[OE-core] [hardknott][PATCH 4/5] ffmpeg: fix CVE-2020-22021
avfilter/vf_yadif: Fix handing of tiny images Fixes: out of array access Fixes: Ticket8240 Fixes: CVE-2020-22021 Signed-off-by: Michael Niedermayer CVE: CVE-2020-22021 Upstream-Status: Backport [7971f62120a55c141ec437aa3f0bacc1c1a3526b] Signed-off-by: Tony Tascioglu --- .../ffmpeg/ffmpeg/fix-CVE-2020-22021.patch| 87 +++ .../recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb | 1 + 2 files changed, 88 insertions(+) create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22021.patch diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22021.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22021.patch new file mode 100644 index 00..05cba736ff --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22021.patch 
@@ -0,0 +1,87 @@ +From 384177ca945395c8cf0ebbddd4b8b1eae64e900f Mon Sep 17 00:00:00 2001 +From: Michael Niedermayer +Date: Sat, 29 May 2021 11:17:35 +0200 +Subject: [PATCH 4/5] avfilter/vf_yadif: Fix handing of tiny images + +Fixes: out of array access +Fixes: Ticket8240 +Fixes: CVE-2020-22021 + +Signed-off-by: Michael Niedermayer + +CVE: CVE-2020-22021 +Upstream-Status: Backport [7971f62120a55c141ec437aa3f0bacc1c1a3526b] + +Signed-off-by: Tony Tascioglu +--- + libavfilter/vf_yadif.c | 32 ++-- + 1 file changed, 18 insertions(+), 14 deletions(-) + +diff --git a/libavfilter/vf_yadif.c b/libavfilter/vf_yadif.c +index 43dea67add..06fd24ecfa 100644 +--- a/libavfilter/vf_yadif.c b/libavfilter/vf_yadif.c +@@ -123,20 +123,22 @@ static void filter_edges(void *dst1, void *prev1, void *cur1, void *next1, + uint8_t *next2 = parity ? cur : next; + + const int edge = MAX_ALIGN - 1; ++int offset = FFMAX(w - edge, 3); + + /* Only edge pixels need to be processed here. A constant value of false + * for is_not_edge should let the compiler ignore the whole branch. */ +-FILTER(0, 3, 0) ++FILTER(0, FFMIN(3, w), 0) + +-dst = (uint8_t*)dst1 + w - edge; +-prev = (uint8_t*)prev1 + w - edge; +-cur = (uint8_t*)cur1 + w - edge; +-next = (uint8_t*)next1 + w - edge; ++dst = (uint8_t*)dst1 + offset; ++prev = (uint8_t*)prev1 + offset; ++cur = (uint8_t*)cur1 + offset; ++next = (uint8_t*)next1 + offset; + prev2 = (uint8_t*)(parity ? prev : cur); + next2 = (uint8_t*)(parity ? cur : next); + +-FILTER(w - edge, w - 3, 1) +-FILTER(w - 3, w, 0) ++FILTER(offset, w - 3, 1) ++offset = FFMAX(offset, w - 3); ++FILTER(offset, w, 0) + } + + +@@ -170,21 +172,23 @@ static void filter_edges_16bit(void *dst1, void *prev1, void *cur1, void *next1, + uint16_t *next2 = parity ? 
cur : next; + + const int edge = MAX_ALIGN / 2 - 1; ++int offset = FFMAX(w - edge, 3); + + mrefs /= 2; + prefs /= 2; + +-FILTER(0, 3, 0) ++FILTER(0, FFMIN(3, w), 0) + +-dst = (uint16_t*)dst1 + w - edge; +-prev = (uint16_t*)prev1 + w - edge; +-cur = (uint16_t*)cur1 + w - edge; +-next = (uint16_t*)next1 + w - edge; ++dst = (uint16_t*)dst1 + offset; ++prev = (uint16_t*)prev1 + offset; ++cur = (uint16_t*)cur1 + offset; ++next = (uint16_t*)next1 + offset; + prev2 = (uint16_t*)(parity ? prev : cur); + next2 = (uint16_t*)(parity ? cur : next); + +-FILTER(w - edge, w - 3, 1) +-FILTER(w - 3, w, 0) ++FILTER(offset, w - 3, 1) ++offset = FFMAX(offset, w - 3); ++FILTER(offset, w, 0) + } + + static int filter_slice(AVFilterContext *ctx, void *arg, int jobnr, int nb_jobs) +-- +2.32.0 + diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb index c9c82b0398..e68589d4c3 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb @@ -29,6 +29,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ file://fix-CVE-2020-20446.patch \ file://fix-CVE-2020-20453.patch \ file://fix-CVE-2020-22015.patch \ + file://fix-CVE-2020-22021.patch \ " SRC_URI[sha256sum] = "46e4e64f1dd0233cbc0934b9f1c0da676008cad34725113fb7f802cfa84ccddb" -- 2.31.1
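Review bot: For rows narrower than 3 pixels, `offset = FFMAX(w - edge, 3)` in `filter_edges` is larger than `w`, so `dst = (uint8_t*)dst1 + offset;` and the three assignments after it form pointers past the end of the row. That is harmless only if each `FILTER(start, end, ...)` expands to a loop that runs zero times when start >= end; the macro and the start of the function are outside the hunk, so this should be confirmed. I would add above the declaration: `/* offset >= 3 keeps the right-edge passes from overlapping the left-edge pass; for w < 3 they run zero iterations */`. The same applies to the `filter_edges_16bit` hunk, and to the identical patch in the [PATCH 4/6] message for ffmpeg_4.4.bb further down the page.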
[OE-core] [hardknott][PATCH 5/5] ffmpeg: fix CVE-2020-22019 and CVE-2020-22033
avfilter/vf_vmafmotion: Check dimensions Fixes: out of array access Fixes: Ticket8241 Fixes: Ticket8246 Fixes: CVE-2020-22019 Fixes: CVE-2020-22033 Signed-off-by: Michael Niedermayer CVE: CVE-2020-22033 CVE: CVE-2020-22019 Upstream-Status: Backport [82ad1b76751bcfad5005440db48c46a4de5d6f02] Signed-off-by: Tony Tascioglu --- .../fix-CVE-2020-22033-CVE-2020-22019.patch | 39 +++ .../recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb | 1 + 2 files changed, 40 insertions(+) create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22033-CVE-2020-22019.patch diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22033-CVE-2020-22019.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22033-CVE-2020-22019.patch new file mode 100644 index 00..e98ddaaede --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22033-CVE-2020-22019.patch @@ -0,0 +1,39 @@ +From 2f3bf456fa641edf154a99c4586d7bf52c02a495 Mon Sep 17 00:00:00 2001 +From: Michael Niedermayer +Date: Sat, 29 May 2021 09:58:31 +0200 +Subject: [PATCH 5/5] avfilter/vf_vmafmotion: Check dimensions + +Fixes: out of array access +Fixes: Ticket8241 +Fixes: Ticket8246 +Fixes: CVE-2020-22019 +Fixes: CVE-2020-22033 + +Signed-off-by: Michael Niedermayer + +CVE: CVE-2020-22033 +CVE: CVE-2020-22019 +Upstream-Status: Backport [82ad1b76751bcfad5005440db48c46a4de5d6f02] + +Signed-off-by: Tony Tascioglu +--- + libavfilter/vf_vmafmotion.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/libavfilter/vf_vmafmotion.c b/libavfilter/vf_vmafmotion.c +index 88d0b35095..0730147e7d 100644 +--- a/libavfilter/vf_vmafmotion.c b/libavfilter/vf_vmafmotion.c +@@ -238,6 +238,9 @@ int ff_vmafmotion_init(VMAFMotionData *s, + int i; + const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(fmt); + ++if (w < 3 || h < 3) ++return AVERROR(EINVAL); ++ + s->width = w; + s->height = h; + s->stride = FFALIGN(w * sizeof(uint16_t), 32); +-- +2.32.0 + 
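Review bot: The new guard `if (w < 3 || h < 3) return AVERROR(EINVAL);` in `ff_vmafmotion_init` uses a bare 3 with no explanation, and nothing in the hunk shows which later access needs it. A one-line comment such as `/* smaller frames make the motion filter index outside the plane buffers */` would help; the wording should be checked against the convolution code, which is outside the hunk. The check bounds only the lower side, so the `w * sizeof(uint16_t)` stride computation on the context line below still relies on callers passing validated dimensions. The same hunk appears again in the [PATCH 5/6] message for ffmpeg_4.4.bb.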
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb index e68589d4c3..0a49493abd 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb @@ -30,6 +30,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ file://fix-CVE-2020-20453.patch \ file://fix-CVE-2020-22015.patch \ file://fix-CVE-2020-22021.patch \ + file://fix-CVE-2020-22033-CVE-2020-22019.patch \ " SRC_URI[sha256sum] = "46e4e64f1dd0233cbc0934b9f1c0da676008cad34725113fb7f802cfa84ccddb" -- 2.31.1
[OE-core] [hardknott][PATCH 3/5] ffmpeg: fix CVE-2020-22015
avformat/movenc: Check pal_size before use Fixes: assertion failure Fixes: out of array read Fixes: Ticket8190 Fixes: CVE-2020-22015 Signed-off-by: Michael Niedermayer CVE: CVE-2020-22015 Upstream-Status: Backport [4c1afa292520329eecd1cc7631bc59a8cca95c46] Signed-off-by: Tony Tascioglu --- .../ffmpeg/ffmpeg/fix-CVE-2020-22015.patch| 44 +++ .../recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb | 1 + 2 files changed, 45 insertions(+) create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22015.patch diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22015.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22015.patch new file mode 100644 index 00..1fdb31de7d --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22015.patch 
@@ -0,0 +1,44 @@ +From dce5d2c2ee991f8cd96ab74d51a2d1a134a1a645 Mon Sep 17 00:00:00 2001 +From: Michael Niedermayer +Date: Sat, 29 May 2021 09:22:27 +0200 +Subject: [PATCH 3/5] avformat/movenc: Check pal_size before use + +Fixes: assertion failure +Fixes: out of array read +Fixes: Ticket8190 +Fixes: CVE-2020-22015 + +Signed-off-by: Michael Niedermayer + + +CVE: CVE-2020-22015 +Upstream-Status: Backport [4c1afa292520329eecd1cc7631bc59a8cca95c46] + +Signed-off-by: Tony Tascioglu +--- + libavformat/movenc.c | 6 -- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/libavformat/movenc.c b/libavformat/movenc.c +index c34d86522a..9603704083 100644 +--- a/libavformat/movenc.c b/libavformat/movenc.c +@@ -2094,11 +2094,13 @@ static int mov_write_video_tag(AVFormatContext *s, AVIOContext *pb, MOVMuxContex + avio_wb16(pb, 0x18); /* Reserved */ + + if (track->mode == MODE_MOV && track->par->format == AV_PIX_FMT_PAL8) { +-int pal_size = 1 << track->par->bits_per_coded_sample; +-int i; ++int pal_size, i; + avio_wb16(pb, 0); /* Color table ID */ + avio_wb32(pb, 0); /* Color table seed */ + avio_wb16(pb, 0x8000);/* Color table flags */ ++if (track->par->bits_per_coded_sample < 0 || track->par->bits_per_coded_sample > 8) ++return AVERROR(EINVAL); ++pal_size = 1 << track->par->bits_per_coded_sample; + avio_wb16(pb, pal_size - 1); /* Color table size (zero-relative) */ + for (i = 0; i < pal_size; i++) { + uint32_t rgb = track->palette[i]; +-- +2.32.0 + diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb index 3917ad9c2c..c9c82b0398 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb 
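Review bot: In `mov_write_video_tag` the new range check on `track->par->bits_per_coded_sample` runs after `avio_wb16(pb, 0)`, `avio_wb32(pb, 0)` and `avio_wb16(pb, 0x8000)`, so on the error path three color-table fields have already been written to `pb` when `AVERROR(EINVAL)` is returned. Moving `if (track->par->bits_per_coded_sample < 0 || track->par->bits_per_coded_sample > 8)` and its `return AVERROR(EINVAL);` directly under `int pal_size, i;` rejects the value before this branch emits anything. The context line `avio_wb16(pb, 0x18)` shows the tag is partly written even earlier, so validating before the tag is started may be the cleaner place; that code is outside the hunk. The bound of 8 limits `pal_size` to 256, and whether `track->palette` holds that many entries is not visible here. The same change appears in the [PATCH 3/6] message for ffmpeg_4.4.bb.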
@@ -28,6 +28,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \ file://fix-CVE-2020-20446.patch \ file://fix-CVE-2020-20453.patch \ + file://fix-CVE-2020-22015.patch \ " SRC_URI[sha256sum] = "46e4e64f1dd0233cbc0934b9f1c0da676008cad34725113fb7f802cfa84ccddb" -- 2.31.1
[OE-core] [hardknott][PATCH 1/5] ffmpeg: fix CVE-2020-20446
avcodec/aacpsy: Avoid floating point division by 0 of norm_fac Fixes: Ticket7995 Fixes: CVE-2020-20446 Signed-off-by: Michael Niedermayer CVE: CVE-2020-20446 Upstream-Status: Backport [223b5e8ac9f6461bb13ed365419ec485c5b2b002] Signed-off-by: Tony Tascioglu --- .../ffmpeg/ffmpeg/fix-CVE-2020-20446.patch| 35 +++ .../recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb | 1 + 2 files changed, 36 insertions(+) create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-20446.patch diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-20446.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-20446.patch new file mode 100644 index 00..4fe80cffa1 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-20446.patch @@ -0,0 +1,35 @@ +From 073bad2fcae5be78c11a1623a20319107dfae9f8 Mon Sep 17 00:00:00 2001 +From: Michael Niedermayer +Date: Fri, 28 May 2021 20:18:25 +0200 +Subject: [PATCH 1/5] avcodec/aacpsy: Avoid floating point division by 0 of + norm_fac + +Fixes: Ticket7995 +Fixes: CVE-2020-20446 + +Signed-off-by: Michael Niedermayer + +CVE: CVE-2020-20446 +Upstream-Status: Backport [223b5e8ac9f6461bb13ed365419ec485c5b2b002] + +Signed-off-by: Tony Tascioglu +--- + libavcodec/aacpsy.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libavcodec/aacpsy.c b/libavcodec/aacpsy.c +index fca692cb15..bd444fecdc 100644 +--- a/libavcodec/aacpsy.c b/libavcodec/aacpsy.c +@@ -794,7 +794,7 @@ static void psy_3gpp_analyze_channel(FFPsyContext *ctx, int channel, + + if (pe < 1.15f * desired_pe) { + /* 6.6.1.3.6 "Final threshold modification by linearization" */ +-norm_fac = 1.0f / norm_fac; ++norm_fac = norm_fac ? 1.0f / norm_fac : 0; + for (w = 0; w < wi->num_windows*16; w += 16) { + for (g = 0; g < num_bands; g++) { + AacPsyBand *band = >band[w+g]; +-- +2.32.0 + diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb index 08be38ca50..b4fbebe414 100644 
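Review bot: `norm_fac = norm_fac ? 1.0f / norm_fac : 0;` in `psy_3gpp_analyze_channel` catches only an exact zero; a NaN passes the truth test and still propagates into the threshold loop that follows. If `norm_fac` is accumulated from non-negative terms (the accumulation is outside the hunk), `norm_fac = norm_fac > 0.0f ? 1.0f / norm_fac : 0.0f;` states that intent, also filters NaN and negative values, and keeps the literal a float. A short comment on what a zero `norm_fac` means for the linearization step below would help the next reader.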
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb @@ -26,6 +26,7 @@ LIC_FILES_CHKSUM = "file://COPYING.GPLv2;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ file://mips64_cpu_detection.patch \ file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \ + file://fix-CVE-2020-20446.patch \ " SRC_URI[sha256sum] = "46e4e64f1dd0233cbc0934b9f1c0da676008cad34725113fb7f802cfa84ccddb" -- 2.31.1
[OE-core] [hardknott][PATCH 2/5] ffmpeg: fix CVE-2020-20453
avcodec/aacenc: Avoid 0 lambda Fixes: Ticket8003 Fixes: CVE-2020-20453 Signed-off-by: Michael Niedermayer CVE: CVE-2020-20453 Upstream-Status: Backport [a7a7f32c8ad0179a1a85d0a8cff35924e6d90be8] Signed-off-by: Tony Tascioglu --- .../ffmpeg/ffmpeg/fix-CVE-2020-20453.patch| 42 +++ .../recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb | 1 + 2 files changed, 43 insertions(+) create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-20453.patch diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-20453.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-20453.patch new file mode 100644 index 00..4e430726b0 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-20453.patch @@ -0,0 +1,42 @@ +From 80f9cbee46757430af0769ec999ca702be652f7f Mon Sep 17 00:00:00 2001 +From: Michael Niedermayer +Date: Fri, 28 May 2021 21:37:26 +0200 +Subject: [PATCH 2/5] avcodec/aacenc: Avoid 0 lambda + +Fixes: Ticket8003 +Fixes: CVE-2020-20453 + +Signed-off-by: Michael Niedermayer + +CVE: CVE-2020-20453 +Upstream-Status: Backport [a7a7f32c8ad0179a1a85d0a8cff35924e6d90be8] + +Signed-off-by: Tony Tascioglu +--- + libavcodec/aacenc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/libavcodec/aacenc.c b/libavcodec/aacenc.c +index db11e0ca29..9c6cb75be4 100644 +--- a/libavcodec/aacenc.c b/libavcodec/aacenc.c +@@ -28,6 +28,7 @@ + * TODOs: + * add sane pulse detection + ***/ ++#include + + #include "libavutil/libm.h" + #include "libavutil/thread.h" +@@ -856,7 +857,7 @@ static int aac_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, + /* Not so fast though */ + ratio = sqrtf(ratio); + } +-s->lambda = FFMIN(s->lambda * ratio, 65536.f); ++s->lambda = av_clipf(s->lambda * ratio, FLT_MIN, 65536.f); + + /* Keep iterating if we must reduce and lambda is in the sky */ + if (ratio > 0.9f && ratio < 1.1f) { +-- +2.32.0 + 
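Review bot: The new lower bound in `s->lambda = av_clipf(s->lambda * ratio, FLT_MIN, 65536.f);` has no comment saying why the smallest normalized float was chosen, and a lambda of FLT_MIN is still small enough that dividing a modest value by it overflows float range. If lambda is used as a divisor later in `aac_encode_frame` or the coders (not visible in the hunk), a named minimum chosen for the encoder's working range would be safer; at the least add `/* keep lambda strictly positive, see Ticket8003 */` above the line. How `av_clipf` treats a NaN product is also worth checking, since `ratio` passes through `sqrtf` just above and its origin is outside the hunk. On this page the added `#include` line has lost its header name; `FLT_MIN` comes from `<float.h>`. The same hunk appears in the [PATCH 2/6] message for ffmpeg_4.4.bb.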
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb index b4fbebe414..3917ad9c2c 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb @@ -27,6 +27,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ file://mips64_cpu_detection.patch \ file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \ file://fix-CVE-2020-20446.patch \ + file://fix-CVE-2020-20453.patch \ " SRC_URI[sha256sum] = "46e4e64f1dd0233cbc0934b9f1c0da676008cad34725113fb7f802cfa84ccddb" -- 2.31.1
[OE-core] [PATCH] valgrind: skip broken ptests for glibc 2.34
Skip tests that are problematic for glibc-2.34. The list of problematic ptests was found by Richard after patching several to work with the new glibc version. https://bugzilla.yoctoproject.org/show_bug.cgi?id=14500 Signed-off-by: Tony Tascioglu --- meta/recipes-devtools/valgrind/valgrind/remove-for-aarch64 | 5 + meta/recipes-devtools/valgrind/valgrind/remove-for-all | 6 ++ 2 files changed, 11 insertions(+) diff --git a/meta/recipes-devtools/valgrind/valgrind/remove-for-aarch64 b/meta/recipes-devtools/valgrind/valgrind/remove-for-aarch64 index b4fc8af333..a3c36ba383 100644 --- a/meta/recipes-devtools/valgrind/valgrind/remove-for-aarch64 +++ b/meta/recipes-devtools/valgrind/valgrind/remove-for-aarch64 @@ -236,3 +236,8 @@ memcheck/tests/wrapmallocstatic memcheck/tests/writev1 memcheck/tests/xml1 memcheck/tests/linux/stack_changes +gdbserver_tests/hginfo +memcheck/tests/linux/timerfd-syscall +drd/tests/thread_name_xml +massif/tests/deep-D + diff --git a/meta/recipes-devtools/valgrind/valgrind/remove-for-all b/meta/recipes-devtools/valgrind/valgrind/remove-for-all index c3fc639066..917b0b581b 100644 --- a/meta/recipes-devtools/valgrind/valgrind/remove-for-all +++ b/meta/recipes-devtools/valgrind/valgrind/remove-for-all @@ -1 +1,7 @@ none/tests/amd64/fb_test_amd64 +gdbserver_tests/hginfo +memcheck/tests/supp_unknown +helgrind/tests/tls_threads +drd/tests/bar_bad_xml +drd/tests/pth_barrier_thr_cr + -- 2.31.1
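Review bot: `gdbserver_tests/hginfo` is added to both `remove-for-aarch64` and `remove-for-all`; if `remove-for-all` is applied on every architecture, as its name suggests, the aarch64 entry is redundant and can be dropped. The new entries are unconditional, so these ptests stay skipped after the glibc 2.34 incompatibility is fixed unless someone removes them again; listing the skipped test names under the bug linked in the commit message would keep that traceable. Both hunks also end with an added empty line, so it is worth checking that whatever consumes these lists tolerates a blank entry.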
[OE-core] [PATCH 4/6] ffmpeg: fix CVE-2020-22021
avfilter/vf_yadif: Fix handing of tiny images Fixes: out of array access Fixes: Ticket8240 Fixes: CVE-2020-22021 Signed-off-by: Michael Niedermayer CVE: CVE-2020-22021 Upstream-Status: Backport [7971f62120a55c141ec437aa3f0bacc1c1a3526b] Signed-off-by: Tony Tascioglu --- .../ffmpeg/ffmpeg/fix-CVE-2020-22021.patch| 87 +++ meta/recipes-multimedia/ffmpeg/ffmpeg_4.4.bb | 1 + 2 files changed, 88 insertions(+) create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22021.patch diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22021.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22021.patch new file mode 100644 index 00..6f7fce0e4c --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22021.patch 
@@ -0,0 +1,87 @@ +From 7971f62120a55c141ec437aa3f0bacc1c1a3526b Mon Sep 17 00:00:00 2001 +From: Michael Niedermayer +Date: Sat, 29 May 2021 11:17:35 +0200 +Subject: [PATCH] avfilter/vf_yadif: Fix handing of tiny images + +Fixes: out of array access +Fixes: Ticket8240 +Fixes: CVE-2020-22021 + +Signed-off-by: Michael Niedermayer + +CVE: CVE-2020-22021 +Upstream-Status: Backport [7971f62120a55c141ec437aa3f0bacc1c1a3526b] + +Signed-off-by: Tony Tascioglu +--- + libavfilter/vf_yadif.c | 32 ++-- + 1 file changed, 18 insertions(+), 14 deletions(-) + +diff --git a/libavfilter/vf_yadif.c b/libavfilter/vf_yadif.c +index 91cc79ecc3..b0d9fbaf1f 100644 +--- a/libavfilter/vf_yadif.c b/libavfilter/vf_yadif.c +@@ -123,20 +123,22 @@ static void filter_edges(void *dst1, void *prev1, void *cur1, void *next1, + uint8_t *next2 = parity ? cur : next; + + const int edge = MAX_ALIGN - 1; ++int offset = FFMAX(w - edge, 3); + + /* Only edge pixels need to be processed here. A constant value of false + * for is_not_edge should let the compiler ignore the whole branch. */ +-FILTER(0, 3, 0) ++FILTER(0, FFMIN(3, w), 0) + +-dst = (uint8_t*)dst1 + w - edge; +-prev = (uint8_t*)prev1 + w - edge; +-cur = (uint8_t*)cur1 + w - edge; +-next = (uint8_t*)next1 + w - edge; ++dst = (uint8_t*)dst1 + offset; ++prev = (uint8_t*)prev1 + offset; ++cur = (uint8_t*)cur1 + offset; ++next = (uint8_t*)next1 + offset; + prev2 = (uint8_t*)(parity ? prev : cur); + next2 = (uint8_t*)(parity ? cur : next); + +-FILTER(w - edge, w - 3, 1) +-FILTER(w - 3, w, 0) ++FILTER(offset, w - 3, 1) ++offset = FFMAX(offset, w - 3); ++FILTER(offset, w, 0) + } + + +@@ -170,21 +172,23 @@ static void filter_edges_16bit(void *dst1, void *prev1, void *cur1, void *next1, + uint16_t *next2 = parity ? 
cur : next; + + const int edge = MAX_ALIGN / 2 - 1; ++int offset = FFMAX(w - edge, 3); + + mrefs /= 2; + prefs /= 2; + +-FILTER(0, 3, 0) ++FILTER(0, FFMIN(3, w), 0) + +-dst = (uint16_t*)dst1 + w - edge; +-prev = (uint16_t*)prev1 + w - edge; +-cur = (uint16_t*)cur1 + w - edge; +-next = (uint16_t*)next1 + w - edge; ++dst = (uint16_t*)dst1 + offset; ++prev = (uint16_t*)prev1 + offset; ++cur = (uint16_t*)cur1 + offset; ++next = (uint16_t*)next1 + offset; + prev2 = (uint16_t*)(parity ? prev : cur); + next2 = (uint16_t*)(parity ? cur : next); + +-FILTER(w - edge, w - 3, 1) +-FILTER(w - 3, w, 0) ++FILTER(offset, w - 3, 1) ++offset = FFMAX(offset, w - 3); ++FILTER(offset, w, 0) + } + + static int filter_slice(AVFilterContext *ctx, void *arg, int jobnr, int nb_jobs) +-- +2.32.0 + diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.4.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.4.bb index 786f7abc20..f1b3c027e3 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.4.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.4.bb @@ -28,6 +28,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ file://fix-CVE-2020-20446.patch \ file://fix-CVE-2020-20453.patch \ file://fix-CVE-2020-22015.patch \ + file://fix-CVE-2020-22021.patch \ " SRC_URI[sha256sum] = "06b10a183ce5371f915c6bb15b7b1fffbe046e8275099c96affc29e17645d909" -- 2.31.1
[OE-core] [PATCH 3/6] ffmpeg: fix CVE-2020-22015
avformat/movenc: Check pal_size before use Fixes: assertion failure Fixes: out of array read Fixes: Ticket8190 Fixes: CVE-2020-22015 Signed-off-by: Michael Niedermayer CVE: CVE-2020-22015 Upstream-Status: Backport [4c1afa292520329eecd1cc7631bc59a8cca95c46] Signed-off-by: Tony Tascioglu --- .../ffmpeg/ffmpeg/fix-CVE-2020-22015.patch| 44 +++ meta/recipes-multimedia/ffmpeg/ffmpeg_4.4.bb | 1 + 2 files changed, 45 insertions(+) create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22015.patch diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22015.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22015.patch new file mode 100644 index 00..5c911299cb --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22015.patch 
@@ -0,0 +1,44 @@ +From 4c1afa292520329eecd1cc7631bc59a8cca95c46 Mon Sep 17 00:00:00 2001 +From: Michael Niedermayer +Date: Sat, 29 May 2021 09:22:27 +0200 +Subject: [PATCH] avformat/movenc: Check pal_size before use + +Fixes: assertion failure +Fixes: out of array read +Fixes: Ticket8190 +Fixes: CVE-2020-22015 + +Signed-off-by: Michael Niedermayer + + +CVE: CVE-2020-22015 +Upstream-Status: Backport [4c1afa292520329eecd1cc7631bc59a8cca95c46] + +Signed-off-by: Tony Tascioglu +--- + libavformat/movenc.c | 6 -- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/libavformat/movenc.c b/libavformat/movenc.c +index 2ab507df15..7d839f447b 100644 +--- a/libavformat/movenc.c b/libavformat/movenc.c +@@ -2160,11 +2160,13 @@ static int mov_write_video_tag(AVFormatContext *s, AVIOContext *pb, MOVMuxContex + avio_wb16(pb, 0x18); /* Reserved */ + + if (track->mode == MODE_MOV && track->par->format == AV_PIX_FMT_PAL8) { +-int pal_size = 1 << track->par->bits_per_coded_sample; +-int i; ++int pal_size, i; + avio_wb16(pb, 0); /* Color table ID */ + avio_wb32(pb, 0); /* Color table seed */ + avio_wb16(pb, 0x8000);/* Color table flags */ ++if (track->par->bits_per_coded_sample < 0 || track->par->bits_per_coded_sample > 8) ++return AVERROR(EINVAL); ++pal_size = 1 << track->par->bits_per_coded_sample; + avio_wb16(pb, pal_size - 1); /* Color table size (zero-relative) */ + for (i = 0; i < pal_size; i++) { + uint32_t rgb = track->palette[i]; +-- +2.32.0 + diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.4.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.4.bb index 198a44efec..786f7abc20 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.4.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.4.bb 
@@ -27,6 +27,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \ file://fix-CVE-2020-20446.patch \ file://fix-CVE-2020-20453.patch \ + file://fix-CVE-2020-22015.patch \ " SRC_URI[sha256sum] = "06b10a183ce5371f915c6bb15b7b1fffbe046e8275099c96affc29e17645d909" -- 2.31.1
[OE-core] [PATCH 5/6] ffmpeg: fix CVE-2020-22033 and CVE-2020-22019
avfilter/vf_vmafmotion: Check dimensions Fixes: out of array access Fixes: Ticket8241 Fixes: Ticket8246 Fixes: CVE-2020-22019 Fixes: CVE-2020-22033 Signed-off-by: Michael Niedermayer CVE: CVE-2020-22033 CVE: CVE-2020-22019 Upstream-Status: Backport [82ad1b76751bcfad5005440db48c46a4de5d6f02] Signed-off-by: Tony Tascioglu --- .../fix-CVE-2020-22033-CVE-2020-22019.patch | 40 +++ meta/recipes-multimedia/ffmpeg/ffmpeg_4.4.bb | 1 + 2 files changed, 41 insertions(+) create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22033-CVE-2020-22019.patch diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22033-CVE-2020-22019.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22033-CVE-2020-22019.patch new file mode 100644 index 00..5d979ca3f2 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22033-CVE-2020-22019.patch @@ -0,0 +1,40 @@ +From 82ad1b76751bcfad5005440db48c46a4de5d6f02 Mon Sep 17 00:00:00 2001 +From: Michael Niedermayer +Date: Sat, 29 May 2021 09:58:31 +0200 +Subject: [PATCH] avfilter/vf_vmafmotion: Check dimensions + +Fixes: out of array access +Fixes: Ticket8241 +Fixes: Ticket8246 +Fixes: CVE-2020-22019 +Fixes: CVE-2020-22033 + +Signed-off-by: Michael Niedermayer + + +CVE: CVE-2020-22033 +CVE: CVE-2020-22019 +Upstream-Status: Backport [82ad1b76751bcfad5005440db48c46a4de5d6f02] + +Signed-off-by: Tony Tascioglu +--- + libavfilter/vf_vmafmotion.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/libavfilter/vf_vmafmotion.c b/libavfilter/vf_vmafmotion.c +index 2db4783d8d..454ebb8afa 100644 +--- a/libavfilter/vf_vmafmotion.c b/libavfilter/vf_vmafmotion.c +@@ -238,6 +238,9 @@ int ff_vmafmotion_init(VMAFMotionData *s, + int i; + const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(fmt); + ++if (w < 3 || h < 3) ++return AVERROR(EINVAL); ++ + s->width = w; + s->height = h; + s->stride = FFALIGN(w * sizeof(uint16_t), 32); +-- +2.32.0 + 
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.4.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.4.bb index f1b3c027e3..70b1513048 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.4.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.4.bb @@ -29,6 +29,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ file://fix-CVE-2020-20453.patch \ file://fix-CVE-2020-22015.patch \ file://fix-CVE-2020-22021.patch \ + file://fix-CVE-2020-22033-CVE-2020-22019.patch \ " SRC_URI[sha256sum] = "06b10a183ce5371f915c6bb15b7b1fffbe046e8275099c96affc29e17645d909" -- 2.31.1
[OE-core] [PATCH 6/6] ffmpeg: fix CVE-2021-33815
avcodec/exr: More strictly check dc_count Fixes: out of array access Fixes: exr/deneme Found-by: Burak Çarıkçı Signed-off-by: Michael Niedermayer CVE: CVE-2021-33815 Upstream-Status: Backport [26d3c81bc5ef2f8c3f09d45eaeacfb4b1139a777] Signed-off-by: Tony Tascioglu --- .../ffmpeg/ffmpeg/fix-CVE-2021-33815.patch| 44 +++ meta/recipes-multimedia/ffmpeg/ffmpeg_4.4.bb | 1 + 2 files changed, 45 insertions(+) create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2021-33815.patch diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2021-33815.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2021-33815.patch new file mode 100644 index 00..51edb76389 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2021-33815.patch @@ -0,0 +1,44 @@ +From 26d3c81bc5ef2f8c3f09d45eaeacfb4b1139a777 Mon Sep 17 00:00:00 2001 +From: Michael Niedermayer +Date: Tue, 25 May 2021 19:29:18 +0200 +Subject: [PATCH] avcodec/exr: More strictly check dc_count +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes: out of array access +Fixes: exr/deneme + +Found-by: Burak Çarıkçı +Signed-off-by: Michael Niedermayer + + +CVE: CVE-2021-33815 +Upstream-Status: Backport [26d3c81bc5ef2f8c3f09d45eaeacfb4b1139a777] + +Signed-off-by: Tony Tascioglu +--- + libavcodec/exr.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libavcodec/exr.c b/libavcodec/exr.c +index 9377a89169..4648ed7d62 100644 +--- a/libavcodec/exr.c b/libavcodec/exr.c +@@ -1059,11 +1059,11 @@ static int dwa_uncompress(EXRContext *s, const uint8_t *src, int compressed_size + bytestream2_skip(, ac_size); + } + +-if (dc_size > 0) { ++{ + unsigned long dest_len = dc_count * 2LL; + GetByteContext agb = gb; + +-if (dc_count > (6LL * td->xsize * td->ysize + 63) / 64) ++if (dc_count != dc_w * dc_h * 3) + return AVERROR_INVALIDDATA; + + av_fast_padded_malloc(>dc_data, >dc_size, FFALIGN(dest_len, 64) * 2); +-- +2.32.0 + 
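Review bot: In `dwa_uncompress` the replacement test `if (dc_count != dc_w * dc_h * 3)` multiplies without widening, whereas the check it replaces used `6LL * td->xsize * td->ysize` and the line above it uses `dc_count * 2LL`. If `dc_w` and `dc_h` are plain `int` (their declarations are outside the hunk), the product is computed in `int` and could overflow for very large dimensions before the comparison; `if (dc_count != 3LL * dc_w * dc_h)` keeps the arithmetic 64-bit. The hunk also drops the `if (dc_size > 0)` guard, so the count check and the allocation now run when `dc_size` is 0 as well. A short comment stating that this is intended, if the aim is that every chunk must carry exactly `dc_w * dc_h * 3` DC coefficients, would make the change easier to audit.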
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.4.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.4.bb index 70b1513048..02af257d0f 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.4.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.4.bb @@ -30,6 +30,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ file://fix-CVE-2020-22015.patch \ file://fix-CVE-2020-22021.patch \ file://fix-CVE-2020-22033-CVE-2020-22019.patch \ + file://fix-CVE-2021-33815.patch \ " SRC_URI[sha256sum] = "06b10a183ce5371f915c6bb15b7b1fffbe046e8275099c96affc29e17645d909" -- 2.31.1
[OE-core] [PATCH 2/6] ffmpeg: fix CVE-2020-20453
avcodec/aacenc: Avoid 0 lambda Fixes: Ticket8003 Fixes: CVE-2020-20453 Signed-off-by: Michael Niedermayer CVE: CVE-2020-20453 Upstream-Status: Backport [a7a7f32c8ad0179a1a85d0a8cff35924e6d90be8] Signed-off-by: Tony Tascioglu --- .../ffmpeg/ffmpeg/fix-CVE-2020-20453.patch| 42 +++ meta/recipes-multimedia/ffmpeg/ffmpeg_4.4.bb | 1 + 2 files changed, 43 insertions(+) create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-20453.patch diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-20453.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-20453.patch new file mode 100644 index 00..b1c94057a3 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-20453.patch @@ -0,0 +1,42 @@ +From a7a7f32c8ad0179a1a85d0a8cff35924e6d90be8 Mon Sep 17 00:00:00 2001 +From: Michael Niedermayer +Date: Fri, 28 May 2021 21:37:26 +0200 +Subject: [PATCH] avcodec/aacenc: Avoid 0 lambda + +Fixes: Ticket8003 +Fixes: CVE-2020-20453 + +Signed-off-by: Michael Niedermayer + +CVE: CVE-2020-20453 +Upstream-Status: Backport [a7a7f32c8ad0179a1a85d0a8cff35924e6d90be8] + +Signed-off-by: Tony Tascioglu +--- + libavcodec/aacenc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/libavcodec/aacenc.c b/libavcodec/aacenc.c +index aa223cf25f..e80591ba86 100644 +--- a/libavcodec/aacenc.c b/libavcodec/aacenc.c +@@ -28,6 +28,7 @@ + * TODOs: + * add sane pulse detection + ***/ ++#include + + #include "libavutil/libm.h" + #include "libavutil/float_dsp.h" +@@ -852,7 +853,7 @@ static int aac_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, + /* Not so fast though */ + ratio = sqrtf(ratio); + } +-s->lambda = FFMIN(s->lambda * ratio, 65536.f); ++s->lambda = av_clipf(s->lambda * ratio, FLT_MIN, 65536.f); + + /* Keep iterating if we must reduce and lambda is in the sky */ + if (ratio > 0.9f && ratio < 1.1f) { +-- +2.32.0 + 
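Review bot: The clamp `av_clipf(s->lambda * ratio, FLT_MIN, 65536.f)` carries no comment saying why a lower bound exists, and FLT_MIN is easy to misread as the most negative float rather than the smallest positive normalised one. A comment above the line, `/* keep lambda strictly positive: a zero lambda is what Ticket8003 / CVE-2020-20453 hit */`, would stop a later cleanup from reverting to FFMIN. Whether a NaN product is sanitised by the clamp cannot be judged from this hunk, since ratio is computed outside it, and is worth confirming. The added `#include` line has lost its header name on this page; FLT_MIN is declared in `<float.h>`.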
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.4.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.4.bb index 00640f3cb3..198a44efec 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.4.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.4.bb @@ -26,6 +26,7 @@ LIC_FILES_CHKSUM = "file://COPYING.GPLv2;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \ file://fix-CVE-2020-20446.patch \ + file://fix-CVE-2020-20453.patch \ " SRC_URI[sha256sum] = "06b10a183ce5371f915c6bb15b7b1fffbe046e8275099c96affc29e17645d909" -- 2.31.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#154190): https://lists.openembedded.org/g/openembedded-core/message/154190 Mute This Topic: https://lists.openembedded.org/mt/84494529/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [PATCH 1/6] ffmpeg: fix-CVE-2020-20446
avcodec/aacpsy: Avoid floating point division by 0 of norm_fac Fixes: Ticket7995 Fixes: CVE-2020-20446 Signed-off-by: Michael Niedermayer CVE: CVE-2020-20446 Upstream-Status: Backport [223b5e8ac9f6461bb13ed365419ec485c5b2b002] Signed-off-by: Tony Tascioglu --- .../ffmpeg/ffmpeg/fix-CVE-2020-20446.patch| 35 +++ meta/recipes-multimedia/ffmpeg/ffmpeg_4.4.bb | 1 + 2 files changed, 36 insertions(+) create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-20446.patch diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-20446.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-20446.patch new file mode 100644 index 00..f048c2e715 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-20446.patch @@ -0,0 +1,35 @@ +From 223b5e8ac9f6461bb13ed365419ec485c5b2b002 Mon Sep 17 00:00:00 2001 +From: Michael Niedermayer +Date: Fri, 28 May 2021 20:18:25 +0200 +Subject: [PATCH] avcodec/aacpsy: Avoid floating point division by 0 of + norm_fac + +Fixes: Ticket7995 +Fixes: CVE-2020-20446 + +Signed-off-by: Michael Niedermayer + +CVE: CVE-2020-20446 +Upstream-Status: Backport [223b5e8ac9f6461bb13ed365419ec485c5b2b002] + +Signed-off-by: Tony Tascioglu +--- + libavcodec/aacpsy.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libavcodec/aacpsy.c b/libavcodec/aacpsy.c +index 482113d427..e51d29750b 100644 +--- a/libavcodec/aacpsy.c b/libavcodec/aacpsy.c +@@ -794,7 +794,7 @@ static void psy_3gpp_analyze_channel(FFPsyContext *ctx, int channel, + + if (pe < 1.15f * desired_pe) { + /* 6.6.1.3.6 "Final threshold modification by linearization" */ +-norm_fac = 1.0f / norm_fac; ++norm_fac = norm_fac ? 1.0f / norm_fac : 0; + for (w = 0; w < wi->num_windows*16; w += 16) { + for (g = 0; g < num_bands; g++) { + AacPsyBand *band = >band[w+g]; +-- +2.32.0 + diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.4.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.4.bb index 3ed009bbb7..00640f3cb3 100644 
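Review bot: The guard `norm_fac ? 1.0f / norm_fac : 0` leaves norm_fac at 0 on the fallback path, yet the linearization loops that follow still run, and nothing in the hunk says what a zero factor means for them. A comment on the changed line, `/* norm_fac == 0: no band contributed; keep it 0 rather than dividing (TODO confirm effect on the loop below) */`, would document the intended result. As a point of style, the fallback literal should be `0.0f` to match the float expression in the other branch. psy_3gpp_analyze_channel and both loops continue outside the hunk.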
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.4.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.4.bb @@ -25,6 +25,7 @@ LIC_FILES_CHKSUM = "file://COPYING.GPLv2;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \ + file://fix-CVE-2020-20446.patch \ " SRC_URI[sha256sum] = "06b10a183ce5371f915c6bb15b7b1fffbe046e8275099c96affc29e17645d909" -- 2.31.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#154188): https://lists.openembedded.org/g/openembedded-core/message/154188 Mute This Topic: https://lists.openembedded.org/mt/84494527/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [PATCH] valgrind: skip flaky ptest fb_test_amd64
Recently, the none/tests/amd64/fb_test_amd64 test had been flaky and causing failures on the auto-builder. Until we can get to the root cause of the issue, we are going to skip the test to reduce the noise from the ptests. Signed-off-by: Tony Tascioglu
---
 meta/recipes-devtools/valgrind/valgrind/remove-for-all | 1 + 1 file changed, 1 insertion(+)
diff --git a/meta/recipes-devtools/valgrind/valgrind/remove-for-all b/meta/recipes-devtools/valgrind/valgrind/remove-for-all
index e69de29bb2..c3fc639066 100644
--- a/meta/recipes-devtools/valgrind/valgrind/remove-for-all
+++ b/meta/recipes-devtools/valgrind/valgrind/remove-for-all
@@ -0,0 +1 @@
+none/tests/amd64/fb_test_amd64
-- 2.32.0 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#153860): https://lists.openembedded.org/g/openembedded-core/message/153860 Mute This Topic: https://lists.openembedded.org/mt/84215801/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core] FFmpeg CVE's to be patched
Hello, I am working on back-porting some of the CVE fixes for FFmpeg to oe-core. As there are 36 CVEs to patch (6 patches for master and hardknott and an additional 5 for hardknott), I have attached a list of recent CVEs in FFmpeg so we can avoid duplicating work. I have also included the patch/fix commit hashes for the patching commits and branches/tags that are safe. Please reply here if you are going to work on any of these ffmpeg CVEs. Thanks, Tony Summary,Ticket,Fix/patch commit,Fixed in branches,Fixed in tags,Vulnerable versions Security Advisory - ffmpeg - CVE-2020-22021,https://trac.ffmpeg.org/ticket/8240,7971f62120a55c141ec437aa3f0bacc1c1a3526b, remotes/origin/master,NONE,all Security Advisory - ffmpeg - CVE-2020-22024,https://trac.ffmpeg.org/ticket/8310,723d69f99cd26db9687ed2d24d06afaff624daf3,; remotes/origin/master remotes/origin/release/4.3 remotes/origin/release/4.4","n4.3 n4.3.1 n4.3.2 n4.4 n4.4-dev n4.5-dev",4.2 and below Security Advisory - ffmpeg - CVE-2020-20448,https://trac.ffmpeg.org/ticket/7990,8802e329c8317ca5ceb929df48a23eb0f9e852b2,; remotes/origin/master remotes/origin/release/4.3 remotes/origin/release/4.4","n4.3 n4.3.1 n4.3.2 n4.4 n4.4-dev n4.5-dev",4.2 and below Security Advisory - ffmpeg - CVE-2020-22022,https://trac.ffmpeg.org/ticket/8264,07050d7bdc32d82e53ee5bb727f5882323d00dba,; remotes/origin/master remotes/origin/release/4.3 remotes/origin/release/4.4","n4.3 n4.3.1 n4.3.2 n4.4 n4.4-dev n4.5-dev",4.2 and below Security Advisory - ffmpeg - CVE-2020-22033,"Duplicate of CVE-2020-22019 https://trac.ffmpeg.org/ticket/8246",82ad1b76751bcfad5005440db48c46a4de5d6f02, remotes/origin/master ,NONE,all Security Advisory - ffmpeg - CVE-2020-22035,https://trac.ffmpeg.org/ticket/8262,0749082eb93ea02fa4b770da86597450cec84054,; remotes/origin/master remotes/origin/release/4.3 remotes/origin/release/4.4","n4.3 n4.3.1 n4.3.2 n4.4 n4.4-dev n4.5-dev",4.2 and below Security Advisory - ffmpeg - 
CVE-2020-22034,https://trac.ffmpeg.org/ticket/8236,1331e001796c656a4a3c770a16121c15ec1db2ac,; remotes/origin/master remotes/origin/release/4.3 remotes/origin/release/4.4","n4.3 n4.3.1 n4.3.2 n4.4 n4.4-dev n4.5-dev",4.2 and below Security Advisory - ffmpeg - CVE-2020-22044,https://trac.ffmpeg.org/ticket/8295,1d479300cbe0522c233b7d51148aea2b29bd29ad,; remotes/origin/master remotes/origin/release/4.3 remotes/origin/release/4.4","n4.3 n4.3.1 n4.3.2 n4.4 n4.4-dev n4.5-dev",4.2 and below Security Advisory - ffmpeg - CVE-2020-20445,"https://trac.ffmpeg.org/ticket/7996 Closed as duplicate of: https://trac.ffmpeg.org/ticket/7980","E4fdeb3fcefeb98f2225f7ccded156fb175959c5 def04022f4a7058f99e669bfd978d431d79aec18 ea56af88956061d700043c5c4b026ac57834b0c8"," remotes/origin/master remotes/origin/release/4.3 remotes/origin/release/4.4","n4.3 n4.3.1 n4.3.2 n4.4 n4.4-dev n4.5-dev",4.2 and below Security Advisory - ffmpeg - CVE-2020-22036,https://trac.ffmpeg.org/ticket/8261,8c3166e1c302c3ba80d9742ae46161c0fa8e2606,; remotes/origin/master remotes/origin/release/4.3 remotes/origin/release/4.4","n4.3 n4.3.1 n4.3.2 n4.4 n4.4-dev n4.5-dev",4.2 and below Security Advisory - ffmpeg - CVE-2020-20453,https://trac.ffmpeg.org/ticket/8003,a7a7f32c8ad0179a1a85d0a8cff35924e6d90be8, remotes/origin/master,NONE,all Security Advisory - ffmpeg - CVE-2020-20450,https://trac.ffmpeg.org/ticket/7993,5400e4a50c61e53e1bc50b3e77201649bbe9c510,; remotes/origin/master remotes/origin/release/4.4","n4.4 n4.5-dev",4.3 and below Security Advisory - ffmpeg - CVE-2020-22037,https://trac.ffmpeg.org/ticket/8281,open,,, Security Advisory - ffmpeg - CVE-2020-21041,https://trac.ffmpeg.org/ticket/7989,5d9f44da460f781a1604d537d0555b78e29438ba,; remotes/origin/master remotes/origin/release/4.4","n4.4 n4.5-dev",4.3 and below Security Advisory - ffmpeg - CVE-2020-22042,https://trac.ffmpeg.org/ticket/8267,426c16d61a9b5056a157a1a2a057a4e4d13eef84,; remotes/origin/master remotes/origin/release/4.4","n4.4 n4.5-dev",4.3 and below 
Security Advisory - ffmpeg - CVE-2020-22030,https://trac.ffmpeg.org/ticket/8276,e1b89c76f66343d1b495165664647317c66764bb,; remotes/origin/master remotes/origin/release/4.3 remotes/origin/release/4.4","n4.3 n4.3.1 n4.3.2 n4.4 n4.4-dev n4.5-dev",4.2 and below Security Advisory - ffmpeg - CVE-2020-22016,https://trac.ffmpeg.org/ticket/8183,58aa0ed8f10753ee90f4a4a1f4f3da803cf7c145,; remotes/origin/master remotes/origin/release/4.3 remotes/origin/release/4.4","n4.3 n4.3.1 n4.3.2 n4.4 n4.4-dev n4.5-dev",4.2 and below Security Advisory - ffmpeg - CVE-2020-22031,https://trac.ffmpeg.org/ticket/8243,0e68e8c93f9068596484ec8ba725586860e06fc8,; remotes/origin/master remotes/origin/release/4.3 remotes/origin/release/4.4","n4.3 n4.3.1 n4.3.2 n4.4 n4.4-dev n4.5-dev",4.2 and below Security Advisory - ffmpeg - CVE-2020-22041,https://trac.ffmpeg.org/ticket/8296,3488e0977c671568731afa12b811adce9d4d807f,; remotes/origin/master remotes/origin/release/4.3
[OE-core] [PATCH] valgrind: Actually install list of non-deterministic ptests
Install list of non-deterministic threaded ptests to be run using taskset to force them to a single core. This commit works with b318944d7, which updated the testing script to run the non-deterministic tests separately but didn't install the list of tests, so these tests were being run without taskset. The taskset_nondeterministic_tests file is the list of tests that will be run separately with taskset, and ignored during the other tests. This is installed to /usr/lib/valgrind/ptest similar to the 2 existing lists for tests to skip on ARM and all architectures. Removed bar_bad and bar_bad_xml to be included separately as they cause issues on non-kvm QEMU instances. See: b318944dd7 valgrind: Improve non-deterministic ptest reliability for more info. Signed-off-by: Tony Tascioglu --- meta/recipes-devtools/valgrind/valgrind/run-ptest | 4 ++-- .../valgrind/valgrind/taskset_nondeterministic_tests | 2 -- meta/recipes-devtools/valgrind/valgrind_3.17.0.bb | 2 ++ 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/meta/recipes-devtools/valgrind/valgrind/run-ptest b/meta/recipes-devtools/valgrind/valgrind/run-ptest index 11050a8312..caeae84d4f 100755 --- a/meta/recipes-devtools/valgrind/valgrind/run-ptest +++ b/meta/recipes-devtools/valgrind/valgrind/run-ptest @@ -34,7 +34,7 @@ fi echo "Run flaky tests using taskset to limit them to a single core." for i in `cat taskset_nondeterministic_tests`; do - taskset 0x0001 perl tests/vg_regtest --valgrind=${VALGRIND_BIN} --valgrind-lib=${VALGRIND_LIBEXECDIR} --yocto-ptest $i 2>&1|tee ${LOG} + taskset 0x0001 perl tests/vg_regtest --valgrind=${VALGRIND_BIN} --valgrind-lib=${VALGRIND_LIBEXECDIR} --yocto-ptest $i 2>&1|tee -a ${LOG} mv $i.vgtest $i.IGNORE done @@ -44,7 +44,7 @@ cd ${VALGRIND_LIB}/ptest && ./tests/vg_regtest \ --valgrind-lib=${VALGRIND_LIBEXECDIR} \ --yocto-ptest \ gdbserver_tests ${TOOLS} ${EXP_TOOLS} \ -2>&1|tee ${LOG} +2>&1|tee -a ${LOG} cd ${VALGRIND_LIB}/ptest && \ ./tests/post_regtest_checks $(pwd) \ 
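Review bot: With both `tee` calls switched to `tee -a ${LOG}`, nothing in the visible hunks truncates the log any more, so unless the script clears ${LOG} before the taskset loop (outside these hunks) a second run on the same target appends to stale results. A `: > ${LOG}` ahead of the loop would make the reset explicit. The loop also reads its list with `cat taskset_nondeterministic_tests`, and a missing file makes it run zero tests without failing, which is the situation this commit repairs; a guard such as `[ -r taskset_nondeterministic_tests ] || echo "WARNING: taskset_nondeterministic_tests not installed"` would make a regression visible. The second run-ptest hunk carries the same `tee -a` change.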
diff --git a/meta/recipes-devtools/valgrind/valgrind/taskset_nondeterministic_tests b/meta/recipes-devtools/valgrind/valgrind/taskset_nondeterministic_tests index cf073fa927..e15100ade7 100644 --- a/meta/recipes-devtools/valgrind/valgrind/taskset_nondeterministic_tests +++ b/meta/recipes-devtools/valgrind/valgrind/taskset_nondeterministic_tests @@ -1,4 +1,2 @@ helgrind/tests/hg05_race2 helgrind/tests/tc09_bad_unlock -drd/tests/bar_bad -drd/tests/bar_bad_xml diff --git a/meta/recipes-devtools/valgrind/valgrind_3.17.0.bb b/meta/recipes-devtools/valgrind/valgrind_3.17.0.bb index 7fcb086789..60b248681e 100644 --- a/meta/recipes-devtools/valgrind/valgrind_3.17.0.bb +++ b/meta/recipes-devtools/valgrind/valgrind_3.17.0.bb @@ -18,6 +18,7 @@ SRC_URI = "https://sourceware.org/pub/valgrind/valgrind-${PV}.tar.bz2 \ file://run-ptest \ file://remove-for-aarch64 \ file://remove-for-all \ + file://taskset_nondeterministic_tests \ file://0004-Fix-out-of-tree-builds.patch \ file://0005-Modify-vg_test-wrapper-to-support-PTEST-formats.patch \ file://0001-Remove-tests-that-fail-to-build-on-some-PPC32-config.patch \ @@ -187,6 +188,7 @@ do_install_ptest() { cp ${B}/config.h ${D}${PTEST_PATH} install -D ${WORKDIR}/remove-for-aarch64 ${D}${PTEST_PATH} install -D ${WORKDIR}/remove-for-all ${D}${PTEST_PATH} +install -D ${WORKDIR}/taskset_nondeterministic_tests ${D}${PTEST_PATH} # Add an executable need by none/tests/bigcode mkdir ${D}${PTEST_PATH}/perf -- 2.29.2 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#152992): https://lists.openembedded.org/g/openembedded-core/message/152992 Mute This Topic: https://lists.openembedded.org/mt/83557504/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [PATCH] valgrind: remove buggy ptest from arm64
This commit removes the stack_changes ptest from aarch64 devices. This test is buggy and fails almost 100% of the time in qemuarm64. In general, many of the valgrind tests are more likely to fail on qemuarm64 vs native x86_64. This test previously worked on gatesgarth and dunfell, but has been failing since hardknott. It might be due to a recent change in the cross-compiler or glibc. The test runs fine when running natively on arm on a Raspberry Pi. Until we can find the root cause for the failures, this shorter term solution should clear up some of the noise from the autobuilder from a known failure. Signed-off-by: Tony Tascioglu
---
 meta/recipes-devtools/valgrind/valgrind/remove-for-aarch64 | 1 + 1 file changed, 1 insertion(+)
diff --git a/meta/recipes-devtools/valgrind/valgrind/remove-for-aarch64 b/meta/recipes-devtools/valgrind/valgrind/remove-for-aarch64
index a3a0c6e50f..b4fc8af333 100644
--- a/meta/recipes-devtools/valgrind/valgrind/remove-for-aarch64
+++ b/meta/recipes-devtools/valgrind/valgrind/remove-for-aarch64
@@ -235,3 +235,4 @@ memcheck/tests/wrapmalloc
 memcheck/tests/wrapmallocstatic
 memcheck/tests/writev1
 memcheck/tests/xml1
+memcheck/tests/linux/stack_changes
-- 2.29.2 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#152867): https://lists.openembedded.org/g/openembedded-core/message/152867 Mute This Topic: https://lists.openembedded.org/mt/83466599/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [PATCH] valgrind: Improve non-deterministic ptest reliability
Several of the valgrind tests (particularly helgrind) are unreliable and can fail with a different output. Particularly, there is a higher chance of failure on QEMU instances with SMP enabled and on systems with more interrupts such as laptops on powersave. The tests have been reported upstream as being unreliable dating back over 5 years, due in part to the ordering of threads during an "unwinding" process in helgrind. https://bugs.kde.org/show_bug.cgi?id=345121 https://bugs.kde.org/show_bug.cgi?id=430321 A workaround to improve the reliability of such tests is to force them to run on a single CPU core using taskset. This greatly reduces the chance of a failure. From my testing, I have found it can help reduce the rate of failures on both a laptop and QEMU by over 5x. Stress-testing in QEMU for several hours did not result in a failure while running the test normally did. The flaky or non-deterministic thread-based tests are defined in the taskset_nondeterministic_tests file. These test cases will be run with taskset 0x0001 to run on a single CPU core rather than in the regular test run. The edited run-ptest executes the flaky tests first, then ignores them to not duplicate the results from the main tests. Everything modified is restored when testing is complete. The drawback is that this isn't a foolproof solution. It helps the tests fail much less frequently, and considering how this issue has been documented for a long time, a workaround such as this is needed. Signed-off-by: Tony Tascioglu --- meta/recipes-devtools/valgrind/valgrind/run-ptest| 12 .../valgrind/valgrind/taskset_nondeterministic_tests | 4 2 files changed, 16 insertions(+) create mode 100644 meta/recipes-devtools/valgrind/valgrind/taskset_nondeterministic_tests diff --git a/meta/recipes-devtools/valgrind/valgrind/run-ptest b/meta/recipes-devtools/valgrind/valgrind/run-ptest index 60d243276b..11050a8312 100755 --- a/meta/recipes-devtools/valgrind/valgrind/run-ptest 
+++ b/meta/recipes-devtools/valgrind/valgrind/run-ptest @@ -32,6 +32,13 @@ if [ "$arch" = "aarch64" ]; then done fi +echo "Run flaky tests using taskset to limit them to a single core." +for i in `cat taskset_nondeterministic_tests`; do + taskset 0x0001 perl tests/vg_regtest --valgrind=${VALGRIND_BIN} --valgrind-lib=${VALGRIND_LIBEXECDIR} --yocto-ptest $i 2>&1|tee ${LOG} + mv $i.vgtest $i.IGNORE +done + + cd ${VALGRIND_LIB}/ptest && ./tests/vg_regtest \ --valgrind=${VALGRIND_BIN} \ --valgrind-lib=${VALGRIND_LIBEXECDIR} \ @@ -56,6 +63,11 @@ for i in `cat remove-for-all`; do mv $i.IGNORE $i.vgtest; done +echo "Restore flaky and other non-deterministic tests" +for i in `cat taskset_nondeterministic_tests`; do + mv $i.IGNORE $i.vgtest; +done + echo "Failed test details..." failed_tests=`grep FAIL: ${LOG} | awk '{print $2}'` for test in $failed_tests; do diff --git a/meta/recipes-devtools/valgrind/valgrind/taskset_nondeterministic_tests b/meta/recipes-devtools/valgrind/valgrind/taskset_nondeterministic_tests new file mode 100644 index 00..cf073fa927 --- /dev/null +++ b/meta/recipes-devtools/valgrind/valgrind/taskset_nondeterministic_tests @@ -0,0 +1,4 @@ +helgrind/tests/hg05_race2 +helgrind/tests/tc09_bad_unlock +drd/tests/bar_bad +drd/tests/bar_bad_xml -- 2.29.2 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#152662): https://lists.openembedded.org/g/openembedded-core/message/152662 Mute This Topic: https://lists.openembedded.org/mt/83309370/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
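Review bot: Each pass of the new taskset loop pipes into `tee ${LOG}` without `-a`, so every iteration overwrites the output of the previous one, and the main vg_regtest run that follows (its `tee` is outside this hunk) presumably overwrites the log once more. Failures from the pinned tests would then never reach the `grep FAIL: ${LOG}` summary visible at the end of the second hunk; `2>&1|tee -a ${LOG}` in the loop and on the main run keeps them. The `mv $i.vgtest $i.IGNORE` and restore pair also leaves tests renamed if the script is interrupted between the two loops, so a `trap` that performs the restore would be safer.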
[OE-core] [hardknott][PATCH 2/2] libxml2: Fix CVE-2021-3541
Upstream commit: This is related to parameter entities expansion and following the line of the billion laugh attack. Somehow in that path the counting of parameters was missed and the normal algorithm based on entities "density" was useless. CVE: CVE-2021-3541 Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/8598060bacada41a0eb09d95c97744ff4e428f8e] Signed-off-by: Tony Tascioglu --- .../libxml/libxml2/CVE-2021-3541.patch| 73 +++ meta/recipes-core/libxml/libxml2_2.9.10.bb| 1 + 2 files changed, 74 insertions(+) create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2021-3541.patch diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3541.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3541.patch new file mode 100644 index 00..3b86278ac4 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3541.patch 
@@ -0,0 +1,73 @@ +From 8598060bacada41a0eb09d95c97744ff4e428f8e Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Thu, 13 May 2021 14:55:12 +0200 +Subject: [PATCH] Patch for security issue CVE-2021-3541 + +This is relapted to parameter entities expansion and following +the line of the billion laugh attack. Somehow in that path the +counting of parameters was missed and the normal algorithm based +on entities "density" was useless. + +CVE: CVE-2021-3541 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/8598060bacada41a0eb09d95c97744ff4e428f8e] + +Signed-off-by: Tony Tascioglu + +--- + parser.c | 26 ++ + 1 file changed, 26 insertions(+) + +diff --git a/parser.c b/parser.c +index f5e5e169..c9312fa4 100644 +--- a/parser.c b/parser.c +@@ -140,6 +140,7 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, + xmlEntityPtr ent, size_t replacement) + { + size_t consumed = 0; ++int i; + + if ((ctxt == NULL) || (ctxt->options & XML_PARSE_HUGE)) + return (0); +@@ -177,6 +178,28 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, + rep = NULL; + } + } ++ ++/* ++ * Prevent entity exponential check, not just replacement while ++ * parsing the DTD ++ * The check is potentially costly so do that only once in a thousand ++ */ ++if ((ctxt->instate == XML_PARSER_DTD) && (ctxt->nbentities > 1) && ++(ctxt->nbentities % 1024 == 0)) { ++ for (i = 0;i < ctxt->inputNr;i++) { ++ consumed += ctxt->inputTab[i]->consumed + ++ (ctxt->inputTab[i]->cur - ctxt->inputTab[i]->base); ++ } ++ if (ctxt->nbentities > consumed * XML_PARSER_NON_LINEAR) { ++ xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL); ++ ctxt->instate = XML_PARSER_EOF; ++ return (1); ++ } ++ consumed = 0; ++} ++ ++ ++ + if (replacement != 0) { + if (replacement < XML_MAX_TEXT_LENGTH) + return(0); +@@ -7963,6 +7986,9 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt) + xmlChar start[4]; + xmlCharEncoding enc; + ++ if (xmlParserEntityCheck(ctxt, 0, entity, 0)) ++ return; ++ + if ((entity->etype == 
XML_EXTERNAL_PARAMETER_ENTITY) && + ((ctxt->options & XML_PARSE_NOENT) == 0) && + ((ctxt->options & XML_PARSE_DTDVALID) == 0) && +-- +2.25.1 + diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb index a9bff74b55..ce4f9a3340 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.10.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb @@ -29,6 +29,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \ file://CVE-2021-3518-0001.patch \ file://CVE-2021-3518-0002.patch \ file://CVE-2021-3537.patch \ + file://CVE-2021-3541.patch \ " SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5" -- 2.29.2 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#152108): https://lists.openembedded.org/g/openembedded-core/message/152108 Mute This Topic: https://lists.openembedded.org/mt/82973298/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
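Review bot: The added DTD check in xmlParserEntityCheck runs only when `ctxt->nbentities % 1024 == 0`, so it depends on the counter landing exactly on a multiple of 1024 at the moment of the call. The updates to nbentities are outside these hunks; if any of them advances the counter by more than one, it can step over the multiples and the check is skipped, which is worth confirming against those call sites. The early return on `ctxt->options & XML_PARSE_HUGE` in the context lines also means callers that set that option get no protection from this patch, and the new comment should say so. Its first line would read more clearly as `Detect exponential entity growth while parsing the DTD, not just oversized replacements`. Both patched functions continue outside the hunks.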
[OE-core] [hardknott][PATCH 1/2] libxml2: Fix CVE-2021-3518
This patch fixes CVE-2021-3518. The fix for the CVE is the following 3 lines in 1098c30a: - (cur->children->type != XML_ENTITY_DECL) && - (cur->children->type != XML_XINCLUDE_START) && - (cur->children->type != XML_XINCLUDE_END)) { + ((cur->type == XML_DOCUMENT_NODE) || +(cur->type == XML_ELEMENT_NODE))) { This relies on an updated version of xinclude.c from upstream which also adds several new tests. Those changes are brought in first so that the CVE patch can be applied cleanly. The first patch updates xinclude.c and adds the new tests from upstream, and the second applies the fix for the CVE. CVE: CVE-2021-3518 Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/1098c30a040e72a4654968547f415be4e4c40fe7] Signed-off-by: Tony Tascioglu --- .../libxml/libxml2/CVE-2021-3518-0001.patch | 216 ++ .../libxml/libxml2/CVE-2021-3518-0002.patch | 45 meta/recipes-core/libxml/libxml2_2.9.10.bb| 2 + 3 files changed, 263 insertions(+) create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2021-3518-0001.patch create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2021-3518-0002.patch diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3518-0001.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3518-0001.patch new file mode 100644 index 00..3d4d3a0237 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3518-0001.patch 
@@ -0,0 +1,216 @@ +From 0f9817c75b50a77c6aeb8f36801966fdadad229a Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Wed, 10 Jun 2020 16:34:52 +0200 +Subject: [PATCH 1/2] Don't recurse into xi:include children in + xmlXIncludeDoProcess + +Otherwise, nested xi:include nodes might result in a use-after-free +if XML_PARSE_NOXINCNODE is specified. + +Found with libFuzzer and ASan. + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/0f9817c75b50a77c6aeb8f36801966fdadad229a] +CVE: CVE-2021-3518 + +This patch brings in the necessary files to allow the 2nd patch that fixes the CVE to be applied. + +Signed-off-by: Ovidiu Panait +Signed-off-by: Tony Tascioglu +--- + result/XInclude/fallback3.xml | 8 + result/XInclude/fallback3.xml.err | 0 + result/XInclude/fallback3.xml.rdr | 25 + + result/XInclude/fallback4.xml | 10 ++ + result/XInclude/fallback4.xml.err | 0 + result/XInclude/fallback4.xml.rdr | 29 + + test/XInclude/docs/fallback3.xml | 9 + + test/XInclude/docs/fallback4.xml | 7 +++ + xinclude.c| 24 ++-- + 9 files changed, 98 insertions(+), 14 deletions(-) + create mode 100644 result/XInclude/fallback3.xml + create mode 100644 result/XInclude/fallback3.xml.err + create mode 100644 result/XInclude/fallback3.xml.rdr + create mode 100644 result/XInclude/fallback4.xml + create mode 100644 result/XInclude/fallback4.xml.err + create mode 100644 result/XInclude/fallback4.xml.rdr + create mode 100644 test/XInclude/docs/fallback3.xml + create mode 100644 test/XInclude/docs/fallback4.xml + +diff --git a/result/XInclude/fallback3.xml b/result/XInclude/fallback3.xml +new file mode 100644 +index 000..b423551 +--- /dev/null b/result/XInclude/fallback3.xml +@@ -0,0 +1,8 @@ ++ ++ ++ ++something ++really ++simple ++ ++ +diff --git a/result/XInclude/fallback3.xml.err b/result/XInclude/fallback3.xml.err +new file mode 100644 +index 000..e69de29 +diff --git a/result/XInclude/fallback3.xml.rdr b/result/XInclude/fallback3.xml.rdr +new file mode 100644 +index 
000..aa2f137 +--- /dev/null b/result/XInclude/fallback3.xml.rdr +@@ -0,0 +1,25 @@ ++0 1 a 0 0 ++1 14 #text 0 1 ++ ++1 1 doc 0 0 ++2 14 #text 0 1 ++ ++2 1 p 0 0 ++3 3 #text 0 1 something ++2 15 p 0 0 ++2 14 #text 0 1 ++ ++2 1 p 0 0 ++3 3 #text 0 1 really ++2 15 p 0 0 ++2 14 #text 0 1 ++ ++2 1 p 0 0 ++3 3 #text 0 1 simple ++2 15 p 0 0 ++2 14 #text 0 1 ++ ++1 15 doc 0 0 ++1 14 #text 0 1 ++ ++0 15 a 0 0 +diff --git a/result/XInclude/fallback4.xml b/result/XInclude/fallback4.xml +new file mode 100644 +index 000..9883fd5 +--- /dev/null b/result/XInclude/fallback4.xml +@@ -0,0 +1,10 @@ ++ ++ ++ ++ ++something ++really ++simple ++ ++ ++ +diff --git a/result/XInclude/fallback4.xml.err b/result/XInclude/fallback4.xml.err +new file mode 100644 +index 000..e69de29 +diff --git a/result/XInclude/fallback4.xml.rdr b/result/XInclude/fallback4.xml.rdr +new file mode 100644 +index 000..628b951 +--- /dev/null b/result/XInclude/fallback4.xml.rdr +@@ -0,0 +1,29 @@ ++0 1 a 0 0 ++1 14 #text 0 1 ++ ++1 14 #text 0 1 ++ ++1 1 doc 0 0 ++2 14 #text 0 1 ++ ++2 1 p 0 0 ++3 3 #text 0 1 something ++2 15 p 0 0 ++2 14 #text 0 1 ++ ++2 1 p 0 0 ++3 3 #text 0 1 really ++2 15 p 0 0 ++2 14 #text 0 1 ++ ++2 1 p
[OE-core] [PATCH] libxml2: Update to 2.9.12
Drop CVE patches which are fixed by the new upstream version. Modify conflicting patches to apply to the new versions: libxml2/libxml-m4-use-pkgconfig.patch libxml2/0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch Drop fix-python39, which is merged upstream. Removed hunk for tstLastError.py from libxml2/0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch since it has been fixed upstream by: 8c3e52e: Updated python/tests/tstLastError.py libxml2.registerErrorHandler(None,None): None is not acceptable as first argument failUnlessEqual replaced by assertEqual The checksums for the licence file changed because a typo was fixed across the files. The licence remains the same. The obsolete MD5 checksums for the tar files have been dropped in favor of SHA256. The new release also adds fuzz tests, which are removed from the makefile to allow the ptests to run. Fuzz testing is done upstream and there is no need to run them as part of ptests which are intended for functionality testing. Signed-off-by: Tony Tascioglu --- ...he-python-tests-if-python-is-enabled.patch | 34 +++ .../libxml/libxml2/CVE-2019-20388.patch | 37 .../libxml/libxml2/CVE-2020-24977.patch | 41 .../libxml/libxml2/CVE-2020-7595.patch| 36 --- .../libxml/libxml2/fix-python39.patch | 94 --- .../libxml2/libxml-m4-use-pkgconfig.patch | 35 --- .../libxml2/remove-fuzz-from-ptests.patch | 43 + .../{libxml2_2.9.10.bb => libxml2_2.9.12.bb} | 15 +-- 8 files changed, 81 insertions(+), 254 deletions(-) delete mode 100644 meta/recipes-core/libxml/libxml2/CVE-2019-20388.patch delete mode 100644 meta/recipes-core/libxml/libxml2/CVE-2020-24977.patch delete mode 100644 meta/recipes-core/libxml/libxml2/CVE-2020-7595.patch delete mode 100644 meta/recipes-core/libxml/libxml2/fix-python39.patch create mode 100644 meta/recipes-core/libxml/libxml2/remove-fuzz-from-ptests.patch rename meta/recipes-core/libxml/{libxml2_2.9.10.bb => libxml2_2.9.12.bb} (87%) 
diff --git a/meta/recipes-core/libxml/libxml2/0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch b/meta/recipes-core/libxml/libxml2/0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch index 5e9a0a506b..69b848e09a 100644 --- a/meta/recipes-core/libxml/libxml2/0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch +++ b/meta/recipes-core/libxml/libxml2/0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch @@ -1,4 +1,4 @@ -From 2b5fb416aa275fd2a17a0139a2f783998bcb42cc Mon Sep 17 00:00:00 2001 +From ea1993d1d9a18c5e61b9cb271892b0a48f508d32 Mon Sep 17 00:00:00 2001 From: Peter Kjellerstedt Date: Fri, 9 Jun 2017 17:50:46 +0200 Subject: [PATCH] Make ptest run the python tests if python is enabled @@ -8,16 +8,14 @@ be due to the fact that the tests are forced to run with Python 3. Upstream-Status: Inappropriate [OE specific] Signed-off-by: Peter Kjellerstedt - --- - Makefile.am | 2 +- - python/Makefile.am | 9 + - python/tests/Makefile.am | 10 ++ - python/tests/tstLastError.py | 2 +- - 4 files changed, 21 insertions(+), 2 deletions(-) + Makefile.am | 2 +- + python/Makefile.am | 9 + + python/tests/Makefile.am | 10 ++ + 3 files changed, 20 insertions(+), 1 deletion(-) diff --git a/Makefile.am b/Makefile.am -index ae62274..bd1e425 100644 +index b428452b..dc18d6dd 100644 --- a/Makefile.am +++ b/Makefile.am @@ -203,9 +203,9 @@ install-ptest: @@ -32,7 +30,7 @@ index ae62274..bd1e425 100644 runtests: runtest$(EXEEXT) testrecurse$(EXEEXT) testapi$(EXEEXT) \ testchar$(EXEEXT) testdict$(EXEEXT) runxmlconf$(EXEEXT) diff --git a/python/Makefile.am b/python/Makefile.am -index 34aed96..ba3ec6a 100644 +index 34aed96c..ba3ec6a4 100644 --- a/python/Makefile.am +++ b/python/Makefile.am @@ -48,7 +48,16 @@ GENERATED = libxml2class.py libxml2class.txt $(BUILT_SOURCES) @@ -53,7 +51,7 @@ index 34aed96..ba3ec6a 100644 tests test: all cd tests && $(MAKE) tests 
diff --git a/python/tests/Makefile.am b/python/tests/Makefile.am -index 227e24d..021bb29 100644 +index 227e24df..3568c2d2 100644 --- a/python/tests/Makefile.am +++ b/python/tests/Makefile.am @@ -59,6 +59,11 @@ XMLS= \ @@ -83,16 +81,6 @@ index 227e24d..021bb29 100644 + tests: endif -diff --git a/python/tests/tstLastError.py b/python/tests/tstLastError.py -index 81d0acc..162c8db 100755 a/python/tests/tstLastError.py -+++ b/python/tests/tstLastError.py -@@ -25,7 +25,7 @@ class TestCase(unittest.TestCase): - when the exception is raised, check the libxml2.lastError for - expected values.""" - # disable the default error handler --libxml2.registerErrorHandler(None,None) -+libxml2.registerErrorHandler(lambda ctx,str: None,None) - try: - f(*args) -
[OE-core] [PATCH 2/2] libxml2: Add bash dependency for ptests.
Before, running ptests on core-image-minimal would result in an error due to missing /bin/bash: [ -d test ] || ln -s ../libxml2-2.9.10/test . make: /bin/bash: No such file or directory make: *** [Makefile:2105: runtests] Error 127 Changing the Makefile to use /bin/sh results in some of the tests failing, so I have added the missing dependancy on bash. Signed-off-by: Tony Tascioglu --- meta/recipes-core/libxml/libxml2_2.9.10.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb index 07ae68610c..858ee0c66a 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.10.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb @@ -43,7 +43,7 @@ inherit autotools pkgconfig binconfig-disabled ptest inherit ${@bb.utils.contains('PACKAGECONFIG', 'python', 'python3native', '', d)} -RDEPENDS_${PN}-ptest += "make ${@bb.utils.contains('PACKAGECONFIG', 'python', 'libgcc python3-core python3-logging python3-shell python3-stringold python3-threading python3-unittest ${PN}-python', '', d)}" +RDEPENDS_${PN}-ptest += "bash make ${@bb.utils.contains('PACKAGECONFIG', 'python', 'libgcc python3-core python3-logging python3-shell python3-stringold python3-threading python3-unittest ${PN}-python', '', d)}" RDEPENDS_${PN}-python += "${@bb.utils.contains('PACKAGECONFIG', 'python', 'python3-core', '', d)}" -- 2.29.2
[OE-core] [PATCH 1/2] libxml2: Reformat runtest.patch
Reformatted runtest.patch to allow it to be applied using git am. This makes it easier to apply the series of patches to the original git repo. There are no changes to the code of the patch other than the reformat. Previously, the patch claimed to be a backport, but I have not found an upstream commit so I've changed the Upstream-Status to pending. Signed-off-by: Tony Tascioglu --- .../recipes-core/libxml/libxml2/runtest.patch | 45 ++- 1 file changed, 25 insertions(+), 20 deletions(-) diff --git a/meta/recipes-core/libxml/libxml2/runtest.patch b/meta/recipes-core/libxml/libxml2/runtest.patch index 0dbb353c0f..c7a90cd3dc 100644 --- a/meta/recipes-core/libxml/libxml2/runtest.patch +++ b/meta/recipes-core/libxml/libxml2/runtest.patch @@ -1,28 +1,33 @@ -Add 'install-ptest' rule. Print a standard result line for -each test. +From 6172ccd1e74bc181f5298f19e240234e12876abe Mon Sep 17 00:00:00 2001 +From: Tony Tascioglu +Date: Tue, 11 May 2021 11:57:46 -0400 +Subject: [PATCH] Add 'install-ptest' rule. + +Print a standard result line for each test. Signed-off-by: Mihaela Sendrea Signed-off-by: Andrej Valek -Upstream-Status: Backport +Upstream-Status: Pending Signed-off-by: Hongxu Jia +Signed-off-by: Tony Tascioglu --- - Makefile.am | 9 + Makefile.am | 9 +++ runsuite.c| 1 + runtest.c | 2 + runxmlconf.c | 1 + - testapi.c | 122 ++--- - testchar.c| 156 +- + testapi.c | 122 ++- + testchar.c| 156 +++--- testdict.c| 1 + testlimits.c | 1 + testrecurse.c | 2 + 9 files changed, 210 insertions(+), 85 deletions(-) diff --git a/Makefile.am b/Makefile.am -index 9c630be..7cfd04b 100644 +index 05d1671f..ae622745 100644 --- a/Makefile.am +++ b/Makefile.am -@@ -202,6 +202,15 @@ runxmlconf_LDADD= $(LDADDS) +@@ -198,6 +198,15 @@ runxmlconf_LDADD= $(LDADDS) #testOOM_DEPENDENCIES = $(DEPS) #testOOM_LDADD= $(LDADDS) @@ -39,10 +44,10 @@ index 9c630be..7cfd04b 100644 testchar$(EXEEXT) testdict$(EXEEXT) runxmlconf$(EXEEXT) [ -d test ] || $(LN_S) $(srcdir)/test . 
diff --git a/runsuite.c b/runsuite.c -index aaab13e..9ba2c5d 100644 +index d24b5ec3..f7ff2521 100644 --- a/runsuite.c +++ b/runsuite.c -@@ -1162,6 +1162,7 @@ main(int argc ATTRIBUTE_UNUSED, char **argv ATTRIBUTE_UNUSED) { +@@ -1147,6 +1147,7 @@ main(int argc ATTRIBUTE_UNUSED, char **argv ATTRIBUTE_UNUSED) { if (logfile != NULL) fclose(logfile); @@ -51,10 +56,10 @@ index aaab13e..9ba2c5d 100644 } #else /* !SCHEMAS */ diff --git a/runtest.c b/runtest.c -index addda5c..8ba5d59 100644 +index ffa98d04..470f95cb 100644 --- a/runtest.c +++ b/runtest.c -@@ -4501,6 +4501,7 @@ launchTests(testDescPtr tst) { +@@ -4508,6 +4508,7 @@ launchTests(testDescPtr tst) { xmlCharEncCloseFunc(ebcdicHandler); xmlCharEncCloseFunc(eucJpHandler); @@ -62,7 +67,7 @@ index addda5c..8ba5d59 100644 return(err); } -@@ -4577,6 +4578,7 @@ main(int argc ATTRIBUTE_UNUSED, char **argv ATTRIBUTE_UNUSED) { +@@ -4588,6 +4589,7 @@ main(int argc ATTRIBUTE_UNUSED, char **argv ATTRIBUTE_UNUSED) { xmlCleanupParser(); xmlMemoryDump(); @@ -71,7 +76,7 @@ index addda5c..8ba5d59 100644 } diff --git a/runxmlconf.c b/runxmlconf.c -index cef20f4..4f291fb 100644 +index 70f61017..e882b3a1 100644 --- a/runxmlconf.c +++ b/runxmlconf.c @@ -595,6 +595,7 @@ main(int argc ATTRIBUTE_UNUSED, char **argv ATTRIBUTE_UNUSED) { @@ -83,7 +88,7 @@ index cef20f4..4f291fb 100644 } diff --git a/testapi.c b/testapi.c -index 4a751e2..7ccc066 100644 +index ff8b470d..52b51d78 100644 --- a/testapi.c +++ b/testapi.c @@ -1246,49 +1246,91 @@ static int @@ -219,7 +224,7 @@ index 4a751e2..7ccc066 100644 } diff --git a/testchar.c b/testchar.c -index 0d08792..f555d3b 100644 +index 6866a175..7bce0132 100644 --- a/testchar.c +++ b/testchar.c @@ -23,7 +23,7 @@ static void errorHandler(void *unused, xmlErrorPtr err) { @@ -797,7 +802,7 @@ index 0d08792..f555d3b 100644 /* * Cleanup function for the XML library. diff --git a/testdict.c b/testdict.c -index 40bebd0..114b934 100644 +index 40bebd05..114b9347 100644 --- a/testdict.c +++ b/testdict.c 
@@ -440,5 +440,6 @@ int main(void) @@ -808,7 +813,7 @@ index 40bebd0..114b934 100644 return(ret); } diff --git a/testlimits.c b/testlimits.c -index 68c94db..1584434 100644 +index 059116a6..f0bee68d 100644 --- a/testlimits.c +++ b/testlimits.c @@ -1634,5 +1634,6 @@ main(int argc ATTRIBUTE_UNUSED, char **argv ATTRIBUTE_UNUSED) { @@ -819,7 +824,7 @@ index 68c94db..1584434 100644 return(ret); } diff --git a/testrecurse.c b/testrecurse.c -index f95ae1c..74c8f8b 100644 +index 0cbe25a6..3ecadb40 100644 --- a/testrecurse.c +++ b/testrecurse.c @@ -892,6 +892,7 @@ launchTests(testDescPtr
Re: [OE-core] [hardknott][PATCH 1/3] libxml2: fix CVE-2021-3517
Hello, These patches are only going to hardknott, and upstream released a new version yesterday that we can use for the master branch. The CVE fixes are present in the new version, and these patches backport those fixes for libxml version 2.9.10 in hardknott. I am working on the uprev to 2.9.12, and will send it to master once tested. Thanks, Tony -Original Message- From: openembedded-core@lists.openembedded.org On Behalf Of Tony Tascioglu Sent: Friday, May 14, 2021 9:15 AM To: openembedded-core@lists.openembedded.org Cc: MacLeod, Randy ; Tascioglu, Tony Subject: [OE-core] [hardknott][PATCH 1/3] libxml2: fix CVE-2021-3517 Fixes heap-based buffer overflow in xmlEncodeEntitiesInternal() in entities.c CVE: CVE-2021-3517 Upstream-status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2] Signed-off-by: Tony Tascioglu --- .../libxml/libxml2/CVE-2021-3517.patch| 54 +++ meta/recipes-core/libxml/libxml2_2.9.10.bb| 1 + 2 files changed, 55 insertions(+) create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2021-3517.patch diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3517.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3517.patch new file mode 100644 index 00..b6204f655a --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3517.patch 
@@ -0,0 +1,54 @@ +From df3de1376585f7a273d70023f92a530395957324 Mon Sep 17 00:00:00 2001 +From: Joel Hockey +Date: Sun, 16 Aug 2020 17:19:35 -0700 +Subject: [PATCH 1/3] Validate UTF8 in xmlEncodeEntities + +Code is currently assuming UTF-8 without validating. Truncated UTF-8 +input can cause out-of-bounds array access. + +Adds further checks to partial fix in 50f06b3e. + +Fixes #178 + +CVE: CVE-2021-3517 +Upstream-Status: Backport +[https://gitlab.gnome.org/GNOME/libxml2/-/commit/bf22713507fe1fc3a2c4b5 +25cf0a88c2dc87a3a2] + +Signed-off-by: Tony Tascioglu +--- + entities.c | 16 +++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/entities.c b/entities.c +index d575e9d1..7cdbc4de 100644 +--- a/entities.c b/entities.c +@@ -666,11 +666,25 @@ xmlEncodeEntitiesInternal(xmlDocPtr doc, const xmlChar *input, int attr) { + } else { + /* +* We assume we have UTF-8 input. ++ * It must match either: ++ * 110x 10xx ++ * 1110 10xx 10xx ++ * 0xxx 10xx 10xx 10xx ++ * That is: ++ * cur[0] is 11xx ++ * cur[1] is 10xx ++ * cur[2] is 10xx if cur[0] is 111x ++ * cur[3] is 10xx if cur[0] is ++ * cur[0] is not 1xxx +*/ + char buf[11], *ptr; + int val = 0, l = 1; + +- if (*cur < 0xC0) { ++ if (((cur[0] & 0xC0) != 0xC0) || ++ ((cur[1] & 0xC0) != 0x80) || ++ (((cur[0] & 0xE0) == 0xE0) && ((cur[2] & 0xC0) != 0x80)) || ++ (((cur[0] & 0xF0) == 0xF0) && ((cur[3] & 0xC0) != 0x80)) || ++ (((cur[0] & 0xF8) == 0xF8))) { + xmlEntitiesErr(XML_CHECK_NOT_UTF8, + "xmlEncodeEntities: input not UTF-8"); + if (doc != NULL) +-- +2.25.1 + diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb index 07ae68610c..ad612379b3 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.10.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb 
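Review bot: The new `if` in xmlEncodeEntitiesInternal reads `cur[1]`, `cur[2]` and `cur[3]` with no length to check against, and it stays in bounds only because the clauses run left to right and a terminating NUL is rejected by the `(cur[n] & 0xC0) != 0x80` clause before the next index is read. Nothing in the hunk states that dependence on `||` short-circuit order and on NUL-terminated input, so a later reordering of the clauses could bring the out-of-bounds read back; a comment above the condition such as `/* order matters: a NUL fails the 10xxxxxx test, so no byte past the terminator is read */` would record it. The bit patterns in the added block comment appear shortened in this posting (the four-byte form is shown as `0xxx 10xx 10xx 10xx`), so check them against the upstream commit named in Upstream-Status when applying. The same hunk appears again in the original posting of this patch lower on the page, and the function body starts and ends outside the hunk.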
@@ -24,6 +24,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \ file://CVE-2019-20388.patch \ file://CVE-2020-24977.patch \ file://fix-python39.patch \ + file://CVE-2021-3517.patch \ " SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5" -- 2.29.2
[OE-core] [hardknott][PATCH 1/3] libxml2: fix CVE-2021-3517
Fixes heap-based buffer overflow in xmlEncodeEntitiesInternal() in entities.c CVE: CVE-2021-3517 Upstream-status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2] Signed-off-by: Tony Tascioglu --- .../libxml/libxml2/CVE-2021-3517.patch| 54 +++ meta/recipes-core/libxml/libxml2_2.9.10.bb| 1 + 2 files changed, 55 insertions(+) create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2021-3517.patch diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3517.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3517.patch new file mode 100644 index 00..b6204f655a --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3517.patch 
@@ -0,0 +1,54 @@ +From df3de1376585f7a273d70023f92a530395957324 Mon Sep 17 00:00:00 2001 +From: Joel Hockey +Date: Sun, 16 Aug 2020 17:19:35 -0700 +Subject: [PATCH 1/3] Validate UTF8 in xmlEncodeEntities + +Code is currently assuming UTF-8 without validating. Truncated UTF-8 +input can cause out-of-bounds array access. + +Adds further checks to partial fix in 50f06b3e. + +Fixes #178 + +CVE: CVE-2021-3517 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2] + +Signed-off-by: Tony Tascioglu +--- + entities.c | 16 +++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/entities.c b/entities.c +index d575e9d1..7cdbc4de 100644 +--- a/entities.c b/entities.c +@@ -666,11 +666,25 @@ xmlEncodeEntitiesInternal(xmlDocPtr doc, const xmlChar *input, int attr) { + } else { + /* +* We assume we have UTF-8 input. ++ * It must match either: ++ * 110x 10xx ++ * 1110 10xx 10xx ++ * 0xxx 10xx 10xx 10xx ++ * That is: ++ * cur[0] is 11xx ++ * cur[1] is 10xx ++ * cur[2] is 10xx if cur[0] is 111x ++ * cur[3] is 10xx if cur[0] is ++ * cur[0] is not 1xxx +*/ + char buf[11], *ptr; + int val = 0, l = 1; + +- if (*cur < 0xC0) { ++ if (((cur[0] & 0xC0) != 0xC0) || ++ ((cur[1] & 0xC0) != 0x80) || ++ (((cur[0] & 0xE0) == 0xE0) && ((cur[2] & 0xC0) != 0x80)) || ++ (((cur[0] & 0xF0) == 0xF0) && ((cur[3] & 0xC0) != 0x80)) || ++ (((cur[0] & 0xF8) == 0xF8))) { + xmlEntitiesErr(XML_CHECK_NOT_UTF8, + "xmlEncodeEntities: input not UTF-8"); + if (doc != NULL) +-- +2.25.1 + diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb index 07ae68610c..ad612379b3 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.10.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb 
@@ -24,6 +24,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \ file://CVE-2019-20388.patch \ file://CVE-2020-24977.patch \ file://fix-python39.patch \ + file://CVE-2021-3517.patch \ " SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5" -- 2.29.2
[OE-core] [hardknott][PATCH 2/3] libxml2: fix CVE-2021-3516
Fixes use-after-free in xmlEncodeEntitiesInternal() in entities.c CVE: CVE-2021-3516 Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/1358d157d0bd83be1dfe356a69213df9fac0b539] Signed-off-by: Tony Tascioglu --- .../libxml/libxml2/CVE-2021-3516.patch| 36 +++ meta/recipes-core/libxml/libxml2_2.9.10.bb| 1 + 2 files changed, 37 insertions(+) create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2021-3516.patch diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3516.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3516.patch new file mode 100644 index 00..287a171924 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3516.patch @@ -0,0 +1,36 @@ +From b76718876953e11bbd73dc6c9457323fd5aeda2e Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Wed, 21 Apr 2021 13:23:27 +0200 +Subject: [PATCH 2/3] Fix use-after-free with `xmllint --html --push` + +Call htmlCtxtUseOptions to make sure that names aren't stored in +dictionaries. + +Note that this issue only affects xmllint using the HTML push parser. + +Fixes #230. + +CVE: CVE-2021-3516 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/1358d157d0bd83be1dfe356a69213df9fac0b539] + +Signed-off-by: Tony Tascioglu +--- + xmllint.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/xmllint.c b/xmllint.c +index c0712674..ba66676b 100644 +--- a/xmllint.c b/xmllint.c +@@ -2204,7 +2204,7 @@ static void parseAndPrintFile(char *filename, xmlParserCtxtPtr rectxt) { + if (res > 0) { + ctxt = htmlCreatePushParserCtxt(NULL, NULL, + chars, res, filename, XML_CHAR_ENCODING_NONE); +-xmlCtxtUseOptions(ctxt, options); ++htmlCtxtUseOptions(ctxt, options); + while ((res = fread(chars, 1, pushsize, f)) > 0) { + htmlParseChunk(ctxt, chars, res, 0); + } +-- +2.25.1 + diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb index ad612379b3..6f1229c2d0 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.10.bb 
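Review bot: The one-token change from `xmlCtxtUseOptions` to `htmlCtxtUseOptions` in parseAndPrintFile carries no comment, so a later refresh of xmllint.c could revert it without anyone noticing that it is the CVE-2021-3516 fix. A line above the call such as `/* HTML push context: htmlCtxtUseOptions keeps names out of the dictionary */`, which restates the reason given in the patch description, would make that visible. In the lines shown, `ctxt` from `htmlCreatePushParserCtxt` is also passed on without a NULL check and the return value of `htmlCtxtUseOptions` is ignored; whether either is handled elsewhere cannot be seen, because the function continues outside the hunk.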
+++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb @@ -25,6 +25,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \ file://CVE-2020-24977.patch \ file://fix-python39.patch \ file://CVE-2021-3517.patch \ + file://CVE-2021-3516.patch \ " SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5" -- 2.29.2
[OE-core] [hardknott][PATCH 3/3] libxml2: fix CVE-2021-3537
Parsing specially crafted Mixed Content while parsing XML data may lead to invalid data structure being created, as errors were not propagated. This could lead to several NULL Pointer Dereference when post-validating documents parsed in recovery mode. CVE: CVE-2021-3537 Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/babe75030c7f64a37826bb3342317134568bef61] Signed-off-by: Tony Tascioglu --- .../libxml/libxml2/CVE-2021-3537.patch| 49 +++ meta/recipes-core/libxml/libxml2_2.9.10.bb| 1 + 2 files changed, 50 insertions(+) create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2021-3537.patch diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3537.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3537.patch new file mode 100644 index 00..defbe7867b --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3537.patch 
@@ -0,0 +1,49 @@ +From 5ae9c39401f679648301efa6d2d35e09cc376462 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sat, 1 May 2021 16:53:33 +0200 +Subject: [PATCH 3/3] Propagate error in xmlParseElementChildrenContentDeclPriv + +Check return value of recursive calls to +xmlParseElementChildrenContentDeclPriv and return immediately in case +of errors. Otherwise, struct xmlElementContent could contain unexpected +null pointers, leading to a null deref when post-validating documents +which aren't well-formed and parsed in recovery mode. + +Fixes #243. + +CVE: CVE-2021-3537 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/babe75030c7f64a37826bb3342317134568bef61] + +Signed-off-by: Tony Tascioglu +--- + parser.c | 7 +++ + 1 file changed, 7 insertions(+) + +diff --git a/parser.c b/parser.c +index a34bb6cd..bbcff39f 100644 +--- a/parser.c b/parser.c +@@ -6195,6 +6195,8 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk, + SKIP_BLANKS; + cur = ret = xmlParseElementChildrenContentDeclPriv(ctxt, inputid, +depth + 1); ++if (cur == NULL) ++return(NULL); + SKIP_BLANKS; + GROW; + } else { +@@ -6328,6 +6330,11 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk, + SKIP_BLANKS; + last = xmlParseElementChildrenContentDeclPriv(ctxt, inputid, + depth + 1); ++if (last == NULL) { ++ if (ret != NULL) ++ xmlFreeDocElementContent(ctxt->myDoc, ret); ++ return(NULL); ++} + SKIP_BLANKS; + } else { + elem = xmlParseName(ctxt); +-- +2.25.1 + diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb index 6f1229c2d0..b850164285 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.10.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb 
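Review bot: The two added error paths in xmlParseElementChildrenContentDeclPriv clean up differently, and neither hunk says why: the first returns NULL straight away, while the second frees `ret` before returning. The first is leak-free only because `cur` and `ret` were just assigned the same failed result, which a short comment such as `/* ret is NULL here too, nothing to free */` would make explicit. In the second, the `if (ret != NULL)` guard appears redundant if xmlFreeDocElementContent tolerates a NULL argument, which should be confirmed before simplifying it. The function body starts and ends outside both hunks.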
@@ -26,6 +26,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \ file://fix-python39.patch \ file://CVE-2021-3517.patch \ file://CVE-2021-3516.patch \ + file://CVE-2021-3537.patch \ " SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5" -- 2.29.2