Re: [oe] [meta-oe][kirkstone][PATCH] ntfs-3g-ntfsprogs: Upgrade 2022.5.17 to 2022.10.3
Hi OpenEmbedded-Devel Team ,
I am writing to inquire about the status of the patch mentioned in the mail
below that I submitted to OpenEmbedded-Devel and when it is expected to be
integrated?
Thanks & Regards,
Sana Kazi
KPIT Technologies Limited
From: openembedded-devel@lists.openembedded.org
on behalf of sana kazi via
lists.openembedded.org
Sent: Thursday, September 7, 2023 12:26 PM
To: openembedded-devel@lists.openembedded.org
Cc: sanakazis...@gmail.com
Subject: [oe] [meta-oe][kirkstone][PATCH] ntfs-3g-ntfsprogs: Upgrade 2022.5.17
to 2022.10.3
Caution: This email originated from outside of the KPIT. Do not click links or
open attachments unless you recognize the sender and know the content is safe.
From: Omkar Patil
Changes:
Rejected zero-sized runs
Avoided merging runlists with no runs
Fix CVE-2022-40284
Dunfell and master both have latest version of ntfs-3g-ntfsprogs
2022.10.3. Therefore, upgrade the version on kirkstone too.
Signed-off-by: Omkar Patil
Signed-off-by: Khem Raj
(cherry picked from commit 5d5e8854718dab02c2737e3faf288f830a514841)
Signed-off-by: Sana Kazi
---
...3g-ntfsprogs_2022.5.17.bb => ntfs-3g-ntfsprogs_2022.10.3.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename
meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/{ntfs-3g-ntfsprogs_2022.5.17.bb
=> ntfs-3g-ntfsprogs_2022.10.3.bb} (95%)
diff --git
a/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2022.5.17.bb
b/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2022.10.3.bb
similarity index 95%
rename from
meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2022.5.17.bb
rename to
meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2022.10.3.bb
index b29716ad4..37a8106bb 100644
---
a/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2022.5.17.bb
+++
b/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2022.10.3.bb
@@ -10,7 +10,7 @@ SRC_URI =
"https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Ftuxera.com%2Fopensource%2Fntfs-3g_ntfsprogs-%24=05%7C01%7CSana.Kazi%40kpit.com%7C15f74e1dcecf44faeac808dbaf6fba8e%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C63829670807254%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C=uGwpKtNULV3O3fyr8gynGij4JHzOF0h%2F%2FoNyDqBAHSI%3D=0{PV}.tgz
\
file://0001-libntfs-3g-Makefile.am-fix-install-failed-while-host.patch \
"
S = "${WORKDIR}/ntfs-3g_ntfsprogs-${PV}"
-SRC_URI[sha256sum] =
"0489fbb6972581e1b417ab578d543f6ae522e7fa648c3c9b49c789510fd5eb93"
+SRC_URI[sha256sum] =
"f20e36ee68074b845e3629e6bced4706ad053804cbaf062fbae60738f854170c"
UPSTREAM_CHECK_URI =
"https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.tuxera.com%2Fcommunity%2Fopen-source-ntfs-3g%2F=05%7C01%7CSana.Kazi%40kpit.com%7C15f74e1dcecf44faeac808dbaf6fba8e%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C63829670807254%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C=y4lfjW6VN8Go8vwIPGapbXmgcYNR%2BKTkY%2BuzFjYKyeA%3D=0<https://www.tuxera.com/community/open-source-ntfs-3g/>"
UPSTREAM_CHECK_REGEX = "ntfs-3g_ntfsprogs-(?P\d+(\.\d+)+)\.tgz"
--
2.25.1
This message contains information that may be privileged or confidential and is
the property of the KPIT Technologies Ltd. It is intended only for the person
to whom it is addressed. If you are not the intended recipient, you are not
authorized to read, print, retain copy, disseminate, distribute, or use this
message or any part thereof. If you receive this message in error, please
notify the sender immediately and delete all copies of this message. KPIT
Technologies Ltd. does not accept any liability for virus infected mails.
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#105725):
https://lists.openembedded.org/g/openembedded-devel/message/105725
Mute This Topic: https://lists.openembedded.org/mt/101210079/21656
Group Owner: openembedded-devel+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[oe] [meta-oe][dunfell][PATCH] openjpeg: Whitelist CVE-2020-27844 and CVE-2015-1239
From: Sana Kazi
Whitelist CVE-2020-27844 as it is introduced by
https://github.com/uclouvain/openjpeg/commit/4edb8c83374f52cd6a8f2c7c875e8ffacccb5fa5
but the contents of this patch is not present in openjpeg_2.3.1
Link: https://security-tracker.debian.org/tracker/CVE-2020-27844
Whitelist CVE-2015-1239 as the CVE description clearly states that
j2k_read_ppm_v3 function in openjpeg is affected due to CVE-2015-1239
but in openjpeg_2.3.1 this function is not present.
Hence, CVE-2015-1239 does not affect openjpeg_2.3.1.
Signed-off-by: Sana.Kazi
Signed-off-by: Sana Kazi
---
.../recipes-graphics/openjpeg/openjpeg_2.3.1.bb| 14 ++
1 file changed, 14 insertions(+)
diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.3.1.bb
b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.3.1.bb
index 218dc911fe..9cf513f3f7 100644
--- a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.3.1.bb
+++ b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.3.1.bb
@@ -33,3 +33,17 @@ inherit cmake
EXTRA_OECMAKE +=
"-DOPENJPEG_INSTALL_LIB_DIR=${@d.getVar('baselib').replace('/', '')}"
FILES_${PN} += "${libdir}/openjpeg*"
+
+# This flaw is introduced by
+#
https://github.com/uclouvain/openjpeg/commit/4edb8c83374f52cd6a8f2c7c875e8ffacccb5fa5
+# but the contents of this patch is not present in openjpeg_2.3.1
+# Hence, it can be whitelisted.
+# https://security-tracker.debian.org/tracker/CVE-2020-27844
+
+CVE_CHECK_WHITELIST += "CVE-2020-27844"
+
+# The CVE description clearly states that j2k_read_ppm_v3 function in openjpeg
+# is affected due to CVE-2015-1239 but in openjpeg_2.3.1 this function is not
present.
