Re: [oe] [meta-oe][kirkstone][PATCH] ntfs-3g-ntfsprogs: Upgrade 2022.5.17 to 2022.10.3
Hi OpenEmbedded-Devel Team,

I am writing to inquire about the status of the patch mentioned in the mail below that I submitted to OpenEmbedded-Devel and when it is expected to be integrated.

Thanks & Regards,
Sana Kazi
KPIT Technologies Limited

From: openembedded-devel@lists.openembedded.org on behalf of sana kazi via lists.openembedded.org
Sent: Thursday, September 7, 2023 12:26 PM
To: openembedded-devel@lists.openembedded.org
Cc: sanakazis...@gmail.com
Subject: [oe] [meta-oe][kirkstone][PATCH] ntfs-3g-ntfsprogs: Upgrade 2022.5.17 to 2022.10.3

From: Omkar Patil

Changes:
Rejected zero-sized runs
Avoided merging runlists with no runs
Fix CVE-2022-40284

Dunfell and master both have the latest version of ntfs-3g-ntfsprogs, 2022.10.3. Therefore, upgrade the version on kirkstone too.

Signed-off-by: Omkar Patil
Signed-off-by: Khem Raj
(cherry picked from commit 5d5e8854718dab02c2737e3faf288f830a514841)
Signed-off-by: Sana Kazi
---
 ...3g-ntfsprogs_2022.5.17.bb => ntfs-3g-ntfsprogs_2022.10.3.bb} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/{ntfs-3g-ntfsprogs_2022.5.17.bb => ntfs-3g-ntfsprogs_2022.10.3.bb} (95%)

diff --git a/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2022.5.17.bb b/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2022.10.3.bb
similarity index 95%
rename from meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2022.5.17.bb
rename to meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2022.10.3.bb
index b29716ad4..37a8106bb 100644
--- a/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2022.5.17.bb
+++ b/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2022.10.3.bb
@@ -10,7 +10,7 @@ SRC_URI = "https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Ftuxera.com%2Fopensource%2Fntfs-3g_ntfsprogs-%24=05%7C01%7CSana.Kazi%40kpit.com%7C15f74e1dcecf44faeac808dbaf6fba8e%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C63829670807254%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C=uGwpKtNULV3O3fyr8gynGij4JHzOF0h%2F%2FoNyDqBAHSI%3D=0{PV}.tgz \ file://0001-libntfs-3g-Makefile.am-fix-install-failed-while-host.patch \ " S = "${WORKDIR}/ntfs-3g_ntfsprogs-${PV}" -SRC_URI[sha256sum] = "0489fbb6972581e1b417ab578d543f6ae522e7fa648c3c9b49c789510fd5eb93" +SRC_URI[sha256sum] = "f20e36ee68074b845e3629e6bced4706ad053804cbaf062fbae60738f854170c" UPSTREAM_CHECK_URI = "https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.tuxera.com%2Fcommunity%2Fopen-source-ntfs-3g%2F=05%7C01%7CSana.Kazi%40kpit.com%7C15f74e1dcecf44faeac808dbaf6fba8e%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C63829670807254%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C=y4lfjW6VN8Go8vwIPGapbXmgcYNR%2BKTkY%2BuzFjYKyeA%3D=0<https://www.tuxera.com/community/open-source-ntfs-3g/>" UPSTREAM_CHECK_REGEX = "ntfs-3g_ntfsprogs-(?P\d+(\.\d+)+)\.tgz" -- 2.25.1
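Review bot: the context lines of this hunk carry SRC_URI and UPSTREAM_CHECK_URI as https://apc01.safelinks.protection.outlook.com/... wrappers around the tuxera.com URLs instead of the plain URLs, and UPSTREAM_CHECK_REGEX reads "ntfs-3g_ntfsprogs-(?P\d+(\.\d+)+)\.tgz" with no group name after ?P; whether the mail client rewrote the patch or the archive mangled it, this context will not match the kirkstone recipe and the patch will not apply, so please resend it with git send-email so the context is byte-identical to the tree. The only functional change is the SRC_URI[sha256sum] swap from 0489fbb6... to f20e36ee..., so the reviewer should confirm the new checksum against a fresh download of ntfs-3g_ntfsprogs-2022.10.3.tgz, and the commit message would help cve-check readers if it named the upstream change that addresses CVE-2022-40284 rather than only the CVE id.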
[oe] [meta-oe][dunfell][PATCH] openjpeg: Whitelist CVE-2020-27844 and CVE-2015-1239
From: Sana Kazi

Whitelist CVE-2020-27844 as it is introduced by https://github.com/uclouvain/openjpeg/commit/4edb8c83374f52cd6a8f2c7c875e8ffacccb5fa5 but the contents of this patch are not present in openjpeg_2.3.1.
Link: https://security-tracker.debian.org/tracker/CVE-2020-27844

Whitelist CVE-2015-1239 as the CVE description clearly states that the j2k_read_ppm_v3 function in openjpeg is affected due to CVE-2015-1239 but in openjpeg_2.3.1 this function is not present. Hence, CVE-2015-1239 does not affect openjpeg_2.3.1.

Signed-off-by: Sana.Kazi
Signed-off-by: Sana Kazi
---
 .../recipes-graphics/openjpeg/openjpeg_2.3.1.bb | 14 ++
 1 file changed, 14 insertions(+)

diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.3.1.bb b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.3.1.bb
index 218dc911fe..9cf513f3f7 100644
--- a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.3.1.bb
+++ b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.3.1.bb
@@ -33,3 +33,17 @@ inherit cmake EXTRA_OECMAKE += "-DOPENJPEG_INSTALL_LIB_DIR=${@d.getVar('baselib').replace('/', '')}" FILES_${PN} += "${libdir}/openjpeg*" + +# This flaw is introduced by +# https://github.com/uclouvain/openjpeg/commit/4edb8c83374f52cd6a8f2c7c875e8ffacccb5fa5 +# but the contents of this patch is not present in openjpeg_2.3.1 +# Hence, it can be whitelisted. +# https://security-tracker.debian.org/tracker/CVE-2020-27844 + +CVE_CHECK_WHITELIST += "CVE-2020-27844" + +# The CVE description clearly states that j2k_read_ppm_v3 function in openjpeg +# is affected due to CVE-2015-1239 but in openjpeg_2.3.1 this function is not present. +# Hence, CVE-2015-1239 does not affect openjpeg_2.3.1 + +CVE_CHECK_WHITELIST += "CVE-2015-1239" -- 2.17.1
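Review bot: the CVE-2015-1239 comment justifies the whitelist only by the absence of j2k_read_ppm_v3 in openjpeg_2.3.1; a function can be renamed while the flaw it contained survives, so the comment should cite the affected version range from the advisory or the upstream fix rather than the function name alone, the same way the CVE-2020-27844 entry links the Debian tracker. In the first comment, "the contents of this patch is not present" should read "are not present". Two separate CVE_CHECK_WHITELIST += lines are fine since each carries its own justification, but keep the comment directly above the line it justifies so later readers do not separate them.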
[oe] [meta-oe][dunfell][PATCH] openjpeg: Fix multiple CVE
Add patches to fix the CVEs below:
CVE-2019-12973
CVE-2020-15389
CVE-2020-27814
CVE-2020-27823
CVE-2020-27824
CVE-2020-27841
CVE-2020-27842
CVE-2020-27843
CVE-2020-27845

Signed-off-by: Virendra Thakur
Signed-off-by: Sana Kazi
---
 .../openjpeg/openjpeg/CVE-2019-12973-1.patch | 72 ++
 .../openjpeg/openjpeg/CVE-2019-12973-2.patch | 86 +++
 .../openjpeg/openjpeg/CVE-2020-15389.patch | 43
 .../openjpeg/openjpeg/CVE-2020-27814-1.patch | 29 +++
 .../openjpeg/openjpeg/CVE-2020-27814-2.patch | 27 ++
 .../openjpeg/openjpeg/CVE-2020-27814-3.patch | 30 +++
 .../openjpeg/openjpeg/CVE-2020-27814-4.patch | 27 ++
 .../openjpeg/openjpeg/CVE-2020-27823.patch | 29 +++
 .../openjpeg/openjpeg/CVE-2020-27824.patch | 24 ++
 .../openjpeg/openjpeg/CVE-2020-27841.patch | 238 ++
 .../openjpeg/openjpeg/CVE-2020-27842.patch | 31 +++
 .../openjpeg/openjpeg/CVE-2020-27843.patch | 31 +++
 .../openjpeg/openjpeg/CVE-2020-27845.patch | 74 ++
 .../openjpeg/openjpeg_2.3.1.bb | 13 +
 14 files changed, 754 insertions(+)
 create mode 100644 meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2019-12973-1.patch
 create mode 100644 meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2019-12973-2.patch
 create mode 100644 meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-15389.patch
 create mode 100644 meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-1.patch
 create mode 100644 meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-2.patch
 create mode 100644 meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-3.patch
 create mode 100644 meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-4.patch
 create mode 100644 meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27823.patch
 create mode 100644 meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27824.patch
 create mode 100644 meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27841.patch
 create mode 100644 meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27842.patch
 create mode 100644 meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27843.patch
 create mode 100644 meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27845.patch
diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2019-12973-1.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2019-12973-1.patch new file mode 100644 index 00..98988e686e --- /dev/null +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2019-12973-1.patch 
@@ -0,0 +1,72 @@ +From 21399f6b7d318fcdf4406d5e88723c4922202aa3 Mon Sep 17 00:00:00 2001 +From: Young Xiao +Date: Sat, 16 Mar 2019 19:57:27 +0800 +Subject: [PATCH] convertbmp: detect invalid file dimensions early + +width/length dimensions read from bmp headers are not necessarily +valid. For instance they may have been maliciously set to very large +values with the intention to cause DoS (large memory allocation, stack +overflow). In these cases we want to detect the invalid size as early +as possible. + +This commit introduces a counter which verifies that the number of +written bytes corresponds to the advertized width/length. + +See commit 8ee335227bbc for details. + +Signed-off-by: Young Xiao + +Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz] +CVE: CVE-2019-12973 +Signed-off-by: Virendra Thakur +--- + src/bin/jp2/convertbmp.c | 10 -- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c +index 0af52f816..ec34f535b 100644 +--- a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c +@@ -622,13 +622,13 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData, + static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, +OPJ_UINT32 stride, OPJ_UINT32 width, OPJ_UINT32 height) + { +-OPJ_UINT32 x, y; ++OPJ_UINT32 x, y, written; + OPJ_UINT8 *pix; + const OPJ_UINT8 *beyond; + + beyond = pData + stride * height; + pix = pData; +-x = y = 0U; ++x = y = written = 0U; + while (y < height) { + int c = getc(IN); + if (c == EOF) { +@@ -642,6 +642,7 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, + for (j = 0; (j < c) && (x < width) && + ((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) { + *pix = (OPJ_UINT8)((j & 1) ? 
(c1 & 0x0fU) : ((c1 >> 4) & 0x0fU)); ++written++; + } + } else { /* absolute mode */ + c = getc(IN); +@@ -671,6 +672,7 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, + c1 = (OPJ_UINT8)getc(IN); + } + *pix = (OPJ_UINT8)((j & 1) ? (c1 & 0x0fU) : ((c1 >> 4) & 0x0fU)); ++written++; +
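Review bot: the CVE-2019-12973-1 hunk adds a written counter to bmp_read_rle4_data() and increments it in both the RLE branch and the absolute-mode branch, but the comparison of written against the advertised width and height, which the patch description says is the purpose of the change, is cut off in this archive right after the second written++, so the reviewer needs the full patch file to confirm the final check exists and also that bmp_read_rle8_data(), which appears only as context in the @@ -622 header, gets the same treatment. The Upstream-Status line points at the Ubuntu debian tarball even though the patch header already carries upstream commit 21399f6b7d318fcdf4406d5e88723c4922202aa3; link that commit in the openjpeg repository instead so the backport can be diffed against upstream.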
[oe] [meta-oe][dunfell][PATCH] protobuf: Fix CVE-2021-22570
Fix CVE-2021-22570.

Link: https://koji.fedoraproject.org/koji/buildinfo?buildID=1916865
Link: https://src.fedoraproject.org/rpms/protobuf/blob/394beeacb500861f76473d47e10314e6a3600810/f/CVE-2021-22570.patch

Removed the first and second hunks because the second argument of the InsertIfNotPresent() function is of type const char* const&, but the first and second hunks make the type of the second argument const string, which is not compatible with the type of the second argument of InsertIfNotPresent().

Signed-off-by: Sana Kazi
Signed-off-by: Sana Kazi
---
 .../protobuf/protobuf/CVE-2021-22570.patch | 64 +++
 .../protobuf/protobuf_3.11.4.bb | 1 +
 2 files changed, 65 insertions(+)
 create mode 100644 meta-oe/recipes-devtools/protobuf/protobuf/CVE-2021-22570.patch

diff --git a/meta-oe/recipes-devtools/protobuf/protobuf/CVE-2021-22570.patch b/meta-oe/recipes-devtools/protobuf/protobuf/CVE-2021-22570.patch
new file mode 100644
index 0..be3180181
--- /dev/null
+++ b/meta-oe/recipes-devtools/protobuf/protobuf/CVE-2021-22570.patch
@@ -0,0 +1,64 @@ +CVE: CVE-2021-22570 +Upstream-Status: Backport [https://src.fedoraproject.org/rpms/protobuf/blob/394beeacb500861f76473d47e10314e6a3600810/f/CVE-2021-22570.patch] +Comment: Removed first and second hunk +Signed-off-by: Sana.Kazi + +diff --git a/src/google/protobuf/descriptor.cc b/src/google/protobuf/descriptor.cc +index 7af37c57f3..03c4e2b516 100644 +--- a/src/google/protobuf/descriptor.cc b/src/google/protobuf/descriptor.cc +@@ -2626,6 +2626,8 @@ void Descriptor::DebugString(int depth, std::string* contents, + const Descriptor::ReservedRange* range = reserved_range(i); + if (range->end == range->start + 1) { + strings::SubstituteAndAppend(contents, "$0, ", range->start); ++ } else if (range->end > FieldDescriptor::kMaxNumber) { ++strings::SubstituteAndAppend(contents, "$0 to max, ", range->start); + } else { + strings::SubstituteAndAppend(contents, "$0 to $1, ", range->start, + range->end - 1); +@@ -2829,6 +2831,8 @@ void EnumDescriptor::DebugString( + const EnumDescriptor::ReservedRange* range = reserved_range(i); + if (range->end == range->start) { + strings::SubstituteAndAppend(contents, "$0, ", range->start); ++ } else if (range->end == INT_MAX) { ++strings::SubstituteAndAppend(contents, "$0 to max, ", range->start); + } else { + strings::SubstituteAndAppend(contents, "$0 to $1, ", range->start, + range->end); +@@ -4019,6 +4023,11 @@ bool DescriptorBuilder::AddSymbol(const std::string& full_name, + // Use its file as the parent instead. 
+ if (parent == nullptr) parent = file_; + ++ if (full_name.find('\0') != std::string::npos) { ++AddError(full_name, proto, DescriptorPool::ErrorCollector::NAME, ++ "\"" + full_name + "\" contains null character."); ++return false; ++ } + if (tables_->AddSymbol(full_name, symbol)) { + if (!file_tables_->AddAliasUnderParent(parent, name, symbol)) { + // This is only possible if there was already an error adding something of +@@ -4059,6 +4068,11 @@ bool DescriptorBuilder::AddSymbol(const std::string& full_name, + void DescriptorBuilder::AddPackage(const std::string& name, +const Message& proto, +const FileDescriptor* file) { ++ if (name.find('\0') != std::string::npos) { ++AddError(name, proto, DescriptorPool::ErrorCollector::NAME, ++ "\"" + name + "\" contains null character."); ++return; ++ } + if (tables_->AddSymbol(name, Symbol(file))) { + // Success. Also add parent package, if any. + std::string::size_type dot_pos = name.find_last_of('.'); +@@ -4372,6 +4386,12 @@ FileDescriptor* DescriptorBuilder::BuildFileImpl( + } + result->pool_ = pool_; + ++ if (result->name().find('\0') != std::string::npos) { ++AddError(result->name(), proto, DescriptorPool::ErrorCollector::NAME, ++ "\"" + result->name() + "\" contains null character."); ++return nullptr; ++ } ++ + // Add to tables. + if (!tables_->AddFile(result)) { + AddError(proto.name(), proto, DescriptorPool::ErrorCollector::OTHER, diff --git a/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb b/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb index d2f22ba6b..55d56ff08 100644 --- a/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb +++ b/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb @@ -17,6 +17,7 @@ SRC_URI = "git://github.com/google/protobuf.git;branch=3.11.x;protocol=https \ file://0001-protobuf-fix-configure-error.patch \
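Review bot: the commit message says the first two hunks of the Fedora patch were dropped because of a const char* const& versus const string mismatch around InsertIfNotPresent(), but neither the message nor the patch header line "Comment: Removed first and second hunk" says what those hunks changed, so a reader cannot tell whether the embedded-NUL checks kept here (in DescriptorBuilder::AddSymbol, AddPackage and BuildFileImpl) are the whole fix for CVE-2021-22570 on 3.11.4 or only part of it; please state what was dropped and why it is not needed on this version, or adapt the dropped hunks to the 3.11.4 signature instead of removing them. The protobuf_3.11.4.bb hunk is cut off in this archive after file://0001-protobuf-fix-configure-error.patch, so the SRC_URI addition of the new patch should be confirmed from the original mail.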
[oe][meta-networking][dunfell][PATCH] netcat: Set CVE_PRODUCT
From: Andre Carvalho

This way yocto cve-check can find open CVEs.

See also: http://lists.openembedded.org/pipermail/openembedded-core/2017-July/139897.html

"Results from cve-check are not very good at the moment. One of the reasons for this is that component names used in CVE database differ from yocto recipe names. This series fixes several of those name mapping problems by setting the CVE_PRODUCT correctly in the recipes. To check this mapping after a build, I'm exporting LICENSE and CVE_PRODUCT variables to buildhistory for recipes and packages."

Value added is based on: https://nvd.nist.gov/products/cpe/search/results?keyword=netcat=FINAL=CPEURI=2.3

Signed-off-by: Andre Carvalho
Signed-off-by: Khem Raj
Signed-off-by: Sana Kazi
Signed-off-by: Sana Kazi
---
 meta-networking/recipes-support/netcat/netcat_0.7.1.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta-networking/recipes-support/netcat/netcat_0.7.1.bb b/meta-networking/recipes-support/netcat/netcat_0.7.1.bb
index 14d743f82..1e113de51 100644
--- a/meta-networking/recipes-support/netcat/netcat_0.7.1.bb
+++ b/meta-networking/recipes-support/netcat/netcat_0.7.1.bb
@@ -16,6 +16,8 @@ SRC_URI[sha256sum] = "b55af0bbdf5acc02d1eb6ab18da2acd77a400bafd074489003f3df0967 inherit autotools +CVE_PRODUCT = "netcat_project:netcat" + do_install_append() { install -d ${D}${bindir} mv ${D}${bindir}/nc ${D}${bindir}/nc.${BPN} -- 2.17.1
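Review bot: the NVD search URL cited as the source of the value has lost its query separators (keyword=netcat=FINAL=CPEURI=2.3), so the lookup cannot be reproduced from the commit message; quote the matched CPE entry itself (vendor netcat_project, product netcat) so the vendor:product choice in CVE_PRODUCT = "netcat_project:netcat" can be checked without re-running the search, and say whether NVD lists any other vendor for this netcat so the reviewer knows a second CVE_PRODUCT entry is not needed. The hunk itself is fine: the assignment sits between inherit autotools and do_install_append() with a blank line on each side, matching the surrounding style.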
Re: [oe][meta-oe][dunfell][PATCH] nss: Fix CVE-2021-43527
Hi,

Could you please review the below patch?

Regards,
Sana Kazi

On Thu, 16 Dec 2021 at 16:23, Sana Kazi wrote:
> Add patch to fix CVE-2021-43527 which causes heap overflow in nss.
>
> Signed-off-by: Sana Kazi
> Signed-off-by: Sana Kazi
> ---
> .../nss/nss/CVE-2021-43527.patch | 283 ++
> meta-oe/recipes-support/nss/nss_3.51.1.bb | 1 +
> 2 files changed, 284 insertions(+)
> create mode 100644 meta-oe/recipes-support/nss/nss/CVE-2021-43527.patch
>
> diff --git a/meta-oe/recipes-support/nss/nss/CVE-2021-43527.patch
> b/meta-oe/recipes-support/nss/nss/CVE-2021-43527.patch
> new file mode 100644
> index 0..cf3ea63ca
> --- /dev/null
> +++ b/meta-oe/recipes-support/nss/nss/CVE-2021-43527.patch
> @@ -0,0 +1,283 @@ > +Description: fix heap overflow when verifying DSA/RSA-PSS DER-encoded > signatures > +Origin: Provided by Mozilla > + > +CVE: CVE-2021-43527 > +Upstream-Status: Backport [ > http://archive.ubuntu.com/ubuntu/pool/main/n/nss/nss_3.35-2ubuntu2.13.debian.tar.xz > ] > +Comment: Refreshed hunk 1 and 6 due to fuzz > +Signed-off-by: Sana Kazi > + > +--- a/nss/lib/cryptohi/secvfy.c > b/nss/lib/cryptohi/secvfy.c > +@@ -164,6 +164,37 @@ > + PR_FALSE /*XXX: unsafeAllowMissingParameters*/); > + } > + > ++static unsigned int > ++checkedSignatureLen(const SECKEYPublicKey *pubk) > ++{ > ++unsigned int sigLen = SECKEY_SignatureLen(pubk); > ++if (sigLen == 0) { > ++/* Error set by SECKEY_SignatureLen */ > ++return sigLen; > ++} > ++unsigned int maxSigLen; > ++switch (pubk->keyType) { > ++case rsaKey: > ++case rsaPssKey: > ++maxSigLen = (RSA_MAX_MODULUS_BITS + 7) / 8; > ++break; > ++case dsaKey: > ++maxSigLen = DSA_MAX_SIGNATURE_LEN; > ++break; > ++case ecKey: > ++maxSigLen = 2 * MAX_ECKEY_LEN; > ++break; > ++default: > ++PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); > ++return 0; > ++} > ++if (sigLen > maxSigLen) { > ++PORT_SetError(SEC_ERROR_INVALID_KEY); > ++return 0; > ++} > ++return sigLen; > ++} > ++ > + /* > + * decode the ECDSA or DSA signature from it's DER wrapping. 
> + * The unwrapped/raw signature is placed in the buffer pointed > +@@ -174,38 +205,38 @@ decodeECorDSASignature(SECOidTag algid, > +unsigned int len) > + { > + SECItem *dsasig = NULL; /* also used for ECDSA */ > +-SECStatus rv = SECSuccess; > + > +-if ((algid != SEC_OID_ANSIX9_DSA_SIGNATURE) && > +-(algid != SEC_OID_ANSIX962_EC_PUBLIC_KEY)) { > +-if (sig->len != len) { > +-PORT_SetError(SEC_ERROR_BAD_DER); > +-return SECFailure; > ++/* Safety: Ensure algId is as expected and that signature size is > within maxmimums */ > ++if (algid == SEC_OID_ANSIX9_DSA_SIGNATURE) { > ++if (len > DSA_MAX_SIGNATURE_LEN) { > ++goto loser; > + } > +- > +-PORT_Memcpy(dsig, sig->data, sig->len); > +-return SECSuccess; > +-} > +- > +-if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) { > ++} else if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) { > + if (len > MAX_ECKEY_LEN * 2) { > +-PORT_SetError(SEC_ERROR_BAD_DER); > +-return SECFailure; > ++goto loser; > + } > +-} > +-dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len); > +- > +-if ((dsasig == NULL) || (dsasig->len != len)) { > +-rv = SECFailure; > + } else { > +-PORT_Memcpy(dsig, dsasig->data, dsasig->len); > ++goto loser; > + } > + > +-if (dsasig != NULL) > ++/* Decode and pad to length */ > ++dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len); > ++if (dsasig == NULL) { > ++goto loser; > ++} > ++if (dsasig->len != len) { > + SECITEM_FreeItem(dsasig, PR_TRUE); > +-if (rv == SECFailure) > +-PORT_SetError(SEC_ERROR_BAD_DER); > +-return rv; > ++goto loser; > ++} > ++ > ++PORT_Memcpy(dsig, dsasig->data, len); > ++SECITEM_FreeItem(dsasig, PR_TRUE); > ++ > ++return SECSuccess; > ++ > ++loser: > ++PORT_SetError(SEC_ERROR_BAD_DER); > ++return SECFailure; > + } > + > + const SEC_ASN1Template hashParameterTemplate[] = > +@@ -231,7 +262,7 @@ SECStatus > + sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg, > + cons
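Review bot: in the decodeECorDSASignature() hunk the rewrite removes the old third path that copied sig->data straight into dsig for any algid other than DSA and EC (after checking sig->len == len); with the new code every other algid reaches goto loser and returns SECFailure with SEC_ERROR_BAD_DER, so please confirm no caller in the nss 3.51.1 tree still routes non-DSA/EC signatures through this function. The patch header line "Comment: Refreshed hunk 1 and 6 due to fuzz" should say what the refresh changed so the backport can be compared line by line with the Mozilla fix, and since the quoted patch is cut off here in the middle of sec_DecodeSigAlg(), the full 283-line file needs to be reviewed from the original mail.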
[oe][meta-oe][dunfell][PATCH] nss: Fix CVE-2021-43527
Add patch to fix CVE-2021-43527 which causes heap overflow in nss.

Signed-off-by: Sana Kazi
Signed-off-by: Sana Kazi
---
 .../nss/nss/CVE-2021-43527.patch | 283 ++
 meta-oe/recipes-support/nss/nss_3.51.1.bb | 1 +
 2 files changed, 284 insertions(+)
 create mode 100644 meta-oe/recipes-support/nss/nss/CVE-2021-43527.patch

diff --git a/meta-oe/recipes-support/nss/nss/CVE-2021-43527.patch b/meta-oe/recipes-support/nss/nss/CVE-2021-43527.patch
new file mode 100644
index 0..cf3ea63ca
--- /dev/null
+++ b/meta-oe/recipes-support/nss/nss/CVE-2021-43527.patch
@@ -0,0 +1,283 @@ +Description: fix heap overflow when verifying DSA/RSA-PSS DER-encoded signatures +Origin: Provided by Mozilla + +CVE: CVE-2021-43527 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/n/nss/nss_3.35-2ubuntu2.13.debian.tar.xz] +Comment: Refreshed hunk 1 and 6 due to fuzz +Signed-off-by: Sana Kazi + +--- a/nss/lib/cryptohi/secvfy.c b/nss/lib/cryptohi/secvfy.c +@@ -164,6 +164,37 @@ + PR_FALSE /*XXX: unsafeAllowMissingParameters*/); + } + ++static unsigned int ++checkedSignatureLen(const SECKEYPublicKey *pubk) ++{ ++unsigned int sigLen = SECKEY_SignatureLen(pubk); ++if (sigLen == 0) { ++/* Error set by SECKEY_SignatureLen */ ++return sigLen; ++} ++unsigned int maxSigLen; ++switch (pubk->keyType) { ++case rsaKey: ++case rsaPssKey: ++maxSigLen = (RSA_MAX_MODULUS_BITS + 7) / 8; ++break; ++case dsaKey: ++maxSigLen = DSA_MAX_SIGNATURE_LEN; ++break; ++case ecKey: ++maxSigLen = 2 * MAX_ECKEY_LEN; ++break; ++default: ++PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); ++return 0; ++} ++if (sigLen > maxSigLen) { ++PORT_SetError(SEC_ERROR_INVALID_KEY); ++return 0; ++} ++return sigLen; ++} ++ + /* + * decode the ECDSA or DSA signature from it's DER wrapping. 
+ * The unwrapped/raw signature is placed in the buffer pointed +@@ -174,38 +205,38 @@ decodeECorDSASignature(SECOidTag algid, +unsigned int len) + { + SECItem *dsasig = NULL; /* also used for ECDSA */ +-SECStatus rv = SECSuccess; + +-if ((algid != SEC_OID_ANSIX9_DSA_SIGNATURE) && +-(algid != SEC_OID_ANSIX962_EC_PUBLIC_KEY)) { +-if (sig->len != len) { +-PORT_SetError(SEC_ERROR_BAD_DER); +-return SECFailure; ++/* Safety: Ensure algId is as expected and that signature size is within maxmimums */ ++if (algid == SEC_OID_ANSIX9_DSA_SIGNATURE) { ++if (len > DSA_MAX_SIGNATURE_LEN) { ++goto loser; + } +- +-PORT_Memcpy(dsig, sig->data, sig->len); +-return SECSuccess; +-} +- +-if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) { ++} else if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) { + if (len > MAX_ECKEY_LEN * 2) { +-PORT_SetError(SEC_ERROR_BAD_DER); +-return SECFailure; ++goto loser; + } +-} +-dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len); +- +-if ((dsasig == NULL) || (dsasig->len != len)) { +-rv = SECFailure; + } else { +-PORT_Memcpy(dsig, dsasig->data, dsasig->len); ++goto loser; + } + +-if (dsasig != NULL) ++/* Decode and pad to length */ ++dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len); ++if (dsasig == NULL) { ++goto loser; ++} ++if (dsasig->len != len) { + SECITEM_FreeItem(dsasig, PR_TRUE); +-if (rv == SECFailure) +-PORT_SetError(SEC_ERROR_BAD_DER); +-return rv; ++goto loser; ++} ++ ++PORT_Memcpy(dsig, dsasig->data, len); ++SECITEM_FreeItem(dsasig, PR_TRUE); ++ ++return SECSuccess; ++ ++loser: ++PORT_SetError(SEC_ERROR_BAD_DER); ++return SECFailure; + } + + const SEC_ASN1Template hashParameterTemplate[] = +@@ -231,7 +262,7 @@ SECStatus + sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg, + const SECItem *param, SECOidTag *encalg, SECOidTag *hashalg) + { +-int len; ++unsigned int len; + PLArenaPool *arena; + SECStatus rv; + SECItem oid; +@@ -458,48 +489,52 @@ vfy_CreateContext(const SECKEYPublicKey + cx->pkcs1RSADigestInfo = NULL; + rv = SECSuccess; 
+ if (sig) { +-switch (type) { +-case rsaKey: +-rv = recoverPKCS1DigestInfo(hashAlg, >hashAlg, +->pkcs1RSADigestInfo, +->pkcs1RSADigestInfoLen, +-cx->key, +-sig, wincx); +-break; +-case rsaPssKey: +-sigLen = SECKEY_SignatureLen(key); +-if (sigLen == 0)
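Review bot: checkedSignatureLen() returns 0 both when SECKEY_SignatureLen() fails and when sigLen exceeds the per-key-type maximum ((RSA_MAX_MODULUS_BITS + 7) / 8 for rsaKey and rsaPssKey, DSA_MAX_SIGNATURE_LEN for dsaKey, 2 * MAX_ECKEY_LEN for ecKey), so every caller must treat 0 as an error rather than as a length; the vfy_CreateContext() hunk where the rsaPssKey case should switch from SECKEY_SignatureLen(key) to checkedSignatureLen(key) is cut off in this archive right after "-if (sigLen == 0)", so confirm the replacement and its error path in the full patch. The rendering also shows ">hashAlg," and ">pkcs1RSADigestInfo," with the "&cx-" prefix missing in the recoverPKCS1DigestInfo() call; that is most likely archive damage, but check the submitted file. The typo "maxmimums" in the added comment comes from the upstream fix and can stay so the hunk keeps matching upstream.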
[oe][meta-networking][dunfell][PATCH 3/3] dovecot: Fix CVE-2020-12674
Added patch for CVE-2020-12674

Link: http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz

Signed-off-by: Sana Kazi
Signed-off-by: Sana Kazi
---
 ...uth-mech-rpa-Fail-on-zero-len-buffer.patch | 30 +++
 .../dovecot/dovecot_2.2.36.4.bb | 1 +
 2 files changed, 31 insertions(+)
 create mode 100644 meta-networking/recipes-support/dovecot/dovecot/0001-auth-mech-rpa-Fail-on-zero-len-buffer.patch

diff --git a/meta-networking/recipes-support/dovecot/dovecot/0001-auth-mech-rpa-Fail-on-zero-len-buffer.patch b/meta-networking/recipes-support/dovecot/dovecot/0001-auth-mech-rpa-Fail-on-zero-len-buffer.patch
new file mode 100644
index 00..5580cd409f
--- /dev/null
+++ b/meta-networking/recipes-support/dovecot/dovecot/0001-auth-mech-rpa-Fail-on-zero-len-buffer.patch
@@ -0,0 +1,30 @@ +From bd9d2fe7da833f0e4705a8280efc56930371806b Mon Sep 17 00:00:00 2001 +From: Aki Tuomi +Date: Wed, 6 May 2020 13:40:36 +0300 +Subject: [PATCH 1/3] auth: mech-rpa - Fail on zero len buffer + +--- + src/auth/mech-rpa.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Signed-off-by: Sana Kazi + +CVE: CVE-2020-12674 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +diff --git a/src/auth/mech-rpa.c b/src/auth/mech-rpa.c +index 08298ebdd6..2de8705b4f 100644 +--- a/src/auth/mech-rpa.c b/src/auth/mech-rpa.c +@@ -224,7 +224,7 @@ rpa_read_buffer(pool_t pool, const unsigned char **data, + return 0; + + len = *p++; +- if (p + len > end) ++ if (p + len > end || len == 0) + return 0; + + *buffer = p_malloc(pool, len); +-- +2.11.0 diff --git a/meta-networking/recipes-support/dovecot/dovecot_2.2.36.4.bb b/meta-networking/recipes-support/dovecot/dovecot_2.2.36.4.bb index e36e51c283..29905196b6 100644 --- a/meta-networking/recipes-support/dovecot/dovecot_2.2.36.4.bb +++ b/meta-networking/recipes-support/dovecot/dovecot_2.2.36.4.bb
@@ -25,6 +25,7 @@ SRC_URI = "http://dovecot.org/releases/2.2/dovecot-${PV}.tar.gz \ file://0013-lib-mail-Fix-parse_too_many_nested_mime_parts.patch \ file://buffer_free_fix.patch \ file://0002-lib-ntlm-Check-buffer-length-on-responses.patch \ + file://0001-auth-mech-rpa-Fail-on-zero-len-buffer.patch \ " SRC_URI[md5sum] = "66c4d71858b214afee5b390ee602dee2" -- 2.17.1
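Review bot: the mech-rpa.c change makes rpa_read_buffer() return 0 on len == 0 before the *buffer = p_malloc(pool, len) call, but neither the backported patch description nor the commit message says what went wrong downstream with a zero-length buffer, and the CVE id alone does not tell a reader why this one-line condition is the fix; add a sentence to the patch header explaining it. The recipe hunk appends the new patch after file://0002-lib-ntlm-Check-buffer-length-on-responses.patch in SRC_URI, so this 3/3 only applies once 2/3 has been merged; keep the series order when applying.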
[oe][meta-networking][dunfell][PATCH 2/3] dovecot: Fix CVE-2020-12673
Added patch for CVE-2020-12673

Link: http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz

Signed-off-by: Sana Kazi
Signed-off-by: Sana Kazi
---
 ...tlm-Check-buffer-length-on-responses.patch | 37 +++
 .../dovecot/dovecot_2.2.36.4.bb | 1 +
 2 files changed, 38 insertions(+)
 create mode 100644 meta-networking/recipes-support/dovecot/dovecot/0002-lib-ntlm-Check-buffer-length-on-responses.patch

diff --git a/meta-networking/recipes-support/dovecot/dovecot/0002-lib-ntlm-Check-buffer-length-on-responses.patch b/meta-networking/recipes-support/dovecot/dovecot/0002-lib-ntlm-Check-buffer-length-on-responses.patch
new file mode 100644
index 00..81aead8aad
--- /dev/null
+++ b/meta-networking/recipes-support/dovecot/dovecot/0002-lib-ntlm-Check-buffer-length-on-responses.patch
@@ -0,0 +1,37 @@ +Backport of: + +From 1c6405d3026e5ceae3d214d63945bba85251af4c Mon Sep 17 00:00:00 2001 +From: Aki Tuomi +Date: Mon, 18 May 2020 12:33:39 +0300 +Subject: [PATCH 2/3] lib-ntlm: Check buffer length on responses + +Add missing check for buffer length. + +If this is not checked, it is possible to send message which +causes read past buffer bug. + +Broken in c7480644202e5451fbed448508ea29a25cffc99c +--- + src/lib-ntlm/ntlm-message.c | 5 + + 1 file changed, 5 insertions(+) + +Signed-off-by: Sana Kazi + +CVE: CVE-2020-12673 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +--- a/src/lib-ntlm/ntlm-message.c b/src/lib-ntlm/ntlm-message.c +@@ -184,6 +184,11 @@ static int ntlmssp_check_buffer(const st + if (length == 0 && space == 0) + return 1; + ++ if (length > data_size) { ++ *error = "buffer length out of bounds"; ++ return 0; ++ } ++ + if (offset >= data_size) { + *error = "buffer offset out of bounds"; + return 0;
diff --git a/meta-networking/recipes-support/dovecot/dovecot_2.2.36.4.bb b/meta-networking/recipes-support/dovecot/dovecot_2.2.36.4.bb index 407604c819..e36e51c283 100644 --- a/meta-networking/recipes-support/dovecot/dovecot_2.2.36.4.bb +++ b/meta-networking/recipes-support/dovecot/dovecot_2.2.36.4.bb @@ -24,6 +24,7 @@ SRC_URI = "http://dovecot.org/releases/2.2/dovecot-${PV}.tar.gz \ file://0012-lib-mail-Fix-handling-trailing-in-MIME-boundaries.patch \ file://0013-lib-mail-Fix-parse_too_many_nested_mime_parts.patch \ file://buffer_free_fix.patch \ + file://0002-lib-ntlm-Check-buffer-length-on-responses.patch \ " SRC_URI[md5sum] = "66c4d71858b214afee5b390ee602dee2" -- 2.17.1
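Review bot: the new check in ntlmssp_check_buffer() rejects length > data_size and the existing one rejects offset >= data_size, but the visible lines contain no check that offset + length stays within data_size; both individual checks can pass while the described buffer still extends past the end of the data, so confirm that the rest of the function (not shown in this hunk) carries the combined bound, otherwise the read-past-buffer the patch description mentions is only partly closed. The Upstream-Status line should also name upstream commit 1c6405d3026e5ceae3d214d63945bba85251af4c, which the patch header already records, instead of only the Ubuntu tarball.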
[oe][meta-networking][dunfell][PATCH 1/3] dovecot: Fix CVE-2020-12100
Added patches to fix CVE-2020-12100

Link: http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz

Signed-off-by: Sana Kazi
Signed-off-by: Sana Kazi
---
 ...-parser-Add-a-message_part_finish-he.patch | 76 +++
 ...-parser-Change-message_part_append-t.patch | 71 +++
 ...-parser-Optimize-updating-children_c.patch | 49 +
 ...-parser-Optimize-appending-new-part-.patch | 88
 ...-parser-Minor-code-cleanup-to-findin.patch | 45 +
 ...-parser-Truncate-excessively-long-MI.patch | 163 +++
 ...-parser-Optimize-boundary-lookups-wh.patch | 72 +++
 ...-parser-Add-boundary_remove_until-he.patch | 50 +
 ...-parser-Don-t-use-memory-pool-for-pa.patch | 169
 ...-parser-Support-limiting-max-number-.patch | 188 ++
 ...-parser-Support-limiting-max-number-.patch | 87
 ...handling-trailing-in-MIME-boundaries.patch | 133 +
 ...Fix-parse_too_many_nested_mime_parts.patch | 32 +++
 .../dovecot/dovecot/buffer_free_fix.patch | 27 +++
 .../dovecot/dovecot_2.2.36.4.bb | 14 ++
 15 files changed, 1264 insertions(+)
 create mode 100644 meta-networking/recipes-support/dovecot/dovecot/0001-lib-mail-message-parser-Add-a-message_part_finish-he.patch
 create mode 100644 meta-networking/recipes-support/dovecot/dovecot/0002-lib-mail-message-parser-Change-message_part_append-t.patch
 create mode 100644 meta-networking/recipes-support/dovecot/dovecot/0003-lib-mail-message-parser-Optimize-updating-children_c.patch
 create mode 100644 meta-networking/recipes-support/dovecot/dovecot/0004-lib-mail-message-parser-Optimize-appending-new-part-.patch
 create mode 100644 meta-networking/recipes-support/dovecot/dovecot/0005-lib-mail-message-parser-Minor-code-cleanup-to-findin.patch
 create mode 100644 meta-networking/recipes-support/dovecot/dovecot/0006-lib-mail-message-parser-Truncate-excessively-long-MI.patch
 create mode 100644 meta-networking/recipes-support/dovecot/dovecot/0007-lib-mail-message-parser-Optimize-boundary-lookups-wh.patch
 create mode 100644 meta-networking/recipes-support/dovecot/dovecot/0008-lib-mail-message-parser-Add-boundary_remove_until-he.patch
 create mode 100644 meta-networking/recipes-support/dovecot/dovecot/0009-lib-mail-message-parser-Don-t-use-memory-pool-for-pa.patch
 create mode 100644 meta-networking/recipes-support/dovecot/dovecot/0010-lib-mail-message-parser-Support-limiting-max-number-.patch
 create mode 100644 meta-networking/recipes-support/dovecot/dovecot/0011-lib-mail-message-parser-Support-limiting-max-number-.patch
 create mode 100644 meta-networking/recipes-support/dovecot/dovecot/0012-lib-mail-Fix-handling-trailing-in-MIME-boundaries.patch
 create mode 100644 meta-networking/recipes-support/dovecot/dovecot/0013-lib-mail-Fix-parse_too_many_nested_mime_parts.patch
 create mode 100644 meta-networking/recipes-support/dovecot/dovecot/buffer_free_fix.patch

diff --git a/meta-networking/recipes-support/dovecot/dovecot/0001-lib-mail-message-parser-Add-a-message_part_finish-he.patch b/meta-networking/recipes-support/dovecot/dovecot/0001-lib-mail-message-parser-Add-a-message_part_finish-he.patch
new file mode 100644
index 00..583f71ca58
--- /dev/null
+++ b/meta-networking/recipes-support/dovecot/dovecot/0001-lib-mail-message-parser-Add-a-message_part_finish-he.patch
@@ -0,0 +1,76 @@ +From 667d353b0f217372e8cc43ea4fe13466689c7ed0 Mon Sep 17 00:00:00 2001 +From: Timo Sirainen +Date: Thu, 23 Apr 2020 11:33:31 +0300 +Subject: [PATCH 01/13] lib-mail: message-parser - Add a message_part_finish() + helper function + +--- + src/lib-mail/message-parser.c | 25 - + 1 file changed, 12 insertions(+), 13 deletions(-) + +Signed-off-by: Sana Kazi + +CVE: CVE-2020-12100 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c +index b1de1950a..aaa8dd8b7 100644 +--- a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c +@@ -195,6 +195,13 @@ message_part_append(pool_t pool, struct message_part *parent) + return part; + } + ++static void message_part_finish(struct message_parser_ctx *ctx) ++{ ++ message_size_add(>part->parent->body_size, >part->body_size); ++ message_size_add(>part->parent->body_size, >part->header_size); ++ ctx->part = ctx->part->parent; ++} ++ + static void parse_next_body_multipart_init(struct message_parser_ctx *ctx) + { + struct message_boundary *b; +@@ -312,19 +319,16 @@ static int parse_part_finish(struct message_parser_ctx *ctx, +struct message_boundary *boundary, +struct message_block *block_r, bool first_line) + { +- struct message_part *part; + size_t line_size; + +
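Review bot: the two added lines in the `@@ -195,6 +195,13 @@` hunk read `message_size_add(>part->parent->body_size, >part->body_size);`, which is not valid C; the `&ctx-` of `&ctx->part->...` looks to have been swallowed by the archive's HTML rendering, and the inner file header is likewise shown as `+--- a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c` with no `+++` line. Before merging, confirm that the patch file in the actual submission carries `&ctx->part->parent->body_size` / `&ctx->part->body_size` and a proper `+++ b/src/lib-mail/message-parser.c` header, for example by running `bitbake -c patch dovecot` on dunfell, since the copy as rendered here would neither apply nor compile. Separately, `Signed-off-by`, `CVE:`, `Upstream-Status:` and `Comment:` sit below the `---` diffstat separator; `git am` discards everything between `---` and the first `diff` line, so anyone applying the patch that way loses those tags, and the usual meta-openembedded layout puts them above `---`.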
Re: [oe] [meta-networking][meta-oe][master][dunfell][PATCH] mdns: Whitelisted CVE-2007-0613 for mdns
Hi,

It is merged in dunfell but not yet in master. Are you planning to merge it in master?

Thanks & Regards,
Sana Kazi
KPIT Technologies Limited

From: Khem Raj
Sent: Friday, March 19, 2021 10:11 PM
To: Sana Kazi; Openembedded-devel@lists.openembedded.org
Subject: Re: [meta-networking][meta-oe][master][dunfell][PATCH] mdns: Whitelisted CVE-2007-0613 for mdns

Hello Sana

It was in the latest pull from Armin which was merged today, so it should already be in dunfell now. Let us know if not.

On 3/19/21 6:31 AM, Sana Kazi wrote:
> Hi Team,
>
> Could you please review the below patch to be upstreamed for mdns
>
> Thanks & Regards,
>
> Sana Kazi
> KPIT Technologies Limited
>
> ----
> *From:* Sana Kazi
> *Sent:* Tuesday, March 9, 2021 12:06 PM
> *To:* Openembedded-devel@lists.openembedded.org; raj.k...@gmail.com
> *Cc:* Nisha Parrakat; Aditya Tayade; Harpritkaur Bhandari
> *Subject:* [meta-networking][meta-oe][master][dunfell][PATCH] mdns: Whitelisted CVE-2007-0613 for mdns
>
> CVE-2007-0613 is not applicable as it only affects Apple products
> i.e. ichat, mdnsresponder, instant message framework and MacOS.
> Also, https://www.exploit-db.com/exploits/3230 shows the part of code
> affected by CVE-2007-0613 which is not present in upstream source code.
> Hence, CVE-2007-0613 does not affect other Yocto implementations and
> is not reported for other distros, so it can be marked whitelisted.
>
> Links:
> https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613
> https://www.incibe-cert.es/en/early-warning/vulnerabilities/cve-2007-0613
> https://security-tracker.debian.org/tracker/CVE-2007-0613
Re: [oe] [meta-networking][meta-oe][master][dunfell][PATCH] mdns: Whitelisted CVE-2007-0613 for mdns
Hi Team,

Could you please review the below patch to be upstreamed for mdns

Thanks & Regards,
Sana Kazi
KPIT Technologies Limited

From: Sana Kazi
Sent: Tuesday, March 9, 2021 12:06 PM
To: Openembedded-devel@lists.openembedded.org; raj.k...@gmail.com
Cc: Nisha Parrakat; Aditya Tayade; Harpritkaur Bhandari
Subject: [meta-networking][meta-oe][master][dunfell][PATCH] mdns: Whitelisted CVE-2007-0613 for mdns

CVE-2007-0613 is not applicable as it only affects Apple products i.e. ichat, mdnsresponder, instant message framework and MacOS.
Also, https://www.exploit-db.com/exploits/3230 shows the part of code affected by CVE-2007-0613 which is not present in upstream source code.
Hence, CVE-2007-0613 does not affect other Yocto implementations and is not reported for other distros, so it can be marked whitelisted.

Links:
https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613
https://www.incibe-cert.es/en/early-warning/vulnerabilities/cve-2007-0613
https://security-tracker.debian.org/tracker/CVE-2007-0613
https://ubuntu.com/security/CVE-2007-0613
https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613

--- .../recipes-protocols/mdns/mdns_1310.40.42.bb | 13 + 1 file changed, 13 insertions(+) diff --git a/meta-networking/recipes-protocols/mdns/mdns_1310.40.42.bb b/meta-networking/recipes-protocols/mdns/mdns_1310.40.42.bb index 445ed87e4..60bc26bf1 100644 --- a/meta-networking/recipes-protocols/mdns/mdns_1310.40.42.bb +++ b/meta-networking/recipes-protocols/mdns/mdns_1310.40.42.bb
@@ -27,6 +27,19 @@ SRC_URI[sha256sum] = "bea29e1616cd56ccb8f88c0fad2bcdc4031f4deb2d899c793e2f27a838 CVE_PRODUCT = "apple:mdnsresponder" +# CVE-2007-0613 is not applicable as it only affects Apple products +# i.e. ichat,mdnsresponder, instant message framework and MacOS. +# Also, https://www.exploit-db.com/exploits/3230 shows the part of code +# affected by CVE-2007-0613 which is not preset in upstream source code. +# Hence, CVE-2007-0613 does not affect other Yocto implementations and +# is not reported for other distros can be marked whitelisted. +# Links: +# https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613 +# https://www.incibe-cert.es/en/early-warning/vulnerabilities/cve-2007-0613 +# https://security-tracker.debian.org/tracker/CVE-2007-0613 +# https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613 +CVE_CHECK_WHITELIST += "CVE-2007-0613" + PARALLEL_MAKE = "" S = "${WORKDIR}/mDNSResponder-${PV}/mDNSPosix" -- 2.17.1
View/Reply Online (#90221): https://lists.openembedded.org/g/openembedded-devel/message/90221
[oe] [meta-networking][meta-oe][dunfell][PATCH] dnsmasq: Add fixes for CVEs reported for dnsmasq
Applied a single patch for the below listed CVEs, which prevents a remote attacker from overwriting memory:
CVE-2020-25681
CVE-2020-25682
CVE-2020-25683
CVE-2020-25687
as they are fixed by a single commit http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=4e96a4be685c9e4445f6ee79ad0b36b9119b502a
Link: https://www.openwall.com/lists/oss-security/2021/01/19/1

Also, applied patches for the below listed CVEs:
CVE-2020-25684
CVE-2020-25685
CVE-2020-25686

Signed-off-by: Sana Kazi
--- .../recipes-support/dnsmasq/dnsmasq_2.81.bb | 7 +- .../dnsmasq/files/CVE-2020-25681.patch| 373 +++ .../dnsmasq/files/CVE-2020-25684.patch| 100 +++ .../dnsmasq/files/CVE-2020-25685-1.patch | 590 ++ .../dnsmasq/files/CVE-2020-25685-2.patch | 201 ++ .../dnsmasq/files/CVE-2020-25686-1.patch | 335 ++ .../dnsmasq/files/CVE-2020-25686-2.patch | 66 ++ 7 files changed, 1671 insertions(+), 1 deletion(-) create mode 100644 meta-networking/recipes-support/dnsmasq/files/CVE-2020-25681.patch create mode 100644 meta-networking/recipes-support/dnsmasq/files/CVE-2020-25684.patch create mode 100644 meta-networking/recipes-support/dnsmasq/files/CVE-2020-25685-1.patch create mode 100644 meta-networking/recipes-support/dnsmasq/files/CVE-2020-25685-2.patch create mode 100644 meta-networking/recipes-support/dnsmasq/files/CVE-2020-25686-1.patch create mode 100644 meta-networking/recipes-support/dnsmasq/files/CVE-2020-25686-2.patch diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb index 92415386c..a1dc0f3a0 100644 --- a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb +++ b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb
@@ -4,5 +4,10 @@ SRC_URI[dnsmasq-2.81.md5sum] = "e43808177a773014b5892ccba238f7a8" SRC_URI[dnsmasq-2.81.sha256sum] = "3c28c68c6c2967c3a96e9b432c0c046a5df17a426d3a43cffe9e693cf05804d0" SRC_URI += "\ file://lua.patch \ +file://CVE-2020-25681.patch \ +file://CVE-2020-25684.patch \ +file://CVE-2020-25685-1.patch \ +file://CVE-2020-25685-2.patch \ +file://CVE-2020-25686-1.patch \ +file://CVE-2020-25686-2.patch \ " - diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25681.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25681.patch new file mode 100644 index 0..cab734ed1 --- /dev/null +++ b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25681.patch 
@@ -0,0 +1,373 @@ +From 4e96a4be685c9e4445f6ee79ad0b36b9119b502a Mon Sep 17 00:00:00 2001 +From: Simon Kelley +Date: Wed, 11 Nov 2020 23:25:04 + +Subject: [PATCH] Fix remote buffer overflow CERT VU#434904 + +The problem is in the sort_rrset() function and allows a remote +attacker to overwrite memory. Any dnsmasq instance with DNSSEC +enabled is vulnerable. + +Signed-off-by: Sana Kazi +--- + CHANGELOG| 7 +- + src/dnssec.c | 273 --- + 2 files changed, 158 insertions(+), 122 deletions(-) + +CVE: CVE-2020-25681 +CVE: CVE-2020-25682 +CVE: CVE-2020-25683 +CVE: CVE-2020-25687 +Upstream-Status: Backport [https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=patch;h=4e96a4be685c9e4445f6ee79ad0b36b9119b502a] +Comment: No change in any hunk + +diff --git a/src/dnssec.c b/src/dnssec.c +index db5c2d1..e95aa34 100644 +--- a/src/dnssec.c b/src/dnssec.c +@@ -223,138 +223,147 @@ static int check_date_range(unsigned long curtime, u32 date_start, u32 date_end) + && serial_compare_32(curtime, date_end) == SERIAL_LT; + } + +-/* Return bytes of canonicalised rdata, when the return value is zero, the remaining +- data, pointed to by *p, should be used raw. */ +-static int get_rdata(struct dns_header *header, size_t plen, unsigned char *end, char *buff, int bufflen, +- unsigned char **p, u16 **desc) ++/* Return bytes of canonicalised rrdata one by one. ++ Init state->ip with the RR, and state->end with the end of same. ++ Init state->op to NULL. ++ Init state->desc to RR descriptor. ++ Init state->buff with a MAXDNAME * 2 buffer. ++ ++ After each call which returns 1, state->op points to the next byte of data. ++ On returning 0, the end has been reached. 
++*/ ++struct rdata_state { ++ u16 *desc; ++ size_t c; ++ unsigned char *end, *ip, *op; ++ char *buff; ++}; ++ ++static int get_rdata(struct dns_header *header, size_t plen, struct rdata_state *state) + { +- int d = **desc; ++ int d; + +- /* No more data needs mangling */ +- if (d == (u16)-1) ++ if (state->op && state->c != 1) + { +- /* If there's more data than we have space for, just return what fits, +- we'll get called again for more chunks */ +- if (end - *p > bufflen) +- { +-memcpy(buff, *p, bufflen); +-*p += bufflen; +-return bufflen; +- } +- +- return 0; ++
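Review bot: the lone `-` closing the `@@ -4,5 +4,10 @@` hunk in dnsmasq_2.81.bb deletes the recipe's trailing blank line, an unrelated whitespace change that only makes the hunk harder to cherry-pick to other branches; drop it. Also, `CVE-2020-25681.patch` carries `CVE:` tags for 25681, 25682, 25683 and 25687, so cve-check will credit all four from that one file, but someone reading the recipe sees only one CVE name in `SRC_URI`; a one-line comment above the `file://` entries, such as `# CVE-2020-25681.patch also covers CVE-2020-25682, -25683 and -25687`, documents that without touching the patch.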
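Review bot: the `@@ -223,138 +223,147 @@` hunk of `src/dnssec.c` is cut off in the archive after `++`, so the `sort_rrset()` change the patch header describes cannot be reviewed here; what is visible replaces the old `get_rdata()` path that `memcpy`'d up to `bufflen` bytes into `buff` with a `struct rdata_state` iterator (`ip`, `op`, `end`, `desc`, `buff`, `c`) that yields canonicalised rdata one byte at a time. Two things to verify on the real file rather than this rendering: the inner header is shown as `+--- a/src/dnssec.c b/src/dnssec.c` with no `+++` line, and the upstream commit (dated November 2020) postdates the 2.81 release the recipe builds, so `Comment: No change in any hunk` should be backed by a clean `bitbake -c patch dnsmasq` and a build with DNSSEC enabled on dunfell, since the header states that only DNSSEC-enabled instances are affected and that is the configuration that exercises this code.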
[oe] [meta-networking][meta-oe][master][dunfell][PATCHv2] mdns: Whitelisted CVE-2007-0613 for mdns
CVE-2007-0613 is not applicable as it only affects Apple products i.e. ichat, mdnsresponder, instant message framework and MacOS.
Also, https://www.exploit-db.com/exploits/3230 shows the part of code affected by CVE-2007-0613 which is not present in upstream source code.
Hence, CVE-2007-0613 does not affect other Yocto implementations and is not reported for other distros, so it can be marked whitelisted.

Links:
https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613
https://www.incibe-cert.es/en/early-warning/vulnerabilities/cve-2007-0613
https://security-tracker.debian.org/tracker/CVE-2007-0613
https://ubuntu.com/security/CVE-2007-0613
https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613

Signed-off-by: Sana Kazi
--- .../recipes-protocols/mdns/mdns_1310.40.42.bb | 13 + 1 file changed, 13 insertions(+) diff --git a/meta-networking/recipes-protocols/mdns/mdns_1310.40.42.bb b/meta-networking/recipes-protocols/mdns/mdns_1310.40.42.bb index 445ed87e4..60bc26bf1 100644 --- a/meta-networking/recipes-protocols/mdns/mdns_1310.40.42.bb +++ b/meta-networking/recipes-protocols/mdns/mdns_1310.40.42.bb
@@ -27,6 +27,19 @@ SRC_URI[sha256sum] = "bea29e1616cd56ccb8f88c0fad2bcdc4031f4deb2d899c793e2f27a838 CVE_PRODUCT = "apple:mdnsresponder" +# CVE-2007-0613 is not applicable as it only affects Apple products +# i.e. ichat,mdnsresponder, instant message framework and MacOS. +# Also, https://www.exploit-db.com/exploits/3230 shows the part of code +# affected by CVE-2007-0613 which is not preset in upstream source code. +# Hence, CVE-2007-0613 does not affect other Yocto implementations and +# is not reported for other distros can be marked whitelisted. +# Links: +# https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613 +# https://www.incibe-cert.es/en/early-warning/vulnerabilities/cve-2007-0613 +# https://security-tracker.debian.org/tracker/CVE-2007-0613 +# https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613 +CVE_CHECK_WHITELIST += "CVE-2007-0613" + PARALLEL_MAKE = "" S = "${WORKDIR}/mDNSResponder-${PV}/mDNSPosix" -- 2.17.1
View/Reply Online (#89996): https://lists.openembedded.org/g/openembedded-devel/message/89996
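Review bot: the comment block added in the `@@ -27,6 +27,19 @@` hunk needs three cleanups before it goes in as the permanent record of why this CVE is suppressed: `preset` should read `present`, the vulmon link is listed twice while `https://ubuntu.com/security/CVE-2007-0613` from the commit message is missing, and `is not reported for other distros can be marked whitelisted` is missing a `so it`. The mechanism itself is right for this branch: `CVE_PRODUCT = "apple:mdnsresponder"` makes cve-check match Apple's CPE entries, so a `CVE_CHECK_WHITELIST` entry with the reasoning kept next to it in the recipe is the correct way to suppress a report that only applies to Apple's own iChat/MacOS build of the code, as the exploit-db reference cited in the comment is what shows the affected code is absent upstream.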
[oe] [meta-networking][meta-oe][master][dunfell][PATCH] mdns: Whitelisted CVE-2007-0613 for mdns
CVE-2007-0613 is not applicable as it only affects Apple products i.e. ichat, mdnsresponder, instant message framework and MacOS.
Also, https://www.exploit-db.com/exploits/3230 shows the part of code affected by CVE-2007-0613 which is not present in upstream source code.
Hence, CVE-2007-0613 does not affect other Yocto implementations and is not reported for other distros, so it can be marked whitelisted.

Links:
https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613
https://www.incibe-cert.es/en/early-warning/vulnerabilities/cve-2007-0613
https://security-tracker.debian.org/tracker/CVE-2007-0613
https://ubuntu.com/security/CVE-2007-0613
https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613

--- .../recipes-protocols/mdns/mdns_1310.40.42.bb | 13 + 1 file changed, 13 insertions(+) diff --git a/meta-networking/recipes-protocols/mdns/mdns_1310.40.42.bb b/meta-networking/recipes-protocols/mdns/mdns_1310.40.42.bb index 445ed87e4..60bc26bf1 100644 --- a/meta-networking/recipes-protocols/mdns/mdns_1310.40.42.bb +++ b/meta-networking/recipes-protocols/mdns/mdns_1310.40.42.bb
@@ -27,6 +27,19 @@ SRC_URI[sha256sum] = "bea29e1616cd56ccb8f88c0fad2bcdc4031f4deb2d899c793e2f27a838 CVE_PRODUCT = "apple:mdnsresponder" +# CVE-2007-0613 is not applicable as it only affects Apple products +# i.e. ichat,mdnsresponder, instant message framework and MacOS. +# Also, https://www.exploit-db.com/exploits/3230 shows the part of code +# affected by CVE-2007-0613 which is not preset in upstream source code. +# Hence, CVE-2007-0613 does not affect other Yocto implementations and +# is not reported for other distros can be marked whitelisted. +# Links: +# https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613 +# https://www.incibe-cert.es/en/early-warning/vulnerabilities/cve-2007-0613 +# https://security-tracker.debian.org/tracker/CVE-2007-0613 +# https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613 +CVE_CHECK_WHITELIST += "CVE-2007-0613" + PARALLEL_MAKE = "" S = "${WORKDIR}/mDNSResponder-${PV}/mDNSPosix" -- 2.17.1
View/Reply Online (#89995): https://lists.openembedded.org/g/openembedded-devel/message/89995
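Review bot: this submission has no `Signed-off-by:` line, the `---` separator follows the links list directly, and meta-openembedded requires one on every patch; add it with `git commit -s --amend` and resend (the PATCHv2 of this change in the same thread does carry it). The `@@ -27,6 +27,19 @@` hunk itself is fine as a whitelist entry: it keeps the justification and references beside `CVE_CHECK_WHITELIST += "CVE-2007-0613"` in the recipe, which is what lets a later maintainer re-check the reasoning when the mDNSResponder version or the `CVE_PRODUCT` mapping changes.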