[OE-core][scarthgap][PATCH 1/1] libarchive: upgrade 3.7.2 -> 3.7.4

2024-05-29 Thread Urade, Yogita via lists.openembedded.org
From: Yogita Urade 

Changelog:

   rar: Fix OOB in rar e8 filter
   zip: Fix out of boundary access
   7zip: Limit amount of properties
   bsdtar: Fix error handling around strtol() usages
   passphrase: Improve newline handling on Windows
   passphrase: Never allow empty passwords
   rar: Fix "File CRC Error" when extracting specific rar4 archives
   xar: Avoid infinite link loop
   zip: Update AppleDouble support for directories
   zstd: Implement core detection
   PCRE2 support
   add trailing letter b to bsdtar(1) substitute pattern
   add support for long options "--group" and "--owner" to tar(1)
   Fix possible vulnerability in tar error reporting introduced in f27c173
   ISO9660: preserve the natural order of links
   rar5: fix decoding unicode filenames on Windows
   rar5: fix infinite loop if during rar5 decompression the last block produced no data
   xz filter: fix incorrect eof at the end of an lzip member
   zip: fix end-of-data marker processing when decompressing zip archives
   multiple bsdunzip(1) fixes
   filetime truncation fix on Windows

Adjusted configurehack.patch to align with upgraded version.

Signed-off-by: Yogita Urade 
---
 .../libarchive/libarchive/configurehack.patch | 19 ---
 ...ibarchive_3.7.2.bb => libarchive_3.7.4.bb} |  2 +-
 2 files changed, 13 insertions(+), 8 deletions(-)
 rename meta/recipes-extended/libarchive/{libarchive_3.7.2.bb => libarchive_3.7.4.bb} (96%)

diff --git a/meta/recipes-extended/libarchive/libarchive/configurehack.patch 
b/meta/recipes-extended/libarchive/libarchive/configurehack.patch
index f3989d99eb..44720fdd53 100644
--- a/meta/recipes-extended/libarchive/libarchive/configurehack.patch
+++ b/meta/recipes-extended/libarchive/libarchive/configurehack.patch
@@ -2,12 +2,15 @@ To work with autoconf 2.73, tweak the macro ordering in 
configure.in.
 
 Upstream-Status: Pending
 Signed-off-by: Richard Purdie 
+---
+ configure.ac | 26 +-
+ 1 file changed, 13 insertions(+), 13 deletions(-)
 
-Index: libarchive-3.6.2/configure.ac
-===
 libarchive-3.6.2.orig/configure.ac
-+++ libarchive-3.6.2/configure.ac
-@@ -357,6 +357,19 @@ if test "x$with_bz2lib" != "xno"; then
+diff --git a/configure.ac b/configure.ac
+index 5668d41..7e65e49 100644
+--- a/configure.ac
 b/configure.ac
+@@ -414,6 +414,19 @@ if test "x$with_bz2lib" != "xno"; then
esac
  fi
  
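Review bot: the refreshed configurehack.patch still carries Upstream-Status: Pending, and the old Index: libarchive-3.6.2/configure.ac header being replaced here shows it has been rebased by hand on every upgrade since 3.6.2 (the bz2lib hunk has moved from line 357 to line 414). Either submit the macro reordering upstream or change the status to Inappropriate with a reason, so the next upgrader knows whether the patch has to be carried. The switch from the quilt-style Index:/=== header to a git "diff --git" header is fine and lets devtool refresh the patch cleanly in future.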
@@ -27,9 +30,9 @@ Index: libarchive-3.6.2/configure.ac
  AC_ARG_WITH([libb2],
AS_HELP_STRING([--without-libb2], [Don't build support for BLAKE2 through 
libb2]))
  
-@@ -558,19 +571,6 @@ LDFLAGS=$save_LDFLAGS
+@@ -678,19 +691,6 @@ fi
  
- AC_SUBST(GC_SECTIONS)
+ AC_SUBST(DEAD_CODE_REMOVAL)
  
 -# Checks for typedefs, structures, and compiler characteristics.
 -AC_C_CONST
@@ -47,3 +50,5 @@ Index: libarchive-3.6.2/configure.ac
  # Check for tm_gmtoff in struct tm
  AC_CHECK_MEMBERS([struct tm.tm_gmtoff, struct tm.__tm_gmtoff],,,
  [
+--
+2.40.0
diff --git a/meta/recipes-extended/libarchive/libarchive_3.7.2.bb 
b/meta/recipes-extended/libarchive/libarchive_3.7.4.bb
similarity index 96%
rename from meta/recipes-extended/libarchive/libarchive_3.7.2.bb
rename to meta/recipes-extended/libarchive/libarchive_3.7.4.bb
index 91f521fa4d..da85764116 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.7.2.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.7.4.bb
@@ -33,7 +33,7 @@ SRC_URI = 
"http://libarchive.org/downloads/libarchive-${PV}.tar.gz;
 SRC_URI += "file://configurehack.patch"
 UPSTREAM_CHECK_URI = "http://libarchive.org/;
 
-SRC_URI[sha256sum] = 
"df404eb7222cf30b4f8f93828677890a2986b66ff8bf39dac32a804e96ddf104"
+SRC_URI[sha256sum] = 
"7875d49596286055b52439ed42f044bd8ad426aa4cc5aabd96bfe7abb971d5e8"
 
 CVE_STATUS[CVE-2023-30571] = "upstream-wontfix: upstream has documented that 
reported function is not thread-safe"
 
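Review bot: the SRC_URI[sha256sum] bump to 7875d4... pulls in the upstream change listed in the commit message as "rar: Fix OOB in rar e8 filter", which is the CVE-2024-26256 fix that is backported separately for kirkstone elsewhere in this thread; please name the CVE in the commit message so cve-check and the stable maintainers can tie the upgrade to the advisory instead of having to map changelog entries to CVE identifiers by hand.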
-- 
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#16): 
https://lists.openembedded.org/g/openembedded-core/message/16
Mute This Topic: https://lists.openembedded.org/mt/106365834/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



[OE-core][PATCH 1/1] libarchive: upgrade 3.7.3 -> 3.7.4

2024-05-17 Thread Urade, Yogita via lists.openembedded.org
From: Yogita Urade 

Changelog:
   rar: Fix OOB in rar e8 filter
   zip: Fix out of boundary access
   7zip: Limit amount of properties
   bsdtar: Fix error handling around strtol() usages
   passphrase: Improve newline handling on Windows
   passphrase: Never allow empty passwords
   rar: Fix "File CRC Error" when extracting specific rar4 archives
   xar: Avoid infinite link loop
   zip: Update AppleDouble support for directories
   zstd: Implement core detection

Signed-off-by: Yogita Urade 
---
 .../libarchive/{libarchive_3.7.3.bb => libarchive_3.7.4.bb} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-extended/libarchive/{libarchive_3.7.3.bb => libarchive_3.7.4.bb} (96%)

diff --git a/meta/recipes-extended/libarchive/libarchive_3.7.3.bb 
b/meta/recipes-extended/libarchive/libarchive_3.7.4.bb
similarity index 96%
rename from meta/recipes-extended/libarchive/libarchive_3.7.3.bb
rename to meta/recipes-extended/libarchive/libarchive_3.7.4.bb
index bea91b6e97..da85764116 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.7.3.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.7.4.bb
@@ -33,7 +33,7 @@ SRC_URI = 
"http://libarchive.org/downloads/libarchive-${PV}.tar.gz;
 SRC_URI += "file://configurehack.patch"
 UPSTREAM_CHECK_URI = "http://libarchive.org/;
 
-SRC_URI[sha256sum] = 
"f27a97bc22ceb996e72502df47dc19f99f9a0f09181ae909f09f3c9eb17b67e2"
+SRC_URI[sha256sum] = 
"7875d49596286055b52439ed42f044bd8ad426aa4cc5aabd96bfe7abb971d5e8"
 
 CVE_STATUS[CVE-2023-30571] = "upstream-wontfix: upstream has documented that 
reported function is not thread-safe"
 
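Review bot: the context lines carry CVE_STATUS[CVE-2023-30571] = "upstream-wontfix: ..." across the version bump unchanged; a CVE_STATUS entry should be re-validated on every upgrade, because the justification recorded here ("reported function is not thread-safe") describes a specific upstream decision that a new release may have revisited. The new sha256sum is identical to the one used by the scarthgap 3.7.2 -> 3.7.4 upgrade in this thread, so both branches fetch the same tarball, which is what we want.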
-- 
2.40.0





[OE-core][kirkstone][PATCH 1/1] libarchive: fix CVE-2024-26256

2024-05-14 Thread Urade, Yogita via lists.openembedded.org
From: Yogita Urade 

libarchive Remote Code Execution Vulnerability

References:
https://nvd.nist.gov/vuln/detail/CVE-2024-26256
https://bugzilla.suse.com/show_bug.cgi?id=CVE-2024-26256

Signed-off-by: Yogita Urade 
---
 .../libarchive/CVE-2024-26256.patch   | 29 +++
 .../libarchive/libarchive_3.6.2.bb|  4 ++-
 2 files changed, 32 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2024-26256.patch

diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2024-26256.patch 
b/meta/recipes-extended/libarchive/libarchive/CVE-2024-26256.patch
new file mode 100644
index 00..717a31f0e1
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2024-26256.patch
@@ -0,0 +1,29 @@
+From eb7939b24a681a04648a59cdebd386b1e9dc9237 Mon Sep 17 00:00:00 2001
+From: Wei-Cheng Pan 
+Date: Tue, 14 May 2024 08:50:44 +
+Subject: [PATCH] fix: OOB in rar e8 filter (#2135) This patch fixes an
+ out-of-bound error in rar e8 filter.
+
+CVE: CVE-2024-26256
+Upstream-Status: Backport 
[https://github.com/libarchive/libarchive/commit/eb7939b24a681a04648a59cdebd386b1e9dc9237]
+
+Signed-off-by: Yogita Urade 
+---
+ libarchive/archive_read_support_format_rar.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libarchive/archive_read_support_format_rar.c 
b/libarchive/archive_read_support_format_rar.c
+index 793e8e9..b8397d0 100644
+--- a/libarchive/archive_read_support_format_rar.c
 b/libarchive/archive_read_support_format_rar.c
+@@ -3624,7 +3624,7 @@ execute_filter_e8(struct rar_filter *filter, struct 
rar_virtual_machine *vm, siz
+   uint32_t filesize = 0x100;
+   uint32_t i;
+
+-  if (length > PROGRAM_WORK_SIZE || length < 4)
++  if (length > PROGRAM_WORK_SIZE || length <= 4)
+ return 0;
+
+   for (i = 0; i <= length - 5; i++)
+--
+2.40.0
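Review bot: the one-character change from `length < 4` to `length <= 4` is the entire fix, and it is the right bound for the loop that follows, `for (i = 0; i <= length - 5; i++)`: if length is unsigned, as the surrounding uint32_t declarations suggest, length == 4 makes length - 5 wrap to a huge value and the loop reads far past the filter buffer, so length == 4 must be rejected together with the smaller values. Two cosmetic nits in the embedded header: the upstream Subject line has the first body sentence ("This patch fixes an out-of-bound error in rar e8 filter.") folded into it, and the Date: is the date of the backport rather than of the upstream commit; both come out right if the patch is regenerated with git format-patch from the upstream commit.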
diff --git a/meta/recipes-extended/libarchive/libarchive_3.6.2.bb 
b/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
index 0219ffa720..e091646e16 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
@@ -28,7 +28,9 @@ PACKAGECONFIG[zstd] = "--with-zstd,--without-zstd,zstd,"
 
 EXTRA_OECONF += "--enable-largefile --without-iconv"
 
-SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz;
+SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
+   file://CVE-2024-26256.patch \
+   "
 UPSTREAM_CHECK_URI = "http://libarchive.org/;
 
 SRC_URI[sha256sum] = 
"ba6d02f15ba04aba9c23fd5f236bb234eab9d5209e95d1c4df85c44d5f19b9b3"
-- 
2.40.0





[OE-core][kirkstone][PATCH 1/1] ruby: fix CVE-2024-27281

2024-04-16 Thread Urade, Yogita via lists.openembedded.org
From: Yogita Urade 

ruby: RCE vulnerability with .rdoc_options in RDoc

References:
https://github.com/ruby/ruby/pull/10316
https://security-tracker.debian.org/tracker/CVE-2024-27281

Signed-off-by: Yogita Urade 
---
 .../ruby/ruby/CVE-2024-27281.patch| 97 +++
 meta/recipes-devtools/ruby/ruby_3.1.3.bb  |  1 +
 2 files changed, 98 insertions(+)
 create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-27281.patch

diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2024-27281.patch 
b/meta/recipes-devtools/ruby/ruby/CVE-2024-27281.patch
new file mode 100644
index 00..6f4b35a786
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/CVE-2024-27281.patch
@@ -0,0 +1,97 @@
+From da7a0c7553ef7250ca665a3fecdc01dbaacbb43d Mon Sep 17 00:00:00 2001
+From: Nobuyoshi Nakada 
+Date: Mon, 15 Apr 2024 11:40:00 +
+Subject: [PATCH] Filter marshaled objets
+
+CVE: CVE-2024-27281
+Upstream-Status: Backport 
[https://github.com/ruby/rdoc/commit/da7a0c7553ef7250ca665a3fecdc01dbaacbb43d]
+
+Signed-off-by: Yogita Urade 
+---
+ lib/rdoc/store.rb | 45 ++---
+ 1 file changed, 26 insertions(+), 19 deletions(-)
+
+diff --git a/lib/rdoc/store.rb b/lib/rdoc/store.rb
+index 5ba671c..c793e49 100644
+--- a/lib/rdoc/store.rb
 b/lib/rdoc/store.rb
+@@ -556,9 +556,7 @@ class RDoc::Store
+   def load_cache
+ #orig_enc = @encoding
+
+-File.open cache_path, 'rb' do |io|
+-  @cache = Marshal.load io.read
+-end
++@cache = marshal_load(cache_path)
+
+ load_enc = @cache[:encoding]
+
+@@ -615,9 +613,7 @@ class RDoc::Store
+   def load_class_data klass_name
+ file = class_file klass_name
+
+-File.open file, 'rb' do |io|
+-  Marshal.load io.read
+-end
++marshal_load(file)
+   rescue Errno::ENOENT => e
+ error = MissingFileError.new(self, file, klass_name)
+ error.set_backtrace e.backtrace
+@@ -630,14 +626,10 @@ class RDoc::Store
+   def load_method klass_name, method_name
+ file = method_file klass_name, method_name
+
+-File.open file, 'rb' do |io|
+-  obj = Marshal.load io.read
+-  obj.store = self
+-  obj.parent =
+-find_class_or_module(klass_name) || load_class(klass_name) unless
+-  obj.parent
+-  obj
+-end
++obj = marshal_load(file)
++obj.store = self
++obj.parent ||= find_class_or_module(klass_name) || load_class(klass_name)
++obj
+   rescue Errno::ENOENT => e
+ error = MissingFileError.new(self, file, klass_name + method_name)
+ error.set_backtrace e.backtrace
+@@ -650,11 +642,9 @@ class RDoc::Store
+   def load_page page_name
+ file = page_file page_name
+
+-File.open file, 'rb' do |io|
+-  obj = Marshal.load io.read
+-  obj.store = self
+-  obj
+-end
++obj = marshal_load(file)
++obj.store = self
++obj
+   rescue Errno::ENOENT => e
+ error = MissingFileError.new(self, file, page_name)
+ error.set_backtrace e.backtrace
+@@ -976,4 +966,21 @@ class RDoc::Store
+ @unique_modules
+   end
+
++  private
++  def marshal_load(file)
++File.open(file, 'rb') {|io| Marshal.load(io, MarshalFilter)}
++  end
++
++  MarshalFilter = proc do |obj|
++case obj
++when true, false, nil, Array, Class, Encoding, Hash, Integer, String, 
Symbol, RDoc::Text
++else
++  unless obj.class.name.start_with?("RDoc::")
++raise TypeError, "not permitted class: #{obj.class.name}"
++  end
++end
++obj
++  end
++  private_constant :MarshalFilter
++
+ end
+--
+2.35.5
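Review bot: the allowlist in MarshalFilter (last hunk, @@ -976,4 +966,21) accepts any object whose class name starts with "RDoc::" and also bare Class objects, so it is a namespace allowlist rather than an exact list of permitted types; that matches upstream and is enough for the stated goal of refusing foreign objects from the marshaled store. One behavioural consequence worth stating in the commit message: the filter raises TypeError, and the load_class_data, load_method and load_page callers shown here rescue only Errno::ENOENT, so a rejected object now propagates as a TypeError to the user instead of being silently loaded. That fail-closed behaviour is the intent of the fix, not a regression.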
diff --git a/meta/recipes-devtools/ruby/ruby_3.1.3.bb 
b/meta/recipes-devtools/ruby/ruby_3.1.3.bb
index 1f43d8f167..4f7c9cb10b 100644
--- a/meta/recipes-devtools/ruby/ruby_3.1.3.bb
+++ b/meta/recipes-devtools/ruby/ruby_3.1.3.bb
@@ -33,6 +33,7 @@ SRC_URI = 
"http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \
file://CVE-2023-28755.patch \
file://CVE-2023-36617_1.patch \
file://CVE-2023-36617_2.patch \
+   file://CVE-2024-27281.patch \
"
 UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/;
 
-- 
2.35.5





[OE-core][kirkstone][PATCH 1/1] qemu: fix CVE-2023-3019

2024-03-29 Thread Urade, Yogita via lists.openembedded.org
From: Yogita Urade 

A DMA reentrancy issue leading to a use-after-free error was
found in the e1000e NIC emulation code in QEMU. This issue
could allow a privileged guest user to crash the QEMU process
on the host, resulting in a denial of service.

Fix indent issue in qemu.inc file

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-3019

Signed-off-by: Yogita Urade 
---
 meta/recipes-devtools/qemu/qemu.inc   |  19 +-
 .../qemu/qemu/CVE-2023-3019-0001.patch| 135 
 .../qemu/qemu/CVE-2023-3019-0002.patch| 610 ++
 .../qemu/qemu/CVE-2023-3019-0003.patch|  88 +++
 4 files changed, 844 insertions(+), 8 deletions(-)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-3019-0001.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-3019-0002.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-3019-0003.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc 
b/meta/recipes-devtools/qemu/qemu.inc
index ad6b310137..08ce72546d 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -97,17 +97,20 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2023-3301.patch \
file://CVE-2023-3255.patch \
file://CVE-2023-2861.patch \
-  file://CVE-2020-14394.patch \
-  file://CVE-2023-3354.patch \
-  file://CVE-2023-3180.patch \
-  file://CVE-2021-3638.patch \
-  file://CVE-2023-1544.patch \
-  file://CVE-2023-5088.patch \
-  file://CVE-2024-24474.patch \
-  file://CVE-2023-6693.patch \
+   file://CVE-2020-14394.patch \
+   file://CVE-2023-3354.patch \
+   file://CVE-2023-3180.patch \
+   file://CVE-2021-3638.patch \
+   file://CVE-2023-1544.patch \
+   file://CVE-2023-5088.patch \
+   file://CVE-2024-24474.patch \
+   file://CVE-2023-6693.patch \

file://scsi-disk-allow-MODE-SELECT-block-desriptor-to-set-the-block-size.patch \

file://scsi-disk-ensure-block-size-is-non-zero-and-changes-limited-to-bits-8-15.patch
 \
file://CVE-2023-42467.patch \
+   file://CVE-2023-3019-0001.patch \
+   file://CVE-2023-3019-0002.patch \
+   file://CVE-2023-3019-0003.patch \
"
 UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar"
 
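Review bot: the eight file:// lines from CVE-2020-14394.patch to CVE-2023-6693.patch are re-indented without any other change, which makes this hunk mostly whitespace noise around the three new CVE-2023-3019 patch lines. The commit message does say "Fix indent issue in qemu.inc file", but a whitespace-only cleanup is easier to review and to cherry-pick when it is a separate commit from the CVE fix; if it stays here, please keep the note in the commit message so stable reviewers know the diff is larger than the fix.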
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-3019-0001.patch 
b/meta/recipes-devtools/qemu/qemu/CVE-2023-3019-0001.patch
new file mode 100644
index 00..c1ef645eaf
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-3019-0001.patch
@@ -0,0 +1,135 @@
+From a2e1753b8054344f32cf94f31c6399a58794a380 Mon Sep 17 00:00:00 2001
+From: Alexander Bulekov 
+Date: Wed, 27 Mar 2024 09:41:44 +
+Subject: [PATCH] memory: prevent dma-reentracy issues
+
+Add a flag to the DeviceState, when a device is engaged in PIO/MMIO/DMA.
+This flag is set/checked prior to calling a device's MemoryRegion
+handlers, and set when device code initiates DMA.  The purpose of this
+flag is to prevent two types of DMA-based reentrancy issues:
+
+1.) mmio -> dma -> mmio case
+2.) bh -> dma write -> mmio case
+
+These issues have led to problems such as stack-exhaustion and
+use-after-frees.
+
+Summary of the problem from Peter Maydell:
+https://lore.kernel.org/qemu-devel/cafeaca_23vc7he3iam-jva6w38lk4hjowae5kcknhprd5fp...@mail.gmail.com
+
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/62
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/540
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/541
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/556
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/557
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/827
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1282
+Resolves: CVE-2023-0330
+
+Signed-off-by: Alexander Bulekov 
+Reviewed-by: Thomas Huth 
+Message-Id: <20230427211013.2994127-2-alx...@bu.edu>
+[thuth: Replace warn_report() with warn_report_once()]
+Signed-off-by: Thomas Huth 
+
+CVE: CVE-2023-3019
+Upstream-Status: Backport 
[https://github.com/qemu/qemu/commit/a2e1753b8054344f32cf94f31c6399a58794a380]
+
+Signed-off-by: Yogita Urade 
+---
+ include/exec/memory.h  |  5 +
+ include/hw/qdev-core.h |  7 +++
+ softmmu/memory.c   | 16 
+ 3 files changed, 28 insertions(+)
+
+diff --git a/include/exec/memory.h b/include/exec/memory.h
+index 20f1b2737..e089f90f9 100644
+--- a/include/exec/memory.h
 b/include/exec/memory.h
+@@ -734,6 +734,8 @@ struct MemoryRegion {
+ bool is_iommu;
+ RAMBlock *ram_block;
+ Object *owner;
++/* owner as TYPE_DEVICE. Used for re-entrancy checks in MR access hotpath 
*/
++DeviceState *dev;
+
+ const MemoryRegionOps *ops;
+ void *opaque;
+@@ -757,6 +759,9 @@ struct MemoryRegion {
+ unsigned ioeventfd_nb;
+ MemoryRegionIoeventfd *ioeventfds;
+ 
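Review bot: the upstream header of this patch lists "Resolves: CVE-2023-0330", but the backport's CVE: line names only CVE-2023-3019. If kirkstone's qemu does not already carry a fix or a CVE_STATUS entry for CVE-2023-0330, add a second "CVE: CVE-2023-0330" line so cve-check records it as patched by the same commit. The hunk as quoted here ends inside the include/exec/memory.h change, so the include/hw/qdev-core.h and softmmu/memory.c parts listed in the diffstat cannot be reviewed from this message.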

Re: Patchtest results for [OE-core][kirkstone][PATCH 1/1] tiff: fix CVE-2023-6228

2024-01-19 Thread Urade, Yogita via lists.openembedded.org

Hi Steve,

I will send v2.

../Yogita

On 19-01-2024 03:56, Steve Sakoman wrote:




On Thu, Jan 18, 2024 at 12:21 PM Randy MacLeod 
 wrote:


Yogita,

Please tell people if you will send a v2 or if you plan to fix the
warning in a follow-up commit.

I don't see your commit in Steve's kirkstone-nut repo so I think
he's expecting a v2.


https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut



I was expecting a response as to which approach would be taken.  When 
there was no response I removed the patch under the theory that it is 
better not to merge a half right CVE fix.


Steve


 Forwarded Message 
Subject:Patchtest results for [OE-core][kirkstone][PATCH 1/1]
tiff: fix CVE-2023-6228
Date:   Thu, 18 Jan 2024 11:03:04 +
From:   Patchtest via lists.openembedded.org




Reply-To:   patcht...@automation.yoctoproject.org
To: yurade 

CC: openembedded-core@lists.openembedded.org



Thank you for your submission. Patchtest identified one
or more issues with the patch. Please see the log below for
more information:

---
Testing patch
/home/patchtest/share/mboxes/kirkstone-1-1-tiff-fix-CVE-2023-6228.patch

FAIL: test CVE check ignore: CVE_CHECK_IGNORE is deprecated and
should be replaced by CVE_STATUS
(test_metadata.TestMetadata.test_cve_check_ignore)

PASS: pretest src uri left files
(test_metadata.TestMetadata.pretest_src_uri_left_files)
PASS: test CVE tag format (test_patch.TestPatch.test_cve_tag_format)
PASS: test Signed-off-by presence
(test_mbox.TestMbox.test_signed_off_by_presence)
PASS: test Signed-off-by presence
(test_patch.TestPatch.test_signed_off_by_presence)
PASS: test Upstream-Status presence
(test_patch.TestPatch.test_upstream_status_presence_format)
PASS: test author valid (test_mbox.TestMbox.test_author_valid)
PASS: test commit message presence
(test_mbox.TestMbox.test_commit_message_presence)
PASS: test lic files chksum modified not mentioned
(test_metadata.TestMetadata.test_lic_files_chksum_modified_not_mentioned)
PASS: test max line length
(test_metadata.TestMetadata.test_max_line_length)
PASS: test mbox format (test_mbox.TestMbox.test_mbox_format)
PASS: test non-AUH upgrade (test_mbox.TestMbox.test_non_auh_upgrade)
PASS: test shortlog format (test_mbox.TestMbox.test_shortlog_format)
PASS: test shortlog length (test_mbox.TestMbox.test_shortlog_length)
PASS: test src uri left files
(test_metadata.TestMetadata.test_src_uri_left_files)

SKIP: pretest pylint: No python related patches, skipping test
(test_python_pylint.PyLint.pretest_pylint)
SKIP: test bugzilla entry format: No bug ID found
(test_mbox.TestMbox.test_bugzilla_entry_format)
SKIP: test lic files chksum presence: No added recipes, skipping
test (test_metadata.TestMetadata.test_lic_files_chksum_presence)
SKIP: test license presence: No added recipes, skipping test
(test_metadata.TestMetadata.test_license_presence)
SKIP: test pylint: No python related patches, skipping test
(test_python_pylint.PyLint.test_pylint)
SKIP: test series merge on head: Merge test is disabled for now
(test_mbox.TestMbox.test_series_merge_on_head)
SKIP: test summary presence: No added recipes, skipping test
(test_metadata.TestMetadata.test_summary_presence)
SKIP: test target mailing list: Series merged, no reason to check
other mailing lists (test_mbox.TestMbox.test_target_mailing_list)

---

Please address the issues identified and
submit a new revision of the patch, or alternatively, reply to this
email with an explanation of why the patch should be accepted. If you
believe these results are due to an error in patchtest, please
submit a
bug at https://bugzilla.yoctoproject.org/


(use the 'Patchtest' category
under 'Yocto Project Subprojects'). For more information on specific
failures, see: https://wiki.yoctoproject.org/wiki/Patchtest


[OE-core][kirkstone][PATCH 1/1] tiff: fix CVE-2023-6228

2024-01-18 Thread Urade, Yogita via lists.openembedded.org
From: Yogita Urade 

CVE-2023-6228:
An issue was found in the tiffcp utility distributed by the
libtiff package where a crafted TIFF file on processing may
cause a heap-based buffer overflow leads to an application
crash.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-6228
https://gitlab.com/libtiff/libtiff/-/issues/606

Signed-off-by: Yogita Urade 
---
 .../libtiff/tiff/CVE-2023-6228.patch  | 31 +++
 meta/recipes-multimedia/libtiff/tiff_4.3.0.bb |  1 +
 2 files changed, 32 insertions(+)
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-6228.patch

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6228.patch 
b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6228.patch
new file mode 100644
index 00..f15cc96e19
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6228.patch
@@ -0,0 +1,31 @@
+From 1e7d217a323eac701b134afc4ae39b6bdfdbc96a Mon Sep 17 00:00:00 2001
+From: Su_Laus 
+Date: Wed, 17 Jan 2024 06:38:24 +
+Subject: [PATCH] codec of input image is available, independently from codec
+ check of output image and return with error if not.
+
+Fixes #606.
+
+CVE: CVE-2023-6228
+Upstream-Status: Backport 
[https://gitlab.com/libtiff/libtiff/-/commit/1e7d217a323eac701b134afc4ae39b6bdfdbc96a]
+
+Signed-off-by: Yogita Urade 
+---
+ tools/tiffcp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index 34b6ef2..17c6524 100644
+--- a/tools/tiffcp.c
 b/tools/tiffcp.c
+@@ -724,6 +724,8 @@ tiffcp(TIFF* in, TIFF* out)
+   else
+   CopyField(TIFFTAG_COMPRESSION, compression);
+   TIFFGetFieldDefaulted(in, TIFFTAG_COMPRESSION, _compression);
++  if (!TIFFIsCODECConfigured(input_compression))
++  return FALSE;
+   TIFFGetFieldDefaulted(in, TIFFTAG_PHOTOMETRIC, _photometric);
+   if (input_compression == COMPRESSION_JPEG) {
+   /* Force conversion to RGB */
+--
+2.40.0
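Review bot: the new `if (!TIFFIsCODECConfigured(input_compression)) return FALSE;` rejects an input image whose codec is not compiled in before tiffcp tries to decode it, which is the right place for the check, but it returns FALSE without any TIFFError() or TIFFWarning() call, so a user gets a failed copy with no diagnostic about why. That mirrors upstream commit 1e7d217a, so it is acceptable for a backport, but it is worth knowing when triaging reports of tiffcp "silently" refusing files after this lands.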
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb 
b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
index 11e3818c69..d284100ab2 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -47,6 +47,7 @@ SRC_URI = 
"http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
file://CVE-2023-1916.patch \
file://CVE-2023-40745.patch \
file://CVE-2023-41175.patch \
+   file://CVE-2023-6228.patch \
"
 
 SRC_URI[sha256sum] = 
"0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"
-- 
2.40.0





[OE-core][PATCH 1/1] tiff: fix CVE-2023-6228

2024-01-17 Thread Urade, Yogita via lists.openembedded.org
From: Yogita Urade 

CVE-2023-6228:
An issue was found in the tiffcp utility distributed by the
libtiff package where a crafted TIFF file on processing may
cause a heap-based buffer overflow leads to an application
crash.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-6228
https://gitlab.com/libtiff/libtiff/-/issues/606

Signed-off-by: Yogita Urade 
---
 .../libtiff/tiff/CVE-2023-6228.patch  | 31 +++
 meta/recipes-multimedia/libtiff/tiff_4.6.0.bb |  1 +
 2 files changed, 32 insertions(+)
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-6228.patch

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6228.patch 
b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6228.patch
new file mode 100644
index 00..2020508fdf
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6228.patch
@@ -0,0 +1,31 @@
+From 1e7d217a323eac701b134afc4ae39b6bdfdbc96a Mon Sep 17 00:00:00 2001
+From: Su_Laus 
+Date: Wed, 17 Jan 2024 06:57:08 +
+Subject: [PATCH] codec of input image is available, independently from codec
+ check of output image and return with error if not.
+
+Fixes #606.
+
+CVE: CVE-2023-6228
+Upstream-Status: Backport 
[https://gitlab.com/libtiff/libtiff/-/commit/1e7d217a323eac701b134afc4ae39b6bdfdbc96a]
+
+Signed-off-by: Yogita Urade 
+---
+ tools/tiffcp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index aff0626..a4f7f6b 100644
+--- a/tools/tiffcp.c
 b/tools/tiffcp.c
+@@ -846,6 +846,8 @@ static int tiffcp(TIFF *in, TIFF *out)
+ if (!TIFFIsCODECConfigured(compression))
+ return FALSE;
+ TIFFGetFieldDefaulted(in, TIFFTAG_COMPRESSION, _compression);
++if (!TIFFIsCODECConfigured(input_compression))
++  return FALSE;
+ TIFFGetFieldDefaulted(in, TIFFTAG_PHOTOMETRIC, _photometric);
+ if (input_compression == COMPRESSION_JPEG)
+ {
+--
+2.40.0
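Review bot: in the 4.6.0 tree the context already contains `if (!TIFFIsCODECConfigured(compression)) return FALSE;` for the output codec immediately above, so the added lines make the input codec get the same treatment, which is exactly what the upstream subject describes. This is the same upstream commit (1e7d217a) as the kirkstone backport for tiff 4.3.0 in this thread, applied at line 846 instead of 724; both hunks add identical logic, so no divergence between the branches.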
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb 
b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb
index 4c472f8ef6..eb8a096f19 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb
@@ -12,6 +12,7 @@ SRC_URI = 
"http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \

file://CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data.patch 
\

file://CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data-2.patch
 \
file://CVE-2023-6277-Apply-1-suggestion-s-to-1-file-s.patch \
+   file://CVE-2023-6228.patch \
"
 
 SRC_URI[sha256sum] = 
"88b3979e6d5c7e32b50d7ec72fb15af724f6ab2cbf7e10880c360a77e4b5d99a"
-- 
2.40.0





[OE-core][kirkstone][PATCH 1/1] grub: fix CVE-2023-4692

2023-11-17 Thread Urade, Yogita via lists.openembedded.org
From: Yogita Urade 

An out-of-bounds write flaw was found in grub2's NTFS filesystem driver.
This issue may allow an attacker to present a specially crafted NTFS
filesystem image, leading to grub's heap metadata corruption. In some
circumstances, the attack may also corrupt the UEFI firmware heap metadata.
As a result, arbitrary code execution and secure boot protection bypass
may be achieved.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-4692
https://bugzilla.redhat.com/show_bug.cgi?id=2236613

Signed-off-by: Yogita Urade 
---
 .../grub/files/CVE-2023-4692.patch| 97 +++
 meta/recipes-bsp/grub/grub2.inc   |  1 +
 2 files changed, 98 insertions(+)
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2023-4692.patch

diff --git a/meta/recipes-bsp/grub/files/CVE-2023-4692.patch 
b/meta/recipes-bsp/grub/files/CVE-2023-4692.patch
new file mode 100644
index 00..4780e35b7a
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2023-4692.patch
@@ -0,0 +1,97 @@
+From  43651027d24e62a7a463254165e1e46e42aecdea Mon Sep 17 00:00:00 2001
+From: Maxim Suhanov 
+Date: Thu, 16 Nov 2023 07:21:50 +
+Subject: [PATCH] fs/ntfs: Fix an OOB write when parsing the $ATTRIBUTE_LIST
+ attribute for the $MFT file
+
+When parsing an extremely fragmented $MFT file, i.e., the file described
+using the $ATTRIBUTE_LIST attribute, current NTFS code will reuse a buffer
+containing bytes read from the underlying drive to store sector numbers,
+which are consumed later to read data from these sectors into another buffer.
+
+These sectors numbers, two 32-bit integers, are always stored at predefined
+offsets, 0x10 and 0x14, relative to first byte of the selected entry within
+the $ATTRIBUTE_LIST attribute. Usually, this won't cause any problem.
+
+However, when parsing a specially-crafted file system image, this may cause
+the NTFS code to write these integers beyond the buffer boundary, likely
+causing the GRUB memory allocator to misbehave or fail. These integers contain
+values which are controlled by on-disk structures of the NTFS file system.
+
+Such modification and resulting misbehavior may touch a memory range not
+assigned to the GRUB and owned by firmware or another EFI application/driver.
+
+This fix introduces checks to ensure that these sector numbers are never
+written beyond the boundary.
+
+Fixes: CVE-2023-4692
+
+Reported-by: Maxim Suhanov 
+Signed-off-by: Maxim Suhanov 
+Reviewed-by: Daniel Kiper 
+
+CVE: CVE-2023-4692
+Upstream-Status: Backport 
[https://git.savannah.gnu.org/cgit/grub.git/commit/?id=43651027d24e62a7a463254165e1e46e42aecdea]
+
+Signed-off-by: Yogita Urade 
+---
+ grub-core/fs/ntfs.c | 18 +-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
+index 2f34f76..6009e49 100644
+--- a/grub-core/fs/ntfs.c
 b/grub-core/fs/ntfs.c
+@@ -184,7 +184,7 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+ }
+   if (at->attr_end)
+ {
+-  grub_uint8_t *pa;
++  grub_uint8_t *pa, *pa_end;
+
+   at->emft_buf = grub_malloc (at->mft->data->mft_size << 
GRUB_NTFS_BLK_SHR);
+   if (at->emft_buf == NULL)
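Review bot: pa_end is declared here but only assigned inside the two branches of the next hunk; initialising it to NULL at the declaration (`grub_uint8_t *pa, *pa_end = NULL;`) makes any future path that forgets to set it fail on the first comparison instead of comparing pa against an uninitialised pointer.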
+@@ -209,11 +209,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+   }
+ at->attr_nxt = at->edat_buf;
+ at->attr_end = at->edat_buf + u32at (pa, 0x30);
++pa_end = at->edat_buf + n;
+   }
+   else
+   {
+ at->attr_nxt = at->attr_end + u16at (pa, 0x14);
+ at->attr_end = at->attr_end + u32at (pa, 4);
++pa_end = at->mft->buf + (at->mft->data->mft_size << 
GRUB_NTFS_BLK_SHR);
+   }
+   at->flags |= GRUB_NTFS_AF_ALST;
+   while (at->attr_nxt < at->attr_end)
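Review bot: the `n` in `pa_end = at->edat_buf + n;` is not defined anywhere in the visible context; confirm it is the number of bytes actually read into at->edat_buf and not the requested size, because if it overstates the buffer the later `pa_end - pa < 0x18` test gives no protection for the entry-list branch. The else branch bounds pa_end by the full MFT record size, which matches how at->emft_buf is allocated above.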
+@@ -230,6 +232,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+ at->flags |= GRUB_NTFS_AF_GPOS;
+ at->attr_cur = at->attr_nxt;
+ pa = at->attr_cur;
++
++if ((pa >= pa_end) || (pa_end - pa < 0x18))
++  {
++grub_error (GRUB_ERR_BAD_FS, "can\'t parse attribute list");
++return NULL;
++  }
++
+ grub_set_unaligned32 ((char *) pa + 0x10,
+   grub_cpu_to_le32 (at->mft->data->mft_start));
+ grub_set_unaligned32 ((char *) pa + 0x14,
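Review bot: the test `(pa >= pa_end) || (pa_end - pa < 0x18)` covers both 32-bit stores (offsets 0x10 and 0x14 need 0x18 bytes), but the identical test is repeated verbatim in the next hunk; a small static helper taking pa and pa_end would keep the two in sync when the entry layout changes. The `\'` escape inside a double-quoted string is unnecessary; a plain `'` reads better.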
+@@ -240,6 +249,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+   {
+ if (*pa != attr)
+   break;
++
++  if ((pa >= pa_end) || (pa_end - pa < 0x18))
++{
++grub_error (GRUB_ERR_BAD_FS, "can\'t parse attribute list");
++return NULL;
++  }
++
+ if (read_attr
+ (at, pa + 0x10,
+  u32at (pa, 0x10) * (at->mft->data->mft_size << 
GRUB_NTFS_BLK_SHR),
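Review bot: the new check sits after `if (*pa != attr) break;`, so the one-byte read of *pa at the top of each iteration still happens before pa is validated against pa_end; moving the check above that comparison closes the remaining out-of-bounds read when the attribute list runs up to the end of the buffer.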
+--
+2.40.0
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index c14fe315d3..aaee8a1e03 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ 

[OE-core][mickledore][PATCH 1/1] libx11: upgrade to 1.8.7

2023-10-19 Thread Urade, Yogita via lists.openembedded.org
From: Ross Burton 

This incorporates fixes for the following CVEs:

- CVE-2023-43785
- CVE-2023-43786
- CVE-2023-43787

Signed-off-by: Ross Burton 
Signed-off-by: Richard Purdie 
(cherry picked from commit a1534bb34b680bfc5cb2f35b5fd5a0c2afed6368)
Signed-off-by: Yogita Urade 
---
 .../xorg-lib/{libx11_1.8.6.bb => libx11_1.8.7.bb}   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-graphics/xorg-lib/{libx11_1.8.6.bb => libx11_1.8.7.bb} 
(92%)

diff --git a/meta/recipes-graphics/xorg-lib/libx11_1.8.6.bb 
b/meta/recipes-graphics/xorg-lib/libx11_1.8.7.bb
similarity index 92%
rename from meta/recipes-graphics/xorg-lib/libx11_1.8.6.bb
rename to meta/recipes-graphics/xorg-lib/libx11_1.8.7.bb
index 1cfa56b21e..5f14e62446 100644
--- a/meta/recipes-graphics/xorg-lib/libx11_1.8.6.bb
+++ b/meta/recipes-graphics/xorg-lib/libx11_1.8.7.bb
@@ -24,7 +24,7 @@ XORG_PN = "libX11"
 
 SRC_URI += "file://disable_tests.patch"
 
-SRC_URI[sha256sum] = 
"59535b7cc6989ba806a022f7e8533b28c4397b9d86e9d07b6df0c0703fa25cc9"
+SRC_URI[sha256sum] = 
"05f267468e3c851ae2b5c830bcf74251a90f63f04dd7c709ca94dc155b7e99ee"
 
 inherit gettext
 
-- 
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#189495): 
https://lists.openembedded.org/g/openembedded-core/message/189495
Mute This Topic: https://lists.openembedded.org/mt/102075524/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



[OE-core][mickledore][PATCH 1/1] libxpm: upgrade to 3.5.17

2023-10-19 Thread Urade, Yogita via lists.openembedded.org
From: Ross Burton 

This release fixes the following CVEs:

- CVE-2023-43788
- CVE-2023-43789

Signed-off-by: Ross Burton 
Signed-off-by: Richard Purdie 
(cherry picked from commit 46dd8ce41756dbc2aa0f9001416f208cced1c8d5)
Signed-off-by: Yogita Urade 
---
 .../xorg-lib/{libxpm_3.5.16.bb => libxpm_3.5.17.bb} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-graphics/xorg-lib/{libxpm_3.5.16.bb => libxpm_3.5.17.bb} 
(88%)

diff --git a/meta/recipes-graphics/xorg-lib/libxpm_3.5.16.bb 
b/meta/recipes-graphics/xorg-lib/libxpm_3.5.17.bb
similarity index 88%
rename from meta/recipes-graphics/xorg-lib/libxpm_3.5.16.bb
rename to meta/recipes-graphics/xorg-lib/libxpm_3.5.17.bb
index c3d01f1bb3..8e15ecc0d4 100644
--- a/meta/recipes-graphics/xorg-lib/libxpm_3.5.16.bb
+++ b/meta/recipes-graphics/xorg-lib/libxpm_3.5.17.bb
@@ -22,6 +22,6 @@ PACKAGES =+ "sxpm cxpm"
 FILES:cxpm = "${bindir}/cxpm"
 FILES:sxpm = "${bindir}/sxpm"
 
-SRC_URI[sha256sum] = 
"e6bc5da7a69dbd9bcc67e87c93d4904fe2f5177a0711c56e71fa2f6eff649f51"
+SRC_URI[sha256sum] = 
"64b31f81019e7d388c822b0b28af8d51c4622b83f1f0cb6fa3fc95e271226e43"
 
 BBCLASSEXTEND = "native"
-- 
2.40.0



[OE-core][kirkstone][PATCH 1/1] libx11: fix CVE-2023-43787

2023-10-19 Thread Urade, Yogita via lists.openembedded.org
From: Yogita Urade 

A vulnerability was found in libX11 due to an integer overflow
within the XCreateImage() function. This flaw allows a local
user to trigger an integer overflow and execute arbitrary code
with elevated privileges.

Reference:
https://security-tracker.debian.org/tracker/CVE-2023-43787
https://www.openwall.com/lists/oss-security/2023/10/03/1

Signed-off-by: Yogita Urade 
---
 .../xorg-lib/libx11/CVE-2023-43787.patch  | 64 +++
 .../xorg-lib/libx11_1.7.3.1.bb|  1 +
 2 files changed, 65 insertions(+)
 create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787.patch

diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787.patch 
b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787.patch
new file mode 100644
index 00..48cb56831b
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787.patch
@@ -0,0 +1,64 @@
+From 7916869d16bdd115ac5be30a67c3749907aea6a0 Mon Sep 17 00:00:00 2001
+From: Yair Mizrahi 
+Date: Tue, 17 Oct 2023 08:26:32 +
+Subject: [PATCH] CVE-2023-43787: Integer overflow in XCreateImage() leading to
+  a heap overflow
+
+When the format is `Pixmap` it calculates the size of the image data as:
+ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
+There is no validation on the `width` of the image, and so this
+calculation exceeds the capacity of a 4-byte integer, causing an overflow.
+
+Signed-off-by: Alan Coopersmith 
+
+CVE: CVE-2023-43787
+
+Upstream-Status: Backport 
[https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/7916869d16bdd115ac5be30a67c3749907aea6a0]
+
+Signed-off-by: Yogita Urade 
+---
+ src/ImUtil.c | 20 +++-
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/src/ImUtil.c b/src/ImUtil.c
+index 36f08a0..fbfad33 100644
+--- a/src/ImUtil.c
 b/src/ImUtil.c
+@@ -30,6 +30,7 @@ in this Software without prior written authorization from 
The Open Group.
+ #include 
+ #include 
+ #include 
++#include 
+ #include "ImUtil.h"
+
+ static int _XDestroyImage(XImage *);
+@@ -361,13 +362,22 @@ XImage *XCreateImage (
+   /*
+* compute per line accelerator.
+*/
+-  {
+-  if (format == ZPixmap)
++  if (format == ZPixmap) {
++  if ((INT_MAX / bits_per_pixel) < width) {
++  Xfree(image);
++  return NULL;
++  }
++
+   min_bytes_per_line =
+- ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
+-  else
++  ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
++  } else {
++  if ((INT_MAX - offset) < width) {
++  Xfree(image);
++  return NULL;
++  }
++
+   min_bytes_per_line =
+-  ROUNDUP((width + offset), image->bitmap_pad);
++  ROUNDUP((width + offset), image->bitmap_pad);
+   }
+   if (image_bytes_per_line == 0) {
+   image->bytes_per_line = min_bytes_per_line;
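Review bot: `INT_MAX / bits_per_pixel` divides by a caller-derived value and nothing in this hunk guarantees it is nonzero; either confirm the earlier validation in XCreateImage rejects bits_per_pixel == 0 or add that to the new condition. The checks also bound only the raw product and sum, while ROUNDUP (if it follows the usual `(n + pad - 1) / pad * pad` form) adds `bitmap_pad - 1` first, so a value just under INT_MAX can still overflow inside the macro; a bound of `(INT_MAX - image->bitmap_pad) / bits_per_pixel` (and `INT_MAX - image->bitmap_pad - offset` for the XY case) would close that gap. Mixing the whitespace-only reindent of the ROUNDUP lines into the fix also makes the backport harder to read.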
+--
+2.35.5
diff --git a/meta/recipes-graphics/xorg-lib/libx11_1.7.3.1.bb 
b/meta/recipes-graphics/xorg-lib/libx11_1.7.3.1.bb
index 19687d546b..e77b148d76 100644
--- a/meta/recipes-graphics/xorg-lib/libx11_1.7.3.1.bb
+++ b/meta/recipes-graphics/xorg-lib/libx11_1.7.3.1.bb
@@ -18,6 +18,7 @@ SRC_URI += "file://disable_tests.patch \
 file://CVE-2022-3554.patch \
 file://CVE-2022-3555.patch \
 file://CVE-2023-3138.patch \
+file://CVE-2023-43787.patch \
"
 SRC_URI[sha256sum] = 
"2ffd417266fb875028fdc0ef349694f63dbcd76d0b0cfacfb52e6151f4b60989"
 
-- 
2.35.5



[OE-core][PATCH 1/1] qemu: fix CVE-2023-42467

2023-10-05 Thread Urade, Yogita via lists.openembedded.org
From: Yogita Urade 

QEMU through 8.0.0 could trigger a division by zero in scsi_disk_reset
in hw/scsi/scsi-disk.c because scsi_disk_emulate_mode_select does not
prevent s->qdev.blocksize from being 256. This stops QEMU and the guest
immediately.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-42467
https://gitlab.com/qemu-project/qemu/-/issues/1813

Signed-off-by: Yogita Urade 
---
 meta/recipes-devtools/qemu/qemu.inc   |  1 +
 .../qemu/qemu/CVE-2023-42467.patch| 49 +++
 2 files changed, 50 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-42467.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc 
b/meta/recipes-devtools/qemu/qemu.inc
index 9664b747b3..b331f87c0d 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -35,6 +35,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://fixmips.patch \
file://qemu-guest-agent.init \
file://qemu-guest-agent.udev \
+  file://CVE-2023-42467.patch \
"
 UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar"
 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-42467.patch 
b/meta/recipes-devtools/qemu/qemu/CVE-2023-42467.patch
new file mode 100644
index 00..86ab7cf81a
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-42467.patch
@@ -0,0 +1,49 @@
+From 7cfcc79b0ab800959716738aff9419f53fc68c9c Mon Sep 17 00:00:00 2001
+From: Thomas Huth 
+Date: Thu, 5 Oct 2023 06:01:10 +
+Subject: [PATCH] hw/scsi/scsi-disk: Disallow block sizes smaller than 512
+ [CVE-2023-42467]
+
+We are doing things like
+
+nb_sectors /= (s->qdev.blocksize / BDRV_SECTOR_SIZE);
+
+in the code here (e.g. in scsi_disk_emulate_mode_sense()), so if
+the blocksize is smaller than BDRV_SECTOR_SIZE (=512), this crashes
+with a division by 0 exception. Thus disallow block sizes of 256
+bytes to avoid this situation.
+
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1813
+CVE: 2023-42467
+Signed-off-by: Thomas Huth 
+Message-ID: <20230925091854.49198-1-th...@redhat.com>
+Signed-off-by: Paolo Bonzini 
+
+CVE: CVE-2023-42467
+
+Upstream-Status: Backport 
[https://gitlab.com/qemu-project/qemu/-/commit/7cfcc79b0ab800959716738aff9419f53fc68c9c]
+
+Signed-off-by: Yogita Urade 
+---
+ hw/scsi/scsi-disk.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
+index e0d79c796..477ee2bcd 100644
+--- a/hw/scsi/scsi-disk.c
 b/hw/scsi/scsi-disk.c
+@@ -1628,9 +1628,10 @@ static void scsi_disk_emulate_mode_select(SCSIDiskReq 
*r, uint8_t *inbuf)
+  * Since the existing code only checks/updates bits 8-15 of the block
+  * size, restrict ourselves to the same requirement for now to ensure
+  * that a block size set by a block descriptor and then read back by
+- * a subsequent SCSI command will be the same
++ * a subsequent SCSI command will be the same. Also disallow a block
++ * size of 256 since we cannot handle anything below BDRV_SECTOR_SIZE.
+  */
+-if (bs && !(bs & ~0xff00) && bs != s->qdev.blocksize) {
++if (bs && !(bs & ~0xfe00) && bs != s->qdev.blocksize) {
+ s->qdev.blocksize = bs;
+ trace_scsi_disk_mode_select_set_blocksize(s->qdev.blocksize);
+ }
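Review bot: changing the mask to `~0xfe00` rejects every block size with bit 8 set, which restricts bs to multiples of 512 (768 and 1280 are refused as well), not just 256 as the updated comment says; stating "restrict to multiples of BDRV_SECTOR_SIZE" in the comment would match what the code does. `bs &&` still rejects 0 and the mask still caps bs at 0xfe00, so the visible logic is otherwise sound.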
+--
+2.40.0
-- 
2.40.0



[OE-core][mickledore][PATCH 1/1] qemu: fix CVE-2023-42467

2023-10-04 Thread Urade, Yogita via lists.openembedded.org
From: Yogita Urade 

QEMU through 8.0.0 could trigger a division by zero in scsi_disk_reset
in hw/scsi/scsi-disk.c because scsi_disk_emulate_mode_select does not
prevent s->qdev.blocksize from being 256. This stops QEMU and the guest
immediately.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-42467
https://gitlab.com/qemu-project/qemu/-/issues/1813

Signed-off-by: Yogita Urade 
---
 meta/recipes-devtools/qemu/qemu.inc   |  1 +
 .../qemu/qemu/CVE-2023-42467.patch| 49 +++
 2 files changed, 50 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-42467.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc 
b/meta/recipes-devtools/qemu/qemu.inc
index c8e1d28654..33f5516fa3 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -41,6 +41,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
   file://CVE-2023-3255.patch \
   file://CVE-2023-2861.patch \
   file://CVE-2023-3354.patch \
+  file://CVE-2023-42467.patch \
"
 UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar"
 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-42467.patch 
b/meta/recipes-devtools/qemu/qemu/CVE-2023-42467.patch
new file mode 100644
index 00..0ca93494f0
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-42467.patch
@@ -0,0 +1,49 @@
+From 7cfcc79b0ab800959716738aff9419f53fc68c9c Mon Sep 17 00:00:00 2001
+From: Thomas Huth 
+Date: Wed, 4 Oct 2023 08:54:13 +
+Subject: [PATCH] hw/scsi/scsi-disk: Disallow block sizes smaller than 512
+ [CVE-2023-42467]
+
+We are doing things like
+
+nb_sectors /= (s->qdev.blocksize / BDRV_SECTOR_SIZE);
+
+in the code here (e.g. in scsi_disk_emulate_mode_sense()), so if
+the blocksize is smaller than BDRV_SECTOR_SIZE (=512), this crashes
+with a division by 0 exception. Thus disallow block sizes of 256
+bytes to avoid this situation.
+
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1813
+CVE: 2023-42467
+Signed-off-by: Thomas Huth 
+Message-ID: <20230925091854.49198-1-th...@redhat.com>
+Signed-off-by: Paolo Bonzini 
+
+CVE: CVE-2023-42467
+
+Upstream-Status: Backport 
[https://gitlab.com/qemu-project/qemu/-/commit/7cfcc79b0ab800959716738aff9419f53fc68c9c]
+
+Signed-off-by: Yogita Urade 
+---
+ hw/scsi/scsi-disk.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
+index e493c2881..915e0369c 100644
+--- a/hw/scsi/scsi-disk.c
 b/hw/scsi/scsi-disk.c
+@@ -1624,9 +1624,10 @@ static void scsi_disk_emulate_mode_select(SCSIDiskReq 
*r, uint8_t *inbuf)
+  * Since the existing code only checks/updates bits 8-15 of the block
+  * size, restrict ourselves to the same requirement for now to ensure
+  * that a block size set by a block descriptor and then read back by
+- * a subsequent SCSI command will be the same
++ * a subsequent SCSI command will be the same. Also disallow a block
++ * size of 256 since we cannot handle anything below BDRV_SECTOR_SIZE.
+  */
+-if (bs && !(bs & ~0xff00) && bs != s->qdev.blocksize) {
++if (bs && !(bs & ~0xfe00) && bs != s->qdev.blocksize) {
+ s->qdev.blocksize = bs;
+ trace_scsi_disk_mode_select_set_blocksize(s->qdev.blocksize);
+ }
+--
+2.40.0
-- 
2.40.0



[OE-core][kirkstone][PATCH 1/1] webkitgtk: fix CVE-2023-32439

2023-09-26 Thread Urade, Yogita via lists.openembedded.org
From: Yogita Urade 

A type confusion issue was addressed with improved checks.
This issue is fixed in iOS 16.5.1 and iPadOS 16.5.1, Safari
16.5.1, macOS Ventura 13.4.1, iOS 15.7.7 and iPadOS 15.7.7.
Processing maliciously crafted web content may lead to
arbitrary code execution. Apple is aware of a report that
this issue may have been actively exploited.

Signed-off-by: Yogita Urade 
---
 .../webkit/webkitgtk/CVE-2023-32439.patch | 127 ++
 meta/recipes-sato/webkit/webkitgtk_2.36.8.bb  |   1 +
 2 files changed, 128 insertions(+)
 create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2023-32439.patch

diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2023-32439.patch 
b/meta/recipes-sato/webkit/webkitgtk/CVE-2023-32439.patch
new file mode 100644
index 00..f8d7b613fa
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2023-32439.patch
@@ -0,0 +1,127 @@
+From ebefb9e6b7e7440ab6bb29452f4ac6350bd8b975 Mon Sep 17 00:00:00 2001
+From: Yijia Huang 
+Date: Tue, 26 Sep 2023 09:23:31 +
+Subject: [PATCH] Cherry-pick 263909@main (52fe95e5805c).
+ https://bugs.webkit.org/show_bug.cgi?id=256567
+
+EnumeratorNextUpdateIndexAndMode and HasIndexedProperty should have 
different heap location kinds
+https://bugs.webkit.org/show_bug.cgi?id=256567
+rdar://109089013
+
+Reviewed by Yusuke Suzuki.
+
+EnumeratorNextUpdateIndexAndMode and HasIndexedProperty are different DFG 
nodes. However,
+they might introduce the same heap location kind in DFGClobberize.h which 
might lead to
+hash collision. We should introduce a new locationn kind for 
EnumeratorNextUpdateIndexAndMode.
+
+* JSTests/stress/heap-location-collision-dfg-clobberize.js: Added.
+(foo):
+* Source/JavaScriptCore/dfg/DFGClobberize.h:
+(JSC::DFG::clobberize):
+* Source/JavaScriptCore/dfg/DFGHeapLocation.cpp:
+(WTF::printInternal):
+* Source/JavaScriptCore/dfg/DFGHeapLocation.h:
+
+Canonical link: https://commits.webkit.org/263909@main
+
+Canonical link: https://commits.webkit.org/260527.376@webkitglib/2.40
+
+CVE: CVE-2023-32439
+
+Upstream-Status: Backport [https://github.com/WebKit/WebKit/commit/ebefb9e]
+
+Signed-off-by: Yogita Urade 
+---
+ .../stress/heap-location-collision-dfg-clobberize.js | 12 
+ Source/JavaScriptCore/dfg/DFGClobberize.h|  7 ---
+ Source/JavaScriptCore/dfg/DFGHeapLocation.cpp|  4 
+ Source/JavaScriptCore/dfg/DFGHeapLocation.h  |  1 +
+ 4 files changed, 21 insertions(+), 3 deletions(-)
+ create mode 100644 JSTests/stress/heap-location-collision-dfg-clobberize.js
+
+diff --git a/JSTests/stress/heap-location-collision-dfg-clobberize.js 
b/JSTests/stress/heap-location-collision-dfg-clobberize.js
+new file mode 100644
+index ..ed40601e
+--- /dev/null
 b/JSTests/stress/heap-location-collision-dfg-clobberize.js
+@@ -0,0 +1,12 @@
++//@ runDefault("--watchdog=300", "--watchdog-exception-ok")
++const arr = [0];
++
++function foo() {
++for (let _ in arr) {
++0 in arr;
++while(1);
++}
++}
++
++
++foo();
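Review bot: the stress test depends on `while(1);` being cut short by the `--watchdog` flags in the header, and nothing in the file says so; a one-line comment that the loop is intentional and that the test only needs the DFG to compile `foo` with the for-in enumerator and the `0 in arr` check in the same function would stop the next reader from treating the infinite loop as a bug.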
+diff --git a/Source/JavaScriptCore/dfg/DFGClobberize.h 
b/Source/JavaScriptCore/dfg/DFGClobberize.h
+index f96e21d2..af3e864b 100644
+--- a/Source/JavaScriptCore/dfg/DFGClobberize.h
 b/Source/JavaScriptCore/dfg/DFGClobberize.h
+@@ -371,6 +371,7 @@ void clobberize(Graph& graph, Node* node, const 
ReadFunctor& read, const WriteFu
+
+ read(JSObject_butterfly);
+ ArrayMode mode = node->arrayMode();
++LocationKind locationKind = node->op() == 
EnumeratorNextUpdateIndexAndMode ? EnumeratorNextUpdateIndexAndModeLoc : 
HasIndexedPropertyLoc;
+ switch (mode.type()) {
+ case Array::ForceExit: {
+ write(SideState);
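Review bot: `locationKind` comes from a two-way ternary on `node->op()`, so any other op that is routed into this shared case in future silently gets HasIndexedPropertyLoc, which is exactly the kind of collision this change is fixing; an ASSERT that node->op() is one of EnumeratorNextUpdateIndexAndMode or HasIndexedProperty before the switch would make the assumption explicit.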
+@@ -380,7 +381,7 @@ void clobberize(Graph& graph, Node* node, const 
ReadFunctor& read, const WriteFu
+ if (mode.isInBounds()) {
+ read(Butterfly_publicLength);
+ read(IndexedInt32Properties);
+-def(HeapLocation(HasIndexedPropertyLoc, 
IndexedInt32Properties, graph.varArgChild(node, 0), graph.varArgChild(node, 
1)), LazyNode(node));
++def(HeapLocation(locationKind, IndexedInt32Properties, 
graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node));
+ return;
+ }
+ break;
+@@ -390,7 +391,7 @@ void clobberize(Graph& graph, Node* node, const 
ReadFunctor& read, const WriteFu
+ if (mode.isInBounds()) {
+ read(Butterfly_publicLength);
+ read(IndexedDoubleProperties);
+-def(HeapLocation(HasIndexedPropertyLoc, 
IndexedDoubleProperties, graph.varArgChild(node, 0), graph.varArgChild(node, 
1)), LazyNode(node));
++def(HeapLocation(locationKind, IndexedDoubleProperties, 
graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node));
+ return;
+ }
+ break;
+@@ -400,7 +401,7 

[OE-core][kirkstone][PATCH 1/1] cups: fix CVE-2023-32360

2023-09-15 Thread Urade, Yogita via lists.openembedded.org
From: Yogita Urade 

An authentication issue was addressed with improved state management.
This issue is fixed in macOS Big Sur 11.7.7, macOS Monterey 12.6.6,
macOS Ventura 13.4. An unauthenticated user may be able to access
recently printed documents.

References:
https://ubuntu.com/security/CVE-2023-32360
https://security-tracker.debian.org/tracker/CVE-2023-32360

Signed-off-by: Yogita Urade 
---
 meta/recipes-extended/cups/cups.inc   |  1 +
 .../cups/cups/CVE-2023-32360.patch| 35 +++
 2 files changed, 36 insertions(+)
 create mode 100644 meta/recipes-extended/cups/cups/CVE-2023-32360.patch

diff --git a/meta/recipes-extended/cups/cups.inc 
b/meta/recipes-extended/cups/cups.inc
index 87f220590f..4d0c52eab8 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -17,6 +17,7 @@ SRC_URI = 
"https://github.com/OpenPrinting/cups/releases/download/v${PV}/cups-${
file://cups-volatiles.conf \
file://CVE-2023-32324.patch \
file://CVE-2023-34241.patch \
+  file://CVE-2023-32360.patch \
"
 
 UPSTREAM_CHECK_URI = "https://github.com/OpenPrinting/cups/releases;
diff --git a/meta/recipes-extended/cups/cups/CVE-2023-32360.patch 
b/meta/recipes-extended/cups/cups/CVE-2023-32360.patch
new file mode 100644
index 00..f1b0f9f918
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2023-32360.patch
@@ -0,0 +1,35 @@
+From a0c8b9c9556882f00c68b9727a95a1b6d1452913 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet 
+Date: Thu, 14 Sep 2023 09:16:45 +
+Subject: [PATCH] Require authentication for CUPS-Get-Document.
+
+CVE: CVE-2023-32360
+
+Upstream-Status: Backport 
[https://github.com/OpenPrinting/cups/commit/a0c8b9c9556882f00c68b9727a95a1b6d1452913]
+
+Signed-off-by: Yogita Urade 
+---
+ conf/cupsd.conf.in | 8 +++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/conf/cupsd.conf.in b/conf/cupsd.conf.in
+index b258849..08f5070 100644
+--- a/conf/cupsd.conf.in
 b/conf/cupsd.conf.in
+@@ -68,7 +68,13 @@ IdleExitTimeout @EXIT_TIMEOUT@
+ Order deny,allow
+   
+
+-  
++  
++Require user @OWNER @SYSTEM
++Order deny,allow
++  
++
++  
++AuthType Defaul
+ Require user @OWNER @SYSTEM
+ Order deny,allow
+   
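Review bot: `AuthType Defaul` in the new block for CUPS-Get-Document reads as truncated; cupsd accepts `AuthType Default` (alongside Basic, Negotiate and None) and logs an unknown-authorization-type error for anything else, so check that the patch file in the recipe carries the full keyword. It is also worth confirming the new block names only CUPS-Get-Document and that the original operation list (the block it was split from) is otherwise unchanged, since the directive names are not visible in this rendering.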
+--
+2.35.5
-- 
2.35.5



[OE-core][PATCH 2/2] tiff: fix CVE-2023-41175

2023-09-15 Thread Urade, Yogita via lists.openembedded.org
From: Yogita Urade 

libtiff: potential integer overflow in raw2tiff.c

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2235264
https://security-tracker.debian.org/tracker/CVE-2023-41175
https://gitlab.com/libtiff/libtiff/-/issues/592

Signed-off-by: Yogita Urade 
---
 .../libtiff/files/CVE-2023-41175.patch| 63 +++
 meta/recipes-multimedia/libtiff/tiff_4.5.1.bb |  1 +
 2 files changed, 64 insertions(+)
 create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-41175.patch

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-41175.patch 
b/meta/recipes-multimedia/libtiff/files/CVE-2023-41175.patch
new file mode 100644
index 00..cca30b2196
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-41175.patch
@@ -0,0 +1,63 @@
+From 6e2dac5f904496d127c92ddc4e56eccfca25c2ee Mon Sep 17 00:00:00 2001
+From: Arie Haenel 
+Date: Thu, 14 Sep 2023 04:36:58 +
+Subject: [PATCH] raw2tiff: fix integer overflow and bypass of the check (fixes
+   #592)
+
+CVE: CVE-2023-41175
+
+Upstream-Status: Backport 
[https://gitlab.com/libtiff/libtiff/-/commit/6e2dac5f904496d127c92ddc4e56eccfca25c2ee]
+
+Signed-off-by: Yogita Urade 
+---
+ tools/raw2tiff.c | 28 
+ 1 file changed, 28 insertions(+)
+
+diff --git a/tools/raw2tiff.c b/tools/raw2tiff.c
+index 4ee59e5..a811077 100644
+--- a/tools/raw2tiff.c
 b/tools/raw2tiff.c
+@@ -101,6 +101,7 @@ int main(int argc, char *argv[])
+ int fd;
+ char *outfilename = NULL;
+ TIFF *out;
++uint32_t temp_limit_check = 0; /* temp for integer overflow checking*/
+
+ uint32_t row, col, band;
+ int c;
+@@ -221,6 +222,33 @@ int main(int argc, char *argv[])
+ if (guessSize(fd, dtype, hdr_size, nbands, swab, , ) < 0)
+ return EXIT_FAILURE;
+
++/* check for integer overflow in */
++/* hdr_size + (*width) * (*length) * nbands * depth */
++
++if ((width == 0) || (length == 0) ){
++fprintf(stderr, "Too large nbands value specified.\n");
++return (EXIT_FAILURE);
++}
++
++temp_limit_check = nbands * depth;
++
++if ( !temp_limit_check || length > ( UINT_MAX / temp_limit_check ) )  {
++fprintf(stderr, "Too large length size specified.\n");
++return (EXIT_FAILURE);
++}
++temp_limit_check = temp_limit_check * length;
++
++if ( !temp_limit_check || width > ( UINT_MAX / temp_limit_check ) )  {
++fprintf(stderr, "Too large width size specified.\n");
++return (EXIT_FAILURE);
++}
++temp_limit_check = temp_limit_check * width;
++
++if ( !temp_limit_check || hdr_size > ( UINT_MAX - temp_limit_check ) )  {
++fprintf(stderr, "Too large header size specified.\n");
++return (EXIT_FAILURE);
++}
++
+ if (outfilename == NULL)
+ outfilename = argv[optind + 1];
+ out = TIFFOpen(outfilename, "w");
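Review bot: the first guard fires on `width == 0 || length == 0` but prints "Too large nbands value specified.", which will mislead anyone debugging a rejected input; the message should name the zero dimension. `temp_limit_check = nbands * depth;` is also the only product not protected by a divide-and-compare beforehand, so a large nbands can wrap to a nonzero 32-bit value and slip past the `!temp_limit_check` test; guard it the same way as the length and width steps (`depth > UINT_MAX / nbands`, after rejecting nbands == 0). The `) ){` and `if ( !x || ... )  {` spacing differs from the surrounding formatted style.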
+--
+2.35.5
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb 
b/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb
index d002e1b233..2b5e66b8f3 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb
@@ -10,6 +10,7 @@ CVE_PRODUCT = "libtiff"
 
 SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
file://CVE-2023-40745.patch \
+   file://CVE-2023-41175.patch \
"
 
 SRC_URI[sha256sum] = 
"d7f38b6788e4a8f5da7940c5ac9424f494d8a79eba53d555f4a507167dca5e2b"
-- 
2.35.5



[OE-core][PATCH 1/2] tiff: fix CVE-2023-40745

2023-09-15 Thread Urade, Yogita via lists.openembedded.org
From: Yogita Urade 

libtiff: integer overflow in tiffcp.c

References:
https://security-tracker.debian.org/tracker/CVE-2023-40745
https://gitlab.com/libtiff/libtiff/-/issues/591
https://bugzilla.redhat.com/show_bug.cgi?id=2235265

Signed-off-by: Yogita Urade 
---
 .../libtiff/files/CVE-2023-40745.patch| 35 +++
 meta/recipes-multimedia/libtiff/tiff_4.5.1.bb |  4 ++-
 2 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-40745.patch

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-40745.patch 
b/meta/recipes-multimedia/libtiff/files/CVE-2023-40745.patch
new file mode 100644
index 00..73f1f37bab
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-40745.patch
@@ -0,0 +1,35 @@
+From 4fc16f649fa2875d5c388cf2edc295510a247ee5 Mon Sep 17 00:00:00 2001
+From: Arie Haenel 
+Date: Thu, 14 Sep 2023 04:31:35 +
+Subject: [PATCH] tiffcp: fix memory corruption (overflow) on hostile images
+ (fixes #591)
+
+CVE: CVE-2023-40745
+
+Upstream-Status: Backport 
[https://gitlab.com/libtiff/libtiff/-/commit/4fc16f649fa2875d5c388cf2edc295510a247ee5]
+
+Signed-off-by: Yogita Urade 
+---
+ tools/tiffcp.c | 7 +++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index 3b2d1dd..57fa6e8 100644
+--- a/tools/tiffcp.c
 b/tools/tiffcp.c
+@@ -1754,6 +1754,13 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
+   "Width * Samples/Pixel)");
+ return 0;
+ }
++
++if ( (imagew - tilew * spp) > INT_MAX ){
++TIFFError(TIFFFileName(in),
++  "Error, image raster scan line size is too large");
++return 0;
++}
++
+ iskew = imagew - tilew * spp;
+ tilebuf = limitMalloc(tilesize);
+ if (tilebuf == 0)
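Review bot: the check bounds only the upper side of `imagew - tilew * spp`, which is enough only because the check immediately above (the error ending in "Width * Samples/Pixel)") already keeps tilew * spp from exceeding imagew, so the difference cannot be negative; a short comment that this comparison exists to keep the value within the `int` iskew it is assigned to would make that dependency explicit. The `if ( ... ){` spacing should follow the surrounding code.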
+--
+2.35.5
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb 
b/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb
index 6171a538e5..d002e1b233 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb
@@ -8,7 +8,9 @@ LIC_FILES_CHKSUM = 
"file://LICENSE.md;md5=a3e32d664d6db1386b4689c8121531c3"
 
 CVE_PRODUCT = "libtiff"
 
-SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz;
+SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
+   file://CVE-2023-40745.patch \
+   "
 
 SRC_URI[sha256sum] = 
"d7f38b6788e4a8f5da7940c5ac9424f494d8a79eba53d555f4a507167dca5e2b"
 
-- 
2.35.5



[OE-core][mickledore][PATCH 2/2] tiff: fix CVE-2023-41175

2023-09-15 Thread Urade, Yogita via lists.openembedded.org
From: Yogita Urade 

libtiff: potential integer overflow in raw2tiff.c

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2235264
https://security-tracker.debian.org/tracker/CVE-2023-41175
https://gitlab.com/libtiff/libtiff/-/issues/592

Signed-off-by: Yogita Urade 
---
 .../libtiff/files/CVE-2023-41175.patch| 63 +++
 meta/recipes-multimedia/libtiff/tiff_4.5.1.bb |  1 +
 2 files changed, 64 insertions(+)
 create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-41175.patch

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-41175.patch 
b/meta/recipes-multimedia/libtiff/files/CVE-2023-41175.patch
new file mode 100644
index 00..a23c1463c4
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-41175.patch
@@ -0,0 +1,63 @@
+From 6e2dac5f904496d127c92ddc4e56eccfca25c2ee Mon Sep 17 00:00:00 2001
+From: Arie Haenel 
+Date: Wed, 13 Sep 2023 11:54:37 +
+Subject: [PATCH] raw2tiff: fix integer overflow and bypass of the check (fixes
+  #592)
+
+CVE: CVE-2023-41175
+
+Upstream-Status: Backport 
[https://gitlab.com/libtiff/libtiff/-/commit/6e2dac5f904496d127c92ddc4e56eccfca25c2ee]
+
+Signed-off-by: Yogita Urade 
+---
+ tools/raw2tiff.c | 28 
+ 1 file changed, 28 insertions(+)
+
+diff --git a/tools/raw2tiff.c b/tools/raw2tiff.c
+index 4ee59e5..0d6b0b6 100644
+--- a/tools/raw2tiff.c
 b/tools/raw2tiff.c
+@@ -101,6 +101,7 @@ int main(int argc, char *argv[])
+ int fd;
+ char *outfilename = NULL;
+ TIFF *out;
++uint32_t temp_limit_check = 0; /* temp for integer overflow checking*/
+
+ uint32_t row, col, band;
+ int c;
+@@ -221,6 +222,33 @@ int main(int argc, char *argv[])
+ if (guessSize(fd, dtype, hdr_size, nbands, swab, , ) < 0)
+ return EXIT_FAILURE;
+
++/* check for integer overflow in */
++/* hdr_size + (*width) * (*length) * nbands * depth */
++
++if ((width == 0) || (length == 0) ){
++fprintf(stderr, "Too large nbands value specified.\n");
++return (EXIT_FAILURE);
++}
++
++temp_limit_check = nbands * depth;
++
++if ( !temp_limit_check || length > ( UINT_MAX / temp_limit_check ) )  {
++fprintf(stderr, "Too large length size specified.\n");
++return (EXIT_FAILURE);
++}
++temp_limit_check = temp_limit_check * length;
++
++if ( !temp_limit_check || width > ( UINT_MAX / temp_limit_check ) )  {
++fprintf(stderr, "Too large width size specified.\n");
++return (EXIT_FAILURE);
++}
++temp_limit_check = temp_limit_check * width;
++
++if ( !temp_limit_check || hdr_size > ( UINT_MAX - temp_limit_check ) )  {
++fprintf(stderr, "Too large header size specified.\n");
++return (EXIT_FAILURE);
++}
++
+ if (outfilename == NULL)
+ outfilename = argv[optind + 1];
+ out = TIFFOpen(outfilename, "w");
+--
+2.35.5
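Review bot: the first new check, `if ((width == 0) || (length == 0) )`, prints "Too large nbands value specified." although it fires on a zero width or length, not on nbands; change the message to say that a zero width/length was rejected so the user can act on it. The first product, `temp_limit_check = nbands * depth;`, is also the only multiplication in the chain without a division guard in front of it: `!temp_limit_check` only catches a wrap to exactly zero, so if `nbands * depth` wrapped to a non-zero value the `length` and `width` checks below would be testing against the wrapped value. Guard it the same way as the others (`nbands > UINT_MAX / depth`) and confirm `<limits.h>` is included for `UINT_MAX`.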
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb 
b/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb
index 9279a19431..a24bb8f2c9 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb
@@ -10,6 +10,7 @@ CVE_PRODUCT = "libtiff"
 
 SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
file://CVE-2023-40745.patch \
+   file://CVE-2023-41175.patch \
   "
 
 SRC_URI[sha256sum] = 
"d7f38b6788e4a8f5da7940c5ac9424f494d8a79eba53d555f4a507167dca5e2b"
-- 
2.35.5


View/Reply Online (#187656): https://lists.openembedded.org/g/openembedded-core/message/187656
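The guard the raw2tiff backport adds computes hdr_size + width * length * nbands * depth one factor at a time and refuses any geometry for which a step would wrap. The following is an added example, not libtiff code, that implements that check as a reusable function built on a checked-multiply and checked-add helper, with the same rejection of zero factors; the function names, the uint32_t width and the sample geometries are my choices.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not libtiff code. It reproduces the shape of the guard the
 * raw2tiff backport adds: the file size a raw image implies is
 *     hdr_size + width * length * nbands * depth
 * and every intermediate product, plus the final sum, must fit in 32 bits.
 * A zero factor is rejected too, because an empty image would make a later
 * "is the file large enough" comparison pass trivially.
 */

/* Multiply two uint32_t values, refusing to wrap. Returns 1 on success. */
static int mul_u32_checked(uint32_t a, uint32_t b, uint32_t *out)
{
    if (a != 0 && b > UINT32_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

/* Add two uint32_t values, refusing to wrap. Returns 1 on success. */
static int add_u32_checked(uint32_t a, uint32_t b, uint32_t *out)
{
    if (b > UINT32_MAX - a)
        return 0;
    *out = a + b;
    return 1;
}

/*
 * Compute the implied file size. Returns 1 and stores the size in *total,
 * or 0 if any factor is zero or any step would overflow uint32_t.
 */
int raw_image_size_ok(uint32_t hdr_size, uint32_t width, uint32_t length,
                      uint32_t nbands, uint32_t depth, uint32_t *total)
{
    uint32_t acc;

    if (width == 0 || length == 0 || nbands == 0 || depth == 0)
        return 0;
    if (!mul_u32_checked(nbands, depth, &acc))
        return 0;
    if (!mul_u32_checked(acc, length, &acc))
        return 0;
    if (!mul_u32_checked(acc, width, &acc))
        return 0;
    return add_u32_checked(hdr_size, acc, total);
}

/* Convenience wrapper: the size, or 0 when the geometry is rejected
 * (0 is never a valid size here because every factor must be non-zero). */
uint32_t raw_image_size(uint32_t hdr_size, uint32_t width, uint32_t length,
                        uint32_t nbands, uint32_t depth)
{
    uint32_t total;

    return raw_image_size_ok(hdr_size, width, length, nbands, depth, &total)
               ? total : 0;
}

int main(void)
{
    /* Constructed geometries: a small valid image, then a 65536 x 65536
     * single-band image whose pixel count alone is 2^32 and wraps. */
    printf("64x64x3x1 with a 128-byte header: %u bytes\n",
           raw_image_size(128, 64, 64, 3, 1));
    printf("65536x65536x1x1: %u (0 = rejected)\n",
           raw_image_size(0, 65536, 65536, 1, 1));
    return 0;
}
```

The chained `acc` argument works because the helper reads its inputs before writing `*out`, so the same variable can be both operand and destination; the final `add_u32_checked` is the header-size test, which the backport expresses as `hdr_size > (UINT_MAX - temp_limit_check)`.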



[OE-core][mickledore][PATCH 1/2] tiff: fix CVE-2023-40745

2023-09-15 Thread Urade, Yogita via lists.openembedded.org
From: Yogita Urade 

libtiff: integer overflow in tiffcp.c

References:
https://security-tracker.debian.org/tracker/CVE-2023-40745
https://gitlab.com/libtiff/libtiff/-/issues/591
https://bugzilla.redhat.com/show_bug.cgi?id=2235265

Signed-off-by: Yogita Urade 
---
 .../libtiff/files/CVE-2023-40745.patch| 35 +++
 meta/recipes-multimedia/libtiff/tiff_4.5.1.bb |  4 ++-
 2 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-40745.patch

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-40745.patch 
b/meta/recipes-multimedia/libtiff/files/CVE-2023-40745.patch
new file mode 100644
index 00..a88a01c5a8
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-40745.patch
@@ -0,0 +1,35 @@
+From 4fc16f649fa2875d5c388cf2edc295510a247ee5 Mon Sep 17 00:00:00 2001
+From: Arie Haenel 
+Date: Wed, 13 Sep 2023 11:07:05 +
+Subject: [PATCH] tiffcp: fix memory corruption (overflow) on hostile images
+ (fixes #591)
+
+CVE: CVE-2023-40745
+
+Upstream-Status: Backport 
[https://gitlab.com/libtiff/libtiff/-/commit/4fc16f649fa2875d5c388cf2edc295510a247ee5]
+
+Signed-off-by: Yogita Urade 
+---
+ tools/tiffcp.c | 7 +++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index 3b2d1dd..80b3982 100644
+--- a/tools/tiffcp.c
 b/tools/tiffcp.c
+@@ -1754,6 +1754,13 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
+   "Width * Samples/Pixel)");
+ return 0;
+ }
++
++if ( (imagew - tilew * spp) > INT_MAX ){
++TIFFError(TIFFFileName(in),
++  "Error, image raster scan line size is too large");
++return 0;
++}
++
+ iskew = imagew - tilew * spp;
+ tilebuf = limitMalloc(tilesize);
+ if (tilebuf == 0)
+--
+2.35.5
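Review bot: `(imagew - tilew * spp) > INT_MAX` encodes that `iskew`, assigned two lines later, cannot hold a value above INT_MAX; a comment on the check would stop the bound from being relaxed later without anyone looking at the declaration. The check also depends on the preceding test (the one that prints the "Width * Samples/Pixel" error) having already rejected `tilew * spp > imagew`; if that ordering ever changes, the unsigned subtraction wraps and this branch reports "scan line size is too large" for what is really an inverted width, so consider testing `tilew * spp <= imagew` explicitly here as well.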
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb 
b/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb
index 5af3f84265..9279a19431 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb
@@ -8,7 +8,9 @@ LIC_FILES_CHKSUM = 
"file://LICENSE.md;md5=a3e32d664d6db1386b4689c8121531c3"
 
 CVE_PRODUCT = "libtiff"
 
-SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz;
+SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
+   file://CVE-2023-40745.patch \
+  "
 
 SRC_URI[sha256sum] = 
"d7f38b6788e4a8f5da7940c5ac9424f494d8a79eba53d555f4a507167dca5e2b"
 
-- 
2.35.5


View/Reply Online (#187655): https://lists.openembedded.org/g/openembedded-core/message/187655



[OE-core][mickledore][PATCH 2/2] qemu: fix CVE-2023-0330

2023-09-13 Thread Urade, Yogita via lists.openembedded.org
From: Yogita Urade 

A DMA-MMIO reentrancy problem may lead to memory corruption bugs
like stack overflow or use-after-free.

Summary of the problem from Peter Maydell:
https://lore.kernel.org/qemu-devel/cafeaca_23vc7he3iam-jva6w38lk4hjowae5kcknhprd5fp...@mail.gmail.com

Reference:
https://gitlab.com/qemu-project/qemu/-/issues/556

qemu.git$ git log --no-merges --oneline   --grep CVE-2023-0330
b987718bbb hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI controller (CVE-2023-0330)
a2e1753b80 memory: prevent dma-reentracy issues

Included the second commit as well, as the commit log of a2e1753b80 says it
resolves CVE-2023-0330.

Signed-off-by: Yogita Urade 
---
 meta/recipes-devtools/qemu/qemu.inc   |   3 +-
 ...23-0330.patch => CVE-2023-0330-0001.patch} |   0
 .../qemu/qemu/CVE-2023-0330-0002.patch| 136 ++
 3 files changed, 138 insertions(+), 1 deletion(-)
 rename meta/recipes-devtools/qemu/qemu/{CVE-2023-0330.patch => 
CVE-2023-0330-0001.patch} (100%)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-0330-0002.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc 
b/meta/recipes-devtools/qemu/qemu.inc
index 2efe63cdc0..1a50e4d524 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -36,7 +36,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://qemu-guest-agent.init \
file://qemu-guest-agent.udev \
file://ppc.patch \
-  file://CVE-2023-0330.patch \
+  file://CVE-2023-0330-0001.patch \
+  file://CVE-2023-0330-0002.patch \
   file://CVE-2023-3301.patch \
   file://CVE-2023-3255.patch \
   file://CVE-2023-2861.patch \
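Review bot: CVE-2023-0330-0001.patch (the lsi53c895a fix) is now applied before CVE-2023-0330-0002.patch (the generic reentrancy flag). The second patch is the one that adds `MemoryRegion::disable_reentrancy_guard`, the opt-out for "devices designed to perform re-entrant IO into their own IO MRs"; confirm that -0001 does not reference that field or any other symbol introduced by -0002, otherwise the order needs to be swapped (or the files renumbered to follow upstream commit order).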
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch 
b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330-0001.patch
similarity index 100%
rename from meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch
rename to meta/recipes-devtools/qemu/qemu/CVE-2023-0330-0001.patch
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330-0002.patch 
b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330-0002.patch
new file mode 100644
index 00..a21b01bd25
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330-0002.patch
@@ -0,0 +1,136 @@
+From a2e1753b8054344f32cf94f31c6399a58794a380 Mon Sep 17 00:00:00 2001
+From: Alexander Bulekov 
+Date: Tue, 12 Sep 2023 10:49:46 +
+Subject: [PATCH] memory: prevent dma-reentracy issues
+
+Add a flag to the DeviceState, when a device is engaged in PIO/MMIO/DMA.
+This flag is set/checked prior to calling a device's MemoryRegion
+handlers, and set when device code initiates DMA.  The purpose of this
+flag is to prevent two types of DMA-based reentrancy issues:
+
+1.) mmio -> dma -> mmio case
+2.) bh -> dma write -> mmio case
+
+These issues have led to problems such as stack-exhaustion and
+use-after-frees.
+
+Summary of the problem from Peter Maydell:
+https://lore.kernel.org/qemu-devel/cafeaca_23vc7he3iam-jva6w38lk4hjowae5kcknhprd5fp...@mail.gmail.com
+
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/62
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/540
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/541
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/556
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/557
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/827
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1282
+Resolves: CVE-2023-0330
+
+Signed-off-by: Alexander Bulekov 
+Reviewed-by: Thomas Huth 
+Message-Id: <20230427211013.2994127-2-alx...@bu.edu>
+[thuth: Replace warn_report() with warn_report_once()]
+Signed-off-by: Thomas Huth 
+
+CVE: CVE-2023-0330
+
+Upstream-Status: Backport 
[https://gitlab.com/qemu-project/qemu/-/commit/a2e1753b8054344f32cf94f31c6399a58794a380]
+
+Signed-off-by: Yogita Urade 
+---
+ include/exec/memory.h  |  5 +
+ include/hw/qdev-core.h |  7 +++
+ softmmu/memory.c   | 16 
+ 3 files changed, 28 insertions(+)
+
+diff --git a/include/exec/memory.h b/include/exec/memory.h
+index 91f8a2395..124628ada 100644
+--- a/include/exec/memory.h
 b/include/exec/memory.h
+@@ -741,6 +741,8 @@ struct MemoryRegion {
+ bool is_iommu;
+ RAMBlock *ram_block;
+ Object *owner;
++/* owner as TYPE_DEVICE. Used for re-entrancy checks in MR access hotpath 
*/
++DeviceState *dev;
+
+ const MemoryRegionOps *ops;
+ void *opaque;
+@@ -765,6 +767,9 @@ struct MemoryRegion {
+ unsigned ioeventfd_nb;
+ MemoryRegionIoeventfd *ioeventfds;
+ RamDiscardManager *rdm; /* Only for RAM */
++
++/* For devices designed to perform re-entrant IO into their own IO MRs */
++bool disable_reentrancy_guard;
+ };
+
+ struct IOMMUMemoryRegion {
+diff --git a/include/hw/qdev-core.h b/include/hw/qdev-core.h
+index 785dd5a56..886f6bb79 100644
+--- a/include/hw/qdev-core.h
 b/include/hw/qdev-core.h
+@@ -162,6 +162,10 @@ struct NamedClockList {
+ 
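The commit message above describes the guard as a per-device flag that is set before a device's MemoryRegion handler is called and checked again when device code initiates DMA, so that an "mmio -> dma -> mmio" loop is cut at the second entry. The following is an added example that models that mechanism in a self-contained program; it is not QEMU code, and the type and field names (`Device`, `engaged_in_io`, `guard_enabled`, the recursion cap) are my own. `guard_enabled = false` plays the role of the patch's `disable_reentrancy_guard` opt-out.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Added example modelling the reentrancy guard the backport describes; it
 * is not QEMU code and the names are mine. Scenario: a register write
 * starts a DMA whose guest-chosen target lies inside the device's own
 * register window, so completing the DMA re-enters the same MMIO handler.
 * Without a guard the recursion is bounded only by the stack; with the flag
 * set around every handler call the nested access is refused and the
 * outer handler unwinds normally.
 */

#define RECURSION_CAP 64  /* constructed cap so the unguarded run terminates */

typedef struct Device {
    bool guard_enabled;   /* false models a device that opts out of the guard */
    bool engaged_in_io;   /* set while one of this device's handlers runs */
    int depth;            /* current nesting of the MMIO handler */
    int max_depth;        /* deepest nesting observed */
    int rejected;         /* accesses refused by the guard */
} Device;

static void dispatch_mmio_write(Device *d, unsigned addr, unsigned val);

/* The device's own MMIO handler: it programs a DMA and kicks it off. */
static void mmio_write(Device *d, unsigned addr, unsigned val)
{
    d->depth++;
    if (d->depth > d->max_depth)
        d->max_depth = d->depth;
    if (d->depth < RECURSION_CAP) {
        /* The DMA target is guest-controlled and, in this constructed worst
         * case, points back at this device's register window, so the DMA
         * write is delivered through the MMIO dispatcher again. */
        dispatch_mmio_write(d, addr, val);
    }
    d->depth--;
}

/* What the memory subsystem does before invoking a device handler:
 * refuse the access if this device is already inside a handler. */
static void dispatch_mmio_write(Device *d, unsigned addr, unsigned val)
{
    if (d->guard_enabled && d->engaged_in_io) {
        d->rejected++;           /* re-entrant access: drop it */
        return;
    }
    d->engaged_in_io = true;
    mmio_write(d, addr, val);
    d->engaged_in_io = false;
}

/* Run one guest register write against a fresh device and return its
 * counters so the effect of the guard can be inspected. */
Device simulate_guest_write(bool guarded)
{
    Device d = { .guard_enabled = guarded };

    dispatch_mmio_write(&d, 0x1000, 0x1);
    return d;
}

int main(void)
{
    Device guarded = simulate_guest_write(true);
    Device unguarded = simulate_guest_write(false);

    printf("guarded:   max depth %d, rejected %d\n",
           guarded.max_depth, guarded.rejected);
    printf("unguarded: max depth %d, rejected %d (stopped only by the cap)\n",
           unguarded.max_depth, unguarded.rejected);
    return 0;
}
```

With the guard on, the handler runs exactly once and the nested DMA-triggered access is counted as rejected; with it off, nesting climbs until the artificial cap, which in a real device model is the stack exhaustion the commit message refers to. The flag is cleared on the way out of the dispatcher, so an ordinary sequence of non-nested accesses is unaffected.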

[OE-core][mickledore][PATCH 1/2] qemu: fix CVE-2023-3354

2023-09-13 Thread Urade, Yogita via lists.openembedded.org
From: Yogita Urade 

A flaw was found in the QEMU built-in VNC server. When a client connects
to the VNC server, QEMU checks whether the current number of connections
crosses a certain threshold and if so, cleans up the previous connection.
If the previous connection happens to be in the handshake phase and fails,
QEMU cleans up the connection again, resulting in a NULL pointer dereference
issue. This could allow a remote unauthenticated client to cause a denial
of service.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2023-3354

Signed-off-by: Yogita Urade 
---
 meta/recipes-devtools/qemu/qemu.inc   |  1 +
 .../qemu/qemu/CVE-2023-3354.patch | 88 +++
 2 files changed, 89 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-3354.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc 
b/meta/recipes-devtools/qemu/qemu.inc
index bc0d956e18..2efe63cdc0 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -40,6 +40,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
   file://CVE-2023-3301.patch \
   file://CVE-2023-3255.patch \
   file://CVE-2023-2861.patch \
+  file://CVE-2023-3354.patch \
"
 UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar"
 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-3354.patch 
b/meta/recipes-devtools/qemu/qemu/CVE-2023-3354.patch
new file mode 100644
index 00..b3958ecbf5
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-3354.patch
@@ -0,0 +1,88 @@
+From 10be627d2b5ec2d6b3dce045144aa739eef678b4 Mon Sep 17 00:00:00 2001
+From: Daniel P. Berrangé 
+Date: Tue, 12 Sep 2023 06:38:03 +
+Subject: [PATCH] io: remove io watch if TLS channel is closed during handshake
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The TLS handshake make take some time to complete, during which time an
+I/O watch might be registered with the main loop. If the owner of the
+I/O channel invokes qio_channel_close() while the handshake is waiting
+to continue the I/O watch must be removed. Failing to remove it will
+later trigger the completion callback which the owner is not expecting
+to receive. In the case of the VNC server, this results in a SEGV as
+vnc_disconnect_start() tries to shutdown a client connection that is
+already gone / NULL.
+
+CVE-2023-3354
+Reported-by: jiangyegen 
+Signed-off-by: Daniel P. Berrangé 
+
+CVE: CVE-2023-3354
+
+Upstream-Status: Backport 
[https://gitlab.com/qemu-project/qemu/-/commit/10be627d2b5ec2d6b3dce045144aa739eef678b4]
+
+Signed-off-by: Yogita Urade 
+---
+ include/io/channel-tls.h |  1 +
+ io/channel-tls.c | 18 --
+ 2 files changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/include/io/channel-tls.h b/include/io/channel-tls.h
+index 5672479e9..ccd510ade 100644
+--- a/include/io/channel-tls.h
 b/include/io/channel-tls.h
+@@ -48,6 +48,7 @@ struct QIOChannelTLS {
+ QIOChannel *master;
+ QCryptoTLSSession *session;
+ QIOChannelShutdown shutdown;
++guint hs_ioc_tag;
+ };
+
+ /**
+diff --git a/io/channel-tls.c b/io/channel-tls.c
+index 4ce890a53..17d73f02e 100644
+--- a/io/channel-tls.c
 b/io/channel-tls.c
+@@ -195,12 +195,13 @@ static void qio_channel_tls_handshake_task(QIOChannelTLS 
*ioc,
+ }
+
+ trace_qio_channel_tls_handshake_pending(ioc, status);
+-qio_channel_add_watch_full(ioc->master,
+-   condition,
+-   qio_channel_tls_handshake_io,
+-   data,
+-   NULL,
+-   context);
++ioc->hs_ioc_tag =
++qio_channel_add_watch_full(ioc->master,
++   condition,
++   qio_channel_tls_handshake_io,
++   data,
++   NULL,
++   context);
+ }
+ }
+
+@@ -215,6 +216,7 @@ static gboolean qio_channel_tls_handshake_io(QIOChannel 
*ioc,
+ QIOChannelTLS *tioc = QIO_CHANNEL_TLS(
+ qio_task_get_source(task));
+
++tioc->hs_ioc_tag = 0;
+ g_free(data);
+ qio_channel_tls_handshake_task(tioc, task, context);
+
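Review bot: clearing `tioc->hs_ioc_tag = 0;` before calling `qio_channel_tls_handshake_task()` is the right order, because that call can register a new watch and store a fresh tag in the same field. It is only correct, though, if this callback returns G_SOURCE_REMOVE (the return is not visible in the hunk): if it ever returned G_SOURCE_CONTINUE the watch would stay attached while the tag is already zero, and the close path would no longer remove it. A one-line comment tying the reset to the callback's return value would keep the two in step.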
+@@ -374,6 +376,10 @@ static int qio_channel_tls_close(QIOChannel *ioc,
+ {
+ QIOChannelTLS *tioc = QIO_CHANNEL_TLS(ioc);
+
++if (tioc->hs_ioc_tag) {
++g_clear_handle_id(>hs_ioc_tag, g_source_remove);
++}
++
+ return qio_channel_close(tioc->master, errp);
+ }
+
+--
+2.35.5
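Review bot: `g_clear_handle_id(&tioc->hs_ioc_tag, g_source_remove)` looks the source id up in the default GMainContext, but the watch was attached with the caller-supplied `context` (the last argument to `qio_channel_add_watch_full()` in the earlier hunk). For a non-default context g_source_remove() will not find the id, emits a critical warning and leaves the watch alive, which is exactly the dangling callback this change sets out to prevent. Either keep the GSource and call g_source_destroy() on it, or document that the handshake watch is only ever attached to the default context. `g_clear_handle_id()` also requires GLib 2.56 or newer; check the minimum GLib this branch's QEMU builds against.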
-- 
2.40.0


View/Reply Online (#187552): https://lists.openembedded.org/g/openembedded-core/message/187552

[OE-core][PATCH 1/1] dropbear: fix CVE-2023-36328

2023-09-08 Thread Urade, Yogita via lists.openembedded.org
From: Yogita Urade 

Integer Overflow vulnerability in mp_grow in libtom libtommath before
commit beba892bc0d4e4ded4d667ab1d2a94f4d75109a9, allows attackers to
execute arbitrary code and cause a denial of service (DoS).

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-36328
https://github.com/libtom/libtommath/pull/546

Signed-off-by: Yogita Urade 
---
 .../dropbear/dropbear/CVE-2023-36328.patch| 144 ++
 .../recipes-core/dropbear/dropbear_2022.83.bb |   1 +
 2 files changed, 145 insertions(+)
 create mode 100644 meta/recipes-core/dropbear/dropbear/CVE-2023-36328.patch

diff --git a/meta/recipes-core/dropbear/dropbear/CVE-2023-36328.patch 
b/meta/recipes-core/dropbear/dropbear/CVE-2023-36328.patch
new file mode 100644
index 00..ec50d69816
--- /dev/null
+++ b/meta/recipes-core/dropbear/dropbear/CVE-2023-36328.patch
@@ -0,0 +1,144 @@
+From beba892bc0d4e4ded4d667ab1d2a94f4d75109a9 Mon Sep 17 00:00:00 2001
+From: czurnieden 
+Date: Fri, 8 Sep 2023 10:07:32 +
+Subject: [PATCH] Fix possible integer overflow
+
+CVE: CVE-2023-36328
+
+Upstream-Status: Backport 
[https://github.com/libtom/libtommath/commit/beba892bc0d4e4ded4d667ab1d2a94f4d75109a9]
+
+Signed-off-by: Yogita Urade 
+---
+ libtommath/bn_mp_2expt.c| 4 
+ libtommath/bn_mp_grow.c | 4 
+ libtommath/bn_mp_init_size.c| 5 +
+ libtommath/bn_mp_mul_2d.c   | 4 
+ libtommath/bn_s_mp_mul_digs.c   | 4 
+ libtommath/bn_s_mp_mul_digs_fast.c  | 4 
+ libtommath/bn_s_mp_mul_high_digs.c  | 4 
+ libtommath/bn_s_mp_mul_high_digs_fast.c | 4 
+ 8 files changed, 33 insertions(+)
+
+diff --git a/libtommath/bn_mp_2expt.c b/libtommath/bn_mp_2expt.c
+index 0ae3df1..ca6fbc3 100644
+--- a/libtommath/bn_mp_2expt.c
 b/libtommath/bn_mp_2expt.c
+@@ -12,6 +12,10 @@ mp_err mp_2expt(mp_int *a, int b)
+ {
+mp_errerr;
+
++   if (b < 0) {
++  return MP_VAL;
++   }
++
+/* zero a as per default */
+mp_zero(a);
+
+diff --git a/libtommath/bn_mp_grow.c b/libtommath/bn_mp_grow.c
+index 9e904c5..2b16826 100644
+--- a/libtommath/bn_mp_grow.c
 b/libtommath/bn_mp_grow.c
+@@ -9,6 +9,10 @@ mp_err mp_grow(mp_int *a, int size)
+int i;
+mp_digit *tmp;
+
++   if (size < 0) {
++  return MP_VAL;
++   }
++
+/* if the alloc size is smaller alloc more ram */
+if (a->alloc < size) {
+   /* reallocate the array a->dp
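Review bot: rejecting `size < 0` in mp_grow() is a backstop rather than a fix of the arithmetic: the negative value arrives from a caller that computed it with wrapping `int` arithmetic (the bn_s_mp_mul_high_digs.c hunk further down shows such an expression, `a->used + b->used + 1`). Keep the backstop, but the callers should check their own size computations for overflow so the library does not depend on every allocation path routing through mp_grow().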
+diff --git a/libtommath/bn_mp_init_size.c b/libtommath/bn_mp_init_size.c
+index d622687..5fefa96 100644
+--- a/libtommath/bn_mp_init_size.c
 b/libtommath/bn_mp_init_size.c
+@@ -6,6 +6,11 @@
+ /* init an mp_init for a given size */
+ mp_err mp_init_size(mp_int *a, int size)
+ {
++
++   if (size < 0) {
++  return MP_VAL;
++   }
++
+size = MP_MAX(MP_MIN_PREC, size);
+
+/* alloc mem */
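Review bot: style nit at the top of mp_init_size(): the added block opens with an empty line directly after the brace, unlike the other seven files in this patch, which put the `if (size < 0)` check after the local declarations; drop the blank line for consistency. Functionally, placing the check before `size = MP_MAX(MP_MIN_PREC, size);` is right, since MP_MAX would otherwise silently turn a negative request into MP_MIN_PREC and hide the caller's overflow.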
+diff --git a/libtommath/bn_mp_mul_2d.c b/libtommath/bn_mp_mul_2d.c
+index 87354de..2744163 100644
+--- a/libtommath/bn_mp_mul_2d.c
 b/libtommath/bn_mp_mul_2d.c
+@@ -9,6 +9,10 @@ mp_err mp_mul_2d(const mp_int *a, int b, mp_int *c)
+mp_digit d;
+mp_err   err;
+
++   if (b < 0) {
++  return MP_VAL;
++   }
++
+/* copy */
+if (a != c) {
+   if ((err = mp_copy(a, c)) != MP_OKAY) {
+diff --git a/libtommath/bn_s_mp_mul_digs.c b/libtommath/bn_s_mp_mul_digs.c
+index 64509d4..2d2f5b0 100644
+--- a/libtommath/bn_s_mp_mul_digs.c
 b/libtommath/bn_s_mp_mul_digs.c
+@@ -16,6 +16,10 @@ mp_err s_mp_mul_digs(const mp_int *a, const mp_int *b, 
mp_int *c, int digs)
+mp_word r;
+mp_digit tmpx, *tmpt, *tmpy;
+
++   if (digs < 0) {
++  return MP_VAL;
++   }
++
+/* can we use the fast multiplier? */
+if ((digs < MP_WARRAY) &&
+(MP_MIN(a->used, b->used) < MP_MAXFAST)) {
+diff --git a/libtommath/bn_s_mp_mul_digs_fast.c 
b/libtommath/bn_s_mp_mul_digs_fast.c
+index b2a287b..d6dd3cc 100644
+--- a/libtommath/bn_s_mp_mul_digs_fast.c
 b/libtommath/bn_s_mp_mul_digs_fast.c
+@@ -26,6 +26,10 @@ mp_err s_mp_mul_digs_fast(const mp_int *a, const mp_int *b, 
mp_int *c, int digs)
+mp_digit W[MP_WARRAY];
+mp_word  _W;
+
++   if (digs < 0) {
++  return MP_VAL;
++   }
++
+/* grow the destination as required */
+if (c->alloc < digs) {
+   if ((err = mp_grow(c, digs)) != MP_OKAY) {
+diff --git a/libtommath/bn_s_mp_mul_high_digs.c 
b/libtommath/bn_s_mp_mul_high_digs.c
+index 2bb2a50..c9dd355 100644
+--- a/libtommath/bn_s_mp_mul_high_digs.c
 b/libtommath/bn_s_mp_mul_high_digs.c
+@@ -15,6 +15,10 @@ mp_err s_mp_mul_high_digs(const mp_int *a, const mp_int *b, 
mp_int *c, int digs)
+mp_word  r;
+mp_digit tmpx, *tmpt, *tmpy;
+
++   if (digs < 0) {
++  return MP_VAL;
++   }
++
+/* can we use the fast multiplier? */
+if (MP_HAS(S_MP_MUL_HIGH_DIGS_FAST)
+&& ((a->used + b->used + 1) < MP_WARRAY)
+diff --git a/libtommath/bn_s_mp_mul_high_digs_fast.c 
b/libtommath/bn_s_mp_mul_high_digs_fast.c
+index a2c4fb6..afe3e4b 100644
+--- 

[OE-core][kirkstone][PATCH 1/1] webkitgtk: fix CVE-2022-48503

2023-09-08 Thread Urade, Yogita via lists.openembedded.org
From: Yogita Urade 

The issue was addressed with improved bounds checks. This issue
is fixed in tvOS 15.6, watchOS 8.7, iOS 15.6 and iPadOS 15.6,
macOS Monterey 12.5, Safari 15.6. Processing web content may
lead to arbitrary code execution.

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-48503
https://support.apple.com/en-us/HT213340
https://bugs.webkit.org/show_bug.cgi?id=241931

Signed-off-by: Yogita Urade 
---
 .../webkit/webkitgtk/CVE-2022-48503.patch | 225 ++
 meta/recipes-sato/webkit/webkitgtk_2.36.8.bb  |   1 +
 2 files changed, 226 insertions(+)
 create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2022-48503.patch

diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-48503.patch 
b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-48503.patch
new file mode 100644
index 00..b67751736d
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-48503.patch
@@ -0,0 +1,225 @@
+From 612c245823a515c8c70c2ad486957bd8a850f0f9 Mon Sep 17 00:00:00 2001
+From: Yusuke Suzuki 
+Date: Tue, 5 Sep 2023 08:40:19 +
+Subject: [PATCH] [JSC] Refactor wasm section ordering code
+ https://bugs.webkit.org/show_bug.cgi?id=241931 rdar://83326477
+
+Reviewed by Keith Miller.
+
+This patch refactors existing validateOrder code since it is too adhoc right 
now.
+
+* Source/JavaScriptCore/wasm/WasmModuleInformation.h:
+(JSC::Wasm::ModuleInformation::dataSegmentsCount const):
+* Source/JavaScriptCore/wasm/WasmSectionParser.cpp:
+(JSC::Wasm::SectionParser::parseData):
+(JSC::Wasm::SectionParser::parseDataCount):
+* Source/JavaScriptCore/wasm/WasmSectionParser.h:
+* Source/JavaScriptCore/wasm/WasmSections.h:
+(JSC::Wasm::orderingNumber):
+(JSC::Wasm::isKnownSection):
+(JSC::Wasm::validateOrder):
+(JSC::Wasm::makeString):
+* Source/JavaScriptCore/wasm/WasmStreamingParser.cpp:
+(JSC::Wasm::StreamingParser::parseSectionPayload):
+(JSC::Wasm::StreamingParser::finalize):
+
+Canonical link: https://commits.webkit.org/251800@main
+
+CVE: CVE-2022-48503
+
+Upstream-Status: Backport 
[https://github.com/WebKit/WebKit/commit/612c245823a515c8c70c2ad486957bd8a850f0f9]
+
+Signed-off-by: Yogita Urade 
+---
+ .../wasm/WasmModuleInformation.h  |  4 +-
+ .../JavaScriptCore/wasm/WasmSectionParser.cpp |  3 ++
+ .../JavaScriptCore/wasm/WasmSectionParser.h   |  2 +-
+ Source/JavaScriptCore/wasm/WasmSections.h | 52 +++
+ .../wasm/WasmStreamingParser.cpp  | 11 +++-
+ 5 files changed, 45 insertions(+), 27 deletions(-)
+
+diff --git a/Source/JavaScriptCore/wasm/WasmModuleInformation.h 
b/Source/JavaScriptCore/wasm/WasmModuleInformation.h
+index ae6bbeed..f9f1baf7 100644
+--- a/Source/JavaScriptCore/wasm/WasmModuleInformation.h
 b/Source/JavaScriptCore/wasm/WasmModuleInformation.h
+@@ -86,7 +86,7 @@ struct ModuleInformation : public 
ThreadSafeRefCounted {
+ uint32_t memoryCount() const { return memory ? 1 : 0; }
+ uint32_t tableCount() const { return tables.size(); }
+ uint32_t elementCount() const { return elements.size(); }
+-uint32_t dataSegmentsCount() const { return numberOfDataSegments; }
++uint32_t dataSegmentsCount() const { return 
numberOfDataSegments.value_or(0); }
+
+ const TableInformation& table(unsigned index) const { return 
tables[index]; }
+
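Review bot: `dataSegmentsCount()` now returns `numberOfDataSegments.value_or(0)`, which maps "no Data Count section" and "Data Count section declaring zero segments" to the same value. That is fine for size queries, but any caller using 0 to decide whether the section was present must test the optional itself, as the parseData() hunk below does with `if (m_info->numberOfDataSegments)`; a comment on the accessor saying it is for counts only, not presence, would prevent that misuse.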
+@@ -131,7 +131,7 @@ struct ModuleInformation : public 
ThreadSafeRefCounted {
+ Vector customSections;
+ Ref nameSection;
+ BranchHints branchHints;
+-uint32_t numberOfDataSegments { 0 };
++std::optional numberOfDataSegments;
+
+ BitVector m_declaredFunctions;
+ BitVector m_declaredExceptions;
+diff --git a/Source/JavaScriptCore/wasm/WasmSectionParser.cpp 
b/Source/JavaScriptCore/wasm/WasmSectionParser.cpp
+index 5b511811..c55ee3c0 100644
+--- a/Source/JavaScriptCore/wasm/WasmSectionParser.cpp
 b/Source/JavaScriptCore/wasm/WasmSectionParser.cpp
+@@ -768,6 +768,8 @@ auto SectionParser::parseData() -> PartialResult
+ uint32_t segmentCount;
+ WASM_PARSER_FAIL_IF(!parseVarUInt32(segmentCount), "can't get Data 
section's count");
+ WASM_PARSER_FAIL_IF(segmentCount > maxDataSegments, "Data section's count 
is too big ", segmentCount, " maximum ", maxDataSegments);
++if (m_info->numberOfDataSegments)
++WASM_PARSER_FAIL_IF(segmentCount != 
m_info->numberOfDataSegments.value(), "Data section's count ", segmentCount, " 
is different from Data Count section's count ", 
m_info->numberOfDataSegments.value());
+ WASM_PARSER_FAIL_IF(!m_info->data.tryReserveCapacity(segmentCount), 
"can't allocate enough memory for Data section's ", segmentCount, " segments");
+
+ for (uint32_t segmentNumber = 0; segmentNumber < segmentCount; 
++segmentNumber) {
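Review bot: the new consistency check sits under an un-braced `if (m_info->numberOfDataSegments)`; if `WASM_PARSER_FAIL_IF` expands to more than one statement, only its first statement is guarded, so wrap the body in braces. The check also only runs when a Data Count section was parsed before the Data section, so it relies on the section-ordering validation (the `validateOrder` rework the commit message mentions, not visible here) to reject a Data Count section that arrives after the Data section.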
+@@ -847,6 +849,7 @@ auto SectionParser::parseDataCount() -> PartialResult
+ {
+ uint32_t numberOfDataSegments;
+ WASM_PARSER_FAIL_IF(!parseVarUInt32(numberOfDataSegments), "can't get 
Data Count section's count");
++WASM_PARSER_FAIL_IF(numberOfDataSegments > maxDataSegments, 

[OE-core][mickledore][PATCH 1/1] dropbear: fix CVE-2023-36328

2023-09-08 Thread Urade, Yogita via lists.openembedded.org
From: Yogita Urade 

Integer Overflow vulnerability in mp_grow in libtom libtommath before
commit beba892bc0d4e4ded4d667ab1d2a94f4d75109a9, allows attackers to
execute arbitrary code and cause a denial of service (DoS).

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-36328
https://github.com/libtom/libtommath/pull/546

Signed-off-by: Yogita Urade 
---
 .../dropbear/dropbear/CVE-2023-36328.patch| 144 ++
 .../recipes-core/dropbear/dropbear_2022.83.bb |   1 +
 2 files changed, 145 insertions(+)
 create mode 100644 meta/recipes-core/dropbear/dropbear/CVE-2023-36328.patch

diff --git a/meta/recipes-core/dropbear/dropbear/CVE-2023-36328.patch 
b/meta/recipes-core/dropbear/dropbear/CVE-2023-36328.patch
new file mode 100644
index 00..932503e507
--- /dev/null
+++ b/meta/recipes-core/dropbear/dropbear/CVE-2023-36328.patch
@@ -0,0 +1,144 @@
+From beba892bc0d4e4ded4d667ab1d2a94f4d75109a9 Mon Sep 17 00:00:00 2001
+From: czurnieden 
+Date: Fri, 8 Sep 2023 05:01:00 +
+Subject: [PATCH] Fix possible integer overflow
+
+CVE: CVE-2023-36328
+
+Upstream-Status: Backport 
[https://github.com/libtom/libtommath/commit/beba892bc0d4e4ded4d667ab1d2a94f4d75109a9]
+
+Signed-off-by: Yogita Urade 
+---
+ libtommath/bn_mp_2expt.c| 4 
+ libtommath/bn_mp_grow.c | 4 
+ libtommath/bn_mp_init_size.c| 5 +
+ libtommath/bn_mp_mul_2d.c   | 4 
+ libtommath/bn_s_mp_mul_digs.c   | 4 
+ libtommath/bn_s_mp_mul_digs_fast.c  | 4 
+ libtommath/bn_s_mp_mul_high_digs.c  | 4 
+ libtommath/bn_s_mp_mul_high_digs_fast.c | 4 
+ 8 files changed, 33 insertions(+)
+
+diff --git a/libtommath/bn_mp_2expt.c b/libtommath/bn_mp_2expt.c
+index 0ae3df1..ca6fbc3 100644
+--- a/libtommath/bn_mp_2expt.c
 b/libtommath/bn_mp_2expt.c
+@@ -12,6 +12,10 @@ mp_err mp_2expt(mp_int *a, int b)
+ {
+mp_errerr;
+
++   if (b < 0) {
++  return MP_VAL;
++   }
++
+/* zero a as per default */
+mp_zero(a);
+
+diff --git a/libtommath/bn_mp_grow.c b/libtommath/bn_mp_grow.c
+index 9e904c5..b9321f7 100644
+--- a/libtommath/bn_mp_grow.c
 b/libtommath/bn_mp_grow.c
+@@ -9,6 +9,10 @@ mp_err mp_grow(mp_int *a, int size)
+int i;
+mp_digit *tmp;
+
++   if (size < 0) {
++  return MP_VAL;
++   }
++
+/* if the alloc size is smaller alloc more ram */
+if (a->alloc < size) {
+   /* reallocate the array a->dp
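Review bot: the post-image blob id here is `b9321f7`, while the master-branch submission of the same upstream commit (beba892bc0d4e4ded4d667ab1d2a94f4d75109a9) earlier in this thread records `2b16826` for the same pre-image `9e904c5`; bn_s_mp_mul_high_digs.c likewise shows `860ebcb` here against `c9dd355` there. The `+` lines read the same, so the difference is probably whitespace or line endings, but it means the two backports were not generated from the same tree; regenerate both with `git format-patch` from the upstream commit so the patch files are byte-identical across branches.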
+diff --git a/libtommath/bn_mp_init_size.c b/libtommath/bn_mp_init_size.c
+index d622687..5fefa96 100644
+--- a/libtommath/bn_mp_init_size.c
 b/libtommath/bn_mp_init_size.c
+@@ -6,6 +6,11 @@
+ /* init an mp_init for a given size */
+ mp_err mp_init_size(mp_int *a, int size)
+ {
++
++   if (size < 0) {
++  return MP_VAL;
++   }
++
+size = MP_MAX(MP_MIN_PREC, size);
+
+/* alloc mem */
+diff --git a/libtommath/bn_mp_mul_2d.c b/libtommath/bn_mp_mul_2d.c
+index 87354de..2744163 100644
+--- a/libtommath/bn_mp_mul_2d.c
 b/libtommath/bn_mp_mul_2d.c
+@@ -9,6 +9,10 @@ mp_err mp_mul_2d(const mp_int *a, int b, mp_int *c)
+mp_digit d;
+mp_err   err;
+
++   if (b < 0) {
++  return MP_VAL;
++   }
++
+/* copy */
+if (a != c) {
+   if ((err = mp_copy(a, c)) != MP_OKAY) {
+diff --git a/libtommath/bn_s_mp_mul_digs.c b/libtommath/bn_s_mp_mul_digs.c
+index 64509d4..2d2f5b0 100644
+--- a/libtommath/bn_s_mp_mul_digs.c
 b/libtommath/bn_s_mp_mul_digs.c
+@@ -16,6 +16,10 @@ mp_err s_mp_mul_digs(const mp_int *a, const mp_int *b, 
mp_int *c, int digs)
+mp_word r;
+mp_digit tmpx, *tmpt, *tmpy;
+
++   if (digs < 0) {
++  return MP_VAL;
++   }
++
+/* can we use the fast multiplier? */
+if ((digs < MP_WARRAY) &&
+(MP_MIN(a->used, b->used) < MP_MAXFAST)) {
+diff --git a/libtommath/bn_s_mp_mul_digs_fast.c 
b/libtommath/bn_s_mp_mul_digs_fast.c
+index b2a287b..d6dd3cc 100644
+--- a/libtommath/bn_s_mp_mul_digs_fast.c
 b/libtommath/bn_s_mp_mul_digs_fast.c
+@@ -26,6 +26,10 @@ mp_err s_mp_mul_digs_fast(const mp_int *a, const mp_int *b, 
mp_int *c, int digs)
+mp_digit W[MP_WARRAY];
+mp_word  _W;
+
++   if (digs < 0) {
++  return MP_VAL;
++   }
++
+/* grow the destination as required */
+if (c->alloc < digs) {
+   if ((err = mp_grow(c, digs)) != MP_OKAY) {
+diff --git a/libtommath/bn_s_mp_mul_high_digs.c 
b/libtommath/bn_s_mp_mul_high_digs.c
+index 2bb2a50..860ebcb 100644
+--- a/libtommath/bn_s_mp_mul_high_digs.c
 b/libtommath/bn_s_mp_mul_high_digs.c
+@@ -15,6 +15,10 @@ mp_err s_mp_mul_high_digs(const mp_int *a, const mp_int *b, 
mp_int *c, int digs)
+mp_word  r;
+mp_digit tmpx, *tmpt, *tmpy;
+
++   if (digs < 0) {
++  return MP_VAL;
++   }
++
+/* can we use the fast multiplier? */
+if (MP_HAS(S_MP_MUL_HIGH_DIGS_FAST)
+&& ((a->used + b->used + 1) < MP_WARRAY)
+diff --git a/libtommath/bn_s_mp_mul_high_digs_fast.c 
b/libtommath/bn_s_mp_mul_high_digs_fast.c
+index a2c4fb6..afe3e4b 100644
+--- 

[OE-core][kirkstone][PATCH 2/2] qemu: fix CVE-2021-3638

2023-09-07 Thread Urade, Yogita via lists.openembedded.org
From: Yogita Urade 

QEMU: ati-vga: inconsistent check in ati_2d_blt() may lead to
out-of-bounds write.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2021-3638
https://lists.nongnu.org/archive/html/qemu-devel/2021-09/msg01682.html

Signed-off-by: Yogita Urade 
---
 meta/recipes-devtools/qemu/qemu.inc   |  1 +
 .../qemu/qemu/CVE-2021-3638.patch | 88 +++
 2 files changed, 89 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3638.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc 
b/meta/recipes-devtools/qemu/qemu.inc
index 15c7465308..cadca6f687 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -101,6 +101,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
   file://CVE-2020-14394.patch \
   file://CVE-2023-3354.patch \
   file://CVE-2023-3180.patch \
+  file://CVE-2021-3638.patch \
"
 UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar"
 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3638.patch 
b/meta/recipes-devtools/qemu/qemu/CVE-2021-3638.patch
new file mode 100644
index 00..3cbb34c54c
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3638.patch
@@ -0,0 +1,88 @@
+From 205ccfd7a5ec86bd9a5678b8bd157562fc9a1643 Mon Sep 17 00:00:00 2001
+From: Philippe Mathieu-Daudé 
+Date: Thu, 10 Aug 2023 07:30:54 +
+Subject: [PATCH] hw/display/ati_2d: Fix buffer overflow in ati_2d_blt
+ (CVE-2021-3638) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8
+ Content-Transfer-Encoding: 8bit
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When building QEMU with DEBUG_ATI defined then running with
+'-device ati-vga,romfile="" -d unimp,guest_errors -trace ati\*'
+we get:
+
+  ati_mm_write 4 0x16c0 DP_CNTL <- 0x1
+  ati_mm_write 4 0x146c DP_GUI_MASTER_CNTL <- 0x2
+  ati_mm_write 4 0x16c8 DP_MIX <- 0xff
+  ati_mm_write 4 0x16c4 DP_DATATYPE <- 0x2
+  ati_mm_write 4 0x224 CRTC_OFFSET <- 0x0
+  ati_mm_write 4 0x142c DST_PITCH_OFFSET <- 0xfe0
+  ati_mm_write 4 0x1420 DST_Y <- 0x3fff
+  ati_mm_write 4 0x1410 DST_HEIGHT <- 0x3fff
+  ati_mm_write 4 0x1588 DST_WIDTH_X <- 0x3fff3fff
+  ati_2d_blt: vram:0x7fff5fa0 addr:0 ds:0x7fff61273800 stride:2560 bpp:32 
rop:0xff
+  ati_2d_blt: 0 0 0, 0 127 0, (0,0) -> (16383,16383) 16383x16383 > ^
+  ati_2d_blt: pixman_fill(dst:0x7fff5fa0, stride:254, bpp:8, x:16383, 
y:16383, w:16383, h:16383, xor:0xff00)
+  Thread 3 "qemu-system-i38" received signal SIGSEGV, Segmentation fault.
+  (gdb) bt
+  #0  0x77f62ce0 in sse2_fill.lto_priv () at /lib64/libpixman-1.so.0
+  #1  0x77f09278 in pixman_fill () at /lib64/libpixman-1.so.0
+  #2  0x57b5a9af in ati_2d_blt (s=0x63128800) at 
hw/display/ati_2d.c:196
+  #3  0x57b4b5a2 in ati_mm_write (opaque=0x63128800, addr=5512, 
data=1073692671, size=4) at hw/display/ati.c:843
+  #4  0x58b90ec4 in memory_region_write_accessor (mr=0x63139cc0, 
addr=5512, ..., size=4, ...) at softmmu/memory.c:492
+
+Commit 584acf34cb0 ("ati-vga: Fix reverse bit blts") introduced
+the local dst_x and dst_y which adjust the (x, y) coordinates
+depending on the direction in the SRCCOPY ROP3 operation, but
+forgot to address the same issue for the PATCOPY, BLACKNESS and
+WHITENESS operations, which also call pixman_fill().
+
+Fix that now by using the adjusted coordinates in the pixman_fill
+call, and update the related debug printf().
+
+Reported-by: Qiang Liu 
+Fixes: 584acf34cb0 ("ati-vga: Fix reverse bit blts")
+Signed-off-by: Philippe Mathieu-Daudé 
+Tested-by: Mauro Matteo Cascella 
+Message-Id: <20210906153103.1661195-1-phi...@redhat.com>
+Signed-off-by: Gerd Hoffmann 
+
+CVE: CVE-2021-3638
+
+Upstream-Status: Backport 
[https://github.com/qemu/qemu/commit/205ccfd7a5ec86bd9a5678b8bd157562fc9a1643]
+
+Signed-off-by: Yogita Urade 
+---
+ hw/display/ati_2d.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c
+index 4dc10ea79..692bec91d 100644
+--- a/hw/display/ati_2d.c
 b/hw/display/ati_2d.c
+@@ -84,7 +84,7 @@ void ati_2d_blt(ATIVGAState *s)
+ DPRINTF("%d %d %d, %d %d %d, (%d,%d) -> (%d,%d) %dx%d %c %c\n",
+ s->regs.src_offset, s->regs.dst_offset, s->regs.default_offset,
+ s->regs.src_pitch, s->regs.dst_pitch, s->regs.default_pitch,
+-s->regs.src_x, s->regs.src_y, s->regs.dst_x, s->regs.dst_y,
++s->regs.src_x, s->regs.src_y, dst_x, dst_y,
+ s->regs.dst_width, s->regs.dst_height,
+ (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ? '>' : '<'),
+ (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ? 'v' : '^'));
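Review bot: the `dst_x`/`dst_y` locals this DPRINTF now prints were introduced by commit 584acf34cb0 (the Fixes: line), so the backport compiles only if that commit is already present in the QEMU version the recipe builds; the patch header records the upstream commit in Upstream-Status but not the QEMU release it was rebased onto, and a line stating that would make the dependency easy to verify.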
+@@ -180,11 +180,11 @@ void ati_2d_blt(ATIVGAState *s)
+ dst_stride /= sizeof(uint32_t);
+ DPRINTF("pixman_fill(%p, %d, %d, %d, %d, %d, %d, %x)\n",
+ dst_bits, dst_stride, bpp,
+-
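Review bot: the hunk stops at the `+-` marker, before the removed pixman_fill() argument line, so the actual fix described in the commit message (passing `dst_x`/`dst_y` to pixman_fill instead of the raw `s->regs.dst_x`/`s->regs.dst_y`) is not visible here; diff the applied file against the upstream commit named in Upstream-Status before merging.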

[OE-core][kirkstone][PATCH 1/2] qemu: fix CVE-2023-0330

2023-09-07 Thread Urade, Yogita via lists.openembedded.org
From: Yogita Urade 

A DMA-MMIO reentrancy problem may lead to memory corruption bugs
like stack overflow or use-after-free.

Summary of the problem from Peter Maydell:
https://lore.kernel.org/qemu-devel/cafeaca_23vc7he3iam-jva6w38lk4hjowae5kcknhprd5fp...@mail.gmail.com

Reference:
https://gitlab.com/qemu-project/qemu/-/issues/556

qemu.git$ git log --no-merges --oneline   --grep CVE-2023-0330
b987718bbb hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI controller 
(CVE-2023-0330)
a2e1753b80 memory: prevent dma-reentracy issues

Included the second commit as well, as the commit log of a2e1753b80 says it
resolves CVE-2023-0330.

Signed-off-by: Yogita Urade 
---
 meta/recipes-devtools/qemu/qemu.inc   |   3 +-
 ...-2023-0330.patch => CVE-2023-0330_1.patch} |   0
 .../qemu/qemu/CVE-2023-0330_2.patch   | 136 ++
 3 files changed, 138 insertions(+), 1 deletion(-)
 rename meta/recipes-devtools/qemu/qemu/{CVE-2023-0330.patch => 
CVE-2023-0330_1.patch} (100%)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-0330_2.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc 
b/meta/recipes-devtools/qemu/qemu.inc
index d77c376bb6..15c7465308 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -93,7 +93,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2022-4144.patch \

file://0001-hw-display-qxl-Have-qxl_log_command-Return-early-if-.patch \

file://0001-hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch \
-   file://CVE-2023-0330.patch \
+   file://CVE-2023-0330_1.patch \
+  file://CVE-2023-0330_2.patch \
file://CVE-2023-3301.patch \
file://CVE-2023-3255.patch \
file://CVE-2023-2861.patch \
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch 
b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330_1.patch
similarity index 100%
rename from meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch
rename to meta/recipes-devtools/qemu/qemu/CVE-2023-0330_1.patch
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330_2.patch 
b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330_2.patch
new file mode 100644
index 00..a45ee0490a
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330_2.patch
@@ -0,0 +1,136 @@
+From a2e1753b8054344f32cf94f31c6399a58794a380 Mon Sep 17 00:00:00 2001
+From: Alexander Bulekov 
+Date: Fri, 11 Aug 2023 07:41:04 +
+Subject: [PATCH] memory: prevent dma-reentracy issues
+
+Add a flag to the DeviceState, when a device is engaged in PIO/MMIO/DMA.
+This flag is set/checked prior to calling a device's MemoryRegion
+handlers, and set when device code initiates DMA.  The purpose of this
+flag is to prevent two types of DMA-based reentrancy issues:
+
+1.) mmio -> dma -> mmio case
+2.) bh -> dma write -> mmio case
+
+These issues have led to problems such as stack-exhaustion and
+use-after-frees.
+
+Summary of the problem from Peter Maydell:
+https://lore.kernel.org/qemu-devel/cafeaca_23vc7he3iam-jva6w38lk4hjowae5kcknhprd5fp...@mail.gmail.com
+
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/62
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/540
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/541
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/556
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/557
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/827
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1282
+Resolves: CVE-2023-0330
+
+Signed-off-by: Alexander Bulekov 
+Reviewed-by: Thomas Huth 
+Message-Id: <20230427211013.2994127-2-alx...@bu.edu>
+[thuth: Replace warn_report() with warn_report_once()]
+Signed-off-by: Thomas Huth 
+
+CVE: CVE-2023-0330
+
+Upstream-Status: Backport 
[https://gitlab.com/qemu-project/qemu/-/commit/a2e1753b8054344f32cf94f31c6399a58794a380]
+
+Signed-off-by: Yogita Urade 
+---
+ include/exec/memory.h  |  5 +
+ include/hw/qdev-core.h |  7 +++
+ softmmu/memory.c   | 16 
+ 3 files changed, 28 insertions(+)
+
+diff --git a/include/exec/memory.h b/include/exec/memory.h
+index 20f1b2737..e089f90f9 100644
+--- a/include/exec/memory.h
 b/include/exec/memory.h
+@@ -734,6 +734,8 @@ struct MemoryRegion {
+ bool is_iommu;
+ RAMBlock *ram_block;
+ Object *owner;
++/* owner as TYPE_DEVICE. Used for re-entrancy checks in MR access hotpath 
*/
++DeviceState *dev;
+
+ const MemoryRegionOps *ops;
+ void *opaque;
+@@ -757,6 +759,9 @@ struct MemoryRegion {
+ unsigned ioeventfd_nb;
+ MemoryRegionIoeventfd *ioeventfds;
+ RamDiscardManager *rdm; /* Only for RAM */
++
++/* For devices designed to perform re-entrant IO into their own IO MRs */
++bool disable_reentrancy_guard;
+ };
+
+ struct IOMMUMemoryRegion {
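Review bot: `disable_reentrancy_guard` is added here as an opt-out but nothing in this backport sets it (the diffstat covers memory.h, qdev-core.h and softmmu/memory.c only), and the Message-Id (`...2994127-2-...`) shows this is patch 2 of an upstream series; any device in the kirkstone qemu that legitimately re-enters its own MMIO region will now have those accesses refused, so the per-device follow-ups in that series which set this flag should be reviewed for inclusion alongside this commit.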
+diff --git a/include/hw/qdev-core.h b/include/hw/qdev-core.h
+index 20d306659..14226f860 100644
+--- a/include/hw/qdev-core.h
 
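The mmio -> dma -> mmio case from the commit message above, as an added example that is not QEMU code: a toy device with three hypothetical registers (REG_DATA, REG_DMA_DST and REG_KICK are assumptions, as are the MMIO_BASE window and the FakeDev fields) whose DMA engine routes any write that lands in its own register window back into its MMIO handler. `run_guest_sequence()` replays a guest that aims the DMA at REG_KICK and then kicks it, once with the guard active and once with it disabled; with the guard the nested access is dropped and counted, without it the recursion runs until the demo's MAX_DEPTH stop. The bh -> dma -> mmio case is not modelled.

```c
/* Added example, not QEMU code: toy model of the per-device
 * "engaged in IO" flag. Register names and layout are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MMIO_BASE    0x1000u   /* where the fake device's registers live */
#define MMIO_SIZE    0x100u
#define REG_DATA     0x00u     /* hypothetical register offsets */
#define REG_DMA_DST  0x04u     /* guest-controlled DMA destination */
#define REG_KICK     0x08u     /* writing here starts the DMA */
#define MAX_DEPTH    64        /* demo stop so the unguarded case cannot blow the stack */

typedef struct {
    uint32_t data;
    uint32_t dma_dst;
    uint8_t  ram[0x2000];          /* "guest RAM" the DMA engine writes into */
    bool     engaged_in_io;        /* the guard flag, as in the patch */
    bool     disable_reentrancy_guard;
    unsigned depth;                /* current MMIO recursion depth */
    unsigned max_depth;            /* deepest recursion seen */
    unsigned dropped;              /* accesses the guard rejected */
} FakeDev;

static void mmio_write(FakeDev *d, uint32_t off, uint32_t val);

/* DMA engine: writes hit guest RAM, or, if the address lands in the
 * device's own MMIO window, are routed back into mmio_write(). */
static void dma_write(FakeDev *d, uint32_t addr, uint32_t val)
{
    if (addr >= MMIO_BASE && addr < MMIO_BASE + MMIO_SIZE) {
        mmio_write(d, addr - MMIO_BASE, val);      /* re-entrant path */
    } else if (addr + sizeof val <= sizeof d->ram) {
        memcpy(&d->ram[addr], &val, sizeof val);
    }
}

/* The device's register handler, written without any re-entrancy awareness. */
static void mmio_write_impl(FakeDev *d, uint32_t off, uint32_t val)
{
    switch (off) {
    case REG_DATA:    d->data = val;                 break;
    case REG_DMA_DST: d->dma_dst = val;              break;
    case REG_KICK:    dma_write(d, d->dma_dst, val); break;
    default:                                         break;
    }
}

/* Dispatcher: every MMIO access passes the guard before the handler runs. */
static void mmio_write(FakeDev *d, uint32_t off, uint32_t val)
{
    if (d->depth >= MAX_DEPTH) {
        return;                                    /* demo safety stop only */
    }
    if (d->engaged_in_io && !d->disable_reentrancy_guard) {
        d->dropped++;                              /* nested access rejected */
        return;
    }
    bool outermost = !d->engaged_in_io;
    d->engaged_in_io = true;
    d->depth++;
    if (d->depth > d->max_depth) {
        d->max_depth = d->depth;
    }
    mmio_write_impl(d, off, val);
    d->depth--;
    if (outermost) {
        d->engaged_in_io = false;                  /* only the outer access clears it */
    }
}

/* Replays the hostile guest: aim the DMA at our own REG_KICK, then kick.
 * Returns the deepest recursion reached; *dropped gets the rejected count. */
unsigned run_guest_sequence(bool guard_enabled, unsigned *dropped)
{
    FakeDev d;
    memset(&d, 0, sizeof d);
    d.disable_reentrancy_guard = !guard_enabled;
    mmio_write(&d, REG_DMA_DST, MMIO_BASE + REG_KICK);
    mmio_write(&d, REG_KICK, 0xdeadbeefu);
    if (dropped) {
        *dropped = d.dropped;
    }
    return d.max_depth;
}

unsigned run_guest_dropped(bool guard_enabled)
{
    unsigned dropped = 0;
    run_guest_sequence(guard_enabled, &dropped);
    return dropped;
}

int main(void)
{
    printf("guard on : depth %u, dropped %u\n",
           run_guest_sequence(true, NULL), run_guest_dropped(true));
    printf("guard off: depth %u (stopped by MAX_DEPTH), dropped %u\n",
           run_guest_sequence(false, NULL), run_guest_dropped(false));
    return 0;
}
```

The flag is set by the outermost access and cleared only by it, and it belongs to the device rather than to the region, which is why the patch stores it on the DeviceState and looks it up through the MemoryRegion's `dev` pointer: a bottom half entering a different device's region is still allowed, only a device re-entering itself is refused.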

[OE-core][kirkstone][PATCH 1/1] dropbear: fix CVE-2023-36328

2023-09-06 Thread Urade, Yogita via lists.openembedded.org
From: Yogita Urade 

Integer Overflow vulnerability in mp_grow in libtom libtommath before
commit beba892bc0d4e4ded4d667ab1d2a94f4d75109a9, allows attackers to
execute arbitrary code and cause a denial of service (DoS).

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-36328
https://github.com/libtom/libtommath/pull/546

Signed-off-by: Yogita Urade 
---
 meta/recipes-core/dropbear/dropbear.inc   |   1 +
 .../dropbear/dropbear/CVE-2023-36328.patch| 144 ++
 2 files changed, 145 insertions(+)
 create mode 100644 meta/recipes-core/dropbear/dropbear/CVE-2023-36328.patch

diff --git a/meta/recipes-core/dropbear/dropbear.inc 
b/meta/recipes-core/dropbear/dropbear.inc
index f3f085b616..e61930f7db 100644
--- a/meta/recipes-core/dropbear/dropbear.inc
+++ b/meta/recipes-core/dropbear/dropbear.inc
@@ -29,6 +29,7 @@ SRC_URI = 
"http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \
${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', 
'', d)} \
${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 
'file://dropbear-disable-weak-ciphers.patch', '', d)} \
   file://CVE-2021-36369.patch \
+  file://CVE-2023-36328.patch \
   "
 
 PAM_SRC_URI = "file://0005-dropbear-enable-pam.patch \
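Review bot: the patch paths are all under `libtommath/`, i.e. the copy bundled in the dropbear tarball; that is what the default dropbear build links, but if the recipe ever switches to a system libtommath this SRC_URI entry becomes a no-op and the CVE has to be tracked against the libtommath recipe instead, which is worth a line in the commit message.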
diff --git a/meta/recipes-core/dropbear/dropbear/CVE-2023-36328.patch 
b/meta/recipes-core/dropbear/dropbear/CVE-2023-36328.patch
new file mode 100644
index 00..4d8c40f70b
--- /dev/null
+++ b/meta/recipes-core/dropbear/dropbear/CVE-2023-36328.patch
@@ -0,0 +1,144 @@
+From beba892bc0d4e4ded4d667ab1d2a94f4d75109a9 Mon Sep 17 00:00:00 2001
+From: czurnieden 
+Date: Wed, 6 Sep 2023 10:48:58 +
+Subject: [PATCH] Fix possible integer overflow
+
+CVE: CVE-2023-36328
+
+Upstream-Status: Backport 
[https://github.com/libtom/libtommath/commit/beba892bc0d4e4ded4d667ab1d2a94f4d75109a9]
+
+Signed-off-by: Yogita Urade 
+---
+ libtommath/bn_mp_2expt.c| 4 
+ libtommath/bn_mp_grow.c | 4 
+ libtommath/bn_mp_init_size.c| 5 +
+ libtommath/bn_mp_mul_2d.c   | 4 
+ libtommath/bn_s_mp_mul_digs.c   | 4 
+ libtommath/bn_s_mp_mul_digs_fast.c  | 4 
+ libtommath/bn_s_mp_mul_high_digs.c  | 4 
+ libtommath/bn_s_mp_mul_high_digs_fast.c | 4 
+ 8 files changed, 33 insertions(+)
+
+diff --git a/libtommath/bn_mp_2expt.c b/libtommath/bn_mp_2expt.c
+index 0ae3df1..7d4d884 100644
+--- a/libtommath/bn_mp_2expt.c
 b/libtommath/bn_mp_2expt.c
+@@ -12,6 +12,10 @@ mp_err mp_2expt(mp_int *a, int b)
+ {
+mp_errerr;
+
++   if (b < 0) {
++  return MP_VAL;
++   }
++
+/* zero a as per default */
+mp_zero(a);
+
+diff --git a/libtommath/bn_mp_grow.c b/libtommath/bn_mp_grow.c
+index 9e904c5..e7b186c 100644
+--- a/libtommath/bn_mp_grow.c
 b/libtommath/bn_mp_grow.c
+@@ -9,6 +9,10 @@ mp_err mp_grow(mp_int *a, int size)
+int i;
+mp_digit *tmp;
+
++   if (size < 0) {
++  return MP_VAL;
++   }
++
+/* if the alloc size is smaller alloc more ram */
+if (a->alloc < size) {
+   /* reallocate the array a->dp
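Review bot: the guard is needed because a negative `size` makes the `a->alloc < size` test in the context below false, so the old code returned MP_OKAY without reallocating and the caller carried on as if the buffer had grown; rejecting with MP_VAL up front is right, and it lines up with the `digs < 0` checks the later hunks add at the s_mp_mul_digs_fast call site that grows `c` to `digs`.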
+diff --git a/libtommath/bn_mp_init_size.c b/libtommath/bn_mp_init_size.c
+index d622687..5fefa96 100644
+--- a/libtommath/bn_mp_init_size.c
 b/libtommath/bn_mp_init_size.c
+@@ -6,6 +6,11 @@
+ /* init an mp_init for a given size */
+ mp_err mp_init_size(mp_int *a, int size)
+ {
++
++   if (size < 0) {
++  return MP_VAL;
++   }
++
+size = MP_MAX(MP_MIN_PREC, size);
+
+/* alloc mem */
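Review bot: the added `++` line directly after the opening brace introduces a stray blank line at the top of the function body; drop it so this hunk matches the neighbouring files (mp_grow, mp_2expt), where the check follows the declarations without an extra blank line.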
+diff --git a/libtommath/bn_mp_mul_2d.c b/libtommath/bn_mp_mul_2d.c
+index 87354de..2744163 100644
+--- a/libtommath/bn_mp_mul_2d.c
 b/libtommath/bn_mp_mul_2d.c
+@@ -9,6 +9,10 @@ mp_err mp_mul_2d(const mp_int *a, int b, mp_int *c)
+mp_digit d;
+mp_err   err;
+
++   if (b < 0) {
++  return MP_VAL;
++   }
++
+/* copy */
+if (a != c) {
+   if ((err = mp_copy(a, c)) != MP_OKAY) {
+diff --git a/libtommath/bn_s_mp_mul_digs.c b/libtommath/bn_s_mp_mul_digs.c
+index 64509d4..2d2f5b0 100644
+--- a/libtommath/bn_s_mp_mul_digs.c
 b/libtommath/bn_s_mp_mul_digs.c
+@@ -16,6 +16,10 @@ mp_err s_mp_mul_digs(const mp_int *a, const mp_int *b, 
mp_int *c, int digs)
+mp_word r;
+mp_digit tmpx, *tmpt, *tmpy;
+
++   if (digs < 0) {
++  return MP_VAL;
++   }
++
+/* can we use the fast multiplier? */
+if ((digs < MP_WARRAY) &&
+(MP_MIN(a->used, b->used) < MP_MAXFAST)) {
+diff --git a/libtommath/bn_s_mp_mul_digs_fast.c 
b/libtommath/bn_s_mp_mul_digs_fast.c
+index b2a287b..d6dd3cc 100644
+--- a/libtommath/bn_s_mp_mul_digs_fast.c
 b/libtommath/bn_s_mp_mul_digs_fast.c
+@@ -26,6 +26,10 @@ mp_err s_mp_mul_digs_fast(const mp_int *a, const mp_int *b, 
mp_int *c, int digs)
+mp_digit W[MP_WARRAY];
+mp_word  _W;
+
++   if (digs < 0) {
++  return MP_VAL;
++   }
++
+/* grow the destination as required */
+if (c->alloc < digs) {
+   if ((err = mp_grow(c, digs)) != MP_OKAY) {
+diff --git 

[OE-core][mickledore][PATCH 1/1] nghttp2: fix CVE-2023-35945

2023-09-04 Thread Urade, Yogita via lists.openembedded.org
From: Yogita Urade 

Envoy is a cloud-native high-performance edge/middle/service
proxy. Envoy’s HTTP/2 codec may leak a header map and
bookkeeping structures upon receiving `RST_STREAM` immediately
followed by the `GOAWAY` frames from an upstream server. In
nghttp2, cleanup of pending requests due to receipt of the
`GOAWAY` frame skips de-allocation of the bookkeeping structure
and pending compressed header. The error return [code path] is
taken if the connection is already marked for not sending more
requests due to `GOAWAY` frame. The clean-up code is right after
the return statement, causing a memory leak. Denial of service
through memory exhaustion. This vulnerability was patched in
version(s) 1.26.3, 1.25.8, 1.24.9, 1.23.11.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-35945
https://github.com/envoyproxy/envoy/security/advisories/GHSA-jfxv-29pc-x22r

Signed-off-by: Yogita Urade 
---
 .../nghttp2/nghttp2/CVE-2023-35945.patch  | 151 ++
 .../recipes-support/nghttp2/nghttp2_1.52.0.bb |   1 +
 2 files changed, 152 insertions(+)
 create mode 100644 meta/recipes-support/nghttp2/nghttp2/CVE-2023-35945.patch

diff --git a/meta/recipes-support/nghttp2/nghttp2/CVE-2023-35945.patch 
b/meta/recipes-support/nghttp2/nghttp2/CVE-2023-35945.patch
new file mode 100644
index 00..04d2086e1c
--- /dev/null
+++ b/meta/recipes-support/nghttp2/nghttp2/CVE-2023-35945.patch
@@ -0,0 +1,151 @@
+From ce385d3f55a4b76da976b3bdf71fe2deddf315ba Mon Sep 17 00:00:00 2001
+From: Tatsuhiro Tsujikawa 
+Date: Mon, 4 Sep 2023 06:48:30 +
+Subject: [PATCH] Fix memory leak
+
+This commit fixes memory leak that happens when PUSH_PROMISE or
+HEADERS frame cannot be sent, and nghttp2_on_stream_close_callback
+fails with a fatal error.  For example, if GOAWAY frame has been
+received, a HEADERS frame that opens new stream cannot be sent.
+
+This issue has already been made public via CVE-2023-35945 [1] issued
+by envoyproxy/envoy project.  During embargo period, the patch to fix
+this bug was accidentally submitted to nghttp2/nghttp2 repository [2].
+And they decided to disclose CVE early.  I was notified just 1.5 hours
+before disclosure.  I had no time to respond.
+
+PoC described in [1] is quite simple, but I think it is not enough to
+trigger this bug.  While it is true that receiving GOAWAY prevents a
+client from opening new stream, and nghttp2 enters error handling
+branch, in order to cause the memory leak,
+nghttp2_session_close_stream function must return a fatal error.
+nghttp2 defines 2 fatal error codes:
+
+- NGHTTP2_ERR_NOMEM
+- NGHTTP2_ERR_CALLBACK_FAILURE
+
+NGHTTP2_ERR_NOMEM, as its name suggests, indicates out of memory.  It
+is unlikely that a process gets short of memory with this simple PoC
+scenario unless application does something memory heavy processing.
+
+NGHTTP2_ERR_CALLBACK_FAILURE is returned from application defined
+callback function (nghttp2_on_stream_close_callback, in this case),
+which indicates something fatal happened inside a callback, and a
+connection must be closed immediately without any further action.  As
+nghttp2_on_stream_close_error_callback documentation says, any error
+code other than 0 or NGHTTP2_ERR_CALLBACK_FAILURE is treated as fatal
+error code.  More specifically, it is treated as if
+NGHTTP2_ERR_CALLBACK_FAILURE is returned.  I guess that envoy returns
+NGHTTP2_ERR_CALLBACK_FAILURE or other error code which is translated
+into NGHTTP2_ERR_CALLBACK_FAILURE.
+
+[1] https://github.com/envoyproxy/envoy/security/advisories/GHSA-jfxv-29pc-x22r
+[2] https://github.com/nghttp2/nghttp2/pull/1929
+
+CVE: CVE-2023-35945
+
+Upstream-Status: Backport 
[https://github.com/nghttp2/nghttp2/commit/ce385d3f55a4b76da976b3bdf71fe2deddf315ba]
+
+Signed-off-by: Yogita Urade 
+---
+ lib/nghttp2_session.c| 10 +-
+ tests/nghttp2_session_test.c | 34 ++
+ 2 files changed, 39 insertions(+), 5 deletions(-)
+
+diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c
+index 93f3f07..9bb32b2 100644
+--- a/lib/nghttp2_session.c
 b/lib/nghttp2_session.c
+@@ -3300,6 +3300,7 @@ static ssize_t 
nghttp2_session_mem_send_internal(nghttp2_session *session,
+   if (rv < 0) {
+ int32_t opened_stream_id = 0;
+ uint32_t error_code = NGHTTP2_INTERNAL_ERROR;
++int rv2 = 0;
+
+ DEBUGF("send: frame preparation failed with %s\n",
+nghttp2_strerror(rv));
+@@ -3342,19 +3343,18 @@ static ssize_t 
nghttp2_session_mem_send_internal(nghttp2_session *session,
+ }
+ if (opened_stream_id) {
+   /* careful not to override rv */
+-  int rv2;
+   rv2 = nghttp2_session_close_stream(session, opened_stream_id,
+  error_code);
+-
+-  if (nghttp2_is_fatal(rv2)) {
+-return rv2;
+-  }
+ }
+
+ nghttp2_outbound_item_free(item, mem);
+ nghttp2_mem_free(mem, item);
+ 
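Review bot: removing `if (nghttp2_is_fatal(rv2)) return rv2;` here means a fatal error from nghttp2_session_close_stream is no longer returned at this point; with `rv2` now initialised to 0 at the top of the error block the intent is to free `item` first and check rv2 afterwards, but that later check falls outside the part of the hunk shown in this archive, so confirm against upstream ce385d3f that it is present after the two free calls.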

[OE-core][mickledore][PATCH 1/1] inetutils: fix CVE-2023-40303

2023-08-29 Thread Urade, Yogita via lists.openembedded.org
From: Yogita Urade 

GNU inetutils through 2.4 may allow privilege escalation because
of unchecked return values of set*id() family functions in ftpd,
rcp, rlogin, rsh, rshd, and uucpd. This is, for example, relevant
if the setuid system call fails when a process is trying to drop
privileges before letting an ordinary user control the activities
of the process.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-40303

Signed-off-by: Yogita Urade 
---
 ...tpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch | 284 ++
 ...03-Indent-changes-in-previous-commit.patch | 258 
 .../inetutils/inetutils_2.4.bb|   2 +
 3 files changed, 544 insertions(+)
 create mode 100644 
meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch
 create mode 100644 
meta/recipes-connectivity/inetutils/inetutils/0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch

diff --git 
a/meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch
 
b/meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch
new file mode 100644
index 00..04fd9b1f85
--- /dev/null
+++ 
b/meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch
@@ -0,0 +1,284 @@
+From e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6 Mon Sep 17 00:00:00 2001
+From: Jeffrey Bencteux 
+Date: Mon, 28 Aug 2023 15:35:19 +
+Subject: [PATCH] CVE-2023-40303: ftpd,rcp,rlogin,rsh,rshd,uucpd: fix: check
+set*id() return values
+
+Several setuid(), setgid(), seteuid() and setguid() return values
+were not checked in ftpd/rcp/rlogin/rsh/rshd/uucpd code potentially
+leading to potential security issues.
+
+Signed-off-by: Jeffrey Bencteux 
+Signed-off-by: Simon Josefsson 
+
+CVE: CVE-2023-40303
+
+Upstream-Status: Backport 
[https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6]
+
+Signed-off-by: Yogita Urade 
+---
+ ftpd/ftpd.c  | 10 +++---
+ src/rcp.c| 39 +--
+ src/rlogin.c | 11 +--
+ src/rsh.c| 25 +
+ src/rshd.c   | 20 +---
+ src/uucpd.c  | 15 +--
+ 6 files changed, 100 insertions(+), 20 deletions(-)
+
+diff --git a/ftpd/ftpd.c b/ftpd/ftpd.c
+index 92b2cca..009f3f1 100644
+--- a/ftpd/ftpd.c
 b/ftpd/ftpd.c
+@@ -862,7 +862,9 @@ end_login (struct credentials *pcred)
+   char *remotehost = pcred->remotehost;
+   int atype = pcred->auth_type;
+
+-  seteuid ((uid_t) 0);
++  if (seteuid ((uid_t) 0) == -1)
++_exit (EXIT_FAILURE);
++
+   if (pcred->logged_in)
+ {
+   logwtmp_keep_open (ttyline, "", "");
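Review bot: on seteuid() failure end_login() now calls _exit(EXIT_FAILURE) with no diagnostic, so an operator only sees the ftpd child vanish; the rcp.c hunks in the same patch report the failure through error(), and a syslog(LOG_ERR, ...) before the _exit here (and in the getdatasock/passive hunks below) would give the same traceability.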
+@@ -1151,7 +1153,8 @@ getdatasock (const char *mode)
+
+   if (data >= 0)
+ return fdopen (data, mode);
+-  seteuid ((uid_t) 0);
++  if (seteuid ((uid_t) 0) == -1)
++_exit (EXIT_FAILURE);
+   s = socket (ctrl_addr.ss_family, SOCK_STREAM, 0);
+   if (s < 0)
+ goto bad;
+@@ -1978,7 +1981,8 @@ passive (int epsv, int af)
+   else/* !AF_INET6 */
+ ((struct sockaddr_in *) _addr)->sin_port = 0;
+
+-  seteuid ((uid_t) 0);
++  if (seteuid ((uid_t) 0) == -1)
++_exit (EXIT_FAILURE);
+   if (bind (pdata, (struct sockaddr *) _addr, pasv_addrlen) < 0)
+ {
+   if (seteuid ((uid_t) cred.uid))
+diff --git a/src/rcp.c b/src/rcp.c
+index 75adb25..f913256 100644
+--- a/src/rcp.c
 b/src/rcp.c
+@@ -345,14 +345,23 @@ main (int argc, char *argv[])
+   if (from_option)
+ { /* Follow "protocol", send data. */
+   response ();
+-  setuid (userid);
++
++  if (setuid (userid) == -1)
++  {
++  error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
++  }
++
+   source (argc, argv);
+   exit (errs);
+ }
+
+   if (to_option)
+ { /* Receive data. */
+-  setuid (userid);
++  if (setuid (userid) == -1)
++  {
++  error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
++  }
++
+   sink (argc, argv);
+   exit (errs);
+ }
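Review bot: `error (EXIT_FAILURE, 0, ...)` passes errnum 0, so the message says setuid() failed but discards the reason (EPERM, EAGAIN, EINVAL); use `error (EXIT_FAILURE, errno, "Could not drop privileges (setuid() failed)")` so the real errno is appended, in both the from_option and to_option branches.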
+@@ -537,7 +546,11 @@ toremote (char *targ, int argc, char *argv[])
+ if (response () < 0)
+   exit (EXIT_FAILURE);
+ free (bp);
+-setuid (userid);
++
++if (setuid (userid) == -1)
++{
++  error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() 
failed)");
++}
+   }
+ source (1, argv + i);
+ close (rem);
+@@ -630,7 +643,12 @@ tolocal (int argc, char *argv[])
+ ++errs;
+ continue;
+   }
+-  seteuid (userid);
++
++  if (seteuid (userid) == -1)
++  {
++  error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)");
++  }
++
+ #if defined IP_TOS && defined IPPROTO_IP && defined IPTOS_THROUGHPUT
+   sslen = sizeof (ss);
+   (void) 
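The check the patch above enforces, as an added example that is not inetutils code: a `drop_privileges()` helper (hypothetical name) that changes gid before uid, tests every return value, and then verifies the drop by checking the resulting ids and by confirming that `setuid(0)` is now refused. `drop_to_self()` is a test convenience that drops to the caller's own ids so the code runs the same for root and non-root.

```c
/* Added example, not inetutils code: privilege drop with every
 * set*id() return value checked and the result verified. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Permanently switch to uid/gid. Order matters: the gid must be changed
 * while still privileged, because an unprivileged process cannot
 * setgid() to an arbitrary group afterwards. Returns 0 on success;
 * -1 with errno set on any failure, in which case the caller must abort
 * rather than carry on as if it were unprivileged.
 */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgid(gid) == -1) {
        return -1;                     /* e.g. EPERM when not root */
    }
    if (setuid(uid) == -1) {
        return -1;
    }
    /* Verify the kernel did what we asked, real and effective ids alike. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    /* If the target is root itself there is nothing further to prove. */
    if (uid == 0) {
        return 0;
    }
    /* The drop must be irreversible. setuid() from a now-unprivileged
     * process also reset the saved set-user-ID, so regaining root must
     * be refused with EPERM; if it succeeds we are still privileged. */
    if (setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Test helper: drop to our own ids, valid whether or not we started as root. */
int drop_to_self(void)
{
    return drop_privileges(getuid(), getgid());
}

int main(void)
{
    if (drop_to_self() == -1) {
        /* Report the real errno rather than a silent exit, then stop. */
        fprintf(stderr, "could not drop privileges: %s\n", strerror(errno));
        return 1;
    }
    printf("running as uid %lu gid %lu\n",
           (unsigned long)geteuid(), (unsigned long)getegid());
    return 0;
}
```

A complete drop in a root daemon also clears supplementary groups with setgroups() before the setgid(); it is left out here because it needs root and a platform-specific declaration, but it must get the same return-value check. The failure path in main() reports strerror(errno), which is the information the bare `_exit(EXIT_FAILURE)` in the ftpd hunks throws away.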

[OE-core][kirkstone][PATCH 1/1] nghttp2: fix CVE-2023-35945

2023-08-25 Thread Urade, Yogita via lists.openembedded.org
From: Yogita Urade 

Envoy is a cloud-native high-performance edge/middle/service
proxy. Envoy’s HTTP/2 codec may leak a header map and
bookkeeping structures upon receiving `RST_STREAM` immediately
followed by the `GOAWAY` frames from an upstream server. In
nghttp2, cleanup of pending requests due to receipt of the
`GOAWAY` frame skips de-allocation of the bookkeeping structure
and pending compressed header. The error return [code path] is
taken if the connection is already marked for not sending more
requests due to `GOAWAY` frame. The clean-up code is right after
the return statement, causing a memory leak. Denial of service
through memory exhaustion. This vulnerability was patched in
version(s) 1.26.3, 1.25.8, 1.24.9, 1.23.11.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-35945
https://github.com/envoyproxy/envoy/security/advisories/GHSA-jfxv-29pc-x22r

Signed-off-by: Yogita Urade 
---
 .../nghttp2/nghttp2/CVE-2023-35945.patch  | 151 ++
 .../recipes-support/nghttp2/nghttp2_1.47.0.bb |   1 +
 2 files changed, 152 insertions(+)
 create mode 100644 meta/recipes-support/nghttp2/nghttp2/CVE-2023-35945.patch

diff --git a/meta/recipes-support/nghttp2/nghttp2/CVE-2023-35945.patch 
b/meta/recipes-support/nghttp2/nghttp2/CVE-2023-35945.patch
new file mode 100644
index 00..e03915fda8
--- /dev/null
+++ b/meta/recipes-support/nghttp2/nghttp2/CVE-2023-35945.patch
@@ -0,0 +1,151 @@
+From ce385d3f55a4b76da976b3bdf71fe2deddf315ba Mon Sep 17 00:00:00 2001
+From: Tatsuhiro Tsujikawa 
+Date: Thu, 24 Aug 2023 09:34:26 +
+Subject: [PATCH] Fix memory leak
+
+This commit fixes memory leak that happens when PUSH_PROMISE or
+HEADERS frame cannot be sent, and nghttp2_on_stream_close_callback
+fails with a fatal error.  For example, if GOAWAY frame has been
+received, a HEADERS frame that opens new stream cannot be sent.
+
+This issue has already been made public via CVE-2023-35945 [1] issued
+by envoyproxy/envoy project.  During embargo period, the patch to fix
+this bug was accidentally submitted to nghttp2/nghttp2 repository [2].
+And they decided to disclose CVE early.  I was notified just 1.5 hours
+before disclosure.  I had no time to respond.
+
+PoC described in [1] is quite simple, but I think it is not enough to
+trigger this bug.  While it is true that receiving GOAWAY prevents a
+client from opening new stream, and nghttp2 enters error handling
+branch, in order to cause the memory leak,
+nghttp2_session_close_stream function must return a fatal error.
+nghttp2 defines 2 fatal error codes:
+
+- NGHTTP2_ERR_NOMEM
+- NGHTTP2_ERR_CALLBACK_FAILURE
+
+NGHTTP2_ERR_NOMEM, as its name suggests, indicates out of memory.  It
+is unlikely that a process gets short of memory with this simple PoC
+scenario unless application does something memory heavy processing.
+
+NGHTTP2_ERR_CALLBACK_FAILURE is returned from application defined
+callback function (nghttp2_on_stream_close_callback, in this case),
+which indicates something fatal happened inside a callback, and a
+connection must be closed immediately without any further action.  As
+nghttp2_on_stream_close_error_callback documentation says, any error
+code other than 0 or NGHTTP2_ERR_CALLBACK_FAILURE is treated as fatal
+error code.  More specifically, it is treated as if
+NGHTTP2_ERR_CALLBACK_FAILURE is returned.  I guess that envoy returns
+NGHTTP2_ERR_CALLBACK_FAILURE or other error code which is translated
+into NGHTTP2_ERR_CALLBACK_FAILURE.
+
+[1] https://github.com/envoyproxy/envoy/security/advisories/GHSA-jfxv-29pc-x22r
+[2] https://github.com/nghttp2/nghttp2/pull/1929
+
+CVE: CVE-2023-35945
+
+Upstream-Status: Backport 
[https://github.com/nghttp2/nghttp2/commit/ce385d3f55a4b76da976b3bdf71fe2deddf315ba]
+
+Signed-off-by: Yogita Urade 
+---
+ lib/nghttp2_session.c| 10 +-
+ tests/nghttp2_session_test.c | 34 ++
+ 2 files changed, 39 insertions(+), 5 deletions(-)
+
+diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c
+index 380a47c..2d9285f 100644
+--- a/lib/nghttp2_session.c
 b/lib/nghttp2_session.c
+@@ -2940,6 +2940,7 @@ static ssize_t 
nghttp2_session_mem_send_internal(nghttp2_session *session,
+   if (rv < 0) {
+ int32_t opened_stream_id = 0;
+ uint32_t error_code = NGHTTP2_INTERNAL_ERROR;
++int rv2 = 0;
+
+ DEBUGF("send: frame preparation failed with %s\n",
+nghttp2_strerror(rv));
+@@ -2982,19 +2983,18 @@ static ssize_t 
nghttp2_session_mem_send_internal(nghttp2_session *session,
+ }
+ if (opened_stream_id) {
+   /* careful not to override rv */
+-  int rv2;
+   rv2 = nghttp2_session_close_stream(session, opened_stream_id,
+  error_code);
+-
+-  if (nghttp2_is_fatal(rv2)) {
+-return rv2;
+-  }
+ }
+
+ nghttp2_outbound_item_free(item, mem);
+ nghttp2_mem_free(mem, item);
+ 
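Review bot: this is the same change as the mickledore copy of this upstream commit above, with hunk offsets shifted for nghttp2 1.47.0, yet the Date: header here (Thu, 24 Aug 2023) differs from the one there (Mon, 4 Sep 2023) while both claim the same `From ce385d3f...` commit; the headers were evidently regenerated locally, so the Date: line does not describe the upstream commit and misleads anyone cross-checking the backport, and the later `nghttp2_is_fatal(rv2)` check that must follow the two free calls is again outside the portion shown here.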

[OE-core][mickledore][PATCH 3/3] qemu: fix CVE-2023-2861

2023-08-10 Thread Urade, Yogita via lists.openembedded.org
qemu: 9pfs: prevent opening special files

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2023-2861

Signed-off-by: Yogita Urade 
---
 meta/recipes-devtools/qemu/qemu.inc   |   1 +
 .../qemu/qemu/CVE-2023-2861.patch | 171 ++
 2 files changed, 172 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc 
b/meta/recipes-devtools/qemu/qemu.inc
index 0112c29a8c..bc0d956e18 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -39,6 +39,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
   file://CVE-2023-0330.patch \
   file://CVE-2023-3301.patch \
   file://CVE-2023-3255.patch \
+  file://CVE-2023-2861.patch \
"
 UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar"
 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch 
b/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch
new file mode 100644
index 00..34be8afe16
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch
@@ -0,0 +1,171 @@
+From f6b0de53fb87ddefed348a39284c8e2f28dc4eda Mon Sep 17 00:00:00 2001
+From: Christian Schoenebeck 
+Date: Wed, 2 Aug 2023 13:02:55 +
+Subject: [PATCH] 9pfs: prevent opening special files (CVE-2023-2861)
+
+The 9p protocol does not specifically define how server shall behave when
+client tries to open a special file, however from security POV it does
+make sense for 9p server to prohibit opening any special file on host side
+in general. A sane Linux 9p client for instance would never attempt to
+open a special file on host side, it would always handle those exclusively
+on its guest side. A malicious client however could potentially escape
+from the exported 9p tree by creating and opening a device file on host
+side.
+
+With QEMU this could only be exploited in the following unsafe setups:
+
+  - Running QEMU binary as root AND 9p 'local' fs driver AND 'passthrough'
+security model.
+
+or
+
+  - Using 9p 'proxy' fs driver (which is running its helper daemon as
+root).
+
+These setups were already discouraged for safety reasons before,
+however for obvious reasons we are now tightening behaviour on this.
+
+Fixes: CVE-2023-2861
+Reported-by: Yanwu Shen 
+Reported-by: Jietao Xiao 
+Reported-by: Jinku Li 
+Reported-by: Wenbo Shen 
+Signed-off-by: Christian Schoenebeck 
+Reviewed-by: Greg Kurz 
+Reviewed-by: Michael Tokarev 
+Message-Id: 
+
+CVE: CVE-2023-2861
+
+Upstream-Status: Backport 
[https://github.com/qemu/qemu/commit/10fad73a2bf1c76c8aa9d6322755e5f877d83ce5]
+
+Signed-off-by: Yogita Urade 
+---
+ fsdev/virtfs-proxy-helper.c | 27 --
+ hw/9pfs/9p-util.h   | 38 +
+ 2 files changed, 63 insertions(+), 2 deletions(-)
+
+diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c
+index 5cafcd770..d9511f429 100644
+--- a/fsdev/virtfs-proxy-helper.c
 b/fsdev/virtfs-proxy-helper.c
+@@ -26,6 +26,7 @@
+ #include "qemu/xattr.h"
+ #include "9p-iov-marshal.h"
+ #include "hw/9pfs/9p-proxy.h"
++#include "hw/9pfs/9p-util.h"
+ #include "fsdev/9p-iov-marshal.h"
+
+ #define PROGNAME "virtfs-proxy-helper"
+@@ -338,6 +339,28 @@ static void resetugid(int suid, int sgid)
+ }
+ }
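Review bot: the `From f6b0de53fb87...` line at the top of the patch does not match the commit named in Upstream-Status (10fad73a2bf1...), and the Message-Id: line is empty; fix the header so the commit being backported is unambiguous.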
+
++/*
++ * Open regular file or directory. Attempts to open any special file are
++ * rejected.
++ *
++ * returns file descriptor or -1 on error
++ */
++static int open_regular(const char *pathname, int flags, mode_t mode)
++{
++int fd;
++
++fd = open(pathname, flags, mode);
++if (fd < 0) {
++return fd;
++}
++
++if (close_if_special_file(fd) < 0) {
++return -1;
++}
++
++return fd;
++}
++
+ /*
+  * send response in two parts
+  * 1) ProxyHeader
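Review bot: the callers turn a negative return into `ret = -errno` (see the do_create/do_open hunks below), so close_if_special_file() must leave a meaningful errno after closing the fd, including preserving the fstat() errno through close_preserve_errno() from 9p-util.h; its body is truncated in this archive, so check that against the upstream commit.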
+@@ -682,7 +705,7 @@ static int do_create(struct iovec *iovec)
+ if (ret < 0) {
+ goto unmarshal_err_out;
+ }
+-ret = open(path.data, flags, mode);
++ret = open_regular(path.data, flags, mode);
+ if (ret < 0) {
+ ret = -errno;
+ }
+@@ -707,7 +730,7 @@ static int do_open(struct iovec *iovec)
+ if (ret < 0) {
+ goto err_out;
+ }
+-ret = open(path.data, flags);
++ret = open_regular(path.data, flags, 0);
+ if (ret < 0) {
+ ret = -errno;
+ }
+diff --git a/hw/9pfs/9p-util.h b/hw/9pfs/9p-util.h
+index c3526144c..6b44e5f7a 100644
+--- a/hw/9pfs/9p-util.h
 b/hw/9pfs/9p-util.h
+@@ -13,6 +13,8 @@
+ #ifndef QEMU_9P_UTIL_H
+ #define QEMU_9P_UTIL_H
+
++#include "qemu/error-report.h"
++
+ #ifdef O_PATH
+ #define O_PATH_9P_UTIL O_PATH
+ #else
+@@ -112,6 +114,38 @@ static inline void close_preserve_errno(int fd)
+ errno = serrno;
+ }
+
++/**
++ * close_if_special_file() - Close @fd if neither regular file nor directory.
++ *
++ * @fd: file descriptor of open file
++ * Return: 0 on regular file or directory, -1 otherwise
++ *
++ * CVE-2023-2861: Prohibit opening any special 
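The open-then-fstat pattern behind open_regular(), as an added example that is not QEMU code (`open_regular_or_dir`, `close_keep_errno` and `probe` are hypothetical names; `/dev/null` and `.` are the constructed inputs): the file type is checked on the descriptor that was actually opened, so a client cannot swap a regular file for a device node between a path-based check and the open, and a rejected open reports ENXIO through errno so that a caller doing `ret = -errno` returns a sensible code.

```c
/* Added example, not QEMU code: refuse descriptors to special files
 * using fstat() on the opened fd rather than stat() on the path. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* close() can clobber errno; keep the error the caller is about to report. */
static void close_keep_errno(int fd)
{
    int saved = errno;
    close(fd);
    errno = saved;
}

/*
 * Open pathname and return the descriptor only if it refers to a regular
 * file or a directory. Anything else (character/block device, FIFO,
 * socket) is closed again and -1 is returned with errno = ENXIO.
 */
int open_regular_or_dir(const char *pathname, int flags, mode_t mode)
{
    struct stat st;
    int fd = open(pathname, flags, mode);

    if (fd < 0) {
        return -1;                         /* errno from open() */
    }
    if (fstat(fd, &st) < 0) {
        close_keep_errno(fd);              /* errno from fstat() */
        return -1;
    }
    if (!S_ISREG(st.st_mode) && !S_ISDIR(st.st_mode)) {
        close(fd);
        errno = ENXIO;                     /* "no such device or address" */
        return -1;
    }
    return fd;
}

/* Test probe: 1 = accepted, 0 = rejected as special, -errno = other error. */
int probe(const char *pathname)
{
    int fd = open_regular_or_dir(pathname, O_RDONLY, 0);

    if (fd >= 0) {
        close(fd);
        return 1;
    }
    return errno == ENXIO ? 0 : -errno;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/dev/null";
    int fd = open_regular_or_dir(path, O_RDONLY, 0);

    if (fd < 0) {
        fprintf(stderr, "%s: refused: %s\n", path, strerror(errno));
        return 1;
    }
    printf("%s: ok (fd %d)\n", path, fd);
    close(fd);
    return 0;
}
```

Two limits worth knowing: open() on a device node already runs the driver's open routine before the check can reject it, and open() on a FIFO can block; where that matters a Linux server opens with O_PATH (the 9p-util.h context above carries the O_PATH fallback macro for exactly this), fstat()s the path descriptor, and only then opens the file for data.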

[OE-core][mickledore][PATCH 2/3] qemu: fix CVE-2023-3255

2023-08-10 Thread Urade, Yogita via lists.openembedded.org
QEMU: VNC: infinite loop in inflate_buffer() leads to denial of service

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2023-3255

Signed-off-by: Yogita Urade 
---
 meta/recipes-devtools/qemu/qemu.inc   |  1 +
 .../qemu/qemu/CVE-2023-3255.patch | 65 +++
 2 files changed, 66 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-3255.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc 
b/meta/recipes-devtools/qemu/qemu.inc
index f5b408036a..0112c29a8c 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -38,6 +38,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://ppc.patch \
   file://CVE-2023-0330.patch \
   file://CVE-2023-3301.patch \
+  file://CVE-2023-3255.patch \
"
 UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar"
 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-3255.patch 
b/meta/recipes-devtools/qemu/qemu/CVE-2023-3255.patch
new file mode 100644
index 00..661af629b0
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-3255.patch
@@ -0,0 +1,65 @@
+From d921fea338c1059a27ce7b75309d7a2e485f710b Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella 
+Date: Wed, 2 Aug 2023 12:29:55 +
+Subject: [PATCH] ui/vnc-clipboard: fix infinite loop in inflate_buffer
+ (CVE-2023-3255) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8
+ Content-Transfer-Encoding: 8bit MIME-Version: 1.0 Content-Type: text/plain;
+ charset=UTF-8 Content-Transfer-Encoding: 8bit
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+A wrong exit condition may lead to an infinite loop when inflating a
+valid zlib buffer containing some extra bytes in the `inflate_buffer`
+function. The bug only occurs post-authentication. Return the buffer
+immediately if the end of the compressed data has been reached
+(Z_STREAM_END).
+
+Fixes: CVE-2023-3255
+Fixes: 0bf41cab ("ui/vnc: clipboard support")
+Reported-by: Kevin Denis 
+Signed-off-by: Mauro Matteo Cascella 
+Reviewed-by: Marc-André Lureau 
+Tested-by: Marc-André Lureau 
+Message-ID: <20230704084210.101822-1-mcasc...@redhat.com>
+
+CVE: CVE-2023-3255
+
+Upstream-Status: Backport 
[https://github.com/qemu/qemu/commit/d921fea338c1059a27ce7b75309d7a2e485f710b]
+
+Signed-off-by: Yogita Urade 
+---
+ ui/vnc-clipboard.c | 10 --
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/ui/vnc-clipboard.c b/ui/vnc-clipboard.c
+index 8aeadfaa2..c759be343 100644
+--- a/ui/vnc-clipboard.c
 b/ui/vnc-clipboard.c
+@@ -50,8 +50,11 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t 
in_len, uint32_t *size)
+ ret = inflate(, Z_FINISH);
+ switch (ret) {
+ case Z_OK:
+-case Z_STREAM_END:
+ break;
++case Z_STREAM_END:
++*size = stream.total_out;
++inflateEnd();
++return out;
+ case Z_BUF_ERROR:
+ out_len <<= 1;
+ if (out_len > (1 << 20)) {
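Review bot: the new `case Z_STREAM_END:` arm returns `out` the moment zlib reports end of stream, which breaks the loop the commit message describes, but it also means any bytes left over in `in` after the deflate stream (the "extra bytes" the message mentions) are now silently accepted rather than rejected; since this data comes from an authenticated VNC peer it would be worth checking `stream.avail_in` and logging when it is non-zero so malformed senders remain visible. Note also that `case Z_OK:` still only breaks out of the switch and relies on the enclosing loop to call `inflate()` again, so the loop now terminates only through the `Z_STREAM_END` return or the error arms.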
+@@ -66,11 +69,6 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t 
in_len, uint32_t *size)
+ }
+ }
+
+-*size = stream.total_out;
+-inflateEnd();
+-
+-return out;
+-
+ err_end:
+ inflateEnd();
+ err:
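Review bot: with the unconditional `*size = stream.total_out; inflateEnd(); return out;` removed after the loop, control that leaves the loop's closing brace now falls straight into `err_end:` and is treated as an error. That is correct only if the loop has no normal exit condition (a `for (;;)` or `while (1)` header); the header is outside this hunk's context, so please confirm it, and consider a short comment after the loop stating that falling through to `err_end:` is intentional so a later reader does not "restore" the removed return.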
+--
+2.40.0
-- 
2.35.5


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#185726): 
https://lists.openembedded.org/g/openembedded-core/message/185726
Mute This Topic: https://lists.openembedded.org/mt/100659285/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



[OE-core][mickledore][PATCH 1/3] qemu: fix CVE-2023-3301

2023-08-10 Thread Urade, Yogita via lists.openembedded.org
qemu: hotplug/hotunplug mlx vdpa device to the occupied addr port,
then qemu core dump occurs after shutdown guest

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2023-3301

Signed-off-by: Yogita Urade 
---
 meta/recipes-devtools/qemu/qemu.inc   |  1 +
 .../qemu/qemu/CVE-2023-3301.patch | 65 +++
 2 files changed, 66 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-3301.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc 
b/meta/recipes-devtools/qemu/qemu.inc
index 9233378925..f5b408036a 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -37,6 +37,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://qemu-guest-agent.udev \
file://ppc.patch \
   file://CVE-2023-0330.patch \
+  file://CVE-2023-3301.patch \
"
 UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar"
 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-3301.patch 
b/meta/recipes-devtools/qemu/qemu/CVE-2023-3301.patch
new file mode 100644
index 00..977f017ed2
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-3301.patch
@@ -0,0 +1,65 @@
+From a0d7215e339b61c7d7a7b3fcf754954d80d93eb8 Sep 17 00:00:00 2001
+From: Ani Sinha 
+Date: Wed, 2 Aug 2023 09:25:27 +
+Subject: [PATCH] vhost-vdpa: do not cleanup the vdpa/vhost-net structures if
+ peer nic is present
+
+When a peer nic is still attached to the vdpa backend, it is too early to free
+up the vhost-net and vdpa structures. If these structures are freed here, then
+QEMU crashes when the guest is being shut down. The following call chain
+would result in an assertion failure since the pointer returned from
+vhost_vdpa_get_vhost_net() would be NULL:
+
+do_vm_stop() -> vm_state_notify() -> virtio_set_status() ->
+virtio_net_vhost_status() -> get_vhost_net().
+
+Therefore, we defer freeing up the structures until at guest shutdown
+time when qemu_cleanup() calls net_cleanup() which then calls
+qemu_del_net_client() which would eventually call vhost_vdpa_cleanup()
+again to free up the structures. This time, the loop in net_cleanup()
+ensures that vhost_vdpa_cleanup() will be called one last time when
+all the peer nics are detached and freed.
+
+All unit tests pass with this change.
+
+CC: imamm...@redhat.com
+CC: jus...@redhat.com
+CC: m...@redhat.com
+Fixes: CVE-2023-3301
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2128929
+Signed-off-by: Ani Sinha 
+Message-Id: <20230619065209.442185-1-anisi...@redhat.com>
+Reviewed-by: Michael S. Tsirkin 
+Signed-off-by: Michael S. Tsirkin 
+
+CVE: CVE-2023-3301
+
+Upstream-Status: Backport 
[https://github.com/qemu/qemu/commit/a0d7215e339b61c7d7a7b3fcf754954d80d93eb8]
+
+Signed-off-by: Yogita Urade 
+---
+ net/vhost-vdpa.c | 9 +
+ 1 file changed, 9 insertions(+)
+
+diff --git a/net/vhost-vdpa.c b/net/vhost-vdpa.c
+index 2b4b85d8f..8dbe929c1 100644
+--- a/net/vhost-vdpa.c
 b/net/vhost-vdpa.c
+@@ -158,6 +158,15 @@ err_init:
+ static void vhost_vdpa_cleanup(NetClientState *nc)
+ {
+ VhostVDPAState *s = DO_UPCAST(VhostVDPAState, nc, nc);
++
++/*
++ * If a peer NIC is attached, do not cleanup anything.
++ * Cleanup will happen as a part of qemu_cleanup() -> net_cleanup()
++ * when the guest is shutting down.
++ */
++if (nc->peer && nc->peer->info->type == NET_CLIENT_DRIVER_NIC) {
++  return;
++}
+ struct vhost_dev *dev = >vhost_net->dev;
+
+ qemu_vfree(s->cvq_cmd_out_buffer);
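Review bot: the early `return;` is inserted before the `struct vhost_dev *dev` declaration, so that declaration now follows statements, and the `return;` is indented with two spaces while the surrounding lines use four; both are worth tidying in the backport. Functionally, `nc->peer->info->type` is dereferenced with no test on `nc->peer->info`; if every peer `NetClientState` is guaranteed to have `info` set, a one-line comment saying so next to the check would help, otherwise add `nc->peer->info &&` to the condition.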
+--
+2.40.0
-- 
2.35.5


View/Reply Online (#185725): 
https://lists.openembedded.org/g/openembedded-core/message/185725



[OE-core][kirkstone][PATCH 1/1] qemu: fix CVE-2020-14394

2023-08-09 Thread Urade, Yogita via lists.openembedded.org
QEMU: infinite loop in xhci_ring_chain_length() in hw/usb/hcd-xhci.c

Reference:
https://gitlab.com/qemu-project/qemu/-/issues/646

Signed-off-by: Yogita Urade 
---
 meta/recipes-devtools/qemu/qemu.inc   |  1 +
 .../qemu/qemu/CVE-2020-14394.patch| 79 +++
 2 files changed, 80 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-14394.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc 
b/meta/recipes-devtools/qemu/qemu.inc
index 96a1cc93a5..8182342f92 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -97,6 +97,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2023-3301.patch \
file://CVE-2023-3255.patch \
file://CVE-2023-2861.patch \
+  file://CVE-2020-14394.patch \
"
 UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar"
 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-14394.patch 
b/meta/recipes-devtools/qemu/qemu/CVE-2020-14394.patch
new file mode 100644
index 00..aff91a7355
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-14394.patch
@@ -0,0 +1,79 @@
+From effaf5a240e03020f4ae953e10b764622c3e87cc Mon Sep 17 00:00:00 2001
+From: Thomas Huth 
+Date: Tue, 8 Aug 2023 10:44:51 +
+Subject: [PATCH] hw/usb/hcd-xhci: Fix unbounded loop in
+ xhci_ring_chain_length() (CVE-2020-14394)
+
+The loop condition in xhci_ring_chain_length() is under control of
+the guest, and additionally the code does not check for failed DMA
+transfers (e.g. if reaching the end of the RAM), so the loop there
+could run for a very long time or even forever. Fix it by checking
+the return value of dma_memory_read() and by introducing a maximum
+loop length.
+
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/646
+Message-Id: <20220804131300.96368-1-th...@redhat.com>
+Reviewed-by: Mauro Matteo Cascella 
+Acked-by: Gerd Hoffmann 
+Signed-off-by: Thomas Huth 
+
+CVE: CVE-2020-14394
+
+Upstream-Status: Backport 
[https://gitlab.com/qemu-project/qemu/-/commit/effaf5a240e03020f4ae953e10b764622c3e87cc]
+
+Signed-off-by: Yogita Urade 
+---
+ hw/usb/hcd-xhci.c | 23 +++
+ 1 file changed, 19 insertions(+), 4 deletions(-)
+
+diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
+index 14bdb8967..c63a36dcc 100644
+--- a/hw/usb/hcd-xhci.c
 b/hw/usb/hcd-xhci.c
+@@ -21,6 +21,7 @@
+
+ #include "qemu/osdep.h"
+ #include "qemu/timer.h"
++#include "qemu/log.h"
+ #include "qemu/module.h"
+ #include "qemu/queue.h"
+ #include "migration/vmstate.h"
+@@ -725,10 +726,14 @@ static int xhci_ring_chain_length(XHCIState *xhci, const 
XHCIRing *ring)
+ bool control_td_set = 0;
+ uint32_t link_cnt = 0;
+
+-while (1) {
++do {
+ TRBType type;
+-dma_memory_read(xhci->as, dequeue, , TRB_SIZE,
+-MEMTXATTRS_UNSPECIFIED);
++  if (dma_memory_read(xhci->as, dequeue, , TRB_SIZE,
++MEMTXATTRS_UNSPECIFIED) != MEMTX_OK) {
++qemu_log_mask(LOG_GUEST_ERROR, "%s: DMA memory access failed!\n",
++  __func__);
++return -1;
++  }
+ le64_to_cpus();
+ le32_to_cpus();
+ le32_to_cpus();
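Review bot: the new early `return -1` on a failed `dma_memory_read()` changes the contract of `xhci_ring_chain_length()` for any caller that assumed a non-negative length; the callers are not in this hunk's context, so the review should confirm each of them treats a negative return as an error rather than as a length. The inserted `if` block is indented with two spaces where the surrounding code uses four, which should be aligned in the backport.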
+@@ -762,7 +767,17 @@ static int xhci_ring_chain_length(XHCIState *xhci, const 
XHCIRing *ring)
+ if (!control_td_set && !(trb.control & TRB_TR_CH)) {
+ return length;
+ }
+-}
++
++  /*
++   * According to the xHCI spec, Transfer Ring segments should have
++   * a maximum size of 64 kB (see chapter "6 Data Structures")
++   */
++} while (length < TRB_LINK_LIMIT * 65536 / TRB_SIZE);
++
++qemu_log_mask(LOG_GUEST_ERROR, "%s: exceeded maximum tranfer ring 
size!\n",
++  __func__);
++
++return -1;
+ }
+
+ static void xhci_er_reset(XHCIState *xhci, int v)
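Review bot: the `LOG_GUEST_ERROR` message reads "exceeded maximum tranfer ring size" (typo, should be `transfer`); since this string is what an operator will search for when a guest trips the new bound, fix it in the backport or note that it is inherited from upstream. The comment cites the 64 kB segment size from the xHCI spec, but the bound actually used is `TRB_LINK_LIMIT * 65536 / TRB_SIZE`; a sentence explaining that this is the link limit times TRBs per maximum-size segment would make the constant self-explaining.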
+--
+2.35.5
-- 
2.40.0


View/Reply Online (#185688): 
https://lists.openembedded.org/g/openembedded-core/message/185688



[oe-core][kirkstone][PATCH 1/1] bind: fix CVE-2023-2911

2023-07-21 Thread Urade, Yogita via lists.openembedded.org
If the `recursive-clients` quota is reached on a BIND 9 resolver
configured with both `stale-answer-enable yes;` and
`stale-answer-client-timeout 0;`, a sequence of serve-stale-related
lookups could cause `named` to loop and terminate unexpectedly due
to a stack overflow.
This issue affects BIND 9 versions 9.16.33 through 9.16.41, 9.18.7
through 9.18.15, 9.16.33-S1 through 9.16.41-S1, and 9.18.11-S1
through 9.18.15-S1.

References:
https://kb.isc.org/docs/cve-2023-2911
https://downloads.isc.org/isc/bind9/9.18.16/doc/arm/html/notes.html#notes-for-bind-9-18-16

Signed-off-by: Yogita Urade 
---
 .../bind/bind-9.18.11/CVE-2023-2911.patch | 109 ++
 .../recipes-connectivity/bind/bind_9.18.11.bb |   1 +
 2 files changed, 110 insertions(+)
 create mode 100644 
meta/recipes-connectivity/bind/bind-9.18.11/CVE-2023-2911.patch

diff --git a/meta/recipes-connectivity/bind/bind-9.18.11/CVE-2023-2911.patch 
b/meta/recipes-connectivity/bind/bind-9.18.11/CVE-2023-2911.patch
new file mode 100644
index 00..729d13ee18
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind-9.18.11/CVE-2023-2911.patch
@@ -0,0 +1,109 @@
+From 2d6982985021ee354469a0fc380008d6c6fa8ae2 Mon Sep 17 00:00:00 2001
+From: Michal Nowak 
+Date: Thu, 20 Jul 2023 08:07:32 +
+Subject: [PATCH] Merge branch '4089-confidential-stale-query-loop-bind-9.18'
+ into 'security-bind-9.18'
+
+[9.18][CVE-2023-2911] Fix stale-answer-client-timeout 0 crash
+
+See merge request isc-private/bind9!523
+
+CVE-2023-2911
+
+Upstream-Status: Backport 
[https://gitlab.isc.org/isc-projects/bind9/-/commit/2d6982985021ee354469a0fc380008d6c6fa8ae2]
+
+Signed-off-by: Yogita Urade 
+---
+ CHANGES|  7 +++
+ lib/ns/query.c | 29 +
+ 2 files changed, 28 insertions(+), 8 deletions(-)
+
+diff --git a/CHANGES b/CHANGES
+index ca2f3a3..0e18f27 100644
+--- a/CHANGES
 b/CHANGES
+@@ -1,3 +1,10 @@
++6192. [security]  A query that prioritizes stale data over lookup
++  triggers a fetch to refresh the stale data in cache.
++  If the fetch is aborted for exceeding the recursion
++  quota, it was possible for 'named' to enter an infinite
++  callback loop and crash due to stack overflow. This has
++  been fixed. (CVE-2023-2911) [GL #4089]
++
+   --- 9.18.11 released ---
+
+ 6067. [security]  Fix serve-stale crash when recursive clients soft quota
+diff --git a/lib/ns/query.c b/lib/ns/query.c
+index 0d2ba6b..7a812e6 100644
+--- a/lib/ns/query.c
 b/lib/ns/query.c
+@@ -5824,6 +5824,7 @@ query_refresh_rrset(query_ctx_t *orig_qctx) {
+   qctx.client->query.dboptions &= ~(DNS_DBFIND_STALETIMEOUT |
+ DNS_DBFIND_STALEOK |
+ DNS_DBFIND_STALEENABLED);
++  qctx.client->nodetach = false;
+
+   /*
+* We'll need some resources...
+@@ -6076,7 +6077,13 @@ query_lookup(query_ctx_t *qctx) {
+   "%s stale answer used, an attempt to "
+   "refresh the RRset will still be made",
+   namebuf);
++
+   qctx->refresh_rrset = STALE(qctx->rdataset);
++  /*
++   * If we are refreshing the RRSet, we must not
++   * detach from the client in query_send().
++   */
++  qctx->client->nodetach = qctx->refresh_rrset;
+   ns_client_extendederror(
+   qctx->client, ede,
+   "stale data prioritized over lookup");
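Review bot: `qctx->client->nodetach = qctx->refresh_rrset;` puts the client into a no-detach state whenever a refresh is flagged, and the only place that clears it again is `query_refresh_rrset()` in the previous hunk. If a refresh is flagged here but some error path leaves `query_send()` without ever reaching `query_refresh_rrset()`, the client stays marked `nodetach` and the reference it holds is never released; the review should walk those exits, and the comment added here should say where the flag is cleared.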
+@@ -6503,7 +6510,7 @@ ns_query_recurse(ns_client_t *client, dns_rdatatype_t 
qtype, dns_name_t *qname,
+   if (recparam_match(>query.recparam, qtype, qname, qdomain)) {
+   ns_client_log(client, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_QUERY,
+ ISC_LOG_INFO, "recursion loop detected");
+-  return (ISC_R_FAILURE);
++  return (ISC_R_ALREADYRUNNING);
+   }
+
+   recparam_update(>query.recparam, qtype, qname, qdomain);
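Review bot: switching the recursion-loop return from `ISC_R_FAILURE` to `ISC_R_ALREADYRUNNING` lets `query_usestale()` in the next hunk recognise the loop and refuse to re-enter serve-stale, but any other caller of `ns_query_recurse()` that compared against `ISC_R_FAILURE` will now see a different code; grep the callers for that comparison. A comment at the `return` explaining that the value is deliberately distinguishable would prevent a future cleanup from reverting it.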
+@@ -7620,10 +7627,21 @@ query_usestale(query_ctx_t *qctx, isc_result_t result) 
{
+   return (false);
+   }
+
+-  if (result == DNS_R_DUPLICATE || result == DNS_R_DROP) {
++  if (qctx->refresh_rrset) {
++  /*
++   * This is a refreshing query, we have already prioritized
++   * stale data, so don't enable serve-stale again.
++   */
++  return (false);
++  }
++
++  if (result == DNS_R_DUPLICATE || result == DNS_R_DROP ||
++  result == ISC_R_ALREADYRUNNING)
++  {
+   /*
+* Don't enable serve-stale if the result signals a duplicate
+-   * query or 
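Review bot: the new `if (qctx->refresh_rrset)` early return is the actual loop breaker (a refreshing query never re-enables serve-stale), and the extended condition adds `ISC_R_ALREADYRUNNING` to the duplicate/drop cases; the hunk is cut off here in the archive, so the in-code comment that follows cannot be checked, but it should list `ISC_R_ALREADYRUNNING` alongside duplicate and drop so the three cases stay documented together.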

[oe-core][mickledore][PATCH 1/1] dmidecode: fix CVE-2023-30630

2023-07-13 Thread Urade, Yogita via lists.openembedded.org
Dmidecode before 3.5 allows -dump-bin to overwrite a local file.
This has security relevance because, for example, execution of
Dmidecode via Sudo is plausible.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-30630
https://lists.nongnu.org/archive/html/dmidecode-devel/2023-04/msg00016.html
https://lists.nongnu.org/archive/html/dmidecode-devel/2023-04/msg00017.html

Signed-off-by: Yogita Urade 
---
 .../dmidecode/CVE-2023-30630_1.patch  | 237 ++
 .../dmidecode/CVE-2023-30630_2.patch  |  81 ++
 .../dmidecode/CVE-2023-30630_3.patch  |  69 +
 .../dmidecode/CVE-2023-30630_4.patch  | 137 ++
 .../dmidecode/dmidecode_3.4.bb|   4 +
 5 files changed, 528 insertions(+)
 create mode 100644 
meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_1.patch
 create mode 100644 
meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_2.patch
 create mode 100644 
meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_3.patch
 create mode 100644 
meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_4.patch

diff --git a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_1.patch 
b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_1.patch
new file mode 100644
index 00..53480d6299
--- /dev/null
+++ b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_1.patch
@@ -0,0 +1,237 @@
+From  d8cfbc808f387e87091c25e7d5b8c2bb348bb206 Mon Sep 17 00:00:00 2001
+From: Jean Delvare 
+Date: Tue, 27 Jun 2023 09:40:23 +
+Subject: [PATCH] dmidecode: Write the whole dump file at once
+
+When option --dump-bin is used, write the whole dump file at once,
+instead of opening and closing the file separately for the table
+and then for the entry point.
+
+As the file writing function is no longer generic, it gets moved
+from util.c to dmidecode.c.
+
+One minor functional change resulting from the new implementation is
+that the entry point is written first now, so the messages printed
+are swapped.
+
+Signed-off-by: Jean Delvare 
+Reviewed-by: Jerry Hoemann 
+
+CVE: CVE-2023-30630
+
+Reference: 
https://github.com/mirror/dmidecode/commit/39b2dd7b6ab719b920e96ed832cfb4bdd664e808
+
+Upstream-Status: Backport 
[https://github.com/mirror/dmidecode/commit/d8cfbc808f387e87091c25e7d5b8c2bb348bb206]
+
+Signed-off-by: Yogita Urade 
+---
+ dmidecode.c | 79 +++--
+ util.c  | 40 ---
+ util.h  |  1 -
+ 3 files changed, 58 insertions(+), 62 deletions(-)
+
+diff --git a/dmidecode.c b/dmidecode.c
+index 9aeff91..5477309 100644
+--- a/dmidecode.c
 b/dmidecode.c
+@@ -5427,11 +5427,56 @@ static void dmi_table_string(const struct dmi_header 
*h, const u8 *data, u16 ver
+   }
+ }
+
+-static void dmi_table_dump(const u8 *buf, u32 len)
++static int dmi_table_dump(const u8 *ep, u32 ep_len, const u8 *table,
++u32 table_len)
+ {
++  FILE *f;
++
++  f = fopen(opt.dumpfile, "wb");
++  if (!f)
++  {
++  fprintf(stderr, "%s: ", opt.dumpfile);
++  perror("fopen");
++  return -1;
++  }
++
++  if (!(opt.flags & FLAG_QUIET))
++  pr_comment("Writing %d bytes to %s.", ep_len, opt.dumpfile);
++  if (fwrite(ep, ep_len, 1, f) != 1)
++  {
++  fprintf(stderr, "%s: ", opt.dumpfile);
++  perror("fwrite");
++  goto err_close;
++  }
++
++  if (fseek(f, 32, SEEK_SET) != 0)
++  {
++  fprintf(stderr, "%s: ", opt.dumpfile);
++  perror("fseek");
++  goto err_close;
++  }
++
+   if (!(opt.flags & FLAG_QUIET))
+-  pr_comment("Writing %d bytes to %s.", len, opt.dumpfile);
+-  write_dump(32, len, buf, opt.dumpfile, 0);
++  pr_comment("Writing %d bytes to %s.", table_len, opt.dumpfile);
++  if (fwrite(table, table_len, 1, f) != 1)
++  {
++  fprintf(stderr, "%s: ", opt.dumpfile);
++  perror("fwrite");
++  goto err_close;
++  }
++
++  if (fclose(f))
++  {
++  fprintf(stderr, "%s: ", opt.dumpfile);
++  perror("fclose");
++  return -1;
++  }
++
++  return 0;
++
++err_close:
++  fclose(f);
++  return -1;
+ }
+
+ static void dmi_table_decode(u8 *buf, u32 len, u16 num, u16 ver, u32 flags)
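Review bot: `fopen(opt.dumpfile, "wb")` still truncates whatever `opt.dumpfile` names and follows symlinks, so this hunk on its own does not stop `--dump-bin` from overwriting an arbitrary existing file, which is the behaviour CVE-2023-30630 describes; it only consolidates the two separate writes into one open. That is fine as the first of the four backported patches, but the series description should make clear that `_2` to `_4` carry the hardening. Two smaller points: `fseek(f, 32, SEEK_SET)` hard-codes the entry-point region size, so a named constant with a comment tying it to the entry point layout would help, and `dmi_table_dump()` now returns `int`, so the callers (moved in the following hunks) must check it.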
+@@ -5648,11 +5693,6 @@ static void dmi_table(off_t base, u32 len, u16 num, u32 
ver, const char *devmem,
+   return;
+   }
+
+-  if (opt.flags & FLAG_DUMP_BIN)
+-  dmi_table_dump(buf, len);
+-  else
+-  dmi_table_decode(buf, len, num, ver >> 8, flags);
+-
+   free(buf);
+ }
+
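Review bot: removing the `FLAG_DUMP_BIN` dispatch leaves `dmi_table()` reading the table and then only freeing it; the `dmi_table_dump()` / `dmi_table_decode()` call has to be reinstated in the callers that hold the entry point (the `smbios3_decode()` hunk that follows starts adding a `table` pointer for that). The review should verify that every entry-point path (SMBIOS 3, SMBIOS 2, legacy DMI) reaches both the dump and the decode case, otherwise `--dump-bin` would silently produce no table data.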
+@@ -5688,8 +5728,9 @@ static void overwrite_smbios3_address(u8 *buf)
+
+ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags)
+ {
+-  u32 ver;
++  u32 ver, len;
+   u64 offset;
++  u8 *table;
+
+   /* Don't let checksum run beyond the 

Re: [oe-core][kirkstone][PATCH V2 5/6] webkitgtk: fix CVE-2023-23517 CVE-2023-23518

2023-06-20 Thread Urade, Yogita via lists.openembedded.org


On 19-06-2023 19:33, Steve Sakoman wrote:

I wasn't able to take this patch because it too failed during do_patch
at build time.  Please submit a v2 with this corrected.

I was able to take the other patches in this series though, so you
only need to submit v2 for the two that I wasn't able to take.

Steve


Thanks Steve!

I'll submit V2 for these two patches.

Regards,
Yogita


On Fri, Jun 9, 2023 at 4:09 AM Urade, Yogita via
lists.openembedded.org
 wrote:

The issue was addressed with improved memory handling.
This issue is fixed in macOS Ventura 13.2, macOS Monterey
12.6.3, tvOS 16.3, Safari 16.3, watchOS 9.3, iOS 16.3 and
iPadOS 16.3, macOS Big Sur 11.7.3. Processing maliciously
crafted web content may lead to arbitrary code execution.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-23517
https://support.apple.com/en-us/HT213638
https://bugs.webkit.org/show_bug.cgi?id=248268
https://github.com/WebKit/WebKit/pull/6756

Signed-off-by: Yogita Urade 
---
  .../CVE-2023-23517-CVE-2023-23518.patch   | 131 ++
  meta/recipes-sato/webkit/webkitgtk_2.36.8.bb  |   1 +
  2 files changed, 132 insertions(+)
  create mode 100644 
meta/recipes-sato/webkit/webkitgtk/CVE-2023-23517-CVE-2023-23518.patch

diff --git 
a/meta/recipes-sato/webkit/webkitgtk/CVE-2023-23517-CVE-2023-23518.patch 
b/meta/recipes-sato/webkit/webkitgtk/CVE-2023-23517-CVE-2023-23518.patch
new file mode 100644
index 00..721f045e0d
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2023-23517-CVE-2023-23518.patch
@@ -0,0 +1,131 @@
+From f44648f07471b6c34f61993baa8997f7519a18a1 Mon Sep 17 00:00:00 2001
+From: Youenn Fablet 
+Date: Mon, 28 Nov 2022 00:43:35 -0800
+Subject: [PATCH] Type getter is not needed for internal ReadableStream sources
+ https://bugs.webkit.org/show_bug.cgi?id=248268 rdar://102338913
+
+Reviewed by Eric Carlson.
+
+Make ReadableStreamSource method privates.
+In ReadableStream, use @getters instead of private getters to allow getting 
private values from prototype.
+Covered by added test.
+
+* LayoutTests/http/wpt/fetch/fetch-stream-source-expected.txt: Added.
+* LayoutTests/http/wpt/fetch/fetch-stream-source.html: Added.
+* Source/WebCore/Modules/streams/ReadableStream.js:
+(initializeReadableStream):
+* Source/WebCore/Modules/streams/ReadableStreamSource.idl:
+* Source/WebCore/bindings/js/JSDOMOperationReturningPromise.h:
+(WebCore::IDLOperationReturningPromise::call):
+
+Canonical link: https://commits.webkit.org/257063@main
+
+CVE: CVE-2023-23517 CVE-2023-23518
+
+Upstream-Status: Backport
+[https://github.com/WebKit/WebKit/commit/f44648f07471b6c34f61993baa8997f7519a18a1]
+
+Signed-off-by: Yogita Urade 
+---
+ .../fetch/fetch-stream-source-expected.txt|  3 +++
+ .../http/wpt/fetch/fetch-stream-source.html   | 24 +++
+ .../WebCore/Modules/streams/ReadableStream.js |  4 ++--
+ .../Modules/streams/ReadableStreamSource.idl  |  8 +++
+ .../js/JSDOMOperationReturningPromise.h   |  4 +++-
+ 5 files changed, 36 insertions(+), 7 deletions(-)
+ create mode 100644 LayoutTests/http/wpt/fetch/fetch-stream-source-expected.txt
+ create mode 100644 LayoutTests/http/wpt/fetch/fetch-stream-source.html
+
+diff --git a/LayoutTests/http/wpt/fetch/fetch-stream-source-expected.txt 
b/LayoutTests/http/wpt/fetch/fetch-stream-source-expected.txt
+new file mode 100644
+index ..856ea8180ca2
+--- /dev/null
 b/LayoutTests/http/wpt/fetch/fetch-stream-source-expected.txt
+@@ -0,0 +1,3 @@
++
++PASS Only JS streams should check type
++
+diff --git a/LayoutTests/http/wpt/fetch/fetch-stream-source.html 
b/LayoutTests/http/wpt/fetch/fetch-stream-source.html
+new file mode 100644
+index ..fbebfa5e524f
+--- /dev/null
 b/LayoutTests/http/wpt/fetch/fetch-stream-source.html
+@@ -0,0 +1,24 @@
++
++
++  
++
++Fetch and source
++
++
++  
++  
++
++promise_test(async () => {
++let counter = 0;
++Object.prototype.__defineGetter__("type", function() {
++counter++;
++});
++
++const response = await fetch('/');
++const fetchReadableStream = response.body;
++const [r1, r2] = fetchReadableStream.tee();
++assert_equals(counter, 0);
++}, "Only JS streams should check type");
++
++  
++
+diff --git a/Source/WebCore/Modules/streams/ReadableStream.js 
b/Source/WebCore/Modules/streams/ReadableStream.js
+index ddef56ecd460..7f0def325d84 100644
+--- a/Source/WebCore/Modules/streams/ReadableStream.js
 b/Source/WebCore/Modules/streams/ReadableStream.js
+@@ -48,10 +48,10 @@ function initializeReadableStream(underlyingSource, 
strategy)
+
+ // FIXME: We should introduce 
https://streams.spec.whatwg.org/#create-readable-stream.
+ // For now, we emulate this with underlyingSource with private properties.
+-if (@getByIdDirectP

[oe-core][kirkstone][PATCH V2 6/6] webkitgtk: fix CVE-2022-46700

2023-06-09 Thread Urade, Yogita via lists.openembedded.org
A memory corruption issue was addressed with improved input validation.
This issue is fixed in Safari 16.2, tvOS 16.2, macOS Ventura 13.1, iOS
15.7.2 and iPadOS 15.7.2, iOS 16.2 and iPadOS 16.2, watchOS 9.2. Processing
maliciously crafted web content may lead to arbitrary code execution.

References:
https://support.apple.com/en-us/HT213531
https://bugs.webkit.org/show_bug.cgi?id=247562
https://github.com/WebKit/WebKit/pull/6266

Signed-off-by: Yogita Urade 
---
 .../webkit/webkitgtk/CVE-2022-46700.patch | 67 +++
 meta/recipes-sato/webkit/webkitgtk_2.36.8.bb  |  1 +
 2 files changed, 68 insertions(+)
 create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2022-46700.patch

diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46700.patch 
b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46700.patch
new file mode 100644
index 00..242b8337fa
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46700.patch
@@ -0,0 +1,67 @@
+From 86fbeb6fcd638e2350b09a43dde355f9830e75da Mon Sep 17 00:00:00 2001
+From: David Degazio 
+Date: Tue, 8 Nov 2022 19:54:33 -0800
+Subject: [PATCH] Intl.Locale.prototype.hourCycles leaks empty JSValue to
+ script https://bugs.webkit.org/show_bug.cgi?id=247562 rdar://102031379
+
+Reviewed by Mark Lam.
+
+We currently don't check if IntlLocale::hourCycles returns a null JSArray, 
which allows it
+to be encoded as an empty JSValue and exposed to user code. This patch throws 
a TypeError
+when udatpg_open returns a failed status.
+
+* JSTests/stress/intl-locale-invalid-hourCycles.js: Added.
+(main):
+* Source/JavaScriptCore/runtime/IntlLocale.cpp:
+(JSC::IntlLocale::hourCycles):
+
+Canonical link: https://commits.webkit.org/256473@main
+
+CVE:CVE-2022-46700
+
+Upstream-Status: Backport
+[https://github.com/WebKit/WebKit/commit/86fbeb6fcd638e2350b09a43dde355f9830e75da]
+
+Signed-off-by: Yogita Urade 
+---
+ JSTests/stress/intl-locale-invalid-hourCycles.js | 12 
+ Source/JavaScriptCore/runtime/IntlLocale.cpp |  4 +++-
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+ create mode 100644 JSTests/stress/intl-locale-invalid-hourCycles.js
+
+diff --git a/JSTests/stress/intl-locale-invalid-hourCycles.js 
b/JSTests/stress/intl-locale-invalid-hourCycles.js
+new file mode 100644
+index ..7b94eb844764
+--- /dev/null
 b/JSTests/stress/intl-locale-invalid-hourCycles.js
+@@ -0,0 +1,12 @@
++function main() {
++const v24 = new Intl.Locale("trimEnd", { 'numberingSystem': "foobar" });
++let empty = v24.hourCycles;
++print(empty);
++}
++
++try {
++main();
++} catch (e) {
++if (!(e instanceof TypeError))
++throw e;
++}
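Review bot: the test only swallows a `TypeError`; if the fix regressed and `hourCycles` again returned an empty value, `print(empty)` would run and the script would finish without error, so the regression test would pass silently. Set a flag in the `catch` and throw after the `try` if it was never set, so the test fails when no `TypeError` is raised.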
+diff --git a/Source/JavaScriptCore/runtime/IntlLocale.cpp 
b/Source/JavaScriptCore/runtime/IntlLocale.cpp
+index c3c346163a18..bef424727a8a 100644
+--- a/Source/JavaScriptCore/runtime/IntlLocale.cpp
 b/Source/JavaScriptCore/runtime/IntlLocale.cpp
+@@ -632,8 +632,10 @@ JSArray* IntlLocale::hourCycles(JSGlobalObject* 
globalObject)
+
+ UErrorCode status = U_ZERO_ERROR;
+ auto generator = std::unique_ptr>(udatpg_open(m_localeID.data(), ));
+-if (U_FAILURE(status))
++if (U_FAILURE(status)) {
++throwTypeError(globalObject, scope, "invalid locale"_s);
+ return nullptr;
++}
+
+ // Use "j" skeleton and parse pattern to retrieve the configured 
hour-cycle information.
+ constexpr const UChar skeleton[] = { 'j', 0 };
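Review bot: `throwTypeError(globalObject, scope, "invalid locale"_s)` requires a `ThrowScope` named `scope` in this function; its declaration is outside this hunk's context, so confirm `IntlLocale::hourCycles()` in the 2.36.8 tree already has `DECLARE_THROW_SCOPE` above this point, otherwise the backport will not compile even though it applies cleanly.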
+--
+2.40.0
diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb 
b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
index 69663c1cb7..e9dd0d0a8d 100644
--- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
+++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
@@ -22,6 +22,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \
file://CVE-2022-42867.patch \
file://CVE-2022-42856.patch \
file://CVE-2023-23517-CVE-2023-23518.patch \
+   file://CVE-2022-46700.patch \
"
 SRC_URI[sha256sum] = 
"0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"
 
-- 
2.40.0


View/Reply Online (#182556): 
https://lists.openembedded.org/g/openembedded-core/message/182556



[oe-core][kirkstone][PATCH V2 5/6] webkitgtk: fix CVE-2023-23517 CVE-2023-23518

2023-06-09 Thread Urade, Yogita via lists.openembedded.org
The issue was addressed with improved memory handling.
This issue is fixed in macOS Ventura 13.2, macOS Monterey
12.6.3, tvOS 16.3, Safari 16.3, watchOS 9.3, iOS 16.3 and
iPadOS 16.3, macOS Big Sur 11.7.3. Processing maliciously
crafted web content may lead to arbitrary code execution.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-23517
https://support.apple.com/en-us/HT213638
https://bugs.webkit.org/show_bug.cgi?id=248268
https://github.com/WebKit/WebKit/pull/6756

Signed-off-by: Yogita Urade 
---
 .../CVE-2023-23517-CVE-2023-23518.patch   | 131 ++
 meta/recipes-sato/webkit/webkitgtk_2.36.8.bb  |   1 +
 2 files changed, 132 insertions(+)
 create mode 100644 
meta/recipes-sato/webkit/webkitgtk/CVE-2023-23517-CVE-2023-23518.patch

diff --git 
a/meta/recipes-sato/webkit/webkitgtk/CVE-2023-23517-CVE-2023-23518.patch 
b/meta/recipes-sato/webkit/webkitgtk/CVE-2023-23517-CVE-2023-23518.patch
new file mode 100644
index 00..721f045e0d
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2023-23517-CVE-2023-23518.patch
@@ -0,0 +1,131 @@
+From f44648f07471b6c34f61993baa8997f7519a18a1 Mon Sep 17 00:00:00 2001
+From: Youenn Fablet 
+Date: Mon, 28 Nov 2022 00:43:35 -0800
+Subject: [PATCH] Type getter is not needed for internal ReadableStream sources
+ https://bugs.webkit.org/show_bug.cgi?id=248268 rdar://102338913
+
+Reviewed by Eric Carlson.
+
+Make ReadableStreamSource method privates.
+In ReadableStream, use @getters instead of private getters to allow getting 
private values from prototype.
+Covered by added test.
+
+* LayoutTests/http/wpt/fetch/fetch-stream-source-expected.txt: Added.
+* LayoutTests/http/wpt/fetch/fetch-stream-source.html: Added.
+* Source/WebCore/Modules/streams/ReadableStream.js:
+(initializeReadableStream):
+* Source/WebCore/Modules/streams/ReadableStreamSource.idl:
+* Source/WebCore/bindings/js/JSDOMOperationReturningPromise.h:
+(WebCore::IDLOperationReturningPromise::call):
+
+Canonical link: https://commits.webkit.org/257063@main
+
+CVE: CVE-2023-23517 CVE-2023-23518
+
+Upstream-Status: Backport
+[https://github.com/WebKit/WebKit/commit/f44648f07471b6c34f61993baa8997f7519a18a1]
+
+Signed-off-by: Yogita Urade 
+---
+ .../fetch/fetch-stream-source-expected.txt|  3 +++
+ .../http/wpt/fetch/fetch-stream-source.html   | 24 +++
+ .../WebCore/Modules/streams/ReadableStream.js |  4 ++--
+ .../Modules/streams/ReadableStreamSource.idl  |  8 +++
+ .../js/JSDOMOperationReturningPromise.h   |  4 +++-
+ 5 files changed, 36 insertions(+), 7 deletions(-)
+ create mode 100644 LayoutTests/http/wpt/fetch/fetch-stream-source-expected.txt
+ create mode 100644 LayoutTests/http/wpt/fetch/fetch-stream-source.html
+
+diff --git a/LayoutTests/http/wpt/fetch/fetch-stream-source-expected.txt 
b/LayoutTests/http/wpt/fetch/fetch-stream-source-expected.txt
+new file mode 100644
+index ..856ea8180ca2
+--- /dev/null
 b/LayoutTests/http/wpt/fetch/fetch-stream-source-expected.txt
+@@ -0,0 +1,3 @@
++
++PASS Only JS streams should check type
++
+diff --git a/LayoutTests/http/wpt/fetch/fetch-stream-source.html 
b/LayoutTests/http/wpt/fetch/fetch-stream-source.html
+new file mode 100644
+index ..fbebfa5e524f
+--- /dev/null
 b/LayoutTests/http/wpt/fetch/fetch-stream-source.html
+@@ -0,0 +1,24 @@
++
++
++  
++
++Fetch and source
++
++
++  
++  
++
++promise_test(async () => {
++let counter = 0;
++Object.prototype.__defineGetter__("type", function() {
++counter++;
++});
++
++const response = await fetch('/');
++const fetchReadableStream = response.body;
++const [r1, r2] = fetchReadableStream.tee();
++assert_equals(counter, 0);
++}, "Only JS streams should check type");
++
++  
++
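Review bot: if the webkitgtk source tree the recipe unpacks does not carry `LayoutTests/`, this new-file hunk and the `-expected.txt` hunk before it are the likely reason Steve's follow-up in this thread reports the patch failing during do_patch; dropping both from the backport keeps the functional change in `ReadableStream.js` and the other sources intact. As archived here the HTML has also lost its `<script>` wrappers, so the test file cannot be verified from this copy.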
+diff --git a/Source/WebCore/Modules/streams/ReadableStream.js 
b/Source/WebCore/Modules/streams/ReadableStream.js
+index ddef56ecd460..7f0def325d84 100644
+--- a/Source/WebCore/Modules/streams/ReadableStream.js
 b/Source/WebCore/Modules/streams/ReadableStream.js
+@@ -48,10 +48,10 @@ function initializeReadableStream(underlyingSource, 
strategy)
+
+ // FIXME: We should introduce 
https://streams.spec.whatwg.org/#create-readable-stream.
+ // For now, we emulate this with underlyingSource with private properties.
+-if (@getByIdDirectPrivate(underlyingSource, "pull") !== @undefined) {
++if (underlyingSource.@pull !== @undefined) {
+ const size = @getByIdDirectPrivate(strategy, "size");
+ const highWaterMark = @getByIdDirectPrivate(strategy, 
"highWaterMark");
+-@setupReadableStreamDefaultController(this, underlyingSource, size, 
highWaterMark !== @undefined ? highWaterMark : 1, 
@getByIdDirectPrivate(underlyingSource, "start"), 
@getByIdDirectPrivate(underlyingSource, "pull"), 
@getByIdDirectPrivate(underlyingSource, "cancel"));
++@setupReadableStreamDefaultController(this, underlyingSource, size, 
highWaterMark !== @undefined ? highWaterMark : 1, 
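Review bot: the change from `@getByIdDirectPrivate(underlyingSource, "pull")` to `underlyingSource.@pull` widens the lookup from own private properties to the prototype chain, which is what the commit message asks for now that the source methods live on the IDL prototype, but the two `strategy` reads on the following lines keep the own-property form; a one-line comment on why `underlyingSource` and `strategy` are read differently would stop a future cleanup from "harmonising" them. The archived hunk also stops mid-statement at `highWaterMark !== @undefined ? highWaterMark : 1,`, so the replacement reads of `start`, `pull` and `cancel` that the removed line passes are not visible here; confirm the applied patch file carries the complete line.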

[oe-core][kirkstone][PATCH V2 4/6] webkitgtk: fix CVE-2022-42856

2023-06-09 Thread Urade, Yogita via lists.openembedded.org
A type confusion issue was addressed with improved state handling.
This issue is fixed in Safari 16.2, tvOS 16.2, macOS Ventura 13.1,
iOS 15.7.2 and iPadOS 15.7.2, iOS 16.1.2. Processing maliciously
crafted web content may lead to arbitrary code execution. Apple is
aware of a report that this issue may have been actively exploited
against versions of iOS released before iOS 15.1.

References:
https://support.apple.com/en-us/HT213531

Signed-off-by: Yogita Urade 
---
 .../webkit/webkitgtk/CVE-2022-42856.patch | 110 ++
 meta/recipes-sato/webkit/webkitgtk_2.36.8.bb  |   1 +
 2 files changed, 111 insertions(+)
 create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2022-42856.patch

diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42856.patch 
b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42856.patch
new file mode 100644
index 00..97d58c955a
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42856.patch
@@ -0,0 +1,110 @@
+From 71cdc1c09ef199db74b2b60ed5de781250d96a56 Mon Sep 17 00:00:00 2001
+From: Mark Lam 
+Date: Wed, 23 Nov 2022 13:48:49 -0800
+Subject: [PATCH] The provenType filtering in FTL's speculateRealNumber is
+ incorrect. https://bugs.webkit.org/show_bug.cgi?id=248266
+ 
+
+Reviewed by Justin Michaud.
+
+speculateRealNumber does a doubleEqual compare, which filters out double 
values which
+are not NaN.  NaN values will fall through to the `intCase` block.  In the 
`intCase` block,
+the isNotInt32() check there was given a proven type that wrongly filters out 
~SpecFullDouble.
+
+Consider a scenario where the edge was proven to be { SpecInt32Only, 
SpecDoubleReal,
+SpecDoublePureNaN }.  SpecFullDouble is defined as SpecDoubleReal | 
SpecDoubleNaN, and
+SpecDoubleNaN is defined as SpecDoublePureNaN | SpecDoubleImpureNaN.  Hence, 
the filtering
+of the proven type with ~SpecFullDouble means that isNotInt32() will 
effectively be given
+a proven type of
+
+{ SpecInt32Only, SpecDoubleReal, SpecDoublePureNaN } - { SpecDoubleReal, 
SpecDoublePureNaN }
+
+which yields
+
+{ SpecInt32Only }.
+
+As a result, the compiler will think that that isNotIn32() check will always 
fail.  This
+is not correct if the actual incoming value for that edge is actually a 
PureNaN.  In this
+case, speculateRealNumber should have OSR exited, but it doesn't because it 
thinks that
+the isNotInt32() check will always fail and elide the check altogether.
+
+In this patch, we fix this by replacing the ~SpecFullDouble with 
~SpecDoubleReal.  We also
+rename the `intCase` block to `intOrNaNCase` to document what it actually 
handles.
+
+* JSTests/stress/speculate-real-number-in-object-is.js: Added.
+(test.object_is_opt):
+(test):
+* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
+(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
+
+Canonical link: https://commits.webkit.org/252432.839@safari-7614-branch
+
+CVE: CVE-2022-42856
+
+Upstream-Status: Backport
+[https://github.com/WebKit/WebKit/commit/71cdc1c09ef199db74b2b60ed5de781250d96a56]
+
+Signed-off-by: Yogita Urade 
+---
+ .../speculate-real-number-in-object-is.js | 22 +++
+ Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp |  8 +++
+ 2 files changed, 26 insertions(+), 4 deletions(-)
+ create mode 100644 JSTests/stress/speculate-real-number-in-object-is.js
+
+diff --git a/JSTests/stress/speculate-real-number-in-object-is.js 
b/JSTests/stress/speculate-real-number-in-object-is.js
+new file mode 100644
+index ..0b10799954da
+--- /dev/null
 b/JSTests/stress/speculate-real-number-in-object-is.js
+@@ -0,0 +1,22 @@
++function test() {
++function object_is_opt(value) {
++const tmp = {p0: value};
++
++if (Object.is(value, NaN))
++return 0;
++
++return value;
++}
++
++object_is_opt(NaN);
++
++for (let i = 0; i < 0x2; i++)
++object_is_opt(1.1);
++
++return isNaN(object_is_opt(NaN));
++}
++
++resultIsNaN = test();
++if (resultIsNaN)
++throw "FAILED";
++
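Review bot: the warm-up loop `for (let i = 0; i < 0x2; i++)` runs `object_is_opt` twice, which cannot tier the function up to the FTL that this regression test targets; the literal looks damaged in the archived copy (the `index ..0b10799954da` line above has likewise lost the all-zero source blob id), so check the bound against the upstream test before carrying this file. Minor: `resultIsNaN = test();` assigns an undeclared global; a `let` declaration avoids that.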
+diff --git a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp 
b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
+index 8621b554d578..588298eba350 100644
+--- a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
 b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
+@@ -20285,18 +20285,18 @@ IGNORE_CLANG_WARNINGS_END
+ LValue value = lowJSValue(edge, ManualOperandSpeculation);
+ LValue doubleValue = unboxDouble(value);
+
+-LBasicBlock intCase = m_out.newBlock();
++LBasicBlock intOrNaNCase = m_out.newBlock();
+ LBasicBlock continuation = m_out.newBlock();
+
+ m_out.branch(
+ m_out.doubleEqual(doubleValue, doubleValue),
+-usually(continuation), rarely(intCase));
++usually(continuation), rarely(intOrNaNCase));
+
+-LBasicBlock lastNext = m_out.appendTo(intCase, continuation);
++LBasicBlock lastNext = m_out.appendTo(intOrNaNCase, continuation);
+
+ typeCheck(
+ 
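Review bot: the visible part of this hunk is only the `intCase` to `intOrNaNCase` rename; the substantive change described in the message, replacing `~SpecFullDouble` with `~SpecDoubleReal` in the `typeCheck(` call, is cut off exactly where it begins, so nothing shown here demonstrates that a PureNaN on this edge now OSR-exits. Review the complete hunk from the original mail, and consider a one-line comment above `typeCheck(` noting that NaN values reach this block because `doubleEqual(doubleValue, doubleValue)` is false for them.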

[oe-core][kirkstone][PATCH V2 3/6] webkitgtk: fix CVE-2022-42867

2023-06-09 Thread Urade, Yogita via lists.openembedded.org
A use after free issue was addressed with improved memory management.
This issue is fixed in Safari 16.2, tvOS 16.2, macOS Ventura 13.1, iOS
16.2 and iPadOS 16.2, watchOS 9.2. Processing maliciously crafted web
content may lead to arbitrary code execution.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2022-42867
https://support.apple.com/en-us/HT213537

Signed-off-by: Yogita Urade 
---
 .../webkit/webkitgtk/CVE-2022-42867.patch | 104 ++
 meta/recipes-sato/webkit/webkitgtk_2.36.8.bb  |   1 +
 2 files changed, 105 insertions(+)
 create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2022-42867.patch

diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42867.patch 
b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42867.patch
new file mode 100644
index 00..bf06809051
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42867.patch
@@ -0,0 +1,104 @@
+From f67a882170609d15836204a689dc552322fbe653 Mon Sep 17 00:00:00 2001
+From: Yogita Urade 
+Date: Wed, 7 Jun 2023 08:15:11 +
+Subject: [oe-core][kirkstone][PATCH 1/1] RenderElement::updateFillImages
+ should take pointer arguments  like other similar functions
+ https://bugs.webkit.org/show_bug.cgi?id=247317  rdar://100273147
+
+Reviewed by Alan Baradlay.
+
+* Source/WebCore/rendering/RenderElement.cpp:
+(WebCore::RenderElement::updateFillImages):
+(WebCore::RenderElement::styleDidChange):
+* Source/WebCore/rendering/RenderElement.h:
+
+Canonical link: https://commits.webkit.org/256215@main
+
+CVE: CVE-2022-42867
+
+Upstream-Status: Backport
+[https://github.com/WebKit/WebKit/commit/091a04e55c801ac6ba13f4b328fbee2eece853fc]
+
+Signed-off-by: Yogita Urade 
+---
+ Source/WebCore/rendering/RenderElement.cpp | 27 ++
+ Source/WebCore/rendering/RenderElement.h   |  2 +-
+ 2 files changed, 19 insertions(+), 10 deletions(-)
+
+diff --git a/Source/WebCore/rendering/RenderElement.cpp 
b/Source/WebCore/rendering/RenderElement.cpp
+index da43bf3d..931686b8 100644
+--- a/Source/WebCore/rendering/RenderElement.cpp
 b/Source/WebCore/rendering/RenderElement.cpp
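Review bot: the embedded patch header carries the backporter's identity (`From: Yogita Urade`, `Date: Wed, 7 Jun 2023`, an `[oe-core][kirkstone]` subject) and a commit id `f67a882170609d...` that does not match the upstream commit cited under `Upstream-Status: Backport` (`091a04e55c801a...`). Since the fix is presented as a backport, regenerate the .patch with `git format-patch` from the upstream commit so the From/Date/hash are the upstream author's and CVE tooling can correlate it, keeping the `CVE:`, `Upstream-Status:` and `Signed-off-by:` trailer additions below.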
+@@ -358,7 +358,7 @@ inline bool 
RenderElement::shouldRepaintForStyleDifference(StyleDifference diff)
+ return diff == StyleDifference::Repaint || (diff == 
StyleDifference::RepaintIfTextOrBorderOrOutline && 
hasImmediateNonWhitespaceTextChildOrBorderOrOutline());
+ }
+
+-void RenderElement::updateFillImages(const FillLayer* oldLayers, const 
FillLayer& newLayers)
++void RenderElement::updateFillImages(const FillLayer* oldLayers, const 
FillLayer* newLayers)
+ {
+ auto fillImagesAreIdentical = [](const FillLayer* layer1, const 
FillLayer* layer2) -> bool {
+ if (layer1 == layer2)
+@@ -379,7 +379,7 @@ void RenderElement::updateFillImages(const FillLayer* 
oldLayers, const FillLayer
+ };
+
+ auto isRegisteredWithNewFillImages = [&]() -> bool {
+-for (auto* layer =  layer; layer = layer->next()) {
++for (auto* layer = newLayers; layer; layer = layer->next()) {
+ if (layer->image() && !layer->image()->hasClient(*this))
+ return false;
+ }
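Review bot: the removed line reads `for (auto* layer =  layer; layer = layer->next())`, and the later hunk's `fillImagesAreIdentical(oldLayers, )`: the `&newLayers` operands have been eaten by the archive's HTML rendering, so this copy is not a byte-exact patch and must be applied from the raw mail or the Upstream-Status commit rather than from this view. The replacement `for (auto* layer = newLayers; layer; layer = layer->next())` is the right form for a now-nullable pointer.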
+@@ -388,11 +388,11 @@ void RenderElement::updateFillImages(const FillLayer* 
oldLayers, const FillLayer
+
+ // If images have the same characteristics and this element is already 
registered as a
+ // client to the new images, there is nothing to do.
+-if (fillImagesAreIdentical(oldLayers, ) && 
isRegisteredWithNewFillImages())
++if (fillImagesAreIdentical(oldLayers, newLayers) && 
isRegisteredWithNewFillImages())
+ return;
+
+ // Add before removing, to avoid removing all clients of an image that is 
in both sets.
+-for (auto* layer =  layer; layer = layer->next()) {
++for (auto* layer = newLayers; layer; layer = layer->next()) {
+ if (layer->image())
+ layer->image()->addClient(*this);
+ }
+@@ -937,11 +937,20 @@ static inline bool areCursorsEqual(const RenderStyle* a, 
const RenderStyle* b)
+
+ void RenderElement::styleDidChange(StyleDifference diff, const RenderStyle* 
oldStyle)
+ {
+-updateFillImages(oldStyle ? >backgroundLayers() : nullptr, 
m_style.backgroundLayers());
+-updateFillImages(oldStyle ? >maskLayers() : nullptr, 
m_style.maskLayers());
+-updateImage(oldStyle ? oldStyle->borderImage().image() : nullptr, 
m_style.borderImage().image());
+-updateImage(oldStyle ? oldStyle->maskBoxImage().image() : nullptr, 
m_style.maskBoxImage().image());
+-updateShapeImage(oldStyle ? oldStyle->shapeOutside() : nullptr, 
m_style.shapeOutside());
++auto registerImages = [this](auto* style, auto* oldStyle) {
++if (!style && !oldStyle)
++return;
++updateFillImages(oldStyle ? >backgroundLayers() : nullptr, 
style ? >backgroundLayers() : nullptr);
++updateFillImages(oldStyle ? >maskLayers() : nullptr, style 
? >maskLayers() : nullptr);
++updateImage(oldStyle ? oldStyle->borderImage().image() : nullptr, 
style ? 
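Review bot: the hunk is cut off inside the new `registerImages` lambda (its last visible line ends at `updateImage(... style ? `), so the remaining lambda body and the call sites that replace the removed direct `updateFillImages(..., m_style.backgroundLayers())` calls are not shown; from the visible lines alone it is not possible to confirm that images are still registered whenever `style` is non-null. Note also that the `>backgroundLayers()` / `>maskLayers()` fragments in both removed and added lines are `&oldStyle->...` with the ampersand lost in the archive, which will not apply as shown.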

[oe-core][kirkstone][PATCH V2 2/6] webkitgtk: fix CVE-2022-46699

2023-06-09 Thread Urade, Yogita via lists.openembedded.org
A memory corruption issue was addressed with improved state management.
This issue is fixed in Safari 16.2, tvOS 16.2, macOS Ventura 13.1, iOS
16.2 and iPadOS 16.2, watchOS 9.2. Processing maliciously crafted web
content may lead to arbitrary code execution.

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-46699
https://support.apple.com/en-us/HT213537

Signed-off-by: Yogita Urade 
---
 .../webkit/webkitgtk/CVE-2022-46699.patch | 136 ++
 meta/recipes-sato/webkit/webkitgtk_2.36.8.bb  |   1 +
 2 files changed, 137 insertions(+)
 create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2022-46699.patch

diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46699.patch 
b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46699.patch
new file mode 100644
index 00..0752b9c0e2
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46699.patch
@@ -0,0 +1,136 @@
+From 28686e63de0d3d7270a49b0d6b656467bc4fbf68 Mon Sep 17 00:00:00 2001
+From: Justin Michaud 
+Date: Wed, 9 Nov 2022 19:20:41 -0800
+Subject: [PATCH] Error() ICs should not cache special properties.
+ https://bugs.webkit.org/show_bug.cgi?id=247699
+
+Reviewed by Yusuke Suzuki.
+
+HasOwnProperty/DeleteProperty are not always cacheable for special Error()
+properties like column. These special properties are materialized on-demand
+in materializeErrorInfoIfNeeded, but this function's behaviour can be changed
+by Error.stackTraceLimit without causing a structure transition or firing 
watchpoints.
+
+That is, we cannot cache property misses, and we cannot assume HasOwnProperty 
is deterministic
+for a given structure if we are using one of these properties.
+
+* Source/JavaScriptCore/runtime/ErrorInstance.cpp:
+(JSC::ErrorInstance::deleteProperty):
+* Source/JavaScriptCore/runtime/ErrorInstance.h:
+
+Canonical link: https://commits.webkit.org/256519@main
+
+CVE: CVE-2022-46699
+
+Upstream-Status: Backport
+[https://github.com/WebKit/WebKit/commit/28686e63de0d3d7270a49b0d6b656467bc4fbf68]
+
+Signed-off-by: Yogita Urade 
+---
+ JSTests/stress/delete-cache-error.js  | 19 ++
+ .../get-own-property-slot-cache-error.js  |  6 ++
+ JSTests/stress/get-property-cache-error.js| 20 +++
+ .../JavaScriptCore/runtime/ErrorInstance.cpp  |  4 +++-
+ Source/JavaScriptCore/runtime/ErrorInstance.h |  3 ++-
+ 5 files changed, 50 insertions(+), 2 deletions(-)
+ create mode 100644 JSTests/stress/delete-cache-error.js
+ create mode 100644 JSTests/stress/get-own-property-slot-cache-error.js
+ create mode 100644 JSTests/stress/get-property-cache-error.js
+
+diff --git a/JSTests/stress/delete-cache-error.js 
b/JSTests/stress/delete-cache-error.js
+new file mode 100644
+index ..d77c09185a13
+--- /dev/null
 b/JSTests/stress/delete-cache-error.js
+@@ -0,0 +1,19 @@
++delete Error.stackTraceLimit
++
++// sourceURL is not materialized
++function cacheColumn(o) {
++delete o.sourceURL
++}
++noInline(cacheColumn)
++
++for (let i = 0; i < 200; ++i) {
++let e = Error()
++cacheColumn(e)
++if (e.sourceURL !== undefined)
++throw "Test failed on iteration " + i + " " + e.sourceURL
++
++if (i == 197) {
++// now it is
++Error.stackTraceLimit = 10
++}
++}
+\ No newline at end of file
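Review bot: the test raises `Error.stackTraceLimit = 10` only at `i == 197` and then relies on `e.sourceURL !== undefined` for the last two iterations, but nothing states the expected failure mode; a comment saying that the `delete o.sourceURL` in `cacheColumn` must not be served from an IC that cached "absent" on the earlier, unmaterialized errors would make a future regression legible. All three new test files also end with `\ No newline at end of file`, which is worth fixing before landing.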
+diff --git a/JSTests/stress/get-own-property-slot-cache-error.js 
b/JSTests/stress/get-own-property-slot-cache-error.js
+new file mode 100644
+index ..f8202213bf79
+--- /dev/null
 b/JSTests/stress/get-own-property-slot-cache-error.js
+@@ -0,0 +1,6 @@
++delete Error.stackTraceLimit
++// GetOwnPropertySlot does not materializeErrorInfoIfNeeded because 
stackString is null.
++Object.hasOwn(Error(), "column")
++Error.stackTraceLimit = 10
++// Now it does
++Object.hasOwn(Error(), "column")
+\ No newline at end of file
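Review bot: this test has no assertion: it calls `Object.hasOwn(Error(), "column")` before and after `Error.stackTraceLimit = 10` but never compares the results, so it only catches a crash or a debug-build assertion. Capturing both results and throwing if the second call is not `true` (the property should be materialized once `stackString` is non-null, per the comment) would turn it into a real regression test.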
+diff --git a/JSTests/stress/get-property-cache-error.js 
b/JSTests/stress/get-property-cache-error.js
+new file mode 100644
+index ..b35272ea6fe2
+--- /dev/null
 b/JSTests/stress/get-property-cache-error.js
+@@ -0,0 +1,20 @@
++// GetOwnPropertySlot does not materializeErrorInfoIfNeeded because 
stackString is null.
++delete Error.stackTraceLimit
++expected = undefined
++
++function cacheColumn(o) {
++return o.column
++}
++noInline(cacheColumn)
++
++for (let i = 0; i < 1000; ++i) {
++let val = cacheColumn(Error())
++if (val !== expected)
++throw "Test failed on iteration " + i + ": " + val
++
++if (i == 900) {
++// now it does
++Error.stackTraceLimit = 10
++expected = 32
++}
++}
+\ No newline at end of file
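Review bot: `expected = 32` hard-codes the column at which `Error()` is invoked on the `let val = cacheColumn(Error())` line, so the file's indentation is part of the test oracle; the archived copy has lost its leading whitespace, and a carried-over file with different indentation would fail from iteration 901 for the wrong reason. Asserting `typeof val === "number"` once the limit has been raised, instead of a fixed column, keeps the test independent of layout.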
+diff --git a/Source/JavaScriptCore/runtime/ErrorInstance.cpp 
b/Source/JavaScriptCore/runtime/ErrorInstance.cpp
+index ddf96869e84a..8e5373257d34 100644
+--- a/Source/JavaScriptCore/runtime/ErrorInstance.cpp
 b/Source/JavaScriptCore/runtime/ErrorInstance.cpp
+@@ -303,7 +303,9 @@ bool ErrorInstance::deleteProperty(JSCell* cell, 
JSGlobalObject* globalObject, P
+ {
+ 
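Review bot: the hunk ends right after the opening `{` of `ErrorInstance::deleteProperty`, so the guard that makes delete uncacheable for the special properties (the 4-line change to ErrorInstance.cpp and the 3-line change to ErrorInstance.h counted in the diffstat) cannot be reviewed here; verify from the original mail that the OE .patch contains both the .cpp and the .h hunk, since the three JS tests above are only meaningful with that change in place.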

[oe-core][kirkstone][PATCH V2 1/6] webkitgtk: fix CVE-2022-46691

2023-06-09 Thread Urade, Yogita via lists.openembedded.org
A memory consumption issue was addressed with improved memory handling.
This issue is fixed in Safari 16.2, tvOS 16.2, macOS Ventura 13.1, iOS
15.7.2 and iPadOS 15.7.2, iOS 16.2 and iPadOS 16.2, watchOS 9.2. Processing
maliciously crafted web content may lead to arbitrary code execution.

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-46691
https://support.apple.com/en-us/HT213531

Signed-off-by: Yogita Urade 
---
 .../webkit/webkitgtk/CVE-2022-46691.patch | 43 +++
 meta/recipes-sato/webkit/webkitgtk_2.36.8.bb  |  1 +
 2 files changed, 44 insertions(+)
 create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2022-46691.patch

diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46691.patch 
b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46691.patch
new file mode 100644
index 00..ff9df40433
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46691.patch
@@ -0,0 +1,43 @@
+From fd57a49d07c9c285780495344073350182fd7c7c Mon Sep 17 00:00:00 2001
+From: Yijia Huang 
+Date: Mon, 10 Oct 2022 15:42:34 -0700
+Subject: [PATCH] [JSC] Should model BigInt with side effects
+ https://bugs.webkit.org/show_bug.cgi?id=246291 rdar://100494823
+
+Reviewed by Yusuke Suzuki.
+
+Operations with two BigInt operands have side effects,
+which should not be hoisted from loops.
+
+* Source/JavaScriptCore/dfg/DFGClobberize.cpp:
+(JSC::DFG::doesWrites):
+* Source/JavaScriptCore/dfg/DFGClobberize.h:
+(JSC::DFG::clobberize):
+
+Canonical link: https://commits.webkit.org/255368@main
+
+CVE: CVE-2022-46691
+
+Upstream-Status: Backport
+[https://github.com/WebKit/WebKit/commit/fd57a49d07c9c285780495344073350182fd7c7c]
+
+Signed-off-by: Yogita Urade 
+---
+ Source/JavaScriptCore/dfg/DFGClobberize.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/Source/JavaScriptCore/dfg/DFGClobberize.h 
b/Source/JavaScriptCore/dfg/DFGClobberize.h
+index 0363ab20dcd8..4b1bcfea1fd7 100644
+--- a/Source/JavaScriptCore/dfg/DFGClobberize.h
 b/Source/JavaScriptCore/dfg/DFGClobberize.h
+@@ -811,6 +811,8 @@ void clobberize(Graph& graph, Node* node, const 
ReadFunctor& read, const WriteFu
+ case ValueBitRShift:
+ // FIXME: this use of single-argument isBinaryUseKind would prevent 
us from specializing (for example) for a HeapBigInt left-operand and a BigInt32 
right-operand.
+ if (node->isBinaryUseKind(AnyBigIntUse) || 
node->isBinaryUseKind(BigInt32Use) || node->isBinaryUseKind(HeapBigIntUse)) {
++read(World);
++write(SideState);
+ def(PureValue(node));
+ return;
+ }
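Review bot: `write(SideState)` now sits directly above `def(PureValue(node))`, and the combination deserves a comment in the code: the `def` keeps identical BigInt operations CSE-able while the `read(World)` / `write(SideState)` pair is what blocks LICM from hoisting them out of loops (the stated goal of the change). Without that comment the next reader will suspect one of the two lines is a mistake.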
+--
+2.40.0
diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb 
b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
index 1dac4f5677..02258f84e4 100644
--- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
+++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
@@ -17,6 +17,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \

file://0001-When-building-introspection-files-do-not-quote-CFLAG.patch \
file://CVE-2022-32888.patch \
file://CVE-2022-32923.patch \
+   file://CVE-2022-46691.patch \
"
 SRC_URI[sha256sum] = 
"0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"
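Review bot: this hunk and the `file://CVE-2022-46700.patch` hunk from the separate [PATCH 1/1] submission both start from `index 1dac4f5677` and insert their line at the same spot after `file://CVE-2022-32923.patch \`, so they cannot both apply on top of each other as posted; whichever lands second needs a rebased hunk, or the V2 series should be based on a tree that already carries the CVE-2022-46700 line.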
 
-- 
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#182551): 
https://lists.openembedded.org/g/openembedded-core/message/182551
Mute This Topic: https://lists.openembedded.org/mt/99429021/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



[oe-core][kirkstone][PATCH 1/1] webkitgtk: fix CVE-2023-23517, CVE-2023-23518

2023-06-06 Thread Urade, Yogita via lists.openembedded.org
The issue was addressed with improved memory handling. This issue is fixed in 
macOS Ventura 13.2, macOS Monterey 12.6.3, tvOS 16.3, Safari 16.3, watchOS 9.3, 
iOS 16.3 and iPadOS 16.3, macOS Big Sur 11.7.3. Processing maliciously crafted 
web content may lead to arbitrary code execution.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-23517
https://support.apple.com/en-us/HT213638
https://bugs.webkit.org/show_bug.cgi?id=248268
https://github.com/WebKit/WebKit/pull/6756

Signed-off-by: Yogita Urade 
---
 .../CVE-2023-23517-CVE-2023-23518.patch   | 131 ++
 meta/recipes-sato/webkit/webkitgtk_2.36.8.bb  |   1 +
 2 files changed, 132 insertions(+)
 create mode 100644 
meta/recipes-sato/webkit/webkitgtk/CVE-2023-23517-CVE-2023-23518.patch

diff --git 
a/meta/recipes-sato/webkit/webkitgtk/CVE-2023-23517-CVE-2023-23518.patch 
b/meta/recipes-sato/webkit/webkitgtk/CVE-2023-23517-CVE-2023-23518.patch
new file mode 100644
index 00..f4116f55cd
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2023-23517-CVE-2023-23518.patch
@@ -0,0 +1,131 @@
+From f44648f07471b6c34f61993baa8997f7519a18a1 Mon Sep 17 00:00:00 2001
+From: Youenn Fablet 
+Date: Mon, 28 Nov 2022 00:43:35 -0800
+Subject: [PATCH] Type getter is not needed for internal ReadableStream sources
+ https://bugs.webkit.org/show_bug.cgi?id=248268 rdar://102338913
+
+Reviewed by Eric Carlson.
+
+Make ReadableStreamSource method privates.
+In ReadableStream, use @getters instead of private getters to allow getting 
private values from prototype.
+Covered by added test.
+
+* LayoutTests/http/wpt/fetch/fetch-stream-source-expected.txt: Added.
+* LayoutTests/http/wpt/fetch/fetch-stream-source.html: Added.
+* Source/WebCore/Modules/streams/ReadableStream.js:
+(initializeReadableStream):
+* Source/WebCore/Modules/streams/ReadableStreamSource.idl:
+* Source/WebCore/bindings/js/JSDOMOperationReturningPromise.h:
+(WebCore::IDLOperationReturningPromise::call):
+
+Canonical link: https://commits.webkit.org/257063@main
+
+CVE: CVE-2023-23517 CVE-2023-23518
+
+Upstream-Status: Backport
+[https://github.com/WebKit/WebKit/commit/f44648f07471b6c34f61993baa8997f7519a18a1]
+
+Signed-off-by: Yogita Urade 
+---
+ .../fetch/fetch-stream-source-expected.txt|  3 +++
+ .../http/wpt/fetch/fetch-stream-source.html   | 24 +++
+ .../WebCore/Modules/streams/ReadableStream.js |  4 ++--
+ .../Modules/streams/ReadableStreamSource.idl  |  8 +++
+ .../js/JSDOMOperationReturningPromise.h   |  4 +++-
+ 5 files changed, 36 insertions(+), 7 deletions(-)
+ create mode 100644 LayoutTests/http/wpt/fetch/fetch-stream-source-expected.txt
+ create mode 100644 LayoutTests/http/wpt/fetch/fetch-stream-source.html
+
+diff --git a/LayoutTests/http/wpt/fetch/fetch-stream-source-expected.txt 
b/LayoutTests/http/wpt/fetch/fetch-stream-source-expected.txt
+new file mode 100644
+index ..856ea8180ca2
+--- /dev/null
 b/LayoutTests/http/wpt/fetch/fetch-stream-source-expected.txt
+@@ -0,0 +1,3 @@
++
++PASS Only JS streams should check type
++
+diff --git a/LayoutTests/http/wpt/fetch/fetch-stream-source.html 
b/LayoutTests/http/wpt/fetch/fetch-stream-source.html
+new file mode 100644
+index ..fbebfa5e524f
+--- /dev/null
 b/LayoutTests/http/wpt/fetch/fetch-stream-source.html
+@@ -0,0 +1,24 @@
++
++
++  
++
++Fetch and source
++
++
++  
++  
++
++promise_test(async () => {
++let counter = 0;
++Object.prototype.__defineGetter__("type", function() {
++counter++;
++});
++
++const response = await fetch('/');
++const fetchReadableStream = response.body;
++const [r1, r2] = fetchReadableStream.tee();
++assert_equals(counter, 0);
++}, "Only JS streams should check type");
++
++  
++
+diff --git a/Source/WebCore/Modules/streams/ReadableStream.js 
b/Source/WebCore/Modules/streams/ReadableStream.js
+index ddef56ecd460..7f0def325d84 100644
+--- a/Source/WebCore/Modules/streams/ReadableStream.js
 b/Source/WebCore/Modules/streams/ReadableStream.js
+@@ -48,10 +48,10 @@ function initializeReadableStream(underlyingSource, 
strategy)
+
+ // FIXME: We should introduce 
https://streams.spec.whatwg.org/#create-readable-stream.
+ // For now, we emulate this with underlyingSource with private properties.
+-if (@getByIdDirectPrivate(underlyingSource, "pull") !== @undefined) {
++if (underlyingSource.@pull !== @undefined) {
+ const size = @getByIdDirectPrivate(strategy, "size");
+ const highWaterMark = @getByIdDirectPrivate(strategy, 
"highWaterMark");
+-@setupReadableStreamDefaultController(this, underlyingSource, size, 
highWaterMark !== @undefined ? highWaterMark : 1, 
@getByIdDirectPrivate(underlyingSource, "start"), 
@getByIdDirectPrivate(underlyingSource, "pull"), 
@getByIdDirectPrivate(underlyingSource, "cancel"));
++@setupReadableStreamDefaultController(this, underlyingSource, size, 
highWaterMark !== @undefined ? highWaterMark : 
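Review bot: the archived message is truncated inside this hunk, and the diffstat lists two more files (`ReadableStreamSource.idl`, 8 lines, and `JSDOMOperationReturningPromise.h`, 4 lines) plus the recipe change adding `file://CVE-2023-23517-CVE-2023-23518.patch` to `webkitgtk_2.36.8.bb`, none of which are visible here; the IDL change that makes the source methods private is the part that makes the `underlyingSource.@pull` lookup necessary, so review the complete .patch from the raw mail before merging.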

[oe-core][kirkstone][PATCH 1/1] webkitgtk: fix CVE-2022-46700

2023-06-06 Thread Urade, Yogita via lists.openembedded.org
A memory corruption issue was addressed with improved input validation. This 
issue is fixed in Safari 16.2, tvOS 16.2, macOS Ventura 13.1, iOS 15.7.2 and 
iPadOS 15.7.2, iOS 16.2 and iPadOS 16.2, watchOS 9.2. Processing maliciously 
crafted web content may lead to arbitrary code execution.

References:
https://support.apple.com/en-us/HT213531
https://bugs.webkit.org/show_bug.cgi?id=247562
https://github.com/WebKit/WebKit/pull/6266

Signed-off-by: Yogita Urade 
---
 .../webkit/webkitgtk/CVE-2022-46700.patch | 67 +++
 meta/recipes-sato/webkit/webkitgtk_2.36.8.bb  |  1 +
 2 files changed, 68 insertions(+)
 create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2022-46700.patch

diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46700.patch 
b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46700.patch
new file mode 100644
index 00..242b8337fa
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46700.patch
@@ -0,0 +1,67 @@
+From 86fbeb6fcd638e2350b09a43dde355f9830e75da Mon Sep 17 00:00:00 2001
+From: David Degazio 
+Date: Tue, 8 Nov 2022 19:54:33 -0800
+Subject: [PATCH] Intl.Locale.prototype.hourCycles leaks empty JSValue to
+ script https://bugs.webkit.org/show_bug.cgi?id=247562 rdar://102031379
+
+Reviewed by Mark Lam.
+
+We currently don't check if IntlLocale::hourCycles returns a null JSArray, 
which allows it
+to be encoded as an empty JSValue and exposed to user code. This patch throws 
a TypeError
+when udatpg_open returns a failed status.
+
+* JSTests/stress/intl-locale-invalid-hourCycles.js: Added.
+(main):
+* Source/JavaScriptCore/runtime/IntlLocale.cpp:
+(JSC::IntlLocale::hourCycles):
+
+Canonical link: https://commits.webkit.org/256473@main
+
+CVE:CVE-2022-46700
+
+Upstream-Status: Backport
+[https://github.com/WebKit/WebKit/commit/86fbeb6fcd638e2350b09a43dde355f9830e75da]
+
+Signed-off-by: Yogita Urade 
+---
+ JSTests/stress/intl-locale-invalid-hourCycles.js | 12 
+ Source/JavaScriptCore/runtime/IntlLocale.cpp |  4 +++-
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+ create mode 100644 JSTests/stress/intl-locale-invalid-hourCycles.js
+
+diff --git a/JSTests/stress/intl-locale-invalid-hourCycles.js 
b/JSTests/stress/intl-locale-invalid-hourCycles.js
+new file mode 100644
+index ..7b94eb844764
+--- /dev/null
 b/JSTests/stress/intl-locale-invalid-hourCycles.js
+@@ -0,0 +1,12 @@
++function main() {
++const v24 = new Intl.Locale("trimEnd", { 'numberingSystem': "foobar" });
++let empty = v24.hourCycles;
++print(empty);
++}
++
++try {
++main();
++} catch (e) {
++if (!(e instanceof TypeError))
++throw e;
++}
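Review bot: the test passes vacuously if `main()` returns normally, which is what happens on an ICU that accepts the `"trimEnd"` locale with `numberingSystem: "foobar"`: the `catch` only rethrows non-TypeError exceptions and nothing checks that a TypeError was actually raised. Setting a flag in the `catch` branch and throwing after the try/catch if it was not set would make the test prove the `udatpg_open` failure path is exercised; the `print(empty)` call is also unnecessary once that assertion exists.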
+diff --git a/Source/JavaScriptCore/runtime/IntlLocale.cpp 
b/Source/JavaScriptCore/runtime/IntlLocale.cpp
+index c3c346163a18..bef424727a8a 100644
+--- a/Source/JavaScriptCore/runtime/IntlLocale.cpp
 b/Source/JavaScriptCore/runtime/IntlLocale.cpp
+@@ -632,8 +632,10 @@ JSArray* IntlLocale::hourCycles(JSGlobalObject* 
globalObject)
+
+ UErrorCode status = U_ZERO_ERROR;
+ auto generator = std::unique_ptr>(udatpg_open(m_localeID.data(), ));
+-if (U_FAILURE(status))
++if (U_FAILURE(status)) {
++throwTypeError(globalObject, scope, "invalid locale"_s);
+ return nullptr;
++}
+
+ // Use "j" skeleton and parse pattern to retrieve the configured 
hour-cycle information.
+ constexpr const UChar skeleton[] = { 'j', 0 };
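Review bot: `throwTypeError(globalObject, scope, "invalid locale"_s)` requires a `ThrowScope scope` declared earlier in `hourCycles`, which is above the shown context, and because the function now throws and returns `nullptr`, the prototype getter that calls it (not in this hunk) must check for the pending exception before encoding that `nullptr` into a JSValue, otherwise the empty-JSValue leak this change is meant to stop is only moved one frame up. The context line `udatpg_open(m_localeID.data(), ));` has also lost its `&status` argument in the archive, so apply from the raw mail.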
+--
+2.40.0
diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb 
b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
index 1dac4f5677..699936ec39 100644
--- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
+++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
@@ -17,6 +17,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \

file://0001-When-building-introspection-files-do-not-quote-CFLAG.patch \
file://CVE-2022-32888.patch \
file://CVE-2022-32923.patch \
+   file://CVE-2022-46700.patch \
"
 SRC_URI[sha256sum] = 
"0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"
 
-- 
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#182432): 
https://lists.openembedded.org/g/openembedded-core/message/182432
Mute This Topic: https://lists.openembedded.org/mt/99362000/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



[oe-core][kirkstone][PATCH 1/1] webkitgtk: fix CVE-2022-42856

2023-06-06 Thread Urade, Yogita via lists.openembedded.org
A type confusion issue was addressed with improved state handling. This issue 
is fixed in Safari 16.2, tvOS 16.2, macOS Ventura 13.1, iOS 15.7.2 and iPadOS 
15.7.2, iOS 16.1.2. Processing maliciously crafted web content may lead to 
arbitrary code execution. Apple is aware of a report that this issue may have 
been actively exploited against versions of iOS released before iOS 15.1.

References:
https://support.apple.com/en-us/HT213531

Signed-off-by: Yogita Urade 
---
 .../webkit/webkitgtk/CVE-2022-42856.patch | 110 ++
 meta/recipes-sato/webkit/webkitgtk_2.36.8.bb  |   1 +
 2 files changed, 111 insertions(+)
 create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2022-42856.patch

diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42856.patch 
b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42856.patch
new file mode 100644
index 00..97d58c955a
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42856.patch
@@ -0,0 +1,110 @@
+From 71cdc1c09ef199db74b2b60ed5de781250d96a56 Mon Sep 17 00:00:00 2001
+From: Mark Lam 
+Date: Wed, 23 Nov 2022 13:48:49 -0800
+Subject: [PATCH] The provenType filtering in FTL's speculateRealNumber is
+ incorrect. https://bugs.webkit.org/show_bug.cgi?id=248266
+ 
+
+Reviewed by Justin Michaud.
+
+speculateRealNumber does a doubleEqual compare, which filters out double 
values which
+are not NaN.  NaN values will fall through to the `intCase` block.  In the 
`intCase` block,
+the isNotInt32() check there was given a proven type that wrongly filters out 
~SpecFullDouble.
+
+Consider a scenario where the edge was proven to be { SpecInt32Only, 
SpecDoubleReal,
+SpecDoublePureNaN }.  SpecFullDouble is defined as SpecDoubleReal | 
SpecDoubleNaN, and
+SpecDoubleNaN is defined as SpecDoublePureNaN | SpecDoubleImpureNaN.  Hence, 
the filtering
+of the proven type with ~SpecFullDouble means that isNotInt32() will 
effectively be given
+a proven type of
+
+{ SpecInt32Only, SpecDoubleReal, SpecDoublePureNaN } - { SpecDoubleReal, 
SpecDoublePureNaN }
+
+which yields
+
+{ SpecInt32Only }.
+
+As a result, the compiler will think that that isNotIn32() check will always 
fail.  This
+is not correct if the actual incoming value for that edge is actually a 
PureNaN.  In this
+case, speculateRealNumber should have OSR exited, but it doesn't because it 
thinks that
+the isNotInt32() check will always fail and elide the check altogether.
+
+In this patch, we fix this by replacing the ~SpecFullDouble with 
~SpecDoubleReal.  We also
+rename the `intCase` block to `intOrNaNCase` to document what it actually 
handles.
+
+* JSTests/stress/speculate-real-number-in-object-is.js: Added.
+(test.object_is_opt):
+(test):
+* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
+(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
+
+Canonical link: https://commits.webkit.org/252432.839@safari-7614-branch
+
+CVE: CVE-2022-42856
+
+Upstream-Status: Backport
+[https://github.com/WebKit/WebKit/commit/71cdc1c09ef199db74b2b60ed5de781250d96a56]
+
+Signed-off-by: Yogita Urade 
+---
+ .../speculate-real-number-in-object-is.js | 22 +++
+ Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp |  8 +++
+ 2 files changed, 26 insertions(+), 4 deletions(-)
+ create mode 100644 JSTests/stress/speculate-real-number-in-object-is.js
+
+diff --git a/JSTests/stress/speculate-real-number-in-object-is.js 
b/JSTests/stress/speculate-real-number-in-object-is.js
+new file mode 100644
+index ..0b10799954da
+--- /dev/null
 b/JSTests/stress/speculate-real-number-in-object-is.js
+@@ -0,0 +1,22 @@
++function test() {
++function object_is_opt(value) {
++const tmp = {p0: value};
++
++if (Object.is(value, NaN))
++return 0;
++
++return value;
++}
++
++object_is_opt(NaN);
++
++for (let i = 0; i < 0x2; i++)
++object_is_opt(1.1);
++
++return isNaN(object_is_opt(NaN));
++}
++
++resultIsNaN = test();
++if (resultIsNaN)
++throw "FAILED";
++
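Review bot: the warm-up loop `for (let i = 0; i < 0x2; i++) object_is_opt(1.1);` calls the function only twice, which will not get `object_is_opt` compiled by the FTL where the `compileCompareStrictEq` change lives, so as written the test would pass on an unpatched build as well and is not a regression test; compare the loop bound with the test in upstream commit 71cdc1c09ef199db74b2b60ed5de781250d96a56 and carry that value. The check itself is right: `isNaN(object_is_opt(NaN))` must be false because `Object.is(NaN, NaN)` is true and the function returns 0. Minor: `resultIsNaN = test();` creates an implicit global; declare it with `let`.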
+diff --git a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp 
b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
+index 8621b554d578..588298eba350 100644
+--- a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
 b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
+@@ -20285,18 +20285,18 @@ IGNORE_CLANG_WARNINGS_END
+ LValue value = lowJSValue(edge, ManualOperandSpeculation);
+ LValue doubleValue = unboxDouble(value);
+
+-LBasicBlock intCase = m_out.newBlock();
++LBasicBlock intOrNaNCase = m_out.newBlock();
+ LBasicBlock continuation = m_out.newBlock();
+
+ m_out.branch(
+ m_out.doubleEqual(doubleValue, doubleValue),
+-usually(continuation), rarely(intCase));
++usually(continuation), rarely(intOrNaNCase));
+
+-LBasicBlock lastNext = m_out.appendTo(intCase, continuation);
++LBasicBlock lastNext = m_out.appendTo(intOrNaNCase, continuation);
+
+ typeCheck(
+ 
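Review bot: the hunk is truncated at `typeCheck(`, so the only change visible in this copy is the rename of `intCase` to `intOrNaNCase`; the fix the commit message describes, replacing `~SpecFullDouble` with `~SpecDoubleReal` in the proven-type filter handed to the `isNotInt32()` check, is in the cut-off part. The diffstat lists 8 changed lines in FTLLowerDFGToB3.cpp, so the .patch file in the recipe directory should be checked against the upstream commit to confirm the filter change is present and applies to the 2.36.8 version of `compileCompareStrictEq`.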

[oe-core][kirkstone][PATCH 1/1] webkitgtk: fix CVE-2022-42867

2023-06-06 Thread Urade, Yogita via lists.openembedded.org
A use after free issue was addressed with improved memory management. This 
issue is fixed in Safari 16.2, tvOS 16.2, macOS Ventura 13.1, iOS 16.2 and 
iPadOS 16.2, watchOS 9.2. Processing maliciously crafted web content may lead 
to arbitrary code execution.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2022-42867
https://support.apple.com/en-us/HT213537

Signed-off-by: Yogita Urade 
---
 .../webkit/webkitgtk/CVE-2022-42867.patch | 104 ++
 meta/recipes-sato/webkit/webkitgtk_2.36.8.bb  |   1 +
 2 files changed, 105 insertions(+)
 create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2022-42867.patch

diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42867.patch 
b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42867.patch
new file mode 100644
index 00..c7d684097d
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42867.patch
@@ -0,0 +1,104 @@
+From 8747a631dff858a27ab1a75edb7f21658c2962e2 Mon Sep 17 00:00:00 2001
+From: Yogita Urade 
+Date: Fri, 2 Jun 2023 10:22:34 +
+Subject: [PATCH] RenderElement::updateFillImages should take pointer arguments
+ like other similar functions https://bugs.webkit.org/show_bug.cgi?id=247317
+ rdar://100273147
+
+Reviewed by Alan Baradlay.
+
+* Source/WebCore/rendering/RenderElement.cpp:
+(WebCore::RenderElement::updateFillImages):
+(WebCore::RenderElement::styleDidChange):
+* Source/WebCore/rendering/RenderElement.h:
+
+Canonical link: https://commits.webkit.org/256215@main
+
+CVE: CVE-2022-42867
+
+Upstream-Status: Backport
+[https://github.com/WebKit/WebKit/commit/091a04e55c801ac6ba13f4b328fbee2eece853fc]
+
+Signed-off-by: Yogita Urade 
+---
+ Source/WebCore/rendering/RenderElement.cpp | 27 ++
+ Source/WebCore/rendering/RenderElement.h   |  2 +-
+ 2 files changed, 19 insertions(+), 10 deletions(-)
+
+diff --git a/Source/WebCore/rendering/RenderElement.cpp 
b/Source/WebCore/rendering/RenderElement.cpp
+index da43bf3d..eb0a9b4c 100644
+--- a/Source/WebCore/rendering/RenderElement.cpp
 b/Source/WebCore/rendering/RenderElement.cpp
+@@ -358,7 +358,7 @@ inline bool 
RenderElement::shouldRepaintForStyleDifference(StyleDifference diff)
+ return diff == StyleDifference::Repaint || (diff == 
StyleDifference::RepaintIfTextOrBorderOrOutline && 
hasImmediateNonWhitespaceTextChildOrBorderOrOutline());
+ }
+
+-void RenderElement::updateFillImages(const FillLayer* oldLayers, const 
FillLayer& newLayers)
++void RenderElement::updateFillImages(const FillLayer* oldLayers, const 
FillLayer* newLayers)
+ {
+ auto fillImagesAreIdentical = [](const FillLayer* layer1, const 
FillLayer* layer2) -> bool {
+ if (layer1 == layer2)
+@@ -379,7 +379,7 @@ void RenderElement::updateFillImages(const FillLayer* 
oldLayers, const FillLayer
+ };
+
+ auto isRegisteredWithNewFillImages = [&]() -> bool {
+-for (auto* layer =  layer; layer = layer->next()) {
++for (auto* layer = newLayers; layer; layer = layer->next()) {
+ if (layer->image() && !layer->image()->hasClient(*this))
+ return false;
+ }
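Review bot: the `-` line here reads `for (auto* layer =  layer; layer; layer = layer->next())` because the archive decoded the original `&newLayers;` as an HTML entity; the same mangling produced `fillImagesAreIdentical(oldLayers, )` in the next hunk and the `>backgroundLayers()` / `>maskLayers()` arguments in `styleDidChange`, so review the `-` sides against the upstream commit rather than this copy. The `+` side is the right shape: walking from the `newLayers` pointer gives an empty walk when it is null, which is what lets a caller with no new style pass `nullptr` instead of having to fabricate a `FillLayer`.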
+@@ -388,11 +388,11 @@ void RenderElement::updateFillImages(const FillLayer* 
oldLayers, const FillLayer
+
+ // If images have the same characteristics and this element is already 
registered as a
+ // client to the new images, there is nothing to do.
+-if (fillImagesAreIdentical(oldLayers, ) && 
isRegisteredWithNewFillImages())
++if (fillImagesAreIdentical(oldLayers, newLayers) && 
isRegisteredWithNewFillImages())
+ return;
+
+ // Add before removing, to avoid removing all clients of an image that is 
in both sets.
+-for (auto* layer =  layer; layer = layer->next()) {
++for (auto* layer = newLayers; layer; layer = layer->next()) {
+ if (layer->image())
+ layer->image()->addClient(*this);
+ }
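Review bot: `fillImagesAreIdentical(oldLayers, newLayers)` now receives two pointers, and the part of that lambda quoted in the first hunk bails out on `layer1 == layer2`, which covers the both-null case; the rest of its body sits between the hunks and is not quoted, so confirm it null-checks each side before dereferencing now that `newLayers` can be null as well as `oldLayers`. The "Add before removing" comment still holds with pointer arguments, and the add loop below it has the same null-safe form as the registration check above.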
+@@ -937,11 +937,20 @@ static inline bool areCursorsEqual(const RenderStyle* a, 
const RenderStyle* b)
+
+ void RenderElement::styleDidChange(StyleDifference diff, const RenderStyle* 
oldStyle)
+ {
+-updateFillImages(oldStyle ? >backgroundLayers() : nullptr, 
m_style.backgroundLayers());
+-updateFillImages(oldStyle ? >maskLayers() : nullptr, 
m_style.maskLayers());
+-updateImage(oldStyle ? oldStyle->borderImage().image() : nullptr, 
m_style.borderImage().image());
+-updateImage(oldStyle ? oldStyle->maskBoxImage().image() : nullptr, 
m_style.maskBoxImage().image());
+-updateShapeImage(oldStyle ? oldStyle->shapeOutside() : nullptr, 
m_style.shapeOutside());
++auto registerImages = [this](auto* style, auto* oldStyle) {
++if (!style && !oldStyle)
++return;
++updateFillImages(oldStyle ? >backgroundLayers() : nullptr, 
style ? >backgroundLayers() : nullptr);
++updateFillImages(oldStyle ? >maskLayers() : nullptr, style 
? >maskLayers() : nullptr);
++updateImage(oldStyle ? oldStyle->borderImage().image() : nullptr, 
style ? style->borderImage().image() : 
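Review bot: the message is cut off inside the new `registerImages` lambda, before its closing brace and before the call sites that supply `style` and `oldStyle`, so the case a null `style` exists for (unregistering from the old style's images with nothing new to register, which is what `updateFillImages(oldLayers, nullptr)` amounts to given the add-then-remove structure in the earlier hunk) cannot be reviewed from this copy. The early `if (!style && !oldStyle) return;` is fine; check the remaining lines of the lambda and the updated calls in `styleDidChange` against upstream 091a04e55c801ac6ba13f4b328fbee2eece853fc in the .patch actually committed.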

[oe-core][kirkstone][PATCH 1/1] webkitgtk: fix CVE-2022-46699

2023-06-06 Thread Urade, Yogita via lists.openembedded.org
A memory corruption issue was addressed with improved state management. This 
issue is fixed in Safari 16.2, tvOS 16.2, macOS Ventura 13.1, iOS 16.2 and 
iPadOS 16.2, watchOS 9.2. Processing maliciously crafted web content may lead 
to arbitrary code execution.

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-46699
https://support.apple.com/en-us/HT213537

Signed-off-by: Yogita Urade 
---
 .../webkit/webkitgtk/CVE-2022-46699.patch | 136 ++
 meta/recipes-sato/webkit/webkitgtk_2.36.8.bb  |   1 +
 2 files changed, 137 insertions(+)
 create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2022-46699.patch

diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46699.patch 
b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46699.patch
new file mode 100644
index 00..0752b9c0e2
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46699.patch
@@ -0,0 +1,136 @@
+From 28686e63de0d3d7270a49b0d6b656467bc4fbf68 Mon Sep 17 00:00:00 2001
+From: Justin Michaud 
+Date: Wed, 9 Nov 2022 19:20:41 -0800
+Subject: [PATCH] Error() ICs should not cache special properties.
+ https://bugs.webkit.org/show_bug.cgi?id=247699
+
+Reviewed by Yusuke Suzuki.
+
+HasOwnProperty/DeleteProperty are not always cacheable for special Error()
+properties like column. These special properties are materialized on-demand
+in materializeErrorInfoIfNeeded, but this function's behaviour can be changed
+by Error.stackTraceLimit without causing a structure transition or firing 
watchpoints.
+
+That is, we cannot cache property misses, and we cannot assume HasOwnProperty 
is deterministic
+for a given structure if we are using one of these properties.
+
+* Source/JavaScriptCore/runtime/ErrorInstance.cpp:
+(JSC::ErrorInstance::deleteProperty):
+* Source/JavaScriptCore/runtime/ErrorInstance.h:
+
+Canonical link: https://commits.webkit.org/256519@main
+
+CVE: CVE-2022-46699
+
+Upstream-Status: Backport
+[https://github.com/WebKit/WebKit/commit/28686e63de0d3d7270a49b0d6b656467bc4fbf68]
+
+Signed-off-by: Yogita Urade 
+---
+ JSTests/stress/delete-cache-error.js  | 19 ++
+ .../get-own-property-slot-cache-error.js  |  6 ++
+ JSTests/stress/get-property-cache-error.js| 20 +++
+ .../JavaScriptCore/runtime/ErrorInstance.cpp  |  4 +++-
+ Source/JavaScriptCore/runtime/ErrorInstance.h |  3 ++-
+ 5 files changed, 50 insertions(+), 2 deletions(-)
+ create mode 100644 JSTests/stress/delete-cache-error.js
+ create mode 100644 JSTests/stress/get-own-property-slot-cache-error.js
+ create mode 100644 JSTests/stress/get-property-cache-error.js
+
+diff --git a/JSTests/stress/delete-cache-error.js 
b/JSTests/stress/delete-cache-error.js
+new file mode 100644
+index ..d77c09185a13
+--- /dev/null
 b/JSTests/stress/delete-cache-error.js
+@@ -0,0 +1,19 @@
++delete Error.stackTraceLimit
++
++// sourceURL is not materialized
++function cacheColumn(o) {
++delete o.sourceURL
++}
++noInline(cacheColumn)
++
++for (let i = 0; i < 200; ++i) {
++let e = Error()
++cacheColumn(e)
++if (e.sourceURL !== undefined)
++throw "Test failed on iteration " + i + " " + e.sourceURL
++
++if (i == 197) {
++// now it is
++Error.stackTraceLimit = 10
++}
++}
+\ No newline at end of file
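Review bot: the function is named `cacheColumn` but deletes and checks `sourceURL` (the comment `// sourceURL is not materialized` says as much), so the name was carried over from the sibling test; rename it or leave a comment so the next reader does not look for a `column` access. The check is sound: after `Error.stackTraceLimit = 10` on iteration 197, a DeleteProperty IC that had cached the miss would leave `e.sourceURL` defined on iterations 198 and 199 and trigger the throw. All three new tests also end without a trailing newline (`\ No newline at end of file`).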
+diff --git a/JSTests/stress/get-own-property-slot-cache-error.js 
b/JSTests/stress/get-own-property-slot-cache-error.js
+new file mode 100644
+index ..f8202213bf79
+--- /dev/null
 b/JSTests/stress/get-own-property-slot-cache-error.js
+@@ -0,0 +1,6 @@
++delete Error.stackTraceLimit
++// GetOwnPropertySlot does not materializeErrorInfoIfNeeded because 
stackString is null.
++Object.hasOwn(Error(), "column")
++Error.stackTraceLimit = 10
++// Now it does
++Object.hasOwn(Error(), "column")
+\ No newline at end of file
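Review bot: this test has no assertion; it calls `Object.hasOwn(Error(), "column")` once before and once after `Error.stackTraceLimit = 10`, so it can only fail by crashing or by tripping a debug-only ASSERT in the GetOwnPropertySlot path. If the intent is that the second call must not be served from an IC populated by the first, say so in a comment, or compare the two results the way get-property-cache-error.js compares against `expected`.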
+diff --git a/JSTests/stress/get-property-cache-error.js 
b/JSTests/stress/get-property-cache-error.js
+new file mode 100644
+index ..b35272ea6fe2
+--- /dev/null
 b/JSTests/stress/get-property-cache-error.js
+@@ -0,0 +1,20 @@
++// GetOwnPropertySlot does not materializeErrorInfoIfNeeded because 
stackString is null.
++delete Error.stackTraceLimit
++expected = undefined
++
++function cacheColumn(o) {
++return o.column
++}
++noInline(cacheColumn)
++
++for (let i = 0; i < 1000; ++i) {
++let val = cacheColumn(Error())
++if (val !== expected)
++throw "Test failed on iteration " + i + ": " + val
++
++if (i == 900) {
++// now it does
++Error.stackTraceLimit = 10
++expected = 32
++}
++}
+\ No newline at end of file
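Review bot: `expected = 32` hard-codes a column inside `let val = cacheColumn(Error())` that only comes out right with upstream's exact indentation of that line; this archived copy has already lost the indentation, and a .patch with the same loss would make the test fail for a reason unrelated to the IC fix, so check that the file committed to the recipe keeps upstream's whitespace. Switching `Error.stackTraceLimit` after 900 of 1000 iterations gives the GetById IC ample warm-up before materialization changes, which is the scenario the fix has to cover.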
+diff --git a/Source/JavaScriptCore/runtime/ErrorInstance.cpp 
b/Source/JavaScriptCore/runtime/ErrorInstance.cpp
+index ddf96869e84a..8e5373257d34 100644
+--- a/Source/JavaScriptCore/runtime/ErrorInstance.cpp
 b/Source/JavaScriptCore/runtime/ErrorInstance.cpp
+@@ -303,7 +303,9 @@ bool ErrorInstance::deleteProperty(JSCell* cell, 
JSGlobalObject* globalObject, P
+ {
+   
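Review bot: the hunk stops after the opening brace of `ErrorInstance::deleteProperty`, so the changed lines in ErrorInstance.cpp and the ErrorInstance.h change listed in the diffstat are not visible here; the backport needs checking against upstream 28686e63de0d3d7270a49b0d6b656467bc4fbf68. When doing so, note that the ChangeLog names only `deleteProperty` while two of the three new tests exercise the GetOwnPropertySlot/GetById path, and the message says HasOwnProperty misses must not be cached either; make sure the applied patch covers that path too.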

[oe-core][kirkstone][PATCH 1/1] webkitgtk: fix CVE-2022-46691

2023-06-06 Thread Urade, Yogita via lists.openembedded.org
A memory consumption issue was addressed with improved memory handling. This 
issue is fixed in Safari 16.2, tvOS 16.2, macOS Ventura 13.1, iOS 15.7.2 and 
iPadOS 15.7.2, iOS 16.2 and iPadOS 16.2, watchOS 9.2. Processing maliciously 
crafted web content may lead to arbitrary code execution.

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-46691
https://support.apple.com/en-us/HT213531

Signed-off-by: Yogita Urade 
---
 .../webkit/webkitgtk/CVE-2022-46691.patch | 43 +++
 meta/recipes-sato/webkit/webkitgtk_2.36.8.bb  |  1 +
 2 files changed, 44 insertions(+)
 create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2022-46691.patch

diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46691.patch 
b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46691.patch
new file mode 100644
index 00..ff9df40433
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46691.patch
@@ -0,0 +1,43 @@
+From fd57a49d07c9c285780495344073350182fd7c7c Mon Sep 17 00:00:00 2001
+From: Yijia Huang 
+Date: Mon, 10 Oct 2022 15:42:34 -0700
+Subject: [PATCH] [JSC] Should model BigInt with side effects
+ https://bugs.webkit.org/show_bug.cgi?id=246291 rdar://100494823
+
+Reviewed by Yusuke Suzuki.
+
+Operations with two BigInt operands have side effects,
+which should not be hoisted from loops.
+
+* Source/JavaScriptCore/dfg/DFGClobberize.cpp:
+(JSC::DFG::doesWrites):
+* Source/JavaScriptCore/dfg/DFGClobberize.h:
+(JSC::DFG::clobberize):
+
+Canonical link: https://commits.webkit.org/255368@main
+
+CVE: CVE-2022-46691
+
+Upstream-Status: Backport
+[https://github.com/WebKit/WebKit/commit/fd57a49d07c9c285780495344073350182fd7c7c]
+
+Signed-off-by: Yogita Urade 
+---
+ Source/JavaScriptCore/dfg/DFGClobberize.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/Source/JavaScriptCore/dfg/DFGClobberize.h 
b/Source/JavaScriptCore/dfg/DFGClobberize.h
+index 0363ab20dcd8..4b1bcfea1fd7 100644
+--- a/Source/JavaScriptCore/dfg/DFGClobberize.h
 b/Source/JavaScriptCore/dfg/DFGClobberize.h
+@@ -811,6 +811,8 @@ void clobberize(Graph& graph, Node* node, const 
ReadFunctor& read, const WriteFu
+ case ValueBitRShift:
+ // FIXME: this use of single-argument isBinaryUseKind would prevent 
us from specializing (for example) for a HeapBigInt left-operand and a BigInt32 
right-operand.
+ if (node->isBinaryUseKind(AnyBigIntUse) || 
node->isBinaryUseKind(BigInt32Use) || node->isBinaryUseKind(HeapBigIntUse)) {
++read(World);
++write(SideState);
+ def(PureValue(node));
+ return;
+ }
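Review bot: the ChangeLog lists `Source/JavaScriptCore/dfg/DFGClobberize.cpp (JSC::DFG::doesWrites)`, but the diffstat and the hunk touch only DFGClobberize.h (2 insertions), so either a hunk was dropped in the backport or the ChangeLog was taken from a different upstream revision; compare with fd57a49d07c9c285780495344073350182fd7c7c. On the change itself, `write(SideState)` makes the node count as writing, which is what stops LICM from hoisting these BigInt operations out of loops as the message intends, while the retained `def(PureValue(node))` still lets CSE fold duplicates; a one-line comment on why the node is both pure-valued and side-effecting would save the next reader the same question, since the existing FIXME above it is about a different issue.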
+--
+2.40.0
diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb 
b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
index 1dac4f5677..02258f84e4 100644
--- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
+++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
@@ -17,6 +17,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \

file://0001-When-building-introspection-files-do-not-quote-CFLAG.patch \
file://CVE-2022-32888.patch \
file://CVE-2022-32923.patch \
+   file://CVE-2022-46691.patch \
"
 SRC_URI[sha256sum] = 
"0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"
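Review bot: this appends `file://CVE-2022-46691.patch` to the same SRC_URI block that the CVE-2022-42867 and CVE-2022-46699 patches posted alongside it also modify (each diffstat shows `webkitgtk_2.36.8.bb | 1 +`), and each is sent as an independent `PATCH 1/1`; only the first one applied will merge cleanly and the others will need rebasing, so these should go in as one series. Keeping the CVE entries sorted also makes later stable-branch backports easier to place.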
 
-- 
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#182428): 
https://lists.openembedded.org/g/openembedded-core/message/182428
Mute This Topic: https://lists.openembedded.org/mt/99361658/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



[oe-core][kirkstone][PATCH 1/1] libxpm: upgrade 3.5.13 -> 3.5.15

2023-04-26 Thread Urade, Yogita via lists.openembedded.org
Upgrade libxpm 3.5.13 to 3.5.15

License-update: additional copyright holders
   f0857c0 man pages: Correct Copyright/License notices
The above commit was introduced while upgrading libxpm to 3.5.15,
as mentioned in the changelog below.
Due to this commit, LIC_FILES_CHKSUM has changed.

Disable reading compressed files as that requires compress/uncompress 
executables.
Following the approach in oe-core/master:
   7de4084634 libxpm: upgrade 3.5.14 -> 3.5.15

Changelog:

-
-
ddd8339 libXpm 3.5.15
8178eb0 Use gzip -d instead of gunzip
c5ab17b Prevent a double free in the error code path
515294b Fix CVE-2022-4883: compression commands depend on $PATH
f80fa6a Fix CVE-2022-44617: Runaway loop with width of 0 and enormous height
f7fbbb9 test: add test cases for CVE-2022-44617 (zero-width w/enormous height)
a3a7c6d Fix CVE-2022-46285: Infinite loop on unclosed comments
f7a167a test: add test case for CVE-2022-46285 (unclosed comments)
0ff2c6a cxpm: getc/ungetc wrappers should not adjust position when c == EOF
501494c test: Add unit tests using glib framework
4841039 configure: add --disable-open-zfile instead of requiring -DNO_ZPIPE
aef0c8d man pages: Apply standard man page style/formatting
5d55a0b man pages: Replace "See Also" entries with more useful ones
392cb8f man pages: Fix typos and other minor editing
08bc174 libXpm 3.5.14
f0857c0 man pages: Correct Copyright/License notices
deb81a9 man pages: Fix typos
2d5fa4c man pages: Add missing word 'function' where needed
2b7357e man pages: Make function synopses more consistent with other pages
fb8590c man pages: Fix shadow man pages
bfaebfd man pages: Make file names consistent with their displayed names
7a138a5 gitlab CI: add a basic build test
3433f43 man: strip trailing whitespace
9612454 Fix spelling/wording issues
fa16fbd Build xz tarballs instead of bzip2
83e5427 update man pages
e48e649 add man pages based on doc/xpm.PS

Signed-off-by: Yogita Urade 
---
 .../xorg-lib/{libxpm_3.5.13.bb => libxpm_3.5.15.bb}   | 8 +---
 1 file changed, 5 insertions(+), 3 deletions(-)
 rename meta/recipes-graphics/xorg-lib/{libxpm_3.5.13.bb => libxpm_3.5.15.bb} 
(67%)

diff --git a/meta/recipes-graphics/xorg-lib/libxpm_3.5.13.bb 
b/meta/recipes-graphics/xorg-lib/libxpm_3.5.15.bb
similarity index 67%
rename from meta/recipes-graphics/xorg-lib/libxpm_3.5.13.bb
rename to meta/recipes-graphics/xorg-lib/libxpm_3.5.15.bb
index 4f0a5d7ba0..22e322a9eb 100644
--- a/meta/recipes-graphics/xorg-lib/libxpm_3.5.13.bb
+++ b/meta/recipes-graphics/xorg-lib/libxpm_3.5.15.bb
@@ -11,17 +11,19 @@ an extension of the monochrome XBM bitmap specificied in 
the X \
 protocol."
 
 LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://COPYING;md5=51f4270b012ecd4ab1a164f5f4ed6cf7"
+LIC_FILES_CHKSUM = "file://COPYING;md5=903942ebc9d807dfb68540f40bae5aff"
 DEPENDS += "libxext libsm libxt gettext-native"
 PE = "1"
 
 XORG_PN = "libXpm"
+XORG_EXT = "tar.xz"
+EXTRA_OECONF += "--disable-open-zfile"
 
 PACKAGES =+ "sxpm cxpm"
 FILES:cxpm = "${bindir}/cxpm"
 FILES:sxpm = "${bindir}/sxpm"
 
-SRC_URI[md5sum] = "6f0ecf8d103d528cfc803aa475137afa"
-SRC_URI[sha256sum] = 
"9cd1da57588b6cb71450eff2273ef6b657537a9ac4d02d0014228845b935ac25"
+SRC_URI[md5sum] = "b3c58c94e284fd6940d3615e660a0007"
+SRC_URI[sha256sum] = 
"60bb906c5c317a6db863e39b69c4a83fdbd2ae2154fcf47640f8fefc9fdfd1c1"
 
 BBCLASSEXTEND = "native"
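Review bot: `XORG_EXT = "tar.xz"` has no effect on kirkstone until the companion change that introduces `XORG_EXT` in xorg-lib-common.inc is merged, so as a standalone `PATCH 1/1` this recipe would still try to fetch `libXpm-3.5.15.tar.bz2`, which upstream no longer produces (changelog entry `fa16fbd Build xz tarballs instead of bzip2`); send the two as one series with the .inc change first. `EXTRA_OECONF += "--disable-open-zfile"` also deserves a comment in the recipe saying it removes the external compress/uncompress invocation that CVE-2022-4883 concerns, since the commit message is not visible from the recipe. The updated `LIC_FILES_CHKSUM` matches the message's explanation of f0857c0 and needs no further justification.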
-- 
2.40.0


View/Reply Online (#180464): 
https://lists.openembedded.org/g/openembedded-core/message/180464



[oe-core][kirkstone][PATCH 1/1] xorg-lib-common: Add variable to set tarball type

2023-04-26 Thread Urade, Yogita via lists.openembedded.org
Upstream has switched some new releases from bz2 to xz compression. Add
an XORG_EXT variable so recipes can set the file name extension needed
for the compression type.

Following the approach in oe-core/master:
  6a8068e036b4b2a40b38896275b936916b4db76e  xorg-lib-common: Add variable to
  set tarball type
  (use a variable for the tarball suffix/compression format)

Signed-off-by: Robert Joslyn 
Signed-off-by: Alexandre Belloni 

Signed-off-by: Yogita Urade 
---
 meta/recipes-graphics/xorg-lib/xorg-lib-common.inc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-graphics/xorg-lib/xorg-lib-common.inc 
b/meta/recipes-graphics/xorg-lib/xorg-lib-common.inc
index 60bc8c76fa..68137c4147 100644
--- a/meta/recipes-graphics/xorg-lib/xorg-lib-common.inc
+++ b/meta/recipes-graphics/xorg-lib/xorg-lib-common.inc
@@ -6,8 +6,9 @@ LICENSE = "MIT"
 DEPENDS = "util-macros"
 
 XORG_PN = "${BPN}"
+XORG_EXT ?= "tar.bz2"
 
-SRC_URI = "${XORG_MIRROR}/individual/lib/${XORG_PN}-${PV}.tar.bz2"
+SRC_URI = "${XORG_MIRROR}/individual/lib/${XORG_PN}-${PV}.${XORG_EXT}"
 
 S = "${WORKDIR}/${XORG_PN}-${PV}"
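Review bot: nothing to object to here; `XORG_EXT ?= "tar.bz2"` keeps the existing bz2 default, and a recipe's `XORG_EXT = "tar.xz"` wins whether it is assigned before or after the `require` of this .inc, since a weak default never overrides an existing value. This change must merge before the libxpm 3.5.15 upgrade posted with it, which depends on the variable.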
 
-- 
2.40.0


View/Reply Online (#180463): 
https://lists.openembedded.org/g/openembedded-core/message/180463