+# Hence, CVE-2015-1239 does not affect openjpeg_2.3.1
+
+CVE_CHECK_WHITELIST += "CVE-2015-1239"
--
2.17.1
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#97122):
https://lists.openembedded.org/g/openembedded-devel/message/97122
Mute This Topic: https://lists.openembedded.org/mt/91135007/21656
Group Owner: openembedded-devel+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[oe] [meta-oe][dunfell][PATCH] openjpeg: Fix multiple CVE
Add patch to fix below CVE:
CVE-2019-12973
CVE-2020-15389
CVE-2020-27814
CVE-2020-27823
CVE-2020-27824
CVE-2020-27841
CVE-2020-27842
CVE-2020-27843
CVE-2020-27845
Signed-off-by: Virendra Thakur
Signed-off-by: Sana Kazi
---
.../openjpeg/openjpeg/CVE-2019-12973-1.patch | 72 ++
.../openjpeg/openjpeg/CVE-2019-12973-2.patch | 86 +++
.../openjpeg/openjpeg/CVE-2020-15389.patch| 43
.../openjpeg/openjpeg/CVE-2020-27814-1.patch | 29 +++
.../openjpeg/openjpeg/CVE-2020-27814-2.patch | 27 ++
.../openjpeg/openjpeg/CVE-2020-27814-3.patch | 30 +++
.../openjpeg/openjpeg/CVE-2020-27814-4.patch | 27 ++
.../openjpeg/openjpeg/CVE-2020-27823.patch| 29 +++
.../openjpeg/openjpeg/CVE-2020-27824.patch| 24 ++
.../openjpeg/openjpeg/CVE-2020-27841.patch| 238 ++
.../openjpeg/openjpeg/CVE-2020-27842.patch| 31 +++
.../openjpeg/openjpeg/CVE-2020-27843.patch| 31 +++
.../openjpeg/openjpeg/CVE-2020-27845.patch| 74 ++
.../openjpeg/openjpeg_2.3.1.bb| 13 +
14 files changed, 754 insertions(+)
create mode 100644
meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2019-12973-1.patch
create mode 100644
meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2019-12973-2.patch
create mode 100644
meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-15389.patch
create mode 100644
meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-1.patch
create mode 100644
meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-2.patch
create mode 100644
meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-3.patch
create mode 100644
meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-4.patch
create mode 100644
meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27823.patch
create mode 100644
meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27824.patch
create mode 100644
meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27841.patch
create mode 100644
meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27842.patch
create mode 100644
meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27843.patch
create mode 100644
meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27845.patch
diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2019-12973-1.patch
b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2019-12973-1.patch
new file mode 100644
index 00..98988e686e
--- /dev/null
+++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2019-12973-1.patch
@@ -0,0 +1,72 @@
+From 21399f6b7d318fcdf4406d5e88723c4922202aa3 Mon Sep 17 00:00:00 2001
+From: Young Xiao
+Date: Sat, 16 Mar 2019 19:57:27 +0800
+Subject: [PATCH] convertbmp: detect invalid file dimensions early
+
+width/length dimensions read from bmp headers are not necessarily
+valid. For instance they may have been maliciously set to very large
+values with the intention to cause DoS (large memory allocation, stack
+overflow). In these cases we want to detect the invalid size as early
+as possible.
+
+This commit introduces a counter which verifies that the number of
+written bytes corresponds to the advertized width/length.
+
+See commit 8ee335227bbc for details.
+
+Signed-off-by: Young Xiao
+
+Upstream-Status: Backport
[https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz]
+CVE: CVE-2019-12973
+Signed-off-by: Virendra Thakur
+---
+ src/bin/jp2/convertbmp.c | 10 --
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c
+index 0af52f816..ec34f535b 100644
+--- a/src/bin/jp2/convertbmp.c
b/src/bin/jp2/convertbmp.c
+@@ -622,13 +622,13 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8*
pData,
+ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData,
+OPJ_UINT32 stride, OPJ_UINT32 width,
OPJ_UINT32 height)
+ {
+-OPJ_UINT32 x, y;
++OPJ_UINT32 x, y, written;
+ OPJ_UINT8 *pix;
+ const OPJ_UINT8 *beyond;
+
+ beyond = pData + stride * height;
+ pix = pData;
+-x = y = 0U;
++x = y = written = 0U;
+ while (y < height) {
+ int c = getc(IN);
+ if (c == EOF) {
+@@ -642,6 +642,7 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8*
pData,
+ for (j = 0; (j < c) && (x < width) &&
+ ((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) {
+ *pix = (OPJ_UINT8)((j & 1) ? (c1 & 0x0fU) : ((c1 >> 4) &
0x0fU));
++written++;
+ }
+ } else { /* absolute mode */
+ c = getc(IN);
+@@ -671,6 +672,7 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8*
pData,
+ c1 = (OPJ_UINT8)getc(IN);
+ }
+ *pix = (OPJ_UINT8)((j & 1) ? (c1 & 0x0fU) : ((c1 >> 4) &
0x0fU));
++written++;
+
[oe] [meta-oe][dunfell][PATCH] protobuf: Fix CVE-2021-22570
Fix CVE-2021-22570.
Link: https://koji.fedoraproject.org/koji/buildinfo?buildID=1916865
Link:
https://src.fedoraproject.org/rpms/protobuf/blob/394beeacb500861f76473d47e10314e6a3600810/f/CVE-2021-22570.patch
Remove first and second hunk because the second argument in
InsertIfNotPresent() function is of type const char* const& but the
first and second hunk makes the type of second argument as const string
which is not compatible with the type of second argument in
InsertIfNotPresent().
Signed-off-by: Sana Kazi
Signed-off-by: Sana Kazi
---
.../protobuf/protobuf/CVE-2021-22570.patch| 64 +++
.../protobuf/protobuf_3.11.4.bb | 1 +
2 files changed, 65 insertions(+)
create mode 100644
meta-oe/recipes-devtools/protobuf/protobuf/CVE-2021-22570.patch
diff --git a/meta-oe/recipes-devtools/protobuf/protobuf/CVE-2021-22570.patch
b/meta-oe/recipes-devtools/protobuf/protobuf/CVE-2021-22570.patch
new file mode 100644
index 0..be3180181
--- /dev/null
+++ b/meta-oe/recipes-devtools/protobuf/protobuf/CVE-2021-22570.patch
@@ -0,0 +1,64 @@
+CVE: CVE-2021-22570
+Upstream-Status: Backport
[https://src.fedoraproject.org/rpms/protobuf/blob/394beeacb500861f76473d47e10314e6a3600810/f/CVE-2021-22570.patch]
+Comment: Removed first and second hunk
+Signed-off-by: Sana.Kazi
+
+diff --git a/src/google/protobuf/descriptor.cc
b/src/google/protobuf/descriptor.cc
+index 7af37c57f3..03c4e2b516 100644
+--- a/src/google/protobuf/descriptor.cc
b/src/google/protobuf/descriptor.cc
+@@ -2626,6 +2626,8 @@ void Descriptor::DebugString(int depth, std::string*
contents,
+ const Descriptor::ReservedRange* range = reserved_range(i);
+ if (range->end == range->start + 1) {
+ strings::SubstituteAndAppend(contents, "$0, ", range->start);
++ } else if (range->end > FieldDescriptor::kMaxNumber) {
++strings::SubstituteAndAppend(contents, "$0 to max, ", range->start);
+ } else {
+ strings::SubstituteAndAppend(contents, "$0 to $1, ", range->start,
+ range->end - 1);
+@@ -2829,6 +2831,8 @@ void EnumDescriptor::DebugString(
+ const EnumDescriptor::ReservedRange* range = reserved_range(i);
+ if (range->end == range->start) {
+ strings::SubstituteAndAppend(contents, "$0, ", range->start);
++ } else if (range->end == INT_MAX) {
++strings::SubstituteAndAppend(contents, "$0 to max, ", range->start);
+ } else {
+ strings::SubstituteAndAppend(contents, "$0 to $1, ", range->start,
+ range->end);
+@@ -4019,6 +4023,11 @@ bool DescriptorBuilder::AddSymbol(const std::string&
full_name,
+ // Use its file as the parent instead.
+ if (parent == nullptr) parent = file_;
+
++ if (full_name.find('\0') != std::string::npos) {
++AddError(full_name, proto, DescriptorPool::ErrorCollector::NAME,
++ "\"" + full_name + "\" contains null character.");
++return false;
++ }
+ if (tables_->AddSymbol(full_name, symbol)) {
+ if (!file_tables_->AddAliasUnderParent(parent, name, symbol)) {
+ // This is only possible if there was already an error adding something
of
+@@ -4059,6 +4068,11 @@ bool DescriptorBuilder::AddSymbol(const std::string&
full_name,
+ void DescriptorBuilder::AddPackage(const std::string& name,
+const Message& proto,
+const FileDescriptor* file) {
++ if (name.find('\0') != std::string::npos) {
++AddError(name, proto, DescriptorPool::ErrorCollector::NAME,
++ "\"" + name + "\" contains null character.");
++return;
++ }
+ if (tables_->AddSymbol(name, Symbol(file))) {
+ // Success. Also add parent package, if any.
