[OE-core] [hardknott] [PATCH 2/2] nfs-utils: add krb5 PACKAGECONFIG to allow building with gss and svcgss

2023-11-20 Thread Stefan Ghinea via lists.openembedded.org
When building nfs-utils with gss and svcgss, the build succeeds if the host OS has the krb5
development package installed, but that is host contamination rather than a proper dependency.

Signed-off-by: Stefan Ghinea 
---
 ...with-enable-gss-enable-svcgss-option.patch | 52 +++
 .../nfs-utils/nfs-utils_2.5.3.bb  |  5 +-
 2 files changed, 56 insertions(+), 1 deletion(-)
 create mode 100644 
meta/recipes-connectivity/nfs-utils/nfs-utils/0001-Enable-building-with-enable-gss-enable-svcgss-option.patch

diff --git 
a/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-Enable-building-with-enable-gss-enable-svcgss-option.patch
 
b/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-Enable-building-with-enable-gss-enable-svcgss-option.patch
new file mode 100644
index 00..23232ec099
--- /dev/null
+++ 
b/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-Enable-building-with-enable-gss-enable-svcgss-option.patch
@@ -0,0 +1,52 @@
+From d4494617c98fdf4e956d74ce34b847a46ff36e0d Mon Sep 17 00:00:00 2001
+From: Stefan Ghinea 
+Date: Wed, 11 Oct 2023 22:36:32 +0300
+Subject: [PATCH] Enable building with --enable-gss --enable-svcgss options in
+ Yocto
+
+With $dir being used as base search for both libgssapi and krb5-config, in
+Yocto krb5-config is found in $dir/bin/crossscripts instead of $dir/bin so
+add this to the search posibillities relative to $dir.
+Remove check for needing to set -rpath in KRBLDFLAGS.
+
+Upstream-Status: Inappropriate [oe-core specific]
+
+Signed-off-by: Stefan Ghinea 
+---
+ aclocal/kerberos5.m4 | 13 ++---
+ 1 file changed, 2 insertions(+), 11 deletions(-)
+
+diff --git a/aclocal/kerberos5.m4 b/aclocal/kerberos5.m4
+index bf0e88b..ba683eb 100644
+--- a/aclocal/kerberos5.m4
 b/aclocal/kerberos5.m4
+@@ -24,6 +24,8 @@ AC_DEFUN([AC_KERBEROS_V5],[
+ K5CONFIG=""
+ if test -f $dir/bin/krb5-config; then
+   K5CONFIG=$dir/bin/krb5-config
++elif test -f $dir/bin/crossscripts/krb5-config; then
++  K5CONFIG=$dir/bin/crossscripts/krb5-config
+ elif test -f "/usr/kerberos/bin/krb5-config"; then
+   K5CONFIG="/usr/kerberos/bin/krb5-config"
+ elif test -f "/usr/lib/mit/bin/krb5-config"; then
+@@ -71,17 +73,6 @@ AC_DEFUN([AC_KERBEROS_V5],[
+   fi
+   AC_MSG_RESULT($KRBDIR)
+ 
+-  dnl Check if -rpath=$(KRBDIR)/lib is needed
+-  echo "The current KRBDIR is $KRBDIR"
+-  if test "$KRBDIR/lib" = "/lib" -o "$KRBDIR/lib" = "/usr/lib" \
+-   -o "$KRBDIR/lib" = "//lib" -o "$KRBDIR/lib" = "/usr//lib" ; then
+-KRBLDFLAGS="";
+-  elif /sbin/ldconfig -p | grep > /dev/null "=> $KRBDIR/lib/"; then
+-KRBLDFLAGS="";
+-  else
+-KRBLDFLAGS="-Wl,-rpath=$KRBDIR/lib"
+-  fi
+-
+   dnl Now check for functions within gssapi library
+   AC_CHECK_LIB($gssapi_lib, gss_krb5_export_lucid_sec_context,
+ AC_DEFINE(HAVE_LUCID_CONTEXT_SUPPORT, 1, [Define this if the Kerberos GSS 
library supports gss_krb5_export_lucid_sec_context]), ,$KRBLIBS)
+-- 
+2.42.0
+
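Review bot: The block removed at the second embedded hunk (the `dnl Check if -rpath=$(KRBDIR)/lib is needed` section) held the only assignments to KRBLDFLAGS visible here, so after this patch the variable keeps whatever value it had before that point — empty if AC_KERBEROS_V5 initialises it earlier, otherwise whatever the configure environment carried in. If the macro still AC_SUBSTs it or folds it into LDFLAGS further down (outside the hunk), an explicit `KRBLDFLAGS=""` where the block was removed keeps the result deterministic across hosts. Dropping the rpath and the `/sbin/ldconfig -p` probe is the right call for a cross build, since both read the host rather than the sysroot. The rest of AC_KERBEROS_V5 lies outside the hunk.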
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils_2.5.3.bb 
b/meta/recipes-connectivity/nfs-utils/nfs-utils_2.5.3.bb
index d8c6391b3d..1b4f281175 100644
--- a/meta/recipes-connectivity/nfs-utils/nfs-utils_2.5.3.bb
+++ b/meta/recipes-connectivity/nfs-utils/nfs-utils_2.5.3.bb
@@ -30,6 +30,7 @@ SRC_URI = 
"${KERNELORG_MIRROR}/linux/utils/nfs-utils/${PV}/nfs-utils-${PV}.tar.x
file://bugfix-adjust-statd-service-name.patch \
file://0001-Makefile.am-fix-undefined-function-for-libnsm.a.patch \
file://clang-warnings.patch \
+   
file://0001-Enable-building-with-enable-gss-enable-svcgss-option.patch \
"
 SRC_URI[sha256sum] = 
"b54d6d8ea2ee62d64111278301ba4631b7bb19174e7f717a724fe5d463900c80"
 
@@ -53,7 +54,6 @@ EXTRA_OECONF = "--with-statduser=rpcuser \
 --enable-mountconfig \
 --enable-libmount-mount \
 --enable-uuid \
---disable-gss \
 --disable-nfsdcltrack \
 --with-statdpath=/var/lib/nfs/statd \
 --with-rpcgen=${HOSTTOOLS_DIR}/rpcgen \
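Review bot: Removing `--disable-gss` from EXTRA_OECONF means configure is no longer told anything about gss when `krb5` is absent from PACKAGECONFIG, so keeping gss off now rests entirely on the disable half of the `PACKAGECONFIG[krb5]` entry, which is cut off at the end of this message (`+PACKA`). If that entry does not pass the disable flags in its second field, configure can autodetect a krb5-config on the build host and silently re-enable gss — exactly the host contamination this series sets out to remove. It is worth confirming the entry reads along the lines of `PACKAGECONFIG[krb5] = "--enable-gss --enable-svcgss,--disable-gss --disable-svcgss,krb5"`. The EXTRA_OECONF assignment itself starts and ends outside this hunk.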
@@ -61,6 +61,7 @@ EXTRA_OECONF = "--with-statduser=rpcuser \
 
 PACKAGECONFIG ??= "tcp-wrappers \
 ${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} \
+${@bb.utils.contains('DISTRO_FEATURES', 'krb5', 'nfsv4 krb5', '', d)} \
 "
 PACKAGECONFIG_remove_libc-musl = "tcp-wrappers"
 PACKAGECONFIG[tcp-wrappers] = 
"--with-tcp-wrappers,--without-tcp-wrappers,tcp-wrappers"
@@ -69,6 +70,8 @@ PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6,"
 PACKAGECONFIG[nfsv41] = 
"--enable-nfsv41,--disable-nfsv41,libdevmapper,libdevmapper"
 # keyutils is available in meta-oe
 PACKAGECONFIG[nfsv4] = "--enable-nfsv4,--disable-nfsv4,keyutils,python3-core"
+# krb5 is available in meta-oe
+PACKA

[OE-core] [hardknott] [PATCH 1/2] libtirpc: add support for configuring and building with --enable-gssapi

2023-11-20 Thread Stefan Ghinea via lists.openembedded.org
nfs-utils built with gss and svcgss depends on libtirpc being configured with the gssapi
option.

Signed-off-by: Stefan Ghinea 
---
 meta/recipes-extended/libtirpc/libtirpc_1.3.1.bb | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-extended/libtirpc/libtirpc_1.3.1.bb 
b/meta/recipes-extended/libtirpc/libtirpc_1.3.1.bb
index 32fb651130..5ae91b6df3 100644
--- a/meta/recipes-extended/libtirpc/libtirpc_1.3.1.bb
+++ b/meta/recipes-extended/libtirpc/libtirpc_1.3.1.bb
@@ -18,7 +18,11 @@ SRC_URI[sha256sum] = 
"245895caf066bec5e3d4375942c8cb4366adad184c29c618d97f724ea3
 
 inherit autotools pkgconfig
 
-EXTRA_OECONF = "--disable-gssapi"
+PACKAGECONFIG ??= "\
+${@bb.utils.filter('DISTRO_FEATURES', 'krb5', d)} \
+"
+# krb5 is available in meta-oe
+PACKAGECONFIG[krb5] = "--enable-gssapi,--disable-gssapi,krb5"
 
 do_install_append() {
chown root:root ${D}${sysconfdir}/netconfig
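Review bot: The new `PACKAGECONFIG ??=` is spread over three lines with a continuation for a single expression; `PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'krb5', d)}"` reads more directly and matches how single-item defaults are usually written. The `# krb5 is available in meta-oe` comment is documenting a cross-layer dependency — with `krb5` in DISTRO_FEATURES this oe-core recipe now DEPENDS on a recipe another layer provides — so spelling that out (`# krb5 is provided by meta-oe; the feature requires that layer`) would save the next reader a failed parse. The `do_install_append` body continues outside the hunk.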
-- 
2.42.0





[PATCH] [OE-core] boost: fix do_fetch failure

2021-05-17 Thread Stefan Ghinea
Bintray service has been discontinued causing boost do_fetch to fail:
WARNING: boost-1.76.0-r0 do_fetch: Failed to fetch URL
https://dl.bintray.com/boostorg/release/1.76.0/source/boost_1_76_0.tar.bz2,
attempting MIRRORS if available

Signed-off-by: Stefan Ghinea 
---
 meta/recipes-support/boost/boost-1.76.0.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-support/boost/boost-1.76.0.inc 
b/meta/recipes-support/boost/boost-1.76.0.inc
index eb5d484976..c02f38b047 100644
--- a/meta/recipes-support/boost/boost-1.76.0.inc
+++ b/meta/recipes-support/boost/boost-1.76.0.inc
@@ -11,7 +11,7 @@ BOOST_VER = "${@"_".join(d.getVar("PV").split("."))}"
 BOOST_MAJ = "${@"_".join(d.getVar("PV").split(".")[0:2])}"
 BOOST_P = "boost_${BOOST_VER}"
 
-SRC_URI = 
"https://dl.bintray.com/boostorg/release/${PV}/source/${BOOST_P}.tar.bz2;
+SRC_URI = 
"https://boostorg.jfrog.io/artifactory/main/release/${PV}/source/${BOOST_P}.tar.bz2;
 SRC_URI[sha256sum] = 
"f0397ba6e982c4450f27bf32a2a83292aba035b827a5623a14636ea583318c41"
 
 UPSTREAM_CHECK_URI = "http://www.boost.org/users/download/;
-- 
2.17.1





[PATCH] [oe-core] xserver-xorg: fix CVE-2021-3472

2021-04-29 Thread Stefan Ghinea
Insufficient checks on the lengths of the XInput extension
ChangeFeedbackControl request can lead to out of bounds memory accesses
in the X server.

References:
https://nvd.nist.gov/vuln/detail/CVE-2021-3472

Upstream patches:
https://gitlab.freedesktop.org/xorg/xserver/-/commit/7aaf54a1884f71dc363f0b884e57bcb67407a6cd

Signed-off-by: Stefan Ghinea 
---
 .../xserver-xorg/CVE-2021-3472.patch  | 43 +++
 .../xorg-xserver/xserver-xorg_1.20.10.bb  |  1 +
 2 files changed, 44 insertions(+)
 create mode 100644 
meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-3472.patch

diff --git 
a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-3472.patch 
b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-3472.patch
new file mode 100644
index 00..5480f71871
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-3472.patch
@@ -0,0 +1,43 @@
+From 7aaf54a1884f71dc363f0b884e57bcb67407a6cd Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb 
+Date: Sun, 21 Mar 2021 18:38:57 +0100
+Subject: [PATCH] Fix XChangeFeedbackControl() request underflow
+
+CVE-2021-3472 / ZDI-CAN-1259
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Matthieu Herrb 
+
+Upstream-Status: Backport
+CVE: CVE-2021-3472
+
+Reference to upstream patch:
+[https://gitlab.freedesktop.org/xorg/xserver/-/commit/7aaf54a1884f71dc363f0b884e57bcb67407a6cd]
+
+Signed-off-by: Stefan Ghinea 
+---
+ Xi/chgfctl.c | 5 -
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/Xi/chgfctl.c b/Xi/chgfctl.c
+index 1de4da9..7a597e4 100644
+--- a/Xi/chgfctl.c
 b/Xi/chgfctl.c
+@@ -464,8 +464,11 @@ ProcXChangeFeedbackControl(ClientPtr client)
+ break;
+ case StringFeedbackClass:
+ {
+-xStringFeedbackCtl *f = ((xStringFeedbackCtl *) [1]);
++xStringFeedbackCtl *f;
+ 
++REQUEST_AT_LEAST_EXTRA_SIZE(xChangeFeedbackControlReq,
++sizeof(xStringFeedbackCtl));
++f = ((xStringFeedbackCtl *) [1]);
+ if (client->swapped) {
+ if (len < bytes_to_int32(sizeof(xStringFeedbackCtl)))
+ return BadLength;
+-- 
+2.17.1
+
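Review bot: The removed line and the re-added assignment (`xStringFeedbackCtl *f = ((xStringFeedbackCtl *) [1]);` and `f = ((xStringFeedbackCtl *) [1]);`) have lost the operand before `[1]`; in this function the request pointer is `stuff`, so the lines presumably read `&stuff[1]` and the archive dropped the text from the `&` on. The same loss seems to affect the embedded file header, where the `+++ b/Xi/chgfctl.c` line appears without its marker. Verify the patch file in the tree rather than this rendering before reusing it, since as quoted here it would neither apply nor compile. The `REQUEST_AT_LEAST_EXTRA_SIZE` check itself is placed before the first dereference of `f`, which is the right order for a length check on request data.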
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb 
b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb
index 5c6dbac4d7..755a762a73 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb
@@ -7,6 +7,7 @@ SRC_URI += 
"file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
file://0001-drmmode_display.c-add-missing-mi.h-include.patch \
file://0001-Avoid-duplicate-definitions-of-IOPortBase.patch \

file://0001-Fix-segfault-on-probing-a-non-PCI-platform-device-on.patch \
+   file://CVE-2021-3472.patch \
"
 SRC_URI[sha256sum] = 
"977420c082450dc808de301ef56af4856d653eea71519a973c3490a780cb7c99"
 
-- 
2.17.1





[PATCH] [OE-core] libssh2: fix build failure with option no-ecdsa

2021-04-23 Thread Stefan Ghinea
libssh2 fails at do_compile if
DEPRECATED_CRYPTO_FLAGS = "no-ecdsa" is set in recipe:

../src/.libs/libssh2.so: undefined reference to
`LIBSSH2_KEX_METHOD_EC_SHA_HASH_CREATE_VERIFY'

References:
https://github.com/libssh2/libssh2/issues/549

Upstream patches:
https://github.com/libssh2/libssh2/commit/1f76151c92e1b52e9c24ebf06adc77fbd6c062bc

Signed-off-by: Stefan Ghinea 
---
 ...EC-macro-outside-of-if-check-549-550.patch | 112 ++
 meta/recipes-support/libssh2/libssh2_1.9.0.bb |   1 +
 2 files changed, 113 insertions(+)
 create mode 100644 
meta/recipes-support/libssh2/files/0001-kex.c-move-EC-macro-outside-of-if-check-549-550.patch

diff --git 
a/meta/recipes-support/libssh2/files/0001-kex.c-move-EC-macro-outside-of-if-check-549-550.patch
 
b/meta/recipes-support/libssh2/files/0001-kex.c-move-EC-macro-outside-of-if-check-549-550.patch
new file mode 100644
index 00..b331c1bf81
--- /dev/null
+++ 
b/meta/recipes-support/libssh2/files/0001-kex.c-move-EC-macro-outside-of-if-check-549-550.patch
@@ -0,0 +1,112 @@
+From 1f76151c92e1b52e9c24ebf06adc77fbd6c062bc Mon Sep 17 00:00:00 2001
+From: Will Cosgrove 
+Date: Tue, 26 Jan 2021 11:41:21 -0800
+Subject: [PATCH] kex.c: move EC macro outside of if check #549 (#550)
+
+File: kex.c
+
+Notes:
+Moved the macro LIBSSH2_KEX_METHOD_EC_SHA_HASH_CREATE_VERIFY outside of the 
LIBSSH2_ECDSA since it's also now used by the ED25519 code.
+
+Sha 256, 384 and 512 need to be defined for all backends now even if they 
aren't used directly. I believe this is already the case, but just a heads up.
+
+Credit:
+Stefan-Ghinea
+
+Upstream-Status: Backport
+
+Reference to upstream patch:
+https://github.com/libssh2/libssh2/commit/1f76151c92e1b52e9c24ebf06adc77fbd6c062bc
+
+Signed-off-by: Stefan Ghinea 
+---
+ src/kex.c | 66 +++
+ 1 file changed, 33 insertions(+), 33 deletions(-)
+
+diff --git a/src/kex.c b/src/kex.c
+index cb16639..19ab6ec 100644
+--- a/src/kex.c
 b/src/kex.c
+@@ -1885,39 +1885,6 @@ 
kex_method_diffie_hellman_group_exchange_sha256_key_exchange
+ }
+ 
+ 
+-#if LIBSSH2_ECDSA
+-
+-/* kex_session_ecdh_curve_type
+- * returns the EC curve type by name used in key exchange
+- */
+-
+-static int
+-kex_session_ecdh_curve_type(const char *name, libssh2_curve_type *out_type)
+-{
+-int ret = 0;
+-libssh2_curve_type type;
+-
+-if(name == NULL)
+-return -1;
+-
+-if(strcmp(name, "ecdh-sha2-nistp256") == 0)
+-type = LIBSSH2_EC_CURVE_NISTP256;
+-else if(strcmp(name, "ecdh-sha2-nistp384") == 0)
+-type = LIBSSH2_EC_CURVE_NISTP384;
+-else if(strcmp(name, "ecdh-sha2-nistp521") == 0)
+-type = LIBSSH2_EC_CURVE_NISTP521;
+-else {
+-ret = -1;
+-}
+-
+-if(ret == 0 && out_type) {
+-*out_type = type;
+-}
+-
+-return ret;
+-}
+-
+-
+ /* LIBSSH2_KEX_METHOD_EC_SHA_HASH_CREATE_VERIFY
+  *
+  * Macro that create and verifies EC SHA hash with a given digest bytes
+@@ -2027,6 +1994,39 @@ kex_session_ecdh_curve_type(const char *name, 
libssh2_curve_type *out_type)
+ }   \
+ 
+ 
++#if LIBSSH2_ECDSA
++
++/* kex_session_ecdh_curve_type
++ * returns the EC curve type by name used in key exchange
++ */
++
++static int
++kex_session_ecdh_curve_type(const char *name, libssh2_curve_type *out_type)
++{
++int ret = 0;
++libssh2_curve_type type;
++
++if(name == NULL)
++return -1;
++
++if(strcmp(name, "ecdh-sha2-nistp256") == 0)
++type = LIBSSH2_EC_CURVE_NISTP256;
++else if(strcmp(name, "ecdh-sha2-nistp384") == 0)
++type = LIBSSH2_EC_CURVE_NISTP384;
++else if(strcmp(name, "ecdh-sha2-nistp521") == 0)
++type = LIBSSH2_EC_CURVE_NISTP521;
++else {
++ret = -1;
++}
++
++if(ret == 0 && out_type) {
++*out_type = type;
++}
++
++return ret;
++}
++
++
+ /* ecdh_sha2_nistp
+  * Elliptic Curve Diffie Hellman Key Exchange
+  */
+-- 
+2.17.1
+
diff --git a/meta/recipes-support/libssh2/libssh2_1.9.0.bb 
b/meta/recipes-support/libssh2/libssh2_1.9.0.bb
index 0b8ccbd217..a5451628e7 100644
--- a/meta/recipes-support/libssh2/libssh2_1.9.0.bb
+++ b/meta/recipes-support/libssh2/libssh2_1.9.0.bb
@@ -11,6 +11,7 @@ SRC_URI = "http://www.libssh2.org/download/${BP}.tar.gz \
file://CVE-2019-17498.patch \
file://0001-configure-Conditionally-undefine-backend-m4-macro.patch 
\
file://run-ptest \
+   file://0001-kex.c-move-EC-macro-outside-of-if-check-549-550.patch \
 "
 
 SRC_URI_append_ptest = " 
file://0001-Don-t-let-host-enviroment-to-decide-if-a-test-is-bui.patch"
-- 
2.17.1



[PATCH] [OE-core] wpa-supplicant: fix CVE-2021-30004

2021-04-08 Thread Stefan Ghinea
In wpa_supplicant and hostapd 2.9, forging attacks may occur because
AlgorithmIdentifier parameters are mishandled in tls/pkcs1.c and
tls/x509v3.c.

References:
https://nvd.nist.gov/vuln/detail/CVE-2021-30004

Upstream patches:
https://w1.fi/cgit/hostap/commit/?id=a0541334a6394f8237a4393b7372693cd7e96f15

Signed-off-by: Stefan Ghinea 
---
 .../wpa-supplicant/CVE-2021-30004.patch   | 123 ++
 .../wpa-supplicant/wpa-supplicant_2.9.bb  |   1 +
 2 files changed, 124 insertions(+)
 create mode 100644 
meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-30004.patch

diff --git 
a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-30004.patch 
b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-30004.patch
new file mode 100644
index 00..e2540fc26b
--- /dev/null
+++ 
b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-30004.patch
@@ -0,0 +1,123 @@
+From a0541334a6394f8237a4393b7372693cd7e96f15 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen 
+Date: Sat, 13 Mar 2021 18:19:31 +0200
+Subject: [PATCH] ASN.1: Validate DigestAlgorithmIdentifier parameters
+
+The supported hash algorithms do not use AlgorithmIdentifier parameters.
+However, there are implementations that include NULL parameters in
+addition to ones that omit the parameters. Previous implementation did
+not check the parameters value at all which supported both these cases,
+but did not reject any other unexpected information.
+
+Use strict validation of digest algorithm parameters and reject any
+unexpected value when validating a signature. This is needed to prevent
+potential forging attacks.
+
+Signed-off-by: Jouni Malinen 
+
+Upstream-Status: Backport
+CVE: CVE-2021-30004
+
+Reference to upstream patch:
+[https://w1.fi/cgit/hostap/commit/?id=a0541334a6394f8237a4393b7372693cd7e96f15]
+
+Signed-off-by: Stefan Ghinea 
+---
+ src/tls/pkcs1.c  | 21 +
+ src/tls/x509v3.c | 20 
+ 2 files changed, 41 insertions(+)
+
+diff --git a/src/tls/pkcs1.c b/src/tls/pkcs1.c
+index 141ac50..e09db07 100644
+--- a/src/tls/pkcs1.c
 b/src/tls/pkcs1.c
+@@ -240,6 +240,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
+   os_free(decrypted);
+   return -1;
+   }
++  wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestInfo",
++  hdr.payload, hdr.length);
+ 
+   pos = hdr.payload;
+   end = pos + hdr.length;
+@@ -261,6 +263,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
+   os_free(decrypted);
+   return -1;
+   }
++  wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestAlgorithmIdentifier",
++  hdr.payload, hdr.length);
+   da_end = hdr.payload + hdr.length;
+ 
+   if (asn1_get_oid(hdr.payload, hdr.length, , )) {
+@@ -269,6 +273,23 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
+   os_free(decrypted);
+   return -1;
+   }
++  wpa_hexdump(MSG_MSGDUMP, "PKCS #1: Digest algorithm parameters",
++  next, da_end - next);
++
++  /*
++   * RFC 5754: The correct encoding for the SHA2 algorithms would be to
++   * omit the parameters, but there are implementation that encode these
++   * as a NULL element. Allow these two cases and reject anything else.
++   */
++  if (da_end > next &&
++  (asn1_get_next(next, da_end - next, ) < 0 ||
++   !asn1_is_null() ||
++   hdr.payload + hdr.length != da_end)) {
++  wpa_printf(MSG_DEBUG,
++ "PKCS #1: Unexpected digest algorithm parameters");
++  os_free(decrypted);
++  return -1;
++  }
+ 
+   if (!asn1_oid_equal(, hash_alg)) {
+   char txt[100], txt2[100];
+diff --git a/src/tls/x509v3.c b/src/tls/x509v3.c
+index 1bd5aa0..bf2289f 100644
+--- a/src/tls/x509v3.c
 b/src/tls/x509v3.c
+@@ -1834,6 +1834,7 @@ int x509_check_signature(struct x509_certificate *issuer,
+   os_free(data);
+   return -1;
+   }
++  wpa_hexdump(MSG_MSGDUMP, "X509: DigestInfo", hdr.payload, hdr.length);
+ 
+   pos = hdr.payload;
+   end = pos + hdr.length;
+@@ -1855,6 +1856,8 @@ int x509_check_signature(struct x509_certificate *issuer,
+   os_free(data);
+   return -1;
+   }
++  wpa_hexdump(MSG_MSGDUMP, "X509: DigestAlgorithmIdentifier",
++  hdr.payload, hdr.length);
+   da_end = hdr.payload + hdr.length;
+ 
+   if (asn1_get_oid(hdr.payload, hdr.length, , )) {
+@@ -1862,6 +1865,23 @@ int x509_check_signature(struct x509_certificate 
*issuer,
+   os_free(data);
+   return -1;
+   }
++  wpa_hexdump(MSG_MSGDUMP, "X509: Digest algorithm parameters",
++  next, da_end - next);
++
++  /*
++   * RFC 5754: The correct encoding for the SHA2

[PATCH] [OE-core] [meta-openembedded] quagga: fix do_fetch warning

2021-03-11 Thread Stefan Ghinea
WARNING: quagga-1.2.4-r0 do_fetch: Failed to fetch URL
https://download.savannah.gnu.org/releases/quagga/quagga-1.2.4.tar.gz;,
attempting MIRRORS if available

Signed-off-by: Stefan Ghinea 
---
 meta-networking/recipes-protocols/quagga/quagga.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta-networking/recipes-protocols/quagga/quagga.inc 
b/meta-networking/recipes-protocols/quagga/quagga.inc
index 6df72427b..6680fec01 100644
--- a/meta-networking/recipes-protocols/quagga/quagga.inc
+++ b/meta-networking/recipes-protocols/quagga/quagga.inc
@@ -20,7 +20,7 @@ SNMP_CONF="${@bb.utils.contains('DISTRO_FEATURES', 'snmp', 
'--enable-snmp', '',
 # the "ip" command from busybox is not sufficient (flush by protocol flushes 
all routes)
 RDEPENDS_${PN} += "iproute2"
 
-SRC_URI = "${SAVANNAH_GNU_MIRROR}/quagga/quagga-${PV}.tar.gz; \
+SRC_URI = 
"https://github.com/Quagga/quagga/releases/download/${BP}/${BP}.tar.gz; \
file://quagga.init \
file://quagga.default \
file://watchquagga.init \
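Review bot: The new SRC_URI moves the fetch from the Savannah mirror to a GitHub release asset, but the matching `SRC_URI[...]` checksum lines are outside this hunk and are not touched, so the change only holds if the GitHub release tarball is byte-identical to the one the existing checksums were computed against. Release-asset downloads are files uploaded by the project, unlike the auto-generated `archive/` tarballs, so they are expected to be stable — but the commit message should record that the checksums were re-verified against the new host rather than leave it implicit. The rest of the SRC_URI assignment continues outside the hunk.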
-- 
2.17.1





[PATCH] [OE-core] [meta-openembedded] hostapd: fix CVE-2021-27803

2021-03-03 Thread Stefan Ghinea
A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant
before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests.
It could result in denial of service or other impact (potentially
execution of arbitrary code), for an attacker within radio range.

References:
https://nvd.nist.gov/vuln/detail/CVE-2021-27803

Upstream patches:
https://w1.fi/cgit/hostap/commit/?id=8460e3230988ef2ec13ce6b69b687e941f6cdb32

Signed-off-by: Stefan Ghinea 
---
 .../hostapd/hostapd/CVE-2021-27803.patch  | 58 +++
 .../hostapd/hostapd_2.9.bb|  1 +
 2 files changed, 59 insertions(+)
 create mode 100644 
meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-27803.patch

diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-27803.patch 
b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-27803.patch
new file mode 100644
index 0..004b1dbd1
--- /dev/null
+++ b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-27803.patch
@@ -0,0 +1,58 @@
+From 8460e3230988ef2ec13ce6b69b687e941f6cdb32 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen 
+Date: Tue, 8 Dec 2020 23:52:50 +0200
+Subject: [PATCH] P2P: Fix a corner case in peer addition based on PD Request
+
+p2p_add_device() may remove the oldest entry if there is no room in the
+peer table for a new peer. This would result in any pointer to that
+removed entry becoming stale. A corner case with an invalid PD Request
+frame could result in such a case ending up using (read+write) freed
+memory. This could only by triggered when the peer table has reached its
+maximum size and the PD Request frame is received from the P2P Device
+Address of the oldest remaining entry and the frame has incorrect P2P
+Device Address in the payload.
+
+Fix this by fetching the dev pointer again after having called
+p2p_add_device() so that the stale pointer cannot be used.
+
+Fixes: 17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery 
Request")
+Signed-off-by: Jouni Malinen 
+
+Upstream-Status: Backport
+CVE: CVE-2021-27803
+
+Reference to upstream patch:
+[https://w1.fi/cgit/hostap/commit/?id=8460e3230988ef2ec13ce6b69b687e941f6cdb32]
+
+Signed-off-by: Stefan Ghinea 
+---
+ src/p2p/p2p_pd.c | 12 +---
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/src/p2p/p2p_pd.c b/src/p2p/p2p_pd.c
+index 3994ec0..05fd593 100644
+--- a/src/p2p/p2p_pd.c
 b/src/p2p/p2p_pd.c
+@@ -595,14 +595,12 @@ void p2p_process_prov_disc_req(struct p2p_data *p2p, 
const u8 *sa,
+   goto out;
+   }
+ 
++  dev = p2p_get_device(p2p, sa);
+   if (!dev) {
+-  dev = p2p_get_device(p2p, sa);
+-  if (!dev) {
+-  p2p_dbg(p2p,
+-  "Provision Discovery device not found "
+-  MACSTR, MAC2STR(sa));
+-  goto out;
+-  }
++  p2p_dbg(p2p,
++  "Provision Discovery device not found "
++  MACSTR, MAC2STR(sa));
++  goto out;
+   }
+   } else if (msg.wfd_subelems) {
+   wpabuf_free(dev->info.wfd_subelems);
+-- 
+2.17.1
+
diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb 
b/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb
index 68dc12370..ae497b6ae 100644
--- a/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb
+++ b/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb
@@ -12,6 +12,7 @@ SRC_URI = " \
 file://init \
 file://hostapd.service \
 file://CVE-2019-16275.patch \
+file://CVE-2021-27803.patch \
 "
 
 SRC_URI[md5sum] = "f188fc53a495fe7af3b6d77d3c31dee8"
-- 
2.17.1





[PATCH] [OE-core] wpa-supplicant: fix CVE-2021-27803

2021-03-03 Thread Stefan Ghinea
A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant
before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests.
It could result in denial of service or other impact (potentially
execution of arbitrary code), for an attacker within radio range.

References:
https://nvd.nist.gov/vuln/detail/CVE-2021-27803

Upstream patches:
https://w1.fi/cgit/hostap/commit/?id=8460e3230988ef2ec13ce6b69b687e941f6cdb32

Signed-off-by: Stefan Ghinea 
---
 .../wpa-supplicant/CVE-2021-27803.patch   | 58 +++
 .../wpa-supplicant/wpa-supplicant_2.9.bb  |  1 +
 2 files changed, 59 insertions(+)
 create mode 100644 
meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-27803.patch

diff --git 
a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-27803.patch 
b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-27803.patch
new file mode 100644
index 00..004b1dbd19
--- /dev/null
+++ 
b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-27803.patch
@@ -0,0 +1,58 @@
+From 8460e3230988ef2ec13ce6b69b687e941f6cdb32 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen 
+Date: Tue, 8 Dec 2020 23:52:50 +0200
+Subject: [PATCH] P2P: Fix a corner case in peer addition based on PD Request
+
+p2p_add_device() may remove the oldest entry if there is no room in the
+peer table for a new peer. This would result in any pointer to that
+removed entry becoming stale. A corner case with an invalid PD Request
+frame could result in such a case ending up using (read+write) freed
+memory. This could only by triggered when the peer table has reached its
+maximum size and the PD Request frame is received from the P2P Device
+Address of the oldest remaining entry and the frame has incorrect P2P
+Device Address in the payload.
+
+Fix this by fetching the dev pointer again after having called
+p2p_add_device() so that the stale pointer cannot be used.
+
+Fixes: 17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery 
Request")
+Signed-off-by: Jouni Malinen 
+
+Upstream-Status: Backport
+CVE: CVE-2021-27803
+
+Reference to upstream patch:
+[https://w1.fi/cgit/hostap/commit/?id=8460e3230988ef2ec13ce6b69b687e941f6cdb32]
+
+Signed-off-by: Stefan Ghinea 
+---
+ src/p2p/p2p_pd.c | 12 +---
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/src/p2p/p2p_pd.c b/src/p2p/p2p_pd.c
+index 3994ec0..05fd593 100644
+--- a/src/p2p/p2p_pd.c
 b/src/p2p/p2p_pd.c
+@@ -595,14 +595,12 @@ void p2p_process_prov_disc_req(struct p2p_data *p2p, 
const u8 *sa,
+   goto out;
+   }
+ 
++  dev = p2p_get_device(p2p, sa);
+   if (!dev) {
+-  dev = p2p_get_device(p2p, sa);
+-  if (!dev) {
+-  p2p_dbg(p2p,
+-  "Provision Discovery device not found "
+-  MACSTR, MAC2STR(sa));
+-  goto out;
+-  }
++  p2p_dbg(p2p,
++  "Provision Discovery device not found "
++  MACSTR, MAC2STR(sa));
++  goto out;
+   }
+   } else if (msg.wfd_subelems) {
+   wpabuf_free(dev->info.wfd_subelems);
+-- 
+2.17.1
+
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb 
b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
index caa6018ce8..357c28634a 100644
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
@@ -31,6 +31,7 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz  
\

file://0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch \

file://0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch \
file://CVE-2021-0326.patch \
+   file://CVE-2021-27803.patch \
   "
 SRC_URI[md5sum] = "2d2958c782576dc9901092fbfecb4190"
 SRC_URI[sha256sum] = 
"fcbdee7b4a64bea8177973299c8c824419c413ec2e3a95db63dd6a5dc3541f17"
-- 
2.17.1





[PATCH] [OE-core] cups: fix CVE-2020-10001

2021-02-25 Thread Stefan Ghinea
A buffer (read) overflow in the ippReadIO function.

References:
https://nvd.nist.gov/vuln/detail/CVE-2020-10001

Upstream patches:
https://github.com/OpenPrinting/cups/commit/efbea1742bd30f842fbbfb87a473e5c84f4162f9

Signed-off-by: Stefan Ghinea 
---
 meta/recipes-extended/cups/cups.inc   |  1 +
 .../cups/cups/CVE-2020-10001.patch| 74 +++
 2 files changed, 75 insertions(+)
 create mode 100644 meta/recipes-extended/cups/cups/CVE-2020-10001.patch

diff --git a/meta/recipes-extended/cups/cups.inc 
b/meta/recipes-extended/cups/cups.inc
index e7a704134c..eaf7206480 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -15,6 +15,7 @@ SRC_URI = 
"https://github.com/apple/cups/releases/download/v${PV}/${BP}-source.t
file://0004-cups-fix-multilib-install-file-conflicts.patch \
file://volatiles.99_cups \
file://cups-volatiles.conf \
+   file://CVE-2020-10001.patch \
"
 
 UPSTREAM_CHECK_URI = "https://github.com/apple/cups/releases;
diff --git a/meta/recipes-extended/cups/cups/CVE-2020-10001.patch 
b/meta/recipes-extended/cups/cups/CVE-2020-10001.patch
new file mode 100644
index 00..09a0a5765d
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2020-10001.patch
@@ -0,0 +1,74 @@
+From efbea1742bd30f842fbbfb87a473e5c84f4162f9 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet 
+Date: Mon, 1 Feb 2021 15:02:32 -0500
+Subject: [PATCH] Fix a buffer (read) overflow in ippReadIO (CVE-2020-10001)
+
+Upstream-Status: Backport
+CVE: CVE-2020-10001
+
+Reference to upstream patch:
+[https://github.com/OpenPrinting/cups/commit/efbea1742bd30f842fbbfb87a473e5c84f4162f9]
+
+[SG: Addapted for version 2.3.3]
+Signed-off-by: Stefan Ghinea 
+---
+ CHANGES.md | 2 ++
+ cups/ipp.c | 8 +---
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/CHANGES.md b/CHANGES.md
+index df72892..5ca12da 100644
+--- a/CHANGES.md
 b/CHANGES.md
+@@ -4,6 +4,8 @@ CHANGES - 2.3.3 - 2020-04-24
+ Changes in CUPS v2.3.3
+ --
+ 
++- Security: Fixed a buffer (read) overflow in the `ippReadIO` function
++  (CVE-2020-10001)
+ - CVE-2020-3898: The `ppdOpen` function did not handle invalid UI
+   constraint.  `ppdcSource::get_resolution` function did not handle
+   invalid resolution strings.
+diff --git a/cups/ipp.c b/cups/ipp.c
+index 3d52934..adbb26f 100644
+--- a/cups/ipp.c
 b/cups/ipp.c
+@@ -2866,7 +2866,8 @@ ippReadIO(void   *src,   /* I - Data 
source */
+   unsigned char   *buffer,/* Data buffer */
+   string[IPP_MAX_TEXT],
+   /* Small string buffer */
+-  *bufptr;/* Pointer into buffer */
++  *bufptr,/* Pointer into buffer */
++  *bufend;/* End of buffer */
+   ipp_attribute_t *attr;  /* Current attribute */
+   ipp_tag_t   tag;/* Current tag */
+   ipp_tag_t   value_tag;  /* Current value tag */
+@@ -3441,6 +3442,7 @@ ippReadIO(void   *src,   /* I - Data 
source */
+   }
+ 
+ bufptr = buffer;
++bufend = buffer + n;
+ 
+  /*
+   * text-with-language and name-with-language are composite
+@@ -3454,7 +3456,7 @@ ippReadIO(void   *src,   /* I - Data 
source */
+ 
+   n = (bufptr[0] << 8) | bufptr[1];
+ 
+-  if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE) || n >= 
(int)sizeof(string))
++  if ((bufptr + 2 + n + 2) > bufend || n >= (int)sizeof(string))
+   {
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL,
+   _("IPP language length overflows value."), 1);
+@@ -3481,7 +3483,7 @@ ippReadIO(void   *src,   /* I - Data 
source */
+ bufptr += 2 + n;
+   n = (bufptr[0] << 8) | bufptr[1];
+ 
+-  if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE))
++  if ((bufptr + 2 + n) > bufend)
+   {
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL,
+   _("IPP string length overflows value."), 1);
+-- 
+2.17.1
+
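Review bot: The two-byte read at `n = (bufptr[0] << 8) | bufptr[1];` still happens before any comparison against `bufend`, so the new bound only protects the accesses that follow it; presumably an earlier minimum-length check on the value (outside this hunk) guarantees the first two bytes are present, but since this backport was re-contexted for 2.3.3 that check is worth confirming in the tree rather than assumed. The rewritten condition `(bufptr + 2 + n + 2) > bufend` folds in the two bytes of the second length field, which is why the later check can stay at `(bufptr + 2 + n) > bufend`; a one-line comment such as `/* extra +2: the following string-length field must also fit */` would make that asymmetry self-explanatory to the next reader. ippReadIO begins and ends outside the hunk.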
-- 
2.17.1





[PATCH] [OE-core] [meta-openembedded] hostapd: fix CVE-2021-0326

2021-02-23 Thread Stefan Ghinea
In p2p_copy_client_info of p2p.c, there is a possible out of bounds write
due to a missing bounds check. This could lead to remote code execution
if the target device is performing a Wi-Fi Direct search, with no
additional execution privileges needed. User interaction is not needed
for exploitation. Product: Android. Versions: Android-10 Android-11
Android-8.1 Android-9. Android ID: A-172937525

References:
https://nvd.nist.gov/vuln/detail/CVE-2021-0326

Upstream patches:
https://w1.fi/cgit/hostap/commit/?id=947272febe24a8f0ea828b5b2f35f13c3821901e

Signed-off-by: Stefan Ghinea 
---
 .../hostapd/hostapd/CVE-2021-0326.patch   | 45 +++
 .../hostapd/hostapd_2.9.bb|  1 +
 2 files changed, 46 insertions(+)
 create mode 100644 
meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-0326.patch

diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-0326.patch 
b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-0326.patch
new file mode 100644
index 0..8c90fa342
--- /dev/null
+++ b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-0326.patch
@@ -0,0 +1,45 @@
+From 947272febe24a8f0ea828b5b2f35f13c3821901e Mon Sep 17 00:00:00 2001
+From: Jouni Malinen 
+Date: Mon, 9 Nov 2020 11:43:12 +0200
+Subject: [PATCH] P2P: Fix copying of secondary device types for P2P group
+ client
+
+Parsing and copying of WPS secondary device types list was verifying
+that the contents is not too long for the internal maximum in the case
+of WPS messages, but similar validation was missing from the case of P2P
+group information which encodes this information in a different
+attribute. This could result in writing beyond the memory area assigned
+for these entries and corrupting memory within an instance of struct
+p2p_device. This could result in invalid operations and unexpected
+behavior when trying to free pointers from that corrupted memory.
+
+Upstream-Status: Backport
+CVE: CVE-2021-0326
+
+Reference to upstream patch:
+[https://w1.fi/cgit/hostap/commit/?id=947272febe24a8f0ea828b5b2f35f13c3821901e]
+
+Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27269
+Fixes: e57ae6e19edf ("P2P: Keep track of secondary device types for peers")
+Signed-off-by: Jouni Malinen 
+Signed-off-by: Stefan Ghinea 
+---
+ src/p2p/p2p.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
+index a08ba02..079270f 100644
+--- a/src/p2p/p2p.c
 b/src/p2p/p2p.c
+@@ -453,6 +453,8 @@ static void p2p_copy_client_info(struct p2p_device *dev,
+   dev->info.config_methods = cli->config_methods;
+   os_memcpy(dev->info.pri_dev_type, cli->pri_dev_type, 8);
+   dev->info.wps_sec_dev_type_list_len = 8 * cli->num_sec_dev_types;
++  if (dev->info.wps_sec_dev_type_list_len > WPS_SEC_DEV_TYPE_MAX_LEN)
++  dev->info.wps_sec_dev_type_list_len = WPS_SEC_DEV_TYPE_MAX_LEN;
+   os_memcpy(dev->info.wps_sec_dev_type_list, cli->sec_dev_types,
+ dev->info.wps_sec_dev_type_list_len);
+ }
+-- 
+2.17.1
+
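Review bot: The clamp at `if (dev->info.wps_sec_dev_type_list_len > WPS_SEC_DEV_TYPE_MAX_LEN)` silently truncates the peer's secondary device type list rather than rejecting the client entry, so an over-long record is accepted with partial data and no diagnostic; that matches the referenced upstream commit, but the reason for preferring truncation over rejection is not recorded anywhere in the patch. A short comment above the check, e.g. `/* Cap to the internal buffer; surplus entries from the peer are dropped, not treated as an error */`, would stop a later reader from "fixing" it into a rejection and changing behavior. The wpa-supplicant copy of CVE-2021-0326.patch further down this page carries the identical two lines and the same note applies there. p2p_copy_client_info starts outside the hunk.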
diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb 
b/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb
index 68dc12370..e518b0e22 100644
--- a/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb
+++ b/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb
@@ -12,6 +12,7 @@ SRC_URI = " \
 file://init \
 file://hostapd.service \
 file://CVE-2019-16275.patch \
+file://CVE-2021-0326.patch \
 "
 
 SRC_URI[md5sum] = "f188fc53a495fe7af3b6d77d3c31dee8"
-- 
2.17.1





[PATCH] [OE-core] wpa-supplicant: fix CVE-2021-0326

2021-02-23 Thread Stefan Ghinea
In p2p_copy_client_info of p2p.c, there is a possible out of bounds write
due to a missing bounds check. This could lead to remote code execution
if the target device is performing a Wi-Fi Direct search, with no
additional execution privileges needed. User interaction is not needed
for exploitation. Product: Android. Versions: Android-10 Android-11
Android-8.1 Android-9. Android ID: A-172937525

References:
https://nvd.nist.gov/vuln/detail/CVE-2021-0326

Upstream patches:
https://w1.fi/cgit/hostap/commit/?id=947272febe24a8f0ea828b5b2f35f13c3821901e

Signed-off-by: Stefan Ghinea 
---
 .../wpa-supplicant/CVE-2021-0326.patch| 45 +++
 .../wpa-supplicant/wpa-supplicant_2.9.bb  |  1 +
 2 files changed, 46 insertions(+)
 create mode 100644 
meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-0326.patch

diff --git 
a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-0326.patch 
b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-0326.patch
new file mode 100644
index 00..8c90fa3421
--- /dev/null
+++ 
b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-0326.patch
@@ -0,0 +1,45 @@
+From 947272febe24a8f0ea828b5b2f35f13c3821901e Mon Sep 17 00:00:00 2001
+From: Jouni Malinen 
+Date: Mon, 9 Nov 2020 11:43:12 +0200
+Subject: [PATCH] P2P: Fix copying of secondary device types for P2P group
+ client
+
+Parsing and copying of WPS secondary device types list was verifying
+that the contents is not too long for the internal maximum in the case
+of WPS messages, but similar validation was missing from the case of P2P
+group information which encodes this information in a different
+attribute. This could result in writing beyond the memory area assigned
+for these entries and corrupting memory within an instance of struct
+p2p_device. This could result in invalid operations and unexpected
+behavior when trying to free pointers from that corrupted memory.
+
+Upstream-Status: Backport
+CVE: CVE-2021-0326
+
+Reference to upstream patch:
+[https://w1.fi/cgit/hostap/commit/?id=947272febe24a8f0ea828b5b2f35f13c3821901e]
+
+Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27269
+Fixes: e57ae6e19edf ("P2P: Keep track of secondary device types for peers")
+Signed-off-by: Jouni Malinen 
+Signed-off-by: Stefan Ghinea 
+---
+ src/p2p/p2p.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
+index a08ba02..079270f 100644
+--- a/src/p2p/p2p.c
 b/src/p2p/p2p.c
+@@ -453,6 +453,8 @@ static void p2p_copy_client_info(struct p2p_device *dev,
+   dev->info.config_methods = cli->config_methods;
+   os_memcpy(dev->info.pri_dev_type, cli->pri_dev_type, 8);
+   dev->info.wps_sec_dev_type_list_len = 8 * cli->num_sec_dev_types;
++  if (dev->info.wps_sec_dev_type_list_len > WPS_SEC_DEV_TYPE_MAX_LEN)
++  dev->info.wps_sec_dev_type_list_len = WPS_SEC_DEV_TYPE_MAX_LEN;
+   os_memcpy(dev->info.wps_sec_dev_type_list, cli->sec_dev_types,
+ dev->info.wps_sec_dev_type_list_len);
+ }
+-- 
+2.17.1
+
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb 
b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
index 7cc03fef7d..85ac28d881 100644
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
@@ -29,6 +29,7 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz  
\

file://0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch \

file://0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch \

file://0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch \
+   file://CVE-2021-0326.patch \
   "
 SRC_URI[md5sum] = "2d2958c782576dc9901092fbfecb4190"
 SRC_URI[sha256sum] = 
"fcbdee7b4a64bea8177973299c8c824419c413ec2e3a95db63dd6a5dc3541f17"
-- 
2.17.1





[PATCH] [OE-core] [meta-openembedded] python3-django: fix CVE-2021-3281

2021-02-18 Thread Stefan Ghinea
In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the
django.utils.archive.extract method (used by startapp --template and
startproject --template) allows directory traversal via an archive with
absolute paths or relative paths with dot segments.

References:
https://nvd.nist.gov/vuln/detail/CVE-2021-3281

Upstream patches:
https://github.com/django/django/commit/21e7622dec1f8612c85c2fc37fe8efbfd3311e37
https://github.com/django/django/commit/02e6592835b4559909aa3aaaf67988fef435f624

Signed-off-by: Stefan Ghinea 
---
 .../python3-django-2.2.16/CVE-2021-3281.patch | 138 ++
 .../python3-django-3.1.1/CVE-2021-3281.patch  | 135 +
 .../python/python3-django_2.2.16.bb   |   2 +
 .../python/python3-django_3.1.1.bb|   3 +
 4 files changed, 278 insertions(+)
 create mode 100644 
meta-python/recipes-devtools/python/python3-django-2.2.16/CVE-2021-3281.patch
 create mode 100644 
meta-python/recipes-devtools/python/python3-django-3.1.1/CVE-2021-3281.patch

diff --git 
a/meta-python/recipes-devtools/python/python3-django-2.2.16/CVE-2021-3281.patch 
b/meta-python/recipes-devtools/python/python3-django-2.2.16/CVE-2021-3281.patch
new file mode 100644
index 0..36591ce6f
--- /dev/null
+++ 
b/meta-python/recipes-devtools/python/python3-django-2.2.16/CVE-2021-3281.patch
@@ -0,0 +1,138 @@
+From 21e7622dec1f8612c85c2fc37fe8efbfd3311e37 Mon Sep 17 00:00:00 2001
+From: Mariusz Felisiak 
+Date: Fri, 22 Jan 2021 12:23:18 +0100
+Subject: [PATCH] Fixed CVE-2021-3281 -- Fixed potential directory-traversal
+ via archive.extract().
+
+Thanks Florian Apolloner, Shai Berger, and Simon Charette for reviews.
+
+Thanks Wang Baohua for the report.
+
+Backport of 05413afa8c18cdb978fcdf470e09f7a12b234a23 from master.
+
+Upstream-Status: Backport
+CVE: CVE-2021-3281
+
+Reference to upstream patch:
+[https://github.com/django/django/commit/21e7622dec1f8612c85c2fc37fe8efbfd3311e37]
+
+[SG: Adapted stable/2.2.x patch for 2.2.16]
+Signed-off-by: Stefan Ghinea 
+---
+ django/utils/archive.py   | 17 ++---
+ docs/releases/2.2.16.txt  | 10 ++
+ tests/utils_tests/test_archive.py | 21 +
+ 3 files changed, 45 insertions(+), 3 deletions(-)
+
+diff --git a/django/utils/archive.py b/django/utils/archive.py
+index 5b9998f..f2f153a 100644
+--- a/django/utils/archive.py
 b/django/utils/archive.py
+@@ -27,6 +27,8 @@ import stat
+ import tarfile
+ import zipfile
+ 
++from django.core.exceptions import SuspiciousOperation
++
+ 
+ class ArchiveException(Exception):
+ """
+@@ -133,6 +135,13 @@ class BaseArchive:
+ return False
+ return True
+ 
++def target_filename(self, to_path, name):
++target_path = os.path.abspath(to_path)
++filename = os.path.abspath(os.path.join(target_path, name))
++if not filename.startswith(target_path):
++raise SuspiciousOperation("Archive contains invalid path: '%s'" % 
name)
++return filename
++
+ def extract(self):
+ raise NotImplementedError('subclasses of BaseArchive must provide an 
extract() method')
+ 
+@@ -155,7 +164,7 @@ class TarArchive(BaseArchive):
+ name = member.name
+ if leading:
+ name = self.split_leading_dir(name)[1]
+-filename = os.path.join(to_path, name)
++filename = self.target_filename(to_path, name)
+ if member.isdir():
+ if filename and not os.path.exists(filename):
+ os.makedirs(filename)
+@@ -198,11 +207,13 @@ class ZipArchive(BaseArchive):
+ info = self._archive.getinfo(name)
+ if leading:
+ name = self.split_leading_dir(name)[1]
+-filename = os.path.join(to_path, name)
++if not name:
++continue
++filename = self.target_filename(to_path, name)
+ dirname = os.path.dirname(filename)
+ if dirname and not os.path.exists(dirname):
+ os.makedirs(dirname)
+-if filename.endswith(('/', '\\')):
++if name.endswith(('/', '\\')):
+ # A directory
+ if not os.path.exists(filename):
+ os.makedirs(filename)
+diff --git a/docs/releases/2.2.16.txt b/docs/releases/2.2.16.txt
+index 31231fb..94682a1 100644
+--- a/docs/releases/2.2.16.txt
 b/docs/releases/2.2.16.txt
+@@ -4,6 +4,16 @@ Django 2.2.16 release notes
+ 
+ *September 1, 2020*
+ 
++Backported from Django 2.2.18 a fix for a security issue.
++
++CVE-2021-3281: Potential directory-traversal via ``archive.extract()``
++==
++
++The ``django.utils.archive.extract()`` function, used by
++:option:`startapp --template` and :option:`startproject --template`, allowed
++directory-traversal via an archive with absolute paths or relative paths with
++

[OE-core] [PATCH] [zeus] qemu: CVE-2020-10756

2020-08-21 Thread Stefan Ghinea
An out-of-bounds read vulnerability was found in the SLiRP networking
implementation of the QEMU emulator. This flaw occurs in the
icmp6_send_echoreply() routine while replying to an ICMP echo request,
also known as ping. This flaw allows a malicious guest to leak the
contents of the host memory, resulting in possible information disclosure.
This flaw affects versions of libslirp before 4.3.1.

References:
https://nvd.nist.gov/vuln/detail/CVE-2020-10756
https://bugzilla.redhat.com/show_bug.cgi?id=1835986

Upstream patches:
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/c7ede54cbd2e2b25385325600958ba0124e31cc0

Signed-off-by: Stefan Ghinea 
---
 meta/recipes-devtools/qemu/qemu.inc   |  1 +
 .../qemu/qemu/CVE-2020-10756.patch| 40 +++
 2 files changed, 41 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-10756.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc 
b/meta/recipes-devtools/qemu/qemu.inc
index 5cdba1f02c..6b7c05ca4e 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -39,6 +39,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
   file://CVE-2020-11869.patch \
file://CVE-2020-13765.patch \
file://CVE-2020-10702.patch \
+   file://CVE-2020-10756.patch \
   "
 UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar"
 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-10756.patch 
b/meta/recipes-devtools/qemu/qemu/CVE-2020-10756.patch
new file mode 100644
index 00..306aef061b
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-10756.patch
@@ -0,0 +1,40 @@
+From c7ede54cbd2e2b25385325600958ba0124e31cc0 Mon Sep 17 00:00:00 2001
+From: Ralf Haferkamp 
+Date: Fri, 3 Jul 2020 14:51:16 +0200
+Subject: [PATCH] Drop bogus IPv6 messages
+
+Drop IPv6 message shorter than what's mentioned in the payload
+length header (+ the size of the IPv6 header). They're invalid an could
+lead to data leakage in icmp6_send_echoreply().
+
+CVE: CVE-2020-10756
+Upstream-Status: Backport
+https://gitlab.freedesktop.org/slirp/libslirp/-/commit/c7ede54cbd2e2b25385325600958ba0124e31cc0
+
+[SG: Based on libslirp commit c7ede54cbd2e2b25385325600958ba0124e31cc0 and 
adjusted context]
+Signed-off-by: Stefan Ghinea 
+---
+ slirp/src/ip6_input.c | 7 +++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/slirp/src/ip6_input.c b/slirp/src/ip6_input.c
+index d9d2b7e9..0f2b1785 100644
+--- a/slirp/src/ip6_input.c
 b/slirp/src/ip6_input.c
+@@ -49,6 +49,13 @@ void ip6_input(struct mbuf *m)
+ goto bad;
+ }
+ 
++// Check if the message size is big enough to hold what's
++// set in the payload length header. If not this is an invalid
++// packet
++if (m->m_len < ntohs(ip6->ip_pl) + sizeof(struct ip6)) {
++goto bad;
++}
++
+ /* check ip_ttl for a correct ICMP reply */
+ if (ip6->ip_hl == 0) {
+ icmp6_send_error(m, ICMP6_TIMXCEED, ICMP6_TIMXCEED_INTRANS);
+-- 
+2.17.1
+
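Review bot: The new check compares `m->m_len` against `ntohs(ip6->ip_pl) + sizeof(struct ip6)`, whose right-hand side has type size_t; if `m_len` is a signed int, as it is in BSD-derived mbuf code, the comparison is performed unsigned and also trips -Wsign-compare. Casting the right side explicitly, `if (m->m_len < (int)(ntohs(ip6->ip_pl) + sizeof(struct ip6)))`, keeps the intent obvious and avoids the promotion (the sum cannot overflow an int, since ip_pl is 16 bits). The added `//` comment also differs from the `/* */` style used by the neighbouring `/* check ip_ttl for a correct ICMP reply */`; harmless for a backport, but worth matching if the patch is ever rebased. ip6_input begins and ends outside the hunk.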
-- 
2.17.1



[OE-core] [PATCH] pulseaudio: fix for ARM thumb + frame pointers compilation error

2020-03-26 Thread Stefan Ghinea
From: Catalin Enache 

When compiling for Thumb or Thumb2, frame pointers _must_ be disabled
since the Thumb frame pointer in r7 clashes with pulseaudio's use of inline
asm to make syscalls (where r7 is used for the syscall NR).

In most cases, frame pointers will be disabled automatically due to
the optimisation level, but appending an explicit -fomit-frame-pointer
to CFLAGS handles cases where optimisation is set to -O0 or frame
pointers have been enabled by -fno-omit-frame-pointer earlier in
CFLAGS, etc.

References:
https://www.openwall.com/lists/musl/2017/10/09/2

Signed-off-by: Catalin Enache 
Signed-off-by: Stefan Ghinea 
---
 meta/recipes-multimedia/pulseaudio/pulseaudio.inc | 8 
 1 file changed, 8 insertions(+)

diff --git a/meta/recipes-multimedia/pulseaudio/pulseaudio.inc 
b/meta/recipes-multimedia/pulseaudio/pulseaudio.inc
index 4e32b27087..c7f3e67022 100644
--- a/meta/recipes-multimedia/pulseaudio/pulseaudio.inc
+++ b/meta/recipes-multimedia/pulseaudio/pulseaudio.inc
@@ -63,6 +63,14 @@ DEPENDS += "speexdsp libxml-parser-perl-native libcap"
 
 inherit autotools bash-completion pkgconfig useradd gettext perlnative systemd 
manpages gsettings
 
+# When compiling for Thumb or Thumb2, frame pointers _must_ be disabled since 
the
+# Thumb frame pointer in r7 clashes with pulseaudio's use of inline asm to 
make syscalls
+# (where r7 is used for the syscall NR). In most cases, frame pointers will be
+# disabled automatically due to the optimisation level, but append an explicit
+# -fomit-frame-pointer to handle cases where optimisation is set to -O0 or 
frame
+# pointers have been enabled by -fno-omit-frame-pointer earlier in CFLAGS, etc.
+CFLAGS_append_arm = " ${@bb.utils.contains('TUNE_CCARGS', '-mthumb', 
'-fomit-frame-pointer', '', d)}"
+
 # *.desktop rules wont be generated during configure and build will fail
 # if using --disable-nls
 USE_NLS = "yes"
-- 
2.17.1



[OE-core] [PATCH] [zeus] aspell: CVE-2019-20433

2020-03-12 Thread Stefan Ghinea
libaspell.a in GNU Aspell before 0.60.8 has a buffer over-read for a string
ending with a single '\0' byte, if the encoding is set to ucs-2 or ucs-4
outside of the application, as demonstrated by the ASPELL_CONF environment
variable.

References:
https://nvd.nist.gov/vuln/detail/CVE-2019-20433

Upstream patches:
https://github.com/GNUAspell/aspell/commit/de29341638833ba7717bd6b5e6850998454b044b
https://github.com/GNUAspell/aspell/commit/cefd447e5528b08bb0cd6656bc52b4255692cefc

Signed-off-by: Stefan Ghinea 
---
 .../aspell/aspell/CVE-2019-20433-0001.patch   | 999 ++
 .../aspell/aspell/CVE-2019-20433-0002.patch   |  68 ++
 meta/recipes-support/aspell/aspell_0.60.7.bb  |   2 +
 3 files changed, 1069 insertions(+)
 create mode 100644 meta/recipes-support/aspell/aspell/CVE-2019-20433-0001.patch
 create mode 100644 meta/recipes-support/aspell/aspell/CVE-2019-20433-0002.patch

diff --git a/meta/recipes-support/aspell/aspell/CVE-2019-20433-0001.patch 
b/meta/recipes-support/aspell/aspell/CVE-2019-20433-0001.patch
new file mode 100644
index 00..fd68461e32
--- /dev/null
+++ b/meta/recipes-support/aspell/aspell/CVE-2019-20433-0001.patch
@@ -0,0 +1,999 @@
+From de29341638833ba7717bd6b5e6850998454b044b Mon Sep 17 00:00:00 2001
+From: Kevin Atkinson 
+Date: Sat, 17 Aug 2019 17:06:53 -0400
+Subject: [PATCH 1/2] Don't allow null-terminated UCS-2/4 strings using the
+ original API.
+
+Detect if the encoding is UCS-2/4 and the length is -1 in affected API
+functions and refuse to convert the string.  If the string ends up
+being converted somehow, abort with an error message in DecodeDirect
+and ConvDirect.  To convert a null terminated string in
+Decode/ConvDirect, a negative number corresponding to the width of the
+underlying character type for the encoding is expected; for example,
+if the encoding is "ucs-2" then a the size is expected to be -2.
+
+Also fix a 1-3 byte over-read in DecodeDirect when reading UCS-2/4
+strings when a size is provided (found by OSS-Fuzz).
+
+Also fix a bug in DecodeDirect that caused DocumentChecker to return
+the wrong offsets when working with UCS-2/4 strings.
+
+CVE: CVE-2019-20433
+Upstream-Status: Backport 
[https://github.com/GNUAspell/aspell/commit/de29341638833ba7717bd6b5e6850998454b044b]
+
+[SG: - adjusted context
+ - discarded test changes as test framework is not available
+ - discarded manual entry changes for features that aren't backported]
+Signed-off-by: Stefan Ghinea 
+---
+ auto/MkSrc/CcHelper.pm  | 99 ++---
+ auto/MkSrc/Create.pm|  5 +-
+ auto/MkSrc/Info.pm  |  5 +-
+ auto/MkSrc/ProcCc.pm| 24 +
+ auto/MkSrc/ProcImpl.pm  | 57 +++--
+ auto/MkSrc/Read.pm  |  4 +-
+ auto/mk-src.in  | 44 +++--
+ common/convert.cpp  | 39 ---
+ common/convert.hpp  | 38 +-
+ common/document_checker.cpp | 17 ++-
+ common/document_checker.hpp |  1 +
+ common/version.cpp  | 15 --
+ configure.ac|  8 +++
+ manual/aspell.texi  | 58 --
+ manual/readme.texi  | 70 +-
+ 15 files changed, 409 insertions(+), 75 deletions(-)
+
+diff --git a/auto/MkSrc/CcHelper.pm b/auto/MkSrc/CcHelper.pm
+index f2de991..0044335 100644
+--- a/auto/MkSrc/CcHelper.pm
 b/auto/MkSrc/CcHelper.pm
+@@ -10,8 +10,8 @@ BEGIN {
+   use Exporter;
+   our @ISA = qw(Exporter);
+   our @EXPORT = qw(to_c_return_type c_error_cond
+- to_type_name make_desc make_func call_func
+- make_c_method call_c_method form_c_method
++ to_type_name make_desc make_func call_func get_c_func_name
++ make_c_method make_wide_macro call_c_method form_c_method
+  make_cxx_method);
+ }
+ 
+@@ -90,6 +90,69 @@ sub make_func ( $ \@ $ ; \% ) {
+  ')'));
+ }
+ 
++=item make_wide_version NAME @TYPES PARMS ; %ACCUM
++
++Creates the wide character version of the function if needed
++
++=cut
++
++sub make_wide_version ( $ \@ $ ; \% ) {
++  my ($name, $d, $p, $accum) = @_;
++  my @d = @$d;
++  shift @d;
++  return '' unless grep {$_->{type} eq 'encoded string'} @d;
++  $accum->{sys_headers}{'stddef.h'} = true;
++  $accum->{suffix}[5] = <<'---';
++
++/*** private implemantion details */
++
++#ifdef __cplusplus
++#  define aspell_cast_(type, expr) (static_cast(expr))
++#  define aspell_cast_from_wide_(str) (static_cast(str))
++#else
++#  define aspell_cast_(type, expr) ((type)(expr))
++#  define aspell_cast_from_wide_(str) ((const char *)(str))
++#endif
++---
++  my @parms = map {$_->{type} eq 'encoded string'
++   ? ($_->{name}, $_->{name}.'_size')
++   : $_->{name}} @d;
++  $name = to_lower $name;
++  $accum->{suffix}[0] = <<'---';
++/*

[OE-core] [PATCH] ghostscript: CVE-2019-14869

2019-11-21 Thread Stefan Ghinea
A flaw was found in all versions of ghostscript 9.x before 9.28,
where the `.charkeys` procedure did not properly secure
its privileged calls, enabling scripts to bypass `-dSAFER` restrictions.
An attacker could abuse this flaw by creating a specially crafted
PostScript file that could escalate privileges within the Ghostscript
and access files outside of restricted areas or execute commands.

References:
https://nvd.nist.gov/vuln/detail/CVE-2019-14869

Upstream patches:
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=485904

Signed-off-by: Stefan Ghinea 
---
 .../ghostscript/CVE-2019-14869-0001.patch | 70 +++
 .../ghostscript/ghostscript_9.27.bb   |  2 +
 2 files changed, 72 insertions(+)
 create mode 100644 
meta/recipes-extended/ghostscript/ghostscript/CVE-2019-14869-0001.patch

diff --git 
a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-14869-0001.patch 
b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-14869-0001.patch
new file mode 100644
index 00..715ec1c450
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-14869-0001.patch
@@ -0,0 +1,70 @@
+From 485904772c5f0aa1140032746e5a0abfc40f4cef Mon Sep 17 00:00:00 2001
+From: Chris Liddell 
+Date: Tue, 5 Nov 2019 09:45:27 +
+Subject: [PATCH] Bug 701841: remove .forceput from /.charkeys
+
+When loading Type 1 or Truetype fonts from disk, we attempt to extend the glyph
+name table to include all identifiable glyph names from the Adobe Glyph List.
+
+In the case of Type 1 fonts, the font itself (almost always) marks the
+CharStrings dictionary as read-only, hence we have to use .forceput for that
+case.
+
+But for Truetype fonts, the CharStrings dictionary is created internally and is
+not read-only until *after* we have fully populated it (including the extended
+glyph names from the AGL), hence there is no need for .forceput, and no need to
+carry the security risk of using it.
+
+Replace with regular put.
+
+CVE: CVE-2019-14869
+Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
+
+Signed-off-by: Stefan Ghinea 
+---
+ Resource/Init/gs_ttf.ps | 8 
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/Resource/Init/gs_ttf.ps b/Resource/Init/gs_ttf.ps
+index e34967d..5354ff0 100644
+--- a/Resource/Init/gs_ttf.ps
 b/Resource/Init/gs_ttf.ps
+@@ -1301,7 +1301,7 @@ currentdict /.pickcmap_with_no_xlatmap .undef
+   TTFDEBUG { (\n1 setting alias: ) print dup ==only
+ ( to be the same as  ) print 2 index //== exec } if
+ 
+-  7 index 2 index 3 -1 roll exch .forceput
++  7 index 2 index 3 -1 roll exch put
+ } forall
+ pop pop pop
+   }
+@@ -1319,7 +1319,7 @@ currentdict /.pickcmap_with_no_xlatmap .undef
+   exch pop
+   TTFDEBUG { (\n2 setting alias: ) print 1 index ==only
+  ( to use glyph index: ) print dup //== exec } if
+-  5 index 3 1 roll .forceput
++  5 index 3 1 roll put
+   //false
+ }
+ {
+@@ -1336,7 +1336,7 @@ currentdict /.pickcmap_with_no_xlatmap .undef
+ {%  CharStrings(dict) isunicode(boolean) 
cmap(dict) RAGL(dict) gname(name) codep(integer) gindex(integer)
+   TTFDEBUG { (\3 nsetting alias: ) print 1 index ==only
+ ( to be index: ) print dup //== exec } if
+-  exch pop 5 index 3 1 roll .forceput
++  exch pop 5 index 3 1 roll put
+ }
+ {
+   pop pop
+@@ -1366,7 +1366,7 @@ currentdict /.pickcmap_with_no_xlatmap .undef
+   } ifelse
+ ]
+   TTFDEBUG { (Encoding: ) print dup === flush } if
+-} .bind executeonly odef  % hides .forceput
++} .bind odef
+ 
+ %  CIDFontType 2 font loading  %
+ 
+-- 
+2.20.1
+
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.27.bb 
b/meta/recipes-extended/ghostscript/ghostscript_9.27.bb
index 9e1f3e2f49..a7eab5e603 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.27.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.27.bb
@@ -28,6 +28,8 @@ SRC_URI_BASE = 
"https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
 file://CVE-2019-14811-0001.patch \
 file://CVE-2019-14817-0001.patch \
 file://CVE-2019-14817-0002.patch \
+file://CVE-2019-14869-0001.patch \
+
 "
 
 SRC_URI = "${SRC_URI_BASE} \
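Review bot: The added empty `+` line after `file://CVE-2019-14869-0001.patch \` sits inside the quoted SRC_URI_BASE assignment, between a backslash-continued line and the closing `"`; depending on how the bitbake parser joins continuation lines this is either a parse error or a stray blank embedded in the string value, and in both cases it should be dropped so that `file://CVE-2019-14869-0001.patch \` is directly followed by the `"` line, matching the other entries in the list.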
-- 
2.20.1

-- 
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core


[OE-core] [PATCH v2] ghostscript: CVE-2019-14811, CVE-2019-14817

2019-09-10 Thread Stefan Ghinea
A flaw was found in ghostscript versions prior to 9.28,
in the .pdf_hook_DSC_Creator procedure where it did not
properly secure its privileged calls, enabling scripts to
bypass `-dSAFER` restrictions. A specially crafted PostScript
file could disable security protection and then have access
to the file system, or execute arbitrary commands.

A flaw was found in ghostscript versions prior to 9.28,
in the .pdfexectoken and other procedures where it did not
properly secure its privileged calls, enabling scripts to
bypass `-dSAFER` restrictions. A specially crafted PostScript
file could disable security protection and then have access
to the file system, or execute arbitrary commands.

References:
https://nvd.nist.gov/vuln/detail/CVE-2019-14811
https://nvd.nist.gov/vuln/detail/CVE-2019-14817

Upstream patches:
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=885444fcbe10dc42787ecb76686c8ee4dd33bf33
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=cd1b1cacadac2479e291efe611979bdc1b3bdb19

Signed-off-by: Stefan Ghinea 
---
 .../ghostscript/CVE-2019-14811-0001.patch |  68 +
 .../ghostscript/CVE-2019-14817-0001.patch | 270 ++
 .../ghostscript/CVE-2019-14817-0002.patch | 236 +++
 .../ghostscript/ghostscript_9.27.bb   |   3 +
 4 files changed, 577 insertions(+)
 create mode 100644 
meta/recipes-extended/ghostscript/ghostscript/CVE-2019-14811-0001.patch
 create mode 100644 
meta/recipes-extended/ghostscript/ghostscript/CVE-2019-14817-0001.patch
 create mode 100644 
meta/recipes-extended/ghostscript/ghostscript/CVE-2019-14817-0002.patch

diff --git 
a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-14811-0001.patch 
b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-14811-0001.patch
new file mode 100644
index 00..3f28555e8a
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-14811-0001.patch
@@ -0,0 +1,68 @@
+From 885444fcbe10dc42787ecb76686c8ee4dd33bf33 Mon Sep 17 00:00:00 2001
+From: Ken Sharp 
+Date: Tue, 20 Aug 2019 10:10:28 +0100
+Subject: [PATCH] make .forceput inaccessible
+
+Bug #701343, #701344, #701345
+
+More defensive programming. We don't want people to access .forecput
+even though it is no longer sufficient to bypass SAFER. The exploit
+in #701343 didn't work anyway because of earlier work to stop the error
+handler being used, but nevertheless, prevent access to .forceput from
+.setuserparams2.
+
+CVE: CVE-2019-14811
+Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
+
+Signed-off-by: Stefan Ghinea 
+---
+ Resource/Init/gs_lev2.ps  | 6 +++---
+ Resource/Init/gs_pdfwr.ps | 4 ++--
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/Resource/Init/gs_lev2.ps b/Resource/Init/gs_lev2.ps
+index 98d55fe..f1b771f 100644
+--- a/Resource/Init/gs_lev2.ps
 b/Resource/Init/gs_lev2.ps
+@@ -158,7 +158,7 @@ end
+ {
+   pop pop
+ } ifelse
+-  } forall
++  } executeonly forall
+ % A context switch might have occurred during the above loop,
+ % causing the interpreter-level parameters to be reset.
+ % Set them again to the new values.  From here on, we are safe,
+@@ -229,9 +229,9 @@ end
+{ pop pop
+}
+   ifelse
+-}
++} executeonly
+forall pop
+-} .bind odef
++} .bind executeonly odef
+ 
+ % Initialize the passwords.
+ % NOTE: the names StartJobPassword and SystemParamsPassword are known to
+diff --git a/Resource/Init/gs_pdfwr.ps b/Resource/Init/gs_pdfwr.ps
+index 00c19fa..dfe504d 100644
+--- a/Resource/Init/gs_pdfwr.ps
 b/Resource/Init/gs_pdfwr.ps
+@@ -652,11 +652,11 @@ currentdict /.pdfmarkparams .undef
+   systemdict /.pdf_hooked_DSC_Creator //true .forceput
+ } executeonly if
+ pop
+-  } if
++  } executeonly if
+ } {
+   pop
+ } ifelse
+-  }
++  } executeonly
+   {
+ pop
+   } ifelse
+-- 
+2.20.1
+
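Review bot: The `Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]` line near the top of the added patch file names only the repository, although the cover letter already carries the exact upstream commit; recording the commit in the tag lets a later reviewer verify provenance without cross-referencing the mail, e.g. `Upstream-Status: Backport [http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=885444fcbe10dc42787ecb76686c8ee4dd33bf33]`. Separately, the inner file headers for gs_lev2.ps and gs_pdfwr.ps appear here as ` b/Resource/Init/gs_lev2.ps` with the `+++` prefix missing; this is most likely archive rendering rather than the patch as submitted, but it is worth confirming the file still applies cleanly with `git am` before merging. The upstream message itself describes this change as defensive hardening on top of earlier work, so the `CVE:` tag should stay paired with the full set of commits listed under "Upstream patches" rather than this file alone.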
diff --git 
a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-14817-0001.patch 
b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-14817-0001.patch
new file mode 100644
index 00..c76e21caa6
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-14817-0001.patch
@@ -0,0 +1,270 @@
+From 0bafbd9c1273fab0dc79fd20db0ffc4443683f96 Mon Sep 17 00:00:00 2001
+From: Ken Sharp 
+Date: Mon, 29 Apr 2019 11:14:06 +0100
+Subject: [PATCH 1/2] PDF interpreter - Decode ToUnicode entries of the form
+ /Identity-H/V
+
+Bug #701003 "Text searchability broken due to omission of /ToUnicode 
/Identity-H"
+
+The PDF references from 1.2 too 2.0 all state that the value associated
+with a ToUnicode key in a FontDescriptor must be a stream object. However
+this file (and one case seen previously, bug 687351) have FontDescriptor
+dictionaries where the value associated with a /ToUnicode key is a
+name object, in both cases /Identity-H.
+
+Although this is clearly not legal, Acrobat not only tolerates it, it
+actually uses it for s

[OE-core] [PATCH] ghostscript: CVE-2019-14811, CVE-2019-14817

2019-09-10 Thread Stefan Ghinea
Issue: LIN1018-4833, LIN1018-4832

A flaw was found in ghostscript versions prior to 9.28,
in the .pdf_hook_DSC_Creator procedure where it did not
properly secure its privileged calls, enabling scripts to
bypass `-dSAFER` restrictions. A specially crafted PostScript
file could disable security protection and then have access
to the file system, or execute arbitrary commands.

A flaw was found in ghostscript versions prior to 9.28,
in the .pdfexectoken and other procedures where it did not
properly secure its privileged calls, enabling scripts to
bypass `-dSAFER` restrictions. A specially crafted PostScript
file could disable security protection and then have access
to the file system, or execute arbitrary commands.

References:
https://nvd.nist.gov/vuln/detail/CVE-2019-14811
https://nvd.nist.gov/vuln/detail/CVE-2019-14817

Upstream patches:
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=885444fcbe10dc42787ecb76686c8ee4dd33bf33
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=cd1b1cacadac2479e291efe611979bdc1b3bdb19

Signed-off-by: Stefan Ghinea 
---
 .../ghostscript/CVE-2019-14811-0001.patch |  68 +
 .../ghostscript/CVE-2019-14817-0001.patch | 270 ++
 .../ghostscript/CVE-2019-14817-0002.patch | 236 +++
 .../ghostscript/ghostscript_9.27.bb   |   3 +
 4 files changed, 577 insertions(+)
 create mode 100644 
meta/recipes-extended/ghostscript/ghostscript/CVE-2019-14811-0001.patch
 create mode 100644 
meta/recipes-extended/ghostscript/ghostscript/CVE-2019-14817-0001.patch
 create mode 100644 
meta/recipes-extended/ghostscript/ghostscript/CVE-2019-14817-0002.patch

diff --git 
a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-14811-0001.patch 
b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-14811-0001.patch
new file mode 100644
index 00..3f28555e8a
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-14811-0001.patch
@@ -0,0 +1,68 @@
+From 885444fcbe10dc42787ecb76686c8ee4dd33bf33 Mon Sep 17 00:00:00 2001
+From: Ken Sharp 
+Date: Tue, 20 Aug 2019 10:10:28 +0100
+Subject: [PATCH] make .forceput inaccessible
+
+Bug #701343, #701344, #701345
+
+More defensive programming. We don't want people to access .forecput
+even though it is no longer sufficient to bypass SAFER. The exploit
+in #701343 didn't work anyway because of earlier work to stop the error
+handler being used, but nevertheless, prevent access to .forceput from
+.setuserparams2.
+
+CVE: CVE-2019-14811
+Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
+
+Signed-off-by: Stefan Ghinea 
+---
+ Resource/Init/gs_lev2.ps  | 6 +++---
+ Resource/Init/gs_pdfwr.ps | 4 ++--
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/Resource/Init/gs_lev2.ps b/Resource/Init/gs_lev2.ps
+index 98d55fe..f1b771f 100644
+--- a/Resource/Init/gs_lev2.ps
 b/Resource/Init/gs_lev2.ps
+@@ -158,7 +158,7 @@ end
+ {
+   pop pop
+ } ifelse
+-  } forall
++  } executeonly forall
+ % A context switch might have occurred during the above loop,
+ % causing the interpreter-level parameters to be reset.
+ % Set them again to the new values.  From here on, we are safe,
+@@ -229,9 +229,9 @@ end
+{ pop pop
+}
+   ifelse
+-}
++} executeonly
+forall pop
+-} .bind odef
++} .bind executeonly odef
+ 
+ % Initialize the passwords.
+ % NOTE: the names StartJobPassword and SystemParamsPassword are known to
+diff --git a/Resource/Init/gs_pdfwr.ps b/Resource/Init/gs_pdfwr.ps
+index 00c19fa..dfe504d 100644
+--- a/Resource/Init/gs_pdfwr.ps
 b/Resource/Init/gs_pdfwr.ps
+@@ -652,11 +652,11 @@ currentdict /.pdfmarkparams .undef
+   systemdict /.pdf_hooked_DSC_Creator //true .forceput
+ } executeonly if
+ pop
+-  } if
++  } executeonly if
+ } {
+   pop
+ } ifelse
+-  }
++  } executeonly
+   {
+ pop
+   } ifelse
+-- 
+2.20.1
+
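Review bot: The `Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]` line in the added patch header points at the repository rather than the specific commit, even though the cover letter already gives the commit URL; the tag is more useful as `Upstream-Status: Backport [http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=885444fcbe10dc42787ecb76686c8ee4dd33bf33]`. The inner `+++ b/Resource/Init/gs_lev2.ps` and `+++ b/Resource/Init/gs_pdfwr.ps` headers are shown here without their diff markers, which is probably an artefact of the list archive, but it is worth checking that the patch as committed applies with `git am` on the 9.27 tree. Since the upstream message notes that `.forceput` access was "no longer sufficient to bypass SAFER" on its own, the `CVE:` tag here depends on the other listed upstream commits also being present.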
diff --git 
a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-14817-0001.patch 
b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-14817-0001.patch
new file mode 100644
index 00..c76e21caa6
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-14817-0001.patch
@@ -0,0 +1,270 @@
+From 0bafbd9c1273fab0dc79fd20db0ffc4443683f96 Mon Sep 17 00:00:00 2001
+From: Ken Sharp 
+Date: Mon, 29 Apr 2019 11:14:06 +0100
+Subject: [PATCH 1/2] PDF interpreter - Decode ToUnicode entries of the form
+ /Identity-H/V
+
+Bug #701003 "Text searchability broken due to omission of /ToUnicode 
/Identity-H"
+
+The PDF references from 1.2 too 2.0 all state that the value associated
+with a ToUnicode key in a FontDescriptor must be a stream object. However
+this file (and one case seen previously, bug 687351) have FontDescriptor
+dictionaries where the value associated with a /ToUnicode key is a
+name object, in both cases /Identity-H.
+
+Although this is clearly not legal, Acrobat not only