[OE-core][scarthgap][PATCH] openssl: Upgrade 3.2.1 -> 3.2.2
CVE's Fixed by upgrade: CVE-2024-4741: Fixed potential use after free after SSL_free_buffers() is called CVE-2024-4603: Fixed an issue where checking excessively long DSA keys or parameters may be very slow CVE-2024-2511: Fixed unbounded memory growth with session handling in TLSv1.3 Bugs Fixed by upgrade: #23560: Fixed bug where SSL_export_keying_material() could not be used with QUIC connections Removed backports of CVE-2024-2511, CVE-2024-4603 and bti.patch as they are already fixed. Detailed Information: https://github.com/openssl/openssl/blob/openssl-3.2/CHANGES.md#changes-between-321-and-322-4-jun-2024 Signed-off-by: Siddharth Doshi --- .../openssl/openssl/CVE-2024-2511.patch | 120 .../openssl/openssl/CVE-2024-4603.patch | 179 -- .../openssl/openssl/bti.patch | 58 -- .../{openssl_3.2.1.bb => openssl_3.2.2.bb}| 5 +- 4 files changed, 1 insertion(+), 361 deletions(-) delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-2511.patch delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-4603.patch delete mode 100644 meta/recipes-connectivity/openssl/openssl/bti.patch rename meta/recipes-connectivity/openssl/{openssl_3.2.1.bb => openssl_3.2.2.bb} (97%) diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-2511.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-2511.patch deleted file mode 100644 index 8772f716d5..00 --- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-2511.patch +++ /dev/null 
@@ -1,120 +0,0 @@ -From e9d7083e241670332e0443da0f0d4ffb52829f08 Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Tue, 5 Mar 2024 15:43:53 + -Subject: [PATCH] Fix unconstrained session cache growth in TLSv1.3 - -In TLSv1.3 we create a new session object for each ticket that we send. -We do this by duplicating the original session. If SSL_OP_NO_TICKET is in -use then the new session will be added to the session cache. However, if -early data is not in use (and therefore anti-replay protection is being -used), then multiple threads could be resuming from the same session -simultaneously. If this happens and a problem occurs on one of the threads, -then the original session object could be marked as not_resumable. When we -duplicate the session object this not_resumable status gets copied into the -new session object. The new session object is then added to the session -cache even though it is not_resumable. - -Subsequently, another bug means that the session_id_length is set to 0 for -sessions that are marked as not_resumable - even though that session is -still in the cache. Once this happens the session can never be removed from -the cache. When that object gets to be the session cache tail object the -cache never shrinks again and grows indefinitely. 
- -CVE-2024-2511 - -Reviewed-by: Neil Horman -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/24043) - -CVE: CVE-2024-2511 -Upstream-Status: Backport [https://github.com/openssl/openssl/commit/e9d7083e241670332e0443da0f0d4ffb52829f08] -Signed-off-by: Peter Marko - ssl/ssl_lib.c| 5 +++-- - ssl/ssl_sess.c | 28 ++-- - ssl/statem/statem_srvr.c | 5 ++--- - 3 files changed, 27 insertions(+), 11 deletions(-) - -diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c -index 4afb43bc86e54..c51529ddab5bb 100644 a/ssl/ssl_lib.c -+++ b/ssl/ssl_lib.c -@@ -4457,9 +4457,10 @@ void ssl_update_cache(SSL_CONNECTION *s, int mode) - - /* - * If the session_id_length is 0, we are not supposed to cache it, and it -- * would be rather hard to do anyway :-) -+ * would be rather hard to do anyway :-). Also if the session has already -+ * been marked as not_resumable we should not cache it for later reuse. - */ --if (s->session->session_id_length == 0) -+if (s->session->session_id_length == 0 || s->session->not_resumable) - return; - - /* -diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c -index 3dcc4d81e5bc6..1fa6d17c46863 100644 a/ssl/ssl_sess.c -+++ b/ssl/ssl_sess.c -@@ -127,16 +127,11 @@ SSL_SESSION *SSL_SESSION_new(void) - return ss; - } - --SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src) --{ --return ssl_session_dup(src, 1); --} -- - /* - * Create a new SSL_SESSION and duplicate the contents of |src| into it. If - * ticket == 0 then no ticket information is duplicated, otherwise it is. - */ --SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket) -+static SSL_SESSION *ssl_session_dup_intern(const SSL_SESSION *src, int ticket) - { - SSL_SESSION *dest; - -@@ -265,6 +260,27 @@ SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket) - return NULL; - } - -+SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src) -+{ -+return ssl_session_dup_intern(src, 1); -+} -+ -+/* -+ * Used internally when duplicating a session which might be already shared. 
-+ * We will have
[OE-core][kirkstone][PATCH] openssl: Upgrade 3.0.13 -> 3.0.14
CVE's Fixed by upgrade: CVE-2024-4741: Fixed potential use after free after SSL_free_buffers() is called CVE-2024-4603: Fixed an issue where checking excessively long DSA keys or parameters may be very slow CVE-2024-2511: Fixed unbounded memory growth with session handling in TLSv1.3 Removed backports of CVE-2024-2511 and CVE-2024-4603 as they are already fixed. Detailed Information: https://github.com/openssl/openssl/blob/openssl-3.0/CHANGES.md#changes-between-3013-and-3014-4-jun-2024 Signed-off-by: Siddharth Doshi --- .../openssl/openssl/CVE-2024-2511.patch | 122 .../openssl/openssl/CVE-2024-4603.patch | 180 -- .../{openssl_3.0.13.bb => openssl_3.0.14.bb} | 4 +- 3 files changed, 1 insertion(+), 305 deletions(-) delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-2511.patch delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-4603.patch rename meta/recipes-connectivity/openssl/{openssl_3.0.13.bb => openssl_3.0.14.bb} (98%) diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-2511.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-2511.patch deleted file mode 100644 index 8aea686205..00 --- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-2511.patch +++ /dev/null 
@@ -1,122 +0,0 @@ -From b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Tue, 5 Mar 2024 15:43:53 + -Subject: [PATCH] Fix unconstrained session cache growth in TLSv1.3 - -In TLSv1.3 we create a new session object for each ticket that we send. -We do this by duplicating the original session. If SSL_OP_NO_TICKET is in -use then the new session will be added to the session cache. However, if -early data is not in use (and therefore anti-replay protection is being -used), then multiple threads could be resuming from the same session -simultaneously. If this happens and a problem occurs on one of the threads, -then the original session object could be marked as not_resumable. When we -duplicate the session object this not_resumable status gets copied into the -new session object. The new session object is then added to the session -cache even though it is not_resumable. - -Subsequently, another bug means that the session_id_length is set to 0 for -sessions that are marked as not_resumable - even though that session is -still in the cache. Once this happens the session can never be removed from -the cache. When that object gets to be the session cache tail object the -cache never shrinks again and grows indefinitely. 
- -CVE-2024-2511 - -Reviewed-by: Neil Horman -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/24044) - -(cherry picked from commit 7e4d731b1c07201ad9374c1cd9ac5263bdf35bce) - -CVE: CVE-2024-2511 -Upstream-Status: Backport [https://github.com/openssl/openssl/commit/b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d] -Signed-off-by: Peter Marko - ssl/ssl_lib.c| 5 +++-- - ssl/ssl_sess.c | 28 ++-- - ssl/statem/statem_srvr.c | 5 ++--- - 3 files changed, 27 insertions(+), 11 deletions(-) - -diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c -index 2c8479eb5fc69..eed649c6fdee9 100644 a/ssl/ssl_lib.c -+++ b/ssl/ssl_lib.c -@@ -3736,9 +3736,10 @@ void ssl_update_cache(SSL *s, int mode) - - /* - * If the session_id_length is 0, we are not supposed to cache it, and it -- * would be rather hard to do anyway :-) -+ * would be rather hard to do anyway :-). Also if the session has already -+ * been marked as not_resumable we should not cache it for later reuse. - */ --if (s->session->session_id_length == 0) -+if (s->session->session_id_length == 0 || s->session->not_resumable) - return; - - /* -diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c -index d836b33ed0e81..75adbd9e52b40 100644 a/ssl/ssl_sess.c -+++ b/ssl/ssl_sess.c -@@ -152,16 +152,11 @@ SSL_SESSION *SSL_SESSION_new(void) - return ss; - } - --SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src) --{ --return ssl_session_dup(src, 1); --} -- - /* - * Create a new SSL_SESSION and duplicate the contents of |src| into it. If - * ticket == 0 then no ticket information is duplicated, otherwise it is. 
- */ --SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket) -+static SSL_SESSION *ssl_session_dup_intern(const SSL_SESSION *src, int ticket) - { - SSL_SESSION *dest; - -@@ -285,6 +280,27 @@ SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket) - return NULL; - } - -+SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src) -+{ -+return ssl_session_dup_intern(src, 1); -+} -+ -+/* -+ * Used internally when duplicating a session which might be already shared. -+ * We will have resumed the original session. Subsequently we might have marked -+ * it as non-resumable (e.g. in another thread) - but this copy should be ok to -+ * resume from. -+ */ -+SSL_SESSION
[OE-core][scarthgap][PATCHv2] openssl: Security fix for CVE-2024-4741
From: Siddharth Doshi Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/c88c3de51020c37e8706bf7a682a162593053aac, https://github.com/openssl/openssl/commit/10171e5b511b700c5ecd4fd3e1086b19c34b1ae3, https://github.com/openssl/openssl/commit/ec87bc54c8ccc13caa29bc7f74ae84d78ffa1f5e, https://github.com/openssl/openssl/commit/d0f5a122ba271c9c848e16970249f61b3fc11b2b, https://github.com/openssl/openssl/commit/d03e6fdf54ea41fb35e0499134eb3a7f831b] CVE's Fixed: CVE-2024-4741:Use After Free with SSL_free_buffers Signed-off-by: Siddharth Doshi --- .../openssl/openssl/CVE-2024-4741_1.patch | 43 .../openssl/openssl/CVE-2024-4741_2.patch | 52 + .../openssl/openssl/CVE-2024-4741_3.patch | 137 .../openssl/openssl/CVE-2024-4741_4.patch | 124 +++ .../openssl/openssl/CVE-2024-4741_5.patch | 205 ++ .../openssl/openssl_3.2.1.bb | 5 + 6 files changed, 566 insertions(+) create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-4741_1.patch create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-4741_2.patch create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-4741_3.patch create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-4741_4.patch create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-4741_5.patch diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-4741_1.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-4741_1.patch new file mode 100644 index 00..6987220c35 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2024-4741_1.patch 
@@ -0,0 +1,43 @@ +From fe3eeaab1b2b5c9f9240a5ebafa5057a3211c3d0 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Tue, 23 Apr 2024 16:34:46 +0100 +Subject: [PATCH 1/5] Only free the read buffers if we're not using them + +If we're part way through processing a record, or the application has +not released all the records then we should not free our buffer because +they are still needed. + +CVE-2024-4741 + +Reviewed-by: Tomas Mraz +Reviewed-by: Neil Horman +(Merged from https://github.com/openssl/openssl/pull/24395) + +(cherry picked from commit 38690cab18de88198f46478565fab423cf534efa) + +Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/c88c3de51020c37e8706bf7a682a162593053aac] +CVE: CVE-2024-4741 +Signed-off-by: Siddharth Doshi +--- + ssl/record/methods/tls_common.c | 5 - + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/ssl/record/methods/tls_common.c b/ssl/record/methods/tls_common.c +index 08e519a..f46da0f 100644 +--- a/ssl/record/methods/tls_common.c b/ssl/record/methods/tls_common.c +@@ -2129,7 +2129,10 @@ int tls_free_buffers(OSSL_RECORD_LAYER *rl) + /* Read direction */ + + /* If we have pending data to be read then fail */ +-if (rl->curr_rec < rl->num_recs || TLS_BUFFER_get_left(>rbuf) != 0) ++if (rl->curr_rec < rl->num_recs ++|| rl->curr_rec != rl->num_released ++|| TLS_BUFFER_get_left(>rbuf) != 0 ++|| rl->rstate == SSL_ST_READ_BODY) + return 0; + + return tls_release_read_buffer(rl); +-- +2.44.0 + diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-4741_2.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-4741_2.patch new file mode 100644 index 00..6d455264ff --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2024-4741_2.patch 
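Review bot: The `From fe3eeaab1b2b5c9f9240a5ebafa5057a3211c3d0` header at the top of the new CVE-2024-4741_1.patch does not match the commit named in the file's own `Upstream-Status: Backport from [.../commit/c88c3de51020c37e8706bf7a682a162593053aac]` line, so a reviewer cannot confirm by hash that the file is that upstream commit unmodified. This presumably means the patch was re-exported from a local branch rather than from the openssl-3.2 commit; if it applied without changes, regenerating it with `git format-patch -1 c88c3de51020c37e8706bf7a682a162593053aac` would make the two agree, and if it had to be adjusted, a one-line note under the Upstream-Status line such as `Adjusted for OE-core: <what was changed>` would record that for the next person auditing the backport. The same mismatch appears in the CVE-2024-4741.patch hunk of the earlier single-patch scarthgap submission further down (`From 9c24e8a8...` against the same c88c3de5 URL) and in the _2.patch hunk that follows this one (`From af2a2a9b...` against 10171e5b...).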
@@ -0,0 +1,52 @@ +From af2a2a9b4a6504891de7225ad12dba799cc2f1d3 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Tue, 23 Apr 2024 16:36:11 +0100 +Subject: [PATCH 2/5] Set rl->packet to NULL after we've finished using it + +In order to ensure we do not have a UAF we reset the rl->packet pointer +to NULL after we free it. + +Follow on from CVE-2024-4741 + +Reviewed-by: Tomas Mraz +Reviewed-by: Neil Horman +(Merged from https://github.com/openssl/openssl/pull/24395) + +(cherry picked from commit bfb8128190632092b3a66465838b87b469455cec) + +Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/10171e5b511b700c5ecd4fd3e1086b19c34b1ae3] +CVE: CVE-2024-4741 +Signed-off-by: Siddharth Doshi +--- + ssl/record/methods/tls_common.c | 8 + 1 file changed, 8 insertions(+) + +diff --git a/ssl/record/methods/tls_common.c b/ssl/record/methods/tls_common.c +index f46da0f..4cc432e 100644 +--- a/ssl/record/methods/tls_common.c b/ssl/record/methods/tls_common.c +@@ -283,6 +283,8 @@ static int tls_release_read_buffer(OSSL_RECORD_LAYER *rl) + OPENSSL_cleanse(b->buf, b->len); + OPENSSL_free(b->buf); + b->buf = NULL; ++rl->packet = NULL; ++rl->packet_length = 0; + return 1; + } + +@@ -325,6 +327,12 @@ int tls_default_read_n(OSSL_RECORD_LAYER *rl, size_t n, size_t max, int extend, + /* ... now we can act as if 'extend' was set */ + } + ++if (!ossl_assert(rl->packet != NULL)) { ++
[OE-core][kirkstone][PATCHv2] openssl: Security fix for CVE-2024-4741
From: Siddharth Doshi Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/b3f0eb0a295f58f16ba43ba99dad70d4ee5c437d, https://github.com/openssl/openssl/commit/2d05959073c4bf8803401668b9df85931a08e020, https://github.com/openssl/openssl/commit/6fef334f914abfcd988e53a32d19f01d84529f74, https://github.com/openssl/openssl/commit/1359c00e683840154760b7ba9204bad1b13dc074, https://github.com/openssl/openssl/commit/d095674320c84b8ed1250715b1dd5ce05f9f267b] CVE's Fixed: CVE-2024-4741:Use After Free with SSL_free_buffers Signed-off-by: Siddharth Doshi --- .../openssl/openssl/CVE-2024-4741_1.patch | 76 +++ .../openssl/openssl/CVE-2024-4741_2.patch | 56 + .../openssl/openssl/CVE-2024-4741_3.patch | 137 .../openssl/openssl/CVE-2024-4741_4.patch | 122 +++ .../openssl/openssl/CVE-2024-4741_5.patch | 205 ++ .../openssl/openssl_3.0.13.bb | 5 + 6 files changed, 601 insertions(+) create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-4741_1.patch create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-4741_2.patch create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-4741_3.patch create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-4741_4.patch create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-4741_5.patch diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-4741_1.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-4741_1.patch new file mode 100644 index 00..0753fa222c --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2024-4741_1.patch 
@@ -0,0 +1,76 @@ +From b3f0eb0a295f58f16ba43ba99dad70d4ee5c437d Mon Sep 17 00:00:00 2001 +From: Watson Ladd +Date: Wed, 24 Apr 2024 11:26:56 +0100 +Subject: [PATCH] Only free the read buffers if we're not using them + +If we're part way through processing a record, or the application has +not released all the records then we should not free our buffer because +they are still needed. + +CVE-2024-4741 + +Reviewed-by: Tomas Mraz +Reviewed-by: Neil Horman +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/24395) + +(cherry picked from commit 704f725b96aa373ee45ecfb23f6abfe8be8d9177) + +Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/b3f0eb0a295f58f16ba43ba99dad70d4ee5c437d] +CVE: CVE-2024-4741 +Signed-off-by: Siddharth Doshi +--- + ssl/record/rec_layer_s3.c | 9 + + ssl/record/record.h | 1 + + ssl/ssl_lib.c | 3 +++ + 3 files changed, 13 insertions(+) + +diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c +index 4bcffcc..1569997 100644 +--- a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c +@@ -81,6 +81,15 @@ int RECORD_LAYER_read_pending(const RECORD_LAYER *rl) + return SSL3_BUFFER_get_left(>rbuf) != 0; + } + ++int RECORD_LAYER_data_present(const RECORD_LAYER *rl) ++{ ++if (rl->rstate == SSL_ST_READ_BODY) ++return 1; ++if (RECORD_LAYER_processed_read_pending(rl)) ++return 1; ++return 0; ++} ++ + /* Checks if we have decrypted unread record data pending */ + int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl) + { +diff --git a/ssl/record/record.h b/ssl/record/record.h +index 234656b..b60f71c 100644 +--- a/ssl/record/record.h b/ssl/record/record.h +@@ -205,6 +205,7 @@ void RECORD_LAYER_release(RECORD_LAYER *rl); + int RECORD_LAYER_read_pending(const RECORD_LAYER *rl); + int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl); + int RECORD_LAYER_write_pending(const RECORD_LAYER *rl); ++int RECORD_LAYER_data_present(const RECORD_LAYER *rl); + void 
RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl); + void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl); + int RECORD_LAYER_is_sslv2_record(RECORD_LAYER *rl); +diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c +index eed649c..d14c55a 100644 +--- a/ssl/ssl_lib.c b/ssl/ssl_lib.c +@@ -5492,6 +5492,9 @@ int SSL_free_buffers(SSL *ssl) + if (RECORD_LAYER_read_pending(rl) || RECORD_LAYER_write_pending(rl)) + return 0; + ++if (RECORD_LAYER_data_present(rl)) ++return 0; ++ + RECORD_LAYER_release(rl); + return 1; + } +-- +2.25.1 + diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-4741_2.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-4741_2.patch new file mode 100644 index 00..30a74c5ca4 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2024-4741_2.patch @@ -0,0 +1,56 @@ +From 2d05959073c4bf8803401668b9df85931a08e020 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Wed, 24 Apr 2024 11:33:41 +0100 +Subject: [PATCH] Set rlayer.packet to NULL after we've finished using it + +In order to ensure we do not have a UAF we reset the rlayer.packet pointer +to NULL after we free it. + +CVE-2024-4741 + +Reviewed-by: Tomas Mraz +Reviewed-by: Neil Horman
Re: [OE-core] [kirkstone][PATCH] openssl: Security fix for CVE-2024-4741
>> Nitpick : above commit link references commit for CVE-2024-4603 (copy+paste >> error). - Ahh, that's silly of me. Guess the cup of coffee didn't take away the drowsiness completely. Thank you for pointing it out. >> The main problem of this patch (and the same patch for scarthgap) is that >> it's picking only one out of 5 commits referencing this CVE. - That definitely makes sense. I just followed the fix links from https://openssl.org/news/vulnerabilities.html and didn't dive deeper. - I will send a v2 by tomorrow. -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#200214): https://lists.openembedded.org/g/openembedded-core/message/200214 Mute This Topic: https://lists.openembedded.org/mt/106446509/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core][kirkstone][PATCH] openssl: Security fix for CVE-2024-4741
From: Siddharth Doshi Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/3559e868e58005d15c6013a0c1fd832e51c73397] CVE's Fixed: CVE-2024-4741:Use After Free with SSL_free_buffers Signed-off-by: Siddharth Doshi --- .../openssl/openssl/CVE-2024-4741.patch | 76 +++ .../openssl/openssl_3.0.13.bb | 1 + 2 files changed, 77 insertions(+) create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-4741.patch diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-4741.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-4741.patch new file mode 100644 index 00..2fbc55b48a --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2024-4741.patch 
@@ -0,0 +1,76 @@ +From b3f0eb0a295f58f16ba43ba99dad70d4ee5c437d Mon Sep 17 00:00:00 2001 +From: Watson Ladd +Date: Wed, 24 Apr 2024 11:26:56 +0100 +Subject: [PATCH] Only free the read buffers if we're not using them + +If we're part way through processing a record, or the application has +not released all the records then we should not free our buffer because +they are still needed. + +CVE-2024-4741 + +Reviewed-by: Tomas Mraz +Reviewed-by: Neil Horman +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/24395) + +(cherry picked from commit 704f725b96aa373ee45ecfb23f6abfe8be8d9177) + +Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/b3f0eb0a295f58f16ba43ba99dad70d4ee5c437d] +CVE: CVE-2024-4741 +Signed-off-by: Siddharth Doshi +--- + ssl/record/rec_layer_s3.c | 9 + + ssl/record/record.h | 1 + + ssl/ssl_lib.c | 3 +++ + 3 files changed, 13 insertions(+) + +diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c +index 4bcffcc..1569997 100644 +--- a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c +@@ -81,6 +81,15 @@ int RECORD_LAYER_read_pending(const RECORD_LAYER *rl) + return SSL3_BUFFER_get_left(>rbuf) != 0; + } + ++int RECORD_LAYER_data_present(const RECORD_LAYER *rl) ++{ ++if (rl->rstate == SSL_ST_READ_BODY) ++return 1; ++if (RECORD_LAYER_processed_read_pending(rl)) ++return 1; ++return 0; ++} ++ + /* Checks if we have decrypted unread record data pending */ + int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl) + { +diff --git a/ssl/record/record.h b/ssl/record/record.h +index 234656b..b60f71c 100644 +--- a/ssl/record/record.h b/ssl/record/record.h +@@ -205,6 +205,7 @@ void RECORD_LAYER_release(RECORD_LAYER *rl); + int RECORD_LAYER_read_pending(const RECORD_LAYER *rl); + int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl); + int RECORD_LAYER_write_pending(const RECORD_LAYER *rl); ++int RECORD_LAYER_data_present(const RECORD_LAYER *rl); + void 
RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl); + void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl); + int RECORD_LAYER_is_sslv2_record(RECORD_LAYER *rl); +diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c +index 2c8479e..131eaac 100644 +--- a/ssl/ssl_lib.c b/ssl/ssl_lib.c +@@ -5491,6 +5491,9 @@ int SSL_free_buffers(SSL *ssl) + if (RECORD_LAYER_read_pending(rl) || RECORD_LAYER_write_pending(rl)) + return 0; + ++if (RECORD_LAYER_data_present(rl)) ++return 0; ++ + RECORD_LAYER_release(rl); + return 1; + } +-- +2.35.7 + diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.13.bb b/meta/recipes-connectivity/openssl/openssl_3.0.13.bb index 87ab4047d9..46f02aa20a 100644 --- a/meta/recipes-connectivity/openssl/openssl_3.0.13.bb +++ b/meta/recipes-connectivity/openssl/openssl_3.0.13.bb @@ -14,6 +14,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ file://0001-Configure-do-not-tweak-mips-cflags.patch \ file://CVE-2024-2511.patch \ file://CVE-2024-4603.patch \ + file://CVE-2024-4741.patch \ " SRC_URI:append:class-nativesdk = " \ -- 2.34.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#200212): https://lists.openembedded.org/g/openembedded-core/message/200212 Mute This Topic: https://lists.openembedded.org/mt/106446509/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core][scarthgap][PATCH] openssl: Security fix for CVE-2024-4741
From: Siddharth Doshi Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/c88c3de51020c37e8706bf7a682a162593053aac] CVE's Fixed: CVE-2024-4741:Use After Free with SSL_free_buffers Signed-off-by: Siddharth Doshi --- .../openssl/openssl/CVE-2024-4741.patch | 44 +++ .../openssl/openssl_3.2.1.bb | 1 + 2 files changed, 45 insertions(+) create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-4741.patch diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-4741.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-4741.patch new file mode 100644 index 00..4cb9806c75 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2024-4741.patch 
@@ -0,0 +1,44 @@ +From 9c24e8a8e04d4bb6de5198bc40a0bdbd860aded0 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Tue, 23 Apr 2024 16:34:46 +0100 +Subject: [PATCH] Only free the read buffers if we're not using them + +If we're part way through processing a record, or the application has +not released all the records then we should not free our buffer because +they are still needed. + +CVE-2024-4741 + +Reviewed-by: Tomas Mraz +Reviewed-by: Neil Horman +(Merged from https://github.com/openssl/openssl/pull/24395) + +(cherry picked from commit 38690cab18de88198f46478565fab423cf534efa) + +Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/c88c3de51020c37e8706bf7a682a162593053aac] +CVE: CVE-2024-4741 +Signed-off-by: Siddharth Doshi + +--- + ssl/record/methods/tls_common.c | 5 - + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/ssl/record/methods/tls_common.c b/ssl/record/methods/tls_common.c +index 08e519a..f46da0f 100644 +--- a/ssl/record/methods/tls_common.c b/ssl/record/methods/tls_common.c +@@ -2129,7 +2129,10 @@ int tls_free_buffers(OSSL_RECORD_LAYER *rl) + /* Read direction */ + + /* If we have pending data to be read then fail */ +-if (rl->curr_rec < rl->num_recs || TLS_BUFFER_get_left(>rbuf) != 0) ++if (rl->curr_rec < rl->num_recs ++|| rl->curr_rec != rl->num_released ++|| TLS_BUFFER_get_left(>rbuf) != 0 ++|| rl->rstate == SSL_ST_READ_BODY) + return 0; + + return tls_release_read_buffer(rl); +-- +2.44.0 + diff --git a/meta/recipes-connectivity/openssl/openssl_3.2.1.bb b/meta/recipes-connectivity/openssl/openssl_3.2.1.bb index 9bdf7e1ec6..c1f5591f8e 100644 --- a/meta/recipes-connectivity/openssl/openssl_3.2.1.bb +++ b/meta/recipes-connectivity/openssl/openssl_3.2.1.bb 
@@ -15,6 +15,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ file://bti.patch \ file://CVE-2024-2511.patch \ file://CVE-2024-4603.patch \ + file://CVE-2024-4741.patch \ " SRC_URI:append:class-nativesdk = " \ -- 2.34.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#200211): https://lists.openembedded.org/g/openembedded-core/message/200211 Mute This Topic: https://lists.openembedded.org/mt/106446429/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core][kirkstone][PATCH] libx11: Security Fix for CVE-2023-43785, CVE-2023-43786 and CVE-2023-43787
From: Siddharth Doshi CVE's Fixed: CVE-2023-43785: libX11: out-of-bounds memory access in _XkbReadKeySyms() CVE-2023-43786: libX11: stack exhaustion from infinite recursion in PutSubImage() CVE-2023-43787: libX11: integer overflow in XCreateImage() leading to a heap overflow Signed-off-by: Siddharth Doshi --- .../xorg-lib/libx11/CVE-2023-43785.patch | 62 ++ .../xorg-lib/libx11/CVE-2023-43786-0001.patch | 41 .../xorg-lib/libx11/CVE-2023-43786-0002.patch | 45 + .../xorg-lib/libx11/CVE-2023-43786-0003.patch | 51 +++ .../xorg-lib/libx11/CVE-2023-43787.patch | 63 +++ .../xorg-lib/libx11_1.7.3.1.bb| 5 ++ 6 files changed, 267 insertions(+) create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-0001.patch create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-0002.patch create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-0003.patch create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787.patch diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch new file mode 100644 index 00..64f8776cc9 --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch 
@@ -0,0 +1,62 @@ +From 6858d468d9ca55fb4c5fd70b223dbc78a3358a7f Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Sun, 17 Sep 2023 14:19:40 -0700 +Subject: [PATCH] CVE-2023-43785: out-of-bounds memory access in + _XkbReadKeySyms() + +Make sure we allocate enough memory in the first place, and +also handle error returns from _XkbReadBufferCopyKeySyms() when +it detects out-of-bounds issues. + +Reported-by: Gregory James DUCK +Signed-off-by: Alan Coopersmith + +Upstream-Status: Backport from [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/6858d468d9ca55fb4c5fd70b223dbc78a3358a7f] +CVE: CVE-2023-43785 +Signed-off-by: Siddharth Doshi +--- + src/xkb/XKBGetMap.c | 14 +- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c +index 2891d21..31199e4 100644 +--- a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c +@@ -182,7 +182,8 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep) + if (offset + newMap->nSyms >= map->size_syms) { + register int sz; + +-sz = map->size_syms + 128; ++sz = offset + newMap->nSyms; ++sz = ((sz + (unsigned) 128) / 128) * 128; + _XkbResizeArray(map->syms, map->size_syms, sz, KeySym); + if (map->syms == NULL) { + map->size_syms = 0; +@@ -191,8 +192,9 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep) + map->size_syms = sz; + } + if (newMap->nSyms > 0) { +-_XkbReadBufferCopyKeySyms(buf, (KeySym *) >syms[offset], +- newMap->nSyms); ++if (_XkbReadBufferCopyKeySyms(buf, (KeySym *) >syms[offset], ++ newMap->nSyms) == 0) ++return BadLength; + offset += newMap->nSyms; + } + else { +@@ -222,8 +224,10 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep) + newSyms = XkbResizeKeySyms(xkb, i + rep->firstKeySym, tmp); + if (newSyms == NULL) + return BadAlloc; +-if (newMap->nSyms > 0) +-_XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms); ++if (newMap->nSyms > 0) { ++if (_XkbReadBufferCopyKeySyms(buf, newSyms, 
newMap->nSyms) == 0) ++return BadLength; ++} + else + newSyms[0] = NoSymbol; + oldMap->kt_index[0] = newMap->ktIndex[0]; +-- +2.35.7 + diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-0001.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-0001.patch new file mode 100644 index 00..db5b7067aa --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-0001.patch @@ -0,0 +1,41 @@ +From 204c3393c4c90a29ed6bef64e43849536e863a86 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Thu, 7 Sep 2023 15:54:30 -0700 +Subject: [PATCH] CVE-2023-43786: stack exhaustion from infinite recursion in + PutSubImage() + +When splitting a single line of pixels into chunks to send to the +X server, be sure to take into account the number of bits per pixel, +so we don't just loop forever trying to send more pixels than fit in +the given request size and not breaking them down into a small enough +chunk to fix. + +Fixes: "almost complete rewrite" (Dec. 12, 1987) from X11R2 +Signed-off-by: Alan
[OE-core][dunfell][PATCH] vim: Upgrade 9.0.2009 -> 9.0.2048
From: Siddharth Doshi This includes CVE fix for CVE-2023-5535. Signed-off-by: Siddharth Doshi --- meta/recipes-support/vim/vim.inc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 51247cbe0a..d8e88af22e 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -19,8 +19,8 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \
 file://no-path-adjust.patch \
 "
 
-PV .= ".2009"
-SRCREV = "54844857fd6933fa4f6678e47610c4b9c9f7a091"
+PV .= ".2048"
+SRCREV = "982ef16059bd163a77271107020defde0740bbd6"
 
 # Remove when 8.3 is out
 UPSTREAM_VERSION_UNKNOWN = "1"
-- 2.34.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#189426): https://lists.openembedded.org/g/openembedded-core/message/189426 Mute This Topic: https://lists.openembedded.org/mt/102054886/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core][mickledore][PATCH] vim: Upgrade 9.0.2009 -> 9.0.2048
From: Siddharth Doshi This includes CVE fix for CVE-2023-5535. Signed-off-by: Siddharth Doshi --- meta/recipes-support/vim/vim.inc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 5e06866692..58025828f2 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -19,8 +19,8 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \
 file://no-path-adjust.patch \
 "
 
-PV .= ".2009"
-SRCREV = "54844857fd6933fa4f6678e47610c4b9c9f7a091"
+PV .= ".2048"
+SRCREV = "982ef16059bd163a77271107020defde0740bbd6"
 
 # Do not consider .z in x.y.z, as that is updated with every commit
 UPSTREAM_CHECK_GITTAGREGEX = "(?P\d+\.\d+)\.0"
-- 2.34.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#189425): https://lists.openembedded.org/g/openembedded-core/message/189425 Mute This Topic: https://lists.openembedded.org/mt/102054453/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core][kirkstone][PATCH] vim: Upgrade 9.0.2009 -> 9.0.2048
From: Siddharth Doshi This includes CVE fix for CVE-2023-5535. Signed-off-by: Siddharth Doshi --- meta/recipes-support/vim/vim.inc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 5e06866692..58025828f2 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -19,8 +19,8 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \
 file://no-path-adjust.patch \
 "
 
-PV .= ".2009"
-SRCREV = "54844857fd6933fa4f6678e47610c4b9c9f7a091"
+PV .= ".2048"
+SRCREV = "982ef16059bd163a77271107020defde0740bbd6"
 
 # Do not consider .z in x.y.z, as that is updated with every commit
 UPSTREAM_CHECK_GITTAGREGEX = "(?P\d+\.\d+)\.0"
-- 2.34.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#189424): https://lists.openembedded.org/g/openembedded-core/message/189424 Mute This Topic: https://lists.openembedded.org/mt/102054450/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core][master][PATCH] vim: Upgrade 9.0.2009 -> 9.0.2048
From: Siddharth Doshi This includes CVE fix for CVE-2023-5535. Signed-off-by: Siddharth Doshi --- meta/recipes-support/vim/vim.inc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 5e06866692..58025828f2 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -19,8 +19,8 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \
 file://no-path-adjust.patch \
 "
 
-PV .= ".2009"
-SRCREV = "54844857fd6933fa4f6678e47610c4b9c9f7a091"
+PV .= ".2048"
+SRCREV = "982ef16059bd163a77271107020defde0740bbd6"
 
 # Do not consider .z in x.y.z, as that is updated with every commit
 UPSTREAM_CHECK_GITTAGREGEX = "(?P\d+\.\d+)\.0"
-- 2.34.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#189397): https://lists.openembedded.org/g/openembedded-core/message/189397 Mute This Topic: https://lists.openembedded.org/mt/102040997/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core][kirkstone][PATCH] tiff: Security fix for CVE-2023-40745
From: Siddharth Doshi Upstream-Status: Backport from [https://gitlab.com/libtiff/libtiff/-/commit/4fc16f649fa2875d5c388cf2edc295510a247ee5] CVE: CVE-2023-40745 Signed-off-by: Siddharth Doshi --- .../libtiff/tiff/CVE-2023-40745.patch | 34 +++ meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | 1 + 2 files changed, 35 insertions(+) create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-40745.patch diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-40745.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-40745.patch new file mode 100644 index 00..cb4656fd46 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-40745.patch @@ -0,0 +1,34 @@ +From 4fc16f649fa2875d5c388cf2edc295510a247ee5 Mon Sep 17 00:00:00 2001 +From: Arie Haenel +Date: Wed, 19 Jul 2023 19:34:25 + +Subject: [PATCH] tiffcp: fix memory corruption (overflow) on hostile images + (fixes #591) + +Upstream-Status: Backport from [https://gitlab.com/libtiff/libtiff/-/commit/4fc16f649fa2875d5c388cf2edc295510a247ee5] +CVE: CVE-2023-40745 +Signed-off-by: Siddharth Doshi +--- + tools/tiffcp.c | 7 +++ + 1 file changed, 7 insertions(+) + +diff --git a/tools/tiffcp.c b/tools/tiffcp.c +index 57eef90..34b6ef2 100644 +--- a/tools/tiffcp.c b/tools/tiffcp.c +@@ -1577,6 +1577,13 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer) + TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)"); + return 0; + } ++ ++ if ( (imagew - tilew * spp) > INT_MAX ){ ++ TIFFError(TIFFFileName(in), ++"Error, image raster scan line size is too large"); ++ return 0; ++ } ++ + iskew = imagew - tilew*spp; + tilebuf = limitMalloc(tilesize); + if (tilebuf == 0) +-- +2.25.1 + diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb index 61d8142e41..9071b407cf 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb 
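Review bot: The added guard `if ( (imagew - tilew * spp) > INT_MAX )` only bounds the difference from above, so it presumably relies on the preceding "cannot handle that much samples per tile row" check to have already rejected the case where `tilew * spp` exceeds `imagew`; the operand types are not visible in the hunk, and if they are signed a negative difference would pass the new check and still reach `iskew = imagew - tilew*spp;`. A one-line comment tying the two checks together, e.g. `/* fits the narrower iskew; the check above is expected to keep this non-negative */`, would help whoever refreshes this backport against a newer libtiff. The error message is a plain string, which is fine, but the brace and spacing style of the new block differs from the surrounding code. readSeparateTilesIntoBuffer continues outside the hunk.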
@@ -43,6 +43,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
 file://CVE-2023-3618-1.patch \
 file://CVE-2023-3618-2.patch \
 file://CVE-2023-26966.patch \
+ file://CVE-2023-40745.patch \
 "
 
 SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"
-- 2.34.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#189343): https://lists.openembedded.org/g/openembedded-core/message/189343 Mute This Topic: https://lists.openembedded.org/mt/102020787/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core][dunfell][PATCH 2/2] libxpm: upgrade to 3.5.17
From: Siddharth Doshi - This upgrade includes multiple security fixes. CVE-2022-4883 CVE-2022-44617 CVE-2022-46285 CVE-2022-44617 CVE-2023-43788 CVE-2023-43789 - Removed CVE-2022-46285 as it is already fixed by this upgrade. - License-update: additional copyright holders f0857c0 man pages: Correct Copyright/License notices Due to this commit LIC_FILES_CHKSUM is changed - Disable reading compressed files as that requires compress/uncompress executables. Following the approach in oe-core/master: 7de4084634 libxpm: upgrade 3.5.14 -> 3.5.15 - Add XORG_EXT to specify tar.xz as upstream has switched from bz2 to xz compression. Signed-off-by: Siddharth Doshi --- .../xorg-lib/libxpm/CVE-2022-46285.patch | 40 --- .../{libxpm_3.5.13.bb => libxpm_3.5.17.bb}| 9 ++--- 2 files changed, 4 insertions(+), 45 deletions(-) delete mode 100644 meta/recipes-graphics/xorg-lib/libxpm/CVE-2022-46285.patch rename meta/recipes-graphics/xorg-lib/{libxpm_3.5.13.bb => libxpm_3.5.17.bb} (68%) diff --git a/meta/recipes-graphics/xorg-lib/libxpm/CVE-2022-46285.patch b/meta/recipes-graphics/xorg-lib/libxpm/CVE-2022-46285.patch deleted file mode 100644 index e8b654dfb2..00 --- a/meta/recipes-graphics/xorg-lib/libxpm/CVE-2022-46285.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -CVE: CVE-2022-46285 -Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/a3a7c6dcc3b629d7650148 ] -Signed-off-by: Lee Chee Yang - -From a3a7c6dcc3b629d765014816c566c63165c63ca8 Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Sat, 17 Dec 2022 12:23:45 -0800 -Subject: [PATCH] Fix CVE-2022-46285: Infinite loop on unclosed comments - -When reading XPM images from a file with libXpm 3.5.14 or older, if a -comment in the file is not closed (i.e. a C-style comment starts with -"/*" and is missing the closing "*/"), the ParseComment() function will -loop forever calling getc() to try to read the rest of the comment, -failing to notice that it has returned EOF, which may cause a denial of -service to the calling program. - -Reported-by: Marco Ivaldi -Signed-off-by: Alan Coopersmith - src/data.c | 4 - 1 file changed, 4 insertions(+) - -diff --git a/src/data.c b/src/data.c -index 898889c..bfad4ff 100644 a/src/data.c -+++ b/src/data.c -@@ -174,6 +174,10 @@ ParseComment(xpmData *data) - notend = 0; - Ungetc(data, *s, file); - } -+ else if (c == EOF) { -+ /* hit end of file before the end of the comment */ -+ return XpmFileInvalid; -+ } - } - return 0; - } --- -GitLab - diff --git a/meta/recipes-graphics/xorg-lib/libxpm_3.5.13.bb b/meta/recipes-graphics/xorg-lib/libxpm_3.5.17.bb similarity index 68% rename from meta/recipes-graphics/xorg-lib/libxpm_3.5.13.bb rename to meta/recipes-graphics/xorg-lib/libxpm_3.5.17.bb index 8937e61cb5..4694f911be 100644 --- a/meta/recipes-graphics/xorg-lib/libxpm_3.5.13.bb +++ b/meta/recipes-graphics/xorg-lib/libxpm_3.5.17.bb 
@@ -11,19 +11,18 @@ an extension of the monochrome XBM bitmap specificied in the X \ protocol." LICENSE = "MIT" -LIC_FILES_CHKSUM = "file://COPYING;md5=51f4270b012ecd4ab1a164f5f4ed6cf7" +LIC_FILES_CHKSUM = "file://COPYING;md5=903942ebc9d807dfb68540f40bae5aff" DEPENDS += "libxext libsm libxt gettext-native" PE = "1" XORG_PN = "libXpm" +XORG_EXT = "tar.xz" +EXTRA_OECONF += "--disable-open-zfile" PACKAGES =+ "sxpm cxpm" FILES_cxpm = "${bindir}/cxpm" FILES_sxpm = "${bindir}/sxpm" -SRC_URI += " file://CVE-2022-46285.patch" - -SRC_URI[md5sum] = "6f0ecf8d103d528cfc803aa475137afa" -SRC_URI[sha256sum] = "9cd1da57588b6cb71450eff2273ef6b657537a9ac4d02d0014228845b935ac25" +SRC_URI[sha256sum] = "64b31f81019e7d388c822b0b28af8d51c4622b83f1f0cb6fa3fc95e271226e43" BBCLASSEXTEND = "native" -- 2.34.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#189296): https://lists.openembedded.org/g/openembedded-core/message/189296 Mute This Topic: https://lists.openembedded.org/mt/101996977/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
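Review bot: `XORG_EXT = "tar.xz"` only changes the fetch URL once xorg-lib-common.inc expands `${XORG_EXT}` in SRC_URI, and on dunfell that expansion is introduced by PATCH 1/2 of this series; applied on its own, this recipe would still fetch a `.tar.bz2` while carrying a sha256sum that presumably belongs to the .xz tarball, so the two patches have to be merged together and the description could state that dependency. The new `EXTRA_OECONF += "--disable-open-zfile"` carries no explanation in the recipe itself; a comment such as `# Compressed-file support needs the compress/uncompress tools at runtime, which are not shipped` directly above it would keep the reason next to the switch, since the commit message is the only place it is recorded. The CVE list in the description also names CVE-2022-44617 twice.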
[OE-core][dunfell][PATCH 1/2] xorg-lib-common: Add variable to set tarball type
From: Siddharth Doshi Upstream has switched some new releases from bz2 to xz compression. Add an XORG_EXT variable so recipes can set the file name extension needed for the compression type. Following the approach in oe-core/master: 6a8068e036b4b2a40b38896275b936916b4db76e xorg-lib-common: Add variable to set tarball type use a variable for the tarball suffix/compression format. Signed-off-by: Robert Joslyn Signed-off-by: Alexandre Belloni Signed-off-by: Siddharth Doshi --- meta/recipes-graphics/xorg-lib/xorg-lib-common.inc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/meta/recipes-graphics/xorg-lib/xorg-lib-common.inc b/meta/recipes-graphics/xorg-lib/xorg-lib-common.inc index a566eaa45e..1e8525d874 100644 --- a/meta/recipes-graphics/xorg-lib/xorg-lib-common.inc +++ b/meta/recipes-graphics/xorg-lib/xorg-lib-common.inc @@ -6,8 +6,9 @@ LICENSE = "MIT-X" DEPENDS = "util-macros" XORG_PN = "${BPN}" +XORG_EXT ?= "tar.bz2" -SRC_URI = "${XORG_MIRROR}/individual/lib/${XORG_PN}-${PV}.tar.bz2" +SRC_URI = "${XORG_MIRROR}/individual/lib/${XORG_PN}-${PV}.${XORG_EXT}" S = "${WORKDIR}/${XORG_PN}-${PV}" -- 2.34.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#189295): https://lists.openembedded.org/g/openembedded-core/message/189295 Mute This Topic: https://lists.openembedded.org/mt/101996976/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core][kirkstone][PATCH] libxpm: upgrade to 3.5.17
From: Siddharth Doshi This release fixes the following CVEs: - CVE-2023-43788 - CVE-2023-43789 Signed-off-by: Ross Burton Signed-off-by: Siddharth Doshi --- .../xorg-lib/{libxpm_3.5.16.bb => libxpm_3.5.17.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-graphics/xorg-lib/{libxpm_3.5.16.bb => libxpm_3.5.17.bb} (88%)
diff --git a/meta/recipes-graphics/xorg-lib/libxpm_3.5.16.bb b/meta/recipes-graphics/xorg-lib/libxpm_3.5.17.bb
similarity index 88%
rename from meta/recipes-graphics/xorg-lib/libxpm_3.5.16.bb
rename to meta/recipes-graphics/xorg-lib/libxpm_3.5.17.bb
index 28a775c5f4..7bc494a690 100644
--- a/meta/recipes-graphics/xorg-lib/libxpm_3.5.16.bb
+++ b/meta/recipes-graphics/xorg-lib/libxpm_3.5.17.bb
@@ -23,6 +23,6 @@ PACKAGES =+ "sxpm cxpm"
 FILES:cxpm = "${bindir}/cxpm"
 FILES:sxpm = "${bindir}/sxpm"
 
-SRC_URI[sha256sum] = "e6bc5da7a69dbd9bcc67e87c93d4904fe2f5177a0711c56e71fa2f6eff649f51"
+SRC_URI[sha256sum] = "64b31f81019e7d388c822b0b28af8d51c4622b83f1f0cb6fa3fc95e271226e43"
 
 BBCLASSEXTEND = "native"
-- 2.34.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#189294): https://lists.openembedded.org/g/openembedded-core/message/189294 Mute This Topic: https://lists.openembedded.org/mt/101996754/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core][dunfell][PATCH] glib-2.0: Fix multiple vulnerabilities
From: Siddharth Doshi CVE's Fixed: CVE-2023-29499: glib: GVariant offset table entry size is not checked in is_normal() CVE-2023-32611: glib: g_variant_byteswap() can take a long time with some non-normal inputs CVE-2023-32636: glib: Timeout in fuzz_variant_text CVE-2023-32643: glib: Heap-buffer-overflow in g_variant_serialised_get_child CVE-2023-32665: glib: GVariant deserialisation does not match spec for non-normal data 
Signed-off-by: Siddharth Doshi --- .../glib-2.0/glib-2.0/CVE-2023-29499.patch| 290 .../glib-2.0/CVE-2023-32611-0001.patch| 89 .../glib-2.0/CVE-2023-32611-0002.patch| 255 +++ .../glib-2.0/glib-2.0/CVE-2023-32636.patch| 49 ++ .../glib-2.0/glib-2.0/CVE-2023-32643.patch| 154 +++ .../glib-2.0/CVE-2023-32665-0001.patch| 103 + .../glib-2.0/CVE-2023-32665-0002.patch| 210 + .../glib-2.0/CVE-2023-32665-0003.patch| 417 ++ .../glib-2.0/CVE-2023-32665-0004.patch| 113 + .../glib-2.0/CVE-2023-32665-0005.patch| 80 .../glib-2.0/CVE-2023-32665-0006.patch| 396 + .../glib-2.0/CVE-2023-32665-0007.patch| 49 ++ .../glib-2.0/CVE-2023-32665-0008.patch| 394 + .../glib-2.0/CVE-2023-32665-0009.patch| 97 meta/recipes-core/glib-2.0/glib-2.0_2.62.6.bb | 14 + 15 files changed, 2710 insertions(+) create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-29499.patch create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32611-0001.patch create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32611-0002.patch create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32636.patch create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32643.patch create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0001.patch create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0002.patch create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0003.patch create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0004.patch create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0005.patch create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0006.patch create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0007.patch create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0008.patch create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0009.patch 
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-29499.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-29499.patch new file mode 100644 index 00..ce90586290 --- /dev/null +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-29499.patch 
@@ -0,0 +1,290 @@ +From 5f4485c4ff57fdefb1661531788def7ca5a47328 Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Thu, 17 Aug 2023 04:19:44 + +Subject: [PATCH] gvariant-serialiser: Check offset table entry size is minimal + +The entries in an offset table (which is used for variable sized arrays +and tuples containing variable sized members) are sized so that they can +address every byte in the overall variant. + +The specification requires that for a variant to be in normal form, its +offset table entries must be the minimum width such that they can +address every byte in the variant. + +That minimality requirement was not checked in +`g_variant_is_normal_form()`, leading to two different byte arrays being +interpreted as the normal form of a given variant tree. That kind of +confusion could potentially be exploited, and is certainly a bug. + +Fix it by adding the necessary checks on offset table entry width, and +unit tests. + +Spotted by William Manley. + +Signed-off-by: Philip Withnall + +Fixes: #2794 + +CVE: CVE-2023-29499 +Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/glib/-/commit/5f4485c4ff57fdefb1661531788def7ca5a47328] +Signed-off-by: Siddharth Doshi +--- + glib/gvariant-serialiser.c | 19 +++- + glib/tests/gvariant.c | 176 + + 2 files changed, 194 insertions(+), 1 deletion(-) + +diff --git a/glib/gvariant-serialiser.c b/glib/gvariant-serialiser.c +index 0bf7243..5aa2cbc 100644 +--- a/glib/gvariant-serialiser.c b/glib/gvariant-serialiser.c +@@ -694,6 +694,10 @@ gvs_variable_sized_array_get_frame_offsets (GVariantSerialised value) + out.data_size = last_end; + out.array = value.data + last_end; + out.length = offsets_array_size / out.offset_size; ++ ++ if (out.length > 0 && gvs_calculate_total_size (last_end, out.length) != value.size) ++return out; /* offset size not minimal */ ++ + out.is_normal = TRUE; + + return out; +@@ -1201,6 +1205,7 @@ gvs_tuple_is_normal (GVariantSerialised value) + gsize length; + gsize offset; + gsize i; ++ 
gsize offset_table_size; + + /* as per the comment in gvs_tuple_get_child()
[OE-core][dunfell][PATCH] vim: Upgrade 9.0.1894 -> 9.0.2009
From: Siddharth Doshi This includes CVE fix for CVE-2023-5441. Signed-off-by: Siddharth Doshi --- meta/recipes-support/vim/vim.inc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 73e639d7b1..51247cbe0a 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -19,8 +19,8 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \
 file://no-path-adjust.patch \
 "
 
-PV .= ".1894"
-SRCREV = "e5f7cd0a60d0eeab84f7aeb35c13d3af7e50072e"
+PV .= ".2009"
+SRCREV = "54844857fd6933fa4f6678e47610c4b9c9f7a091"
 
 # Remove when 8.3 is out
 UPSTREAM_VERSION_UNKNOWN = "1"
-- 2.34.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#188986): https://lists.openembedded.org/g/openembedded-core/message/188986 Mute This Topic: https://lists.openembedded.org/mt/101913473/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core][kirkstone][PATCH] vim: Upgrade 9.0.1894 -> 9.0.2009
From: Siddharth Doshi This includes CVE fix for CVE-2023-5441. Signed-off-by: Siddharth Doshi --- meta/recipes-support/vim/vim.inc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 5f55f590e6..5e06866692 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -19,8 +19,8 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \
 file://no-path-adjust.patch \
 "
 
-PV .= ".1894"
-SRCREV = "e5f7cd0a60d0eeab84f7aeb35c13d3af7e50072e"
+PV .= ".2009"
+SRCREV = "54844857fd6933fa4f6678e47610c4b9c9f7a091"
 
 # Do not consider .z in x.y.z, as that is updated with every commit
 UPSTREAM_CHECK_GITTAGREGEX = "(?P\d+\.\d+)\.0"
-- 2.34.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#188982): https://lists.openembedded.org/g/openembedded-core/message/188982 Mute This Topic: https://lists.openembedded.org/mt/101913301/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [OE-core] [kirkstone][PATCH] glibc: Update to latest on stable 2.35 branch
Please ignore the above message. Sent by mistake. -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#188981): https://lists.openembedded.org/g/openembedded-core/message/188981 Mute This Topic: https://lists.openembedded.org/mt/101805676/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core][kirkstone][PATCH] glibc: Update to latest on stable 2.35 branch
From: Peter Marko Adresses CVE-2023-4911. Single commit bump: * c84018a05ae tunables: Terminate if end of input is reached (CVE-2023-4911) Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- meta/recipes-core/glibc/glibc-version.inc | 2 +- meta/recipes-core/glibc/glibc_2.35.bb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/meta/recipes-core/glibc/glibc-version.inc b/meta/recipes-core/glibc/glibc-version.inc index c23a43576c..e0d47f283b 100644 --- a/meta/recipes-core/glibc/glibc-version.inc +++ b/meta/recipes-core/glibc/glibc-version.inc @@ -1,6 +1,6 @@ SRCBRANCH ?= "release/2.35/master" PV = "2.35" -SRCREV_glibc ?= "73d4ce728a59deb2fd18969e559769b3f590fac9" +SRCREV_glibc ?= "c84018a05aec80f5ee6f682db0da1130b0196aef" SRCREV_localedef ?= "794da69788cbf9bf57b59a852f9f11307663fa87" GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git" diff --git a/meta/recipes-core/glibc/glibc_2.35.bb b/meta/recipes-core/glibc/glibc_2.35.bb index b4bad5b7ac..271520f76b 100644 --- a/meta/recipes-core/glibc/glibc_2.35.bb +++ b/meta/recipes-core/glibc/glibc_2.35.bb @@ -17,7 +17,7 @@ CVE_CHECK_IGNORE += "CVE-2019-1010022 CVE-2019-1010023 CVE-2019-1010024" CVE_CHECK_IGNORE += "CVE-2019-1010025" # To avoid these in cve-check reports since the recipe version did not change -CVE_CHECK_IGNORE += "CVE-2023-4813 CVE-2023-4806 CVE-2023-5156" +CVE_CHECK_IGNORE += "CVE-2023-4813 CVE-2023-4806 CVE-2023-4911 CVE-2023-5156" DEPENDS += "gperf-native bison-native" -- 2.34.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#188980): https://lists.openembedded.org/g/openembedded-core/message/188980 Mute This Topic: https://lists.openembedded.org/mt/101805676/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core][mickledore][PATCH] vim: Upgrade 9.0.1894 -> 9.0.2009
From: Siddharth Doshi This includes CVE fix for CVE-2023-5441. Signed-off-by: Siddharth Doshi --- meta/recipes-support/vim/vim.inc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 5f55f590e6..5e06866692 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -19,8 +19,8 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \
 file://no-path-adjust.patch \
 "
 
-PV .= ".1894"
-SRCREV = "e5f7cd0a60d0eeab84f7aeb35c13d3af7e50072e"
+PV .= ".2009"
+SRCREV = "54844857fd6933fa4f6678e47610c4b9c9f7a091"
 
 # Do not consider .z in x.y.z, as that is updated with every commit
 UPSTREAM_CHECK_GITTAGREGEX = "(?P\d+\.\d+)\.0"
-- 2.34.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#188979): https://lists.openembedded.org/g/openembedded-core/message/188979 Mute This Topic: https://lists.openembedded.org/mt/101913251/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core][master][PATCH] vim: Upgrade 9.0.1894 -> 9.0.2009
From: Siddharth Doshi This includes CVE fix for CVE-2023-5441. Signed-off-by: Siddharth Doshi --- meta/recipes-support/vim/vim.inc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 5f55f590e6..5e06866692 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -19,8 +19,8 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \
 file://no-path-adjust.patch \
 "
 
-PV .= ".1894"
-SRCREV = "e5f7cd0a60d0eeab84f7aeb35c13d3af7e50072e"
+PV .= ".2009"
+SRCREV = "54844857fd6933fa4f6678e47610c4b9c9f7a091"
 
 # Do not consider .z in x.y.z, as that is updated with every commit
 UPSTREAM_CHECK_GITTAGREGEX = "(?P\d+\.\d+)\.0"
-- 2.34.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#188978): https://lists.openembedded.org/g/openembedded-core/message/188978 Mute This Topic: https://lists.openembedded.org/mt/101913244/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core][dunfell][PATCH] go: Fix CVE-2023-39318 and CVE-2023-39319
From: Siddharth Doshi Upstream-Status: Backport from [https://github.com/golang/go/commit/023b542edf38e2a1f87fcefb9f75ff2f99401b4c] CVE: CVE-2023-39318 Upstream-Status: Backport from [https://github.com/golang/go/commit/2070531d2f53df88e312edace6c8dfc9686ab2f5] CVE: CVE-2023-39319 Signed-off-by: Siddharth Doshi --- meta/recipes-devtools/go/go-1.14.inc | 2 + .../go/go-1.14/CVE-2023-39318.patch | 238 ++ .../go/go-1.14/CVE-2023-39319.patch | 230 + 3 files changed, 470 insertions(+) create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-39319.patch
diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc
index 20377e095b..9fc5eb130f 100644
--- a/meta/recipes-devtools/go/go-1.14.inc
+++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -70,6 +70,8 @@ SRC_URI += "\
 file://CVE-2023-29400.patch \
 file://CVE-2023-29406.patch \
 file://CVE-2023-29409.patch \
+file://CVE-2023-39318.patch \
+file://CVE-2023-39319.patch \
 "
 
 SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch
new file mode 100644
index 00..20e70c0485
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch
@@ -0,0 +1,238 @@ +From 023b542edf38e2a1f87fcefb9f75ff2f99401b4c Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Thu, 3 Aug 2023 12:24:13 -0700 +Subject: [PATCH] [release-branch.go1.20] html/template: support HTML-like + comments in script contexts + +Per Appendix B.1.1 of the ECMAScript specification, support HTML-like +comments in script contexts. Also per section 12.5, support hashbang +comments. This brings our parsing in-line with how browsers treat these +comment types. + +Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for +reporting this issue. + +Fixes #62196 +Fixes #62395 +Fixes CVE-2023-39318 + +Change-Id: Id512702c5de3ae46cf648e268cb10e1eb392a181 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1976593 +Run-TryBot: Roland Shoemaker +Reviewed-by: Tatiana Bradley +Reviewed-by: Damien Neil +Reviewed-by: Dmitri Shuralyov +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2014620 +Reviewed-on: https://go-review.googlesource.com/c/go/+/526098 +Run-TryBot: Cherry Mui +TryBot-Result: Gopher Robot + +Upstream-Status: Backport from [https://github.com/golang/go/commit/023b542edf38e2a1f87fcefb9f75ff2f99401b4c] +CVE: CVE-2023-39318 +Signed-off-by: Siddharth Doshi +--- + src/html/template/context.go | 6 ++- + src/html/template/escape.go | 5 +- + src/html/template/escape_test.go | 10 + src/html/template/state_string.go | 4 +- + src/html/template/transition.go | 80 --- + 5 files changed, 72 insertions(+), 33 deletions(-) + +diff --git a/src/html/template/context.go b/src/html/template/context.go +index 0b65313..4eb7891 100644 +--- a/src/html/template/context.go b/src/html/template/context.go +@@ -124,6 +124,10 @@ const ( + stateJSBlockCmt + // stateJSLineCmt occurs inside a JavaScript // line comment. + stateJSLineCmt ++ // stateJSHTMLOpenCmt occurs inside a JavaScript HTML-like comment. ++ stateJSHTMLCloseCmt + // stateCSS occurs inside a
[OE-core][kirkstone][PATCHv2] go: Fix CVE-2023-39318
From: Siddharth Doshi Upstream-Status: Backport from [https://github.com/golang/go/commit/023b542edf38e2a1f87fcefb9f75ff2f99401b4c] CVE: CVE-2023-39318 Signed-off-by: Siddharth Doshi
---
meta/recipes-devtools/go/go-1.17.13.inc | 1 + .../go/go-1.21/CVE-2023-39318.patch | 238 ++ 2 files changed, 239 insertions(+) create mode 100644 meta/recipes-devtools/go/go-1.21/CVE-2023-39318.patch
diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc
index c753a26a7e..ed2645bc12 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -44,6 +44,7 @@ SRC_URI += "\
file://CVE-2023-24531_2.patch \
file://CVE-2023-29409.patch \
file://CVE-2023-39319.patch \
+file://CVE-2023-39318.patch \
"
SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
diff --git a/meta/recipes-devtools/go/go-1.21/CVE-2023-39318.patch b/meta/recipes-devtools/go/go-1.21/CVE-2023-39318.patch
new file mode 100644
index 00..85c6ec97c8
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.21/CVE-2023-39318.patch
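Review bot: The new `file://CVE-2023-39318.patch \` entry is queued after `file://CVE-2023-39319.patch \`, and both are html/template backports (this one touches context.go, escape.go and transition.go per its diffstat), so application order decides whether the second one applies cleanly. The patch body in this message carries a context.go index of f5f44a1..feb6517 rather than the 0b65313..4eb7891 seen in the dunfell and v1 copies of the same backport, which suggests it was regenerated against the tree with CVE-2023-39319.patch already applied; a line in the patch header such as `Refreshed for go-1.17.13 on top of CVE-2023-39319.patch` would record that for the next rebase. The patch file itself is cut off after the context.go hunk here, so the transition.go changes could not be checked.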
@@ -0,0 +1,238 @@ +From 023b542edf38e2a1f87fcefb9f75ff2f99401b4c Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Thu, 3 Aug 2023 12:24:13 -0700 +Subject: [PATCH] [release-branch.go1.20] html/template: support HTML-like + comments in script contexts + +Per Appendix B.1.1 of the ECMAScript specification, support HTML-like +comments in script contexts. Also per section 12.5, support hashbang +comments. This brings our parsing in-line with how browsers treat these +comment types. + +Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for +reporting this issue. + +Fixes #62196 +Fixes #62395 +Fixes CVE-2023-39318 + +Change-Id: Id512702c5de3ae46cf648e268cb10e1eb392a181 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1976593 +Run-TryBot: Roland Shoemaker +Reviewed-by: Tatiana Bradley +Reviewed-by: Damien Neil +Reviewed-by: Dmitri Shuralyov +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2014620 +Reviewed-on: https://go-review.googlesource.com/c/go/+/526098 +Run-TryBot: Cherry Mui +TryBot-Result: Gopher Robot + +Upstream-Status: Backport from [https://github.com/golang/go/commit/023b542edf38e2a1f87fcefb9f75ff2f99401b4c] +CVE: CVE-2023-39318 +Signed-off-by: Siddharth Doshi +--- + src/html/template/context.go | 6 ++- + src/html/template/escape.go | 5 +- + src/html/template/escape_test.go | 10 + src/html/template/state_string.go | 4 +- + src/html/template/transition.go | 80 --- + 5 files changed, 72 insertions(+), 33 deletions(-) + +diff --git a/src/html/template/context.go b/src/html/template/context.go +index f5f44a1..feb6517 100644 +--- a/src/html/template/context.go b/src/html/template/context.go +@@ -124,6 +124,10 @@ const ( + stateJSBlockCmt + // stateJSLineCmt occurs inside a JavaScript // line comment. + stateJSLineCmt ++ // stateJSHTMLOpenCmt occurs inside a JavaScript HTML-like comment. ++ stateJSHTMLCloseCmt + // stateCSS occurs inside a
[OE-core][kirkstone][PATCH] go: Fix CVE-2023-39318
From: Siddharth Doshi Upstream-Status: Backport from [https://github.com/golang/go/commit/023b542edf38e2a1f87fcefb9f75ff2f99401b4c] CVE: CVE-2023-39318 Signed-off-by: Siddharth Doshi --- meta/recipes-devtools/go/go-1.17.13.inc | 1 + .../go/go-1.21/CVE-2023-39318.patch | 238 ++ 2 files changed, 239 insertions(+) create mode 100644 meta/recipes-devtools/go/go-1.21/CVE-2023-39318.patch diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc index 119ae112af..df7d5d235a 100644 --- a/meta/recipes-devtools/go/go-1.17.13.inc +++ b/meta/recipes-devtools/go/go-1.17.13.inc @@ -44,6 +44,7 @@ SRC_URI += "\ file://CVE-2023-24531_2.patch \ file://CVE-2023-29409.patch \ file://CVE-2023-39319.patch \ +file://CVE-2023-39318.patch \ " SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd" diff --git a/meta/recipes-devtools/go/go-1.21/CVE-2023-39318.patch b/meta/recipes-devtools/go/go-1.21/CVE-2023-39318.patch new file mode 100644 index 00..942af323e0 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.21/CVE-2023-39318.patch 
@@ -0,0 +1,238 @@ +From 023b542edf38e2a1f87fcefb9f75ff2f99401b4c Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Thu, 3 Aug 2023 12:24:13 -0700 +Subject: [PATCH] [release-branch.go1.20] html/template: support HTML-like + comments in script contexts + +Per Appendix B.1.1 of the ECMAScript specification, support HTML-like +comments in script contexts. Also per section 12.5, support hashbang +comments. This brings our parsing in-line with how browsers treat these +comment types. + +Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for +reporting this issue. + +Fixes #62196 +Fixes #62395 +Fixes CVE-2023-39318 + +Change-Id: Id512702c5de3ae46cf648e268cb10e1eb392a181 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1976593 +Run-TryBot: Roland Shoemaker +Reviewed-by: Tatiana Bradley +Reviewed-by: Damien Neil +Reviewed-by: Dmitri Shuralyov +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2014620 +Reviewed-on: https://go-review.googlesource.com/c/go/+/526098 +Run-TryBot: Cherry Mui +TryBot-Result: Gopher Robot + +Upstream-Status: Backport from [https://github.com/golang/go/commit/023b542edf38e2a1f87fcefb9f75ff2f99401b4c] +CVE: CVE-2023-39318 +Signed-off-by: Siddharth Doshi +--- + src/html/template/context.go | 6 ++- + src/html/template/escape.go | 5 +- + src/html/template/escape_test.go | 10 + src/html/template/state_string.go | 4 +- + src/html/template/transition.go | 80 --- + 5 files changed, 72 insertions(+), 33 deletions(-) + +diff --git a/src/html/template/context.go b/src/html/template/context.go +index 0b65313..4eb7891 100644 +--- a/src/html/template/context.go b/src/html/template/context.go +@@ -124,6 +124,10 @@ const ( + stateJSBlockCmt + // stateJSLineCmt occurs inside a JavaScript // line comment. + stateJSLineCmt ++ // stateJSHTMLOpenCmt occurs inside a JavaScript HTML-like comment. ++ stateJSHTMLCloseCmt + // stateCSS occurs inside a
[OE-core][dunfell][PATCH] libxml2: Fix CVE-2023-39615
From: Siddharth Doshi Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/libxml2/-/commit/d0c3f01e110d54415611c5fa0040cdf4a56053f9, https://gitlab.gnome.org/GNOME/libxml2/-/commit/235b15a590eecf97b09e87bdb7e4f8333e9de129] CVE: CVE-2023-39615 Signed-off-by: Siddharth Doshi
---
.../libxml/libxml2/CVE-2023-39615-0001.patch | 36 ++ .../libxml/libxml2/CVE-2023-39615-0002.patch | 71 +++ .../libxml/libxml2/CVE-2023-39615-pre.patch | 44 meta/recipes-core/libxml/libxml2_2.9.10.bb| 3 + 4 files changed, 154 insertions(+) create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-39615-0001.patch create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-39615-0002.patch create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-39615-pre.patch
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-39615-0001.patch b/meta/recipes-core/libxml/libxml2/CVE-2023-39615-0001.patch
new file mode 100644
index 00..9689cec67d
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-39615-0001.patch
@@ -0,0 +1,36 @@
+From d0c3f01e110d54415611c5fa0040cdf4a56053f9 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Sat, 6 May 2023 17:47:37 +0200
+Subject: [PATCH] parser: Fix old SAX1 parser with custom callbacks
+
+For some reason, xmlCtxtUseOptionsInternal set the start and end element
+SAX handlers to the internal DOM builder functions when XML_PARSE_SAX1
+was specified. This means that custom SAX handlers could never work with
+that flag because these functions would receive the wrong user data
+argument and crash immediately.
+
+Fixes #535.
+
+Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/libxml2/-/commit/d0c3f01e110d54415611c5fa0040cdf4a56053f9]
+CVE: CVE-2023-39615
+Signed-off-by: Siddharth Doshi
+---
+ parser.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/parser.c b/parser.c
+index 6e09208..7814e6e 100644
+--- a/parser.c b/parser.c
+@@ -15156,8 +15156,6 @@ xmlCtxtUseOptionsInternal(xmlParserCtxtPtr ctxt, int options, const char *encodi
+ }
+ #ifdef LIBXML_SAX1_ENABLED
+ if (options & XML_PARSE_SAX1) {
+-ctxt->sax->startElement = xmlSAX2StartElement;
+-ctxt->sax->endElement = xmlSAX2EndElement;
+ ctxt->sax->startElementNs = NULL;
+ ctxt->sax->endElementNs = NULL;
+ ctxt->sax->initialized = 1;
+--
+2.24.4
+
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-39615-0002.patch b/meta/recipes-core/libxml/libxml2/CVE-2023-39615-0002.patch
new file mode 100644
index 00..ebd9868fac
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-39615-0002.patch
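Review bot: Taken alone, this hunk leaves `ctxt->sax->startElement`/`endElement` at whatever the context already holds when XML_PARSE_SAX1 is requested, and for a context set up through xmlSAXVersion(…, 2) those were NULL before the companion change in this series, so SAX1 parsing would run with no element callbacks at all; the 0002 patch (235b15a5) makes xmlSAXVersion always fill the SAX1 handlers, so the two must be applied together and in this order. The libxml2_2.9.10.bb hunk that adds the three patches is outside the visible part of this message, so please confirm SRC_URI lists -pre, -0001, -0002 in that order and that each applies without fuzz to 2.9.10's parser.c and SAX2.c, since the hunk offsets here (line 15156) may not match that release.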
@@ -0,0 +1,71 @@ +From 235b15a590eecf97b09e87bdb7e4f8333e9de129 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Mon, 8 May 2023 17:58:02 +0200 +Subject: [PATCH] SAX: Always initialize SAX1 element handlers + +Follow-up to commit d0c3f01e. A parser context will be initialized to +SAX version 2, but this can be overridden with XML_PARSE_SAX1 later, +so we must initialize the SAX1 element handlers as well. + +Change the check in xmlDetectSAX2 to only look for XML_SAX2_MAGIC, so +we don't switch to SAX1 if the SAX2 element handlers are NULL. + +Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/libxml2/-/commit/235b15a590eecf97b09e87bdb7e4f8333e9de129] +CVE: CVE-2023-39615 +Signed-off-by: Siddharth Doshi +--- + SAX2.c | 11 +++ + parser.c | 5 + + 2 files changed, 8 insertions(+), 8 deletions(-) + +diff --git a/SAX2.c b/SAX2.c +index 5f141f9..902d34d 100644 +--- a/SAX2.c b/SAX2.c +@@ -2869,20 +2869,23 @@ xmlSAXVersion(xmlSAXHandler *hdlr, int version) + { + if (hdlr == NULL) return(-1); + if (version == 2) { +- hdlr->startElement = NULL; +- hdlr->endElement = NULL; + hdlr->startElementNs = xmlSAX2StartElementNs; + hdlr->endElementNs = xmlSAX2EndElementNs; + hdlr->serror = NULL; + hdlr->initialized = XML_SAX2_MAGIC; + #ifdef LIBXML_SAX1_ENABLED + } else if (version == 1) { +- hdlr->startElement = xmlSAX2StartElement; +- hdlr->endElement = xmlSAX2EndElement; + hdlr->initialized = 1; + #endif /* LIBXML_SAX1_ENABLED */ + } else + return(-1); ++#ifdef LIBXML_SAX1_ENABLED ++hdlr->startElement = xmlSAX2StartElement; ++hdlr->endElement = xmlSAX2EndElement; ++#else ++hdlr->startElement = NULL; ++hdlr->endElement = NULL; ++#endif /* LIBXML_SAX1_ENABLED */ + hdlr->internalSubset = xmlSAX2InternalSubset; + hdlr->externalSubset = xmlSAX2ExternalSubset; + hdlr->isStandalone = xmlSAX2IsStandalone; +diff --git a/parser.c b/parser.c +index 7814e6e..cf0fb38 100644 +--- a/parser.c b/parser.c +@@ -1102,10 +1102,7 @@ xmlDetectSAX2(xmlParserCtxtPtr ctxt) { + if (ctxt == 
NULL) return; + sax = ctxt->sax; + #ifdef LIBXML_SAX1_ENABLED +-if ((sax) && (sax->initialized == XML_SAX2_MAGIC) && +-((sax->startElementNs != NULL) || +-
[OE-core][dunfell][PATCH] gdb: Fix CVE-2023-39128
From: Siddharth Doshi Note: The Fix needs to be pushed in gdb rather than bintuils-gdb as we are disabling gdb in binutils configure. Upstream-Status: Backport from [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=033bc52bb6190393c8eed80925fa78cc35b40c6d] CVE: CVE-2023-39128 Signed-off-by: Siddharth Doshi
---
meta/recipes-devtools/gdb/gdb-9.1.inc | 1 + .../gdb/gdb/0012-CVE-2023-39128.patch | 75 +++ 2 files changed, 76 insertions(+) create mode 100644 meta/recipes-devtools/gdb/gdb/0012-CVE-2023-39128.patch
diff --git a/meta/recipes-devtools/gdb/gdb-9.1.inc b/meta/recipes-devtools/gdb/gdb-9.1.inc
index d019e6b384..212c554cf1 100644
--- a/meta/recipes-devtools/gdb/gdb-9.1.inc
+++ b/meta/recipes-devtools/gdb/gdb-9.1.inc
@@ -16,6 +16,7 @@ SRC_URI = "${GNU_MIRROR}/gdb/gdb-${PV}.tar.xz \
file://0009-resolve-restrict-keyword-conflict.patch \
file://0010-Fix-invalid-sigprocmask-call.patch \
file://0011-gdbserver-ctrl-c-handling.patch \
+ file://0012-CVE-2023-39128.patch \
"
SRC_URI[md5sum] = "f7e9f6236c425097d9e5f18a6ac40655"
SRC_URI[sha256sum] = "699e0ec832fdd2f21c8266171ea5bf44024bd05164fdf064e4d10cc4cf0d1737"
diff --git a/meta/recipes-devtools/gdb/gdb/0012-CVE-2023-39128.patch b/meta/recipes-devtools/gdb/gdb/0012-CVE-2023-39128.patch
new file mode 100644
index 00..6445455bde
--- /dev/null
+++ b/meta/recipes-devtools/gdb/gdb/0012-CVE-2023-39128.patch
@@ -0,0 +1,75 @@
+From 033bc52bb6190393c8eed80925fa78cc35b40c6d Mon Sep 17 00:00:00 2001
+From: Tom Tromey
+Date: Wed, 16 Aug 2023 11:29:19 -0600
+Subject: [PATCH] Avoid buffer overflow in ada_decode
+
+A bug report pointed out a buffer overflow in ada_decode, which Keith
+helpfully analyzed. ada_decode had a logic error when the input was
+all digits. While this isn't valid -- and would probably only appear
+in fuzzer tests -- it still should be handled properly.
+
+This patch adds a missing bounds check. Tested with the self-tests in
+an asan build.
+
+Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=30639
+Reviewed-by: Keith Seitz
+
+Upstream-Status: Backport from [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=033bc52bb6190393c8eed80925fa78cc35b40c6d]
+CVE: CVE-2023-39128
+Signed-off-by: Siddharth Doshi
+---
+ gdb/ada-lang.c | 19 ++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/gdb/ada-lang.c b/gdb/ada-lang.c
+index 0c2d4fc..40852b6 100644
+--- a/gdb/ada-lang.c b/gdb/ada-lang.c
+@@ -56,6 +56,7 @@
+ #include "cli/cli-utils.h"
+ #include "gdbsupport/function-view.h"
+ #include "gdbsupport/byte-vector.h"
++#include "gdbsupport/selftest.h"
+ #include
+
+ /* Define whether or not the C operator '/' truncates towards zero for
+@@ -1184,7 +1185,7 @@ ada_decode (const char *encoded)
+ i -= 1;
+ if (i > 1 && encoded[i] == '_' && encoded[i - 1] == '_')
+ len0 = i - 1;
+- else if (encoded[i] == '$')
++ else if (i >= 0 && encoded[i] == '$')
+ len0 = i;
+ }
+
+@@ -1350,6 +1351,18 @@ Suppress:
+
+ }
+
++#ifdef GDB_SELF_TEST
++
++static void
++ada_decode_tests ()
++{
++ /* This isn't valid, but used to cause a crash. PR gdb/30639. The
++ result does not really matter very much. */
++ SELF_CHECK (ada_decode ("44") == "44");
++}
++
++#endif
++
+ /* Table for keeping permanent unique copies of decoded names. Once
+allocated, names in this table are never released.
While this is a
+storage leak, it should not be significant unless there are massive
+@@ -14345,4 +14358,8 @@ DWARF attribute."),
+ gdb::observers::new_objfile.attach (ada_new_objfile_observer);
+ gdb::observers::free_objfile.attach (ada_free_objfile_observer);
+ gdb::observers::inferior_exit.attach (ada_inferior_exit);
++
++#ifdef GDB_SELF_TEST
++ selftests::register_test ("ada-decode", ada_decode_tests);
++#endif
+ }
+--
+2.24.4
+
-- 2.34.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#187498): https://lists.openembedded.org/g/openembedded-core/message/187498 Mute This Topic: https://lists.openembedded.org/mt/101310159/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
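Review bot: The backported self-test `SELF_CHECK (ada_decode ("44") == "44");` only means anything if ada_decode returns std::string, and this hunk's context (`ada_decode (const char *encoded)` with no `wrap` parameter, a `Suppress:` label, and a blank line rather than `return decoded;` before the closing brace, unlike the kirkstone and mickledore copies) suggests gdb 9.1 still has the older variant returning a `const char *` into a static buffer. In that case the expression compares a buffer address with a string literal and will essentially always be false, so `maint selftest` would report a failure for a fix that is otherwise correct. Please check the return type in the 9.1 tree and, if it is `const char *`, change the check to `SELF_CHECK (strcmp (ada_decode ("44"), "44") == 0);` or drop the selftest and keep only the `i >= 0` guard, which is the actual CVE fix and stands on its own.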
[OE-core][kirkstone][PATCH] gdb: Fix CVE-2023-39128
From: Siddharth Doshi Note: The Fix needs to be pushed in gdb rather than bintuils-gdb as we are disabling gdb in binutils configure. Upstream-Status: Backport from [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=033bc52bb6190393c8eed80925fa78cc35b40c6d] CVE: CVE-2023-39128 Signed-off-by: Siddharth Doshi
---
meta/recipes-devtools/gdb/gdb.inc | 1 + .../gdb/gdb/0011-CVE-2023-39128.patch | 75 +++ 2 files changed, 76 insertions(+) create mode 100644 meta/recipes-devtools/gdb/gdb/0011-CVE-2023-39128.patch
diff --git a/meta/recipes-devtools/gdb/gdb.inc b/meta/recipes-devtools/gdb/gdb.inc
index 649ee28727..099bd2d8f5 100644
--- a/meta/recipes-devtools/gdb/gdb.inc
+++ b/meta/recipes-devtools/gdb/gdb.inc
@@ -14,5 +14,6 @@ SRC_URI = "${GNU_MIRROR}/gdb/gdb-${PV}.tar.xz \
file://0008-resolve-restrict-keyword-conflict.patch \
file://0009-Fix-invalid-sigprocmask-call.patch \
file://0010-gdbserver-ctrl-c-handling.patch \
+ file://0011-CVE-2023-39128.patch \
"
SRC_URI[sha256sum] = "1497c36a71881b8671a9a84a0ee40faab788ca30d7ba19d8463c3cc787152e32"
diff --git a/meta/recipes-devtools/gdb/gdb/0011-CVE-2023-39128.patch b/meta/recipes-devtools/gdb/gdb/0011-CVE-2023-39128.patch
new file mode 100644
index 00..53b49cb21d
--- /dev/null
+++ b/meta/recipes-devtools/gdb/gdb/0011-CVE-2023-39128.patch
@@ -0,0 +1,75 @@ +From 033bc52bb6190393c8eed80925fa78cc35b40c6d Mon Sep 17 00:00:00 2001 +From: Tom Tromey +Date: Wed, 16 Aug 2023 11:29:19 -0600 +Subject: [PATCH] Avoid buffer overflow in ada_decode + +A bug report pointed out a buffer overflow in ada_decode, which Keith +helpfully analyzed. ada_decode had a logic error when the input was +all digits. While this isn't valid -- and would probably only appear +in fuzzer tests -- it still should be handled properly. + +This patch adds a missing bounds check. Tested with the self-tests in +an asan build. + +Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=30639 +Reviewed-by: Keith Seitz + +Upstream-Status: Backport from [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=033bc52bb6190393c8eed80925fa78cc35b40c6d] +CVE: CVE-2023-39128 +Signed-off-by: Siddharth Doshi +--- + gdb/ada-lang.c | 19 ++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +diff --git a/gdb/ada-lang.c b/gdb/ada-lang.c +index 70a2b44..f682302 100644 +--- a/gdb/ada-lang.c b/gdb/ada-lang.c +@@ -57,6 +57,7 @@ + #include "cli/cli-utils.h" + #include "gdbsupport/function-view.h" + #include "gdbsupport/byte-vector.h" ++#include "gdbsupport/selftest.h" + #include + #include "ada-exp.h" + +@@ -1057,7 +1058,7 @@ ada_decode (const char *encoded, bool wrap) + i -= 1; + if (i > 1 && encoded[i] == '_' && encoded[i - 1] == '_') + len0 = i - 1; +- else if (encoded[i] == '$') ++ else if (i >= 0 && encoded[i] == '$') + len0 = i; + } + +@@ -1225,6 +1226,18 @@ ada_decode (const char *encoded, bool wrap) + return decoded; + } + ++#ifdef GDB_SELF_TEST ++ ++static void ++ada_decode_tests () ++{ ++ /* This isn't valid, but used to cause a crash. PR gdb/30639. The ++ result does not really matter very much. */ ++ SELF_CHECK (ada_decode ("44") == "44"); ++} ++ ++#endif ++ + /* Table for keeping permanent unique copies of decoded names. Once +allocated, names in this table are never released. 
While this is a +storage leak, it should not be significant unless there are massive +@@ -13497,4 +13510,8 @@ DWARF attribute."), + gdb::observers::new_objfile.attach (ada_new_objfile_observer, "ada-lang"); + gdb::observers::free_objfile.attach (ada_free_objfile_observer, "ada-lang"); + gdb::observers::inferior_exit.attach (ada_inferior_exit, "ada-lang"); ++ ++#ifdef GDB_SELF_TEST ++ selftests::register_test ("ada-decode", ada_decode_tests); ++#endif + } +-- +2.35.7 + -- 2.34.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#187482): https://lists.openembedded.org/g/openembedded-core/message/187482 Mute This Topic: https://lists.openembedded.org/mt/101288329/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
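Review bot: The patch header written into this new file uses `Upstream-Status: Backport from [URL]`, whereas the OE-core convention (followed by the sysklogd patches elsewhere in this thread) is `Upstream-Status: Backport [URL]`; tooling that parses the field keys on the canonical form, so the extra word may not be recognised. The line should read `Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=033bc52bb6190393c8eed80925fa78cc35b40c6d]`. The same applies to the dunfell and mickledore copies of this patch. The code change itself (`i >= 0 &&` before the `encoded[i] == '$'` read) matches upstream and needs no further work here.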
Re: [OE-core] [kirkstone][PATCH] sysklogd: fix integration with systemd-journald
Oops. Please ignore this; it was sent by mistake. Apologies for the error. -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#187481): https://lists.openembedded.org/g/openembedded-core/message/187481 Mute This Topic: https://lists.openembedded.org/mt/101288296/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core][kirkstone][PATCH] sysklogd: fix integration with systemd-journald
From: Changqing Li Fix an issue with early log messages being lost when running in systemd. Signed-off-by: Changqing Li Signed-off-by: Steve Sakoman --- ...KillMode-process-is-not-recommended-.patch | 33 ...-messages-lost-when-running-in-syste.patch | 75 +++ .../sysklogd/sysklogd_2.3.0.bb| 2 + 3 files changed, 110 insertions(+) create mode 100644 meta/recipes-extended/sysklogd/files/0001-syslogd.service-KillMode-process-is-not-recommended-.patch create mode 100644 meta/recipes-extended/sysklogd/files/0002-Fix-62-early-log-messages-lost-when-running-in-syste.patch diff --git a/meta/recipes-extended/sysklogd/files/0001-syslogd.service-KillMode-process-is-not-recommended-.patch b/meta/recipes-extended/sysklogd/files/0001-syslogd.service-KillMode-process-is-not-recommended-.patch new file mode 100644 index 00..6c7e7cea44 --- /dev/null +++ b/meta/recipes-extended/sysklogd/files/0001-syslogd.service-KillMode-process-is-not-recommended-.patch @@ -0,0 +1,33 @@ +From b732dd0001c66f3ff1e0aef919c84ca9f0f81252 Mon Sep 17 00:00:00 2001 +From: Joachim Wiberg +Date: Sat, 22 Apr 2023 07:40:24 +0200 +Subject: [PATCH 1/2] syslogd.service: KillMode=process is not recommended, + drop + +The default 'control-group' ensures all processes started by sysklogd +are stopped when the service is stopped, this is what we want. + +Signed-off-by: Joachim Wiberg + +Upstream-Status: Backport [https://github.com/troglobit/sysklogd/commit/c82c004de7e25e770039cba5d6a34c30dd548533] + +Signed-off-by: Changqing Li +--- + syslogd.service.in | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/syslogd.service.in b/syslogd.service.in +index 91e080a..d614c5f 100644 +--- a/syslogd.service.in b/syslogd.service.in +@@ -9,7 +9,6 @@ EnvironmentFile=-@SYSCONFDIR@/default/syslogd + ExecStart=@SBINDIR@/syslogd -F -p /run/systemd/journal/syslog $SYSLOGD_OPTS + StandardOutput=null + Restart=on-failure +-KillMode=process + + [Install] + WantedBy=multi-user.target +-- +2.25.1 + 
diff --git a/meta/recipes-extended/sysklogd/files/0002-Fix-62-early-log-messages-lost-when-running-in-syste.patch b/meta/recipes-extended/sysklogd/files/0002-Fix-62-early-log-messages-lost-when-running-in-syste.patch new file mode 100644 index 00..78ae57eeeb --- /dev/null +++ b/meta/recipes-extended/sysklogd/files/0002-Fix-62-early-log-messages-lost-when-running-in-syste.patch 
@@ -0,0 +1,75 @@ +From ba8156eab79784ef816958327e701923890e98f7 Mon Sep 17 00:00:00 2001 +From: Joachim Wiberg +Date: Sat, 22 Apr 2023 08:27:57 +0200 +Subject: [PATCH 2/2] Fix #62: early log messages lost when running in systemd + +This is a follow-up to d7576c7 which initially added support for running +in systemd based systems. Since the unit file sources the syslog.socket +we have /run/systemd/journal/syslog open already on descriptor 3. All +we need to do is verify that's the mode syslogd runs in. + +Signed-off-by: Joachim Wiberg + +Upstream-Status: Backport [https://github.com/troglobit/sysklogd/commit/7ec64e5f9c1bc284792d028647fb36ef3e64dff7] + +Signed-off-by: Changqing Li +--- + src/syslogd.c | 21 +++-- + syslogd.service.in | 2 +- + 2 files changed, 16 insertions(+), 7 deletions(-) + +diff --git a/src/syslogd.c b/src/syslogd.c +index fa4303f..e96ca9a 100644 +--- a/src/syslogd.c b/src/syslogd.c +@@ -162,6 +162,7 @@ voiduntty(void); + static void parsemsg(const char *from, char *msg); + static int opensys(const char *file); + static void printsys(char *msg); ++static void unix_cb(int sd, void *arg); + static void logmsg(struct buf_msg *buffer); + static void fprintlog_first(struct filed *f, struct buf_msg *buffer); + static void fprintlog_successive(struct filed *f, int flags); +@@ -436,12 +437,20 @@ int main(int argc, char *argv[]) + .pe_serv = "syslog", + }); + +- /* Default to _PATH_LOG for the UNIX domain socket */ +- if (!pflag) +- addpeer(&(struct peer) { +- .pe_name = _PATH_LOG, +- .pe_mode = 0666, +- }); ++ /* Figure out where to read system log messages from */ ++ if (!pflag) { ++ /* Do we run under systemd-journald (Requires=syslog.socket)? 
*/ ++ if (fcntl(3, F_GETFD) != -1) { ++ if (socket_register(3, NULL, unix_cb, NULL) == -1) ++ err(1, "failed registering syslog.socket (3)"); ++ } else { ++ /* Default to _PATH_LOG for the UNIX domain socket */ ++ addpeer(&(struct peer) { ++ .pe_name = _PATH_LOG, ++ .pe_mode = 0666, ++ }); ++ } ++ } + + if (!Foreground && !Debug) { + ppid = waitdaemon(30); +diff --git a/syslogd.service.in
[OE-core][mickledore][PATCH] gdb: Fix CVE-2023-39128
From: Siddharth Doshi Note: The Fix needs to be pushed in gdb rather than bintuils-gdb as we are disabling gdb in binutils configure. Upstream-Status: Backport from [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=033bc52bb6190393c8eed80925fa78cc35b40c6d] CVE: CVE-2023-39128 Signed-off-by: Siddharth Doshi
---
meta/recipes-devtools/gdb/gdb.inc | 1 + .../gdb/gdb/0009-CVE-2023-39128.patch | 75 +++ 2 files changed, 76 insertions(+) create mode 100644 meta/recipes-devtools/gdb/gdb/0009-CVE-2023-39128.patch
diff --git a/meta/recipes-devtools/gdb/gdb.inc b/meta/recipes-devtools/gdb/gdb.inc
index e986b1a1f9..2437a96ae7 100644
--- a/meta/recipes-devtools/gdb/gdb.inc
+++ b/meta/recipes-devtools/gdb/gdb.inc
@@ -14,6 +14,7 @@ SRC_URI = "${GNU_MIRROR}/gdb/gdb-${PV}.tar.xz \
file://0007-Fix-invalid-sigprocmask-call.patch \
file://0008-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch \
file://add-missing-ldflags.patch \
+ file://0009-CVE-2023-39128.patch \
"
SRC_URI[sha256sum] = "fd5bebb7be1833abdb6e023c2f498a354498281df9d05523d8915babeb893f0a"
diff --git a/meta/recipes-devtools/gdb/gdb/0009-CVE-2023-39128.patch b/meta/recipes-devtools/gdb/gdb/0009-CVE-2023-39128.patch
new file mode 100644
index 00..88e39eaa59
--- /dev/null
+++ b/meta/recipes-devtools/gdb/gdb/0009-CVE-2023-39128.patch
@@ -0,0 +1,75 @@ +From 033bc52bb6190393c8eed80925fa78cc35b40c6d Mon Sep 17 00:00:00 2001 +From: Tom Tromey +Date: Wed, 16 Aug 2023 11:29:19 -0600 +Subject: [PATCH] Avoid buffer overflow in ada_decode + +A bug report pointed out a buffer overflow in ada_decode, which Keith +helpfully analyzed. ada_decode had a logic error when the input was +all digits. While this isn't valid -- and would probably only appear +in fuzzer tests -- it still should be handled properly. + +This patch adds a missing bounds check. Tested with the self-tests in +an asan build. + +Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=30639 +Reviewed-by: Keith Seitz + +Upstream-Status: Backport from [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=033bc52bb6190393c8eed80925fa78cc35b40c6d] +CVE: CVE-2023-39128 +Signed-off-by: Siddharth Doshi +--- + gdb/ada-lang.c | 19 ++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +diff --git a/gdb/ada-lang.c b/gdb/ada-lang.c +index 40f8591..06ac46b 100644 +--- a/gdb/ada-lang.c b/gdb/ada-lang.c +@@ -57,6 +57,7 @@ + #include "cli/cli-utils.h" + #include "gdbsupport/function-view.h" + #include "gdbsupport/byte-vector.h" ++#include "gdbsupport/selftest.h" + #include + #include "ada-exp.h" + #include "charset.h" +@@ -1388,7 +1389,7 @@ ada_decode (const char *encoded, bool wrap, bool operators) + i -= 1; + if (i > 1 && encoded[i] == '_' && encoded[i - 1] == '_') + len0 = i - 1; +- else if (encoded[i] == '$') ++ else if (i >= 0 && encoded[i] == '$') + len0 = i; + } + +@@ -1585,6 +1586,18 @@ ada_decode (const char *encoded, bool wrap, bool operators) + return decoded; + } + ++#ifdef GDB_SELF_TEST ++ ++static void ++ada_decode_tests () ++{ ++ /* This isn't valid, but used to cause a crash. PR gdb/30639. The ++ result does not really matter very much. */ ++ SELF_CHECK (ada_decode ("44") == "44"); ++} ++ ++#endif ++ + /* Table for keeping permanent unique copies of decoded names. Once +allocated, names in this table are never released. 
While this is a +storage leak, it should not be significant unless there are massive +@@ -14084,4 +14097,8 @@ DWARF attribute."), + gdb::observers::new_objfile.attach (ada_new_objfile_observer, "ada-lang"); + gdb::observers::free_objfile.attach (ada_free_objfile_observer, "ada-lang"); + gdb::observers::inferior_exit.attach (ada_inferior_exit, "ada-lang"); ++ ++#ifdef GDB_SELF_TEST ++ selftests::register_test ("ada-decode", ada_decode_tests); ++#endif + } +-- +2.25.1 + -- 2.34.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#187479): https://lists.openembedded.org/g/openembedded-core/message/187479 Mute This Topic: https://lists.openembedded.org/mt/101288288/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
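Review bot: The added guard `else if (i >= 0 && encoded[i] == '$')` only closes the underflow if `i` is a signed type; its declaration and the decrementing loop sit outside the quoted inner hunk, as does the rest of `ada_decode`, so that should be confirmed against gdb/ada-lang.c in the tree this is applied to — with an unsigned index the comparison is always true and the out-of-bounds read remains. The new self-test pins `ada_decode ("44") == "44"` while its own comment says the result does not really matter; a comment such as `/* Only the absence of an out-of-bounds read is asserted here; the decoded text itself is incidental. */` would stop a later change to the decoder from being mistaken for a regression. The patch header uses `Upstream-Status: Backport from [...]`, whereas the form used elsewhere in OE-core and expected by its patch-status checks is `Upstream-Status: Backport [<url>]`; the inetutils and qemu patches further down this page use the same non-standard wording.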
Re: [OE-core] [mickledore][PATCH] binutils: Fix CVE-2023-39128
Hi Sanjana, Thank you for this patch. But I feel this is not the right way to patch this vulnerability. No doubt the patch is released for binutils-gdb, but that is because the sources are merged. However, in our systems, the gdb command comes from the gdb package and not from binutils-gdb. Additional confirmation can also be obtained from the binutils configuration, where we are disabling gdb in binutils. So even after patching, the vulnerability will still exist, as it is not patched in gdb, and where it is patched, gdb is disabled. -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#187478): https://lists.openembedded.org/g/openembedded-core/message/187478 Mute This Topic: https://lists.openembedded.org/mt/101235381/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [OE-core] [kirkstone][PATCH] Qemu: Resolve undefined reference issue in CVE-2023-2861
I guess I missed the patch status. Apologies for that. Thank you for updating me on the status. Regards, Siddharth -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#187477): https://lists.openembedded.org/g/openembedded-core/message/187477 Mute This Topic: https://lists.openembedded.org/mt/100951881/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [OE-core] [kirkstone][PATCH] Qemu: Resolve undefined reference issue in CVE-2023-2861
Hi Team, Are there any updates on this patch? Regards, Siddharth -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#187399): https://lists.openembedded.org/g/openembedded-core/message/187399 Mute This Topic: https://lists.openembedded.org/mt/100951881/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [OE-core] [kirkstone][PATCH] inetutils: Security fix for CVE-2023-40303
Oops... my bad. I just checked https://autobuilder.yocto.io/pub/non-release/patchmetrics/cve-status-kirkstone.txt ( https://autobuilder.yocto.io/pub/non-release/patchmetrics/cve-status-kirkstone.txt ) and submitted a patch without checking whether one had already been submitted. Thanks for the update. Regards, Siddharth -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#187287): https://lists.openembedded.org/g/openembedded-core/message/187287 Mute This Topic: https://lists.openembedded.org/mt/101188627/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core][kirkstone][PATCH] inetutils: Security fix for CVE-2023-40303
From: Siddharth Doshi Upstream-Status: Backport from [https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6] CVE: CVE-2023-40303 Signed-off-by: Siddharth Doshi --- .../inetutils/inetutils/CVE-2023-40303.patch | 283 ++ .../inetutils/inetutils_2.2.bb| 1 + 2 files changed, 284 insertions(+) create mode 100644 meta/recipes-connectivity/inetutils/inetutils/CVE-2023-40303.patch diff --git a/meta/recipes-connectivity/inetutils/inetutils/CVE-2023-40303.patch b/meta/recipes-connectivity/inetutils/inetutils/CVE-2023-40303.patch new file mode 100644 index 00..06f7f2fc00 --- /dev/null +++ b/meta/recipes-connectivity/inetutils/inetutils/CVE-2023-40303.patch 
@@ -0,0 +1,283 @@ +From e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6 Mon Sep 17 00:00:00 2001 +From: Jeffrey Bencteux +Date: Fri, 30 Jun 2023 19:02:45 +0200 +Subject: ftpd,rcp,rlogin,rsh,rshd,uucpd: fix: check set*id() return values + +Several setuid(), setgid(), seteuid() and setguid() return values +were not checked in ftpd/rcp/rlogin/rsh/rshd/uucpd code potentially +leading to potential security issues. + +Signed-off-by: Jeffrey Bencteux +Signed-off-by: Simon Josefsson + +Upstream-Status: Backport from [https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6] +CVE: CVE-2023-40303 +Signed-off-by: Siddharth Doshi + +--- + ftpd/ftpd.c | 10 +++--- + src/rcp.c| 39 +-- + src/rlogin.c | 11 +-- + src/rsh.c| 25 + + src/rshd.c | 20 +--- + src/uucpd.c | 15 +-- + 6 files changed, 100 insertions(+), 20 deletions(-) + +diff --git a/ftpd/ftpd.c b/ftpd/ftpd.c +index 68d41fd..703fbbc 100644 +--- a/ftpd/ftpd.c b/ftpd/ftpd.c +@@ -865,7 +865,9 @@ end_login (struct credentials *pcred) + char *remotehost = pcred->remotehost; + int atype = pcred->auth_type; + +- seteuid ((uid_t) 0); ++ if (seteuid ((uid_t) 0) == -1) ++_exit (EXIT_FAILURE); ++ + if (pcred->logged_in) + { + logwtmp_keep_open (ttyline, "", ""); +@@ -1154,7 +1156,8 @@ getdatasock (const char *mode) + + if (data >= 0) + return fdopen (data, mode); +- seteuid ((uid_t) 0); ++ if (seteuid ((uid_t) 0) == -1) ++_exit (EXIT_FAILURE); + s = socket (ctrl_addr.ss_family, SOCK_STREAM, 0); + if (s < 0) + goto bad; +@@ -1981,7 +1984,8 @@ passive (int epsv, int af) + else/* !AF_INET6 */ + ((struct sockaddr_in *) _addr)->sin_port = 0; + +- seteuid ((uid_t) 0); ++ if (seteuid ((uid_t) 0) == -1) ++_exit (EXIT_FAILURE); + if (bind (pdata, (struct sockaddr *) _addr, pasv_addrlen) < 0) + { + if (seteuid ((uid_t) cred.uid)) +diff --git a/src/rcp.c b/src/rcp.c +index 476cbaa..cd84570 100644 +--- a/src/rcp.c b/src/rcp.c +@@ -348,14 +348,23 @@ main (int argc, char *argv[]) + if (from_option) + { /* Follow 
"protocol", send data. */ + response (); +- setuid (userid); ++ ++ if (setuid (userid) == -1) ++ { ++error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); ++ } ++ + source (argc, argv); + exit (errs); + } + + if (to_option) + { /* Receive data. */ +- setuid (userid); ++ if (setuid (userid) == -1) ++ { ++error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); ++ } ++ + sink (argc, argv); + exit (errs); + } +@@ -540,7 +549,11 @@ toremote (char *targ, int argc, char *argv[]) + if (response () < 0) + exit (EXIT_FAILURE); + free (bp); +-setuid (userid); ++ ++if (setuid (userid) == -1) ++ { ++error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); ++ } + } + source (1, argv + i); + close (rem); +@@ -633,7 +646,12 @@ tolocal (int argc, char *argv[]) + ++errs; + continue; + } +- seteuid (userid); ++ ++ if (seteuid (userid) == -1) ++ { ++error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)"); ++ } ++ + #if defined IP_TOS && defined IPPROTO_IP && defined IPTOS_THROUGHPUT + sslen = sizeof (ss); + (void) getpeername (rem, (struct sockaddr *) , ); +@@ -646,7 +664,12 @@ tolocal (int argc, char *argv[]) + #endif + vect[0] = target; + sink (1, vect); +- seteuid (effuid); ++ ++ if (seteuid (effuid) == -1) ++ { ++error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)"); ++ } ++ + close (rem); + rem = -1; + #ifdef SHISHI +@@ -1444,7 +1467,11 @@ susystem (char *s, int userid) + return (127); + + case 0: +- setuid (userid); ++ if (setuid (userid) == -1) ++ { ++error (EXIT_FAILURE, 0, "Could not drop privileges
Re: [OE-core] [kirkstone][PATCH] Qemu: Resolve undefined reference issue in CVE-2023-2861
Hi Steve, Please find the detailed error log: {{{ | [629/6213] Compiling C object libqemuutil.a.p/stubs_win32-kbd-hook.c.o | [630/6213] Compiling C object libqemuutil.a.p/stubs_replay-tools.c.o | [631/6213] Compiling C object fsdev/virtfs-proxy-helper.p/9p-marshal.c.o | [632/6213] Compiling C object libqemuutil.a.p/stubs_xen-hw-stub.c.o | [633/6213] Compiling C object fsdev/virtfs-proxy-helper.p/9p-iov-marshal.c.o | [634/6213] Linking static target libqemuutil.a | [635/6213] Compiling C object tests/qtest/libqos/libqos.fa.p/qos_external.c.o | [636/6213] Compiling C object tests/qtest/libqos/libqos.fa.p/fw_cfg.c.o | [637/6213] Compiling C object tests/qtest/libqos/libqos.fa.p/pci.c.o | [638/6213] Compiling C object tests/qtest/libqos/libqos.fa.p/qgraph.c.o | [639/6213] Compiling C object fsdev/virtfs-proxy-helper.p/virtfs-proxy-helper.c.o | In file included from ../qemu-6.2.0/fsdev/virtfs-proxy-helper.c:29: | /home/siddharth/tmp/work/../qemu/6.2.0-r0/qemu-6.2.0/hw/9pfs/9p-util.h: In function 'close_if_special_file': | /home/siddharth/tmp/work/../qemu/6.2.0-r0/qemu-6.2.0/hw/9pfs/9p-util.h:46:9: warning: implicit declaration of function 'qemu_fstat' [-Wimplicit-function-declaration] | 46 | if (qemu_fstat(fd, ) < 0) { | | ^~ | /home/siddharth/tmp/work/../qemu/6.2.0-r0/qemu-6.2.0/hw/9pfs/9p-util.h:46:9: warning: nested extern declaration of 'qemu_fstat' [-Wnested-externs] | [640/6213] Compiling C object tests/qtest/libqos/libqos.fa.p/malloc-pc.c.o | [641/6213] Linking target fsdev/virtfs-proxy-helper | FAILED: fsdev/virtfs-proxy-helper }}} > > The fix patch mentions that the issue leads to "undefined symbol error > on certain architectures", but doesn't identify which architectures > specifically. > > - I am facing this on x86_64 and riscv architectures. Atleast these are the two which i tried on and got the same error. 
- Logically, looking at the code, it should fail on any machine it is compiled on regardless of the architecture, as the wrapper "qemu_fstat" is called but not defined anywhere in the code. - However, since I had not tested on all architectures, I could not speak for all of them. - It confused me further that it had passed the autobuilder test, so I explicitly said "on certain architectures" rather than "fails everywhere". - Just building qemu with `PACKAGECONFIG:append = " libusb virtfs" ` is enough to reproduce the error. At least that is what I am building it with. -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#186816): https://lists.openembedded.org/g/openembedded-core/message/186816 Mute This Topic: https://lists.openembedded.org/mt/100951881/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core][kirkstone][PATCH] Qemu: Resolve undefined reference issue in CVE-2023-2861
The commit [https://github.com/openembedded/openembedded-core/commit/9bd4ddeb4b5efc65b0514d50d6991211271924c1] backports fix for CVE-2023-2861 for version 6.2.0. The 'qemu_fstat' in `do_create_others' is not defined which leads to the undefined symbol error on certain architectures. Also, the commit message says "(Mjt: drop adding qemu_fstat wrapper for 7.2 where wrappers aren't used)". So either the wrapper has to be dropped or it has to be defined. Hence, backported the main patch rather than the cherry picked one. Signed-off-by: Siddharth Doshi --- .../qemu/qemu/CVE-2023-2861.patch | 66 +++ 1 file changed, 37 insertions(+), 29 deletions(-) diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch index 48f51f5d03..a86413fbad 100644 --- a/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch @@ -1,14 +1,16 @@ -From 10fad73a2bf1c76c8aa9d6322755e5f877d83ce5 Mon Sep 17 00:00:00 2001 +From f6b0de53fb87ddefed348a39284c8e2f28dc4eda Mon Sep 17 00:00:00 2001 
From: Christian Schoenebeck -Date: Wed Jun 7 18:29:33 2023 +0200 -Subject: [PATCH] 9pfs: prevent opening special files (CVE-2023-2861) The 9p - protocol does not specifically define how server shall behave when client - tries to open a special file, however from security POV it does make sense - for 9p server to prohibit opening any special file on host side in general. A - sane Linux 9p client for instance would never attempt to open a special file - on host side, it would always handle those exclusively on its guest side. A - malicious client however could potentially escape from the exported 9p tree - by creating and opening a device file on host side. +Date: Wed, 7 Jun 2023 18:29:33 +0200 +Subject: [PATCH] 9pfs: prevent opening special files (CVE-2023-2861) + +The 9p protocol does not specifically define how server shall behave when +client tries to open a special file, however from security POV it does +make sense for 9p server to prohibit opening any special file on host side +in general. A sane Linux 9p client for instance would never attempt to +open a special file on host side, it would always handle those exclusively +on its guest side. A malicious client however could potentially escape +from the exported 9p tree by creating and opening a device file on host +side. With QEMU this could only be exploited in the following unsafe setups: @@ -32,19 +34,16 @@ Signed-off-by: Christian Schoenebeck Reviewed-by: Greg Kurz Reviewed-by: Michael Tokarev Message-Id: -(cherry picked from commit f6b0de5) -Signed-off-by: Michael Tokarev -(Mjt: drop adding qemu_fstat wrapper for 7.2 where wrappers aren't used) - -Upstream-Status: Backport [https://github.com/qemu/qemu/commit/10fad73a2bf1c76c8aa9d6322755e5f877d83ce5] +Upstream-Status: Backport from [https://github.com/qemu/qemu/commit/10fad73a2bf1c76c8aa9d6322755e5f877d83ce5] CVE: CVE-2023-2861 
Signed-off-by: Archana Polampalli +Signed-off-by: Siddharth Doshi --- - fsdev/virtfs-proxy-helper.c | 27 -- - hw/9pfs/9p-util.h | 38 + - 2 files changed, 63 insertions(+), 2 deletions(-) + fsdev/virtfs-proxy-helper.c | 27 +++-- + hw/9pfs/9p-util.h | 40 + + 2 files changed, 65 insertions(+), 2 deletions(-) diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c index 15c0e79b0..f9e4669a5 100644 @@ -56,12 +55,12 @@ index 15c0e79b0..f9e4669a5 100644 #include "hw/9pfs/9p-proxy.h" +#include "hw/9pfs/9p-util.h" #include "fsdev/9p-iov-marshal.h" - + #define PROGNAME "virtfs-proxy-helper" @@ -338,6 +339,28 @@ static void resetugid(int suid, int sgid) } } - + +/* + * Open regular file or directory. Attempts to open any special file are + * rejected. @@ -106,22 +105,30 @@ index 15c0e79b0..f9e4669a5 100644 ret = -errno; } diff --git a/hw/9pfs/9p-util.h b/hw/9pfs/9p-util.h -index 546f46dc7..54e270ac6 100644 +index 546f46dc7..23000e917 100644 --- a/hw/9pfs/9p-util.h +++ b/hw/9pfs/9p-util.h -@@ -13,6 +13,8 @@ +@@ -13,12 +13,16 @@ #ifndef QEMU_9P_UTIL_H #define QEMU_9P_UTIL_H - + +#include "qemu/error-report.h" + #ifdef O_PATH #define O_PATH_9P_UTIL O_PATH #else -@@ -26,6 +28,38 @@ static inline void close_preserve_errno(int fd) + #define O_PATH_9P_UTIL 0 + #endif + ++#define qemu_fstat fstat ++ + static inline void close_preserve_errno(int fd) + { + int serrno = errno; +@@ -26,6 +30,38 @@ static inline void close_preserve_errno(int fd) errno = serrno; } - + +/** + * close_if_special_file() - Close @fd if neither regular file nor directory. + * @@ -157,10 +164,10 @@ index 546f46dc7..54e270ac6 100644 static inline int openat_dir(int dirfd, const char *name) { return openat(dirfd, name, -@@ -56,6 +90,10 @@ again: +@@ -56,6
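Review bot: The rewritten header still points `Upstream-Status` at commit 10fad73a2bf1c76c8aa9d6322755e5f877d83ce5, the stable-branch cherry-pick, while the `From` line now names f6b0de53fb87ddefed348a39284c8e2f28dc4eda and the cover letter says the main patch was backported instead of the cherry-picked one; the two should agree, i.e. `Upstream-Status: Backport [https://github.com/qemu/qemu/commit/f6b0de53fb87ddefed348a39284c8e2f28dc4eda]`. The same hunk also replaces the conventional `Backport [<url>]` form with `Backport from [<url>]`; keeping the established form avoids tripping OE-core's patch-status checks and matches what the rest of the tree uses.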
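Review bot: `#define qemu_fstat fstat` is added to hw/9pfs/9p-util.h with nothing saying why it exists, and a reader of the 6.2.0 tree will not know it is there only because the upstream `close_if_special_file()` calls a wrapper this release does not have (the failure quoted earlier in the thread is an implicit declaration of `qemu_fstat` at 9p-util.h:46). A comment above it, `/* Upstream 9p code calls the qemu_fstat() wrapper; 6.2.0 has no such wrapper, so alias it to fstat() here. */`, records that for the next backport. Since it is a plain macro in a header pulled into both the proxy helper and the 9pfs code, it would also rewrite any declaration named `qemu_fstat` that those translation units include; that seems unlikely in 6.2.0 but is worth a quick grep before merging.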