+ std::string::size_type dot_pos = name.find_last_of('.');
+@@ -4372,6 +4386,12 @@ FileDescriptor* DescriptorBuilder::BuildFileImpl(
+ }
+ result->pool_ = pool_;
+
++ if (result->name().find('\0') != std::string::npos) {
++AddError(result->name(), proto, DescriptorPool::ErrorCollector::NAME,
++ "\"" + result->name() + "\" contains null character.");
++return nullptr;
++ }
++
+ // Add to tables.
+ if (!tables_->AddFile(result)) {
+ AddError(proto.name(), proto, DescriptorPool::ErrorCollector::OTHER,
diff --git a/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb
b/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb
index d2f22ba6b..55d56ff08 100644
--- a/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb
+++ b/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb
@@ -17,6 +17,7 @@ SRC_URI =
"git://github.com/google/protobuf.git;branch=3.11.x;protocol=https \
file://0001-protobuf-fix-configure-error.patch \
[oe][meta-networking][dunfell][PATCH] netcat: Set CVE_PRODUCT
From: Andre Carvalho
This way yocto cve-check can find open CVE's. See also:
http://lists.openembedded.org/pipermail/openembedded-core/2017-July/139897.html
"Results from cve-check are not very good at the moment.
One of the reasons for this is that component names used in CVE
database differ from yocto recipe names. This series fixes several
of those name mapping problems by setting the CVE_PRODUCT correctly
in the recipes. To check this mapping with after a build, I'm exporting
LICENSE and CVE_PRODUCT variables to buildhistory for recipes and
packages."
Value added is based on:
https://nvd.nist.gov/products/cpe/search/results?keyword=netcat=FINAL=CPEURI=2.3
Signed-off-by: Andre Carvalho
Signed-off-by: Khem Raj
Signed-off-by: Sana Kazi
Signed-off-by: Sana Kazi
---
meta-networking/recipes-support/netcat/netcat_0.7.1.bb | 2 ++
1 file changed, 2 insertions(+)
diff --git a/meta-networking/recipes-support/netcat/netcat_0.7.1.bb
b/meta-networking/recipes-support/netcat/netcat_0.7.1.bb
index 14d743f82..1e113de51 100644
--- a/meta-networking/recipes-support/netcat/netcat_0.7.1.bb
+++ b/meta-networking/recipes-support/netcat/netcat_0.7.1.bb
@@ -16,6 +16,8 @@ SRC_URI[sha256sum] =
"b55af0bbdf5acc02d1eb6ab18da2acd77a400bafd074489003f3df0967
inherit autotools
+CVE_PRODUCT = "netcat_project:netcat"
+
do_install_append() {
install -d ${D}${bindir}
mv ${D}${bindir}/nc ${D}${bindir}/nc.${BPN}
--
2.17.1
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#94729):
https://lists.openembedded.org/g/openembedded-devel/message/94729
Mute This Topic: https://lists.openembedded.org/mt/88346383/21656
Group Owner: openembedded-devel+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [oe][meta-oe][dunfell][PATCH] nss: Fix CVE-2021-43527
Hi,
Could you please review the below patch?
Regards,
Sana Kazi
On Thu, 16 Dec 2021 at 16:23, Sana Kazi wrote:
> Add patch to fix CVE-2021-43527 which causes heap overflow in nss.
>
> Signed-off-by: Sana Kazi
> Signed-off-by: Sana Kazi
> ---
> .../nss/nss/CVE-2021-43527.patch | 283 ++
> meta-oe/recipes-support/nss/nss_3.51.1.bb | 1 +
> 2 files changed, 284 insertions(+)
> create mode 100644 meta-oe/recipes-support/nss/nss/CVE-2021-43527.patch
>
> diff --git a/meta-oe/recipes-support/nss/nss/CVE-2021-43527.patch
> b/meta-oe/recipes-support/nss/nss/CVE-2021-43527.patch
> new file mode 100644
> index 0..cf3ea63ca
> --- /dev/null
> +++ b/meta-oe/recipes-support/nss/nss/CVE-2021-43527.patch
> @@ -0,0 +1,283 @@
> +Description: fix heap overflow when verifying DSA/RSA-PSS DER-encoded
> signatures
> +Origin: Provided by Mozilla
> +
> +CVE: CVE-2021-43527
> +Upstream-Status: Backport [
> http://archive.ubuntu.com/ubuntu/pool/main/n/nss/nss_3.35-2ubuntu2.13.debian.tar.xz
> ]
> +Comment: Refreshed hunk 1 and 6 due to fuzz
> +Signed-off-by: Sana Kazi
> +
> +--- a/nss/lib/cryptohi/secvfy.c
> b/nss/lib/cryptohi/secvfy.c
> +@@ -164,6 +164,37 @@
> + PR_FALSE /*XXX: unsafeAllowMissingParameters*/);
> + }
> +
> ++static unsigned int
> ++checkedSignatureLen(const SECKEYPublicKey *pubk)
> ++{
> ++unsigned int sigLen = SECKEY_SignatureLen(pubk);
> ++if (sigLen == 0) {
> ++/* Error set by SECKEY_SignatureLen */
> ++return sigLen;
> ++}
> ++unsigned int maxSigLen;
> ++switch (pubk->keyType) {
> ++case rsaKey:
> ++case rsaPssKey:
> ++maxSigLen = (RSA_MAX_MODULUS_BITS + 7) / 8;
> ++break;
> ++case dsaKey:
> ++maxSigLen = DSA_MAX_SIGNATURE_LEN;
> ++break;
> ++case ecKey:
> ++maxSigLen = 2 * MAX_ECKEY_LEN;
> ++break;
> ++default:
> ++PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
> ++return 0;
> ++}
> ++if (sigLen > maxSigLen) {
> ++PORT_SetError(SEC_ERROR_INVALID_KEY);
> ++return 0;
> ++}
> ++return sigLen;
> ++}
> ++
> + /*
> + * decode the ECDSA or DSA signature from it's DER wrapping.
> + * The unwrapped/raw signature is placed in the buffer pointed
> +@@ -174,38 +205,38 @@ decodeECorDSASignature(SECOidTag algid,
> +unsigned int len)
> + {
> + SECItem *dsasig = NULL; /* also used for ECDSA */
> +-SECStatus rv = SECSuccess;
> +
> +-if ((algid != SEC_OID_ANSIX9_DSA_SIGNATURE) &&
> +-(algid != SEC_OID_ANSIX962_EC_PUBLIC_KEY)) {
> +-if (sig->len != len) {
> +-PORT_SetError(SEC_ERROR_BAD_DER);
> +-return SECFailure;
> ++/* Safety: Ensure algId is as expected and that signature size is
> within maxmimums */
> ++if (algid == SEC_OID_ANSIX9_DSA_SIGNATURE) {
> ++if (len > DSA_MAX_SIGNATURE_LEN) {
> ++goto loser;
> + }
> +-
> +-PORT_Memcpy(dsig, sig->data, sig->len);
> +-return SECSuccess;
> +-}
> +-
> +-if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) {
> ++} else if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) {
> + if (len > MAX_ECKEY_LEN * 2) {
> +-PORT_SetError(SEC_ERROR_BAD_DER);
> +-return SECFailure;
> ++goto loser;
> + }
> +-}
> +-dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len);
> +-
> +-if ((dsasig == NULL) || (dsasig->len != len)) {
> +-rv = SECFailure;
> + } else {
> +-PORT_Memcpy(dsig, dsasig->data, dsasig->len);
> ++goto loser;
> + }
> +
> +-if (dsasig != NULL)
> ++/* Decode and pad to length */
> ++dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len);
> ++if (dsasig == NULL) {
> ++goto loser;
> ++}
> ++if (dsasig->len != len) {
> + SECITEM_FreeItem(dsasig, PR_TRUE);
> +-if (rv == SECFailure)
> +-PORT_SetError(SEC_ERROR_BAD_DER);
> +-return rv;
> ++goto loser;
> ++}
> ++
> ++PORT_Memcpy(dsig, dsasig->data, len);
> ++SECITEM_FreeItem(dsasig, PR_TRUE);
> ++
> ++return SECSuccess;
> ++
> ++loser:
> ++PORT_SetError(SEC_ERROR_BAD_DER);
> ++return SECFailure;
> + }
> +
> + const SEC_ASN1Template hashParameterTemplate[] =
> +@@ -231,7 +262,7 @@ SECStatus
> + sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg,
> + cons
[oe][meta-oe][dunfell][PATCH] nss: Fix CVE-2021-43527
Add patch to fix CVE-2021-43527 which causes heap overflow in nss.
