Hi Vijay, Thanks for investigating this. I'll take care of adding the missing changes.
Steve On Mon, Nov 18, 2024 at 8:34 PM Vijay Anusuri <[email protected]> wrote: > > Hi Steve, > > It looks like tzdata update to 2024b causing the ptest failures for glib2.0 > in the file "glib/gdatetime.test" not with CVE -2024-52533. > > Below commit is missing in the kirkstone-nut > > https://git.openembedded.org/openembedded-core/commit/?id=0c8f87d5d4ec9f286b1e85d114cb9a728c1ff64b > > I think we need to pull/merge the above commit along with the tzdata update > to 2024b. > https://git.openembedded.org/openembedded-core-contrib/commit/?h=stable/kirkstone-nut&id=723c32ff858ccfd5a69e63e681a57903af928fd5 > > Reference: https://lists.openembedded.org/g/openembedded-core/message/206095 > > Thanks & Regards, > Vijay > > On Tue, Nov 19, 2024 at 2:45 AM Steve Sakoman <[email protected]> wrote: >> >> Unfortunately I am getting ptest errors with this patch on both >> qemux86-64 and and qemuarm64: >> >> AssertionError: Failed ptests: >> {'glib-2.0': ['glib/gdatetime.test']} >> >> https://valkyrie.yoctoproject.org/#/builders/73/builds/403 >> https://valkyrie.yoctoproject.org/#/builders/61/builds/403 >> >> Steve >> >> On Thu, Nov 14, 2024 at 4:39 AM Vijay Anusuri via >> lists.openembedded.org <[email protected]> >> wrote: >> > >> > From: Vijay Anusuri <[email protected]> >> > >> > Upstream-Status: Backport from >> > https://gitlab.gnome.org/GNOME/glib/-/commit/ec0b708b981af77fef8e4bbb603cde4de4cd2e29 >> > >> > Reference: https://security-tracker.debian.org/tracker/CVE-2024-52533 >> > >> > Signed-off-by: Vijay Anusuri <[email protected]> >> > --- >> > .../glib-2.0/glib-2.0/CVE-2024-52533.patch | 49 +++++++++++++++++++ >> > meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb | 1 + >> > 2 files changed, 50 insertions(+) >> > create mode 100644 >> > meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-52533.patch >> > >> > diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-52533.patch >> > b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-52533.patch >> > new file mode 100644 >> > index 0000000000..3a06a9d782 >> > --- /dev/null >> > +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-52533.patch >> > @@ -0,0 +1,49 @@ >> > +From ec0b708b981af77fef8e4bbb603cde4de4cd2e29 Mon Sep 17 00:00:00 2001 >> > +From: Michael Catanzaro <[email protected]> >> > +Date: Thu, 19 Sep 2024 18:35:53 +0100 >> > +Subject: [PATCH] gsocks4aproxy: Fix a single byte buffer overflow in >> > connect >> > + messages >> > + >> > +`SOCKS4_CONN_MSG_LEN` failed to account for the length of the final nul >> > +byte in the connect message, which is an addition in SOCKSv4a vs >> > +SOCKSv4. >> > + >> > +This means that the buffer for building and transmitting the connect >> > +message could be overflowed if the username and hostname are both >> > +`SOCKS4_MAX_LEN` (255) bytes long. >> > + >> > +Proxy configurations are normally statically configured, so the username >> > +is very unlikely to be near its maximum length, and hence this overflow >> > +is unlikely to be triggered in practice. >> > + >> > +(Commit message by Philip Withnall, diagnosis and fix by Michael >> > +Catanzaro.) >> > + >> > +Fixes: #3461 >> > + >> > +Upstream-Status: Backport >> > [https://gitlab.gnome.org/GNOME/glib/-/commit/ec0b708b981af77fef8e4bbb603cde4de4cd2e29] >> > +CVE: CVE-2024-52533 >> > +Signed-off-by: Vijay Anusuri <[email protected]> >> > +--- >> > + gio/gsocks4aproxy.c | 4 ++-- >> > + 1 file changed, 2 insertions(+), 2 deletions(-) >> > + >> > +diff --git a/gio/gsocks4aproxy.c b/gio/gsocks4aproxy.c >> > +index 3dad118eb7..b3146d08fd 100644 >> > +--- a/gio/gsocks4aproxy.c >> > ++++ b/gio/gsocks4aproxy.c >> > +@@ -79,9 +79,9 @@ g_socks4a_proxy_init (GSocks4aProxy *proxy) >> > + * >> > +----+----+----+----+----+----+----+----+----+----+....+----+------+....+------+ >> > + * | VN | CD | DSTPORT | DSTIP | USERID |NULL| HOST | >> > | NULL | >> > + * >> > +----+----+----+----+----+----+----+----+----+----+....+----+------+....+------+ >> > +- * 1 1 2 4 variable 1 variable >> > ++ * 1 1 2 4 variable 1 >> > variable 1 >> > + */ >> > +-#define SOCKS4_CONN_MSG_LEN (9 + SOCKS4_MAX_LEN * 2) >> > ++#define SOCKS4_CONN_MSG_LEN (10 + SOCKS4_MAX_LEN * 2) >> > + static gint >> > + set_connect_msg (guint8 *msg, >> > + const gchar *hostname, >> > +-- >> > +GitLab >> > + >> > diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb >> > b/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb >> > index 35b51a3ec9..c628ac19af 100644 >> > --- a/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb >> > +++ b/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb >> > @@ -49,6 +49,7 @@ SRC_URI = >> > "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \ >> > file://CVE-2024-34397_16.patch \ >> > file://CVE-2024-34397_17.patch \ >> > file://CVE-2024-34397_18.patch \ >> > + file://CVE-2024-52533.patch \ >> > " >> > SRC_URI:append:class-native = " file://relocate-modules.patch" >> > >> > -- >> > 2.25.1 >> > >> > >> > >> >
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#207406): https://lists.openembedded.org/g/openembedded-core/message/207406 Mute This Topic: https://lists.openembedded.org/mt/109572074/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
