.patch \
file://CVE-2023-31486.patch \
+   file://CVE-2023-31484.patch \
"
 SRC_URI:append:class-native = " \
file://perl-configpm-switch.patch \
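Review bot: this hunk applies against blob af4660091b and its context already carries `file://CVE-2023-31486.patch \`, so the v2 only applies after the separate CVE-2023-31486 patch has been merged into kirkstone, yet the commit message does not mention that dependency; either send both as one ordered series or state in the cover text that CVE-2023-31486 must land first, otherwise the maintainer gets a rejected hunk when applying them in the other order.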
-- 
2.40.0


View/Reply Online (#182417): https://lists.openembedded.org/g/openembedded-core/message/182417



[OE-core] [PATCH] perl: fix CVE-2023-31484

2023-06-05 Thread Soumya via lists.openembedded.org
CPAN.pm before 2.35 does not verify TLS certificates when downloading
distributions over HTTPS.

Signed-off-by: Soumya 
---
 .../perl/files/CVE-2023-31484.patch   | 29 +++
 meta/recipes-devtools/perl/perl_5.34.1.bb |  1 +
 2 files changed, 30 insertions(+)
 create mode 100644 meta/recipes-devtools/perl/files/CVE-2023-31484.patch

diff --git a/meta/recipes-devtools/perl/files/CVE-2023-31484.patch 
b/meta/recipes-devtools/perl/files/CVE-2023-31484.patch
new file mode 100644
index 00..1f7cbd0da1
--- /dev/null
+++ b/meta/recipes-devtools/perl/files/CVE-2023-31484.patch
@@ -0,0 +1,29 @@
+From a625ec2cc3a0b6116c1f8b831d3480deb621c245 Mon Sep 17 00:00:00 2001
+From: Stig Palmquist 
+Date: Tue, 28 Feb 2023 11:54:06 +0100
+Subject: [PATCH] Add verify_SSL=>1 to HTTP::Tiny to verify https server
+ identity
+
+Upstream-Status: Backport 
[https://github.com/andk/cpanpm/commit/9c98370287f4e709924aee7c58ef21c85289a7f0]
+
+CVE: CVE-2023-31484
+
+Signed-off-by: Soumya 
+---
+ cpan/CPAN/lib/CPAN/HTTP/Client.pm | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/cpan/CPAN/lib/CPAN/HTTP/Client.pm 
b/cpan/CPAN/lib/CPAN/HTTP/Client.pm
+index 4fc792c..a616fee 100644
+--- a/cpan/CPAN/lib/CPAN/HTTP/Client.pm
 b/cpan/CPAN/lib/CPAN/HTTP/Client.pm
+@@ -32,6 +32,7 @@ sub mirror {
+
+ my $want_proxy = $self->_want_proxy($uri);
+ my $http = HTTP::Tiny->new(
++verify_SSL => 1,
+ $want_proxy ? (proxy => $self->{proxy}) : ()
+ );
+
+--
+2.40.0
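Review bot: the patch header's `From a625ec2cc3a0b6116c1f8b831d3480deb621c245` does not match the commit named in `Upstream-Status: Backport [https://github.com/andk/cpanpm/commit/9c98370287f4e709924aee7c58ef21c85289a7f0]`, so it is unclear whether the diff was exported from upstream cpanpm directly or re-exported from another tree; please state which commit the one-line change was lifted from so its provenance can be checked, and keep the Upstream-Status URL pointing at the commit actually used.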
diff --git a/meta/recipes-devtools/perl/perl_5.34.1.bb 
b/meta/recipes-devtools/perl/perl_5.34.1.bb
index 42bcb8b1bc..e0ee006e50 100644
--- a/meta/recipes-devtools/perl/perl_5.34.1.bb
+++ b/meta/recipes-devtools/perl/perl_5.34.1.bb
@@ -18,6 +18,7 @@ SRC_URI = 
"https://www.cpan.org/src/5.0/perl-${PV}.tar.gz;name=perl \
file://determinism.patch \

file://0001-cpan-Sys-Syslog-Makefile.PL-Fix-_PATH_LOG-for-determ.patch \
file://0001-Fix-build-with-gcc-12.patch \
+   file://CVE-2023-31484.patch \
"
 SRC_URI:append:class-native = " \
file://perl-configpm-switch.patch \
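Review bot: the subject carries no branch tag, but the hunk targets perl_5.34.1.bb at base blob 42bcb8b1bc, the same recipe and base the [kirkstone]-tagged CVE-2023-31486 patch in this thread modifies, which is what prompted the "Which release is this patch against?" question; put the intended branch in the subject (the v2 repost does, as [oe-core][kirkstone]) so the maintainer knows which tree to apply it to.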
-- 
2.40.0


View/Reply Online (#182399): https://lists.openembedded.org/g/openembedded-core/message/182399



[oe-core][kirkstone][PATCH 1/1] perl: Fix CVE-2023-31486

2023-06-04 Thread Soumya via lists.openembedded.org
HTTP::Tiny 0.082, a Perl core module since 5.13.9 and available standalone on 
CPAN,
has an insecure default TLS configuration where users must opt in to verify 
certificates.

Signed-off-by: Soumya 
---
 .../perl/files/CVE-2023-31486.patch   | 89 +++
 meta/recipes-devtools/perl/perl_5.34.1.bb |  1 +
 2 files changed, 90 insertions(+)
 create mode 100644 meta/recipes-devtools/perl/files/CVE-2023-31486.patch

diff --git a/meta/recipes-devtools/perl/files/CVE-2023-31486.patch 
b/meta/recipes-devtools/perl/files/CVE-2023-31486.patch
new file mode 100644
index 00..55c4bd1d47
--- /dev/null
+++ b/meta/recipes-devtools/perl/files/CVE-2023-31486.patch
@@ -0,0 +1,89 @@
+From 1490431e40e22052f75a0b3449f1f53cbd27ba92 Mon Sep 17 00:00:00 2001
+From: Dominic Hargreaves 
+Date: Thu, 21 May 2020 22:53:37 +0100
+Subject: [PATCH] Enable SSL by default in HTTP::Tiny
+
+Gbp-Pq: Topic debian
+Gbp-Pq: Name http-tiny-ssl.diff
+
+CVE: CVE-2023-31486
+
+Upstream-Status: Backport 
[https://salsa.debian.org/perl-team/interpreter/perl/-/commit/1490431e40e22052f75a0b3449f1f53cbd27ba92.patch]
+
+Signed-off-by: Soumya 
+---
+ cpan/HTTP-Tiny/lib/HTTP/Tiny.pm | 20 +---
+ 1 file changed, 9 insertions(+), 11 deletions(-)
+
+diff --git a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm
+index 5803e45..88ba514 100644
+--- a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm
 b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm
+@@ -40,7 +40,7 @@ sub _croak { require Carp; Carp::croak(@_) }
+ #pod * C ??? Request timeout in seconds (default is 60) If a socket 
open,
+ #pod   read or write takes longer than the timeout, an exception is thrown.
+ #pod * C ??? A boolean that indicates whether to validate the SSL
+-#pod   certificate of an C ??? connection (default is false)
++#pod   certificate of an C ??? connection (default is true)
+ #pod * C ??? A hashref of C ??? options to pass through to
+ #pod   L
+ #pod
+@@ -112,7 +112,7 @@ sub new {
+ max_redirect => 5,
+ timeout  => defined $args{timeout} ? $args{timeout} : 60,
+ keep_alive   => 1,
+-verify_SSL   => $args{verify_SSL} || $args{verify_ssl} || 0, # no 
verification by default
++verify_SSL   => $args{verify_SSL} // $args{verify_ssl} // 1, # 
verification by default
+ no_proxy => $ENV{no_proxy},
+ };
+
+@@ -1038,7 +1038,7 @@ sub new {
+ timeout  => 60,
+ max_line_size=> 16384,
+ max_header_lines => 64,
+-verify_SSL   => 0,
++verify_SSL   => 1,
+ SSL_options  => {},
+ %args
+ }, $class;
+@@ -1765,7 +1765,7 @@ C ??? Request timeout in seconds (default is 
60) If a socket open, read
+
+ =item *
+
+-C ??? A boolean that indicates whether to validate the SSL 
certificate of an C ??? connection (default is false)
++C ??? A boolean that indicates whether to validate the SSL 
certificate of an C ??? connection (default is true)
+
+ =item *
+
+@@ -2035,7 +2035,7 @@ Verification of server identity
+
+ =back
+
+-B.
++Bhttp://cacert.org>.
+
+-By default, HTTP::Tiny does not make any assumptions about your trust model,
+-threat level or risk tolerance.  It just aims to give you an encrypted channel
+-when you need one.
+-
+ Setting the C attribute to a true value will make HTTP::Tiny 
verify
+ that an SSL connection has a valid SSL certificate corresponding to the host
+ name of the connection and that the SSL certificate has been verified by a CA.
+ Assuming you trust the CA, this will protect against a Lhttp://en.wikipedia.org/wiki/Man-in-the-middle_attack>.  If you are
+-concerned about security, you should enable this option.
++attack|http://en.wikipedia.org/wiki/Man-in-the-middle_attack>.
++
++If you are not concerned about security, and this default in Debian causes
++problems, you should disable this option.
+
+ Certificate verification requires a file containing trusted CA certificates.
+
+--
+2.40.0
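Review bot: `Upstream-Status: Backport` is not accurate for this file, since the referenced commit is a Debian packaging change (salsa.debian.org, with `Gbp-Pq` headers) rather than an HTTP::Tiny upstream release, and the POD text it adds even reads "this default in Debian causes problems"; use a status that reflects a distro-derived change and reword that paragraph so it does not refer to Debian in an OE tree. The code side is sound: the `new` defaults become `verify_SSL => 1`, and replacing `||` with `//` means an explicit `verify_SSL => 0` is still honoured rather than being overridden by the new default. Note that in this rendering the `<...>` parts of the POD markup and the dashes are garbled (the `???` fragments), so the documentation hunks cannot be reviewed from the mail as shown; and since the hunk's own text says certificate verification requires a file containing trusted CA certificates, flipping the default is a behaviour change for every HTTP::Tiny consumer on the image, which the commit message should call out.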
diff --git a/meta/recipes-devtools/perl/perl_5.34.1.bb 
b/meta/recipes-devtools/perl/perl_5.34.1.bb
index 42bcb8b1bc..af4660091b 100644
--- a/meta/recipes-devtools/perl/perl_5.34.1.bb
+++ b/meta/recipes-devtools/perl/perl_5.34.1.bb
@@ -18,6 +18,7 @@ SRC_URI = 
"https://www.cpan.org/src/5.0/perl-${PV}.tar.gz;name=perl \
file://determinism.patch \

file://0001-cpan-Sys-Syslog-Makefile.PL-Fix-_PATH_LOG-for-determ.patch \
file://0001-Fix-build-with-gcc-12.patch \
+   file://CVE-2023-31486.patch \
"
 SRC_URI:append:class-native = " \
file://perl-configpm-switch.patch \
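Review bot: adding the patch to SRC_URI is the only recipe change, but the flipped default needs a CA bundle at runtime (the patch's own POD states that verification requires a file of trusted CA certificates), so without a runtime dependency on ca-certificates for the package that ships HTTP::Tiny every HTTPS request from Perl code on the image will now fail; add that RDEPENDS, or at least document the requirement in the commit message, so the fail-closed behaviour is deliberate rather than a surprise on first boot.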
-- 
2.40.0


View/Reply Online (#182370): https://lists.openembedded.org/g/openembedded-core/message/182370