Signed-off-by: Sana Kazi
Signed-off-by: Sana Kazi
---
.../nss/nss/CVE-2021-43527.patch | 283 ++
meta-oe/recipes-support/nss/nss_3.51.1.bb | 1 +
2 files changed, 284 insertions(+)
create mode 100644 meta-oe/recipes-support/nss/nss/CVE-2021-43527.patch
diff --git a/meta-oe/recipes-support/nss/nss/CVE-2021-43527.patch
b/meta-oe/recipes-support/nss/nss/CVE-2021-43527.patch
new file mode 100644
index 0..cf3ea63ca
--- /dev/null
+++ b/meta-oe/recipes-support/nss/nss/CVE-2021-43527.patch
@@ -0,0 +1,283 @@
+Description: fix heap overflow when verifying DSA/RSA-PSS DER-encoded
signatures
+Origin: Provided by Mozilla
+
+CVE: CVE-2021-43527
+Upstream-Status: Backport
[http://archive.ubuntu.com/ubuntu/pool/main/n/nss/nss_3.35-2ubuntu2.13.debian.tar.xz]
+Comment: Refreshed hunk 1 and 6 due to fuzz
+Signed-off-by: Sana Kazi
+
+--- a/nss/lib/cryptohi/secvfy.c
b/nss/lib/cryptohi/secvfy.c
+@@ -164,6 +164,37 @@
+ PR_FALSE /*XXX: unsafeAllowMissingParameters*/);
+ }
+
++static unsigned int
++checkedSignatureLen(const SECKEYPublicKey *pubk)
++{
++unsigned int sigLen = SECKEY_SignatureLen(pubk);
++if (sigLen == 0) {
++/* Error set by SECKEY_SignatureLen */
++return sigLen;
++}
++unsigned int maxSigLen;
++switch (pubk->keyType) {
++case rsaKey:
++case rsaPssKey:
++maxSigLen = (RSA_MAX_MODULUS_BITS + 7) / 8;
++break;
++case dsaKey:
++maxSigLen = DSA_MAX_SIGNATURE_LEN;
++break;
++case ecKey:
++maxSigLen = 2 * MAX_ECKEY_LEN;
++break;
++default:
++PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
++return 0;
++}
++if (sigLen > maxSigLen) {
++PORT_SetError(SEC_ERROR_INVALID_KEY);
++return 0;
++}
++return sigLen;
++}
++
+ /*
+ * decode the ECDSA or DSA signature from it's DER wrapping.
+ * The unwrapped/raw signature is placed in the buffer pointed
+@@ -174,38 +205,38 @@ decodeECorDSASignature(SECOidTag algid,
+unsigned int len)
+ {
+ SECItem *dsasig = NULL; /* also used for ECDSA */
+-SECStatus rv = SECSuccess;
+
+-if ((algid != SEC_OID_ANSIX9_DSA_SIGNATURE) &&
+-(algid != SEC_OID_ANSIX962_EC_PUBLIC_KEY)) {
+-if (sig->len != len) {
+-PORT_SetError(SEC_ERROR_BAD_DER);
+-return SECFailure;
++/* Safety: Ensure algId is as expected and that signature size is within
maxmimums */
++if (algid == SEC_OID_ANSIX9_DSA_SIGNATURE) {
++if (len > DSA_MAX_SIGNATURE_LEN) {
++goto loser;
+ }
+-
+-PORT_Memcpy(dsig, sig->data, sig->len);
+-return SECSuccess;
+-}
+-
+-if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) {
++} else if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) {
+ if (len > MAX_ECKEY_LEN * 2) {
+-PORT_SetError(SEC_ERROR_BAD_DER);
+-return SECFailure;
++goto loser;
+ }
+-}
+-dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len);
+-
+-if ((dsasig == NULL) || (dsasig->len != len)) {
+-rv = SECFailure;
+ } else {
+-PORT_Memcpy(dsig, dsasig->data, dsasig->len);
++goto loser;
+ }
+
+-if (dsasig != NULL)
++/* Decode and pad to length */
++dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len);
++if (dsasig == NULL) {
++goto loser;
++}
++if (dsasig->len != len) {
+ SECITEM_FreeItem(dsasig, PR_TRUE);
+-if (rv == SECFailure)
+-PORT_SetError(SEC_ERROR_BAD_DER);
+-return rv;
++goto loser;
++}
++
++PORT_Memcpy(dsig, dsasig->data, len);
++SECITEM_FreeItem(dsasig, PR_TRUE);
++
++return SECSuccess;
++
++loser:
++PORT_SetError(SEC_ERROR_BAD_DER);
++return SECFailure;
+ }
+
+ const SEC_ASN1Template hashParameterTemplate[] =
+@@ -231,7 +262,7 @@ SECStatus
+ sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg,
+ const SECItem *param, SECOidTag *encalg, SECOidTag *hashalg)
+ {
+-int len;
++unsigned int len;
+ PLArenaPool *arena;
+ SECStatus rv;
+ SECItem oid;
+@@ -458,48 +489,52 @@ vfy_CreateContext(const SECKEYPublicKey
+ cx->pkcs1RSADigestInfo = NULL;
+ rv = SECSuccess;
+ if (sig) {
+-switch (type) {
+-case rsaKey:
+-rv = recoverPKCS1DigestInfo(hashAlg, >hashAlg,
+->pkcs1RSADigestInfo,
+->pkcs1RSADigestInfoLen,
+-cx->key,
+-sig, wincx);
+-break;
+-case rsaPssKey:
+-sigLen = SECKEY_SignatureLen(key);
+-if (sigLen == 0)
[oe][meta-networking][dunfell][PATCH 3/3] dovecot: Fix CVE-2020-12674
Added patch for CVE-2020-12674
Link:
http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz
Signed-off-by: Sana Kazi
Signed-off-by: Sana Kazi
---
...uth-mech-rpa-Fail-on-zero-len-buffer.patch | 30 +++
.../dovecot/dovecot_2.2.36.4.bb | 1 +
2 files changed, 31 insertions(+)
create mode 100644
meta-networking/recipes-support/dovecot/dovecot/0001-auth-mech-rpa-Fail-on-zero-len-buffer.patch
diff --git
a/meta-networking/recipes-support/dovecot/dovecot/0001-auth-mech-rpa-Fail-on-zero-len-buffer.patch
b/meta-networking/recipes-support/dovecot/dovecot/0001-auth-mech-rpa-Fail-on-zero-len-buffer.patch
new file mode 100644
index 00..5580cd409f
--- /dev/null
+++
b/meta-networking/recipes-support/dovecot/dovecot/0001-auth-mech-rpa-Fail-on-zero-len-buffer.patch
@@ -0,0 +1,30 @@
+From bd9d2fe7da833f0e4705a8280efc56930371806b Mon Sep 17 00:00:00 2001
+From: Aki Tuomi
+Date: Wed, 6 May 2020 13:40:36 +0300
+Subject: [PATCH 1/3] auth: mech-rpa - Fail on zero len buffer
+
+---
+ src/auth/mech-rpa.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Signed-off-by: Sana Kazi
+
+CVE: CVE-2020-12674
+Upstream-Status: Backport
[http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz]
+Comment: No change in any hunk
+
+diff --git a/src/auth/mech-rpa.c b/src/auth/mech-rpa.c
+index 08298ebdd6..2de8705b4f 100644
+--- a/src/auth/mech-rpa.c
b/src/auth/mech-rpa.c
+@@ -224,7 +224,7 @@ rpa_read_buffer(pool_t pool, const unsigned char **data,
+ return 0;
+
+ len = *p++;
+- if (p + len > end)
++ if (p + len > end || len == 0)
+ return 0;
+
+ *buffer = p_malloc(pool, len);
+--
+2.11.0
diff --git a/meta-networking/recipes-support/dovecot/dovecot_2.2.36.4.bb
b/meta-networking/recipes-support/dovecot/dovecot_2.2.36.4.bb
index e36e51c283..29905196b6 100644
--- a/meta-networking/recipes-support/dovecot/dovecot_2.2.36.4.bb
+++ b/meta-networking/recipes-support/dovecot/dovecot_2.2.36.4.bb
@@ -25,6 +25,7 @@ SRC_URI =
"http://dovecot.org/releases/2.2/dovecot-${PV}.tar.gz \
file://0013-lib-mail-Fix-parse_too_many_nested_mime_parts.patch \
file://buffer_free_fix.patch \
file://0002-lib-ntlm-Check-buffer-length-on-responses.patch \
+ file://0001-auth-mech-rpa-Fail-on-zero-len-buffer.patch \
"
SRC_URI[md5sum] = "66c4d71858b214afee5b390ee602dee2"
--
2.17.1
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#94201):
