[OE-core][dunfell][PATCH] xserver-xorg: Backport fix for CVE-2024-31080

2024-04-06 Thread Ashish Sharma via lists.openembedded.org
Upstream-Status: Backport 
[https://gitlab.freedesktop.org/xorg/xserver/-/commit/96798fc1967491c80a4d0c8d9e0a80586cb2152b]
Signed-off-by: Ashish Sharma 
---
 .../xserver-xorg/CVE-2024-31080.patch | 49 +++
 .../xorg-xserver/xserver-xorg_1.20.14.bb  |  1 +
 2 files changed, 50 insertions(+)
 create mode 100644 
meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31080.patch

diff --git 
a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31080.patch 
b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31080.patch
new file mode 100644
index 00..da735efb2b
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31080.patch
@@ -0,0 +1,49 @@
+From 96798fc1967491c80a4d0c8d9e0a80586cb2152b Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith 
+Date: Fri, 22 Mar 2024 18:51:45 -0700
+Subject: [PATCH] Xi: ProcXIGetSelectedEvents needs to use unswapped length to
+ send reply
+
+CVE-2024-31080
+
+Reported-by: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69762
+Fixes: 53e821ab4 ("Xi: add request processing for XIGetSelectedEvents.")
+Signed-off-by: Alan Coopersmith 
+Part-of: 
+
+Upstream-Status: Backport 
[https://gitlab.freedesktop.org/xorg/xserver/-/commit/96798fc1967491c80a4d0c8d9e0a80586cb2152b]
+CVE: CVE-2024-31080
+Signed-off-by: Ashish Sharma 
+
+ Xi/xiselectev.c | 5 -
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/Xi/xiselectev.c b/Xi/xiselectev.c
+index edcb8a0d36..ac14949871 100644
+--- a/Xi/xiselectev.c
 b/Xi/xiselectev.c
+@@ -349,6 +349,7 @@ ProcXIGetSelectedEvents(ClientPtr client)
+ InputClientsPtr others = NULL;
+ xXIEventMask *evmask = NULL;
+ DeviceIntPtr dev;
++uint32_t length;
+ 
+ REQUEST(xXIGetSelectedEventsReq);
+ REQUEST_SIZE_MATCH(xXIGetSelectedEventsReq);
+@@ -418,10 +419,12 @@ ProcXIGetSelectedEvents(ClientPtr client)
+ }
+ }
+ 
++/* save the value before SRepXIGetSelectedEvents swaps it */
++length = reply.length;
+ WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), );
+ 
+ if (reply.num_masks)
+-WriteToClient(client, reply.length * 4, buffer);
++WriteToClient(client, length * 4, buffer);
+ 
+ free(buffer);
+ return Success;
+-- 
+GitLab
+
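Review bot: the fix is correct for the case it targets, but its safety still rests on a relation this hunk does not show. `length = reply.length;` is taken before `WriteReplyToClient`, which for a client of the opposite byte order runs `SRepXIGetSelectedEvents` and swaps `reply.length` in place; the old `WriteToClient(client, reply.length * 4, buffer)` therefore used the swapped value as a byte count and could read far past the end of `buffer`. The saved copy is only safe if `buffer` was allocated with `reply.length * 4` bytes, which is computed outside this hunk, so when applying to 1.20.14 confirm the surrounding code still sizes `buffer` from the same value. The same pattern is fixed in `ProcXIPassiveGrabDevice` by the companion CVE-2024-31081 backport; a grep of the 1.20.14 tree for `WriteToClient(client, <reply>.length * 4, ...)` calls that follow a `WriteReplyToClient` would show whether a third instance exists. Note also that this archived rendering has lost the `&reply` argument (`WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), );`) and the `++++ b/Xi/xiselectev.c` header line, so the patch must be taken from the list's raw message or the upstream commit, not from this page.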
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb 
b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb
index 9e8ad7b1e5..aacee8892c 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb
@@ -33,6 +33,7 @@ SRC_URI += 
"file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
file://CVE-2024-0408.patch \
file://CVE-2024-0409.patch \
file://CVE-2024-31081.patch \
+   file://CVE-2024-31080.patch \
 "
 SRC_URI[md5sum] = "453fc86aac8c629b3a5b77e8dcca30bf"
 SRC_URI[sha256sum] = 
"54b199c9280ff8bf0f73a54a759645bd0eeeda7255d1c99310d5b7595f3ac066"
-- 
2.24.4


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#197998): 
https://lists.openembedded.org/g/openembedded-core/message/197998
Mute This Topic: https://lists.openembedded.org/mt/105371766/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



[OE-core][dunfell][PATCH] xserver-xorg: Backport fix for CVE-2024-31081

2024-04-06 Thread Ashish Sharma via lists.openembedded.org
Upstream-Status: Backport 
[https://gitlab.freedesktop.org/xorg/xserver/-/commit/3e77295f888c67fc7645db5d0c00926a29ffecee]
Signed-off-by: Ashish Sharma 
---
 .../xserver-xorg/CVE-2024-31081.patch | 47 +++
 .../xorg-xserver/xserver-xorg_1.20.14.bb  |  1 +
 2 files changed, 48 insertions(+)
 create mode 100644 
meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31081.patch

diff --git 
a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31081.patch 
b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31081.patch
new file mode 100644
index 00..d2c551a0e5
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31081.patch
@@ -0,0 +1,47 @@
+From 3e77295f888c67fc7645db5d0c00926a29ffecee Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith 
+Date: Fri, 22 Mar 2024 18:56:27 -0700
+Subject: [PATCH] Xi: ProcXIPassiveGrabDevice needs to use unswapped length to
+ send reply
+
+CVE-2024-31081
+
+Fixes: d220d6907 ("Xi: add GrabButton and GrabKeysym code.")
+Signed-off-by: Alan Coopersmith 
+Part-of: 
+
+Upstream-Status: Backport 
[https://gitlab.freedesktop.org/xorg/xserver/-/commit/3e77295f888c67fc7645db5d0c00926a29ffecee]
+CVE: CVE-2024-31081
+Signed-off-by: Ashish Sharma 
+
+ Xi/xipassivegrab.c | 5 -
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
+index c9ac2f8553..896233bec2 100644
+--- a/Xi/xipassivegrab.c
 b/Xi/xipassivegrab.c
+@@ -93,6 +93,7 @@ ProcXIPassiveGrabDevice(ClientPtr client)
+ GrabParameters param;
+ void *tmp;
+ int mask_len;
++uint32_t length;
+ 
+ REQUEST(xXIPassiveGrabDeviceReq);
+ REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
+@@ -247,9 +248,11 @@ ProcXIPassiveGrabDevice(ClientPtr client)
+ }
+ }
+ 
++/* save the value before SRepXIPassiveGrabDevice swaps it */
++length = rep.length;
+ WriteReplyToClient(client, sizeof(rep), );
+ if (rep.num_modifiers)
+-WriteToClient(client, rep.length * 4, modifiers_failed);
++WriteToClient(client, length * 4, modifiers_failed);
+ 
+  out:
+ free(modifiers_failed);
+-- 
+GitLab
+
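Review bot: the `length = rep.length;` copy before `WriteReplyToClient` fixes the same swapped-length read as in `ProcXIGetSelectedEvents`, but the visible `out:` label just below deserves a look: nothing in this hunk changes the error path, so `modifiers_failed` is still freed at `out:` whether or not the reply was written, which is fine as long as `length` is not read after the label. As with the companion patch, the archive has eaten the `&rep` argument (`WriteReplyToClient(client, sizeof(rep), )`) and the `++++ b/Xi/xipassivegrab.c` line, so apply the patch from the raw message, not from this rendering.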
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb 
b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb
index a879e77144..9e8ad7b1e5 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb
@@ -32,6 +32,7 @@ SRC_URI += 
"file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
file://CVE-2024-21886-2.patch \
file://CVE-2024-0408.patch \
file://CVE-2024-0409.patch \
+   file://CVE-2024-31081.patch \
 "
 SRC_URI[md5sum] = "453fc86aac8c629b3a5b77e8dcca30bf"
 SRC_URI[sha256sum] = 
"54b199c9280ff8bf0f73a54a759645bd0eeeda7255d1c99310d5b7595f3ac066"
-- 
2.24.4


View/Reply Online (#197997): 
https://lists.openembedded.org/g/openembedded-core/message/197997



[OE-core][dunfell][PATCH] go: Backport fix for CVE-2024-24784

2024-04-06 Thread Ashish Sharma via lists.openembedded.org
Upstream-Status: Backport 
[https://github.com/golang/go/commit/5330cd225ba54c7dc78c1b46dcdf61a4671a632c]
Signed-off-by: Ashish Sharma 
---
 meta/recipes-devtools/go/go-1.14.inc  |   1 +
 .../go/go-1.14/CVE-2024-24784.patch   | 205 ++
 2 files changed, 206 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2024-24784.patch

diff --git a/meta/recipes-devtools/go/go-1.14.inc 
b/meta/recipes-devtools/go/go-1.14.inc
index 92b5688d21..90f2bd8255 100644
--- a/meta/recipes-devtools/go/go-1.14.inc
+++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -94,6 +94,7 @@ SRC_URI += "\
 file://CVE-2023-45289.patch \
 file://CVE-2023-45290.patch \
 file://CVE-2024-24785.patch \
+file://CVE-2024-24784.patch \
 "
 
 SRC_URI_append_libc-musl = " 
file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
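Review bot: the upstream commit is from `release-branch.go1.22` while this `.inc` feeds go 1.14, so applicability deserves a sentence in the cover text. The `message.go` hunks rely on `p.skipCFWS()` returning a bool, and the pre-image context already tests it before the same `errors.New("mail: misformatted parenthetical comment")`, so that helper exists in 1.14; the 40-line `message_test.go` change in the diffstat is not shown here and should be confirmed to compile against 1.14's test suite.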
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2024-24784.patch 
b/meta/recipes-devtools/go/go-1.14/CVE-2024-24784.patch
new file mode 100644
index 00..e9d9d972b9
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2024-24784.patch
@@ -0,0 +1,205 @@
+From 5330cd225ba54c7dc78c1b46dcdf61a4671a632c Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker 
+Date: Wed, 10 Jan 2024 11:02:14 -0800
+Subject: [PATCH] [release-branch.go1.22] net/mail: properly handle special
+ characters in phrase and obs-phrase
+
+Fixes a couple of misalignments with RFC 5322 which introduce
+significant diffs between (mostly) conformant parsers.
+
+This change reverts the changes made in CL50911, which allowed certain
+special RFC 5322 characters to appear unquoted in the "phrase" syntax.
+It is unclear why this change was made in the first place, and created
+a divergence from comformant parsers. In particular this resulted in
+treating comments in display names incorrectly.
+
+Additionally properly handle trailing malformed comments in the group
+syntax.
+
+For #65083
+Fixed #65849
+
+Change-Id: I00dddc044c6ae3381154e43236632604c390f672
+Reviewed-on: https://go-review.googlesource.com/c/go/+/96
+Reviewed-by: Damien Neil 
+LUCI-TryBot-Result: Go LUCI 

+Reviewed-on: https://go-review.googlesource.com/c/go/+/566215
+Reviewed-by: Carlos Amedee 
+
+Upstream-Status: Backport 
[https://github.com/golang/go/commit/5330cd225ba54c7dc78c1b46dcdf61a4671a632c]
+CVE: CVE-2024-24784
+Signed-off-by: Ashish Sharma 
+
+ src/net/mail/message.go  | 30 +++
+ src/net/mail/message_test.go | 40 ++--
+ 2 files changed, 46 insertions(+), 24 deletions(-)
+
+diff --git a/src/net/mail/message.go b/src/net/mail/message.go
+index af516fc30f470..fc2a9e46f811b 100644
+--- a/src/net/mail/message.go
 b/src/net/mail/message.go
+@@ -280,7 +280,7 @@ func (a *Address) String() string {
+   // Add quotes if needed
+   quoteLocal := false
+   for i, r := range local {
+-  if isAtext(r, false, false) {
++  if isAtext(r, false) {
+   continue
+   }
+   if r == '.' {
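Review bot: this call site and the one in `parseAddress` below drop the third `isAtext` argument, but the hunk that changes the `isAtext` definition itself (the one headed `@@ -661,7 +671,6 @@ Loop:`) is cut off in this archived view; confirm the stored CVE-2024-24784.patch carries the complete definition change, otherwise the package fails to compile rather than at runtime.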
+@@ -444,7 +444,7 @@ func (p *addrParser) parseAddress(handleGroup bool) 
([]*Address, error) {
+   if !p.consume('<') {
+   atext := true
+   for _, r := range displayName {
+-  if !isAtext(r, true, false) {
++  if !isAtext(r, true) {
+   atext = false
+   break
+   }
+@@ -479,7 +479,9 @@ func (p *addrParser) consumeGroupList() ([]*Address, 
error) {
+   // handle empty group.
+   p.skipSpace()
+   if p.consume(';') {
+-  p.skipCFWS()
++  if !p.skipCFWS() {
++  return nil, errors.New("mail: misformatted 
parenthetical comment")
++  }
+   return group, nil
+   }
+ 
+@@ -496,7 +498,9 @@ func (p *addrParser) consumeGroupList() ([]*Address, 
error) {
+   return nil, errors.New("mail: misformatted 
parenthetical comment")
+   }
+   if p.consume(';') {
+-  p.skipCFWS()
++  if !p.skipCFWS() {
++  return nil, errors.New("mail: misformatted 
parenthetical comment")
++  }
+   break
+   }
+   if !p.consume(',') {
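Review bot: the new `if !p.skipCFWS()` after `p.consume(';')` turns a malformed comment trailing a group into a parse error instead of silently accepting it, which is the intended behaviour change; the same three-line block with the same error string now appears twice in `consumeGroupList` and once more in `consumePhrase`, so a small helper returning that error would avoid the triplication. The `errors` import is already present in the pre-image, as the unchanged `errors.New` context line shows.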
+@@ -566,6 +570,12 @@ func (p *addrParser) consumePhrase() (phrase string, err 
error) {
+   var words []string
+   var isPrevEncoded bool
+   for {
++  // obs-phrase allows CFWS after one word
++  if len(words) > 0 {
++  if !p.skipCFWS() {
++  return "", errors.New("mail: misformatted 
parenthetical comment")
++  }
++  }
+   // word = atom / quoted-string
+   var word string
+   p.skipSpace()
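Review bot: the `len(words) > 0` guard means the CFWS check runs only between words, so a comment before the first word is still handled by the `p.skipSpace()` and word parsing that follow; since behaviour on 1.14 changes from accept to error for a malformed comment between words, the `message_test.go` part of the patch (not shown here) should cover both a well-formed `obs-phrase` with a comment between words and a malformed one.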
+@@ -661,7 +671,6 @@ Loop:
+ // If dot is true, consumeAtom parses an RFC 

[OE-core][dunfell][PATCH] expat: Backport fix for CVE-2024-28757

2024-03-13 Thread Ashish Sharma via lists.openembedded.org
Upstream ref:
https://github.com/libexpat/libexpat/pull/842
https://github.com/libexpat/libexpat/issues/839

Upstream-Status: Backport 
[https://github.com/libexpat/libexpat/commit/072eca0b72373da103ce15f8f62d1d7b52695454]
Signed-off-by: Ashish Sharma 
---
 .../expat/expat/CVE-2024-28757.patch  | 57 +++
 meta/recipes-core/expat/expat_2.2.9.bb|  1 +
 2 files changed, 58 insertions(+)
 create mode 100644 meta/recipes-core/expat/expat/CVE-2024-28757.patch

diff --git a/meta/recipes-core/expat/expat/CVE-2024-28757.patch 
b/meta/recipes-core/expat/expat/CVE-2024-28757.patch
new file mode 100644
index 00..c4bdb4621a
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2024-28757.patch
@@ -0,0 +1,57 @@
+From 1d50b80cf31de87750103656f6eb693746854aa8 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping 
+Date: Mon, 4 Mar 2024 23:49:06 +0100
+Subject: [PATCH] lib/xmlparse.c: Detect billion laughs attack with isolated
+ external parser
+
+When parsing DTD content with code like ..
+
+  XML_Parser parser = XML_ParserCreate(NULL);
+  XML_Parser ext_parser = XML_ExternalEntityParserCreate(parser, NULL, NULL);
+  enum XML_Status status = XML_Parse(ext_parser, doc, (int)strlen(doc), 
XML_TRUE);
+
+.. there are 0 bytes accounted as direct input and all input from `doc` 
accounted
+as indirect input.  Now function accountingGetCurrentAmplification cannot 
calculate
+the current amplification ratio as "(direct + indirect) / direct", and it did 
refuse
+to divide by 0 as one would expect, but it returned 1.0 for this case to 
indicate
+no amplification over direct input.  As a result, billion laughs attacks from
+DTD-only input were not detected with this isolated way of using an external 
parser.
+
+The new approach is to assume direct input of length not 0 but 22 -- derived 
from
+ghost input "", the shortest possible way to include an 
external
+DTD --, and do the usual "(direct + indirect) / direct" math with "direct := 
22".
+
+GitHub issue #839 has more details on this issue and its origin in ClusterFuzz
+finding 66812.
+---
+CVE: CVE-2024-28757
+Upstream-Status: Backport 
[https://github.com/libexpat/libexpat/commit/072eca0b72373da103ce15f8f62d1d7b52695454]
+Signed-off-by: Ashish Sharma 
+---
+ expat/lib/xmlparse.c | 6 +-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index b884d82b5..d44baa68d 100644
+--- a/expat/lib/xmlparse.c
 b/expat/lib/xmlparse.c
+@@ -7787,6 +7787,8 @@ copyString(const XML_Char *s, const 
XML_Memory_Handling_Suite *memsuite) {
+ 
+ static float
+ accountingGetCurrentAmplification(XML_Parser rootParser) {
++  //  1.1.12 => 22
++  const size_t lenOfShortestInclude = sizeof("") - 1;
+   const XmlBigCount countBytesOutput
+   = rootParser->m_accounting.countBytesDirect
+ + rootParser->m_accounting.countBytesIndirect;
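Review bot: the string literal in `sizeof("") - 1` is empty in this archived view, almost certainly because the list archive stripped the angle-bracketed declaration (the same happened to the quoted ghost input in the commit message); as shown here `lenOfShortestInclude` would be 0 and the new fallback branch would divide by zero, so confirm the stored patch file carries the 22-byte declaration that the `1.1.12 => 22` comment refers to. Separately, the cover text's Upstream-Status cites commit `072eca0b72373da103ce15f8f62d1d7b52695454` while the patch's `From` line is `1d50b80cf31de87750103656f6eb693746854aa8`; pick one and cite it consistently.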
+@@ -7794,7 +7796,9 @@ accountingGetCurrentAmplification(XML_Parser rootParser) 
{
+   = rootParser->m_accounting.countBytesDirect
+ ? (countBytesOutput
+/ (float)(rootParser->m_accounting.countBytesDirect))
+-: 1.0f;
++: ((lenOfShortestInclude
+++ rootParser->m_accounting.countBytesIndirect)
++   / (float)lenOfShortestInclude);
+   assert(! rootParser->m_parentParser);
+   return amplificationFactor;
+ }
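Review bot: the new else-branch computes `(lenOfShortestInclude + countBytesIndirect) / lenOfShortestInclude`, so for DTD-only input through an isolated external parser the ratio now grows with every indirect byte and the existing amplification limit fires, whereas the old constant `1.0f` could never trip it; the `assert(! rootParser->m_parentParser)` context confirms the function is only meant for the root parser, so the `countBytesDirect == 0` case really is the external-parser-only case and not a transient state. Mixed types are fine here: `size_t` plus `XmlBigCount` is promoted before the float division.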
diff --git a/meta/recipes-core/expat/expat_2.2.9.bb 
b/meta/recipes-core/expat/expat_2.2.9.bb
index 8a5006e59a..ea50533ed9 100644
--- a/meta/recipes-core/expat/expat_2.2.9.bb
+++ b/meta/recipes-core/expat/expat_2.2.9.bb
@@ -22,6 +22,7 @@ SRC_URI = 
"git://github.com/libexpat/libexpat.git;protocol=https;branch=master \
file://libtool-tag.patch \
file://CVE-2022-40674.patch \
file://CVE-2022-43680.patch \
+   file://CVE-2024-28757.patch \
  "
 
 SRCREV = "a7bc26b69768f7fb24f0c7976fae24b157b85b13"
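Review bot: the code hunks assume `rootParser->m_accounting` and `accountingGetCurrentAmplification` exist in the expat 2.2.9 tree, but this recipe hunk's context lists only `libtool-tag.patch`, `CVE-2022-40674.patch` and `CVE-2022-43680.patch`; confirm the billion-laughs accounting backport sits earlier in `SRC_URI`, otherwise the patch cannot apply at all.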
-- 
2.24.4


View/Reply Online (#197079): 
https://lists.openembedded.org/g/openembedded-core/message/197079



[OE-core][dunfell][PATCH V2] mdadm: Backport fix for CVE-2023-28938

2023-11-28 Thread Ashish Sharma via lists.openembedded.org
Upstream-Status: Backport from 
[https://git.kernel.org/pub/scm/utils/mdadm/mdadm.git/patch/?id=7d374a1869d3a84971d027a7f4233878c8f25a62]
CVE: CVE-2023-28938
Signed-off-by: Ashish Sharma 
---
 .../mdadm/files/CVE-2023-28938.patch  | 80 +++
 meta/recipes-extended/mdadm/mdadm_4.1.bb  |  1 +
 2 files changed, 81 insertions(+)
 create mode 100644 meta/recipes-extended/mdadm/files/CVE-2023-28938.patch

diff --git a/meta/recipes-extended/mdadm/files/CVE-2023-28938.patch 
b/meta/recipes-extended/mdadm/files/CVE-2023-28938.patch
new file mode 100644
index 00..1e2990d79a
--- /dev/null
+++ b/meta/recipes-extended/mdadm/files/CVE-2023-28938.patch
@@ -0,0 +1,80 @@
+From 7d374a1869d3a84971d027a7f4233878c8f25a62 Mon Sep 17 00:00:00 2001
+From: Mateusz Grzonka 
+Date: Tue, 27 Jul 2021 10:25:18 +0200
+Subject: Fix memory leak after "mdadm --detail"
+
+Signed-off-by: Mateusz Grzonka 
+Signed-off-by: Jes Sorensen 
+---
+Upstream-Status: Backport from 
[https://git.kernel.org/pub/scm/utils/mdadm/mdadm.git/patch/?id=7d374a1869d3a84971d027a7f4233878c8f25a62]
+CVE: CVE-2023-28938
+Signed-off-by: Ashish Sharma 
+ 
+ Detail.c | 20 +---
+ 1 file changed, 9 insertions(+), 11 deletions(-)
+
+diff --git a/Detail.c b/Detail.c
+index ad56344f..d3af0ab5 100644
+--- a/Detail.c
 b/Detail.c
+@@ -66,11 +66,11 @@ int Detail(char *dev, struct context *c)
+   int spares = 0;
+   struct stat stb;
+   int failed = 0;
+-  struct supertype *st;
++  struct supertype *st = NULL;
+   char *subarray = NULL;
+   int max_disks = MD_SB_DISKS; /* just a default */
+   struct mdinfo *info = NULL;
+-  struct mdinfo *sra;
++  struct mdinfo *sra = NULL;
+   struct mdinfo *subdev;
+   char *member = NULL;
+   char *container = NULL;
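Review bot: the `= NULL` initialisers for `st` and `sra` are required rather than cosmetic, because the `goto out` paths added in the later hunks reach `sysfs_free(sra)` and `free(st)` before either may have been assigned; the commit message only mentions the leak, so a line saying why these initialisers are needed would help future readers.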
+@@ -93,8 +93,7 @@ int Detail(char *dev, struct context *c)
+   if (!sra) {
+   if (md_get_array_info(fd, )) {
+   pr_err("%s does not appear to be an md device\n", dev);
+-  close(fd);
+-  return rv;
++  goto out;
+   }
+   }
+   external = (sra != NULL && sra->array.major_version == -1 &&
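Review bot: replacing `close(fd); return rv;` with `goto out` changes what runs on this error path: the `out:` block also calls `free(subarray)`, `free(avail)` and walks `devices`, so each must be NULL or valid at this point. `subarray` is NULL-initialised in the first hunk, but the declarations of `avail` and `n_devices` are not visible in this patch, so check they are initialised at the top of `Detail()` before this early exit.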
+@@ -108,16 +107,13 @@ int Detail(char *dev, struct context *c)
+   sra->devs == NULL) {
+   pr_err("Array associated with md device %s does 
not exist.\n",
+  dev);
+-  close(fd);
+-  sysfs_free(sra);
+-  return rv;
++  goto out;
+   }
+   array = sra->array;
+   } else {
+   pr_err("cannot get array detail for %s: %s\n",
+  dev, strerror(errno));
+-  close(fd);
+-  return rv;
++  goto out;
+   }
+   }
+ 
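Review bot: removing `sysfs_free(sra)` from the `sra->devs == NULL` branch is correct only because `out:` now frees `sra` unconditionally (last hunk); in the `else` branch below `sra` is still NULL when `goto out` runs, so `sysfs_free()` must tolerate a NULL argument, which is worth confirming in mdadm 4.1 before merging.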
+@@ -827,10 +823,12 @@ out:
+   close(fd);
+   free(subarray);
+   free(avail);
+-  for (d = 0; d < n_devices; d++)
+-  free(devices[d]);
++  if (devices)
++  for (d = 0; d < n_devices; d++)
++  free(devices[d]);
+   free(devices);
+   sysfs_free(sra);
++  free(st);
+   return rv;
+ }
+ 
+-- 
+cgit 
+
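Review bot: `free(st)` is a plain `free` on a `struct supertype *`, which is right only if nothing the supertype owns has been allocated by the time `Detail()` returns; otherwise this trades the leak of the struct for a leak of its members, so check how `st` is obtained in the unpatched function. The `if (devices)` guard is needed because the new early `goto out` paths arrive here with `devices` still NULL; if `n_devices` is zero-initialised at declaration the guard is merely defensive, if not it is what keeps the loop from running over an uninitialised count.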
diff --git a/meta/recipes-extended/mdadm/mdadm_4.1.bb 
b/meta/recipes-extended/mdadm/mdadm_4.1.bb
index 5238a41df2..ca326fd1cb 100644
--- a/meta/recipes-extended/mdadm/mdadm_4.1.bb
+++ b/meta/recipes-extended/mdadm/mdadm_4.1.bb
@@ -25,6 +25,7 @@ SRC_URI = 
"${KERNELORG_MIRROR}/linux/utils/raid/mdadm/${BPN}-${PV}.tar.xz \
file://include_sysmacros.patch \
file://0001-mdadm-skip-test-11spare-migration.patch \
file://CVE-2023-28736.patch \
+   file://CVE-2023-28938.patch \
"
 
 SRC_URI[md5sum] = "51bf3651bd73a06c413a2f964f299598"
-- 
2.24.4


View/Reply Online (#191382): 
https://lists.openembedded.org/g/openembedded-core/message/191382



[OE-core][dunfell][PATCH] mdadm: Backport fix CVE-2023-28938

2023-11-27 Thread Ashish Sharma via lists.openembedded.org
Signed-off-by: Ashish Sharma 
---
 .../mdadm/files/CVE-2023-28938.patch  | 80 +++
 meta/recipes-extended/mdadm/mdadm_4.1.bb  |  1 +
 2 files changed, 81 insertions(+)
 create mode 100644 meta/recipes-extended/mdadm/files/CVE-2023-28938.patch

diff --git a/meta/recipes-extended/mdadm/files/CVE-2023-28938.patch 
b/meta/recipes-extended/mdadm/files/CVE-2023-28938.patch
new file mode 100644
index 000..1e2990d79af
--- /dev/null
+++ b/meta/recipes-extended/mdadm/files/CVE-2023-28938.patch
@@ -0,0 +1,80 @@
+From 7d374a1869d3a84971d027a7f4233878c8f25a62 Mon Sep 17 00:00:00 2001
+From: Mateusz Grzonka 
+Date: Tue, 27 Jul 2021 10:25:18 +0200
+Subject: Fix memory leak after "mdadm --detail"
+
+Signed-off-by: Mateusz Grzonka 
+Signed-off-by: Jes Sorensen 
+---
+Upstream-Status: Backport from 
[https://git.kernel.org/pub/scm/utils/mdadm/mdadm.git/patch/?id=7d374a1869d3a84971d027a7f4233878c8f25a62]
+CVE: CVE-2023-28938
+Signed-off-by: Ashish Sharma 
+ 
+ Detail.c | 20 +---
+ 1 file changed, 9 insertions(+), 11 deletions(-)
+
+diff --git a/Detail.c b/Detail.c
+index ad56344f..d3af0ab5 100644
+--- a/Detail.c
 b/Detail.c
+@@ -66,11 +66,11 @@ int Detail(char *dev, struct context *c)
+   int spares = 0;
+   struct stat stb;
+   int failed = 0;
+-  struct supertype *st;
++  struct supertype *st = NULL;
+   char *subarray = NULL;
+   int max_disks = MD_SB_DISKS; /* just a default */
+   struct mdinfo *info = NULL;
+-  struct mdinfo *sra;
++  struct mdinfo *sra = NULL;
+   struct mdinfo *subdev;
+   char *member = NULL;
+   char *container = NULL;
+@@ -93,8 +93,7 @@ int Detail(char *dev, struct context *c)
+   if (!sra) {
+   if (md_get_array_info(fd, )) {
+   pr_err("%s does not appear to be an md device\n", dev);
+-  close(fd);
+-  return rv;
++  goto out;
+   }
+   }
+   external = (sra != NULL && sra->array.major_version == -1 &&
+@@ -108,16 +107,13 @@ int Detail(char *dev, struct context *c)
+   sra->devs == NULL) {
+   pr_err("Array associated with md device %s does 
not exist.\n",
+  dev);
+-  close(fd);
+-  sysfs_free(sra);
+-  return rv;
++  goto out;
+   }
+   array = sra->array;
+   } else {
+   pr_err("cannot get array detail for %s: %s\n",
+  dev, strerror(errno));
+-  close(fd);
+-  return rv;
++  goto out;
+   }
+   }
+ 
+@@ -827,10 +823,12 @@ out:
+   close(fd);
+   free(subarray);
+   free(avail);
+-  for (d = 0; d < n_devices; d++)
+-  free(devices[d]);
++  if (devices)
++  for (d = 0; d < n_devices; d++)
++  free(devices[d]);
+   free(devices);
+   sysfs_free(sra);
++  free(st);
+   return rv;
+ }
+ 
+-- 
+cgit 
+
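Review bot: the diff content of this V1 is identical to the V2 posting above (message #191382); the only difference is that the cover text here carries just a Signed-off-by, with the `Upstream-Status:` and `CVE:` tags present only inside the embedded patch file, whereas V2 adds them to the cover text as well. This posting can therefore be treated as superseded by V2.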
diff --git a/meta/recipes-extended/mdadm/mdadm_4.1.bb 
b/meta/recipes-extended/mdadm/mdadm_4.1.bb
index 5238a41df20..ca326fd1cb1 100644
--- a/meta/recipes-extended/mdadm/mdadm_4.1.bb
+++ b/meta/recipes-extended/mdadm/mdadm_4.1.bb
@@ -25,6 +25,7 @@ SRC_URI = 
"${KERNELORG_MIRROR}/linux/utils/raid/mdadm/${BPN}-${PV}.tar.xz \
file://include_sysmacros.patch \
file://0001-mdadm-skip-test-11spare-migration.patch \
file://CVE-2023-28736.patch \
+   file://CVE-2023-28938.patch \
"
 
 SRC_URI[md5sum] = "51bf3651bd73a06c413a2f964f299598"
-- 
2.24.4


View/Reply Online (#191310): 
https://lists.openembedded.org/g/openembedded-core/message/191310



[OE-core][dunfell][PATCH] zlib: Backport fix for CVE-2023-45853

2023-11-06 Thread Ashish Sharma via lists.openembedded.org
Upstream-Status: Backport from 
[https://github.com/madler/zlib/commit/73331a6a0481067628f065ffe87bb1d8f787d10c]

Signed-off-by: Ashish Sharma 
---
 .../zlib/zlib/CVE-2023-45853.patch| 40 +++
 meta/recipes-core/zlib/zlib_1.2.11.bb |  1 +
 2 files changed, 41 insertions(+)
 create mode 100644 meta/recipes-core/zlib/zlib/CVE-2023-45853.patch

diff --git a/meta/recipes-core/zlib/zlib/CVE-2023-45853.patch 
b/meta/recipes-core/zlib/zlib/CVE-2023-45853.patch
new file mode 100644
index 000..654579eb815
--- /dev/null
+++ b/meta/recipes-core/zlib/zlib/CVE-2023-45853.patch
@@ -0,0 +1,40 @@
+From 73331a6a0481067628f065ffe87bb1d8f787d10c Mon Sep 17 00:00:00 2001
+From: Hans Wennborg 
+Date: Fri, 18 Aug 2023 11:05:33 +0200
+Subject: [PATCH] Reject overflows of zip header fields in minizip.
+
+This checks the lengths of the file name, extra field, and comment
+that would be put in the zip headers, and rejects them if they are
+too long. They are each limited to 65535 bytes in length by the zip
+format. This also avoids possible buffer overflows if the provided
+fields are too long.
+
+Upstream-Status: Backport from 
[https://github.com/madler/zlib/commit/73331a6a0481067628f065ffe87bb1d8f787d10c]
+CVE: CVE-2023-45853
+Signed-off-by: Ashish Sharma 
+---
+ contrib/minizip/zip.c | 11 +++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/contrib/minizip/zip.c b/contrib/minizip/zip.c
+index 3d3d4cadd..0446109b2 100644
+--- a/contrib/minizip/zip.c
 b/contrib/minizip/zip.c
+@@ -1043,6 +1043,17 @@ extern int ZEXPORT zipOpenNewFileInZip4_64(zipFile 
file, const char* filename, c
+   return ZIP_PARAMERROR;
+ #endif
+ 
++// The filename and comment length must fit in 16 bits.
++if ((filename!=NULL) && (strlen(filename)>0x))
++return ZIP_PARAMERROR;
++if ((comment!=NULL) && (strlen(comment)>0x))
++return ZIP_PARAMERROR;
++// The extra field length must fit in 16 bits. If the member also requires
++// a Zip64 extra block, that will also need to fit within that 16-bit
++// length, but that will be checked for later.
++if ((size_extrafield_local>0x) || (size_extrafield_global>0x))
++return ZIP_PARAMERROR;
++
+ zi = (zip64_internal*)file;
+ 
+ if (zi->in_opened_file_inzip == 1)
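Review bot: the five comparisons read `>0x` in this archived view, i.e. the hex digits after `0x` have been dropped by the archive (the `++++ b/contrib/minizip/zip.c` header line is damaged the same way); the commit message states the limit as 65535 bytes, so the stored patch must compare against that 16-bit maximum (`0xffff`), and a bare `0x` would not compile. Two points on the logic as written: `strlen` on `filename` and `comment` is safe because both are NUL-terminated C strings at this API, and `>` rather than `>=` deliberately allows a field of exactly 65535 bytes, which is the largest value the 16-bit header field can carry.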
diff --git a/meta/recipes-core/zlib/zlib_1.2.11.bb 
b/meta/recipes-core/zlib/zlib_1.2.11.bb
index bf99c2a3f98..6ba168ed10b 100644
--- a/meta/recipes-core/zlib/zlib_1.2.11.bb
+++ b/meta/recipes-core/zlib/zlib_1.2.11.bb
@@ -12,6 +12,7 @@ SRC_URI = 
"${SOURCEFORGE_MIRROR}/libpng/${BPN}/${PV}/${BPN}-${PV}.tar.xz \
file://CVE-2018-25032.patch \
file://run-ptest \
file://CVE-2022-37434.patch \
+   file://CVE-2023-45853.patch \
"
 UPSTREAM_CHECK_URI = "http://zlib.net/;
 
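Review bot: the change lives in `contrib/minizip/zip.c`; if the dunfell zlib recipe neither builds nor packages minizip, this patch alters nothing in shipped binaries and the CVE could instead be recorded as not affecting the package through the recipe's CVE-check ignore mechanism, whereas if minizip is built from `${S}/contrib` by any consumer the patch is the right fix. Stating which case applies in the cover text would save the next reviewer the same question.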
-- 
2.24.4


View/Reply Online (#190254): 
https://lists.openembedded.org/g/openembedded-core/message/190254



[OE-core][kirkstone][PATCH] zlib: Backport fix CVE-2023-45853

2023-11-06 Thread Ashish Sharma via lists.openembedded.org
Signed-off-by: Ashish Sharma 
---
 .../zlib/zlib/CVE-2023-45853.patch| 40 +++
 meta/recipes-core/zlib/zlib_1.2.11.bb |  3 +-
 2 files changed, 42 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-core/zlib/zlib/CVE-2023-45853.patch

diff --git a/meta/recipes-core/zlib/zlib/CVE-2023-45853.patch 
b/meta/recipes-core/zlib/zlib/CVE-2023-45853.patch
new file mode 100644
index 000..77afb7ad1b6
--- /dev/null
+++ b/meta/recipes-core/zlib/zlib/CVE-2023-45853.patch
@@ -0,0 +1,40 @@
+From 73331a6a0481067628f065ffe87bb1d8f787d10c Mon Sep 17 00:00:00 2001
+From: Hans Wennborg 
+Date: Fri, 18 Aug 2023 11:05:33 +0200
+Subject: [PATCH] Reject overflows of zip header fields in minizip.
+
+This checks the lengths of the file name, extra field, and comment
+that would be put in the zip headers, and rejects them if they are
+too long. They are each limited to 65535 bytes in length by the zip
+format. This also avoids possible buffer overflows if the provided
+fields are too long.
+
+Upstream-Status: Backport from 
[https://github.com/madler/zlib/commit/73331a6a0481067628f065ffe87bb1d8f787d10c]
+CVE: CVE-2023-45853
+Signed-off-by: Ashish Sharma 
+
+ contrib/minizip/zip.c | 11 +++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/contrib/minizip/zip.c b/contrib/minizip/zip.c
+index 3d3d4cadd..0446109b2 100644
+--- a/contrib/minizip/zip.c
 b/contrib/minizip/zip.c
+@@ -1043,6 +1043,17 @@ extern int ZEXPORT zipOpenNewFileInZip4_64(zipFile 
file, const char* filename, c
+   return ZIP_PARAMERROR;
+ #endif
+ 
++// The filename and comment length must fit in 16 bits.
++if ((filename!=NULL) && (strlen(filename)>0x))
++return ZIP_PARAMERROR;
++if ((comment!=NULL) && (strlen(comment)>0x))
++return ZIP_PARAMERROR;
++// The extra field length must fit in 16 bits. If the member also requires
++// a Zip64 extra block, that will also need to fit within that 16-bit
++// length, but that will be checked for later.
++if ((size_extrafield_local>0x) || (size_extrafield_global>0x))
++return ZIP_PARAMERROR;
++
+ zi = (zip64_internal*)file;
+ 
+ if (zi->in_opened_file_inzip == 1)
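Review bot: same hunk as the dunfell backport above, including the archive's loss of the hex digits after `0x` and of the `++++` header line; the committed file must carry the 16-bit limit (65535, as the commit message says) or it will not compile. Nothing kirkstone-specific here; the `index 3d3d4cadd..0446109b2` pre-image matches the dunfell posting, so both branches carry the same 1.2.11 minizip.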
diff --git a/meta/recipes-core/zlib/zlib_1.2.11.bb 
b/meta/recipes-core/zlib/zlib_1.2.11.bb
index f768b41988b..fbd99480d34 100644
--- a/meta/recipes-core/zlib/zlib_1.2.11.bb
+++ b/meta/recipes-core/zlib/zlib_1.2.11.bb
@@ -11,7 +11,8 @@ SRC_URI = 
"${SOURCEFORGE_MIRROR}/libpng/${BPN}/${PV}/${BPN}-${PV}.tar.xz \
file://0001-configure-Pass-LDFLAGS-to-link-tests.patch \
file://CVE-2018-25032.patch \
file://run-ptest \
-   file://CVE-2022-37434.patch \
+   file://CVE-2022-37434.patch \
+   file://CVE-2023-45853.patch \
"
 UPSTREAM_CHECK_URI = "http://zlib.net/;
 
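Review bot: the `-`/`+` pair on `file://CVE-2022-37434.patch \` is whitespace-only churn (the diffstat reports 1 deletion for what is a one-line addition); drop it so the hunk is just the added `file://CVE-2023-45853.patch` line and does not touch an unrelated entry.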
-- 
2.35.7


View/Reply Online (#190251): 
https://lists.openembedded.org/g/openembedded-core/message/190251



[OE-core][dunfell][PATCH] binutils: Backport fix CVE-2023-25588

2023-10-17 Thread Ashish Sharma via lists.openembedded.org
Upstream-Status: Backport from 
[https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=d12f8998d2d086f0a6606589e5aedb7147e6f2f1]
CVE: CVE-2023-25588
Signed-off-by: Ashish Sharma 
---
 .../binutils/binutils-2.34.inc|   1 +
 .../binutils/binutils/CVE-2023-25588.patch| 146 ++
 2 files changed, 147 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2023-25588.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.34.inc 
b/meta/recipes-devtools/binutils/binutils-2.34.inc
index f0669f421c2..3d7c7edc937 100644
--- a/meta/recipes-devtools/binutils/binutils-2.34.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.34.inc
@@ -53,5 +53,6 @@ SRC_URI = "\
  file://CVE-2020-16593.patch \
  file://0001-CVE-2021-45078.patch \
  file://CVE-2022-38533.patch \
+ file://CVE-2023-25588.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2023-25588.patch 
b/meta/recipes-devtools/binutils/binutils/CVE-2023-25588.patch
new file mode 100644
index 000..065d8e47f00
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2023-25588.patch
@@ -0,0 +1,146 @@
+From d12f8998d2d086f0a6606589e5aedb7147e6f2f1 Mon Sep 17 00:00:00 2001
+From: Alan Modra 
+Date: Fri, 14 Oct 2022 10:30:21 +1030
+Subject: [PATCH] PR29677, Field `the_bfd` of `asymbol` is uninitialised
+
+Besides not initialising the_bfd of synthetic symbols, counting
+symbols when sizing didn't match symbols created if there were any
+dynsyms named "".  We don't want synthetic symbols without names
+anyway, so get rid of them.  Also, simplify and correct sanity checks.
+
+   PR 29677
+   * mach-o.c (bfd_mach_o_get_synthetic_symtab): Rewrite.
+---
+Upstream-Status: Backport from 
[https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=d12f8998d2d086f0a6606589e5aedb7147e6f2f1]
+CVE: CVE-2023-25588
+Signed-off-by: Ashish Sharma 
+
+ bfd/mach-o.c | 72 ++--
+ 1 file changed, 31 insertions(+), 41 deletions(-)
+
+diff --git a/bfd/mach-o.c b/bfd/mach-o.c
+index acb35e7f0c6..5279343768c 100644
+--- a/bfd/mach-o.c
 b/bfd/mach-o.c
+@@ -938,11 +938,9 @@ bfd_mach_o_get_synthetic_symtab (bfd *abfd,
+   bfd_mach_o_symtab_command *symtab = mdata->symtab;
+   asymbol *s;
+   char * s_start;
+-  char * s_end;
+   unsigned long count, i, j, n;
+   size_t size;
+   char *names;
+-  char *nul_name;
+   const char stub [] = "$stub";
+ 
+   *ret = NULL;
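Review bot: dropping `s_end` and `nul_name` is consistent with the later hunks (the `s_end` bound check under `PR 17512: file: 04d64d9b` goes away, and no synthetic symbol is given the empty name any more), but the patch is cut off in this archive partway through the `@@ -997,47 +995,39 @@` hunk, so the remaining uses of `names` and `s` in the rest of the function cannot be reviewed from this page; take the full 146-line file from the list's raw message before judging it complete.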
+@@ -955,27 +953,27 @@ bfd_mach_o_get_synthetic_symtab (bfd *abfd,
+   /* We need to allocate a bfd symbol for every indirect symbol and to
+  allocate the memory for its name.  */
+   count = dysymtab->nindirectsyms;
+-  size = count * sizeof (asymbol) + 1;
+-
++  size = 0;
+   for (j = 0; j < count; j++)
+ {
+-  const char * strng;
+   unsigned int isym = dysymtab->indirect_syms[j];
++  const char *str;
+ 
+   /* Some indirect symbols are anonymous.  */
+-  if (isym < symtab->nsyms && (strng = symtab->symbols[isym].symbol.name))
+-  /* PR 17512: file: f5b8eeba.  */
+-  size += strnlen (strng, symtab->strsize - (strng - symtab->strtab)) + 
sizeof (stub);
++  if (isym < symtab->nsyms
++&& (str = symtab->symbols[isym].symbol.name) != NULL)
++  {
++/* PR 17512: file: f5b8eeba.  */
++size += strnlen (str, symtab->strsize - (str - symtab->strtab));
++size += sizeof (stub);
++  }
+ }
+ 
+-  s_start = bfd_malloc (size);
++  s_start = bfd_malloc (size + count * sizeof (asymbol));
+   s = *ret = (asymbol *) s_start;
+   if (s == NULL)
+ return -1;
+   names = (char *) (s + count);
+-  nul_name = names;
+-  *names++ = 0;
+-  s_end = s_start + size;
+ 
+   n = 0;
+   for (i = 0; i < mdata->nsects; i++)
+@@ -997,47 +995,39 @@ bfd_mach_o_get_synthetic_symtab (bfd *abfd,
+ entry_size = bfd_mach_o_section_get_entry_size (abfd, sec);
+ 
+ /* PR 17512: file: 08e15eec.  */
+-if (first >= count || last >= count || first > last)
++if (first >= count || last > count || first > last)
+   goto fail;
+ 
+ for (j = first; j < last; j++)
+   {
+ unsigned int isym = dysymtab->indirect_syms[j];
+-
+-/* PR 17512: file: 04d64d9b.  */
+-if (((char *) s) + sizeof (* s) > s_end)
+-  goto fail;
+-
+-s->flags = BSF_GLOBAL | BSF_SYNTHETIC;
+-s->section = sec->bfdsection;
+-s->value = addr - sec->addr;
+-s->udata.p = NULL;
++const char *str;
++size_t len;
+ 
+ if (isym < symtab->nsyms
+-&& symtab->symbols[isym].symbol.name)
++&& (str = symtab->symbols[isym].symbol.name) != NULL)
+   {
+-const char *sym = symtab->symbols[isym].symbol.name;
+-size_t len;
+-
+-s->name = names;
+-len = strlen (sym);
+- 
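Review bot: the embedded patch is cut off at `len = strlen (sym);` although its own header announces 146 lines, so the part of the rewrite that copies the names and drops the anonymous-symbol case cannot be checked from this mail; confirm the file in the tree is complete and that it applies to the 2.34 `bfd/mach-o.c` with `git am` or quilt. The `+++ b/bfd/mach-o.c` header line also shows up with its prefix stripped (` b/bfd/mach-o.c`), which would make `patch` reject the file if that is in the file rather than an artefact of the archive. On the visible substance the change reads correctly: `last >= count` becoming `last > count` is right because `last` is the exclusive bound of `for (j = first; j < last; j++)`, and removing the `sizeof (* s) > s_end` guard is only safe because the new sizing loop now counts exactly the named indirect symbols the second loop emits, which the commit message states as the intent.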

[OE-core][dunfell][PATCH] mdadm: Backport fix for CVE-2023-28736

2023-09-27 Thread Ashish Sharma via lists.openembedded.org
Signed-off-by: Ashish Sharma 
---
 .../mdadm/files/CVE-2023-28736.patch  | 77 +++
 meta/recipes-extended/mdadm/mdadm_4.1.bb  |  1 +
 2 files changed, 78 insertions(+)
 create mode 100644 meta/recipes-extended/mdadm/files/CVE-2023-28736.patch

diff --git a/meta/recipes-extended/mdadm/files/CVE-2023-28736.patch 
b/meta/recipes-extended/mdadm/files/CVE-2023-28736.patch
new file mode 100644
index 000..8e0a06cbc7b
--- /dev/null
+++ b/meta/recipes-extended/mdadm/files/CVE-2023-28736.patch
@@ -0,0 +1,77 @@
+From ced5fa8b170ad448f4076e24a10c731b5cfb36ce Mon Sep 17 00:00:00 2001
+From: Blazej Kucman 
+Date: Fri, 3 Dec 2021 15:31:15 +0100
+Subject: mdadm: block creation with long names
+
+This fixes buffer overflows in create_mddev(). It prohibits
+creation with not supported names for DDF and native. For IMSM,
+mdadm will do silent cut to 16 later.
+
+Signed-off-by: Mariusz Tkaczyk 
+Signed-off-by: Blazej Kucman 
+Signed-off-by: Jes Sorensen 
+---
+
+Upstream-Status: Backport from 
[https://git.kernel.org/pub/scm/utils/mdadm/mdadm.git/patch/?id=ced5fa8b170ad448f4076e24a10c731b5cfb36ce]
+CVE: CVE-2023-28736
+Signed-off-by: Ashish Sharma 
+
+ mdadm.8.in | 5 +
+ mdadm.c| 9 -
+ mdadm.h| 5 +
+ 3 files changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/mdadm.8.in b/mdadm.8.in
+index 28d773c2..68e100cb 100644
+--- a/mdadm.8.in
 b/mdadm.8.in
+@@ -2186,6 +2186,11 @@ is run, but will be created by
+ .I udev
+ once the array becomes active.
+ 
++The max length md-device name is limited to 32 characters.
++Different metadata types have more strict limitation
++(like IMSM where only 16 characters are allowed).
++For that reason, long name could be truncated or rejected, it depends on 
metadata policy.
++
+ As devices are added, they are checked to see if they contain RAID
+ superblocks or filesystems.  They are also checked to see if the variance in
+ device size exceeds 1%.
+diff --git a/mdadm.c b/mdadm.c
+index 91e67467..26299b2e 100644
+--- a/mdadm.c
 b/mdadm.c
+@@ -1359,9 +1359,16 @@ int main(int argc, char *argv[])
+   mdfd = open_mddev(devlist->devname, 1);
+   if (mdfd < 0)
+   exit(1);
+-  } else
++  } else {
++  char *bname = basename(devlist->devname);
++
++  if (strlen(bname) > MD_NAME_MAX) {
++  pr_err("Name %s is too long.\n", 
devlist->devname);
++  exit(1);
++  }
+   /* non-existent device is OK */
+   mdfd = open_mddev(devlist->devname, 0);
++  }
+   if (mdfd == -2) {
+   pr_err("device %s exists but is not an md array.\n", 
devlist->devname);
+   exit(1);
+diff --git a/mdadm.h b/mdadm.h
+index 54567396..c7268a71 100644
+--- a/mdadm.h
 b/mdadm.h
+@@ -1880,3 +1880,8 @@ enum r0layout {
+ #define INVALID_SECTORS 1
+ /* And another special number needed for --data_offset=variable */
+ #define VARIABLE_OFFSET 3
++
++/**
++ * This is true for native and DDF, IMSM allows 16.
++ */
++#define MD_NAME_MAX 32
+-- 
+cgit 
+
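Review bot: `basename()` in the new `else` branch is ambiguous between the POSIX `<libgen.h>` version, which may modify its argument in place (trailing slashes are stripped), and the GNU `<string.h>` version, which does not; since `devlist->devname` is reused immediately in `pr_err(...)` and `open_mddev(devlist->devname, 0)`, make sure mdadm's existing includes pin which one is in scope or copy the name before calling it. Two lines of the patch body are also wrapped by the mailer (`pr_err("Name %s is too long.\n",` / `devlist->devname);` and the man-page sentence broken after `it depends on`), so the file in the tree must be checked for that before it is applied. The check itself matches the documentation: `strlen(bname) > MD_NAME_MAX` with `MD_NAME_MAX 32` rejects anything longer than 32 characters and lets exactly 32 through, and it guards only the non-existent-device path, which is the one that goes on to create a new array.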
diff --git a/meta/recipes-extended/mdadm/mdadm_4.1.bb 
b/meta/recipes-extended/mdadm/mdadm_4.1.bb
index bb77759cf97..5238a41df20 100644
--- a/meta/recipes-extended/mdadm/mdadm_4.1.bb
+++ b/meta/recipes-extended/mdadm/mdadm_4.1.bb
@@ -24,6 +24,7 @@ SRC_URI = 
"${KERNELORG_MIRROR}/linux/utils/raid/mdadm/${BPN}-${PV}.tar.xz \

file://0001-mdadm-add-option-y-for-use-syslog-to-recive-event-re.patch \
file://include_sysmacros.patch \
file://0001-mdadm-skip-test-11spare-migration.patch \
+   file://CVE-2023-28736.patch \
"
 
 SRC_URI[md5sum] = "51bf3651bd73a06c413a2f964f299598"
-- 
2.24.4


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#188330): 
https://lists.openembedded.org/g/openembedded-core/message/188330
Mute This Topic: https://lists.openembedded.org/mt/101618300/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



[OE-core][dunfell][PATCH] qemu: Backport fix CVE-2023-3180

2023-09-06 Thread Ashish Sharma via lists.openembedded.org
Upstream-Status: Backport from 
[https://gitlab.com/qemu-project/qemu/-/commit/9d38a8434721a6479fe03fb5afb150ca793d3980]
CVE: CVE-2023-3180
Signed-off-by: Ashish Sharma 
---
 meta/recipes-devtools/qemu/qemu.inc   |  1 +
 .../qemu/qemu/CVE-2023-3180.patch | 49 +++
 2 files changed, 50 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-3180.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc 
b/meta/recipes-devtools/qemu/qemu.inc
index ddb6ed999a5..678bc171f89 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -141,6 +141,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch \
file://CVE-2023-0330.patch \
file://CVE-2023-3354.patch \
+  file://CVE-2023-3180.patch \
"
 UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar"
 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-3180.patch 
b/meta/recipes-devtools/qemu/qemu/CVE-2023-3180.patch
new file mode 100644
index 000..7144bdca460
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-3180.patch
@@ -0,0 +1,49 @@
+From 9d38a8434721a6479fe03fb5afb150ca793d3980 Mon Sep 17 00:00:00 2001
+From: zhenwei pi 
+Date: Thu, 3 Aug 2023 10:43:13 +0800
+Subject: [PATCH] virtio-crypto: verify src buffer length for sym request
+
+For symmetric algorithms, the length of ciphertext must be as same
+as the plaintext.
+The missing verification of the src_len and the dst_len in
+virtio_crypto_sym_op_helper() may lead buffer overflow/divulged.
+
+This patch is originally written by Yiming Tao for QEMU-SECURITY,
+resend it(a few changes of error message) in qemu-devel.
+
+Fixes: CVE-2023-3180
+Fixes: 04b9b37edda("virtio-crypto: add data queue processing handler")
+Cc: Gonglei 
+Cc: Mauro Matteo Cascella 
+Cc: Yiming Tao 
+Signed-off-by: zhenwei pi 
+Message-Id: <20230803024314.29962-2-pizhen...@bytedance.com>
+Reviewed-by: Michael S. Tsirkin 
+Signed-off-by: Michael S. Tsirkin 
+
+Upstream-Status: Backport from 
[https://gitlab.com/qemu-project/qemu/-/commit/9d38a8434721a6479fe03fb5afb150ca793d3980]
+CVE: CVE-2023-3180
+Signed-off-by: Ashish Sharma 
+
+ hw/virtio/virtio-crypto.c | 5 +
+ 1 file changed, 5 insertions(+)
+
+diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c
+index 44faf5a522b..13aec771e11 100644
+--- a/hw/virtio/virtio-crypto.c
 b/hw/virtio/virtio-crypto.c
+@@ -634,6 +634,11 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev,
+ return NULL;
+ }
+ 
++if (unlikely(src_len != dst_len)) {
++virtio_error(vdev, "sym request src len is different from dst len");
++return NULL;
++}
++
+ max_len = (uint64_t)iv_len + aad_len + src_len + dst_len + 
hash_result_len;
+ if (unlikely(max_len > vcrypto->conf.max_size)) {
+ virtio_error(vdev, "virtio-crypto too big length");
+-- 
+GitLab
+
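Review bot: the new `src_len != dst_len` check sits before `max_len` is computed, so a mismatched request is rejected before any of the lengths are used for sizing, which is the right order; because `virtio_error()` marks the device broken, one malformed guest request now stops the device rather than failing only that request, which is consistent with the neighbouring `virtio-crypto too big length` handling but worth stating in the commit message for anyone bisecting guest-visible behaviour. The context line `max_len = (uint64_t)iv_len + aad_len + src_len + dst_len +` / `hash_result_len;` is wrapped by the mailer, so verify that the patch file in the tree still applies with `git am` or quilt.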
-- 
2.24.4


View/Reply Online (#187292): 
https://lists.openembedded.org/g/openembedded-core/message/187292