https://lists.openembedded.org/g/openembedded-devel/message/94201
Mute This Topic: https://lists.openembedded.org/mt/87475408/21656
Group Owner: openembedded-devel+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[oe][meta-networking][dunfell][PATCH 2/3] dovecot: Fix CVE-2020-12673
Added patch for CVE-2020-12673
Link:
http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz
Signed-off-by: Sana Kazi
Signed-off-by: Sana Kazi
---
...tlm-Check-buffer-length-on-responses.patch | 37 +++
.../dovecot/dovecot_2.2.36.4.bb | 1 +
2 files changed, 38 insertions(+)
create mode 100644
meta-networking/recipes-support/dovecot/dovecot/0002-lib-ntlm-Check-buffer-length-on-responses.patch
diff --git
a/meta-networking/recipes-support/dovecot/dovecot/0002-lib-ntlm-Check-buffer-length-on-responses.patch
b/meta-networking/recipes-support/dovecot/dovecot/0002-lib-ntlm-Check-buffer-length-on-responses.patch
new file mode 100644
index 00..81aead8aad
--- /dev/null
+++
b/meta-networking/recipes-support/dovecot/dovecot/0002-lib-ntlm-Check-buffer-length-on-responses.patch
@@ -0,0 +1,37 @@
+Backport of:
+
+From 1c6405d3026e5ceae3d214d63945bba85251af4c Mon Sep 17 00:00:00 2001
+From: Aki Tuomi
+Date: Mon, 18 May 2020 12:33:39 +0300
+Subject: [PATCH 2/3] lib-ntlm: Check buffer length on responses
+
+Add missing check for buffer length.
+
+If this is not checked, it is possible to send message which
+causes read past buffer bug.
+
+Broken in c7480644202e5451fbed448508ea29a25cffc99c
+---
+ src/lib-ntlm/ntlm-message.c | 5 +
+ 1 file changed, 5 insertions(+)
+
+Signed-off-by: Sana Kazi
+
+CVE: CVE-2020-12673
+Upstream-Status: Backport
[http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz]
+Comment: No change in any hunk
+
+--- a/src/lib-ntlm/ntlm-message.c
b/src/lib-ntlm/ntlm-message.c
+@@ -184,6 +184,11 @@ static int ntlmssp_check_buffer(const st
+ if (length == 0 && space == 0)
+ return 1;
+
++ if (length > data_size) {
++ *error = "buffer length out of bounds";
++ return 0;
++ }
++
+ if (offset >= data_size) {
+ *error = "buffer offset out of bounds";
+ return 0;
diff --git a/meta-networking/recipes-support/dovecot/dovecot_2.2.36.4.bb
b/meta-networking/recipes-support/dovecot/dovecot_2.2.36.4.bb
index 407604c819..e36e51c283 100644
--- a/meta-networking/recipes-support/dovecot/dovecot_2.2.36.4.bb
+++ b/meta-networking/recipes-support/dovecot/dovecot_2.2.36.4.bb
@@ -24,6 +24,7 @@ SRC_URI =
"http://dovecot.org/releases/2.2/dovecot-${PV}.tar.gz \
file://0012-lib-mail-Fix-handling-trailing-in-MIME-boundaries.patch
\
file://0013-lib-mail-Fix-parse_too_many_nested_mime_parts.patch \
file://buffer_free_fix.patch \
+ file://0002-lib-ntlm-Check-buffer-length-on-responses.patch \
"
SRC_URI[md5sum] = "66c4d71858b214afee5b390ee602dee2"
--
2.17.1
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#94200):
https://lists.openembedded.org/g/openembedded-devel/message/94200
Mute This Topic: https://lists.openembedded.org/mt/87475390/21656
Group Owner: openembedded-devel+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[oe][meta-networking][dunfell][PATCH 1/3] dovecot: Fix CVE-2020-12100
Added patches to fix CVE-2020-12100
Link:
http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz
Signed-off-by: Sana Kazi
Signed-off-by: Sana Kazi
---
...-parser-Add-a-message_part_finish-he.patch | 76 +++
...-parser-Change-message_part_append-t.patch | 71 +++
...-parser-Optimize-updating-children_c.patch | 49 +
...-parser-Optimize-appending-new-part-.patch | 88
...-parser-Minor-code-cleanup-to-findin.patch | 45 +
...-parser-Truncate-excessively-long-MI.patch | 163 +++
...-parser-Optimize-boundary-lookups-wh.patch | 72 +++
...-parser-Add-boundary_remove_until-he.patch | 50 +
...-parser-Don-t-use-memory-pool-for-pa.patch | 169
...-parser-Support-limiting-max-number-.patch | 188 ++
...-parser-Support-limiting-max-number-.patch | 87
...handling-trailing-in-MIME-boundaries.patch | 133 +
...Fix-parse_too_many_nested_mime_parts.patch | 32 +++
.../dovecot/dovecot/buffer_free_fix.patch | 27 +++
.../dovecot/dovecot_2.2.36.4.bb | 14 ++
15 files changed, 1264 insertions(+)
create mode 100644
meta-networking/recipes-support/dovecot/dovecot/0001-lib-mail-message-parser-Add-a-message_part_finish-he.patch
create mode 100644
meta-networking/recipes-support/dovecot/dovecot/0002-lib-mail-message-parser-Change-message_part_append-t.patch
create mode 100644
meta-networking/recipes-support/dovecot/dovecot/0003-lib-mail-message-parser-Optimize-updating-children_c.patch
create mode 100644
meta-networking/recipes-support/dovecot/dovecot/0004-lib-mail-message-parser-Optimize-appending-new-part-.patch
create mode 100644
meta-networking/recipes-support/dovecot/dovecot/0005-lib-mail-message-parser-Minor-code-cleanup-to-findin.patch
create mode 100644
meta-networking/recipes-support/dovecot/dovecot/0006-lib-mail-message-parser-Truncate-excessively-long-MI.patch
create mode 100644
meta-networking/recipes-support/dovecot/dovecot/0007-lib-mail-message-parser-Optimize-boundary-lookups-wh.patch
create mode 100644
meta-networking/recipes-support/dovecot/dovecot/0008-lib-mail-message-parser-Add-boundary_remove_until-he.patch
create mode 100644
meta-networking/recipes-support/dovecot/dovecot/0009-lib-mail-message-parser-Don-t-use-memory-pool-for-pa.patch
create mode 100644
meta-networking/recipes-support/dovecot/dovecot/0010-lib-mail-message-parser-Support-limiting-max-number-.patch
create mode 100644
meta-networking/recipes-support/dovecot/dovecot/0011-lib-mail-message-parser-Support-limiting-max-number-.patch
create mode 100644
meta-networking/recipes-support/dovecot/dovecot/0012-lib-mail-Fix-handling-trailing-in-MIME-boundaries.patch
create mode 100644
meta-networking/recipes-support/dovecot/dovecot/0013-lib-mail-Fix-parse_too_many_nested_mime_parts.patch
create mode 100644
meta-networking/recipes-support/dovecot/dovecot/buffer_free_fix.patch
diff --git
a/meta-networking/recipes-support/dovecot/dovecot/0001-lib-mail-message-parser-Add-a-message_part_finish-he.patch
b/meta-networking/recipes-support/dovecot/dovecot/0001-lib-mail-message-parser-Add-a-message_part_finish-he.patch
new file mode 100644
index 00..583f71ca58
--- /dev/null
+++
b/meta-networking/recipes-support/dovecot/dovecot/0001-lib-mail-message-parser-Add-a-message_part_finish-he.patch
@@ -0,0 +1,76 @@
+From 667d353b0f217372e8cc43ea4fe13466689c7ed0 Mon Sep 17 00:00:00 2001
+From: Timo Sirainen
+Date: Thu, 23 Apr 2020 11:33:31 +0300
+Subject: [PATCH 01/13] lib-mail: message-parser - Add a message_part_finish()
+ helper function
+
+---
+ src/lib-mail/message-parser.c | 25 -
+ 1 file changed, 12 insertions(+), 13 deletions(-)
+
+Signed-off-by: Sana Kazi
+
+CVE: CVE-2020-12100
+Upstream-Status: Backport
[http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz]
+Comment: No change in any hunk
+
+diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c
+index b1de1950a..aaa8dd8b7 100644
+--- a/src/lib-mail/message-parser.c
b/src/lib-mail/message-parser.c
+@@ -195,6 +195,13 @@ message_part_append(pool_t pool, struct message_part
*parent)
+ return part;
+ }
+
++static void message_part_finish(struct message_parser_ctx *ctx)
++{
++ message_size_add(>part->parent->body_size, >part->body_size);
++ message_size_add(>part->parent->body_size,
>part->header_size);
++ ctx->part = ctx->part->parent;
++}
++
+ static void parse_next_body_multipart_init(struct message_parser_ctx *ctx)
+ {
+ struct message_boundary *b;
+@@ -312,19 +319,16 @@ static int parse_part_finish(struct message_parser_ctx
*ctx,
+struct message_boundary *boundary,
+struct message_block *block_r, bool first_line)
+ {
+- struct message_part *part;
+ size_t line_size;
+
+
Re: [oe] [meta-networking][meta-oe][master][dunfell][PATCH] mdns: Whitelisted CVE-2007-0613 for mdns
Hi, It is merged in dunfell but not yet in master. Are you planning to merge it in master? Thanks & Regards, Sana Kazi KPIT Technologies Limited From: Khem Raj Sent: Friday, March 19, 2021 10:11 PM To: Sana Kazi ; Openembedded-devel@lists.openembedded.org Subject: Re: [meta-networking][meta-oe][master][dunfell][PATCH] mdns: Whitelisted CVE-2007-0613 for mdns Hello Sana It was in latest pull from Armin which was merged today it should be in already in dunfell now. Let us know if not. On 3/19/21 6:31 AM, Sana Kazi wrote: > Hi Team, > > Could you please review below patch to be upstreamed for mdns > > > Thanks & Regards, > > Sana Kazi > KPIT Technologies Limited > > > > ---- > *From:* Sana Kazi > *Sent:* Tuesday, March 9, 2021 12:06 PM > *To:* Openembedded-devel@lists.openembedded.org > ; raj.k...@gmail.com > > *Cc:* Nisha Parrakat ; Aditya Tayade > ; Harpritkaur Bhandari > > *Subject:* [meta-networking][meta-oe][master][dunfell][PATCH] mdns: > Whitelisted CVE-2007-0613 for mdns > CVE-2007-0613 is not applicable as it only affects Apple products > i.e. ichat,mdnsresponder, instant message framework and MacOS. > Also, > https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.exploit-db.com%2Fexploits%2F3230data=04%7C01%7CSana.Kazi%40kpit.com%7Ca14a0eb0436f8fb708d8eaf5caef%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637517688742865584%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000sdata=zEEydQaidbnLPHjwC8eq4k%2Fb%2FThn53dRfqsUwy5KU%2FE%3Dreserved=0 > <https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.exploit-db.com%2Fexploits%2F3230data=04%7C01%7CSana.Kazi%40kpit.com%7Ca14a0eb0436f8fb708d8eaf5caef%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637517688742865584%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000sdata=zEEydQaidbnLPHjwC8eq4k%2Fb%2FThn53dRfqsUwy5KU%2FE%3Dreserved=0> > shows the part of code > affected by CVE-2007-0613 which is not preset in upstream source code. > Hence, CVE-2007-0613 does not affect other Yocto implementations and > is not reported for other distros can be marked whitelisted. > Links: > https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fvulmon.com%2Fvulnerabilitydetails%3Fqid%3DCVE-2007-0613data=04%7C01%7CSana.Kazi%40kpit.com%7Ca14a0eb0436f8fb708d8eaf5caef%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637517688742875586%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000sdata=eAkjsIawSp2YHJL3bqORC%2B%2FRdxYVRKFIJ998sPA%2B%2FZ4%3Dreserved=0 > <https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fvulmon.com%2Fvulnerabilitydetails%3Fqid%3DCVE-2007-0613data=04%7C01%7CSana.Kazi%40kpit.com%7Ca14a0eb0436f8fb708d8eaf5caef%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637517688742875586%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000sdata=eAkjsIawSp2YHJL3bqORC%2B%2FRdxYVRKFIJ998sPA%2B%2FZ4%3Dreserved=0> > https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.incibe-cert.es%2Fen%2Fearly-warning%2Fvulnerabilities%2Fcve-2007-0613data=04%7C01%7CSana.Kazi%40kpit.com%7Ca14a0eb0436f8fb708d8eaf5caef%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637517688742875586%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000sdata=5qInEtds3j9aCQPBzoNNgwnjrpkNc%2BlkDXmk2gvoHOA%3Dreserved=0 > > <https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.incibe-cert.es%2Fen%2Fearly-warning%2Fvulnerabilities%2Fcve-2007-0613data=04%7C01%7CSana.Kazi%40kpit.com%7Ca14a0eb0436f8fb708d8eaf5caef%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637517688742875586%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000sdata=5qInEtds3j9aCQPBzoNNgwnjrpkNc%2BlkDXmk2gvoHOA%3Dreserved=0> > https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsecurity-tracker.debian.org%2Ftracker%2FCVE-2007-0613data=04%7C01%7CSana.Kazi%40kpit.com%7Ca14a0eb0436f8fb708d8eaf5caef%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637517688742875586%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000sdata=QW82iXTsR0a1LvT5gIku8EJux9cOlpzzGCVIOCa1FFQ%3Dreserved=0 > <https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsecurity-tracker.debian.org%2Ftracker%2FCVE-2007-0613data=04%7C01%7CSana.Kazi%40kpit.com%7Ca14a0eb0436f8fb708d8eaf5caef%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637517688742875586%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000sdata=QW82iXTsR0a1LvT5gIku8EJux9
Re: [oe] [meta-networking][meta-oe][master][dunfell][PATCH] mdns: Whitelisted CVE-2007-0613 for mdns
Hi Team,
Could you please review below patch to be upstreamed for mdns
Thanks & Regards,
Sana Kazi
KPIT Technologies Limited
From: Sana Kazi
Sent: Tuesday, March 9, 2021 12:06 PM
To: Openembedded-devel@lists.openembedded.org
; raj.k...@gmail.com
Cc: Nisha Parrakat ; Aditya Tayade
; Harpritkaur Bhandari
Subject: [meta-networking][meta-oe][master][dunfell][PATCH] mdns: Whitelisted
CVE-2007-0613 for mdns
CVE-2007-0613 is not applicable as it only affects Apple products
i.e. ichat,mdnsresponder, instant message framework and MacOS.
Also, https://www.exploit-db.com/exploits/3230 shows the part of code
affected by CVE-2007-0613 which is not preset in upstream source code.
Hence, CVE-2007-0613 does not affect other Yocto implementations and
is not reported for other distros can be marked whitelisted.
Links:
https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613
https://www.incibe-cert.es/en/early-warning/vulnerabilities/cve-2007-0613
https://security-tracker.debian.org/tracker/CVE-2007-0613
https://ubuntu.com/security/CVE-2007-0613
https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613
---
.../recipes-protocols/mdns/mdns_1310.40.42.bb | 13 +
1 file changed, 13 insertions(+)
diff --git a/meta-networking/recipes-protocols/mdns/mdns_1310.40.42.bb
b/meta-networking/recipes-protocols/mdns/mdns_1310.40.42.bb
index 445ed87e4..60bc26bf1 100644
--- a/meta-networking/recipes-protocols/mdns/mdns_1310.40.42.bb
+++ b/meta-networking/recipes-protocols/mdns/mdns_1310.40.42.bb
@@ -27,6 +27,19 @@ SRC_URI[sha256sum] =
"bea29e1616cd56ccb8f88c0fad2bcdc4031f4deb2d899c793e2f27a838
CVE_PRODUCT = "apple:mdnsresponder"
+# CVE-2007-0613 is not applicable as it only affects Apple products
+# i.e. ichat,mdnsresponder, instant message framework and MacOS.
+# Also, https://www.exploit-db.com/exploits/3230 shows the part of code
+# affected by CVE-2007-0613 which is not preset in upstream source code.
+# Hence, CVE-2007-0613 does not affect other Yocto implementations and
+# is not reported for other distros can be marked whitelisted.
+# Links:
+# https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613
+# https://www.incibe-cert.es/en/early-warning/vulnerabilities/cve-2007-0613
+# https://security-tracker.debian.org/tracker/CVE-2007-0613
+# https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613
+CVE_CHECK_WHITELIST += "CVE-2007-0613"
+
PARALLEL_MAKE = ""
S = "${WORKDIR}/mDNSResponder-${PV}/mDNSPosix"
--
2.17.1
This message contains information that may be privileged or confidential and is
the property of the KPIT Technologies Ltd. It is intended only for the person
to whom it is addressed. If you are not the intended recipient, you are not
authorized to read, print, retain copy, disseminate, distribute, or use this
message or any part thereof. If you receive this message in error, please
notify the sender immediately and delete all copies of this message. KPIT
Technologies Ltd. does not accept any liability for virus infected mails.
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#90221):
https://lists.openembedded.org/g/openembedded-devel/message/90221
Mute This Topic: https://lists.openembedded.org/mt/81195756/21656
Group Owner: openembedded-devel+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[oe] [meta-networking][meta-oe][dunfell][PATCH] dnsmasq: Add fixes for CVEs reported for dnsmasq
Applied single patch for below listed CVEs which avoids remote
attacker to overwrite memory:
CVE-2020-25681
CVE-2020-25682
CVE-2020-25683
CVE-2020-25687
as they are fixed by single commit
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=4e96a4be685c9e4445f6ee79ad0b36b9119b502a
Link: https://www.openwall.com/lists/oss-security/2021/01/19/1
Also, applied patch for below listed CVEs:
CVE-2020-25684
CVE-2020-25685
CVE-2020-25686
Signed-off-by: Sana Kazi
---
.../recipes-support/dnsmasq/dnsmasq_2.81.bb | 7 +-
.../dnsmasq/files/CVE-2020-25681.patch| 373 +++
.../dnsmasq/files/CVE-2020-25684.patch| 100 +++
.../dnsmasq/files/CVE-2020-25685-1.patch | 590 ++
.../dnsmasq/files/CVE-2020-25685-2.patch | 201 ++
.../dnsmasq/files/CVE-2020-25686-1.patch | 335 ++
.../dnsmasq/files/CVE-2020-25686-2.patch | 66 ++
7 files changed, 1671 insertions(+), 1 deletion(-)
create mode 100644
meta-networking/recipes-support/dnsmasq/files/CVE-2020-25681.patch
create mode 100644
meta-networking/recipes-support/dnsmasq/files/CVE-2020-25684.patch
create mode 100644
meta-networking/recipes-support/dnsmasq/files/CVE-2020-25685-1.patch
create mode 100644
meta-networking/recipes-support/dnsmasq/files/CVE-2020-25685-2.patch
create mode 100644
meta-networking/recipes-support/dnsmasq/files/CVE-2020-25686-1.patch
create mode 100644
meta-networking/recipes-support/dnsmasq/files/CVE-2020-25686-2.patch
diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb
b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb
index 92415386c..a1dc0f3a0 100644
--- a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb
+++ b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb
@@ -4,5 +4,10 @@ SRC_URI[dnsmasq-2.81.md5sum] =
"e43808177a773014b5892ccba238f7a8"
SRC_URI[dnsmasq-2.81.sha256sum] =
"3c28c68c6c2967c3a96e9b432c0c046a5df17a426d3a43cffe9e693cf05804d0"
SRC_URI += "\
file://lua.patch \
+file://CVE-2020-25681.patch \
+file://CVE-2020-25684.patch \
+file://CVE-2020-25685-1.patch \
+file://CVE-2020-25685-2.patch \
+file://CVE-2020-25686-1.patch \
+file://CVE-2020-25686-2.patch \
"
-
diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25681.patch
b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25681.patch
new file mode 100644
index 0..cab734ed1
--- /dev/null
+++ b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25681.patch
@@ -0,0 +1,373 @@
+From 4e96a4be685c9e4445f6ee79ad0b36b9119b502a Mon Sep 17 00:00:00 2001
+From: Simon Kelley
+Date: Wed, 11 Nov 2020 23:25:04 +
+Subject: [PATCH] Fix remote buffer overflow CERT VU#434904
+
+The problem is in the sort_rrset() function and allows a remote
+attacker to overwrite memory. Any dnsmasq instance with DNSSEC
+enabled is vulnerable.
+
+Signed-off-by: Sana Kazi
+---
+ CHANGELOG| 7 +-
+ src/dnssec.c | 273 ---
+ 2 files changed, 158 insertions(+), 122 deletions(-)
+
+CVE: CVE-2020-25681
+CVE: CVE-2020-25682
+CVE: CVE-2020-25683
+CVE: CVE-2020-25687
+Upstream-Status: Backport
[https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=patch;h=4e96a4be685c9e4445f6ee79ad0b36b9119b502a]
+Comment: No change in any hunk
+
+diff --git a/src/dnssec.c b/src/dnssec.c
+index db5c2d1..e95aa34 100644
+--- a/src/dnssec.c
b/src/dnssec.c
+@@ -223,138 +223,147 @@ static int check_date_range(unsigned long curtime, u32
date_start, u32 date_end)
+ && serial_compare_32(curtime, date_end) == SERIAL_LT;
+ }
+
+-/* Return bytes of canonicalised rdata, when the return value is zero, the
remaining
+- data, pointed to by *p, should be used raw. */
+-static int get_rdata(struct dns_header *header, size_t plen, unsigned char
*end, char *buff, int bufflen,
+- unsigned char **p, u16 **desc)
++/* Return bytes of canonicalised rrdata one by one.
++ Init state->ip with the RR, and state->end with the end of same.
++ Init state->op to NULL.
++ Init state->desc to RR descriptor.
++ Init state->buff with a MAXDNAME * 2 buffer.
++
++ After each call which returns 1, state->op points to the next byte of data.
++ On returning 0, the end has been reached.
++*/
++struct rdata_state {
++ u16 *desc;
++ size_t c;
++ unsigned char *end, *ip, *op;
++ char *buff;
++};
++
++static int get_rdata(struct dns_header *header, size_t plen, struct
rdata_state *state)
+ {
+- int d = **desc;
++ int d;
+
+- /* No more data needs mangling */
+- if (d == (u16)-1)
++ if (state->op && state->c != 1)
+ {
+- /* If there's more data than we have space for, just return what fits,
+- we'll get called again for more chunks */
+- if (end - *p > bufflen)
+- {
+-memcpy(buff, *p, bufflen);
+-*p += bufflen;
+-return bufflen;
+- }
+-
+- return 0;
++
[oe] [meta-networking][meta-oe][master][dunfell][PATCHv2] mdns: Whitelisted CVE-2007-0613 for mdns
CVE-2007-0613 is not applicable as it only affects Apple products
i.e. ichat,mdnsresponder, instant message framework and MacOS.
Also, https://www.exploit-db.com/exploits/3230 shows the part of code
affected by CVE-2007-0613 which is not preset in upstream source code.
Hence, CVE-2007-0613 does not affect other Yocto implementations and
is not reported for other distros can be marked whitelisted.
Links:
https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613
https://www.incibe-cert.es/en/early-warning/vulnerabilities/cve-2007-0613
https://security-tracker.debian.org/tracker/CVE-2007-0613
https://ubuntu.com/security/CVE-2007-0613
https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613
Signed-off-by: Sana Kazi
---
.../recipes-protocols/mdns/mdns_1310.40.42.bb | 13 +
1 file changed, 13 insertions(+)
diff --git a/meta-networking/recipes-protocols/mdns/mdns_1310.40.42.bb
b/meta-networking/recipes-protocols/mdns/mdns_1310.40.42.bb
index 445ed87e4..60bc26bf1 100644
--- a/meta-networking/recipes-protocols/mdns/mdns_1310.40.42.bb
+++ b/meta-networking/recipes-protocols/mdns/mdns_1310.40.42.bb
@@ -27,6 +27,19 @@ SRC_URI[sha256sum] =
"bea29e1616cd56ccb8f88c0fad2bcdc4031f4deb2d899c793e2f27a838
CVE_PRODUCT = "apple:mdnsresponder"
+# CVE-2007-0613 is not applicable as it only affects Apple products
+# i.e. ichat,mdnsresponder, instant message framework and MacOS.
+# Also, https://www.exploit-db.com/exploits/3230 shows the part of code
+# affected by CVE-2007-0613 which is not preset in upstream source code.
+# Hence, CVE-2007-0613 does not affect other Yocto implementations and
+# is not reported for other distros can be marked whitelisted.
+# Links:
+# https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613
+# https://www.incibe-cert.es/en/early-warning/vulnerabilities/cve-2007-0613
+# https://security-tracker.debian.org/tracker/CVE-2007-0613
+# https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613
+CVE_CHECK_WHITELIST += "CVE-2007-0613"
+
PARALLEL_MAKE = ""
S = "${WORKDIR}/mDNSResponder-${PV}/mDNSPosix"
--
2.17.1
This message contains information that may be privileged or confidential and is
the property of the KPIT Technologies Ltd. It is intended only for the person
to whom it is addressed. If you are not the intended recipient, you are not
authorized to read, print, retain copy, disseminate, distribute, or use this
message or any part thereof. If you receive this message in error, please
notify the sender immediately and delete all copies of this message. KPIT
Technologies Ltd. does not accept any liability for virus infected mails.
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#89996):
https://lists.openembedded.org/g/openembedded-devel/message/89996
Mute This Topic: https://lists.openembedded.org/mt/81195770/21656
Group Owner: openembedded-devel+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[oe] [meta-networking][meta-oe][master][dunfell][PATCH] mdns: Whitelisted CVE-2007-0613 for mdns
CVE-2007-0613 is not applicable as it only affects Apple products
i.e. ichat,mdnsresponder, instant message framework and MacOS.
Also, https://www.exploit-db.com/exploits/3230 shows the part of code
affected by CVE-2007-0613 which is not preset in upstream source code.
Hence, CVE-2007-0613 does not affect other Yocto implementations and
is not reported for other distros can be marked whitelisted.
Links:
https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613
https://www.incibe-cert.es/en/early-warning/vulnerabilities/cve-2007-0613
https://security-tracker.debian.org/tracker/CVE-2007-0613
https://ubuntu.com/security/CVE-2007-0613
https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613
---
.../recipes-protocols/mdns/mdns_1310.40.42.bb | 13 +
1 file changed, 13 insertions(+)
diff --git a/meta-networking/recipes-protocols/mdns/mdns_1310.40.42.bb
b/meta-networking/recipes-protocols/mdns/mdns_1310.40.42.bb
index 445ed87e4..60bc26bf1 100644
--- a/meta-networking/recipes-protocols/mdns/mdns_1310.40.42.bb
+++ b/meta-networking/recipes-protocols/mdns/mdns_1310.40.42.bb
@@ -27,6 +27,19 @@ SRC_URI[sha256sum] =
"bea29e1616cd56ccb8f88c0fad2bcdc4031f4deb2d899c793e2f27a838
CVE_PRODUCT = "apple:mdnsresponder"
+# CVE-2007-0613 is not applicable as it only affects Apple products
+# i.e. ichat,mdnsresponder, instant message framework and MacOS.
+# Also, https://www.exploit-db.com/exploits/3230 shows the part of code
+# affected by CVE-2007-0613 which is not preset in upstream source code.
+# Hence, CVE-2007-0613 does not affect other Yocto implementations and
+# is not reported for other distros can be marked whitelisted.
+# Links:
+# https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613
+# https://www.incibe-cert.es/en/early-warning/vulnerabilities/cve-2007-0613
+# https://security-tracker.debian.org/tracker/CVE-2007-0613
+# https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613
+CVE_CHECK_WHITELIST += "CVE-2007-0613"
+
PARALLEL_MAKE = ""
S = "${WORKDIR}/mDNSResponder-${PV}/mDNSPosix"
--
2.17.1
This message contains information that may be privileged or confidential and is
the property of the KPIT Technologies Ltd. It is intended only for the person
to whom it is addressed. If you are not the intended recipient, you are not
authorized to read, print, retain copy, disseminate, distribute, or use this
message or any part thereof. If you receive this message in error, please
notify the sender immediately and delete all copies of this message. KPIT
Technologies Ltd. does not accept any liability for virus infected mails.
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#89995):
https://lists.openembedded.org/g/openembedded-devel/message/89995
Mute This Topic: https://lists.openembedded.org/mt/81195756/21656
Group Owner: openembedded-devel+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
